1 Introduction (page 2)
2 Conflicts with Mandatory Standards (page 2)
3 References (page 2)
4 Definitions (page 3)
5 Account & Passwords Policies (page 5)
6 Services and Applications Settings (page 20)
7 Hardening Controls (page 24)
8 Logs and Auditing (page 27)
1 Introduction
1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology to implement advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff for the purpose of prompt risk
mitigation and overall adherence to company’s cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and / or technicians working as Process Automation Network
(PAN) Administrators.
1.2 Scope
This best practice defines the methodology for hardening the configuration
settings of DELL switches, which might require additional software or hardware to
ensure a "secure configuration" as per SAEP-99, "Process Automation Networks and
Systems Security".
Implementation of this best practice shall satisfy the audit requirement for the
BIT recommendations and can be assessed using the "Performing Security
Compliance Assessment Manual".
1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by the
vendor and/or consulting agent for the implementation of security configurations
by the PAN administrator(s), and shall not be considered an "exclusive" means of
providing "comprehensive" compliance with SAEP-99 or any other Saudi Aramco
Engineering standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) from
their responsibility or duties to confirm and verify the accuracy of any
information presented herein and the thorough coordination with respective
control system steering committee chairman and vendor.
Page 2 of 32
Document Responsibility: Plants Networks Standards Committee SABP-Z-053
Issue Date: 3 May 2015 Network Devices Hardening
Next Planned Update: 3 May 2020 Guide – Dell Switches
4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
DCS - Distributed Control System
ESD - Emergency Shutdown Systems
IP - Internet Protocol
ISA - The International Society of Automation
PCS - Process Control Systems
PAN - Process Automation Network
PMS - Power Monitoring System
SCADA - Supervisory Control and Data Acquisition
TMS - Terminal Management System
VMS - Vibration Monitoring System
4.2 Abbreviations
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. Wherever there are
assets worth protecting, authentication is present. The first step in protecting
systems and information is authentication, which establishes who is requesting access.
8.6
Domain: DELL
Ref.: DEL-AP-01
Target: PowerConnect 7000 Family
Mapping: BIT 12.0.a, 5.1.6.1.l; SAEP-99 5.5.1.a-f
Dependencies
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
12.0.b
Domain: DELL
Ref.: DEL-AP-03
Target: PowerConnect 7000 Family
Mapping: BIT 12.0.a, 5.1.6.1.a-f; SAEP-99 5.1.11.d
Action: Set a local password to control access to the privileged EXEC mode.
State: Final
Version: 1.0
Created on: 09/25/14
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite: The password should respect the SAEP-99 passwords policy.
Dependencies
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Instruction
2. Issue the following commands:
console(config)# enable password NEW_PASSWORD
Dependencies
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Dependencies
3. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Instruction
4. Issue the following commands:
console(config)# passwords aging 90
When a user's password expires, the user is prompted to change it before logging in again.
The password will expire after 90 days.
Automated task: yes
Dependencies
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Instruction
Dependencies
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
A lockout policy strengthens the security of the switch by locking user accounts
whose logins have failed because of wrong passwords.
Dependencies
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Dependencies DEL-AP-13
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Dependencies DEL-AP-13
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Dependencies DEL-AP-13
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Dependencies DEL-AP-13
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Dependencies
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Character-classes enables password character-class checking using the parameters set by
the following commands:
This command is not for hardening purposes. It should be used to display the configured
password-management settings and to detect any non-compliant policy.
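The password controls in this section (the DEL-AP-03 `enable password` instruction and `passwords aging 90`) and the note above about reviewing the configured settings lend themselves to an offline compliance check. The script below is an added example, not part of SABP-Z-053 and not a Dell tool: it parses a saved running-config text for those two commands and reports findings. Both sample configurations are constructed; the `DEL-AP-03` label in the finding text is the control reference from the header above, and any other password-management commands the PowerConnect CLI accepts are deliberately left out of scope.

```python
"""Audit a saved Dell PowerConnect running-config for the password controls this
guide sets: an enable password for privileged EXEC mode, and password aging of at
most 90 days. Added example; the config text is constructed, not from a device."""
import re
from typing import Dict, List, Optional

MAX_AGING_DAYS = 90  # the value the guide's "passwords aging 90" instruction sets

# Constructed running-config fragments (the enable password is the guide's placeholder).
COMPLIANT_CONFIG = """\
!
hostname ABQ-SW-001
enable password NEW_PASSWORD
passwords aging 90
!
"""

NONCOMPLIANT_CONFIG = """\
!
hostname ABQ-SW-002
passwords aging 365
!
"""

# One regex per command the guide cites; anchored per line so comments cannot match.
_ENABLE_RE = re.compile(r"^\s*enable password\s+\S+", re.MULTILINE)
_AGING_RE = re.compile(r"^\s*passwords aging\s+(\d+)\s*$", re.MULTILINE)


def parse_password_settings(config_text: str) -> Dict[str, object]:
    """Extract the two settings the guide references from running-config text."""
    aging: Optional[int] = None
    match = _AGING_RE.search(config_text)
    if match:
        aging = int(match.group(1))
    return {
        "enable_password_set": bool(_ENABLE_RE.search(config_text)),
        "aging_days": aging,
    }


def audit_password_policy(config_text: str, max_aging_days: int = MAX_AGING_DAYS) -> List[str]:
    """Return a list of findings; an empty list means the checked controls are met."""
    settings = parse_password_settings(config_text)
    findings: List[str] = []
    if not settings["enable_password_set"]:
        findings.append("DEL-AP-03: no 'enable password' configured; privileged EXEC mode is unprotected")
    aging = settings["aging_days"]
    if aging is None:
        findings.append("passwords aging not configured; passwords never expire")
    elif aging > max_aging_days:
        findings.append(f"passwords aging {aging} exceeds the {max_aging_days}-day maximum")
    return findings


if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("non-compliant", NONCOMPLIANT_CONFIG)):
        print(name, audit_password_policy(cfg) or "OK")
```

Feed it the output of a saved running-config rather than typing against a live switch; the regexes only recognise the two commands the guide shows, so a device that enforces its policy through other commands will still need those reviewed by hand.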
Dependencies
3. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Instruction
Dependencies
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
The GARP Multicast Registration Protocol (GMRP) provides a mechanism that allows networking
devices to dynamically register (and de-register) group membership information with the
MAC networking devices attached to the same segment, and for that information to be
disseminated across all networking devices in the bridged LAN that support Extended
Filtering Services. The operation of GMRP relies upon the services provided by the
Generic Attribute Registration Protocol (GARP).
Automated task: yes
Dependencies
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
7 Hardening controls
Dependencies
3. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Instruction Proposal
- Geo location: 3 characters referring to the city or plant (URT, ABQ, DHR ...)
- Admin area: 3 characters referring to whether it is an oil or gas plant
- Device role: 2 or 3 characters indicating the device role
  - PLC, DCS ...
  - WRK stands for workstation
  - SRV stands for server
  - PRT stands for printer
  - FW for firewall, RT for router, SW for switch, and so on
- Incremental ID: 3 characters
Example: ABQ-WKS-005 means workstation 5 in the Abqaiq plant
Automated task: yes
Instruction
NTP_Server is the IP address of the NTP server that serves Simple Network Time
Protocol (SNTP) traffic.
Key_Number (if authentication is required) is the key used to authenticate the identity
of the system with which Simple Network Time Protocol (SNTP) will synchronize.
If an NTP server is not available or has not been deployed yet, the time should be
set manually using the following command
Dependencies
5. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
The logging process controls the distribution of logging messages to the various
destinations, such as the logging buffer, the logging file, or a syslog server. Logging to
each of these destinations can be switched on and off individually using the logging buffered,
logging file, and logging server global configuration commands.
Dependencies
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Instruction
Dependencies
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
console(config)#logging web-session
<133> MAR 24 07:46:07 10.131.7.165-2 UNKN[83102768]: cmd_logger_api.c(140) 764 %% WEB:10.131.7.67:<<UNKNOWN>>:EwaSessionLookup : session[0] created
<133> MAR 24 07:46:07 10.131.7.165-2 UNKN[83102768]: cmd_logger_api.c(140) 765 %% WEB:10.131.7.67:admin:User admin logged in
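The two `logging web-session` entries above share one layout: a syslog `<PRI>` field, a timestamp, the logging device's address (with what appears to be a stack-unit suffix), a component name and process id, the source file and line, a sequence number, and then `WEB:<client IP>:<user>:<message>`. The parser below is an added example, not part of the guide or of Dell's software: it splits that layout into named fields, decodes the PRI value into syslog facility and severity, and flags successful web logins from clients that are not on an allow-list of administrator workstations. The first two sample lines are the guide's entries joined back onto single lines; the third line, the client address in it, and the allow-list are constructed.

```python
"""Parse Dell PowerConnect 'logging web-session' syslog lines and flag web logins
from clients outside an allow-list. Added example; the third log line and the
allow-list are constructed, the first two lines are the guide's entries rejoined."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

SAMPLE_LOG = [
    "<133> MAR 24 07:46:07 10.131.7.165-2 UNKN[83102768]: cmd_logger_api.c(140) 764 %% "
    "WEB:10.131.7.67:<<UNKNOWN>>:EwaSessionLookup : session[0] created",
    "<133> MAR 24 07:46:07 10.131.7.165-2 UNKN[83102768]: cmd_logger_api.c(140) 765 %% "
    "WEB:10.131.7.67:admin:User admin logged in",
    # Constructed: the same login event from a host that is not an approved workstation.
    "<133> MAR 24 07:49:12 10.131.7.165-2 UNKN[83102768]: cmd_logger_api.c(140) 766 %% "
    "WEB:10.131.9.23:admin:User admin logged in",
]

# Hypothetical allow-list of PAN administrator workstations (constructed).
ALLOWED_WEB_CLIENTS: Set[str] = {"10.131.7.67"}

_LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>\s+"
    r"(?P<ts>[A-Z]{3} \d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<device>\S+)\s+"
    r"(?P<component>\S+?)\[(?P<pid>\d+)\]:\s+"
    r"(?P<source>\S+)\s+(?P<seq>\d+)\s+%%\s+"
    r"WEB:(?P<client>[\d.]+):(?P<user>[^:]+):(?P<msg>.*)$"
)


def parse_web_session_line(line: str) -> Optional[Dict[str, object]]:
    """Return the line's fields, or None if it is not a web-session entry."""
    match = _LINE_RE.match(line)
    if match is None:
        return None
    rec: Dict[str, object] = dict(match.groupdict())
    pri = int(rec["pri"])  # type: ignore[arg-type]
    rec["facility"] = pri >> 3   # syslog PRI = facility * 8 + severity
    rec["severity"] = pri & 7
    return rec


def find_unexpected_web_logins(
    lines: Iterable[str], allowed: Set[str]
) -> List[Tuple[str, str, str]]:
    """Return (client, user, timestamp) for successful web logins from non-allowed clients."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        rec = parse_web_session_line(line)
        if rec is None:
            continue  # other syslog traffic; not a web-session entry
        if "logged in" in str(rec["msg"]) and rec["client"] not in allowed:
            hits.append((str(rec["client"]), str(rec["user"]), str(rec["ts"])))
    return hits


if __name__ == "__main__":
    for client, user, ts in find_unexpected_web_logins(SAMPLE_LOG, ALLOWED_WEB_CLIENTS):
        print(f"{ts}: web login by '{user}' from non-approved client {client}")
```

The session-creation entry carries `<<UNKNOWN>>` as its user because the switch has not yet authenticated anyone, so only the `logged in` message is treated as a login; the PRI value 133 decodes to facility 16 (local0) and severity 5 (notice), which is the level a syslog server filter would need to keep.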
Dependencies
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Instruction
Dependencies
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Instruction
Dependencies
1. Connected to the switch using the privileged account and issued the following command:
console#configure
The prompt for global configuration should be:
console(config)#
Revision Summary
3 May 2015 New Saudi Aramco Best Practice.