Saudi Arabia
June 23, 2026

OT/ICS Penetration Testing: Saudi OTCC Explained


Muhammad Khizer Javed


Quick Answer

An OT/ICS penetration test for Saudi critical infrastructure evaluates SCADA systems, PLCs, HMIs, Safety Instrumented Systems (SIS), engineering workstations, and the IT/OT network boundary against the threat models that matter in industrial environments. It is governed primarily by NCA's Operational Technology Cybersecurity Controls (OTCC 1:2022), which contains 4 main domains, 23 subdomains, 47 main controls, and 122 sub-controls. OTCC applies to government and private sector entities owning or operating Critical National Infrastructure (CNI), whether inside or outside the Kingdom. For organisations in the Aramco supply chain, SACS-002 (the Third Party Cybersecurity Standard, evidenced through the Cybersecurity Compliance Certificate, CCC) adds a vendor-side certification overlay aligned to IEC 62443. SABIC suppliers face equivalent obligations under SABIC CyberTrust. Unlike an IT penetration test, an OT/ICS pentest must be safety-first: active scanning, default credential testing, and aggressive exploitation can shut down compressors, trip safety systems, or damage equipment. Methodology, not just findings, is what separates an OT-credible engagement from a dangerous one.

At a glance:
  OTCC controls: 122 sub-controls across 4 main domains
  OTCC levels: 3, set by the Facility Identification Tool
  NCA penalty ceiling: SAR 25M for NCA non-compliance
  SACS-002 validity: 2 years (Aramco CCC certification cycle)
Field Notes · Patterns from Saudi OT Engagements

From SecurityWall's OT and ICS engagements across Saudi energy, utilities, and industrial environments, the recurring patterns we observe are operational rather than exotic. Production zones still run engineering workstations on outdated Windows builds because the OEM has not certified newer versions. Default credentials on HMIs survive far longer than they should because change requires planned maintenance windows. IT teams maintain a clean firewall configuration on paper while temporary engineering connections back to corporate networks accumulate undocumented over project cycles.

None of this is a failure of intent. It is the gravitational pull of operational continuity in environments where the cost of stopping is measured in millions per hour. A useful OT pentest understands that gravity. It surfaces the gaps without becoming one of them.

Saudi Arabia operates some of the most consequential industrial infrastructure on the planet. Aramco's upstream and downstream operations, SABIC's petrochemical complexes, SEC's grid, the National Water Company's treatment systems, and a growing footprint of NEOM-region industrial facilities all run on Operational Technology (OT) and Industrial Control Systems (ICS). The cybersecurity expectations on these systems are not theoretical. They are codified in the NCA's Operational Technology Cybersecurity Controls (OTCC 1:2022), reinforced by Aramco's SACS-002 supplier certification, and increasingly mirrored across the broader giga project supply chain.

This guide explains, from a penetration tester's perspective, what OTCC requires, why OT/ICS penetration testing is fundamentally different from web or network penetration testing, what the test actually covers, how supply chain compliance flows through the Aramco and SABIC vendor programmes, and what an OT pentest report must contain to satisfy NCA expectations.

What Is OTCC and Who Does It Apply To?

OTCC 1:2022 is the NCA's dedicated cybersecurity controls framework for OT and ICS environments. It is published as an extension to the Essential Cybersecurity Controls (ECC), not a replacement. Organisations that fall under ECC and operate OT environments inherit OTCC obligations on top. For the ECC baseline itself, see our NCA ECC Compliance Checklist.

Scope. OTCC applies to Industrial Control Systems located in facilities deemed critical, owned or operated by government entities or by private sector organisations responsible for Critical National Infrastructure (CNI), whether inside or outside Saudi Arabia. The "outside Saudi Arabia" clause matters: Saudi-owned CNI operations in other jurisdictions still inherit OTCC if they meet the criticality criteria.

Structure. OTCC contains 4 main domains, 23 subdomains, 47 main controls, and 122 sub-controls, organised around four pillars: strategy, people, processes, and technology. The four domains are Cybersecurity Governance (specific to industrial environments), Cybersecurity Defence (asset management, identity and access management, system protection, network security, event logging and monitoring), Cybersecurity Resilience, and Third-Party and Cloud Cybersecurity for OT.

Three control levels. Unlike ECC's relatively flat application, OTCC introduces three control levels calibrated to facility criticality. The NCA provides a Facility Identification Tool that asks about consequences and impact on business and service availability, Health, Safety, and Environment (HSE) impact, and national economy or security impact. The tool output determines which OTCC level applies. This proportionality matters in practice: smaller or older OT facilities are not held to the same control bar as a refinery or a power generation station, and the level should be established before a pentest is scoped, because it determines which sub-controls the findings are measured against.

Alignment to international standards. OTCC was built drawing on IEC 62443 (Industrial Automation and Control Systems Security), NIST 800-82 (Guide to Operational Technology Security), and the US Department of Energy's C2M2 model. Organisations with mature IEC 62443 or NIST 800-82 programmes will find substantial overlap and can typically map controls across with limited rework.

Penetration testing within OTCC. OT/ICS penetration testing is treated as a control effectiveness validation mechanism. The OTCC subdomain covering Vulnerability Management explicitly requires periodic technical assessment of OT/ICS environments. Combined with ECC's annual self-assessment obligation, the operational expectation is that critical OT environments undergo independent technical testing on a regular cycle.

Why OT/ICS Penetration Testing Is Different From IT Penetration Testing

A standard IT penetration test is a controlled adversary simulation against systems where worst case is service downtime. An OT/ICS penetration test is a controlled assessment of systems where worst case is physical damage, environmental release, or harm to human safety. The difference is not stylistic. It changes the methodology, the tools, the skill profile of the team, and the report.

The mature framing is that an OT pentest is a hybrid discipline that requires both offensive security expertise and process control engineering judgement. A team that can compromise a domain controller is necessary but not sufficient. The same team must also understand why you do not actively scan a network segment connected to a Safety Instrumented System mid-cycle, and what the safe alternatives are.

Risk Calibration Matrix: IT Pentest vs OT/ICS Pentest

Dimension            | IT Penetration Test                 | OT/ICS Penetration Test
---------------------|-------------------------------------|-----------------------------------------------------------
Worst case impact    | Data loss, service outage           | Equipment damage, environmental release, human safety
Restart capability   | Service reboot is routine           | Cannot restart a compressor mid-cycle
Testing window       | Off-peak hours generally acceptable | Planned maintenance window or shadow lab
Active scanning      | Standard practice                   | Listen-only or passive in production zones
Exploitation         | Demonstrated where useful           | Demonstrated only against twin lab or pre-approved targets
Tool selection       | Burp, Nessus, Metasploit, etc.      | Curated OT-aware tooling, IEC 62443 informed
Team skill profile   | Offensive security generalists      | Offensive plus process control engineering
Report audience      | IT and security teams               | IT, security, plus operations engineering and HSE
Has anyone on your last pentest team operated a SCADA system?

If your last OT engagement scoped your Safety Instrumented Systems the same way it scoped your corporate web app, the report you received is not an OT pentest report. It is an IT report on the OT side of the firewall. The difference shows up at audit and again at the next incident.


What an OT/ICS Pentest Actually Covers

The technical scope of an OTCC-aligned penetration test spans the Purdue model layers from enterprise IT down to physical process. A useful engagement examines each layer with methodology calibrated to its risk.

Level 0 to 1 (physical and basic control). Sensors, actuators, intelligent electronic devices (IEDs), and the PLCs and RTUs running deterministic control loops. Testing here is almost always passive observation, configuration review, and review of vendor firmware advisories. Active testing against a running PLC is reserved for shadow labs or planned downtime.

Level 2 (supervisory control). SCADA systems, Distributed Control Systems (DCS), and Human-Machine Interfaces (HMI). These are the operator's window into the plant. Testing covers authentication strength, role-based access enforcement, default and shared credentials, screen-locking behaviour, audit logging, and the secure deployment of historian access.

Level 3 (operations). Engineering workstations, project servers, historian databases, and the OT domain controllers. This is where most realistic adversary activity concentrates. Testing examines patching cadence, lateral movement potential, USB and removable media policy enforcement, antivirus coverage in OT, and the integrity of project files used to push configuration to PLCs.

Level 3.5 (IT/OT DMZ). The buffer zone between corporate IT and OT operations. This is the highest-value area in an OTCC pentest. The DMZ is where temporary jumphosts, vendor remote access connections, and forgotten firewall exceptions accumulate. Testing maps every protocol path between IT and OT, validates the segmentation actually works, and looks for the undocumented exceptions that operations teams put in to keep production moving.

Safety Instrumented Systems (SIS). Treated as a separate testing class. SIS are designed to prevent harm when control fails. OTCC requires SIS to be segmented from other OT/ICS networks. Testing scope here is typically configuration review, segmentation validation, and engineering workstation hardening rather than any form of active testing against the SIS itself.

Wireless and vendor remote access. Plant wireless, supplier-provided remote access platforms, and cellular gateways used for equipment telemetry. These are high-value targets and historically the entry path in several public OT incidents internationally.

Asset inventory validation. OTCC explicitly requires asset management for OT environments. The pentest validates that the inventory matches reality. Many engagements find equipment that operations knows about but security does not.
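Both the Level 3.5 conduit mapping and the asset inventory validation above can be done from passively captured traffic, without sending a single packet into a production zone. The block below is an added example, not SecurityWall's tooling and not anything from the OTCC text: it takes constructed flow records (Zeek conn.log-like columns), a constructed zone map, a constructed asset inventory and a constructed list of approved conduits, and reports OT assets seen on the wire that the inventory lacks, zone crossings the documented conduits do not allow, and anything reaching the SIS zone from outside it. Zone names, address ranges, the port-to-protocol table and the sample flows are all assumptions.

```python
"""Added example (not SecurityWall's tooling): reconcile passively observed
OT traffic against a documented asset inventory and documented IT/OT conduits.
Every address, zone, flow and inventory entry below is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Heuristic port-to-protocol map for the conduits a tester looks for.
# A port is evidence of a protocol, not proof of it.
PROTOCOL_BY_PORT = {
    102: "S7comm/ISO-TSAP", 502: "Modbus/TCP", 20000: "DNP3",
    44818: "EtherNet/IP", 2222: "EtherNet/IP-implicit", 4840: "OPC UA",
    135: "OPC Classic/DCOM", 3389: "RDP", 22: "SSH", 445: "SMB", 5900: "VNC",
}

# Constructed zone map; the Purdue level labels are assumptions for this example.
ZONES = {
    "corp_it": ip_network("10.10.0.0/16"),
    "dmz_3_5": ip_network("10.20.0.0/24"),
    "ot_l3":   ip_network("192.168.30.0/24"),
    "ot_l2":   ip_network("192.168.20.0/24"),
    "ot_l1":   ip_network("192.168.10.0/24"),
    "sis":     ip_network("192.168.99.0/24"),
}

# Documented (approved) conduits as (src_zone, dst_zone, dport). Constructed.
APPROVED_CONDUITS = {
    ("corp_it", "dmz_3_5", 3389),   # corporate users reach the DMZ jumphost
    ("dmz_3_5", "ot_l3", 3389),     # jumphost reaches engineering workstations
    ("ot_l3", "ot_l2", 4840),       # OPC UA from L3 to supervisory layer
    ("ot_l2", "ot_l1", 502),        # Modbus from supervisory layer to PLCs
}

# Documented asset inventory (OT addresses only). Constructed.
INVENTORY = {"192.168.30.10", "192.168.30.11", "192.168.20.5", "192.168.10.21"}

# Constructed flow records: ts, src, dst, dport, proto (tab-separated).
SAMPLE_FLOWS = """\
1718000001.1\t10.10.5.23\t10.20.0.5\t3389\ttcp
1718000002.4\t10.20.0.5\t192.168.30.10\t3389\ttcp
1718000003.9\t192.168.30.10\t192.168.20.5\t4840\ttcp
1718000004.2\t192.168.20.5\t192.168.10.21\t502\ttcp
1718000005.7\t10.10.7.40\t192.168.10.22\t502\ttcp
1718000006.0\t192.168.30.11\t192.168.99.3\t102\ttcp
1718000007.3\t192.168.30.10\t192.168.30.11\t445\ttcp
"""


def zone_of(ip):
    """Name of the zone whose range contains ip, or 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split("\t")
        flows.append({"ts": float(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto})
    return flows


def observed_assets(flows):
    """Every OT- or SIS-zone address seen on the wire, with the protocol
    labels of the flows it took part in (either end of the connection)."""
    assets = defaultdict(set)
    for f in flows:
        for ip in (f["src"], f["dst"]):
            if zone_of(ip).startswith(("ot_", "sis")):
                assets[ip].add(PROTOCOL_BY_PORT.get(f["dport"], f"tcp/{f['dport']}"))
    return dict(assets)


def undocumented_assets(flows, inventory):
    """OT addresses seen in traffic that the documented inventory does not list."""
    return sorted(set(observed_assets(flows)) - set(inventory))


def cross_zone_conduits(flows):
    return {(zone_of(f["src"]), zone_of(f["dst"]), f["dport"])
            for f in flows if zone_of(f["src"]) != zone_of(f["dst"])}


def unapproved_conduits(flows, approved):
    """Zone crossings observed on the wire that the documented conduits do not allow."""
    return sorted(cross_zone_conduits(flows) - set(approved))


def sis_reachability(flows):
    """Any flow into the SIS zone from outside it contradicts the segmentation OTCC expects."""
    return sorted((f["src"], f["dst"], f["dport"]) for f in flows
                  if zone_of(f["dst"]) == "sis" and zone_of(f["src"]) != "sis")


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("undocumented assets:", undocumented_assets(flows, INVENTORY))
    print("unapproved conduits:", unapproved_conduits(flows, APPROVED_CONDUITS))
    print("SIS reached from outside:", sis_reachability(flows))
```

On the constructed sample this flags a PLC-range host (192.168.10.22) that nobody inventoried, a corporate host talking Modbus straight into Level 1 past the DMZ, and an engineering workstation reaching the SIS zone over S7comm. Each of those is exactly the class of "undocumented exception" the DMZ paragraph describes, and all three came out of a capture rather than a scan.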

The Aramco and SABIC Supply Chain: Why Subcontractors Need OTCC Awareness Too

Aramco's Cybersecurity Compliance Certificate (CCC) under the SACS-002 standard is mandatory for suppliers and contractors that access Aramco information systems, OT environments, or restricted data. The framework aligns to IEC 62443 and NIST CSF and covers both IT and OT controls. Certification is valid for two years, after which renewal requires fresh evidence. The newer SACS-210 expands and refines the supplier obligations further.

SABIC operates a comparable programme under SABIC CyberTrust. Other major operators including SEC and the National Water Company increasingly require supplier cybersecurity evidence as a procurement gate.

The practical implication for suppliers is direct. If your organisation provides services or technology that touches an Aramco or SABIC OT environment, you face certification obligations regardless of your own size or sector. The framework you are tested against is heavily OT-flavoured even when your delivery scope appears IT-centric, because the underlying customer environment is industrial.

Several patterns emerge consistently across supply chain readiness work. Suppliers who run a strong IT cybersecurity programme but have never touched an OT environment often discover during readiness assessment that their secure-by-design practices, their patching cadence, their incident response playbooks, and their staff awareness are all calibrated to corporate IT and do not translate cleanly into industrial expectations. Bringing those programmes up to SACS-002 or SABIC CyberTrust standard typically takes three to six months from a mature IT baseline, longer from a less mature one.

For subcontractors of Aramco prime contractors, the certification obligation flows down. The prime contractor remains accountable for ensuring its subcontractors meet the standard, and procurement reviews routinely ask for evidence of subcontractor controls. Building this evidence into your subcontractor agreements before procurement starts is materially cheaper than reconstructing it during a tender response.

Safety First Testing Methodology for Live OT Environments

The non-negotiable starting position for any credible OT engagement is that nothing tested causes harm, downtime, or equipment damage. The methodology below is how SecurityWall delivers OT engagements safely.

Pre-engagement plant familiarisation. Before any testing, the team reviews the plant's process flow, the criticality classification of zones, the SIS configuration, and the maintenance schedule. The output is a written testing plan that specifies what is in scope, what is out of scope, when active testing windows open and close, and what the abort conditions are.

Tiered testing posture by zone. Different zones receive different methodologies. Corporate IT is tested with standard offensive tooling. The IT/OT DMZ is tested with informed but active methodology. Level 3 OT systems receive constrained active testing during agreed windows. Level 0 to 2 systems receive passive observation, configuration review, and shadow-lab demonstration only. Active testing on safety systems is excluded by default.

Shadow-lab demonstration. Where exploitation evidence is needed, it is performed against a vendor-supplied or customer-supplied shadow lab that mirrors production configuration. The finding is then mapped back to the production environment with a clear statement of how it would apply.

Communications and abort protocol. A named operations contact stays in the loop throughout. Active testing windows are bracketed by communication. Any unexpected behaviour triggers immediate abort and rollback.

Tooling discipline. Tool selection is calibrated to OT. OT-aware platforms such as Tenable OT Security, Claroty, and Nozomi, which combine passive monitoring with protocol-aware active queries, are used where appropriate. General-purpose IT tools that are noisy on industrial protocols are constrained. The point is that the tooling does not, by itself, become the incident.
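One way to make the tiered posture, the active windows and the abort protocol above enforceable, rather than a document nobody re-reads at 03:00, is to encode the written testing plan and gate every probe through it before it is launched. The block below is an added example of that pre-flight check; it is not SecurityWall's methodology tooling. The zones, address ranges, technique classes, window times, the shadow-lab range and the pre-approved target are all constructed assumptions.

```python
"""Added example (not SecurityWall's tooling): a pre-flight guard that encodes
a written OT testing plan and refuses any probe the plan does not permit.
Zones, addresses, technique classes and windows below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Technique classes, from least to most intrusive. Each posture tier is the
# set of classes it permits; passive work is permitted in every tier.
PASSIVE_ONLY = frozenset({"passive_capture", "config_review"})
ACTIVE_WINDOWED = PASSIVE_ONLY | {"active_scan", "cred_audit"}
FULL_OFFENSIVE = ACTIVE_WINDOWED | {"exploit"}

UTC = timezone.utc

# Constructed testing plan. "windows": None means no time restriction;
# otherwise active techniques are only permitted inside a listed window.
PLAN = {
    "corp_it":    {"net": ip_network("10.10.0.0/16"),    "allowed": FULL_OFFENSIVE,  "windows": None},
    "dmz_3_5":    {"net": ip_network("10.20.0.0/24"),    "allowed": ACTIVE_WINDOWED, "windows": None},
    "ot_l3":      {"net": ip_network("192.168.30.0/24"), "allowed": ACTIVE_WINDOWED,
                   "windows": [(datetime(2026, 6, 27, 2, tzinfo=UTC),
                                datetime(2026, 6, 27, 6, tzinfo=UTC))]},
    "ot_l0_2":    {"net": ip_network("192.168.0.0/20"),  "allowed": PASSIVE_ONLY,    "windows": None},
    "sis":        {"net": ip_network("192.168.99.0/24"), "allowed": PASSIVE_ONLY,    "windows": None},
    "shadow_lab": {"net": ip_network("172.16.50.0/24"),  "allowed": FULL_OFFENSIVE,  "windows": None},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def zone_of(target, plan=PLAN):
    """Plan zone containing target, or None if the address is not scoped at all."""
    addr = ip_address(target)
    for name, zone in plan.items():
        if addr in zone["net"]:
            return name
    return None


def check_action(target, technique, now, plan=PLAN, aborted=False,
                 preapproved_exploit_targets=frozenset()):
    """Decide whether `technique` may be run against `target` at time `now`.

    Order of checks: scoped at all -> permitted by the zone's posture (with
    written per-target exploit pre-approval) -> abort flag -> active window.
    Passive work is never blocked by abort or windows."""
    zone = zone_of(target, plan)
    if zone is None:
        return Decision(False, f"{target} is in no scoped zone; out of scope by default")
    spec = plan[zone]
    permitted = set(spec["allowed"])
    if technique == "exploit" and target in preapproved_exploit_targets:
        permitted.add("exploit")  # specific, written pre-approval for this target only
    if technique not in permitted:
        return Decision(False, f"{technique} is not permitted in {zone} by the testing plan")
    if technique in PASSIVE_ONLY:
        return Decision(True, f"{technique} is passive; permitted in {zone} at any time")
    if aborted:
        return Decision(False, "abort signalled by the operations contact; all active testing halted")
    windows = spec["windows"]
    if windows is not None and not any(start <= now < end for start, end in windows):
        return Decision(False, f"{technique} in {zone} only inside an agreed window (now {now.isoformat()})")
    return Decision(True, f"{technique} permitted in {zone}")


if __name__ == "__main__":
    in_window = datetime(2026, 6, 27, 3, 30, tzinfo=UTC)
    out_of_window = datetime(2026, 6, 27, 9, 0, tzinfo=UTC)
    for args in [("192.168.30.10", "active_scan", in_window),
                 ("192.168.30.10", "active_scan", out_of_window),
                 ("192.168.5.4", "active_scan", in_window),
                 ("192.168.99.3", "cred_audit", in_window),
                 ("172.16.50.7", "exploit", out_of_window)]:
        d = check_action(*args)
        print("ALLOW" if d.allowed else "DENY ", args[0], args[1], "-", d.reason)
```

The useful property is that the guard fails closed: an address outside every scoped range is denied, the SIS and Level 0 to 2 ranges only ever admit passive work, exploitation in an OT zone needs a named pre-approved target and still has to fall inside the window, and a single abort flag from the operations contact stops everything active without touching passive capture. Wrapping the actual scanner invocation in this check is what turns the written plan into a control.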

The expensive failure mode in OT pentesting is when an engagement led by IT-only testers runs a standard active scan against an industrial network and trips a process safety event. That outcome has happened in the industry and remains the operational reason that OTCC and IEC 62443 emphasise methodology so strongly.

What the OT/ICS Pentest Report Must Contain for NCA Compliance

A defensible OT pentest report goes beyond a list of findings. The contents below satisfy both OTCC evidence expectations and the operational needs of the customer.

The executive summary should communicate to leadership the residual risk posture in business terms, calibrated to the OTCC level of the facility. The scope and methodology section should specify zones tested, windows used, tooling employed, and explicit out-of-scope items. The findings section should distinguish IT findings from OT findings and clearly map each to OTCC sub-controls, IEC 62443 zones and conduits, and applicable SACS-002 or SABIC CyberTrust requirements where relevant.

For each finding, the report should include reproduction steps suitable for engineering teams, an impact statement that addresses both data and operational consequences, a remediation recommendation that is implementable inside an industrial change-control process, and a priority rating that accounts for safety as well as confidentiality, integrity, and availability. The appendix should include the asset inventory observed, network segmentation findings, and any deviations between documented architecture and observed reality.

This report serves three audiences simultaneously: NCA assessors reviewing OTCC self-assessment evidence, operations leadership making remediation decisions, and procurement teams responding to questions from Aramco or SABIC supply chain reviews. A report that satisfies all three is the practical artefact of an OT-credible engagement.

Six Questions About Your Last OT Pentest

If you cannot confidently answer "yes" to all six, what you commissioned was an IT pentest with OT in the wrapper.

  1. Did the team include at least one tester with IEC 62443, GICSP, GRID, or equivalent OT certification?
  2. Was the OTCC Facility Identification Tool used to determine which level of controls applied?
  3. Were your Safety Instrumented Systems explicitly scoped IN or OUT, with the reasoning written down?
  4. Did the testing plan specify passive-only zones, active-windowed zones, and shadow-lab-only targets distinctly?
  5. Did the final report map findings to OTCC sub-controls and (if applicable) SACS-002 or SABIC CyberTrust?
  6. Was a named operations contact in the loop throughout the active testing windows?

Frequently Asked Questions

What is NCA OTCC? OTCC 1:2022 is the National Cybersecurity Authority's Operational Technology Cybersecurity Controls, published in 2022 as an extension to the Essential Cybersecurity Controls (ECC) specifically for OT and ICS environments. It contains 4 main domains, 23 subdomains, 47 main controls, and 122 sub-controls organised across strategy, people, processes, and technology, and aligns to IEC 62443, NIST 800-82, and DOE C2M2.

Is OT/ICS penetration testing different from regular penetration testing? Materially different. An IT pentest's worst case is service downtime. An OT/ICS pentest's worst case is equipment damage, environmental release, or human safety harm. Methodology, tooling, testing windows, team skill profile, and report audience all shift accordingly. Active scanning that is routine in IT becomes restricted to specific zones and windows in OT, and exploitation evidence is usually demonstrated against shadow labs rather than live equipment.

Do energy supply chain subcontractors need OTCC compliance? Often yes, but indirectly. OTCC itself applies to operators of Critical National Infrastructure. Subcontractors typically inherit obligations through supply chain certification programmes: Aramco's SACS-002 (CCC) certification is mandatory for suppliers touching Aramco OT environments, SABIC requires CyberTrust alignment, and prime contractors flow down cybersecurity obligations to their subcontractors. The practical effect is that almost every meaningful supplier in the Saudi industrial value chain faces OT-flavoured cybersecurity expectations.

How do you test OT systems without disrupting operations? A safety-first methodology built on four principles: tiered testing posture by zone (passive-only in production-critical layers, active-windowed in DMZ and engineering layers), shadow-lab demonstration of exploitation rather than live exploitation, planned maintenance windows aligned to operations, and a named operations contact in the loop throughout testing. Tool selection is OT-aware, with general-purpose IT scanners constrained on industrial protocols.

What sectors does OTCC apply to? Government entities and private sector organisations owning, operating, or hosting Critical National Infrastructure. In practice this includes energy (Aramco, SABIC, and downstream), utilities (SEC and the National Water Company), oil and gas, petrochemicals, water treatment, transport infrastructure, manufacturing tied to national security, and increasingly smart city OT environments within giga projects. The Facility Identification Tool determines which of three control levels applies to a given facility.

How often must OT/ICS systems be tested? OTCC requires periodic technical assessment, and ECC requires annual self-assessment. The practical cadence most CNI operators settle on is annual external penetration testing for highest-tier facilities, biennial for lower-tier facilities, plus targeted testing after major architecture changes, new equipment commissioning, or significant incidents. Aramco SACS-002 certification requires renewal every two years, which sets a similar cycle for the supplier base.

Test OT like it is OT, not like it is a web app.

We bring engineers who have operated control systems, not just hackers who have never seen an HMI. NCA registered, OTCC and IEC 62443 aligned, Aramco SACS-002 aware. Get a written scoping plan that protects production before testing starts.

NCA registered · OSCP, OSWE, CREST, CRT, CISM, and CISSP certified team


Tags: Saudi Arabia, OT Security, ICS Penetration Testing, NCA ECC, NCA Saudi Arabia, Saudi Compliance, SCADA, SACS-002

About Muhammad Khizer Javed

Muhammad Khizer Javed is a member of the SecurityWall team, contributing expert insights on cybersecurity and penetration testing.
