Saudi Aramco
Best Practice
SABP-Z-089 11 May 2017
Security Guidelines for Plant PI Systems
Document Responsibility: Process Optimizations Solutions Standards Committee
Saudi Aramco Desktop Standards
Table of Contents
1 Introduction
2 Purpose and Scope
3 Conflicts and Deviations
4 References
5 Definitions
8 Plant PI Server Architecture
9 Plant PI Interfaces (Collectors)
10 PI Server Security Configuration
11 Anti-virus software to exclude PI files
12 PI Scan Node Security Configuration
Document Responsibility: Engineering Standards Committee SABP-Z-089
Issue Date: 11 May 2017
Next Planned Update: TBD Security Guidelines for local PI Systems
1 Introduction
The PI System is a critical service for Aramco as it is responsible for collecting, storing
and presenting all the events the plant control systems produce. The local PI Systems
located inside the plant DMZ are the first layer of the data collection mechanism. This makes
implementation of and compliance with this Security Baseline of great importance for the
well-being of the organization.
This security baseline is not restricted to the application itself but acts as a guideline
on all important aspects of PI security. All PAN Admin/PI System
administrators or entities administering Saudi Aramco PI Servers are required to adhere to
these best practice guidelines.
2 Purpose and Scope
2.1 Purpose
The purpose of this best practice is to guide the organization/user to the
appropriate minimum acceptable baseline for protecting Saudi Aramco's Local PI Systems
in existing as well as new facilities, as applicable.
The implementation of the best practice guidelines will ensure that Saudi Aramco has an
acceptable level of protection on its Local PI Systems to protect the Saudi Aramco
business.
2.2 Scope
The best practice defines the necessary configuration settings that should be applied on
local PI Systems. This best practice covers standards governing the installation,
configuration and administration of the local PI systems.
Saudi Aramco: Confidential
Previous Issue: New Next Planned Update: TBD
Primary contact: TBD
3 Conflicts and Deviations
In the event of any conflict between this best practice and other applicable Saudi Aramco
Standards requirements, the mandatory SA requirements take precedence.
Direct all requests to deviate from this best practice in writing to the primary contact of
this document, who is responsible for studying the request, redirecting it to the Subject Matter
Expert relevant to the best practice, and responding as suggested above.
4 References
This engineering best practice is based on the latest edition of the references below, unless
otherwise noted.
4.1 Saudi Aramco References
Saudi Aramco Engineering Standards
SAES-T-566 Demilitarized Zone (DMZ) Architecture
SAES-Z-010 Process Automation Networks Standard
Saudi Aramco Engineering Procedures
SAEP-99 Saudi Aramco Industrial Control System Security
Saudi Aramco Best Practice
SABP-Z-060 Operating Systems Hardening Guide - Windows 7
SABP-Z-084 Operating Systems Hardening Guide - Windows Server 2012
SABP-Z-063 Operating Systems Hardening Guide - Windows Server 2008
5 Definitions
Plant DAHS: The Data Historian inside the Plant DMZ shall be referred to as plant DAHS.
Application Programming Interface (API): A set of library functions to be made available
by DAHS that allows programmatic access to the DAHS both for data archiving and for
retrieval.
Company: Means a SAUDI ARAMCO organization (ARAMCO Services COMPANY,
ARAMCO Overseas COMPANY, SAUDI ARAMCO).
Demilitarized Zone (DMZ): is a small network inserted as a "neutral zone" between two
networks with different security levels that need to exchange limited sources of information.
It prevents network traffic from passing directly between the two networks; in our case, the
corporate and PAN networks.
Firewall: A firewall is a set of related programs, located at a network gateway that protects
the resources of a private network from users of other networks.
Interfaces: are software modules for collecting data from any computing device with
measurements that change over time. Typical data sources can be DCS, PLCs, Lab systems
and process models.
OPC: is a standard established by the OPC Foundation task force to allow applications to
access process data from the plant floor in a consistent manner. Current versions of OPC
Data Access (DA), OPC Historical Data Access (HDA) and OPC Unified Architecture (UA)
shall be used.
OPC-DA & OPC-HDA: Specifications of OPC Data Access & Historian Data Access for the
interfaces between a historian and any client/server OPC compatible software system.
Plant Information (PI): Plant Information is the name of a Data Historian from vendor. A PI
Server is a computer on which PI Server programs are installed. The PI Server collects, stores,
and manages data from the plant or process.
PI to PI Interface: Software that allows communication between historians. The PI to PI
interface copies tag data from one PI server to another. Data is moved in one direction, meaning
data is copied from the source to the receiving PI server (also referred to as target PI server).
The interface is a single threaded process. TCP/IP connections are needed to both receiving
and source PI servers.
PI Interface Configuration Utility (PI-ICU): is an application that aids in PI System
management by consolidating the setup and configuration options required for new and
existing PI Interfaces. Any new or existing PI Interface can be configured and maintained
using PI-ICU.
Process Automation Network (PAN): is a plant-wide network interconnecting Process
Control Systems (PCS) that provides an interface to the DMZ. PAN does not include
proprietary process control networks provided as part of a vendor's standard process control
system.
6 Abbreviations:
API - Application Program Interface
DAHS - Data Acquisition and Historization System
DCS - Distributed Control Systems
DMZ - Demilitarized Zone
ICS - Industrial Control Systems (SCADA etc.)
LAN - Local Area Network
OS - Operating System
OLEDB - Object Linking and Embedding Database
PAN - Process Automation Network
IP - Internet Protocol
PLC - Programmable Logic Controllers
SCADA - Supervisory Control & Data Acquisition
TCP - Transmission Control Protocol
VMS - Vibration Monitoring System
7 Responsibilities
The best practice is intended for personnel who are responsible for installing, administering
and supporting the Saudi Aramco local PI Servers.
This document is not intended for PI Users, nor shall PI Users use this guide to modify
their local PI Systems without the explicit permission of the Aramco local PI
Administrators in charge of the specific installation.
8 Plant PI Server Architecture
8.1 The PI DAHS shall be on a company approved standard operational set of hardware,
system software, networking, communications, database management and
applications.
8.2 Hardware and systems sizing recommendations shall be company approved standard
with a minimum of two physical drives. Drive C with Windows OS shall not be used for
PI DAHS.
8.3 Plant PI DAHS shall be hosted in the DMZ. Refer to Plant Demilitarized Zone (DMZ)
Architecture Engineering Standard SAES-T-566.
8.4 PI DAHS shall be hosted on the corporate network and shall be the primary data source
for solutions hosted on the corporate domain.