Saudi Aramco Best Practice
SABP-Z-089, 11 May 2017
Security Guidelines for Plant PI Systems
Document Responsibility: Process Optimizations Solutions Standards Committee

Saudi Aramco Desktop Standards

Table of Contents
1 Introduction
2 Purpose and Scope
3 Conflicts and Deviations
4 References
5 Definitions
6 Abbreviations
7 Responsibilities
8 Plant PI Server Architecture
9 Plant PI Interfaces (Collectors)
10 PI Server Security Configuration
11 Anti-virus software to exclude PI files
12 PI Scan Node Security Configuration

Document Responsibility: Engineering Standards Committee    SABP-Z-089
Issue Date: 11 May 2017    Next Planned Update: TBD
Security Guidelines for local PI Systems

1 Introduction

The PI System is a critical service for Aramco, as it is responsible for collecting, storing and presenting all the events the plant control systems produce. The local PI Systems located inside the plant DMZ are the first layer of the data collection mechanism. This makes implementation of, and compliance with, this Security Baseline of great importance for the well-being of the organization. This security baseline is not restricted to the application itself but also acts as a guideline on all important aspects related to PI security. All PAN Admin / PI System administrators or entities administering Saudi Aramco PI Servers are required to adhere to these best practice guidelines.

2 Purpose and Scope

2.1 Purpose

The purpose of this best practice is to provide guidance for the organization/user on the appropriate minimum acceptable baseline for protecting Saudi Aramco's Local PI Systems in existing as well as new facilities, as applicable. The implementation of the best practice guidelines will ensure that Saudi Aramco has an acceptable level of protection on its Local PI Systems to protect the Saudi Aramco business.

2.2 Scope

The best practice defines the necessary configuration settings that should be applied on local PI Systems.
This best practice covers standards governing the installation, configuration and administration of the local PI systems.

Saudi Aramco: Confidential
Previous Issue: New    Next Planned Update: TBD    Page 2 of 15
Primary contact: TBD

3 Conflicts and Deviations

In the event of any conflict between this best practice and other applicable Saudi Aramco standards requirements, the mandatory SA requirements take precedence. Direct all requests to deviate from this best practice in writing to the primary contact of this document, who is responsible for studying the request, redirecting it to the right Subject Matter Expert relevant to the best practice and responding as suggested above.

4 References

This engineering best practice is based on the latest edition of the references below, unless otherwise noted.

4.1 Saudi Aramco References

Saudi Aramco Engineering Standards
SAES-T-566    Demilitarized Zone (DMZ) Architecture
SAES-Z-010    Process Automation Networks Standard

Saudi Aramco Engineering Procedures
SAEP-99       Saudi Aramco Industrial Control System Security

Saudi Aramco Best Practice
SABP-Z-060    Operating Systems Hardening Guide - Windows 7
SABP-Z-084    Operating Systems Hardening Guide - Windows Server 2012
SABP-Z-063    Operating Systems Hardening Guide - Windows Server 2008

5 Definitions

Plant DAHS: The Data Historian inside the Plant DMZ shall be referred to as plant DAHS.

Application Programming Interface (API): A set of library functions to be made available by DAHS that allows programmatic access to the DAHS both for data archiving and for retrieval.

Company: Means a SAUDI ARAMCO organization (ARAMCO Services COMPANY, ARAMCO Overseas COMPANY, SAUDI ARAMCO).

Demilitarized Zone (DMZ): A small network inserted as a "neutral zone" between two networks with different security levels that need to exchange limited sources of information.
It prevents network traffic from passing directly between the two networks; in our case, the corporate and PAN networks.

Firewall: A firewall is a set of related programs, located at a network gateway, that protects the resources of a private network from users of other networks.

Interfaces: Software modules for collecting data from any computing device with measurements that change over time. Typical data sources can be DCS, PLCs, Lab systems and process models.

OPC: A standard established by the OPC Foundation task force to allow applications to access process data from the plant floor in a consistent manner. Current versions of OPC Data Access (DA), OPC Historical Data Access (HDA) and OPC Unified Architecture (UA) shall be used.

OPC-DA & OPC-HDA: Specifications of OPC Data Access & Historian Data Access for the interfaces between a historian and any client/server OPC compatible software system.

Plant Information (PI): Plant Information is the name of a Data Historian from the vendor. A PI Server is a computer on which PI Server programs are installed. The PI Server collects, stores, and manages data from the plant or process.

PI to PI Interface: Software that allows communication between historians. The PI to PI interface copies tag data from one PI server to another. Data is moved in one direction, meaning data is copied from the source to the receiving PI server (also referred to as the target PI server). The interface is a single-threaded process. TCP/IP connections are needed to both the receiving and source PI servers.
PI Interface Configuration Utility (PI-ICU): An application that aids in PI System management by consolidating the setup and configuration options required for new and existing PI Interfaces. Any new or existing PI Interface can be configured and maintained using PI-ICU.

Process Automation Network (PAN): A plant-wide network interconnecting Process Control Systems (PCS) that provides an interface to the DMZ. PAN does not include proprietary process control networks provided as part of a vendor's standard process control system.

6 Abbreviations

API - Application Program Interface
DAHS - Data Acquisition and Historization System
DCS - Distributed Control Systems
DMZ - Demilitarized Zone
ICS - Industrial Control Systems (SCADA etc.)
LAN - Local Area Network
OS - Operating System
OLEDB - Object Linking and Embedding Database
PAN - Process Automation Network
IP - Internet Protocol
PLC - Programmable Logic Controllers
SCADA - Supervisory Control & Data Acquisition
TCP - Transmission Control Protocol
VMS - Vibration Monitoring System

7 Responsibilities

The best practice is intended for personnel who are responsible for installing, administering and supporting the Saudi Aramco local PI Servers. This document is not intended for PI Users, nor shall PI Users use this guide to modify their local PI Systems without the explicit permission of the Aramco local PI Administrators in charge of the specific installation.

8 Plant PI Server Architecture

8.1 The PI DAHS shall be on a company-approved standard operational set of hardware, system software, networking, communications, database management and applications.
8.2 Hardware and systems sizing recommendations shall follow the company-approved standard, with a minimum of two physical drives. Drive C with Windows OS shall not be used for PI DAHS.

8.3 Plant PI DAHS shall be hosted in the DMZ. Refer to Plant Demilitarized Zone (DMZ) Architecture Engineering Standard SAES-T-566.

8.4 PI DAHS shall be hosted on the corporate network and shall be the primary data source for solutions hosted on the corporate domain.
