forked from intuitem/ciso-assistant-community
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathotcc.yaml
2579 lines (2573 loc) · 103 KB
/
otcc.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
urn: urn:intuitem:risk:library:otcc
locale: en
ref_id: OTCC
name: Operational Technology Cybersecurity Controls
description: 'The NCA publishes the Operational Technology Cybersecurity Controls
(OTCC-1:2022). These controls are aligned with related international cybersecurity
standards, frameworks, controls, and best practices.
https://www.nca.gov.sa/otcc_en.pdf'
copyright: "Sharing Notice: White \nDocument Classification: Public "
version: 1
provider: Saudi Arabia's National Cybersecurity Authority
packager: intuitem
objects:
framework:
urn: urn:intuitem:risk:framework:otcc
ref_id: OTCC
name: Operational Technology Cybersecurity Controls
description: 'The NCA publishes the Operational Technology Cybersecurity Controls
(OTCC-1:2022). These controls are aligned with related international cybersecurity
standards, frameworks, controls, and best practices.
https://www.nca.gov.sa/otcc_en.pdf'
implementation_groups_definition:
- ref_id: L1
name: 'Control Level 1 '
description: The criticality level of the facility is high and have severe ad-
verse effects, consequences, and/or impacts to operations, cat- strophic or
assets, resources, or Health, Safety, and Environ- ment (HSE) of the organization.
- ref_id: L2
name: 'Control Level 2 '
description: The criticality level of the facility is moderate and have sig-
nificant effects, consequences, and/or impacts to operations, assets, resources,
or Health, Safety, and Environment (HSE) of the organization.
- ref_id: L3
name: 'Control Level 3 '
description: The criticality level of the facility is low and have moderate
adverse effects, consequences, and/or impacts to operations, assets, resources,
or Health, Safety, and Environment (HSE) of the organization.
requirement_nodes:
- urn: urn:intuitem:risk:req_node:otcc:1
assessable: false
depth: 1
ref_id: '1'
name: Cybersecurity Governance
- urn: urn:intuitem:risk:req_node:otcc:1-1
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:otcc:1
ref_id: 1-1
name: Cybersecurity Policies and Procedures
- urn: urn:intuitem:risk:req_node:otcc:node4
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-1
name: Objective
description: To ensure that OT/ICS cybersecurity requirements are documented,
communicated, and complied with by the organization as per related laws and
regulations, and orga- nizational requirements.
- urn: urn:intuitem:risk:req_node:otcc:node5
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-1
name: Controls
- urn: urn:intuitem:risk:req_node:otcc:1-1-1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:node5
ref_id: 1-1-1
description: With reference to the ECC controls 1-3-1 and 1-3-2, the organization
must document, approve, and implement a customized set of cybersecurity policies
and procedures for OT/ICS systems or assets.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-1-2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:node5
ref_id: 1-1-2
description: With reference to the ECC control 1-3-3, the cybersecurity OT/
ICS policies and procedures must be supported by cybersecurity requirements
such as vendor recommendations, implementation guidelines, and configuration
management guidelines.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-1-3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:node5
ref_id: 1-1-3
description: With reference to the ECC control 1-3-4, OT/ICS cybersecurity policies
and procedures must be reviewed periodically and/ or when there is a change
in the risks landscape, organizational structure, and/or process changes.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-2
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:otcc:1
ref_id: 1-2
name: Cybersecurity Roles and Responsibilities
- urn: urn:intuitem:risk:req_node:otcc:node10
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-2
name: Objective
description: To ensure that roles and responsibilities are defined for all parties
participating in implementing the operational technology cybersecurity controls
(OTCC) within the organization.
- urn: urn:intuitem:risk:req_node:otcc:node11
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-2
name: Controls
- urn: urn:intuitem:risk:req_node:otcc:1-2-1
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-2
ref_id: 1-2-1
description: 'In addition to the ECC subdomain 1-4, cybersecurity requirements
for Cybersecurity Roles and Responsibilities in OT/ICS must include, at a
minimum, the following:'
- urn: urn:intuitem:risk:req_node:otcc:1-2-1-1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-2-1
ref_id: 1-2-1-1
description: Cybersecurity roles and responsibilities (RACI) assignment for
all stakeholders of the OT/ICS assets must be defined, documented, communicated
and approved by the Authorizing Official while ensuring there is no conflict
of interest.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-2-1-2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-2-1
ref_id: 1-2-1-2
description: Cybersecurity roles and responsibilities related to OT/ ICS assets
must be assigned to the cybersecurity function in the organization.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:1-3
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:otcc:1
ref_id: 1-3
name: Cybersecurity Risk Management
- urn: urn:intuitem:risk:req_node:otcc:node16
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-3
name: Objective
description: "To ensure managing cybersecurity risks in a methodological approach\
\ in order to protect the organization\u2019s OT/ICS assets as per organizational\
\ policies and procedures, and related laws and regulations"
- urn: urn:intuitem:risk:req_node:otcc:node17
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-3
name: Controls
- urn: urn:intuitem:risk:req_node:otcc:1-3-1
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-3
ref_id: 1-3-1
description: 'In addition to the ECC subdomain 1-5, cybersecurity requirements
for cybersecurity risk management in OT/ICS must include, at a minimum, the
following:'
- urn: urn:intuitem:risk:req_node:otcc:1-3-1-1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-3-1
ref_id: 1-3-1-1
description: "OT/ICS cybersecurity risk management methodology must be included\
\ as part of the organization\u2019s risk management and safety risk management\
\ methodologies."
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-3-1-2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-3-1
ref_id: 1-3-1-2
description: Cybersecurity risk assessment for OT/ICS assets must be conducted
periodically while ensuring to include risks associ- ated with signing contracts
and agreements with OT/ICS related third-party organizations and/or upon changes
in related regula- tory requirements as part of the assessment.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-3-1-3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-3-1
ref_id: 1-3-1-3
description: "Risk register for OT/ICS cybersecurity risks must be included\
\ as part of the organization\u2019s risk register."
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-3-1-4
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-3-1
ref_id: 1-3-1-4
description: Appropriate level assignment to facilities which include (OT/ICS)
must be conducted based on approved methodology.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-3-1-5
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-3-1
ref_id: 1-3-1-5
description: Include a qualitative analysis of cybersecurity risks within the
Process Hazard Analysis (PHA) which is applied with any change in operations
and/or procedures in Plants.
implementation_groups:
- L1
- urn: urn:intuitem:risk:req_node:otcc:1-3-1-6
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-3-1
ref_id: 1-3-1-6
description: In the event that cybersecurity requirements cannot be implemented
within the OT/ICS environment, the specific justifications for not applying
those requirements must be documented and approved by the respective cybersecurity
function and the Authorizing Official.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-3-1-7
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-3-1
ref_id: 1-3-1-7
description: In the event of risk acceptance, alternative cybersecurity controls
must be clearly defined, documented, approved by the Authorizing Official,
and implemented effectively for a defined period of time while reassessing
the risk continuously.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-4
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:otcc:1
ref_id: 1-4
name: Cybersecurity in Industrial Control System Project Management
- urn: urn:intuitem:risk:req_node:otcc:node27
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-4
name: Objective
description: To ensure that cybersecurity requirements are included in project
management met odology and procedures in order to maintain safe operations,
confidentiality, integrity, and availability of OT/ICS assets as per organization
policies and procedures, and related laws and regulations.
- urn: urn:intuitem:risk:req_node:otcc:node28
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-4
name: Controls
- urn: urn:intuitem:risk:req_node:otcc:1-4-1
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-4
ref_id: 1-4-1
description: 'In addition to the ECC controls 1-6-2 and 1-6-3, cybersecurity
requirements in OT/ICS project management must include, at a minimum, the
following:'
- urn: urn:intuitem:risk:req_node:otcc:1-4-1-1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-4-1
ref_id: 1-4-1-1
description: "Cybersecurity requirements must be part of OT/ICS project\u2019\
s lifecycle."
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-4-1-2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-4-1
ref_id: 1-4-1-2
description: "Cybersecurity requirements must be included as part of any functional\
\ and acceptance testing and evaluation process (such as Factory Acceptance\
\ Testing \u201CFAT\u201D , Site Acceptance Test- ing \u201CSAT\u201D, Commissioning\
\ Testing, Change Testing, Integration Testing and Source Code Review)."
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:1-4-1-3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-4-1
ref_id: 1-4-1-3
description: Secure-by-design principles must be included as part of security
architectural designs for OT/ICS environments.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-4-1-4
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-4-1
ref_id: 1-4-1-4
description: System development environments including testing environment and
integration platforms must be protected.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:1-4-2
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-4
ref_id: 1-4-2
description: "Cybersecurity requirements within the organization\u2019s OT/ICS\
\ project management must be reviewed, and their implementation effectiveness\
\ is measured and evaluated periodically."
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:1-5
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:otcc:1
ref_id: 1-5
name: Cybersecurity in Change Management
- urn: urn:intuitem:risk:req_node:otcc:node36
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-5
name: Objective
description: To ensure that cybersecurity requirements are included in change
management meth- odology and procedures in order to maintain safe implementation
of change requests in OT/ICS environment by exercising due diligence analysis
and control of the changes.
- urn: urn:intuitem:risk:req_node:otcc:node37
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-5
name: Controls
- urn: urn:intuitem:risk:req_node:otcc:1-5-1
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-5
ref_id: 1-5-1
description: "Cybersecurity requirements within the organization\u2019s OT/ICS\
\ change management must be defined, documented, and approved. The cybersecurity\
\ requirements must be a key part of the overall requirements of OT/ICS change\
\ management."
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-5-2
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-5
ref_id: 1-5-2
description: "Cybersecurity requirements within the organization\u2019s OT/ICS\
\ change management lifecycle must be implemented."
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-5-3
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-5
ref_id: 1-5-3
description: 'In addition to the ECC controls 1-6-2 and 1-6-3, cybersecurity
requirements in OT/ICS change management must include, at a minimum, the following:'
- urn: urn:intuitem:risk:req_node:otcc:1-5-3-1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-5-3
ref_id: 1-5-3-1
description: Cybersecurity requirements are part of the change management lifecycle.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-5-3-2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-5-3
ref_id: 1-5-3-2
description: Changes are validated in a separate environment prior to implementing
the changes on the production environment.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:1-5-3-3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-5-3
ref_id: 1-5-3-3
description: In the event that OT/ICS devices are replaced with differ- ent,
but functionally equivalent devices, whether in design, testing, or operation
environments, the cybersecurity of the replacement device must be validated
prior to being utilized in operational environment.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:1-5-3-4
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-5-3
ref_id: 1-5-3-4
description: Restricted processes for exceptional changes must be implemented.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-5-3-5
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-5-3
ref_id: 1-5-3-5
description: Automated configuration and asset change detection mechanisms must
be implemented.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:1-5-4
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-5
ref_id: 1-5-4
description: "Cybersecurity requirements within the organization\u2019s OT/ICS\
\ change management requirements must be reviewed, and their implementation\
\ effectiveness is measured and evaluated periodically."
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:1-6
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:otcc:1
ref_id: 1-6
name: Periodical Cybersecurity Review and Audit
- urn: urn:intuitem:risk:req_node:otcc:node48
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-6
name: Objective
description: To ensure that OT/ICS cybersecurity controls are implemented and
in compliance with organizational policies and procedures, as well as related
national and international laws, regulations and agreements.
- urn: urn:intuitem:risk:req_node:otcc:node49
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-6
name: Controls
- urn: urn:intuitem:risk:req_node:otcc:1-6-1
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-6
ref_id: 1-6-1
description: "With reference to ECC control 1-8-1, the organization\u2019s cybersecu-\
\ rity function must review the implementation of (OTCC-1:2022) controls at\
\ least annually."
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-6-2
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-6
ref_id: 1-6-2
description: With reference to ECC control 1-8-2, the implementation of (OTCC-1:2022)
controls must be reviewed by independent parties within the organization,
outside the cybersecurity function at least once every three years.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-7
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:otcc:1
ref_id: 1-7
name: Cybersecurity in Human Resources
- urn: urn:intuitem:risk:req_node:otcc:node53
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-7
name: Objective
description: To ensure that cybersecurity risks and requirements related to
OT/ICS personnel (employees and third party personnel) are managed efficiently
prior to employment, during employment, after termination/separation as per
organizational policies and procedures, and related laws and regulations.
- urn: urn:intuitem:risk:req_node:otcc:node54
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-7
name: Controls
- urn: urn:intuitem:risk:req_node:otcc:1-7-1
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-7
ref_id: 1-7-1
description: In addition to subcontrols in the ECC control 1-9-3, cybersecurity
requirements related to human resources for OT/ICS environment must include,
at a minimum, screening or vetting of all personnel (including employees,
contractors and subcontractors) who have access or can utilize OT/ICS assets
prior to granting them access.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:1-7-2
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-7
ref_id: 1-7-2
description: With reference to the ECC control 1-9-6, the cybersecurity re-
quirements for cybersecurity in human resources in OT/ICS must be reviewed,
and their implementation effectiveness is measured and evaluated periodically.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:1-8
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:otcc:1
ref_id: 1-8
name: Cybersecurity Awareness and Training Program
- urn: urn:intuitem:risk:req_node:otcc:node58
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-8
name: Objective
description: "To ensure that personnel are aware of their cybersecurity responsibilities\
\ and have the required cybersecurity awareness. It is also to ensure that\
\ personnel is provided with the required cybersecurity training, skills,\
\ and credentials needed to accomplish their cybersecurity responsibilities\
\ and to protect the organization\u2019s OT/ICS assets."
- urn: urn:intuitem:risk:req_node:otcc:node59
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-8
name: Controls
- urn: urn:intuitem:risk:req_node:otcc:1-8-1
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-8
ref_id: 1-8-1
description: In addition to subcontrols in the ECC control 1-10-3, the cybersecurity
awareness program must include a secure and safe interaction with the OT/ICS
assets or systems.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:1-8-2
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:1-8
ref_id: 1-8-2
description: 'In addition to subcontrols in the ECC control 1-10-4, cybersecurity
requirements in OT/ICS cybersecurity awareness and training program must include,
at a minimum, the following:'
- urn: urn:intuitem:risk:req_node:otcc:1-8-2-1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-8-2
ref_id: 1-8-2-1
description: Customized training, qualifications, knowledge, and professional
skillsets must be provided to all personnel with access to the OT/ICS assets.
The organization is encouraged to utilize the reference material provided
in the Saudi Cybersecurity Workforce Framework (SCyWF).
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:1-8-2-2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:1-8-2
ref_id: 1-8-2-2
description: Participation in OT/ICS authorized and/or specialized organizations
and groups must be encouraged to stay up-to-date on common cybersecurity practices.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2
assessable: false
depth: 1
ref_id: '2'
name: Cybersecurity Defense
- urn: urn:intuitem:risk:req_node:otcc:2.1
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:otcc:2
ref_id: '2.1'
name: Asset Management
- urn: urn:intuitem:risk:req_node:otcc:node66
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:2.1
name: Objective
description: "To ensure that the organization has an accurate and detailed inventory\
\ of OT/ICS assets in order to support the organization\u2019s cybersecurity\
\ and operational requirements to maintain the production uptime, safe operations,\
\ confidentiality, integrity, and availability of OT/ICS assets."
- urn: urn:intuitem:risk:req_node:otcc:node67
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:2.1
name: Controls
- urn: urn:intuitem:risk:req_node:otcc:2-1-1
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:2.1
ref_id: 2-1-1
description: 'In addition to the controls in ECC subdomain 2-1, cybersecurity
requirements for asset management in OT/ICS environment must include, at a
minimum, the following:'
- urn: urn:intuitem:risk:req_node:otcc:2-1-1-1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-1-1
ref_id: 2-1-1-1
description: OT/ICS assets inventory must be developed in electronic format
for all OT/ICS assets, and reviewed periodically.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:2-1-1-2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-1-1
ref_id: 2-1-1-2
description: Automated solution to collect asset inventory information must
be utilized.
implementation_groups:
- L1
- urn: urn:intuitem:risk:req_node:otcc:2-1-1-3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-1-1
ref_id: 2-1-1-3
description: OT/ICS asset inventory must be stored securely.
implementation_groups:
- L1
- urn: urn:intuitem:risk:req_node:otcc:2-1-1-4
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-1-1
ref_id: 2-1-1-4
description: Asset owners for all OT/ICS assets must be identified and involved
throughout the relevant asset inventory management lifecycle.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2-1-1-5
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-1-1
ref_id: 2-1-1-5
description: Criticality rating for all assets must be assigned, documented,
and approved by asset owners.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2-1-2
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:2.1
ref_id: 2-1-2
description: With reference to the ECC control 2-1-6, the cybersecurity requirements
for managing OT/ICS assets must be reviewed, and their implementation effectiveness
is measured and evaluated periodically.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2-2
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:otcc:2
ref_id: 2-2
name: Identity and Access Management
- urn: urn:intuitem:risk:req_node:otcc:node76
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:2-2
name: Objective
description: To ensure secure and restricted logical access to OT/ICS assets
in order to prevent unauthorized access and allow only authorized access for
users, which are necessary to accomplish assigned tasks.
- urn: urn:intuitem:risk:req_node:otcc:node77
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:2-2
name: Controls
- urn: urn:intuitem:risk:req_node:otcc:2-2-1
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:2-2
ref_id: 2-2-1
description: 'In addition to subcontrols in ECC control 2-2-3, cybersecurity
requirements for identity and access management in OT/ICS environment must
include, at a minimum, the following:'
- urn: urn:intuitem:risk:req_node:otcc:2-2-1-1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-2-1
ref_id: 2-2-1-1
description: Identity and access management lifecycle for OT/ICS is separated
and independent from Information Technology (IT) including centrally managed
identity and access management solutions.
implementation_groups:
- L1
- urn: urn:intuitem:risk:req_node:otcc:2-2-1-2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-2-1
ref_id: 2-2-1-2
description: Service accounts must be managed securely for OT/ICS services,
applications, systems, and devices that are separated and disconnected from
interactive users account logins.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2-2-1-3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-2-1
ref_id: 2-2-1-3
description: Default credentials for all OT/ICS assets must be changed, disabled,
or removed.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:2-2-1-4
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-2-1
ref_id: 2-2-1-4
description: Sessions must be managed securely, including session authenticity,
session lockout, and session timeout termination.
implementation_groups:
- L1
- urn: urn:intuitem:risk:req_node:otcc:2-2-1-5
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-2-1
ref_id: 2-2-1-5
description: Automatic disabling/removing of service accounts, programs, or
accounts related to (OT/ICS) assets must be prevented, except for monitoring
systems.
implementation_groups:
- L1
- urn: urn:intuitem:risk:req_node:otcc:2-2-1-6
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-2-1
ref_id: 2-2-1-6
description: Dual approval and explicit privilege escalation mechanisms for
sensitive actions within the OT/ICS environment must be employed.
implementation_groups:
- L1
- urn: urn:intuitem:risk:req_node:otcc:2-2-1-7
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-2-1
ref_id: 2-2-1-7
description: Remote access to the OT/ICS networks must be restricted and exceptionally
enabled when necessary and justified. A cybersecurity risk assessment must
be conducted prior to granting a remote access and its associated risks are
monitored and managed. The granted access must be through trusted multi-factor
authenticated and encrypted channel for a defined period of time and with
limited access privilege. The remote access session must be monitored and
recorded while its time duration and granted user's privilege must be in accordance
with the cybersecurity risk assessment.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2-2-1-8
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-2-1
ref_id: 2-2-1-8
description: Secure and complex password standards must be implemented.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2-2-1-9
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-2-1
ref_id: 2-2-1-9
description: "Secure mechanisms to store OT/ICS assets\u2019 passwords must\
\ be used."
implementation_groups:
- L1
- urn: urn:intuitem:risk:req_node:otcc:2-2-1-10
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-2-1
ref_id: 2-2-1-10
description: "With reference to the ECC subcontrol 2-2-3-5, users\u2019 identities\
\ and access rights must be reviewed in response to cybersecurity incidents,\
\ personnel roles changes, or whenever there is a change in OT/ICS system\
\ architecture."
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2-2-1-11
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-2-1
ref_id: 2-2-1-11
description: Access shall be immediately revoked when no longer needed.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2-2-2
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:2-2
ref_id: 2-2-2
description: With reference to the ECC control 2-2-4, the cybersecurity requirements
for identity and access management in OT/ICS environment must be reviewed,
and its implementation effectiveness is measured and evaluated periodically.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2-3
assessable: false
depth: 2
parent_urn: urn:intuitem:risk:req_node:otcc:2
ref_id: 2-3
name: System and Processing Facilities Protection
- urn: urn:intuitem:risk:req_node:otcc:node92
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:2-3
name: Objective
description: "To ensure the protection of OT/ICS systems and processing facilities\
\ (including workstations, servers and Safety Instrumented Systems \u201C\
SIS\u201D) against cyber risks."
- urn: urn:intuitem:risk:req_node:otcc:node93
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:2-3
name: Controls
- urn: urn:intuitem:risk:req_node:otcc:2-3-1
assessable: false
depth: 3
parent_urn: urn:intuitem:risk:req_node:otcc:2-3
ref_id: 2-3-1
description: 'In addition to subcontrols in the ECC control 2-3-3, cybersecurity
requirements for system and processing facility protection in OT/ICS environment
must include, at a minimum, the following:'
- urn: urn:intuitem:risk:req_node:otcc:2-3-1-1
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-3-1
ref_id: 2-3-1-1
description: Advanced, up-to-date protection mechanisms and techniques must
be utilized and securely managed to block and protect from malware, Advanced
Persistent Threats (APT), malicious files, and activities.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2-3-1-2
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-3-1
ref_id: 2-3-1-2
description: "Periodic security configurations\u2019 review and hardening must\
\ be conducted in alignment with the vendor implementation guidance or recommendations\
\ with respect to cybersecurity and organization\u2019s formal change management\
\ mechanisms."
implementation_groups:
- L1
- urn: urn:intuitem:risk:req_node:otcc:2-3-1-3
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-3-1
ref_id: 2-3-1-3
description: "Periodic security patches and upgrades must be implemented in\
\ alignment with vendor implementation guidance or recommendations with respect\
\ to cybersecurity and organization\u2019s formal change management mechanisms."
implementation_groups:
- L1
- urn: urn:intuitem:risk:req_node:otcc:2-3-1-4
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-3-1
ref_id: 2-3-1-4
description: Principles of least privilege and least functionality must be applied.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2-3-1-5
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-3-1
ref_id: 2-3-1-5
description: Safety Instrumented Systems (SIS) controllers must be configured
in appropriate modes at all times, which prevent any unauthorized changes,
and changes to improper modes are limited to exceptional cases with a specific
period of time.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2-3-1-6
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-3-1
ref_id: 2-3-1-6
description: Application whitelisting techniques or other similar techniques
must be deployed to limit the applications that are allowed to run in OT/ICS
environment.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2-3-1-7
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-3-1
ref_id: 2-3-1-7
description: OT/ICS assets must be managed through dedicated, segmented and
hardened Engineering Workstation (EWS) and Human-Machine Interface (HMI) for
management purposes and maintenance.
implementation_groups:
- L1
- urn: urn:intuitem:risk:req_node:otcc:2-3-1-8
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-3-1
ref_id: 2-3-1-8
description: External storage media is scanned and analyzed against malware
and APT. The scan must be executed in an isolated and secure environment.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2-3-1-9
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-3-1
ref_id: 2-3-1-9
description: Usage of external storage media in the production environment
must be restricted unless secure mechanisms for data transfer are developed
and properly implemented.
implementation_groups:
- L1
- L2
- L3
- urn: urn:intuitem:risk:req_node:otcc:2-3-1-10
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-3-1
ref_id: 2-3-1-10
description: "Systems\u2019 logs and critical files must be protected from unauthorized\
\ access, tampering, illegitimate modification and/or deletion."
implementation_groups:
- L1
- urn: urn:intuitem:risk:req_node:otcc:2-3-1-11
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-3-1
ref_id: 2-3-1-11
description: Unauthorized applications, scripts, tasks, and changes must be
detected and analyzed.
implementation_groups:
- L1
- L2
- urn: urn:intuitem:risk:req_node:otcc:2-3-1-12
assessable: true
depth: 4
parent_urn: urn:intuitem:risk:req_node:otcc:2-3-1
ref_id: 2-3-1-12