NCA OTCC — Operational Technology Cybersecurity Controls for ICS and SCADA

SKYLINE Knowledge Base

A practitioner-grade walk-through of NCA OTCC — Operational Technology Cybersecurity Controls for ICS and SCADA. Scope, controls, implementation phases and audit-ready evidence — with sample policies and configs you can adapt for NCA Frameworks.

Overview

The Operational Technology Cybersecurity Controls (OTCC-1:2022) are the NCA's mandatory baseline for industrial control systems — Distributed Control Systems (DCS), SCADA, Programmable Logic Controllers (PLCs), safety instrumented systems (SIS) and the engineering workstations that program them. OTCC translates IEC 62443 into Saudi enforcement language. It applies to every operator of a critical OT environment in the Kingdom.

Who this applies to

  • Upstream and downstream oil & gas operators.
  • Electricity transmission, distribution and generation operators.
  • Water treatment, desalination and distribution authorities.
  • Petrochemical and refining complexes.
  • Manufacturing facilities classified as critical-sector by the NCA.

Key control families

OTCC defines 47 controls in five domains:

  1. Cybersecurity Governance (1-x): OT cyber strategy, OT-specific risk register, dedicated OT-CISO accountable to the plant manager.
  2. Cybersecurity Defense (2-x): asset identification, zoning, hardening, access control, change management.
  3. Cybersecurity Resilience (3-x): backup of PLC programs, recovery testing without disrupting production.
  4. Third-Party / Vendor (4-x): remote support, contractor laptop hygiene.
  5. Continuous Monitoring (5-x): OT-aware IDS, anomaly detection, OT log shipping.

Step 1: Inventory and Purdue zoning

Every OT asset must be tagged with its Purdue level:

| Level | Examples | Default trust |
|---|---|---|
| 0 | Sensors, actuators | Implicit, no IP |
| 1 | PLCs, RTUs | Trusted within cell |
| 2 | HMI, SCADA workstations | Cell + plant |
| 3 | Historian, MES | Plant |
| 3.5 | OT-IT DMZ | Bridge zone |
| 4 | ERP, business systems | Corporate |
| 5 | Internet | Untrusted |

Each zone must be separated by a stateful firewall or, for one-way flows, a data diode.

[Internet 5] —firewall— [Corp IT 4] —firewall— [OT DMZ 3.5]
                                                 ↑ diode (Hist→IT only)
                                            [Plant 3] — [SCADA 2] — [PLCs 1] — [Sensors 0]
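The zoning above can be checked against observed traffic. The following is an added example, not part of the original guide: it audits flow records against the Purdue levels, the diode direction in the diagram and the rule that Modbus and S7 must terminate at the DMZ. The inventory, addresses and flows are constructed, and the "adjacent zones only" rule is an assumption derived from the requirement that every zone boundary has its own firewall or diode.

```python
# Added example: constructed inventory and flows, not data from the original page.
ZONE_ORDER = [0, 1, 2, 3, 3.5, 4, 5]        # Purdue levels from the table above
ICS_PORTS = {502: "Modbus", 102: "S7"}      # Modbus/TCP and S7comm TCP ports

INVENTORY = {                                # constructed asset register: ip -> (name, level)
    "10.1.1.10": ("plc-01", 1),
    "10.1.2.20": ("hmi-01", 2),
    "10.1.3.30": ("historian", 3),
    "10.1.35.5": ("dmz-replica", 3.5),
    "10.4.0.50": ("erp-app", 4),
}

def level_of(ip):
    """Addresses missing from the register are treated as Level 5 (untrusted)."""
    return INVENTORY.get(ip, ("unknown", 5))[1]

def check_flow(src, dst, dport):
    """Return the zoning findings for one observed flow (empty list = compliant)."""
    s, d = level_of(src), level_of(dst)
    findings = []
    # Assumption: traffic may only pass between adjacent zones, so every
    # boundary firewall or diode in the diagram sees it.
    if abs(ZONE_ORDER.index(s) - ZONE_ORDER.index(d)) > 1:
        findings.append(f"skips a zone: L{s} -> L{d}")
    # ICS protocols must terminate at the DMZ, never reach Level 4 or 5.
    if dport in ICS_PORTS and max(s, d) >= 4:
        findings.append(f"{ICS_PORTS[dport]} crosses the IT/OT boundary")
    # The Plant/DMZ link is a diode: Level 3 -> 3.5 only.
    if (s, d) == (3.5, 3):
        findings.append("reverse flow across the data diode")
    return findings

def audit(flows):
    """Map each non-compliant (src, dst, dport) flow to its findings."""
    return {f: r for f in flows if (r := check_flow(*f))}

if __name__ == "__main__":
    observed = [                             # constructed flow records
        ("10.1.2.20", "10.1.1.10", 502),     # HMI -> PLC, same side of the DMZ
        ("10.1.3.30", "10.1.35.5", 443),     # historian -> DMZ replica
        ("10.1.35.5", "10.1.3.30", 443),     # DMZ -> historian (against the diode)
        ("10.4.0.50", "10.1.1.10", 502),     # ERP -> PLC directly
    ]
    for flow, findings in audit(observed).items():
        print(flow, findings)
```

Feeding it firewall or NetFlow exports keyed by the real asset register turns the network diagram into evidence that can be re-run before each audit.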

Step 2: Asset hardening

For Windows engineering workstations (commonly Rockwell / Siemens TIA):

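```powershell
# OTCC 2-3-2 baseline: disable removable media autorun
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
  -Name NoDriveTypeAutoRun -Value 255 -PropertyType DWORD -Force

# Block legacy SMBv1
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Application whitelisting via AppLocker: build rules from the installed
# engineering software, write them to XML, then apply the policy.
# $OtAppDir is a placeholder; point it at the vendor software directory.
$OtAppDir = 'C:\Program Files'
Get-AppLockerFileInformation -Directory $OtAppDir -Recurse -FileType Exe |
  New-AppLockerPolicy -RuleType Path,Publisher -User Everyone `
    -RuleNamePrefix OT -Optimize -Xml |
  Out-File -FilePath C:\OT\applocker.xml
Set-AppLockerPolicy -XmlPolicy C:\OT\applocker.xml
```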

For PLCs: disable web servers, disable telnet/FTP, enforce vendor-signed firmware only, document firmware version per device in the asset register.

Step 3: Change control

Every OT change must produce:

  • A signed change-request form including risk assessment.
  • A safety review by the process safety engineer.
  • A roll-back plan with the previous PLC program file archived to a write-once medium.
  • A post-implementation review within 48 hours.

Step 4: OT-aware monitoring

Deploy an OT IDS (Claroty / Nozomi / open-source: Malcolm + Zeek + Suricata with ICS rule packs). Sample Zeek detection logic for an unusual Modbus function:

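```zeek
@load base/protocols/modbus

module Modbus;

export {
    redef enum Notice::Type += { Write_Multiple_Registers_Untrusted };
    # Allow-list of PLC addresses; populate it from the asset register.
    const trusted_plcs: set[addr] = {} &redef;
}

# Function code 16 = Write Multiple Registers; is_orig limits the check to requests.
event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) {
    if ( is_orig && headers$function_code == 16 && c$id$resp_h !in trusted_plcs ) {
        NOTICE([$note=Modbus::Write_Multiple_Registers_Untrusted,
                $msg=fmt("Write to untrusted device %s", c$id$resp_h),
                $conn=c]);
    }
}
```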
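To show what that rule keys on at the wire level, here is an added example (not from the original guide or from any vendor product) that parses the Modbus/TCP MBAP header and applies the same allow-list test. It goes beyond the Zeek sample by covering all four standard write function codes (5, 6, 15, 16). The addresses and frames are constructed, and `TRUSTED_PLCS` is a stand-in for `trusted_plcs`.

```python
import struct

# Modbus function codes that change device state.
WRITE_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

TRUSTED_PLCS = {"10.1.1.10"}   # constructed allow-list, mirrors trusted_plcs

def parse_request(adu: bytes):
    """Parse a Modbus/TCP request; return (unit_id, function_code) or None if malformed."""
    if len(adu) < 8:                       # 7-byte MBAP header + function code
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    # Protocol id is always 0; length counts every byte after the length field.
    if proto != 0 or length != len(adu) - 6:
        return None
    return unit, adu[7]

def alert_for(dst_ip: str, adu: bytes):
    """Return an alert string for a request sent to dst_ip, or None if nothing to report."""
    parsed = parse_request(adu)
    if parsed is None:
        return f"malformed Modbus/TCP frame to {dst_ip}"
    _unit, fc = parsed
    if fc in WRITE_CODES and dst_ip not in TRUSTED_PLCS:
        return f"{WRITE_CODES[fc]} (FC {fc}) to untrusted device {dst_ip}"
    return None

# Constructed frames: FC 16 writing two registers, and FC 3 reading two registers.
WRITE_FRAME = bytes.fromhex("0001 0000 000b 01 10 0001 0002 04 000a 0102")
READ_FRAME = bytes.fromhex("0002 0000 0006 01 03 0000 0002")

if __name__ == "__main__":
    for ip, frame in [("10.9.9.9", WRITE_FRAME), ("10.1.1.10", WRITE_FRAME),
                      ("10.9.9.9", READ_FRAME)]:
        print(ip, alert_for(ip, frame))
```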

Step 5: Backup and recovery (OTCC 3-1-1)

  • Full PLC program backup on every change, retained for the asset's lifetime.
  • HMI / SCADA configuration snapshotted weekly.
  • Annual mock-recovery exercise: simulate failed PLC, restore from backup in a lab cell within 4 hours.
  • Backups stored off-site in encrypted form; key custody documented.

Common gotchas

  • "We air-gap our OT" — but the engineer's laptop also connects to corporate Wi-Fi.
  • Vendors with permanent VPN tunnels to your DCS — non-compliant.
  • USB sticks travelling between IT and OT — must be scanned at a kiosk and use a sheep-dip workstation.
  • Modbus and S7 traffic crossing the IT/OT boundary unencrypted — must terminate at the DMZ.

Verification — audit-ready evidence

  • OT asset inventory with Purdue level + firmware version per device.
  • Network diagram showing zoning, firewalls and diodes.
  • Hardened baselines per asset class, signed by the OT-CISO.
  • Change-control log for the past 12 months.
  • OT IDS detection rule pack version + signature update log.
  • Annual PLC restore-test report.

Conclusion

OT cybersecurity is a safety discipline first and an IT discipline second. Treat every change as you would a process modification: review it, document it, test it, and never touch a running plant on a Friday.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.
