
Best Practice

SABP-Z-053 3 May 2015


Network Devices Hardening Guide – Dell Switches
Document Responsibility: Plants Networks Standards Committee

Saudi Aramco DeskTop Standards


Table of Contents

1 Introduction……………………............................ 2
2 Conflicts with Mandatory Standards................... 2
3 References......................................................... 2
4 Definitions........................................................... 3
5 Account & passwords Policies............................ 5
6 Services and applications settings.................... 20
7 Hardening controls............................................ 24
8 Logs and Auditing............................................. 27

Previous Issue: New Next Planned Update: 3 May 2020


Page 1 of 32
Primary contact: Ouchn, Nabil J (ouchnnj) on +966-3-8801365

Copyright©Saudi Aramco 2015. All rights reserved.


Document Responsibility: Plants Networks Standards Committee SABP-Z-053
Issue Date: 3 May 2015 Network Devices Hardening
Next Planned Update: 3 May 2020 Guide – Dell Switches

1 Introduction
1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology for implementing advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff for the purpose of prompt risk
mitigation and overall adherence to the company's cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and / or technicians working as Process Automation Network
(PAN) Administrators.
1.2 Scope
This best practice defines the methodology to harden the configuration settings
of DELL switches, which might require software / hardware to ensure
“secure configuration” as per the SAEP-99 “Process Automation Networks and
Systems Security” procedure.
Implementation of this best practice shall satisfy the audit requirement for
the BIT recommendations and can be assessed using the “Performing Security
Compliance Assessment Manual”.
1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by
the vendor and / or consulting agent for the implementation of security
configurations by the PAN administrator(s), and shall not be considered
“exclusive” in providing “comprehensive” compliance with SAEP-99 or any other
Saudi Aramco Engineering standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) from
their responsibility or duty to confirm and verify the accuracy of any
information presented herein and to coordinate thoroughly with the respective
control system steering committee chairman and vendor.

2 Conflicts with Mandatory Standards
In the event of a conflict between this Best Practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.
3 References
Specific sections of the following documents are referenced within the body of this
document. Material or equipment supplied under this best practice shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.

Saudi Aramco References

Saudi Aramco Engineering Procedures
SAEP-99      Process Automation Networks and Systems Security
SAEP-302     Instructions for Obtaining a Waiver of a Mandatory Saudi Aramco
             Engineering Requirement
Saudi Aramco Engineering Standards
SAES-Z-001   Process Control Systems
SAES-Z-010   Process Automation Networks
General Instruction
GI-0710.002  Classification of Sensitive Information

4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
DCS - Distributed Control System
ESD - Emergency Shutdown Systems
IP - Internet Protocol
ISA - The International Society of Automation
PCS - Process Control Systems
PAN - Process Automation Network
PMS - Power Monitoring System
SCADA - Supervisory Control and Data Acquisition
TMS - Terminal Management System
VMS - Vibration Monitoring System
4.2 Abbreviations
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. Wherever there are
assets worth protecting, authentication is needed. The initial step in protecting
systems and information is authentication, which identifies who is requesting access.

Process Automation Systems (PAS): PAS include Networks and Systems
hardware and software such as Process Automation Network (PAN), Distributed
Control Systems (DCSs), Emergency Shutdown Systems (ESD), Programmable
Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA)
systems, Terminal Management Systems (TMS), networked electronic sensing
systems, and monitoring (such as VMS and PMS), diagnostic, and related
industrial automation and control systems. PAS also include associated internal,
human, network, or machine interfaces used to provide control, safety,
maintenance, quality assurance, and other process operations functionalities to
continuous, batch, discrete, and combined processes.
Logs: Files or prints of information in chronological order.
PAN: Process Automation Network, sometimes referred to as Plant
Information Network (PIN), is a plant-wide network (switches, routers,
firewalls, computers, etc.) interconnecting process control systems and providing
an interface to the corporate network.
PAN Administrator: The Process Automation Networks (PAN) Administrator
administers and performs system configuration and monitoring, coordinating
with the Process Control System Administrator, if different, as designated by
the plant management. The PAN Administrator assumes ownership of the IA&CS
including the PAN Firewall and has the function of granting, revoking, and
tracking access privileges and communications of users on the ICS including
the Firewall.
Password: A form of secret authentication data that is used to control access to
a resource. Password authentication determines authenticity by testing a device
or a user that is requesting access to systems using, for example, a personal
identification number (PIN) or password. The password authentication scheme is
the simplest and most common mechanism.
Server: A dedicated un-manned data provider.

5 Account & passwords Policies

Ref.: DEL-AP-01    Domain: DELL    BIT: 8.6, 12.0.a
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.1.6.1.l, 5.5.1.a-f
Action: Change the default credentials for Admin
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies: The password should respect the SAEP-99 passwords policy
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# aaa authentication login "loc" local
   console(config)# line telnet
   console(config-line)# login authentication loc
   console(config-line)# exit
3. Change the password for the admin account:
   console(config)# username admin password NEW_PASSWORD privilege 15
   NEW_PASSWORD must be compliant with SAEP-99 directives.
   Minimum password length is set to at least 8 characters.
Automated task: yes

Ref.: DEL-AP-02    Domain: DELL    BIT: 12.0.a
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.1.6.1.a-f
Action: Set password for the console
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite: The password should respect the SAEP-99 passwords policy
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# line console
   console(config-line)# enable authentication default
   console(config-line)# login authentication default
3. Add a password to the line:
   console(config-line)# password NEW_PASSWORD
   NEW_PASSWORD must be compliant with SAEP-99 directives.
   Minimum password length is set to at least 8 characters.
Automated task: yes

Ref.: DEL-AP-03    Domain: DELL    BIT: 12.0.b, 12.0.a
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.1.6.1.a-f, 5.1.11.d
Action: Set a local password to control access to the privileged EXEC mode.
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite: The password should respect the SAEP-99 passwords policy
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# enable password NEW_PASSWORD
   NEW_PASSWORD must be compliant with SAEP-99 directives.
   Minimum password length is set to at least 8 characters.
Automated task: yes

Ref.: DEL-AP-04    Domain: DELL    BIT: 12.0.a
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.1.6.1.a-f
Action: Enable Password Strength feature during user configuration
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# passwords strength-check
   This command enables enforcement of the password strength checking policy as
   configured by the following commands:
   • passwords strength minimum uppercase-letters
   • passwords strength minimum lowercase-letters
   • passwords strength minimum special-characters
   • passwords strength minimum numeric-characters
   • passwords strength max-limit consecutive-characters
   • passwords strength max-limit repeated-characters
   • passwords strength minimum character-classes
Automated task: yes

Ref.: DEL-AP-05    Domain: DELL    BIT: 12.0.a
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.1.6.1.a-f
Action: Set the Password expiration policy
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# passwords aging 90
   When a user's password expires, the user is prompted to change it before logging in again.
   The password will expire in 90 days.
Automated task: yes

Ref.: DEL-AP-06    Domain: DELL    BIT: 12.0.a
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.1.6.1.a-f
Action: Set number of old passwords to retain in the password history
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# passwords history 3
   Enforce password history is set to 3 passwords remembered.
Automated task: yes

Ref.: DEL-AP-07    Domain: DELL    BIT: 12.0.a
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.1.6.1.a-f
Action: Set number of failed login attempts allowed (the lock-out policy)
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# passwords lock-out 5
   The lockout policy strengthens the security of the switch by locking user accounts
   that have failed login due to wrong passwords.
   Account lockout threshold is set to 5 invalid logon attempts.
Automated task: yes

Ref.: DEL-AP-08    Domain: DELL    BIT: 12.0.a
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.1.6.1.a-f
Action: Enable the minimum password length
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# passwords min-length 8
   Minimum password length is set to at least 8 characters.
   Exceptions should be handled according to SAEP-99 directives.
Automated task: yes

Ref.: DEL-AP-09    Domain: DELL    BIT: 12.0.a
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.1.6.1.a-f
Action: Set minimum number of uppercase characters allowed in a password (Complexity Policy)
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies: DEL-AP-13
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# passwords strength minimum uppercase-letters 2
   Ensures that a password contains a minimum of 2 uppercase letters.
Automated task: yes

Ref.: DEL-AP-10    Domain: DELL    BIT: 12.0.a
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.1.6.1.a-f
Action: Set minimum number of lowercase characters allowed in a password (Complexity Policy)
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies: DEL-AP-13
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# passwords strength minimum lowercase-letters 2
   Ensures that a password contains a minimum of 2 lowercase letters.
Automated task: yes

Ref.: DEL-AP-11    Domain: DELL    BIT: 12.0.a
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.1.6.1.a-f
Action: Enforce a minimum number of numeric characters that a password should contain (Complexity Policy)
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies: DEL-AP-13
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# passwords strength minimum numeric-characters 2
   Ensures that a password contains a minimum of 2 numeric characters.
Automated task: yes

Ref.: DEL-AP-12    Domain: DELL    BIT: 12.0.a
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.1.6.1.a-f
Action: Set minimum number of non-alphanumeric characters allowed in a password (Complexity Policy)
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies: DEL-AP-13
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# passwords strength minimum special-characters 2
   Ensures that a password contains a minimum of 2 special characters.
Automated task: yes

Ref.: DEL-AP-13    Domain: DELL    BIT: 12.0.a
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.1.6.1.a-f
Action: Set minimum number of non-alphanumeric characters allowed in a password (Complexity Policy)
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# passwords strength minimum character-classes 4
   character-classes must be enabled with value 4.
   Character-classes enables password character class checking using the parameters
   set by the following commands:
   • passwords strength minimum uppercase-letters
   • passwords strength minimum lowercase-letters
   • passwords strength minimum special-characters
   • passwords strength minimum numeric-characters
Automated task: yes

Ref.: INFO    Domain: DELL    BIT: 12.0.a
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.1.6.1.a-f
Action: Check the password policy configuration
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: NONE
Pre requisite:
Dependencies: Check the password policy for compliance.
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# show passwords configuration
   This command is not for hardening purposes. It should be used to display the
   configured password management settings and detect any non-compliant policy.
   Example output of show passwords configuration:

   console# show passwords configuration
   Passwords Configuration
   -----------------------
   Minimum Password Length........................ 8
   Password History............................... 0
   Password Aging (days).......................... 0
   Lockout Attempts............................... 0
   Password Strength Check........................ Enable
   Minimum Password Uppercase Letters............. 4
   Minimum Password Lowercase Letters............. 4
   Minimum Password Numeric Characters............ 3
   Minimum Password Special Characters............ 3
   Maximum Password Consecutive Characters........ 3
   Maximum Password Repeated Characters........... 3
   Minimum Password Character Classes............. 4
   Password Exclude Keywords...................... brcm, brcm1,brcm2
Automated task: yes
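The INFO control above says to use the output of show passwords configuration to detect a non-compliant policy. The following Python script is an added example, not part of this best practice and not a Dell tool: it parses that output and checks each setting against the baseline the DEL-AP-04 to DEL-AP-13 controls configure (strength check enabled, aging 90 days, history 3, lock-out 5, minimum length 8, two characters of each class, four character classes). The embedded sample is the example output printed above; the thresholds and control references are taken from this guide, and treating an aging or lock-out value of 0 as "feature disabled" is an assumption of the script.

```python
"""Audit a Dell PowerConnect 'show passwords configuration' dump against the
password-policy baseline set in DEL-AP-04 to DEL-AP-13 (added example)."""
import re

# Sample output as printed in the INFO control of this guide. It is not
# compliant: history, aging and lock-out are still at their default value of 0.
SAMPLE_OUTPUT = """\
console# show passwords configuration
Passwords Configuration
-----------------------
Minimum Password Length........................ 8
Password History............................... 0
Password Aging (days).......................... 0
Lockout Attempts............................... 0
Password Strength Check........................ Enable
Minimum Password Uppercase Letters............. 4
Minimum Password Lowercase Letters............. 4
Minimum Password Numeric Characters............ 3
Minimum Password Special Characters............ 3
Maximum Password Consecutive Characters........ 3
Maximum Password Repeated Characters........... 3
Minimum Password Character Classes............. 4
Password Exclude Keywords...................... brcm, brcm1,brcm2
"""

# "<label>....... <value>" rows; the label may contain spaces and parentheses.
ROW_RE = re.compile(r"^(?P<key>[A-Za-z ()]+?)\s*\.{2,}\s*(?P<value>.+?)\s*$")

# Baseline from this guide: (control reference, output label, predicate, expectation).
# Assumption: an aging or lock-out value of 0 means the feature is disabled, so it fails.
CHECKS = [
    ("DEL-AP-04", "Password Strength Check", lambda v: v == "Enable", "Enable"),
    ("DEL-AP-05", "Password Aging (days)", lambda v: 1 <= v <= 90, "1-90 days"),
    ("DEL-AP-06", "Password History", lambda v: v >= 3, ">= 3 remembered"),
    ("DEL-AP-07", "Lockout Attempts", lambda v: 1 <= v <= 5, "1-5 attempts"),
    ("DEL-AP-08", "Minimum Password Length", lambda v: v >= 8, ">= 8 characters"),
    ("DEL-AP-09", "Minimum Password Uppercase Letters", lambda v: v >= 2, ">= 2"),
    ("DEL-AP-10", "Minimum Password Lowercase Letters", lambda v: v >= 2, ">= 2"),
    ("DEL-AP-11", "Minimum Password Numeric Characters", lambda v: v >= 2, ">= 2"),
    ("DEL-AP-12", "Minimum Password Special Characters", lambda v: v >= 2, ">= 2"),
    ("DEL-AP-13", "Minimum Password Character Classes", lambda v: v >= 4, ">= 4"),
]


def parse_passwords_configuration(text):
    """Return {label: value}; numeric values are converted to int."""
    settings = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            value = m.group("value")
            settings[m.group("key").strip()] = int(value) if value.isdigit() else value
    return settings


def audit(settings):
    """Return a list of (control, label, actual, expected) for every failed check."""
    findings = []
    for ref, label, predicate, expected in CHECKS:
        actual = settings.get(label, "missing")
        try:
            ok = actual != "missing" and predicate(actual)
        except TypeError:  # a string where an integer was expected
            ok = False
        if not ok:
            findings.append((ref, label, actual, expected))
    return findings


if __name__ == "__main__":
    for ref, label, actual, expected in audit(parse_passwords_configuration(SAMPLE_OUTPUT)):
        print(f"{ref}: {label} is {actual}, expected {expected}")
```

Run against the sample output the script reports DEL-AP-05, DEL-AP-06 and DEL-AP-07 as failed; paste the output of a real switch in place of SAMPLE_OUTPUT to audit it.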

Ref.: DEL-AP-14    Domain: DELL    BIT: 8.6
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.1.6.1.l
Action: Change SNMP default communities (public and private)
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite: SNMP enabled and authorized
Dependencies: DEL-HC-01: Disable SNMP read/write community.
              Community string must be compliant with SAEP-99 requirements.
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# no snmp-server community public
   console(config)# no snmp-server community private
   console(config)# snmp-server community New_String ro
   New_String is the new community string; ro is the Read-Only privilege.
   The first issued command disables the default community public.
   The rw (read/write) privilege is not allowed.
Automated task: Yes

6 Services and applications settings

Ref.: DEL-SA-01    Domain: DELL    BIT:
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.3
Action: Disable Telnet Server
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies: SSH enabled and fully functional
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# ip telnet server disable
Automated task: Yes

Ref.: DEL-SA-04    Domain: DELL    BIT: 8.5
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.3.c, 5.4.2.m, 5.1.6.1.o
Action: Disable SNMP Community if protocol is not used
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: MODERATE
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# no snmp-server community string_in_use
Automated task: Yes

Ref.: DEL-SA-06    Domain: DELL    BIT:
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.3
Action: Disable GARP Multicast Registration Protocol if enabled
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: MODERATE
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# no gmrp enable
   The GARP Multicast Registration Protocol provides a mechanism that allows networking
   devices to dynamically register (and de-register) Group membership information with the
   MAC networking devices attached to the same segment, and for that information to be
   disseminated across all networking devices in the bridged LAN that support Extended
   Filtering Services. The operation of GMRP relies upon the services provided by the
   Generic Attribute Registration Protocol (GARP).
Automated task: Yes

Ref.: DEL-SA-07    Domain: DELL    BIT:
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.3
Action: Disable GARP VLAN Registration Protocol (GVRP)
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: MODERATE
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# no gvrp enable
   GARP VLAN Registration Protocol (GVRP) is used to propagate VLAN membership
   information throughout the network. GVRP is based on the Generic Attribute Registration
   Protocol (GARP), which defines a method of propagating a defined attribute (that is, VLAN
   membership) throughout the network. GVRP allows both end stations and the networking
   device to issue and revoke declarations relating to membership in VLANs. End stations
   that participate in GVRP register VLAN membership using GARP Protocol Data Unit (GPDU)
   messages.
Automated task: Yes

7 Hardening controls

Ref.: DEL-HC-01    Domain: DELL    BIT: 8.6
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.3.c, 5.4.2.m, 5.1.6.1.o
Action: Disable SNMP read/write community
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies: SNMP enabled and authorized
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# no snmp-server community private
   We assume that the private community is the default r/w community. Ensure that all r/w
   communities are disabled by issuing the show snmp command. See the following example.

   Console # show snmp

   Community-String Community-Access View name    IP address
   ---------------- ---------------- ------------ ----------
   Public           read only        user-view    All
   private          read write       Default      172.16.1.1
   private          su               DefaultSuper 172.17.1.1
Automated task: Yes
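DEL-AP-14 above requires the default community names to be replaced, and DEL-HC-01 requires every read/write community to be removed. The following Python script is an added example (not part of this best practice or of Dell's software) that reads the show snmp table printed in DEL-HC-01, flags every row that breaks either control, and derives the no snmp-server community commands the guide uses for removal. Comparing names case-insensitively is this script's choice, so that the "Public" row in the sample is still recognised as the default name.

```python
"""Flag SNMP communities that violate DEL-AP-14 (default names) and DEL-HC-01
(read/write or super-user access) in 'show snmp' output (added example)."""
import re

# Sample output as printed in DEL-HC-01 of this guide.
SAMPLE_SHOW_SNMP = """\
Console # show snmp

Community-String Community-Access View name IP address
---------------- ---------------- ---------- ----------
Public read only user-view All
private read write Default 172.16.1.1
private su DefaultSuper 172.17.1.1
"""

# Access column values seen in the output; "su" is the super-user community.
ROW_RE = re.compile(
    r"^(?P<community>\S+)\s+(?P<access>read only|read write|su)\s+"
    r"(?P<view>\S+)\s+(?P<ip>\S+)$"
)
DEFAULT_NAMES = {"public", "private"}  # the defaults DEL-AP-14 says to change


def parse_show_snmp(text):
    """Return one dict per community row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def audit_communities(rows):
    """Return (findings, remediation).

    findings: (community, access, reason) for each non-compliant row.
    remediation: the 'no snmp-server community <name>' commands from the guide,
    one per offending community name.
    """
    findings = []
    to_remove = []
    for row in rows:
        reasons = []
        if row["community"].lower() in DEFAULT_NAMES:
            reasons.append("default community name (DEL-AP-14)")
        if row["access"] != "read only":
            reasons.append(f"{row['access']} access not allowed (DEL-HC-01)")
        if reasons:
            findings.append((row["community"], row["access"], "; ".join(reasons)))
            if row["community"] not in to_remove:
                to_remove.append(row["community"])
    remediation = [f"no snmp-server community {name}" for name in to_remove]
    return findings, remediation


if __name__ == "__main__":
    findings, remediation = audit_communities(parse_show_snmp(SAMPLE_SHOW_SNMP))
    for community, access, reason in findings:
        print(f"{community} ({access}): {reason}")
    print("\n".join(remediation))
```

On the sample all three rows are flagged (two default names, one read-write and one super-user community), and the remediation list contains one removal command each for Public and private; a replacement read-only community (DEL-AP-14) still has to be added by the administrator.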

Ref.: DEL-HC-07    Domain: DELL    BIT: 8.3
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99:
Action: Set the system hostname according to the convention name
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# hostname NAME
   Proposal for the naming convention:
   - Geo location: 3 characters referring to the City or Plant (URT, ABQ, DHR ...)
   - Admin Area: 3 characters referring to whether it is an Oil or Gas plant
   - Device role: 2 or 3 characters indicating the device role
     o PLC, DCS..
     o WRK stands for workstation
     o SRV stands for server
     o PRT stands for printer
     o FW for Firewall, RT for Router, SW for Switch and so on
   - Incremental ID: 3 characters
   Ex: ABQ-WKS-005 means Workstation 5 in the Abqaiq plant
Automated task: Yes

Ref.: DEL-HC-10    Domain: DELL    BIT:
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99:
Action: Configure external (NTP) timeservers to sync device clock or local clock
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: MODERATE
Pre requisite:
Dependencies: NTP servers available
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# sntp server NTP_Server
   console(config)# sntp trusted-key Key_Number
   NTP_Server is the IP address of the NTP server that serves Simple Network Time
   Protocol (SNTP) traffic.
   Key_Number (if authentication is required) is the key used to authenticate the identity
   of the system to which Simple Network Time Protocol (SNTP) will synchronize.
   If an NTP server is not available or not yet deployed, the time should be set manually
   using the following command:
   console(config)#clock set 16:13:06 03/01/2014
   Change 16:13:06 03/01/2014 to the current time and date.
Automated task: Yes

8 Logs and Auditing

Ref.: DEL-LA-01    Domain: DELL    BIT: 18.0
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.5.1, 5.5.1 a-f
Action: Configuring Local System Log
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)#logging on
   The logging process controls the distribution of logging messages to the various
   destinations, such as the logging buffer, logging file, or syslog server. Logging on and
   off for these destinations can be individually configured using the logging buffered,
   logging file, and logging server global configuration commands.
   However, if the logging on command is disabled, no messages are sent to these
   destinations. In this case, only the console will continue to receive logging messages.
Automated task: Yes

Ref.: DEL-LA-02    Domain: DELL    BIT: 18.0
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.5.1, 5.5.1 a-f
Action: Configure the logging of commands
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# logging cli-command
Automated task: Yes

Ref.: DEL-LA-03    Domain: DELL    BIT: 18.0
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.5.1, 5.5.1 a-f
Action: Enabling SNMP logs
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies: SNMP enabled and authorized
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# logging snmp
Automated task: Yes

Ref.: DEL-LA-04    Domain: DELL    BIT: 18.0
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.5.1, 5.5.1 a-f
Action: Enable web-session logs
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# logging web-session
   Sample output:

   console(config)#logging web-session
   <133> MAR 24 07:46:07 10.131.7.165-2 UNKN[83102768]: cmd_logger_api.c(140) 764 %% WEB:10.131.7.67:<<UNKNOWN>>:EwaSessionLookup : session[0] created
   <133> MAR 24 07:46:07 10.131.7.165-2 UNKN[83102768]: cmd_logger_api.c(140) 765 %% WEB:10.131.7.67:admin:User admin logged in
Automated task: Yes
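The web-session messages shown in DEL-LA-04 are the records an administrator reviews to see who logged in to the switch's web interface and from where. The following Python script is an added example (not part of this best practice or of Dell's software): it parses those lines, decodes the leading <PRI> value into the standard syslog facility and severity (the severities also used by DEL-LA-06), extracts the client address and user from the WEB: message, and reports every successful login together with whether the client sits inside an allowed management network. The first two sample lines are the ones printed above; the third line and the 10.131.7.0/24 management network are constructed for the example.

```python
"""Parse the web-session syslog lines shown in DEL-LA-04, decode the <PRI>
facility/severity, and flag web logins from outside the management network
(added example, not part of the guide)."""
import ipaddress
import re

# The first two lines are the sample output printed in DEL-LA-04; the third is a
# constructed line for a login from an address outside the management network.
SAMPLE_LINES = [
    "<133> MAR 24 07:46:07 10.131.7.165-2 UNKN[83102768]: cmd_logger_api.c(140) 764 %% "
    "WEB:10.131.7.67:<<UNKNOWN>>:EwaSessionLookup : session[0] created",
    "<133> MAR 24 07:46:07 10.131.7.165-2 UNKN[83102768]: cmd_logger_api.c(140) 765 %% "
    "WEB:10.131.7.67:admin:User admin logged in",
    "<133> MAR 24 07:52:19 10.131.7.165-2 UNKN[83102768]: cmd_logger_api.c(140) 790 %% "
    "WEB:192.0.2.50:admin:User admin logged in",  # constructed
]

# <PRI> timestamp switch-unit component[task]: source seq %% message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s+(?P<timestamp>[A-Z]{3} \d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<switch>\S+)\s+(?P<component>[^\[\s]+)\[(?P<task>\d+)\]:\s+"
    r"(?P<source>\S+)\s+(?P<seq>\d+)\s+%%\s+(?P<message>.*)$"
)
# Standard syslog severities, index = numeric level.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]


def decode_pri(pri):
    """Syslog PRI = facility * 8 + severity; only the local facilities are named."""
    facility, severity = divmod(int(pri), 8)
    name = f"local{facility - 16}" if 16 <= facility <= 23 else f"facility{facility}"
    return name, SEVERITIES[severity]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["facility"], event["severity"] = decode_pri(event["pri"])
    # Web-session messages look like WEB:<client ip>:<user>:<text>.
    parts = event["message"].split(":", 3)
    if parts[0] == "WEB" and len(parts) == 4:
        event.update(client=parts[1], user=parts[2], text=parts[3])
    return event


def find_web_logins(lines, management_net):
    """Return (user, client, inside_management_net) for each successful web login."""
    net = ipaddress.ip_network(management_net)
    logins = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.get("text", "").endswith("logged in"):
            inside = ipaddress.ip_address(ev["client"]) in net
            logins.append((ev["user"], ev["client"], inside))
    return logins


if __name__ == "__main__":
    for user, client, inside in find_web_logins(SAMPLE_LINES, "10.131.7.0/24"):
        flag = "" if inside else "  <-- outside management network"
        print(f"web login: user={user} client={client}{flag}")
```

The PRI value 133 in the sample decodes to facility local0 and severity notice, which is what a syslog server configured as in the INFO control at the end of section 8 would use to filter these messages.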

Ref.: DEL-LA-05    Domain: DELL    BIT: 18.0
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.5.1, 5.5.1 a-f
Action: Enable the auditing trail
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# logging audit
Automated task: Yes

Ref.: DEL-LA-06    Domain: DELL    BIT: 18.0
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99: 5.5.1, 5.5.1 a-f
Action: Set the appropriate level of alerts
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# logging buffered 5
   console(config)# logging file 2
   console(config)# logging console 7
   Here are the severity levels (the standard syslog severities; a level includes that
   severity and all more severe, lower-numbered ones):
   0 emergency, 1 alert, 2 critical, 3 error, 4 warning, 5 notice, 6 informational, 7 debug.
Automated task: Yes

Ref.: INFO    Domain: DELL    BIT:
Target: [ ] PowerConnect 7000 Family    Mapping SAEP-99:
Action: Enable Syslog Server if infrastructure is available
State: Final    Version: 1.0    Created on: 09/25/14
RACI Matrix: R / A / C / I    Priority: NONE
Pre requisite: Syslog infrastructure fully functional
Dependencies:
Instruction:
1. Connect to the switch using the privileged account and issue the following command:
   console#configure
   The prompt for global configuration should be:
   console(config)#
2. Issue the following commands:
   console(config)# logging Syslog_Server_IP
   console(config-logging)#description "WhatEver"
   console(config-logging)#level alert
   To verify the settings, issue the following command:
   console#show syslog-servers
   Here is a sample output:

   IP address     Port Severity Facility Description
   ---------------------------------------------------------
   192.180.2.275  14   Info     local7   7
   192.180.2.285  14   Warning  local7   7
Automated task: Yes

Revision Summary
3 May 2015 New Saudi Aramco Best Practice.
