Location · Penetration Testing in Jubail, Saudi Arabia

Penetration testing in Jubail for the world's largest industrial city.

CyberFortify delivers manual, exploit-driven penetration testing to the petrochemical, power and desalination operators of Jubail Industrial City - a purpose-built complex where a cyber incident is a safety event, not just an IT one. We test the enterprise systems and the boundary that shields the plant, mapping every finding to the NCA Operational Technology controls and IEC 62443.

Aligned with: NCA OTCC · NCA ECC · IEC 62443 · PDPL · OWASP · PTES · NIST 800-115
OTCC
OT controls aligned
62443
Zone & conduit aware
Safe
Process-first testing
Free retest
Serving Jubail Industrial City: Petrochemicals & chemicals · power generation · water & desalination · SCADA & process control · marine & port terminals · utilities · industrial services · EPC contractors · the Royal Commission ecosystem Serving Jubail Industrial City: Petrochemicals & chemicals · power generation · water & desalination · SCADA & process control · marine & port terminals · utilities · industrial services · EPC contractors · the Royal Commission ecosystem
// Executive summary

Jubail is a city built to be a factory - the largest industrial complex of its kind, dense with petrochemical plants, power stations and desalination trains whose control systems keep processes safe. CyberFortify runs manual network and IT testing plus safe, boundary-focused OT assessment for operators here, aligned to the NCA OTCC and ECC, IEC 62443 and the Saudi PDPL. Delivered in Jubail's time zone with on-site engagements. Fixed price, audit-ready reporting, free remediation retest.

// 01 Why Jubail operators need penetration testing

In most cities a breach costs data or money. In Jubail it can cost a process. The plants that fill this industrial city run on control systems - distributed control systems, PLCs, safety-instrumented systems - that were engineered to keep reactors, turbines and desalination trains inside safe limits, long before anyone worried about a remote attacker. Wrap that OT in a modern IT estate full of contractors, vendor remote access and business connectivity, and the risk becomes the crossing point: whether an intruder who lands in email or on a corporate laptop can travel toward the systems that hold pressure, temperature and flow.

No scanner should ever be aimed at a live safety-instrumented system, and none can tell you whether your defences would stop a determined attacker. That takes a tester who understands both worlds. A disciplined assessment proves whether the demilitarised zone between business and process networks genuinely isolates them, whether a compromised vendor connection reaches further than intended, and whether an incident on the IT side would be detected before it ever approached the plant - the questions that matter when the worst case is physical.

// 02 Compliance and regulatory drivers in Jubail

Jubail's operators sit under a demanding, safety-oriented control set that reaches well beyond ordinary IT security. These are the obligations CyberFortify most often maps evidence against for organisations in the industrial city.

R.01 · Operational tech

NCA Operational Technology Cybersecurity Controls (OTCC)

The national baseline for industrial and OT environments - covering segmentation, secure remote access, hardening and technical assurance over control systems. We evidence those controls without ever endangering a running process.

R.02 · Industrial standard

IEC 62443

The global standard for industrial automation security shapes our OT work - zones and conduits, security levels and boundary validation - so results land in the language your process-control engineers and assessors already use.

R.03 · Critical infrastructure

NCA ECC & critical-sector expectations

As operators of critical national infrastructure, Jubail's plants and utilities fall under the ECC and the heightened assurance expected of essential services, including periodic penetration testing of the enterprise estate.

R.04 · Supply chain

Contractor & vendor assurance

EPC contractors and technology vendors working inside Jubail must prove their own systems and remote-access paths are tested - the connections into a plant are only as safe as the least-tested supplier holding a key.

R.05 · Data protection

Saudi PDPL

Even process-heavy operators hold employee, contractor and commercial data, and must apply appropriate technical measures under the Personal Data Protection Law. Testing evidences that this security is real, not assumed.

R.06 · Governance

ISO 27001 & NIST CSF

Operators and their service firms use ISO 27001:2022 (A.8.29) and the NIST Cybersecurity Framework to structure assurance, with independent testing supplying the technical evidence behind the paperwork.

// 03 Penetration testing services for Jubail

Jubail engagements centre on the IT/OT boundary, with supporting tests across the enterprise surface. Which service leads depends on the operation - process operators prioritise segmentation and remote-access testing, while contractors and shared-service firms add web, cloud and API work.

A.02

Network pen testing

External perimeter, internal Active Directory, IT/OT segmentation and vendor remote-access testing - the core assessment for a Jubail operator.

A.07

Red teaming

Goal-based simulation asking the decisive question: would an intrusion be detected and stopped before it reached the process network?

A.01

Web application pen testing

Manual testing of operations portals, contractor platforms and corporate applications against the OWASP Top 10 and business-logic abuse.

A.04

Cloud pen testing

Configuration-aware testing of the analytics, historian and enterprise workloads operators increasingly run in cloud.

A.05

API pen testing

Testing of telemetry, integration and supplier APIs that bridge industrial and business systems - authorisation flaws and over-trusting connections.

A.03

Mobile app pen testing

iOS and Android testing for the field, permit-to-work and workforce apps used across Jubail's operations.

// 04 How we deliver to Jubail

Jubail keeps our exact clock - Arabia Standard Time, UTC+3 - and sits within easy reach of our Gulf base for on-site work. IT-side testing runs remotely from our secure environment; anything touching the plant is scheduled tightly with your operations, HSE and OT teams around turnaround windows and change control.

What runs remotely

External perimeter, web, cloud and API testing delivered from our secure environment during Jubail business hours, with Arabic- or English-language read-outs and immediate escalation of anything critical.

What we do on-site

Internal network, DMZ, wireless, segmentation and OT-boundary review at your Jubail facility, coordinated with operations and safety so no production process is ever touched outside agreed, controlled conditions.

Every engagement opens with a free 30-minute scoping call. For OT work, safety constraints, permitted techniques and escalation paths are fixed in writing before anything starts - alongside the fixed-price quote and a free remediation retest.

// 05 Industries we secure in Jubail

Jubail's economy is heavy industry, built around process and utilities. CyberFortify tests across the sectors that define the city's risk profile:

Petrochemicals & chemicalsComplexes · downstream · specialty chemicals
Power generationIPPs · cogeneration · grid connections
Water & desalinationDesalination trains · water utilities · SWRO
Marine & portsIndustrial port · terminals · logistics
Industrial servicesEPC contractors · maintenance · integrators
Shared & corporate servicesOperator HQs · enterprise IT · utilities admin

// 06 Our methodology

Every Jubail engagement follows the same disciplined, audit-defensible process CyberFortify runs worldwide, with OT safety built into every step. IT testing is grounded in the Penetration Testing Execution Standard (PTES) and NIST SP 800-115, with exploitation mapped to the relevant MITRE ATT&CK tactics, including the ATT&CK for ICS knowledge base; OT work follows the IEC 62443 zone-and-conduit model and stays non-disruptive. As a CREST Accreditation Pathway firm, we lead with manual testing and never turn automation loose on live control systems.

01

Scoping & safety agreement

Targets, IT/OT boundaries, permitted techniques, safety constraints and escalation paths agreed in writing before any testing begins.

Fixed quote in 1h
02

Reconnaissance & threat modelling

Attack surface mapped and prioritised against the intrusion paths that could threaten a Jubail process environment.

ATT&CK for ICS
03

Controlled exploitation

Weaknesses exploited on the IT side and validated at the OT boundary under agreed, safe conditions - the process is never the target.

Process-first
04

Reporting & free retest

Executive summary, CVSS-scored technical report and OTCC and IEC 62443 mapping - followed by a free retest once fixes ship.

Audit-ready

// 07 Why CyberFortify for Jubail

An IT-only scan vendor

A team that treats a petrochemical operator like an office network - unsafe near OT, blind to the process boundary, and delivering findings that an OTCC or IEC 62443 assessor cannot use.

CyberFortify in the Gulf

A Gulf-based, CREST-pathway team that respects the plant. Real manual exploitation on the IT side, safe boundary validation on the OT side, findings mapped to NCA OTCC and IEC 62443, fixed pricing and a free remediation retest.

Jubail engagements almost always combine network and segmentation testing with a red team exercise - proving not just that a gap exists, but that a real intrusion would be caught before it mattered.

// 08 Frequently asked questions

Is it safe to penetration-test a live plant in Jubail?

Yes, because we do not blindly attack production. In Jubail's live petrochemical, power and desalination environments we lead with passive analysis and architecture review, run active testing on the IT and business side and on offline or non-production OT segments, and focus on the boundary between them. Any activity that could touch a running process is agreed with your operations and safety teams in advance and performed under controlled conditions - never improvised.

Do you align with the Royal Commission and NCA OTCC requirements?

Yes. Operators inside Jubail Industrial City work within the Royal Commission's oversight and, for cybersecurity, the NCA Operational Technology Cybersecurity Controls and IEC 62443. We test and evidence the segmentation, secure remote access and technical-assurance expectations those frameworks set, and format findings so they slot into your existing OT security governance.

What parts of an industrial operation do you actually test?

The enterprise IT estate, the DMZ and jump-host layer between IT and OT, remote-access and vendor connections into the plant, wireless, and the segmentation that is meant to keep the process network isolated. On the OT side we validate architecture and exposure rather than exploit live controllers, so you learn where an attacker could reach without risking a single process.

Can you test power, water and desalination operators as well as petrochem?

Yes. Jubail's critical infrastructure spans petrochemical complexes, power generation, and one of the world's largest desalination footprints - all control-system-heavy and all in scope for OT cybersecurity assurance. Our approach is the same across them: protect the process, prove the boundary, and evidence the controls the NCA and IEC 62443 expect.

How fast can we get a quote for a Jubail engagement?

After a free 30-minute scoping call - which for OT work includes agreeing safety and change-control constraints - we return a fixed-price quote, usually within one hour and always within one business day. Every engagement includes a free remediation retest once fixes ship.

Ready for a pen test in Jubail?

Book a free 30-minute scoping call. Our Gulf-based team will recommend the right model and quote a fixed-price engagement - usually within the hour.

Schedule scoping call → Contact CyberFortify →