OT Security in the GCC: ISA-99, IEC 62443, and Vendor Reality
ISA-99 adoption, IEC 62443 maturity, NCS supplier requirements. The state of OT security across Gulf operators.

Dr. Raphael Nagel
September 13, 2025

The word "compliance" has become the most misleading term in Gulf industrial cybersecurity, because the certificate on the wall and the configuration on the controller now point in opposite directions more often than operators care to admit.
Across the Gulf Cooperation Council, the formal architecture of operational technology security has matured at a speed few outside observers expected. National regulators in Saudi Arabia, the United Arab Emirates, Qatar, Oman, Kuwait and Bahrain have all written their controls catalogues, named their lead authority, and pointed their critical operators at ISA-99 in its IEC 62443 incarnation. The documents read well. They borrow the right structure from NIST CSF 2.0, the right vocabulary from ISO 27001, and the right zone-and-conduit logic from IEC 62443-3-3. What they cannot do, on paper, is close the gap between the written control and the actual state of a turbine controller, a tank gauge, or a substation relay that was commissioned long before any of these frameworks reached the procurement desk.
This article describes that gap from the operator's perspective. It draws on the manufacturer's view developed in BOSWAU + KNAUER. From Building to Security Technology, where the question is not whether a standard exists but whether the equipment in the field reflects it. The argument is not that GCC operators are behind. The argument is that adoption of IEC 62443 in the Gulf has reached a stage where the next gains will come from supplier discipline and asset-level rigour, not from another revision of the policy framework.
The regulatory architecture has hardened
In Saudi Arabia, the National Cybersecurity Authority publishes the Essential Cybersecurity Controls and the more demanding controls for critical systems, with the OT-specific guidance from the Saudi Aramco supplier ecosystem feeding back into national practice. In the United Arab Emirates, the UAE Cybersecurity Council and the sectoral regulators in Abu Dhabi and Dubai have built parallel structures, with ADNOC's information security standards setting the pace for upstream and downstream operators. In Qatar, the National Cyber Security Agency took over a fragmented landscape and consolidated it. In Oman, Kuwait and Bahrain, the trajectory is similar in form, even if the resources differ.
What these regulators share is the reference architecture. ISA-99, formalised internationally as IEC 62443, is the technical spine. ISO 27001 provides the management system wrapper. NIST 800-53 and CSF 2.0 are cited where the GCC documents need a familiar control catalogue for procurement language. CISA advisories on industrial control system vulnerabilities are circulated through the national CERT structures, and the BSI publications from Germany are read in translation by the more technically literate teams. The vocabulary is now consistent enough that a security manager moving from Dhahran to Abu Dhabi to Doha will recognise the categories in the audit checklist within a day.
The hardening has consequences. Tenders for upstream oil and gas, power generation, water desalination, petrochemicals and transmission infrastructure now carry IEC 62443 references as contractual requirements, not as aspirational language. Suppliers who cannot demonstrate at least IEC 62443-4-1 maturity for their secure development lifecycle find themselves struck from preferred-vendor lists. The conformity expectation in Aramco's CCC standards, in ADNOC's HSE and security frameworks, and in the equivalent documents issued by SEC, EWA and KAHRAMAA, has shifted from "consider" to "demonstrate". Operators have learned to ask for evidence at the bid stage rather than at the factory acceptance test, because rework after FAT carries costs that no project manager wants to absorb.
This regulatory weight has produced something the Gulf did not have five years ago: a baseline expectation that procurement, engineering and security speak the same language at the same table. The remaining question is whether the installed base lives up to that conversation.
What 62443 actually demands of an operator
IEC 62443 is often summarised as a zone-and-conduit standard, which captures the architectural intuition but misses most of the work. The standard is a family of documents covering general concepts, policies and procedures, system requirements and component requirements. The relevant parts for an operator are 62443-2-1 on security programme requirements, 62443-2-4 on service provider requirements, 62443-3-2 on risk assessment and system design, 62443-3-3 on system security requirements and security levels, and 62443-4-1 and 4-2 on product development and component requirements. A site that claims 62443 alignment has, in principle, addressed all of these.
In practice, the demanding parts are 62443-2-4 and 62443-3-3. The first defines what the operator must require from any service provider touching the industrial automation and control system, from the engineering firm that commissions the DCS to the contractor who replaces a flow meter on a Saturday night. The second defines the security capabilities the system itself must provide at each security level, from SL 1 against casual exposure to SL 4 against state-level adversaries with significant resources and motivation. Most GCC operators target SL 2 for general process areas and SL 3 for safety-instrumented systems and critical assets. The targets are sensible. The verification is where the discipline collapses.
A security level claim is meaningful only when it is anchored in a documented zone, a documented conduit, a documented risk assessment and a documented compensating control wherever the technical capability falls short. The standard does not require that every PLC enforce role-based access control on its own. It requires that the zone in which the PLC sits enforces the equivalent control through some combination of network segmentation, jump-host authentication, session logging and procedural restriction. Auditors who understand the standard will accept compensating controls when they are documented and tested. Auditors who do not understand the standard will tick a box because a firewall exists. Operators who confuse the two end up surprised when the next assessment, by a more competent team, reopens findings that were considered closed.
This is where the Gulf has matured unevenly. The largest national operators have built internal teams capable of the full assessment cycle, with their own people writing the zone-and-conduit diagrams, their own risk registers tied to specific consequence categories, and their own evidence packs that survive scrutiny from external auditors and reinsurers. The second tier of operators, including many midstream, utility and manufacturing assets, depends on consulting firms for the heavy lifting and on suppliers for the technical evidence. The dependency itself is not a weakness. The lack of internal capacity to challenge what the consultant delivers is.
The vendor reality, examined from the procurement side
The supplier landscape in the Gulf reflects a global industrial automation market that consolidated decades ago around a small number of platform vendors and a long tail of integrators. Siemens, ABB, Schneider Electric, Honeywell, Emerson, Yokogawa, Rockwell Automation and Hitachi Energy dominate the installed base, with regional integrators and engineering firms wrapping their products into project deliveries. Each of the platform vendors has, at this point, an IEC 62443-4-1 certification for at least one product line, and most can produce 62443-4-2 component certifications for specific controllers, gateways and engineering workstations. The certificates are real. They are also narrower than the marketing material suggests.
A 62443-4-2 certification applies to a specific version of a specific product, tested against a specific security level, in a specific configuration. The same controller deployed two firmware revisions later, with a non-default configuration, in an integration that bypasses the secure-by-default settings to accommodate legacy field devices, is no longer the certified product. It is a derivative whose security properties must be re-established by the integrator and the operator. The supplier's certificate does not transfer to the site. It transfers only the demonstrated capability that the product, properly deployed, can meet the standard.
GCC operators have learned this the hard way. The early years of 62443-driven procurement produced a wave of contracts that referenced the standard without specifying which parts, which security levels, which components and which evidence would satisfy acceptance. The result was a portfolio of installations that carried the brand of compliance without the substance. Subsequent NCA, NESA, NCSA and equivalent audits exposed the gap, and the procurement language tightened. Current Aramco and ADNOC supplier requirements specify not just the standard but the security level per zone, the evidence format, the patch management commitments, the secure remote access architecture, the incident notification thresholds and the right to audit the supplier's own development environment. Suppliers who cannot meet these terms negotiate exceptions in writing or lose the bid.
The honest reading of the current vendor landscape is that the major platform vendors can meet the requirements when the contract forces them to, and that the second-tier integrators and the long tail of niche suppliers cannot, in many cases, meet them at all. This is not a Gulf-specific problem. It is the global industrial cybersecurity market reflecting back what its customers are finally willing to demand. The Gulf is among the regions where the demand is most concentrated, because the operators are large, the regulators are aligned, and the consequences of failure are concentrated in a small number of strategic assets.
Where the installed base lags the framework
Every operator with assets older than ten years carries a portion of installed base that no security level claim can fully cover: legacy DCS and SCADA systems, safety logic solvers running superseded firmware, serial-to-Ethernet gateways installed during the last revamp, engineering workstations on operating systems that the vendor stopped supporting, and field devices whose authentication consists of a default password printed in a manual from 2007. The Gulf is no exception. The exception, if anything, is that some Gulf operators run newer plants than the European or North American average, because the asset base expanded aggressively during periods when peer regions were retrofitting.
The newer plants help, but they do not solve the problem. A new gas processing train commissioned in 2022 may be built around a current-generation DCS with proper segmentation, signed firmware and certified components, and may still share a common engineering network with a 2008 plant whose isolation depends on a switch configuration that no one has audited since commissioning. The security level of the combined environment is the security level of the weakest enforced boundary. IEC 62443-3-2 is explicit on this point. Operators who read the standard carefully understand it. Operators who read only the executive summary do not.
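As an added illustration that is not part of the article, and not any vendor's or operator's tooling, the following Python models three points made above: a 62443-4-2 certificate covers only the exact version and configuration that was tested, a compensating control counts only when it is documented and tested, and zones that share a network inherit the level of the weakest zone. The scoring rules, the product name "CTRL-X", the configuration keys and the zone data are constructed simplifications, not the standard's own evaluation method.

```python
from dataclasses import dataclass

# Constructed, simplified model of an IEC 62443 zone/conduit evidence check.
# Security levels are integers 0..4; 0 means "no demonstrated capability".

# 62443-4-2 certificates: (product, exact version) -> (tested config, capability SL)
CERTS = {("CTRL-X", "4.2"): ({"secure_boot": True, "auth": "rbac"}, 3)}

@dataclass
class Control:            # a boundary or compensating control on a conduit
    name: str
    sl: int
    documented: bool = False
    tested: bool = False

@dataclass
class Zone:
    name: str
    sl_target: int
    components: list      # (product, firmware version, deployed config) tuples
    boundary: list        # Controls enforced on conduits into the zone

def certified_sl(product, version, config, certs=CERTS):
    """SL the certificate supports as deployed; 0 if the firmware version or
    any setting of the tested configuration differs from what was certified."""
    tested_cfg, sl = certs.get((product, version), ({}, 0))
    return sl if all(config.get(k) == v for k, v in tested_cfg.items()) else 0

def enforced_sl(controls):
    """Strongest control that is both documented and tested; anything else,
    such as an unaudited switch configuration, counts for nothing."""
    return max((c.sl for c in controls if c.documented and c.tested), default=0)

def zone_sl(zone):
    """Simplification: a zone achieves the higher of its weakest certified
    component and its strongest enforced boundary control."""
    weakest = min((certified_sl(*c) for c in zone.components), default=0)
    return max(weakest, enforced_sl(zone.boundary))

def environment_sl(zones):
    """Zones on a shared network achieve the level of the weakest zone."""
    return min(zone_sl(z) for z in zones)

def shortfalls(zones):
    """Zones whose achieved level is below their target, with the level achieved."""
    return {z.name: zone_sl(z) for z in zones if zone_sl(z) < z.sl_target}

# Constructed site: three zones that share one engineering network.
ZONES = [
    Zone("2022 gas train", 3,
         [("CTRL-X", "4.2", {"secure_boot": True, "auth": "rbac"})],
         [Control("zone firewall", 3, documented=True, tested=True)]),
    Zone("2008 plant", 2,
         [("CTRL-X", "3.1", {"auth": "shared"})],          # superseded firmware
         [Control("switch VLAN isolation", 2)]),           # never audited
    Zone("tank farm", 2,  # secure boot switched off to accommodate a legacy device
         [("CTRL-X", "4.2", {"secure_boot": False, "auth": "rbac"})],
         [Control("jump host + session logging", 2, documented=True, tested=True)]),
]
```

Running `shortfalls(ZONES)` names only the 2008 plant: the tank farm meets SL 2 through its documented and tested jump host even though its controller has left the certified configuration, while `environment_sl(ZONES)` drops the whole shared network to 0 because the legacy plant's isolation was never audited.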
The categories of lag that show up consistently in Gulf assessments are familiar to anyone working in ASIS International or industrial cybersecurity circles. Patch latency on Level 2 and Level 3 systems, where the operator's change management process treats every patch as a major maintenance event. Remote access architectures that grew through expediency rather than design, with vendor connections terminating in different zones for different vendors, none of them documented in the current network diagram. Identity and access management that depends on shared accounts because the original system did not support individual ones and no one has rebuilt the access model since. Backup and recovery procedures that have not been tested against a ransomware scenario, because the safety case for the test itself was never approved. Asset inventories that are accurate at the controller level and unreliable at the field device level, which is precisely where the GDV loss data and the NICB equivalents on industrial theft suggest that exposure accumulates.
None of these gaps disqualify an operator from claiming alignment with IEC 62443. The standard accommodates them through documented compensating controls and risk acceptance. The discipline is in the documentation and in the honesty of the risk acceptance. Where the discipline holds, the framework delivers what it promises. Where the discipline slips, the certificate becomes a liability rather than an asset, because the next audit will reopen what the previous one closed, and the cost of remediation under audit pressure exceeds the cost of doing it properly the first time.
Sectoral patterns that matter
Oil and gas leads the GCC in OT security maturity, for the obvious reason that the major operators have invested in dedicated teams, dedicated budgets and dedicated supplier relationships for more than a decade. Aramco's approach, ADNOC's approach and QatarEnergy's approach differ in detail but converge on the same operational pattern. Internal OT security teams that report through engineering rather than IT. Dedicated security operations capabilities for industrial environments, separated from corporate SOC functions. Mandatory supplier conformance to specified IEC 62443 parts, audited at intake and reviewed annually. Active participation in international forums on industrial cybersecurity, with the corresponding intelligence advantage.
Power and water utilities follow closely, with the larger generation and transmission operators applying frameworks comparable to oil and gas, and the smaller distribution operators relying more heavily on national guidance and external support. Desalination is a particular focus because of its consequence profile and because the asset class concentrates in a small number of large, identifiable sites that adversaries can map.
Petrochemicals and metals show more variance. The largest integrated operators apply oil and gas standards by default. Smaller specialty chemical and metals operators, particularly those whose corporate parent sits outside the region, sometimes default to home-country practice, which in some cases lags the GCC baseline. Where this happens, the regulator notices, and the gap closes through enforcement rather than through voluntary alignment.
Manufacturing, logistics and ports are the segments where the installed base is most heterogeneous and the security maturity most uneven. The growth of automated ports in the UAE and Oman has brought new OT environments into scope, and the corresponding security architectures are generally newer and better than the regional average for legacy manufacturing. Transport and rail, particularly in Saudi Arabia and the UAE, sit closer to the utility model than to the manufacturing model because of the criticality designation and the regulatory attention that follows from it.
The pattern across sectors is consistent: maturity correlates with criticality designation, with operator size, and with the presence of an internal OT security capability that can challenge suppliers on technical grounds. The framework is the same. The execution varies with the resources committed to it.
What holds
The state of OT security in the GCC is best described as a mature framework on top of a mixed installed base, with a regulatory architecture that now forces the gap into visibility. ISA-99 in its IEC 62443 form has been adopted broadly enough that an operator without a credible alignment story will struggle to win major tenders or maintain insurance terms. The standard does its work. It exposes weaknesses that policy alone could not, and it gives both regulators and operators a common language for what good looks like.
The next phase of improvement will not come from another framework or another national policy iteration. It will come from supplier discipline, from operator capability to verify what suppliers deliver, and from the slow, expensive work of bringing legacy installations into documented, defensible architectures. The operators that lead this phase will be those who invest in internal OT security capacity rather than outsourcing the entire function, and who treat their supplier relationships as continuous engineering partnerships rather than transactional procurements.
For operators considering where to start, the diagnostic is straightforward. A confidential conversation of sixty minutes, conducted under the Path I format described in BOSWAU + KNAUER. From Building to Security Technology, will surface whether the current alignment story holds up under operator-to-operator scrutiny. Where it does not, the Path II audit produces the documented evidence that closes the loop. The framework is in place. What remains is the work.
Frequently asked questions
How widely is 62443 adopted?
Adoption across the GCC is broad at the policy and procurement level. All six national regulators reference IEC 62443 directly or through compatible national catalogues, and major operators in oil and gas, power, water and petrochemicals have built procurement language around it. Adoption at the asset level is uneven. Newer installations from major platform vendors generally meet the relevant parts in their default configurations. Legacy installations depend on compensating controls, documented to varying standards of rigour. The honest summary is that the framework is universal and the implementation is graded by operator and by asset age.
Who certifies in the Gulf?
Product certification against IEC 62443-4-1 and 4-2 is issued by accredited international bodies, including TÜV Rheinland, TÜV SÜD, exida, Bureau Veritas and DNV, rather than by GCC national authorities. Operators rely on these certificates as inputs to procurement decisions. National regulators, including NCA in Saudi Arabia, the UAE Cybersecurity Council and sectoral bodies, NCSA in Qatar and equivalents in Oman, Kuwait and Bahrain, audit operator conformance against national controls catalogues that reference 62443. The split between product certification by international bodies and operator audit by national regulators is now stable practice across the region.
Which sectors lead?
Oil and gas leads on every measurable dimension, including budget per asset, dedicated OT security headcount, supplier conformance enforcement and intelligence integration. Power and water utilities follow, with the largest generation and transmission operators close to oil and gas standards. Petrochemicals and metals show variance by operator size and corporate origin. Manufacturing, logistics and ports lag at the sector average but include outliers, particularly in newly built automated ports in the UAE and Oman, that meet or exceed utility benchmarks. The leadership pattern correlates with criticality designation and with the maturity of the internal OT security capability.
What gaps remain?
Three gaps recur in assessments. First, the gap between certified product configurations and as-deployed configurations, where integration decisions undermine the security level that the component was certified to deliver. Second, the gap between policy and verified evidence, particularly around patch latency, remote access architecture and asset inventory completeness at the field-device level. Third, the gap between supplier promises and audited supplier delivery, especially among second-tier integrators and niche vendors whose 62443-4-1 maturity is claimed but not independently verified. Closing these gaps is the operational work of the next several years, and it depends on operator capability more than on additional policy.

About the author
Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com