Energy, Utilities & Mining Focus
Zil-Ur-Rehman, Associate, Digital & Data
Ayidh Al Kahtani, Trainee Lawyer, Digital & Data
The Saudi Critical National Infrastructure (“CNI”) sector is subject to heightened cybersecurity controls. The CNI sector comprises organizations undertaking activities in sensitive industries including energy, banking, utilities, mining, oil and gas, and national security and defence, amongst others.
Developing advanced cybersecurity abilities is one of the key priorities of the Kingdom’s contemporary vision. The National Cybersecurity Authority (“NCA”) was established by Royal Decree No. 6801 of 11 Safar 1439H (31 October 2017G). The NCA regulates cybersecurity matters in the Kingdom and is empowered to prescribe cybersecurity requirements for private entities owning or operating CNI (along with government sector entities).
CNI sector entities are subject to strict cybersecurity controls including, in particular, those developed by the NCA pursuant to and as an extension of the Essential Cybersecurity Controls 2018 (“ECC”). Obligations under the ECC include those in respect of governance, defence, resilience, third party / cloud computing and industrial control systems.
The ECC defines CNI as “essential components of the infrastructure (i.e. assets, facilities, systems, networks, processes and key operators who operate and process them), whose loss or vulnerability to security breaches may result in:
Significant negative impact on the availability, integration or delivery of basic services, including services that could result in serious loss of property and/or lives and/or injuries, alongside observance of significant economic and/or social impacts.
Significant impact on national security and/or national defense and/or state economy or national capacities”.
The NCA further developed the Critical Systems Cybersecurity Controls 2019 (“CSCC”) to supplement the ECC in respect of entities dealing in Critical Systems. The CSCC elaborates on the identification criteria for Critical Systems along with key obligations to protect information technology assets which, if compromised, may have a negative impact and significant loss on the national level. A system can be identified as a Critical System where a compromise to such system may result in:
Negative impact on national security.
Negative impact on the Kingdom’s reputation and public image.
Significant financial losses (i.e. more than one hundredth of a percent of the GDP).
Negative impact on the services provided to a large number of users (i.e. more than five percent of the population).
Loss of lives.
Unauthorized disclosure of data that is classified as Top Secret or Secret.
Negative impact on the operations of one (or more) vital sector(s).
All entities dealing with Critical Systems are obligated to comply with the controls set out in the CSCC in addition to the basic requirements of the ECC. It is unclear whether this includes third party vendors / service providers dealing with such Critical Systems for customers in Saudi Arabia, although this does seem apparent on the face of it.
There is no clarification by the NCA on this, but we note that persons supporting a Critical System, including operators and service providers, have been described as “components” of Critical Systems, along with:
Routers, switches, gateways, firewalls, cyber intrusion detection and prevention systems and devices.
Databases, storage assets, servers and operating systems.
Applications and encryption devices.
The CSCC sets out obligations solely applicable to Critical Systems. Third party vendors / service providers dealing in Critical Systems may see such requirements flow down from the customer if not directly responsible for compliance. Key requirements include:
Restricting remote access from inside the Kingdom of Saudi Arabia and verifying each access attempt by the organization’s security operations center, and continuously monitoring activities relating to remote access.
Prohibiting Critical Systems from connecting to a wireless network.
Prohibiting the transfer of any Critical Systems’ data from production environment to any other environment.
Using secure and up-to-date methods, algorithms, keys and devices in accordance with what the NCA has prescribed.
Establishing a disaster recovery center for Critical Systems.
Outsourcing and managed services of Critical Systems must rely on Saudi companies and organizations, in accordance with the relevant legislative and regulatory requirements.
Hosting of Critical Systems and any part of their technical components must be on premise or within cloud systems provided by government organizations or Saudi companies that are in compliance with NCA’s relevant requirements.
Separate to the cybersecurity controls set out in the ECC and the CSCC discussed above, entities in the CNI sector may also need to take into account other relevant requirements under Saudi law, including those contained in the following:
Data Cybersecurity Controls 2022: contains minimum cybersecurity requirements applicable to data as per the security classification levels prescribed by the NCA.
Operational Technology Cybersecurity Controls 2022: sets out the minimum cybersecurity requirements for organizations to protect their industrial control systems.
Cloud Cybersecurity Controls 2020: sets out minimum cybersecurity requirements in relation to cloud services used (including obligations for the cloud service provider).
Cloud Computing Regulatory Framework: contains requirements and protections in the context of cloud services provided to customers in Saudi Arabia, as issued by the CITC (i.e. the local telecoms regulator).
Security Directives issued by the High Commission for Industrial Security: such directives include cybersecurity requirements for sensitive industries, under supervision of the Ministry of Interior.
Considerations set out by the National Data Management Office.
Any sector specific considerations that may be relevant.
It is important for organizations owning or operating CNI in Saudi Arabia, and their third party vendors / service providers, to be aware of and comply with the relevant cybersecurity requirements in the Kingdom. The cybersecurity regulatory landscape has developed extensively in the past few years, and we expect it to continue to evolve rapidly to address the complex challenges presented by cybersecurity threats as adoption of new and emerging technologies continues to grow in the Kingdom as well as in the rest of the world. Businesses and other entities should watch this space to monitor and comply with any future developments in this respect.
For further information, please contact Zil Rehman.
Published in November 2022