1 Scope
2 Conflicts and Deviations
3 References
4 Definitions
5 Process Automation Network Design
6 Wiring System
7 PAN Router and Switch Access and Monitoring Design Requirements
8 Operating System and Network Device Hardening
9 Centralized Patch Server
10 Backup and Recovery
11 System Testing
12 Documentation
1 Scope
1.1 This standard establishes the requirements for design, installation, configuration
and commissioning of Process Automation Networks (PANs), which shall
interface with plant DMZ (Demilitarized Zone) to communicate with the Saudi
Aramco Corporate Network or third party external networks. Process Automation
Network (PAN) is a plant wide network interconnecting Process Control Systems
(PCS) that provides an interface to the Corporate Network through plant DMZ.
A PAN does not include proprietary process control networks provided as part of
a vendor's standard process control system.
Parties involved in the commissioning of PANs are required to comply with this
standard.
1.2.2 The requirements and guidelines governing the engineering, design and
installation of Supervisory Control and Data Acquisition (SCADA) are
covered in SAES-Z-004.
1.3 This entire standard may be attached to and made a part of purchase orders.
Document Responsibility: Process Control Standards Committee SAES-Z-010
Issue Date: 26 June 2014
Next Planned Update: 1 September 2017 Process Automation Networks
2 Conflicts and Deviations
2.1 Any conflicts between this standard and other applicable Saudi Aramco
Materials System Specifications (SAMSSs), Engineering Standards (SAESs),
Engineering Procedures (SAEPs), Standard Drawings (SASDs), or other
Mandatory Saudi Aramco Engineering Requirements (MSAERs) shall be
resolved in writing by the Company or Buyer Representative through the
Chairman, Process Control Standards Committee, Process & Control Systems
Department, Dhahran.
2.2 Direct all requests to deviate from this standard in writing to the Company or
Buyer Representative, who shall follow internal company procedure SAEP-302
and forward such requests to the Manager, Process & Control Systems
Department of Saudi Aramco, Dhahran.
3 References
The selection of material and equipment and the design, construction, maintenance, and
repair of equipment and facilities covered by this standard shall comply with the latest
edition of the references listed below, unless otherwise noted.
Corporate Policy
INT-7 Data Protection and Retention
4 Definitions
the client and the OPC Server is either through the Microsoft COM interface or through
OLE Automation, and the client accesses data from the data cache maintained by the
OPC Server or requests that the server read the device directly.
Physical Separation: use of different hardware to separate two or more networks and
systems.
Process Automation Network (PAN): A plant-wide network interconnecting Process
Control Systems (PCS) that provides an interface with the plant DMZ to communicate with
the Corporate Network or third party external networks. A PAN does not include
proprietary process control networks provided as part of a vendor's standard process
control system.
Scan Node: Scan Nodes run interfaces. Interfaces get the data from the data sources
and send it to the plant historian servers. Each different data source needs an interface
that can interpret it.
Secured Node: A server or a workstation located in a room with controlled physical
access. It is assigned a fixed IP address and the remote desktop service is disabled;
however, the remote desktop client can be enabled. Access to the room must be logged
with information such as name, date, time of entry/exit and type of activity.
Server: A server is a dedicated un-manned data provider.
Virtual Private Network (VPN): A private communications network existing within a
shared or public network platform (i.e., the Internet).
Abbreviations:
CCTV - Closed Circuit Television
CSMA/CD - Carrier Sense Multiple Access / Collision Detection
DAHS - Data Acquisition and Historization System
DCS - Distributed Control Systems
DHCP - Dynamic Host Configuration Protocol
DMZ - Demilitarized Zone
DNS - Domain Name System
FTP - File Transfer Protocol
IP - Information Protocol
LAN - Local Area Network
OSI - Open Systems Interconnection
PAN - Process Automation Network
5 Process Automation Network Design
5.1 The PAN shall be based on IEEE 802.3 CSMA/CD (Ethernet) standard.
The backbone shall be based on Layer 3 multi-protocol switches or routers.
5.2.1 The network design shall provide physical and logical separation between
the PAN and all other networks, such as the Saudi Aramco Corporate Network,
using the SAES-T-566 standard, titled “Plant Demilitarized Zone (DMZ)
Architecture”.
5.3 PAN can be used to integrate auxiliary systems on a single network such as
Emergency Shutdown Systems, Compressor Control Systems, Vibration
Monitoring Systems, etc., for the purpose of centralizing the engineering and
maintenance activities of the plant.
5.4.1 Remote control from Corporate Network or Internet even through the
plant firewall is not permitted.
5.6 All TCP/IP addressing shall be obtained from Saudi Aramco IT Organization.
5.8 Dynamic Host Configuration Protocol (DHCP) shall not be used on the PAN.
local PI server(s). The DMZ local PI server reads and collects data from
the PI scan node located in the PAN through the Plant-DMZ firewall. The PI scan
node will be interfaced to the Plant Process Automation Systems to get real-time
data, and the server, which is called the Data Collector, will allow captured
process data to be stored in a time-series database with accurate time stamping
and will send it to the local DMZ PI server.
Corporate Plant Historian Server(s) shall be on Corporate Network (CN) and
it shall be Saudi Aramco standard (IT) server hardware.
Corporate Plant Historian shall be accessed within the plant using Corporate
Network.
Local PI server and PI Interface Server, which has PI-to-PI interface on the DMZ.
PI-to-PI Interface shall transfer data between two PI Servers that are
separated by a DMZ and Firewalls.
6 Wiring System
6.3 Fiber Optic Cable routed to another cabinet shall be run in Polyethylene
Corrugated Loom Tubing or flexible conduit at a minimum.
6.4 Corrugated Loom Tubing or flexible conduit is not required inside cabinets.
6.5 PAN cabling shall conform to “The Data Link” requirements in SAES-J-902
(Electrical Systems for Instrumentation).
6.6 PAN cabinets shall be designed in accordance with Saudi Aramco Materials
System Specification 34-SAMSS-820 without affecting the accessibility and
safety.
7 PAN Router and Switch Access and Monitoring Design Requirements
7.1.1 Management of passwords, User IDs and User Role privileges of servers
and workstations shall be done via a central server connected to the PCS
system.
7.1.4 The system should be configured to require passwords to be reset for all
User IDs every six months.
7.1.5 The system should issue a password expiration notification to the user at
least 10 days prior to password expiry date.
7.1.7 In order to change user account passwords, users should always be required
to provide both their old and new passwords, if supported by the system.
7.1.8 PAN router and switch passwords shall be changed prior to commissioning.
7.1.9 PAN routers and switches should monitor and record all failed login
attempts.
7.2.2 Repeated login failures shall be logged with the location, date, time and
user account used.
7.2.3 At login time, every user should be given information reflecting the last
login time and date, if supported by the system or application. This will
allow unauthorized system usage to be detected.
7.3 Using wireless technologies such as ISA 100.11a and WiFi in the Process
Automation Network or to extend the PAN is permitted with prior approval
from the P&CSD Manager.
7.4 PAN equipment that contains data storage shall be sanitized in compliance with
GI-0299.120, when disposed of.
7.5.1 The PAN shall be configured for the monitoring and recording of:
Unexpected users logged on the system.
Users from unexpected hosts logged on.
Users logged on at unexpected times.
Login failures.
Logins from unknown hosts.
Failed access to system files.
Changes to the system date and/or time.
System reboots and shutdowns.
Use of remote console facility.
Integrity of system security files.
Users without passwords.
Users with passwords similar to their login names.
Users with passwords of fewer than six characters.
Users who are not required to change their passwords every 120 days.
Users who are not required to use unique passwords.
Inappropriate accesses to system files.
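The following is an added example, not part of SAES-Z-010 or of any vendor tooling. It shows how several of the 7.5.1 login conditions can be checked against login records, with each finding carrying the date, time, source host and user account that 7.2.2 asks for. The log format, account names, addresses, working hours and failure threshold are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Assumed site baseline (hypothetical values, not taken from the standard).
AUTHORIZED = {"eng01": {"10.10.1.5"}, "ops02": {"10.10.1.6", "10.10.1.7"}}
KNOWN_HOSTS = {"10.10.1.5", "10.10.1.6", "10.10.1.7"}
WORK_HOURS = range(6, 18)   # logins outside 06:00-17:59 count as unexpected
FAIL_THRESHOLD = 3          # failures per user+host before "repeated" is raised

# Constructed sample events: "ISO-time|user|source-host|result"
SAMPLE_LOG = """\
2014-06-26T07:58:10|eng01|10.10.1.5|OK
2014-06-26T08:01:44|ops02|10.10.1.5|OK
2014-06-26T08:05:02|temp9|10.10.1.6|OK
2014-06-26T23:40:31|eng01|10.10.1.5|OK
2014-06-26T09:12:00|ops02|192.0.2.44|FAIL
2014-06-26T09:12:05|ops02|192.0.2.44|FAIL
2014-06-26T09:12:09|ops02|192.0.2.44|FAIL
"""

def review(log_text):
    """Return a list of (timestamp, user, host, finding) tuples."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, result = line.strip().split("|")
        when = datetime.fromisoformat(ts)
        def flag(msg):
            findings.append((ts, user, host, msg))
        if host not in KNOWN_HOSTS:
            flag("login from unknown host")
        if result == "FAIL":
            flag("login failure")
            failures[(user, host)] += 1
            if failures[(user, host)] == FAIL_THRESHOLD:
                flag("repeated login failures")
            continue
        if user not in AUTHORIZED:
            flag("unexpected user logged on")
        elif host not in AUTHORIZED[user]:
            flag("user logged on from unexpected host")
        if when.hour not in WORK_HOURS:
            flag("user logged on at unexpected time")
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(*f, sep="  ")
```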
7.5.2 PAN switches and routers shall be configured to capture all related
events to detect performance and availability related problems.
This must be a vendor approved solution.
7.6.1 The PAN hardware components such as cables, switches, routers and
modems are vulnerable to vandalism and electronic eavesdropping and
shall be physically secured.
8 Operating System and Network Device Hardening
8.1 PAN equipment shall be deployed with the vendor's latest supported
security-hardened operating system.
8.2 The secure configuration baselines shall be thoroughly tested by the vendor.
The vendor shall enable the PAN administrators to support and administrate the
PAN equipment after deployment and commissioning.
8.3 Unused physical ports/interfaces on PAN equipment shall be disabled prior to
commissioning.
9 Centralized Patch Server
A centralized patch server shall be located on the PAN or DMZ to distribute operating
systems’ security patches, antivirus updates, and vendor application software to stations
located on PAN or DMZ. This centralized server shall be used for stations connected to
the PAN, which are part of other systems such as PCS or emergency shutdown systems.
10 Backup and Recovery
A complete backup of PAN switches, routers, and PAN systems configuration shall be
developed for new installations or upgrades of PAN equipment. This includes:
10.4 One copy shall be stored in a secure onsite location and the other copy shall be
maintained at a secure off-site location.
11 System Testing
11.1 Testing shall address all Plant components, networking and interfaces to
external systems and to legacy applications/system. Formal testing shall
minimally comprise Factory Acceptance Test (FAT) per SAEP-1634, Site
Acceptance Tests (SAT) per SAEP-1638, Performance Acceptance Tests (PAT),
and Preparation of Integration Test Procedure Document SAEP-1630.
11.2 Comprehensive test plans and test specifications such as SAEP-701 “Plant Ethernet
Network Test Procedure” shall be followed for all plant platforms, networking,
applications, integration components, interfaces to external systems and legacy
applications/systems, and any additional technology content of the project.
12 Documentation
Comprehensive documentation shall be provided to ensure that the PAN is installed and
configured in a consistent manner. It shall include detailed layouts of TCP/IP addressing
schemes and all other network protocols used in the system. The documentation shall
also include physical locations of systems components like routers, and switches.
The following shall be made available:
12.1 Standard vendor manuals and catalogs shall be provided in CD-ROM or other
electronic media. Formats should be in PDF or HTML.
12.3 Final project specific documents in two signed hard copies plus two (2) sets of
CD-ROM in Microsoft Word.
12.4 A plant network drawing layout showing the PAN logical and physical design
and its interconnection to the Corporate Network.
12.6 All PAN software shall be authentic, supported, and up to date with security
patches, fixes or other revisions. Software licenses, activation keys and, where
available, offline backup media shall be provided as part of the equipment
documentation.
Revision Summary
1 September 2012: Major revision to include value engineering study’s comments and recommendations.
2 July 2013: Minor revision to reflect the new DMZ requirements in Plant Demilitarized Zone (DMZ) Architecture Requirements.
26 June 2014: Editorial revision to change the primary contact from Plant Networks Unit