  • Scope: Defines the mandatory security requirements for Process Automation Systems within specified applications, components, and exclusions.
  • Applicable Documents: Lists the related engineering procedures and documents that are referenced in the standard.
  • Conflicts and Deviations: Outlines procedures for addressing conflicts and deviations from the defined requirements, including how to obtain waivers.
  • Definitions: Provides definitions for key terms and acronyms used within the document such as Access Control List and Active Directory.
  • Instructions: Details the instructions for implementing the security procedures outlined in the scope, including user account policies and network security.
  • Security Management Practices: Describes recommended practices for maintaining and managing security within the systems, including awareness training and audits.
  • Security Architecture and Models: Explains the architectural models and network security controls required to protect the network infrastructure.
  • Operations Security and Management: Discusses operational security measures and management practices necessary for overseeing network operations securely.
  • Disaster Recovery Planning: Outlines the disaster recovery planning requirements to ensure business continuity in the event of system failure.
  • Systems Backup and Restore: Provides procedures for system backups and restoration to safeguard data integrity and availability.
  • Physical Security: Describes the physical security measures necessary to protect equipment and sensitive information within secure boundaries.
  • Responsibilities: Defines the roles and responsibilities of personnel involved in managing security tasks and maintaining compliance.
  • Training: Specifies training requirements for administrators responsible for Process Automation Networks and PCS systems, emphasizing skill development and procedure awareness.

Engineering Procedure

SAEP-99 16 February 2013


Process Automation Networks and Systems Security
Document Responsibility: Communications Standards Committee

Saudi Aramco DeskTop Standards


Table of Contents

1 Scope
2 Conflicts and Deviations
3 Applicable Documents
4 Definitions
5 Instructions
6 Responsibilities
7 Training

Previous Issue: 18 July 2012 Next Planned Update: 6 November 2015


Revised paragraphs are indicated in the right margin
Primary contact: Harbi, Saad A. on 966-3-8801360
Abu Alsaud, Zakarya Abdulelah on 966-3-8801358

Copyright©Saudi Aramco 2013. All rights reserved.


Document Responsibility: Communications Standards Committee SAEP-99
Issue Date: 16 February 2013
Next Planned Update: 6 November 2015 Process Automation Networks and Systems Security

1 Scope

1.1 Purpose

This procedure provides the minimum mandatory security requirements for
Process Automation Systems (PAS), including its communication and networking
infrastructure. This procedure addresses “general” Plant operational security
requirements. More specific non-retroactive security requirements can be found
in relevant system standards such as SAES-Z-001, SAES-Z-004, or SAES-Z-010.

1.2 Application

This procedure applies to the plant firewall(s) and all PAS components below it.
The scope of this procedure includes, but is not limited to:

1.2.1 Information Networks and Systems hardware and software such as
Process Automation Network (PAN), Distributed Control Systems
(DCSs), Emergency Shutdown Systems (ESD), Programmable Logic
Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA)
systems, Terminal Management Systems (TMS), networked electronic
sensing systems, Power Monitoring System (PMS), Vibration
Monitoring (VMS), Multivariable Control applications (MVC), Smart
Valve Monitoring System (SVMS), Process Gas Chromatograph Data
(PGCD), Corrosion Monitoring System (CRMS), Closed-Circuit
Television (CCTV), Domain Controller (DC) and other monitoring,
diagnostic and related industrial automation and control systems.

1.2.2 Associated internal, human, network, or machine interfaces used to
provide control, safety, maintenance, quality assurance, and other
process operations functionalities.

1.2.3 Firewall equipment used to interface PAN to corporate and third party
networks such as CoGen.

1.3 Exclusions

1.3.1 Any requirement that is not supported by the system is automatically
excluded upon vendor’s certification. This does not apply to systems
certified by SAEP-135 as obsolete.

1.3.2 This procedure does not cover Saudi Aramco Industrial Security
requirements such as gate access, door thickness, lock types or concrete
structure.

1.3.3 Applications or systems that are not utilized for any process automation
function and not connected to the PAN.

1.4 Responsible Organizations

This procedure is retroactive in nature and applies to all Saudi Aramco Plant
organizations for existing installations. Additional responsibilities are
highlighted in Section 6 of this document.

1.5 The security requirements address the following eight security domains:
o Access Control Systems and Methodology.
o Communications and Networks Security.
o Security Management Practices.
o Applications and Systems Development Security.
o Security Architecture and Models.
o Operations Security and Management.
o Disaster Recovery Planning (DRP).
o Physical Security.

2 Conflicts and Deviations

2.1 Any conflicts between this procedure and other applicable Saudi Aramco
Engineering Standards (SAES's), Materials System Specifications (SAMSS's),
Standard Drawings (SASDs), or industry standards, codes, and forms shall be
resolved in writing to the Manager of Process & Control Systems Department
(P&CSD) of Saudi Aramco, Dhahran.

2.2 Direct all requests to deviate from any mandatory security requirement of
this procedure in writing to the Manager of P&CSD of Saudi Aramco, Dhahran in
accordance with SAEP-302.

3 Applicable Documents

The requirements contained in the following documents apply to the extent specified in
this procedure.

3.1 Saudi Aramco References

Saudi Aramco Engineering Procedures

SAEP-302 Instructions for Obtaining a Waiver of a Mandatory Saudi Aramco Engineering Requirement
SAEP-135 Saudi Aramco Process Automation Systems (PAS) Obsolescence Program
SAEP-1050 Guideline for Disaster Recovery Plan Development for Decision Support System

Saudi Aramco Engineering Standards

SAES-Z-001 Process Control Systems
SAES-Z-004 Data Acquisition (SCADA) Systems
SAES-Z-010 Process Automation Networks Connectivity

Saudi Aramco Engineering Reports

SAER-6123 Process Automation Networks Firewall Evaluation Criteria

Saudi Aramco General Instructions

GI-0710.002 Classification of Sensitive Information
GI-0299.120 Sanitization and Disposal of Saudi Aramco Electronic Storage Devices and Obsolete/Unneeded Software
GI-0431.001 Protection of Intellectual Property

Saudi Aramco Information Protection Manual (IPM)

IPSAG-007 Computer Accounts Security Standards & Guidelines
IPSAG-008 Wireless Network & Portable Device Security Standards and Guidelines

Corporate Policy

INT-7 Data Protection and Retention

3.2 Industry Codes and Standards

Institute of Electrical and Electronics Engineers, Inc.

IEEE 1394 Standard for a High Performance Serial Bus

4 Definitions

4.1 Abbreviations
ACL Access Control List
AD Active Directory
ANSI American National Standards Institute
CCNU Communication & Computer Networks Unit
CSA Computer Security Administration
DC Domain Controller
DCS Distributed Control System
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Service
DRP Disaster Recovery Planning
DSS Decision Support System
ESD Emergency Shutdown Systems
FTP File Transfer Protocol
GOI General Operating Instructions
IOS Internetwork Operating System
IPS Intrusion Prevention System
MOC Management of Change
NDA Non-Disclosure Agreement
NIST National Institute of Standards and Technology
PAN Process Automation Network (also: Plant Information Network)
PAS Process Automation System
PIB Process Interface Buildings
PCS Process Control Systems
P&CSD Process & Control Systems Department
PLC Programmable Logic Controller
PMS Power Monitoring System
SAES Saudi Aramco Engineering Standard
SCADA Supervisory Control and Data Acquisition
SDH Synchronous Digital Hierarchy
SLA Service Level of Agreement
TCP/IP Transmission Control Protocol / Internet Protocol
TMS Terminal Management System
USB Universal Serial Bus
VLAN Virtual Local Area Network
VMS Vibration Monitoring System
VPN Virtual Private Network
WAN Wide Area Network

4.2 Definitions

Access Control: Means of controlling and regulating access to computing
resources and information.

Authentication: The process of verifying the identity of a user through a code
such as a password.

Authorization: A right or a permission that is granted to an entity to access a
system or a resource.

Backup: A data image stored separately from the original, for use if the
original becomes lost or damaged.

CoGen: Supplementary Power generation facilities, normally operated by a
third party.

Confidentiality: The process of ensuring that information is not disclosed to
unauthorized individuals, processes, or devices.

Firewall: An inter-network connection device that controls data
communication traffic between two or more connected networks.

Firewire: An IEEE 1394 high performance serial bus standard for connecting
devices to computers.

Hardware Key: A physical key or dongle that is used to regulate access to a
system or an application.

Integrity: The process of ensuring data accuracy and authenticity.

Logs: Files or prints of information in chronological order.

Non-Disclosure Agreement: A contract that restricts the disclosure of
confidential information or proprietary knowledge under specific circumstances.

PAN: A plant-wide network that interconnects Process Control Networks (PCN)
and provides an interface to the WAN. A PAN does not include proprietary
process control networks provided as part of a vendor's standard process control
system.

PAN Administrator: A system administrator that performs day-to-day
maintenance activities on the PAN devices (e.g., administration, configuration,
upgrade, monitoring, etc.). He may also perform additional functions such as
granting, revoking, and tracking access privileges for PCS operating systems
and applications.

Password: Sequence of characters (letters, numbers, symbols) used as a secret
key for accessing a computer system or network.

PCS Administrator: A system administrator who performs day-to-day system
configuration and monitoring for critical systems such as DCS, SCADA, ESD, etc.

Plant Main Gate(s): Physically restricted access points through perimeter
security fencing into Saudi Aramco process facilities. Such points, when
manned, are typically controlled by Saudi Aramco Industrial Security
Operations (ISO) organizations via identification, privilege validation and
logging. While both manual and electronic procedures are still in use, the use
of electronic ID card readers has become the prevalent methodology.

Process Automation System (PAS): A network of computer-based or
microprocessor-based electronic equipment whose primary purpose is process
automation. The functions may include process control, safety, data acquisition,
advanced control and optimization, historical archiving, and decision support.

Process Control Network (PCN): A proprietary process control network
provided as part of a vendor's standard process control system.

Process Control System (PCS): The integrated system which is used to
automate, monitor and/or control an operating facility (e.g., Plant process units).
The PCS consists of operating area DCS and their related Auxiliary systems
which are connected together at the PCN and PAN level to form a single
integrated system.

Remote Access: The ability to log onto a system with the ability to manipulate
resources or configuration from a distant location.

Remote Engineering: The ability to manipulate resources or configuration
across the plant firewall.

Remote Troubleshooting: The ability to perform diagnostics and review event
logs from a location across the plant firewall.

Separation (Logical): Logical separation is indicated by the virtual isolation of
network assets by means of multiplexing or the use of software emulation
technologies such as VLAN, VPN or SDH dedicated circuits.

Separation (Physical): Physical separation is indicated by the comprehensive
isolation of network assets such as switches, medium and housing cabinets to
achieve highest level of security.

Server: A dedicated un-manned data provider.

Service account: An account used by a process running on a computer
operating system in a non-interactive mode.

Service Level Agreement (SLA): Contract between a service provider and a
customer; it details the nature, quality, and scope of the service to be provided.

User Account: An established relationship between a user and a computer,
network or information service such as Operating System and Applications.

Vulnerability: A flaw or weakness in a system's design, implementation,
operation or management that could be exploited to violate the system's integrity
or security policy.

5 Instructions

In this procedure, the terms “must”, “shall”, “should” and “can” are used. When must
or shall is used, the item is a mandatory requirement. When should is used, the item is
strongly recommended but not mandatory. When can is used, compliance may further
enhance the system security but compliance is optional.

The following instructions shall be adhered to:

a. The user of this procedure must exercise sound professional judgment concerning
its use and applicability under the user's particular circumstances.
b. The user must also consider the applicability of any government regulations, Saudi
Aramco standards, and safety practices before implementing this procedure.

5.1 Access Control Systems and Methodology

5.1.1 Access to PAN devices (e.g., switches, routers and Plant-managed
firewalls) should be restricted to PAN administrators.

5.1.2 Access to PCS operating systems for administration purposes shall be
restricted to PCS and/or PAN administrators.

5.1.3 Access to PCS applications for administration purposes shall be
restricted to PCS and/or PAN administrators.

5.1.4 Access to PCS applications for Plant operation, monitoring, diagnostics
and control purposes shall be restricted to Plant authorized personnel,
such as Operators, Engineers, Maintenance technicians and Operations
Supervisors.

5.1.5 Access to PCS applications for PCS configuration purposes shall be
restricted to Plant authorized process engineers.

5.1.6 Authentication and Authorization

Passwords, if supported by the system or application, shall be the
minimum authentication methodology. The logon/logoff process shall
not cause prolonged system interruptions.

5.1.6.1 For systems with password authentication, the following shall
apply to the extent supported by the Data Network Device/PCS:
a. Passwords shall have a minimum length of six characters.
b. Passwords shall not be found in a dictionary or contain
predictable sequences of numbers or letters.
c. The system shall be configured to enforce password
uniqueness. A minimum of three unique passwords must
be entered before a password can be re-used.
d. The system shall be configured to enforce password
complexity rules as follows:
A password must contain at least two of the following
four characteristics: lower case characters a-z, upper case
characters A-Z, digits 0-9, and punctuation characters,
e.g., ! @ # $ % ^ & * , etc.
e. The system shall not allow common phrases such as
names, and the word 'Password'.
f. The system shall enforce password change for individual
user IDs as follows:
i. If supported by the system.
ii. The change must be executed by the user.
iii. Upon password expiry, the system shall not cause a
permanent account lockout.
iv. Every six months, if the system utilizes centralized
account management.
v. Every 12 months, if the system utilizes local account
management.
g. Application account passwords should be changed every
12 months.
h. Accounts shall be locked for 24 hours or until the PAN
administrator unlocks the account after five consecutive
failed logon attempts. Operator accounts are exempted
from this requirement.
i. Passwords shall be masked on the screen while being
entered.
j. Passwords shall be used with care on operator interface
devices, such as control consoles on critical Plant process
units. Passwords shall be guarded to prevent
unauthorized access.
k. User account passwords shall not be stored electronically
in unprotected files.
l. All vendor-supplied default passwords for predefined
accounts shall be changed immediately after installation
or upgrade if allowed/supported by the vendor.
m. In order to change user account passwords, users should
always be required to provide both their old and new
passwords, if supported by the system.
n. Master passwords shall always be stored in a sealed
envelope in a safe and made available for immediate
retrieval in emergencies. A password log shall be
maintained separately from the PAS, possibly in a
notebook locked in a vault or safe.
o. Passwords shall always be encrypted when sent between
networks.
p. An automatic message, if supported by the systems,
should be sent to users notifying them about passwords
that will expire within 10 days.
q. Users shall maintain their own passwords and keep them
confidential.
r. Group passwords shall be kept within the group members
only.
s. Password records (e.g., paper, software file, etc.) should
be avoided unless they are stored securely and approved
by Plant management. They should be encrypted if
electronically stored.
t. Passwords shall be changed whenever there is an
indication of possible password compromise.
u. Application account passwords should be used in
encrypted/protected and encapsulated form and shall not
be coded into the application in plain text.
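
The password rules of 5.1.6.1 items a to e and h, expressed as a checker with lockout handling (an added example, not part of SAEP-99 or of any vendor's implementation). The sample word list, the four-character threshold for a "predictable sequence", the PBKDF2 storage of password history and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 6                 # 5.1.6.1.a
MIN_CLASSES = 2                # 5.1.6.1.d: at least two of four character classes
HISTORY_DEPTH = 3              # 5.1.6.1.c: three unique passwords before re-use
MAX_FAILURES = 5               # 5.1.6.1.h
LOCKOUT = timedelta(hours=24)  # 5.1.6.1.h
SEQ_RUN = 4                    # assumption: run length counted as "predictable"
# Constructed sample list; a real deployment would load a full dictionary.
FORBIDDEN = {"password", "welcome", "admin", "plant"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


@dataclass
class Account:
    user_id: str
    role: str = "engineer"     # "operator" accounts are exempt from lockout
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash)
    failures: int = 0
    locked_at: Optional[datetime] = None


def _hash(pw: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored history is never plain text (5.1.6.1.k).
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def _has_sequence(pw: str) -> bool:
    """Detect runs such as 'abcd', '4321' or 'aaaa' (5.1.6.1.b)."""
    low = pw.lower()
    for step in (1, -1, 0):
        run = 1
        for prev, cur in zip(low, low[1:]):
            linked = prev.isalnum() and cur.isalnum() and ord(cur) - ord(prev) == step
            run = run + 1 if linked else 1
            if run >= SEQ_RUN:
                return True
    return False


def policy_violations(acct: Account, pw: str) -> List[str]:
    """Return the 5.1.6.1 items a candidate password breaks (empty = accepted)."""
    low, problems = pw.lower(), []
    words = FORBIDDEN | {acct.user_id.lower()}
    words.discard("")
    if len(pw) < MIN_LENGTH:
        problems.append("a: shorter than six characters")
    if any(word in low for word in words):
        problems.append("b/e: contains a dictionary word or name")
    if _has_sequence(pw):
        problems.append("b: predictable sequence")
    if sum(any(c in group for c in pw) for group in CLASSES) < MIN_CLASSES:
        problems.append("d: fewer than two character classes")
    if any(hmac.compare_digest(_hash(pw, salt), digest) for salt, digest in acct.history):
        problems.append("c: matches one of the last three passwords")
    return problems


def set_password(acct: Account, pw: str) -> List[str]:
    """Store the password if compliant; keep only the last HISTORY_DEPTH hashes."""
    problems = policy_violations(acct, pw)
    if not problems:
        salt = os.urandom(16)
        acct.history = (acct.history + [(salt, _hash(pw, salt))])[-HISTORY_DEPTH:]
    return problems


def is_locked(acct: Account, now: datetime) -> bool:
    """Locked until 24 hours pass or an administrator clears it (5.1.6.1.h)."""
    if acct.locked_at is None:
        return False
    if now - acct.locked_at >= LOCKOUT:
        admin_unlock(acct)
        return False
    return True


def admin_unlock(acct: Account) -> None:
    acct.failures, acct.locked_at = 0, None


def verify(acct: Account, pw: str, now: datetime) -> bool:
    """Check a logon; the caller learns only success or failure (5.1.9.c)."""
    if is_locked(acct, now) or not acct.history:
        return False
    salt, digest = acct.history[-1]
    if hmac.compare_digest(_hash(pw, salt), digest):
        acct.failures = 0
        return True
    acct.failures += 1
    if acct.failures >= MAX_FAILURES and acct.role != "operator":
        acct.locked_at = now
    return False
```
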

5.1.6.2 For systems with hardware key authentication, the following
shall apply:
a. The shift coordinator or his delegated shift supervisor
shall be responsible for keeping and issuing the keys.
b. The keys should be restricted to authorized individuals.
c. The use of hardware keys shall be logged.
d. The key shall be securely stored within the facility and be
available after regular working hours.
e. The keys should only be used for the duration required.
f. Key logs should be reviewed on an annual basis to ensure
that keys are appropriately secured and accounted for.

5.1.7 User Accounts

a. If supported by the system, individual accounts are mandatory for
all accounts such as Administrators, Supervisors, Maintenance
Technicians, Operations Supervisors, Superintendents and
Engineers.
b. Shared Operating System accounts can be used for systems with
the following criteria:
i. User Management / Access Control function implemented
within the application.
ii. The availability of control safeguards such as logon scripts
or profile settings to protect against potential system bypass
or intrusions.
c. GUEST accounts shall be disabled on all systems. Such accounts
shall be removed, if possible.
d. The use of administrative accounts shall be limited for system
administration, configuration, support, diagnostics, and not for day-
to-day plant operation. These accounts shall be reviewed every
12 months to ensure their continued legitimacy for business and
shall be locked when not needed.
e. Shared operator accounts shall be restricted to those authorized by
the Plant management. The use of such accounts shall be
documented and reviewed/verified annually.
f. Shared “view only” accounts, if required, shall be restricted to
those authorized by the facility management. The use of such
accounts shall be documented and reviewed annually.
g. Individual accounts are mandatory including Operators for
unattended areas such as PIBs.
h. Operator accounts shall have a restricted user profile to prevent
them from installing/uninstalling programs, changing software
configuration, or accessing floppy disk drives, CD drives or ports
(e.g., Firewire, USB, Ethernet, Serial, etc.) that enable
communication with computer peripherals (e.g., personal media
players, flash drives, external hard drives, any other portable
media, etc.).
i. Operator and Service accounts shall be excluded from automatic
password change policy; however, the PAN administrator shall
make sure that Service account passwords are changed manually
every 12 months.
j. Operator shared account passwords are recommended to be
changed manually every 12 months. The password change should
be well communicated to the Operators using the account.
k. Operators, Plant engineers and Maintenance personnel should not
be granted access to administer networks or perform operating
system configurations, unless officially assigned by plant
management with clear roles and responsibilities.

5.1.8 User Account Format

Where applicable, all individual User ID formats should conform to
corporate guidelines as highlighted in Section 11.1.1.3.6 “USER ID
CONSTRUCTION” in IPSAG-007.

5.1.9 System Access

a. System Login scripts, if any, shall be configured to prevent a user
bypassing them.
b. If supported by the system, repeated login failures shall be logged
with the location, date, time and user account.
c. Upon logon failure, the system shall not indicate to the user
whether the failure is caused by the wrong user name or password.
An alert message should be sent to the PAN administrator in the
event of repeated login failures.
d. When logging into a system, the user should be given information
reflecting the last login time and date, if supported by the system.
e. PAN Administrators shall assume the responsibility of maintaining
user's access to proxy applications servers for his designated plant
applications.
f. Auto-logoff feature, if supported, shall be configured for all
unattended systems excluding those at operators' consoles.

5.1.10 Remote Access

Remote access may be required for remote troubleshooting, or
engineering purposes. The following guidelines shall be followed:
a. Remote access through the plant firewall, for control purposes, is
not permitted.
b. For remote engineering through the firewall, the following
conditions need to be in place:
i. An authorization process must be established identifying
Engineers and systems involved.
ii. The Engineering station must be in a room with controlled
physical access.
iii. Remote configuration download to critical plant components
such as PLCs and other controllers must be pre-approved by
plant management and accompanied by on-site presence of a
maintenance or technician.
iv. Access to the room must be logged with information such as,
Name, Date, time of entry/exit and type of activity.

Commentary Note:

“Remote engineering” (i.e., the implementation of any
parameter or configuration change in a PCS that is initiated
from outside of the process facility being controlled) to be
allowed under strict adherence to a remote work permit
issuance and receipt procedure co-developed and approved
by both the Operating Organization and P&CSD, and
concurred by Loss Prevention department.

c. For remote vendor troubleshooting, the following shall be followed:
i. A manager approval is required prior to the establishment of
the connection.
ii. Secure VPN tunneling shall be used as the preferred method
if supported by the system.
iii. User ID authentication shall be performed by Aramco IT
active directory services.
iv. Dial-in modems shall be highly limited and only used when
operationally required. The Modem shall support encryption
and dial-back if supported.
v. All Modems shall have written justification of ownership
with Plant manager’s approval that is reviewed annually for
validity of need.
vi. The PAN administrator shall maintain a list of all approved
Modems with their justification, approval, log sheets and
location.
vii. Plant modems shall be removed and physically locked in a
secure place while not in use.
viii. The VPN/Modem connection shall be documented with date,
time, duration, purpose and connecting party information.
ix. VPN/Modem connection shall be active for the duration of
the troubleshooting session only. The VPN/Modem session
shall then be terminated and disabled.

5.1.11 User Account Management

a. An up-to-date, accurate and comprehensive procedure relating to
user account management (user registration, de-registration and
allocation of access rights and associated privileges) shall be
documented, approved by Plant Management, communicated to
support staff and effectively implemented.
b. A formal authorization procedure shall be in place by which
standardized access request forms are completed, reviewed by
appropriate Supervisors based on business and security
requirements, approved by the Plant Superintendent and retained
for future reference, to grant requester access to the PAS
components. Approved access request forms should exist for all
types of accounts, including system and application accounts.
Manager approval is required for non-plant personnel.
c. Access shall not be provided until the authorization procedure has
been completed.
d. Access privileges assigned should be commensurate with the user’s
business roles.
e. Users shall sign statements indicating that they understand the
terms and conditions of access (this may be included with the
access request forms).
f. All PAS user accounts and their associated access level shall be
reviewed for appropriateness every 12 months.
g. An appropriate mechanism shall be documented and in place to
notify PAN administrators of job/role changes or termination of
employment so that access is modified accordingly or revoked on a
timely basis.
h. Unneeded/unused accounts shall be removed, if possible, rather
than being locked.
i. Where supported, standard user access profiles should be created
for common job roles (e.g., operator, process area supervisor,
maintenance engineer/technician, etc.) to facilitate the creation of
individual user access privileges based on user role or user group to
which they are assigned.
j. Centralized user authentication and account management
methodology is highly recommended.

5.2 Security Management Practices

5.2.1 Security Policies

In addition to this procedure, the following are applicable Saudi Aramco
documents for plant information security policies:
a. Management Statement of Policy “INT-7”
(URL: http://corpplan/LRPD1/corporat.htm)
b. Classification of Sensitive Information “GI-0710.002”,
dated February, 1st 2008 (URL: http://gi/html/data/0710_002.pdf).
c. Sanitization and Disposal of Saudi Aramco Electronic Storage
Devices and Obsolete/Unneeded Software “GI-0299.120”, dated
March, 1st 2010 (URL: http://gi/html/data/0299_120.pdf).

5.2.2 Security Awareness

Security awareness refers to the general, collective awareness of an
organization's personnel of the importance of security and security
controls. Plant management shall ensure that their personnel have an
adequate understanding and awareness of PAS security in addition to
general comprehension of corporate standards and procedures purpose
and use. This can be done through:
a. Interactive Presentations
Security awareness presentations as part of organizations
communication meetings on an annual basis.
b. Publishing and Distribution
Posters, email, updates, alerts, etc., sent from plant management to
their PAS user community.

Saudi Aramco departments, such as P&CSD, IT Information Protection
Awareness Group or Industrial Security, can be contacted for assistance
in obtaining awareness material for this purpose.

5.3 Applications and Systems Security

a. If available, applications must log all successful and unsuccessful logon
attempts and time of logons. It must also log sensitive transactions and
sensitive changes as defined by the application owner. The log shall
identify what, when and who made the change.
b. During the development of in-house application, all special access paths,
back-doors and short-cuts used to bypass the application security
mechanism shall be removed prior to moving the application to production.
c. PAS shall have all unnecessary services disabled as part of vendor’s
approved tightening procedure.
d. Security configuration baseline shall be obtained from PAS vendors,
including those of the PAN equipment.
e. In coordination with responsible vendors, a security baseline shall be
thoroughly tested and modified as required to ensure that the security
settings will not adversely impact operations.
f. A Security configuration baseline shall be implemented on all existing
PAS components, in coordination with responsible vendors, utilizing a
formal change management process.
g. The implemented configuration settings shall be periodically monitored to
ensure compliance with the approved baseline.
h. Security configuration baselines shall be adjusted whenever required
(e.g., software upgrades) and re-applied, if necessary.
i. Security and Operating System upgrades and patches for each PAS shall
be identified and implemented in a timely manner in compliance with
vendor recommendations in accordance with change management policies
and guidelines. Software (e.g., operating systems, IOS, etc.) and patches
shall only be obtained from relevant vendors.
j. A current and complete inventory of PAS components shall be maintained.
k. Up-to-date documentation including as-built drawings, logical network
design, and systems information (Operating System version, Serial
Number, etc.) shall be maintained.
l. Appropriate backups of the systems and/or applications must be performed
prior to any patch installation.
m. Up-to-date, accurate and comprehensive procedures relating to Security
and Operational Upgrade and Patch Management for each PAS shall be
documented, approved by Plant Management, communicated to support
staff and effectively implemented, including but not limited to:
i. Responsibilities for identifying, evaluating, testing and installing
software upgrades and patches.
ii. Timely identification of patches and software upgrades when
released by the vendor, such as subscribing to vendor mailing lists
and/or reviewing vendor websites.
iii. Evaluation of the applicability of the patch or software upgrades in
consultation with the vendor. Software upgrades and patches are
installed only after they have been tested and certified by the vendor
as being compatible with the PCS software.
iv. Defined timeframes for implementation of the patch or update.
v. Testing of the patch or software upgrade unless already tested by
vendor.
vi. Rolling out the patch or software upgrade.
n. Unattended PAN equipment shall have appropriate protection, such as
configuring connection/session timeouts for consoles and remote login.
For equipment not supporting session timeout, the user shall terminate all
active sessions or log off from the equipment when finished.
o. Systems capable of displaying a warning banner, upon logon, shall be
configured to display the following text “This Computer is for Company
business use only. This system may be monitored as permitted by law.
Unauthorized use may result in criminal prosecution, termination or other
action”. For operator consoles, a printed sticker may alternatively be used.
p. Where Anti-Virus is supported by the vendor, approved anti-virus software
shall be installed on all Windows-based PAS servers and workstations.
The following shall be considered when applying Anti-Virus software:
i. Up-to-date, accurate and comprehensive procedures relating to anti-
virus management including proper installation, configuration and
software update shall be documented in accordance with PAS vendor
recommendations, approved by Plant Manager, communicated to
support staff and effectively implemented.
ii. Timeframes for updating software version and virus definition files
shall be in line with PAS vendor recommendations.
q. Anti-virus software shall be configured according to PAS vendor
recommendations, including the different configuration options within the
scanning software such as On-Access Scanning, Full Scanning, Buffer
Overflow Protection, Directories to be excluded from scanning, etc.
Where Anti-Virus is not supported, documented confirmation from each
PCS vendor shall be retained for future reference in addition to a list of all
Windows based systems running without the anti-virus software installed.

5.4 Security Architecture and Models

5.4.1 Communication and Network Security Controls

a. Ensure physical and logical separation between PAS and Corporate
networks inside plant fence.
b. The intent of the Physical space requirement is to provide a clear
equipment identification to prevent it being serviced
unintentionally by another organization. The table below provides
further details on the minimum requirements:

Table 1

| Category | Area | Minimum Requirement |
| --- | --- | --- |
| Physical Space | Locked Cabinet for Shared Rooms | The cabinets shall have identification plates with contact information |
| Network | In-Plant Connectivity | Dedicated cables for both primary and backup. Cables shall be tagged and secured |
| Network | Remote Site Connectivity: Control | Fiber optic strands for primary and SDH for secondary |
| Network | Remote Site Connectivity: Information & Monitoring | Transmission circuit (i.e., SDH) |

c. PAN shall not interface to other networks without the use of a
firewall.
d. The firewall represents a security and functionality boundary, thus,
in the event of a connection loss to the corporate network, full
functionality of plant networks and systems shall be maintained
internally. For this purpose, plant systems shall not be configured
to rely on IT provided services such as File / Print Sharing, e-mail,
Internet / Intranet, DNS, AD and Anti-Virus.
e. For communication on the PAN, nodes shall be assigned static IP
addresses officially obtained from Aramco IT; DHCP is not allowed.
f. Static IP addresses are not required on standalone (isolated) systems.
g. Private IP addresses are allowed for internal PAS components such
as PCS. Those IP addresses shall not be routed beyond the PAN.

5.4.2 Firewalls Filtering, Blocking, and Access Control

Firewalls shall:
a. Control and regulate access into/out of the PAS.
b. Enable information logging for traffic monitoring and intrusion
detection.
c. Dedicated firewall hardware shall be used to interface a PAS to the
Corporate or third party networks.
d. It is highly recommended that interface(s) to third party networks,
such as co-generation (CoGen) utilize the existing PAS to
Corporate network firewall.
e. Firewalls connecting to third parties shall comply with the firewall
requirements in this procedure.
f. The fundamental policy for configuring firewalls in plant
automation networks shall be “DENY UNLESS SPECIFICALLY
PERMITTED”.
g. Antivirus and Intrusion Prevention functionalities shall be installed
on firewall(s) to the PAN.
h. Patch management policy shall be developed and maintained in
order to help identify the latest signature files and upgrades.
i. A procedure should be developed in order to help properly change
the firewall(s) Access Control List (ACL) based on information
collected from the Intrusion Prevention System (IPS).
j. Network traffic through the firewall shall be limited to server-to-
server communications and filtered based on source/destination IP
addresses and TCP/UDP ports. Blocking shall be enabled for both
inbound and outbound communications. Any Corporate Network
user requiring access to Plant Systems shall use Proxy Servers
(See Figure 1).
k. A PAN comprising multiple scattered PANs should interface
with the Corporate Network via a centralized firewall. The
consolidated PANs shall be connected together in order to establish
one PAN utilizing the corporate transmission infrastructure (i.e.,
SDH dedicated bandwidth or Dark Fiber).
l. For consolidated networks, the PAN backbone switch can be located
in an IT controlled facility provided that an SLA is established with
IT to govern the switch operation and the PAS equipment adheres to
the physical space requirements specified in this document.
m. The firewall filter rules shall not allow insecure services such as
Telnet and FTP to traverse the firewall.
n. SAER-6123, “Process Automation Networks Firewall Evaluation
Criteria” provides additional guidelines for firewall configuration
and hardware selection.
o. To minimize the number of open TCP/IP ports on the firewall, it is
recommended to install an application proxy inside the plant.

Figure 1
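
Items b, f, j and m of 5.4.2 can be checked mechanically against an exported rule list. The following is an added example, not part of SAEP-99: the rule model, rule names and addresses (RFC 5737 documentation ranges) are constructed, and first-match rule ordering is assumed.

```python
"""Audit a firewall rule list against SAEP-99 5.4.2 items b, f, j and m.

The Rule model, names and addresses are constructed for this example;
they are not taken from SAEP-99 or from any real PAN.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INSECURE_TCP_PORTS = {21: "FTP", 23: "Telnet"}  # item m


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "deny"
    direction: str         # "inbound" (into the PAN) or "outbound"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # destination port, None means any port
    log: bool = True       # traffic logging enabled for this rule


def is_single_host(addr: str) -> bool:
    """True when addr names exactly one IP (server-to-server, item j)."""
    if addr == "any":
        return False
    return ipaddress.ip_network(addr, strict=False).num_addresses == 1


def is_deny_all(rule: Rule) -> bool:
    return (rule.action == "deny" and rule.src == "any" and rule.dst == "any"
            and rule.proto == "any" and rule.port is None)


def audit(rules):
    """Return (rule name, 5.4.2 item, message) for every violation found."""
    findings = []
    for r in rules:
        if not r.log:
            findings.append((r.name, "b", "traffic logging is disabled"))
        if r.action != "permit":
            continue
        if not (is_single_host(r.src) and is_single_host(r.dst)):
            findings.append((r.name, "j", "permit is not host-to-host"))
        if r.proto not in ("tcp", "udp") or r.port is None:
            findings.append((r.name, "j", "permit has no specific TCP/UDP port"))
        elif r.proto == "tcp" and r.port in INSECURE_TCP_PORTS:
            findings.append((r.name, "m",
                             INSECURE_TCP_PORTS[r.port] + " may traverse the firewall"))
    # Items f and j: with first-match ordering (assumed), each direction must
    # end in an explicit deny-all so that anything not specifically permitted
    # is blocked both inbound and outbound.
    for direction in ("inbound", "outbound"):
        scoped = [r for r in rules if r.direction == direction]
        if not scoped or not is_deny_all(scoped[-1]):
            findings.append(("<" + direction + ">", "f", "no terminal deny-all rule"))
    return findings


# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("historian-to-proxy", "permit", "outbound",
         "192.0.2.20/32", "198.51.100.10/32", "tcp", 443),
    Rule("vendor-telnet", "permit", "inbound",
         "198.51.100.11/32", "192.0.2.30/32", "tcp", 23),
    Rule("office-lan-sql", "permit", "inbound",
         "198.51.100.0/24", "192.0.2.20/32", "tcp", 1433),
    Rule("legacy-any", "permit", "outbound",
         "192.0.2.40/32", "any", "any", None, log=False),
    Rule("deny-inbound", "deny", "inbound", "any", "any", "any", None),
]

if __name__ == "__main__":
    for name, item, message in audit(SAMPLE_RULES):
        print(f"5.4.2({item}) {name}: {message}")
```

The findings map directly onto the annual filter-rule review required of the PAN administrator; the same function can be run against each exported configuration kept under change management.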

5.5 Operations Security and Management

5.5.1 Security Monitoring

a. All available network and system logs shall be examined and
monitored periodically and when abnormal activities are detected.
The PAN Administrators shall control and validate the access to
these log files.

Commentary Note:

Recommended monitoring tools:

a. Account logging events to monitor logon attempts (successful
and unsuccessful).
b. Event Viewer logs.
c. System events such as system and service startup and
shutdown.
d. Firewall logs, configurations and policies.

b. Up-to-date, accurate and comprehensive procedures relating to
monitoring security audit logs shall be documented, approved by
Plant Management, communicated to support staff and effectively
implemented.
c. The PAN administrator shall perform and retain annual
documented reviews for the following:
i. All accounts to ensure continued legitimacy for business
needs and that inactive users are revoked.
ii. Access logs of internal devices such as firewalls and switches.
iii. Firewall penetration test log.
iv. PAN firewall filter rules to ensure rules accuracy and
adequacy.
v. Security audit logs, where the frequency of such reviews shall
depend on the risks involved. Risk factors that should be
considered include, but are not limited to:
1. Criticality of PAS component.
2. Value, sensitivity, and criticality of the
information/transactions involved.
3. Past experience of system penetration and misuse, and
the frequency of vulnerabilities being exploited.
d. A document defining the requirements for retention and archival
of security audit logs should be developed in accordance with
Corporate Data Protection and Retention INT-7 policy.
The following requirements should be considered:
i. The retention period for audit logs shall be set for 3 months as
a minimum.
ii. Mechanisms to secure the audit logs from unauthorized
access. For example, audit logs could be stored in a central
log archiving server or a media to prevent unauthorized
alteration.
iii. The parties authorized to access the audit logs.
iv. That the storage capacity of the log file media shall be
adequate to avoid failure to record events or over-writing of
past recorded events.
e. A PAS component suspected of a security breach shall not be tampered
with, to allow CSA to gather evidence and perform an effective
investigation.
f. The following events within PAS System Audit Policies shall be
enabled:
i. System Events
ii. Account Management
iii. Logon Events
iv. Privileged activities
g. The times of PAS components should be synchronized.

5.5.2 The release of classified information to a third party must be governed
by a Non-Disclosure Agreement (NDA) approved by Saudi Aramco Law
department. Intellectual Asset Management shall be consulted prior to
the exchange of any intellectual property, intangible research data, or
confidential information as governed by GI-0431.001.

5.5.3 Reporting of Computer Security Incidents

The reporting of a computing incident must be done promptly. It is the
responsibility of the proponent plant management, their designated staff,
or the PAN administrator, to write a memorandum, detailing any
computer irregularity incident to Corporate Security Services/Computer
Security Administration (CSA). In the case of hardware theft, the
incident must be reported to plant management who will then report it to
Industrial Security.

If any user or organization suspects a computer security incident
implicating an individual, and where a formal investigation might be
required, they must contact their PAN administrator. The PAN
administrator will evaluate the incident and, if warranted, report it to
CSA via “Incident Reporting” on “http://csa.aramco.com.sa”.

In urgent situations, the PAN administrator should report these computer
security incidents to CSA by phone via the numbers for “CSA Head” or
“Computer Security Investigation” listed in the “Contacts” section of the
CSA website. The “Incident Reporting” facility on CSA's website
should be used to document and confirm the PAN Administrator's report
by phone.

5.6 Disaster Recovery Planning (DRP)

The following are the requirements for Disaster Recovery Planning (DRP) for
Saudi Aramco PAS. For detailed instruction on PAS Disaster Recovery Plan,
refer to SAEP-1050.
a. The Plant organization is responsible for developing a DRP that covers all
critical PAS installed in the plant.
b. The PAS DRP shall be developed based upon a formal Risk Assessment or
Business Impact Analysis.
c. The DRP document shall provide instructions on restoring the plant
operation and resuming production promptly without impacting safety and
the impeded investment of plant assets and personnel.
d. A team within each plant organization shall be established and well trained
to develop, implement, test, use and maintain the DRP.
e. Key personnel list shall be clearly identified including plant personnel,
support organizations and vendors.
f. The DRP shall define the data backup strategy identifying the systems to
backup, files to backup, the storage media, the locations of the storage and
the storage retention.
g. The DRP shall be included as part of the overall plant process disaster
response plan.
h. The PAS DRP shall be updated on a timely basis after major changes in
the infrastructure.
i. PAS disaster recovery tests shall be scheduled annually, after major
changes in the infrastructure, or to the plant and related applications.
j. A detailed test schedule based on established recovery priorities shall be
developed.
k. Testing of the recovery procedure shall be documented. The DRP
document shall be updated to reflect and resolve any new issues arising
during the recovery test.
l. The testing of the DRP should be done offline in a testing
environment and not on the actual system if the offline systems are
available. Testing the recovery procedure should be documented.
m. A proper distribution list shall be defined for the PAS DRP and kept up to
date. A distribution process shall be defined that distributes the PAS DRP
in a timely manner to all recipients and locations on the distribution list.
n. The PAS DRP shall be approved by the Plant Manager.

5.7 Systems Backup and Restore

a. Up-to-date, accurate and comprehensive procedures relating to backup,
recovery and backup restoration testing for each PAS shall be documented,
approved by Plant Manager, communicated to support staff and effectively
implemented. The documented procedures should include, for each PAS
component:
i. Responsibilities for taking and monitoring backups.
ii. Detailed step-by-step procedures to perform a backup and subsequent
restore.
iii. Procedures to perform restoration testing and maintenance of
restoration test results.
iv. Procedures to verify the success or failure of a particular backup.
v. Procedures for media library management relating to retention,
rotation, transmittal, labeling and inventories.
b. It is highly recommended to fully automate the data backup operation to
avoid human errors and ensure integrity. However, backup logs need to be
monitored for backup failures.
c. A minimum of two copy sets, maximum 6 months old, of the most recent
backup and recovery data shall be stored and maintained at a secure, off-
site location.
d. Critical PAS components with dynamic data change shall be backed up on
a weekly basis. The data required for complete backup and restore shall be
archived to removable media at least once every six months.
e. Networks and systems configuration files shall be backed up on a regular
basis.
f. Backup and recovery data on removable media shall be stored in locked
offsite fire-safe cabinets located outside the Plant Main Gate.
g. Access to backup and recovery data shall be restricted to persons with
legitimate company business needs.
h. A system restore procedure shall be performed on a semi-annual basis to
ensure successful system recovery on offline PAS components.
i. A backup of any particular data shall not reside on the same hard drive
where the data resides.
j. A logbook shall be maintained at each storage location for the purpose of
monitoring access to the backup media. Entries shall be recorded in the
logbook whenever media is removed/added from/to the designated
storage location. The logbook shall contain the following:
i. Date & Time of removal/addition.
ii. Name and Badge number of employee responsible for
removing/adding the media.
iii. Purpose of removal/addition.
iv. Specific data which was removed/added such as number of CDs,
DVDs, tapes.
v. Estimated time the data will be removed from the location.
vi. The employee's signature at check-out of data if using hard copy log
book.
vii. Date & Time when data is returned to the location.
viii. The employee's signature when the data is returned to the safe
location if using hard copy log book.
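
The timing and placement rules in 5.7 items c, d, h and i lend themselves to an automated check over a backup inventory. The following is an added example, not part of SAEP-99: the record layout, component names and dates are constructed, "six months" is taken as 183 days, and the removable-media archive rule in item d is read as applying to every component.

```python
"""Check a backup inventory against SAEP-99 5.7 items c, d, h and i.

Record layout, component names and dates are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

SIX_MONTHS_DAYS = 183   # assumption: "six months" taken as 183 days
WEEK_DAYS = 7


@dataclass
class BackupCopy:
    taken: date
    offsite: bool       # stored at the secure off-site location
    removable: bool     # held on removable media
    device: str         # identifier of the drive or media holding the copy


@dataclass
class Component:
    name: str
    critical_dynamic: bool                 # critical component, dynamic data
    data_device: str                       # drive holding the live data
    copies: List[BackupCopy] = field(default_factory=list)
    last_restore_test: Optional[date] = None


def check_component(c: Component, today: date):
    """Return (component, 5.7 item, message) for each requirement not met."""
    def age(d: date) -> int:
        return (today - d).days

    findings = []
    # Item c: at least two copy sets, at most six months old, kept off-site.
    recent_offsite = [b for b in c.copies
                      if b.offsite and age(b.taken) <= SIX_MONTHS_DAYS]
    if len(recent_offsite) < 2:
        findings.append((c.name, "c",
                         f"{len(recent_offsite)} recent off-site copy sets, need 2"))
    # Item d: weekly backup for critical components with dynamic data.
    if c.critical_dynamic:
        newest = min((age(b.taken) for b in c.copies), default=None)
        if newest is None or newest > WEEK_DAYS:
            findings.append((c.name, "d", "no backup within the last week"))
    # Item d: archive to removable media at least once every six months.
    if not any(b.removable and age(b.taken) <= SIX_MONTHS_DAYS for b in c.copies):
        findings.append((c.name, "d", "no removable-media archive in six months"))
    # Item h: restore procedure performed semi-annually.
    if c.last_restore_test is None or age(c.last_restore_test) > SIX_MONTHS_DAYS:
        findings.append((c.name, "h", "restore test overdue or never performed"))
    # Item i: a backup must not share a drive with the data it protects.
    if any(b.device == c.data_device for b in c.copies):
        findings.append((c.name, "i", "backup stored on the same drive as the data"))
    return findings


def check_inventory(components, today: date):
    return [f for c in components for f in check_component(c, today)]


# Constructed sample inventory, evaluated as of SAMPLE_TODAY.
SAMPLE_TODAY = date(2024, 6, 30)
SAMPLE_INVENTORY = [
    Component("HMI-SRV-01", True, "srv01-disk0", [
        BackupCopy(date(2024, 6, 27), True, True, "tape-A"),
        BackupCopy(date(2024, 3, 1), True, True, "tape-B"),
    ], last_restore_test=date(2024, 2, 15)),
    Component("HIST-01", True, "hist-disk0", [
        BackupCopy(date(2024, 6, 10), False, False, "hist-disk0"),
        BackupCopy(date(2023, 11, 1), True, True, "tape-C"),
    ]),
]

if __name__ == "__main__":
    for name, item, message in check_inventory(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(f"5.7({item}) {name}: {message}")
```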

5.8 Physical Security

a. Security perimeters around informational assets should be clearly defined
and carefully monitored on a daily basis for evidence of penetration or
tampering attempts.
b. Ensure that sensitive documents and other media material that are no
longer needed are destroyed completely.
c. Visitor access to facilities housing PAS components shall be authorized by
Operations, documented and securely maintained with purpose of visit,
date and time of entry and exit.
d. Tag all physical inventories with tamper-resistant labels to prevent
removal of property.
e. PAS workstations, servers and network equipment shall be located in plant
controlled facilities such as a data center or server room.
f. The following conditions shall be in place prior to relocating the PAN
backbone switch into an IT room:
i. The plant organization consists of multiple PANs to be consolidated
into a single PAN.
ii. The Plant firewall is to be also relocated to the same IT controlled
facility.
iii. The backbone switch shall be dedicated for a single plant
organization and shall not be shared with others.
iv. The backbone switch and the firewall shall be housed in a locked
cabinet with clear labels indicating its functionality.
v. An SLA is signed by IT and the Plant organization for IT to manage
and operate the L3 switch.
g. PAS components not located in plant controlled communication or server
rooms shall be secured in locked cabinets.
h. Unused network ports shall be disabled.
i. Data on any electronic storage device being disposed, returned to
manufacturer, donated or decommissioned shall be sanitized in accordance
with GI-0299.120.
j. The use of active “Testing Tools” such as network sniffers and analyzers
shall adhere to the following guidelines:
i. The use of “active” testing tools shall be exercised with extreme care
on critical networks and systems and shall be approved and
coordinated with the vendor.
ii. They should always be authorized by Plant Management and
restricted to PAN administrators.
iii. Captured information classified as “Sensitive”, as defined in
GI-0710.002, shall be adequately safeguarded.
iv. All testing tools shall have written justification of need with Plant
manager’s approval that is reviewed annually for validity of need.
v. The PAN administrator shall maintain a list of all approved testing
tools with their justification, approval, log sheets and location.
vi. Testing tools should be securely stored and accessible only by
authorized personnel.

Commentary Note:

Passive testing tools such as cable testers, voltmeters, etc. are
exempted and can be used without the above controls.

k. Physical access to facilities housing PAS assets shall be periodically
reviewed and revoked when necessary or no longer required.
l. Where required, unique combination locks’ personal identification codes
shall be set for each of the different facilities housing PAS assets.
m. A formal procedure shall be documented and implemented to ensure that
these codes are periodically changed and immediately when someone with
knowledge of these codes no longer requires access.
n. Plant owned and managed PAS equipment shall be physically segregated
from equipment owned and managed by other organizations (e.g., Saudi
Aramco IT, CoGen partners, etc.) as depicted by Table 1.
o. Plant owned racks or cabinets shall always be locked if they provide
potential access to the plant PAN.

5.9 Wireless Security

Wireless networks may be considered for non-critical monitoring applications
with prior written approval of the General Supervisor, Process Instrumentation
Division, Process & Control Systems Department, Saudi Aramco, Dhahran.

Wireless networks operated in plant environment shall meet the procedural and
configuration requirements by the wireless network vendor and/or IPSAG-008:

5.10 Change Management

a. All changes to PAS infrastructure, including hardware, operating systems,
applications, process related configurations, shall be strictly controlled.
b. PAS changes shall be performed through a change management system
with capabilities such as change tracking, approval and scheduling.
c. PAS changes shall be prioritized (e.g., emergency, high, medium, low)
according to their criticality. Prioritization criteria shall be established.
d. PAS changes shall be appropriately tested using test plans in a non-
production environment, where available.
e. Implementation and back-out plans shall be developed prior to any change.
f. All required deliverables shall be attached to the change request.
Examples of such deliverables include, but not necessarily limited to
implementation plans, test plans, fallback procedures, diagrams depicting
process flow changes, etc.
g. Affected PAS components shall be backed up prior to any change.
h. PAS changes shall be formally reviewed and approved by appropriate
stakeholders before implementation.
i. PAS changes shall meet the security requirements defined within SAEP-99.
j. Risk, impact and security implications of changes shall be evaluated.
k. Up-to-date, accurate and comprehensive procedures relating to PAS
Change Management (such as the MOC GOIs) shall be documented,
approved by Plant Manager, communicated to support staff and effectively
implemented.

6 Responsibilities

6.1 Plants Operations/Management

Plant operations/management and their designated operating staff are
responsible for the implementation of this procedure. Reference is made to the
Management's designated operating staff as the PAN Administrator. Plant
operations/management has the responsibility for monitoring the
implementation of this procedure within their plants.

6.2 PAN Administrators

a. Each plant organization shall have a qualified formally assigned primary
and backup PAN administrator to manage and perform system
configuration and monitoring and ensure proper coordination of systems
security responsibilities with PCS administrators, if different, as
designated by the plant management.
b. The PAN administrator shall assume the ownership of the PAS.
c. The PAN administrators shall ensure the accuracy of firewall filter rules
and security policies.
d. The PAN administrator is responsible for the operation, management and
accuracy of any firewall that may exist between the PAN and other third
party networks such as that of the CoGen partners, including granting,
revoking, and tracking users’ access and maintaining filter rules, unless the
firewall is already operated by Information Technology.
e. The PAN administrator shall create and maintain the accuracy of the 'PAN
administrator e-mail distribution lists' relevant to their Plants.
f. The PAN administrators are responsible for implementing the instructions
specified in this document.
g. The PAN administrators shall be responsible for reporting of security
incidents, if any.

6.3 PCS Administrator

a. Each plant organization shall have a qualified formally assigned primary
and backup PCS administrator to administer and perform system
configuration and monitoring of PCS.
b. Coordinate all PCS security administration activities with the PAN
administrator.

6.4 Delegation of Responsibility

a. Delegation of support and management responsibilities is limited to
process information networks and systems (i.e., systems that are not part of
control or engineering).
b. A risk assessment, with participation from P&CSD, IT and the Plant shall
precede the official delegation of support responsibilities of PAN
components to IT or other support entities.
c. Any delegation of support and management responsibility must be
approved by the Plant Manager through a Service Level Agreement (SLA).

6.5 Process & Control Systems Department (P&CSD)/Communication & Computer Networks Unit (CCNU)

a. P&CSD/CCNU is responsible for maintaining and updating SAEP-99
“Process Automation Networks & Systems Security” procedure.
b. P&CSD/CCNU is responsible for developing a training curriculum for
PAN Administrators and promoting awareness of new SAEP-99 updates.
c. P&CSD may review internal plant developed procedures pertinent to this
document.

7 Training

It is essential that the primary and backup PAN and PCS Administrators have:
a. Knowledge or experience in plant operations, and
b. Successful completion of P&CSD’s “Process Automation Network Administrator
Training and Certification Curriculum”.
c. As part of their security training, PCS Administrators are only required to
complete the Windows administration courses listed in P&CSD’s “Process
Automation Network Administrator Training and Certification Curriculum”.

Revision Summary
6 November 2010 Major revision as part of the continuous security management cycle to enhance Saudi
Aramco plants process automation network and systems security.
18 July 2012 Editorial revision to change the primary contact.
16 February 2013 Editorial revision removing paragraph 6.5(d) to clarify P&CSD roles and responsibilities.
