NCA CSCC — Critical Systems Cybersecurity Controls for Oil and Gas, Power, Banking


SKYLINE Knowledge Base

A practitioner-grade walk-through of NCA CSCC — Critical Systems Cybersecurity Controls for Oil and Gas, Power, Banking. Scope, controls, implementation phases and audit-ready evidence — with sample policies and configs you can adapt for NCA Frameworks.

Overview

The Critical Systems Cybersecurity Controls (CSCC-1:2019) raise the ECC baseline for national critical systems: any system whose disruption would significantly impact national security, the economy, essential services or public safety. CSCC is additive to ECC. A critical-system operator must comply with the full ECC and, on top of it, the 32 main CSCC controls (73 subcontrols), organised under four domains: Cybersecurity Governance, Cybersecurity Defense, Cybersecurity Resilience, and Third-Party and Cloud Computing Cybersecurity. Audit cadence is annual and conducted by NCA-approved third parties.

Who this applies to

  • Banking — every domestic bank and FI subject to SAMA.
  • Energy — oil & gas operators, electricity transmission, refining.
  • Water and wastewater utilities on a national scale.
  • Healthcare — hospitals processing national-scale clinical records.
  • Telecommunications — Tier 1 carriers and national datacentre operators.
  • Aviation & ports — operators of national-significance terminals.

The classification is decided by the NCA in consultation with the sector regulator (SAMA, CST, Ministry of Energy, etc.). Once classified, the entity has 12 months to reach CSCC compliance.

Key extra controls

CSCC layers on top of ECC. Grouped by where the extra engineering effort actually lands (rather than by the four CSCC domain headings), the 32 controls amount to four things:

  1. Strengthened governance: a dedicated C-level cybersecurity committee, a mandatory CISO reporting directly to the CEO and the board, and a dedicated cybersecurity budget line item.
  2. Always-on defence: a 24/7 Security Operations Centre (two 12-hour or three 8-hour shifts; on-call alone does not count), a threat-intelligence feed that is subscribed to and actually ingested, and red-team exercises at least every 12 months.
  3. High availability: hot standby across two geographically separated KSA datacentres. CSCC itself sets no numeric RPO/RTO; the targets this guide works to are RPO ≤ 15 minutes and RTO ≤ 4 hours for tier-1 services.
  4. Strict OT/IT segmentation: Purdue model enforced, with one-way data diodes for OT-to-IT flows where applicable (the OT-specific control set itself lives in OTCC).

Step 1: Re-baseline against ECC

Before adding CSCC, get to 100% on ECC. CSCC auditors will not start scoring CSCC controls until ECC baseline is met.

Step 2: Establish 24/7 SOC

Minimum staffing model for a tier-1 SOC:

| Role | Shift coverage | Count |
|---|---|---|
| SOC Manager | Business hours | 1 |
| Tier 1 Analyst | 24/7 (3 shifts) | 6 |
| Tier 2 Analyst | 24/7 (3 shifts) | 6 |
| Tier 3 / IR Lead | On-call 24/7, weekday in-office | 2 |
| Threat Hunter | Business hours | 1 |
| SIEM Engineer | Business hours | 1 |

Six analysts per tier is the floor for keeping a single seat filled around the clock: 168 hours a week divided by a roughly 40-hour working week is 4.2 FTE before leave, sickness and training are accounted for. Fewer than that and the roster only works on paper.

Tools: SIEM (Splunk / Sentinel / Wazuh + ELK), SOAR (Shuffle / Cortex XSOAR), threat intel platform (MISP / OpenCTI), EDR (CrowdStrike / SentinelOne / Wazuh). Whatever the stack, the auditor will ask to see the alert-to-ticket path, so wire the SOAR and ticketing integration before the go-live date, not after.

Step 3: High-availability architecture

# Two-site active-passive sample for a critical Saudi service
# rto / rpo values are in minutes; 0 means the site is serving live traffic
sites:
  primary:
    region: ksa-riyadh
    rto: 0     # active
    rpo: 0
    capacity: 100%
  secondary:
    region: ksa-dammam   # >300 km great-circle separation from primary
    rto: 240   # 4 h target
    rpo: 15    # 15-min target via async replication
    capacity: 100%       # full capacity, not a scaled-down DR footprint
replication:
  database:
    mode: async-15s      # replication lag budget in seconds, well inside the 15-min RPO
    method: postgres-physical-streaming
  storage:
    mode: continuous
    method: minio-active-active
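A DR test report is only audit-ready if it states RPO and RTO actuals and shows that the two sites are really separated. The script below is an added example (not from the page, the NCA or any vendor) that scores a drill against the targets used above: it derives RPO from the last commit on the primary versus the last transaction the replica had applied at failover, derives RTO from the outage declaration to service restoration, and computes the great-circle distance between the sites to catch the "DR site in the same datacentre row" mistake. Site coordinates are approximate city centres and the drill timestamps are constructed.

```python
"""Score a DR drill against the RPO, RTO and site-separation targets above.

Added example; not from the page, NCA or any vendor. Site coordinates are
approximate city centres and the drill timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
UTC = timezone.utc


@dataclass(frozen=True)
class Site:
    name: str
    lat: float  # decimal degrees
    lon: float


@dataclass(frozen=True)
class DrillResult:
    rpo_actual_min: float   # data lost at failover, in minutes
    rto_actual_min: float   # outage declared -> service restored, in minutes
    separation_km: float    # great-circle distance between the two sites
    failures: tuple         # empty when every target was met

    @property
    def passed(self) -> bool:
        return not self.failures


def great_circle_km(a: Site, b: Site) -> float:
    """Haversine distance; enough to prove two sites are not in one building."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def _require_aware(label: str, ts: datetime) -> datetime:
    # Naive timestamps taken at two sites cannot be compared; insist on tz-aware input.
    if ts.tzinfo is None:
        raise ValueError(f"{label}: timestamp must be timezone-aware")
    return ts.astimezone(UTC)


def evaluate_drill(primary, secondary, last_commit_primary, last_applied_secondary,
                   outage_declared, service_restored,
                   rpo_target_min=15.0, rto_target_min=240.0, min_separation_km=300.0):
    """RPO = primary commits the replica had not applied when we failed over.
    RTO = wall-clock time from outage declaration to the secondary serving traffic."""
    t_commit = _require_aware("last_commit_primary", last_commit_primary)
    t_applied = _require_aware("last_applied_secondary", last_applied_secondary)
    t_out = _require_aware("outage_declared", outage_declared)
    t_ok = _require_aware("service_restored", service_restored)

    rpo = (t_commit - t_applied).total_seconds() / 60
    rto = (t_ok - t_out).total_seconds() / 60
    sep = great_circle_km(primary, secondary)

    failures = []
    if rpo < 0:
        failures.append("replica reports data newer than primary: clock skew or wrong source of truth")
    elif rpo > rpo_target_min:
        failures.append(f"RPO {rpo:.1f} min exceeds target {rpo_target_min:g} min")
    if rto < 0:
        failures.append("service_restored precedes outage_declared: check the drill log")
    elif rto > rto_target_min:
        failures.append(f"RTO {rto:.1f} min exceeds target {rto_target_min:g} min")
    if sep < min_separation_km:
        failures.append(f"sites {sep:.0f} km apart, below the {min_separation_km:g} km separation requirement")
    return DrillResult(rpo, rto, sep, tuple(failures))


# Constructed sites and drill records (approximate coordinates, not survey data).
RIYADH = Site("ksa-riyadh", 24.71, 46.68)
DAMMAM = Site("ksa-dammam", 26.43, 50.10)
RIYADH_ROW_B = Site("ksa-riyadh-row-b", 24.71, 46.68)  # "DR" in the next rack row


def passing_drill() -> DrillResult:
    return evaluate_drill(
        RIYADH, DAMMAM,
        last_commit_primary=datetime(2024, 3, 10, 9, 0, 0, tzinfo=UTC),
        last_applied_secondary=datetime(2024, 3, 10, 8, 58, 40, tzinfo=UTC),
        outage_declared=datetime(2024, 3, 10, 9, 0, 0, tzinfo=UTC),
        service_restored=datetime(2024, 3, 10, 11, 37, 0, tzinfo=UTC),
    )


def same_row_drill() -> DrillResult:
    """The 'DR site in the same datacentre row' gotcha, plus missed RPO and RTO."""
    return evaluate_drill(
        RIYADH, RIYADH_ROW_B,
        last_commit_primary=datetime(2024, 3, 10, 9, 0, 0, tzinfo=UTC),
        last_applied_secondary=datetime(2024, 3, 10, 8, 30, 0, tzinfo=UTC),
        outage_declared=datetime(2024, 3, 10, 9, 0, 0, tzinfo=UTC),
        service_restored=datetime(2024, 3, 10, 14, 10, 0, tzinfo=UTC),
    )


if __name__ == "__main__":
    for name, result in (("passing", passing_drill()), ("same-row", same_row_drill())):
        status = "PASS" if result.passed else "FAIL"
        print(f"{name}: {status} rpo={result.rpo_actual_min:.1f}min "
              f"rto={result.rto_actual_min:.0f}min sep={result.separation_km:.0f}km")
        for f in result.failures:
            print("  -", f)
```

Feed it the timestamps from the drill log rather than from memory: the last-applied timestamp on the replica is the one figure nobody writes down during a real failover, so have the runbook capture it before the replica is promoted.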

Step 4: Red-team exercises (CSCC 2-12-3)

Annual minimum scope:

  • External attack-surface — black-box reconnaissance and exploitation.
  • Insider threat — assume credentialed user as a malicious actor.
  • Phishing campaign — at least one organisation-wide simulation.
  • Physical access — social-engineering at site entry, with written prior approval.

Report must reach the cybersecurity committee within 30 days and remediation plan signed within 60.

Step 5: OT/IT segmentation

If you operate ICS/SCADA, see the dedicated OTCC guide. Even non-OT critical systems must enforce three-tier segmentation (presentation / business logic / data store) with stateful inspection at every tier boundary: sessions may open only from one tier to the next one down, there is no direct presentation-to-data-store path, and replies ride the firewall's state table rather than a standing reverse allow rule.
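Auditors check segmentation by reading the rule base, not the network diagram, so it pays to lint the rule base yourself first. The script below is an added example (not from the page or the NCA controls) that audits a simplified rule set against the policy just described: adjacent-tier-only initiation, stateful inspection at every boundary, no port-any crossings, and nothing initiated inward toward a zone behind a one-way diode. The zone names, the rule model and the sample rule set are constructed for illustration.

```python
"""Audit a firewall rule set against the tier and OT/IT segmentation policy above.

Added example; not from the page or the NCA controls. The zone names, the rule
model and the sample rule set are constructed for illustration.
"""
from dataclasses import dataclass

# Three-tier order: a session may be initiated only from a tier to the next one down.
TIERS = {"presentation": 0, "logic": 1, "data": 2}
# Zones sitting behind a one-way data diode: flows may leave, nothing may be initiated inward.
OT_ZONES = {"ot-control"}  # hypothetical zone name
KNOWN_ZONES = set(TIERS) | OT_ZONES


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    dport: str             # "443", "5432" or "any"
    ct_state: str = "new"  # "new": opens sessions; "established": replies only; "untracked": stateless


def check_rule(rule: Rule) -> list:
    """Return the policy violations for one rule (empty list means compliant)."""
    issues = []
    for zone in (rule.src, rule.dst):
        if zone not in KNOWN_ZONES:
            issues.append(f"unknown zone '{zone}': every zone must be in the asset register")
    if rule.ct_state == "untracked":
        issues.append("stateless pass-through: the tier boundary must use stateful inspection")
    initiates = rule.ct_state != "established"
    if initiates and rule.dport == "any":
        issues.append("port 'any': only the application port may cross a tier boundary")
    if rule.dst in OT_ZONES and rule.src not in OT_ZONES:
        issues.append("session toward the OT zone: the diode is outbound-only, nothing is initiated inward")
    if initiates and rule.src in TIERS and rule.dst in TIERS:
        gap = TIERS[rule.dst] - TIERS[rule.src]
        if gap < 0:
            issues.append(f"upward initiation: '{rule.src}' may not open sessions toward '{rule.dst}'")
        elif gap > 1:
            issues.append(f"tier skipped: '{rule.src}' may only initiate to the adjacent tier")
    return issues


def audit(rules) -> dict:
    """Map rule name -> violations, listing only the rules that have any."""
    findings = {}
    for rule in rules:
        problems = check_rule(rule)
        if problems:
            findings[rule.name] = problems
    return findings


# Constructed sample rule set mixing compliant and non-compliant entries.
SAMPLE_RULES = (
    Rule("web-to-app", "presentation", "logic", "8443"),                       # compliant
    Rule("app-to-db", "logic", "data", "5432"),                                 # compliant
    Rule("db-replies", "data", "logic", "any", ct_state="established"),         # replies via state table: compliant
    Rule("web-to-db-shortcut", "presentation", "data", "5432"),                 # skips the logic tier
    Rule("db-calls-app", "data", "logic", "9000"),                              # data store opening sessions upward
    Rule("legacy-any", "presentation", "logic", "any", ct_state="untracked"),   # stateless and port any
    Rule("historian-export", "ot-control", "logic", "443"),                     # outbound through the diode: compliant
    Rule("vendor-remote", "logic", "ot-control", "3389"),                       # inbound to OT: forbidden
)


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_RULES).items():
        print(name)
        for p in problems:
            print("  -", p)
```

Exporting a real rule base into the `Rule` shape is vendor-specific, but the policy checks themselves are the same ones an NCA assessor will apply by hand, so run them on every rule change and keep the output with the segmentation evidence.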

Common gotchas

  • Standing up a SOC on paper with no run-books: automatic non-compliance, because the auditor scores the escalation path, not the org chart.
  • DR site in the same datacentre row: fails the geographic-separation requirement, however good the replication numbers look.
  • Annual red team executed but findings never closed: raises an open audit finding, since the control is about remediation, not the exercise.
  • Mixing critical and non-critical workloads in the same Kubernetes cluster: a shared control plane and node pool erase the isolation boundary the critical tier is supposed to have.

Verification — audit-ready evidence

  • C-level cybersecurity committee minutes for the last 12 months.
  • SOC shift roster, on-call escalation matrix.
  • Threat intel platform subscription invoice + ingestion proof.
  • Annual red-team report + remediation evidence per finding.
  • DR test report demonstrating RTO and RPO actuals.
  • Asset register flagging "critical" tier explicitly.

Conclusion

CSCC turns cybersecurity from a department into a business function with continuous staffing and continuous testing. Treat the 24/7 SOC as your operational heartbeat and the red team as your annual reality check.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.

