Critical Systems Cybersecurity Controls


Type of regulatory document: Policies and controls

The National Cybersecurity Authority (NCA) has developed the Critical Systems Cybersecurity Controls (CSCC – 1: 2019) as an extension and complement to the Essential Cybersecurity Controls (ECC), to meet the cybersecurity needs of national critical systems. The Critical Systems Cybersecurity Controls consist of 32 main controls and 73 subcontrols, divided into four main domains:

  • Cybersecurity Governance

  • Cybersecurity Defense

  • Cybersecurity Resilience

  • Third-party and Cloud Computing Cybersecurity

The Critical Systems Cybersecurity Controls are mandatory for every system that the organization owning or operating it has deemed critical under the critical systems criteria. All organizations within the scope of these controls must implement whatever is necessary to ensure continuous compliance with them.

To build a national framework such as the Critical Systems Cybersecurity Controls (CSCC – 1: 2019), the NCA aligned it with the most prominent international and local standards. To allow comparison with controls issued by other parties, the NCA has also developed a mapping of the CSCC to internationally recognized cybersecurity standards: ISO 27001:2013, the NIST Cybersecurity Framework v1.1, the CIS 20 Controls, and the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1.

Mapping columns used below: Critical Systems Cybersecurity Controls (CSCC); ISO 27001:2013; NIST Cybersecurity Framework v1.1; Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1; CIS 20 Controls.

2-1-1

In addition to the controls in ECC subdomain 2-1, cybersecurity requirements for managing information technology assets must include at least the following:

2-1-1-1 Maintaining an annually updated inventory of critical systems' assets.

2-1-1-2 Identifying asset owners and involving them in the asset management lifecycle for critical systems.

Mapping:
ISO 27001:2013: A.8, A.2.3
NIST CSF v1.1: PR.DS-3
PCI DSS v3.2.1: Req-12
CIS 20 Controls: (not listed)

2-2-1

In addition to the subcontrols in ECC control 2-2-3, cybersecurity requirements for identity and access management of critical systems must include at least the following:

2-2-1-1 Prohibiting remote access from outside the Kingdom of Saudi Arabia.

2-2-1-2 Restricting remote access from inside the Kingdom of Saudi Arabia, verifying each access attempt through the organization's security operations center, and continuously monitoring activities related to remote access.

2-2-1-3 Using multi-factor authentication for all users.

2-2-1-4 Using multi-factor authentication for privileged users, and on the systems used to manage critical systems, as stated in subcontrol 2-3-1-4.

2-2-1-5 Developing and implementing a high-standard, secure password policy.

2-2-1-6 Using secure methods and algorithms for storing and processing passwords, such as hashing functions.

2-2-1-7 Securely managing service accounts for applications and systems, and disabling interactive login for these accounts.

2-2-1-8 Prohibiting direct access to and interaction with databases for all users except database administrators. Users must access and interact with databases through applications only, and security solutions that limit or prevent database administrators' visibility of classified data should be considered.

Mapping:
ISO 27001:2013: (not listed)
NIST CSF v1.1: PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.AC-7
PCI DSS v3.2.1: 6.4, 7.1, 7.2, 8.1.1, 8.1.2, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.2, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.3, 8.3.1, 8.3.2, 8.5, 8.5.1, 8.6
CIS 20 Controls: (not listed)
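Subcontrol 2-2-1-6 asks for secure methods "such as hashing functions", but a bare fast hash does not meet the intent of the control: password storage needs a per-record random salt, a deliberately slow key-derivation function, and a constant-time comparison on verification. The following Python is an added example written for this page, not text or code from the NCA document; it uses PBKDF2-HMAC-SHA256 from the standard library, and the record format, iteration count and salt length are assumptions chosen for illustration. The weak_hash function shows the pattern the control is meant to rule out.

```python
import base64
import hashlib
import hmac
import os

# Policy parameters: assumptions for this example, not values from the CSCC text.
ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 600_000      # work factor; raise it as hardware gets faster
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """The pattern the control is meant to rule out: a fast, unsalted digest.
    Equal passwords give equal digests, so a precomputed table or one cracked
    value exposes every account sharing that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per record means equal passwords never share a digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def _parse(record: str):
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time; a plain == would leak how many leading bytes matched."""
    try:
        iterations, salt, expected = _parse(record)
    except ValueError:        # malformed record, bad base64 or unknown algorithm
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a lower work factor than current policy;
    the caller should re-hash on the user's next successful login."""
    stored_iterations, _, _ = _parse(record)
    return stored_iterations < iterations
```

The record carries its own algorithm and work factor, so the iteration count can be raised later without invalidating existing accounts: verify_password keeps accepting old records and needs_rehash tells the login path when to replace one. Argon2id or scrypt are the stronger choices where a library is available; PBKDF2 is used here because it ships in the standard library.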

2-3-1

In addition to the subcontrols in ECC control 2-3-3, cybersecurity requirements for protecting critical systems and information processing facilities must include at least the following:

2-3-1-1 Whitelisting the application and software executable files that are allowed to run on servers hosting critical systems.

2-3-1-2 Protecting servers hosting critical systems with endpoint protection solutions approved by the organization.

2-3-1-3 Applying security patches and updates at least once every month for external and internet-connected critical systems, and at least once every three months for internal critical systems, in line with the organization's approved change management mechanisms.

2-3-1-4 Allocating specific workstations in an isolated network (Management Network), separated from other networks and services (e.g., email or internet), to be used by highly privileged accounts.

2-3-1-5 Encrypting the network traffic of non-console administrative access to all technical components of critical systems, using secure encryption algorithms and protocols.

2-3-1-6 Reviewing critical systems' configurations and hardening at least once every six months.

2-3-1-7 Reviewing and changing default configurations, and ensuring the removal of hard-coded, backdoor and/or default passwords, where applicable.

2-3-1-8 Protecting systems' logs and critical files from unauthorized access, tampering, illegitimate modification and/or deletion.

Mapping:
ISO 27001:2013: (not listed)
NIST CSF v1.1: PR.PT-2, DE.CM-4
PCI DSS v3.2.1: 5.1, 5.1.1, 5.2, 5.3, 6.2, 10.4, 10.4.1, 10.4.2
CIS 20 Controls: (not listed)

2-4-1

In addition to the subcontrols in ECC control 2-5-3, cybersecurity requirements for critical systems' network security management must include at least the following:

2-4-1-1 Logically and/or physically segregating and isolating critical systems' networks.

2-4-1-2 Reviewing firewall rules and access lists at least once every six months.

2-4-1-3 Prohibiting direct connection between local network devices and critical systems, unless those devices are scanned to ensure they have security controls that meet the acceptable security levels for critical systems.

2-4-1-4 Prohibiting critical systems from connecting to a wireless network.

2-4-1-5 Protecting against Advanced Persistent Threats (APT) at the network layer.

2-4-1-6 Prohibiting internet connectivity for critical systems that provide internal services to the organization and have no strong need to be accessed from outside the organization.

2-4-1-7 Critical systems that provide services to a limited number of organizations (not individuals) shall use networks isolated from the Internet.

2-4-1-8 Protecting against Distributed Denial of Service (DDoS) attacks to limit the risks arising from them.

2-4-1-9 Allowing only whitelisting for critical systems' firewall access lists.

Mapping:
ISO 27001:2013: A.11.1.1, A.13.1.3
NIST CSF v1.1: PR.AC-3, PR.AC-5, PR.DS-7, PR.PT-4, DE.CM-4
PCI DSS v3.2.1: 1.1.4, 1.1.6, 1.2, 1.2.1, 1.2.3, 1.3.1, 1.3.6, 2.1, 2.2, 4.1.1, 6.4, 11.4
CIS 20 Controls: 9.5, 11.7, 12.3, 12.4, 14.1, 14.2, 14.3
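Subcontrols 2-4-1-2 and 2-4-1-9 require periodic review of firewall access lists and whitelist-only rules. A review that only confirms a default-deny policy at the bottom of the list can still pass a broad "allow any" placed above it, because first-match evaluation stops at that allow and the deny never runs. The Python below is an added example for this page, not a tool or text from the NCA document; the Rule format, the two sample rule sets and the addresses in them are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One access-list entry (constructed format, not a vendor syntax)."""
    action: str            # "allow" or "deny"
    src: str               # IPv4 CIDR, or "any"
    dst: str               # IPv4 CIDR, or "any"
    dport: Optional[int]   # destination port, or None for any port
    comment: str = ""

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (_contains(self.src, src_ip) and _contains(self.dst, dst_ip)
                and (self.dport is None or self.dport == dport))

    def is_specific(self) -> bool:
        """A whitelist entry names a source, a destination and a port."""
        return self.src != "any" and self.dst != "any" and self.dport is not None

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (_net_covers(self.src, other.src) and _net_covers(self.dst, other.dst)
                and (self.dport is None or self.dport == other.dport))


def _contains(net: str, ip: str) -> bool:
    return net == "any" or ip_address(ip) in ip_network(net, strict=False)


def _net_covers(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation with an implicit final deny (the default policy)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


def audit(rules: List[Rule]) -> List[str]:
    """Flag allow rules that are not whitelist entries, and rules that can never
    take effect because an earlier rule already covers everything they match."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and not rule.is_specific():
            port = rule.dport if rule.dport is not None else "any"
            findings.append(f"rule {i}: broad allow {rule.src} -> {rule.dst} "
                            f"port {port} ({rule.comment})")
        for j, earlier in enumerate(rules[:i]):
            if earlier.covers(rule):
                findings.append(f"rule {i}: {rule.action} rule is shadowed by rule {j} "
                                f"({earlier.action}); it never takes effect")
                break
    return findings


# Constructed sample rule sets. 10.20.0.0/24 stands in for the critical-system
# segment and 10.10.0.0/24 for the isolated management network of subcontrol 2-3-1-4.
SAMPLE_RULES = [
    Rule("allow", "10.10.0.0/24", "10.20.0.5/32", 443, "management network -> critical app, HTTPS"),
    Rule("allow", "any", "10.20.0.0/24", None, "'temporary' troubleshooting rule, never removed"),
    Rule("deny", "192.168.0.0/16", "10.20.0.0/24", None, "office LAN must not reach critical segment"),
]

HARDENED_RULES = [
    Rule("allow", "10.10.0.0/24", "10.20.0.5/32", 443, "management network -> critical app, HTTPS"),
    Rule("allow", "10.10.0.0/24", "10.20.0.5/32", 22, "management network -> critical app, SSH"),
    Rule("deny", "any", "any", None, "explicit default deny"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
    print(evaluate(SAMPLE_RULES, "192.168.5.7", "10.20.0.5", 22))    # rule 1 wins: allow
    print(evaluate(HARDENED_RULES, "192.168.5.7", "10.20.0.5", 22))  # deny
```

Run against SAMPLE_RULES the audit reports rule 1 as a broad allow and rule 2 as shadowed, and evaluate shows an office-LAN host reaching the critical server on port 22 despite the deny rule. HARDENED_RULES produces no findings: every allow names a source, destination and port, and the explicit deny at the end is reachable.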

2-5-1

In addition to the subcontrols in ECC control 2-6-3, cybersecurity requirements for mobile device security and BYOD in the organization must include at least the following:

2-5-1-1 Prohibiting access to critical systems from mobile devices, except for a temporary period and only after assessing the risks and obtaining the necessary approvals from the organization's cybersecurity function.

2-5-1-2 Implementing full disk encryption on mobile devices with access to critical systems.

Mapping:
ISO 27001:2013: A.7.2.2
NIST CSF v1.1: PR.IP-6
PCI DSS v3.2.1: -
CIS 20 Controls: 13.6, 15.10, 15.5, 15.9
