1 Scope
2 Conflicts and Deviations
3 Applicable Documents
4 Definitions
5 Instructions
6 Responsibilities
7 Training
8 Appendix
1 Scope
1.1 Purpose
1.2 Application
This procedure applies to the plant IT managed firewall(s) and all PAS
components below it. The scope of this procedure includes, but is not limited to:
1.2.4 The plant DMZ and all of its components per SAES-T-566.
1.3 Exclusions
1.3.1 Any requirement that is not supported by the system shall constitute the
implementation of mitigating controls that are approved by the plant
manager. These mitigation controls shall be based on a formal risk
assessment/business impact analysis.
1.3.2 This procedure does not cover Saudi Aramco Industrial Security
requirements such as gate access, door thickness, lock types or concrete
structure.
SAEP-99, Process Automation Networks and Systems Security
Document Responsibility: Plants Networks Standards Committee
Issue Date: 29 October 2015
Next Planned Update: 29 October 2018
1.3.3 Applications or systems that are not utilized for any process automation
function and not connected to the PAN.
This procedure is retroactive in nature and applies to all Saudi Aramco Plant
organizations for existing installations. Additional responsibilities are
highlighted in Section 6 of this document.
1.5 The security requirements address the following eight security domains:
o Access Control Systems and Methodology.
o Communications and Networks Security.
o Security Management Practices.
o Applications and Systems Development Security.
o Security Architecture and Models.
o Operations Security and Management.
o Disaster Recovery Planning (DRP).
o Physical Security.
2.1 Any conflicts between this procedure and other applicable Saudi Aramco
Engineering Standards (SAESs), Materials System Specifications (SAMSSs),
Standard Drawings (SASDs), or industry standards, codes, and forms shall be
resolved in writing by the Manager of Process & Control Systems Department
(P&CSD) of Saudi Aramco, Dhahran.
2.2 Direct all requests to deviate from any mandatory security requirement of this
procedure in writing to the Manager of P&CSD of Saudi Aramco, Dhahran in
accordance with SAEP-302.
3 Applicable Documents
The requirements contained in the following documents apply to the extent specified in
this procedure.
Corporate Policy
INT-7 Data Protection and Retention
4 Definitions
4.1 Abbreviations
ACL Access Control List
AD Active Directory
ANSI American National Standards Institute
CSA Computer Security Administration
DC Domain Controller
DCS Distributed Control System
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Service
DRP Disaster Recovery Planning
DSS Decision Support System
ESD Emergency Shutdown Systems
FTP File Transfer Protocol
GOI General Operating Instructions
IOS Internetwork Operating System
IPS Intrusion Prevention System
MOC Management of Change
NDA Non-Disclosure Agreement
NIST National Institute of Standards and Technology
PAN Process Automation Network (also: Plant Information Network)
PAS Process Automation System
PIB Process Interface Buildings
PCN Process Control Network
PCS Process Control Systems
P&CSD Process & Control Systems Department
PLC Programmable Logic Controller
PMS Power Monitoring System
RDP Remote Desktop Protocol
SAES Saudi Aramco Engineering Standard
SCADA Supervisory Control and Data Acquisition
4.2 Definitions
Asset: An asset is anything that has value to the organization and which
therefore requires protection. Bear in mind that a plant system consists of more
than just hardware and software.
Backup: A data image stored separately from the original, for use if the
original becomes lost or damaged.
Firewire: An IEEE 1394 high performance serial bus standard for connecting
devices to computers.
Primary Assets: Those assets whose compromise will, in any way possible,
hinder the organization from accomplishing its business objective(s):
Information
Core Business Processes
Remote Access: The ability of a user to connect to a network asset (system, device
or application) from a distant location. When connected, the user can monitor or
manipulate the configuration to modify or update the asset’s capabilities.
Secure Room: A room within the plant premises, i.e., CCR or Server rooms, where
physical security controls such as access identification, authorization and
logging are applied.
or security policy.
5 Instructions
In this procedure, the terms “must”, “shall”, “should” and “can” are used. When must
or shall is used, the item is a mandatory requirement. When should is used, the item is
strongly recommended but not mandatory. When can is used, compliance may further
enhance the system security but compliance is optional.
5.1.2 Access to PCS operating systems and PCN devices for administration
purposes shall be restricted to PAN administrators.
5.1.3 Access to PCS applications for Plant operation and control purposes
shall be restricted to Plant authorized Operators and Operations
Supervisors.
5.1.7 For systems with password authentication, the following shall apply:
a. Passwords shall have a minimum length of eight characters.
b. The system shall be configured to enforce password uniqueness.
A minimum of six unique passwords must be entered before a
5.1.8 For systems with hardware key authentication, the following shall apply:
a. The shift coordinator or his delegated shift supervisor shall be
responsible for keeping and issuing the keys.
b. The keys should be restricted to authorized individuals.
c. The use of hardware keys shall be logged.
d. The key shall be securely stored within the facility and be available
after regular working hours.
e. The keys should only be used for the duration required.
f. Key logs should be reviewed on an annual basis to ensure that keys
are appropriately secured and accounted for.
g. The hardware key shall not be used for administrative purposes.
Table 1
5.5.2 The PAN administrator shall utilize an automated (SIEM) solution that
securely integrates with Saudi Aramco corporate SOC to monitor and
analyze security log events.
The following are the requirements for Disaster Recovery Planning (DRP) for
Saudi Aramco PAS:
a. The Plant organization is responsible for developing a DRP that covers all
PAS installed in the plant.
b. The PAS DRP shall be developed based upon a formal Risk Assessment or
Business Impact Analysis.
c. The DRP document shall provide instructions on restoring the plant
operation and resuming production promptly without impacting safety and
the impeded investment of plants assets and personnel.
d. A team within each plant organization shall be established and well trained
to develop, implement, test, use and maintain the DRP.
e. Key personnel list shall be clearly identified including plant personnel,
support organizations and vendors.
f. The DRP shall define the data backup strategy identifying the systems to
backup, files to backup, the storage media, the locations of the storage and
the storage retention.
g. The DRP shall be addressed as part of the overall plant process disaster
response plan.
h. The PAS DRP shall be reviewed, updated, tested and approved once a
year, documenting such reviews in writing.
i. If change(s) to PAS infrastructure take place within the annual review
cycle, the DRP shall be reviewed, updated, tested, and approved as soon as
possible after the changes are commissioned. Accordingly, the new test
date will be one year from the last revision.
j. Testing of the recovery procedure shall be documented. The DRP
document shall be updated to reflect and resolve any new issues arising
Wireless networks operated in plant environment shall meet the procedural and
configuration requirements by the wireless network vendor and/or Section 10.3.4
“Wireless Network & Portable Device Security Standards and Guidelines” of
Saudi Aramco Information Protection Manual.
6 Responsibilities
Plant management and their designated operating staff are responsible for the
implementation of this procedure.
7 Training
Revision Summary
29 October 2015 Major revision to reflect Audit IS2015-426 observations.
Appendix A
Primary Assets
1. Business Processes, for example:
a. Processes whose interruption leads to partial/complete loss of production.
b. Processes that, when lost or degraded, make it impossible to carry out the
organization’s mission.
c. Processes involving proprietary/patented technology.
d. Processes that are necessary for the organization to comply with contractual,
legal or regulatory requirements.
2. Information. Primary information mostly includes:
a. Information vital for the organization to conduct its business/mission.
b. Strategic information pertaining to corporate strategic objectives.
c. High-cost information whose lifecycle from gathering until destruction requires a
long time and/or high acquisition cost.
Supporting Assets
1. Hardware
a. Any physical element supporting a primary asset falls under the hardware
category:
b. Data processing equipment (active)
c. Transportable equipment, e.g., laptops, PDAs, etc.
d. Fixed equipment used on the company’s premises, e.g., server or workstation.
e. Processing peripherals are equipment connected to a communication port (serial,
parallel, etc.) for entering, conveying or transmitting data. Examples include
printers, removable disk drives, etc.
f. Passive data medium used for storing data.
g. Electronic medium connected to a computer/computer network for data storage
such as floppy disc, CD ROM, back-up cartridge, removable hard disc, memory
key, tape.
2. Software
a. Operating system.
b. Service, maintenance or administration software.
c. Standard, off-the-shelf software.
d. Business application, whether it is a standard or a custom one.
3. Network
a. Communication media and equipment. Examples include PSTN, Ethernet,
ADSL, Wi-Fi 802.11, Bluetooth, etc.
b. Passive or active relay such as bridges, routers, hubs, switches, automatic
exchange.
c. Communication interface such as Network Interface Card (NIC), General Packet
Radio Service (GPRS).
4. Personnel
a. Management staff
b. Operations staff
c. Maintenance staff
d. Engineers
e. Administrators