
Best Practice

SABP-Z-054 4 May 2015


Network Devices Hardening Guide – Emerson DeltaV Smart Switches
Document Responsibility: Plants Networks Standards Committee

Saudi Aramco DeskTop Standards


Table of Contents

1 Introduction ........................................ 2
2 Conflicts with Mandatory Standards .................. 2
3 References .......................................... 2
4 Definitions ......................................... 3
5 Account & passwords Policies ........................ 5
6 Services and applications settings .................. 7
7 Hardening controls .................................. 9
8 Logs and Auditing ................................... 12

Previous Issue: New
Next Planned Update: 4 May 2020


Page 1 of 14
Primary contact: Ouchn, Nabil J (ouchnnj) on +966-3-8801365

Copyright©Saudi Aramco 2015. All rights reserved.


SABP-Z-054  Network Devices Hardening Guide – Emerson DeltaV Smart Switches
Document Responsibility: Plants Networks Standards Committee
Issue Date: 4 May 2015
Next Planned Update: 4 May 2020

1 Introduction

1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology for implementing advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff for the purpose of prompt risk
mitigation and overall adherence to the company’s cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and/or technicians working as Process Automation Network
(PAN) Administrators.

1.2 Scope
This best practice defines the methodology to harden the Emerson DeltaV
Smart Switches configuration settings, which might require software and/or
hardware changes to ensure a “secure configuration” as per the SAEP-99 “Process
Automation Networks and Systems Security” procedure.
Implementation of this best practice shall satisfy the audit requirement for
the BIT recommendations and can be assessed using the “Performing Security
Compliance Assessment Manual”.

1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by
the vendor and/or consulting agent for the implementation of security
configurations by the PAN administrator(s), and shall not be considered
“exclusive” in providing “comprehensive” compliance with SAEP-99 or any other
Saudi Aramco Engineering standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) of
their responsibility or duty to confirm and verify the accuracy of any
information presented herein, nor of thorough coordination with the respective
control system steering committee chairman and vendor.

2 Conflicts with Mandatory Standards
In the event of a conflict between this Best Practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.

3 References
Specific sections of the following documents are referenced within the body of this
document. Material or equipment supplied under this best practice shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.


Saudi Aramco References

Saudi Aramco Engineering Procedures
SAEP-99      Process Automation Networks and Systems Security
SAEP-302     Instructions for Obtaining a Waiver of a Mandatory Saudi Aramco
             Engineering Requirement

Saudi Aramco Engineering Standards
SAES-Z-001   Process Control Systems
SAES-Z-010   Process Automation Networks

General Instruction
GI-0710.002  Classification of Sensitive Information

4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.

4.1 Acronyms
DCS - Distributed Control System
ESD - Emergency Shutdown Systems
IP - Internet Protocol
ISA - The International Society of Automation
PCS - Process Control Systems
PAN - Process Automation Network
PMS - Power Monitoring System
SCADA - Supervisory Control and Data Acquisition
TMS - Terminal Management System
VMS - Vibration Monitoring System

4.2 Abbreviations
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. Wherever there are
assets worth protecting, authentication is required: the initial step in
protecting systems and information is authentication, which establishes who is
requesting access.


Process Automation Systems (PAS): PAS include Networks and Systems hardware and
software such as Process Automation Network (PAN), Distributed Control Systems
(DCSs), Emergency Shutdown Systems (ESD), Programmable Logic Controllers (PLCs),
Supervisory Control and Data Acquisition (SCADA) systems, Terminal Management
Systems (TMS), networked electronic sensing systems, monitoring systems (such as
VMS and PMS), diagnostic systems, and related industrial automation and control
systems. PAS also include associated internal, human, network, or machine
interfaces used to provide control, safety, maintenance, quality assurance, and
other process operations functionalities to continuous, batch, discrete, and
combined processes.
Logs: Files or prints of information in chronological order.
PAN: Process Automation Network, sometimes referred to as Plant Information
Network (PIN), is a plant-wide network (switches, routers, firewalls, computers,
etc.) interconnecting the process control systems and providing an interface to
the corporate network.
PAN Administrator: The Process Automation Network (PAN) Administrator administers
and performs system configuration and monitoring, coordinating with the Process
Control System Administrator, if different, as designated by the plant
management. The PAN Administrator assumes ownership of the IA&CS, including the
PAN Firewall, and has the function of granting, revoking, and tracking access
privileges and communications of users on the ICS, including the Firewall.
Password: A form of secret authentication data that is used to control access to
a resource. Password authentication determines authenticity by testing a device
or user that is requesting access to a system with, for example, a personal
identification number (PIN) or password. The password authentication scheme is
the simplest and most common mechanism.
Server: A dedicated unmanned data provider.


5 Account & passwords Policies

Ref: EME-AP-01    Domain: EMERSON    BIT: 8.6
Target:
  [ ] FP20 network switches
  [x] RM100 network switches
  [ ] MD20 network switches
  [ ] MD30 network switches
Mapping: SAEP-99 5.1.6.1.l
Action: Change the default password for the account Admin
State: Final    Version: 1.1    Created on: 09/01/2014
RACI Matrix: R C / A I    Priority: HIGH
Pre-requisite: The password length and complexity shall respect the SAEP-99 requirements.
Dependencies: none

Instruction:
1. Connect to the switch using the serial port (9600 baud, 8 data bits, no parity,
   1 stop bit, no flow control).
2. At the prompt, type the following command:

       deltav

   The deltav command starts the Smart Switch setup wizard. To skip a
   configuration step, just press Return.
3. During the setup steps, you should see the following prompt:

       Change the default admin password

4. Type the new password, making sure it respects the requirements stated in
   SAEP-99.

The admin password can only be reset via the DeltaV Setup wizard, using the serial
port or a telnet connection. Changing this password only affects user access to the
switch; it is not connected to or synchronized with the DeltaV or Windows
passwords.

The default password is Emerson1.


Ref: EME-AP-02    Domain: EMERSON    BIT: 8.6
Target:
  [ ] FP20 network switches
  [x] RM100 network switches
  [ ] MD20 network switches
  [ ] MD30 network switches
Mapping: SAEP-99 5.1.6.1.l
Action: Change the default password for the account User
State: Final    Version: 1.1    Created on: 09/01/2014
RACI Matrix: R C / A I    Priority: HIGH
Pre-requisite: The password length and complexity shall respect the SAEP-99 requirements.
Dependencies: none

Instruction:
1. Connect to the switch using the serial port (9600 baud, 8 data bits, no parity,
   1 stop bit, no flow control).
2. At the prompt, type the following command:

       deltav

   The deltav command starts the Smart Switch setup wizard. To skip a
   configuration step, just press Return.
3. During the setup steps, you should see the following prompt:

       Change the default user password

4. Type the new password, making sure it respects the requirements stated in
   SAEP-99.

The user password can only be reset via the DeltaV Setup wizard, using the serial
port or a telnet connection. Changing this password only affects user access to the
switch; it is not connected to or synchronized with the DeltaV or Windows
passwords.

The default password is Emerson1.
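A password policy check for the new Admin (EME-AP-01) and User (EME-AP-02) passwords, added here as an example; it is not part of the original guide or of Emerson's tooling. It always rejects the documented vendor default, Emerson1. The length, character-class and banned-word thresholds are assumptions standing in for the SAEP-99 requirements, which this document references but does not quote, and must be replaced with the values the procedure actually mandates.

```python
import re
from typing import List

# Default password documented in this guide for both the Admin and User accounts.
VENDOR_DEFAULT = "Emerson1"

# Assumed policy thresholds (not from SAEP-99): replace with the mandated values.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
BANNED_SUBSTRINGS = ("emerson", "deltav", "password", "switch")

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def character_classes(candidate: str) -> int:
    """Count how many of the lower/upper/digit/symbol classes the password uses."""
    return sum(1 for pattern in CLASS_PATTERNS if re.search(pattern, candidate))


def check_password(candidate: str, account: str) -> List[str]:
    """Return the list of policy violations for a proposed switch password.

    An empty list means the candidate is acceptable under the assumed policy.
    The vendor default is rejected whatever the other thresholds say.
    """
    failures = []
    if candidate == VENDOR_DEFAULT:
        failures.append("password is the vendor default")
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(candidate) < MIN_CHARACTER_CLASSES:
        failures.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    lowered = candidate.lower()
    if account.lower() in lowered:
        failures.append(f"contains the account name '{account}'")
    for word in BANNED_SUBSTRINGS:
        if word in lowered:
            failures.append(f"contains the banned word '{word}'")
    return failures


if __name__ == "__main__":
    # Constructed candidates: the documented default and a replacement value.
    for account, candidate in (("Admin", VENDOR_DEFAULT), ("User", "Tk9#plantRack!42")):
        problems = check_password(candidate, account)
        print(f"{account}: {'OK' if not problems else '; '.join(problems)}")
```

Run the check on the candidate before typing it into the wizard; the switch itself does not validate complexity, so this is the only place the policy is enforced.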


6 Services and applications settings

Ref: EME-SA-01    Domain: EMERSON    BIT: none
Target:
  [ ] FP20 network switches
  [x] RM100 network switches
  [ ] MD20 network switches
  [ ] MD30 network switches
Mapping: SAEP-99
Action: Disable HTTP access
State: Final    Version: 1.1    Created on: 09/01/2014
RACI Matrix: R C / A I    Priority: HIGH
Pre-requisite: none
Dependencies: none

Instruction:
1. Connect to the switch using the serial port (9600 baud, 8 data bits, no parity,
   1 stop bit, no flow control).
2. At the prompt, type the following command:

       deltav

   The deltav command starts the Smart Switch setup wizard. To skip a
   configuration step, just press Return.
3. During the setup steps, you should see the following prompt:

       Disable HTTP access

   This disables access to the view-only web interface on the switch.


Ref: EME-SA-02    Domain: EMERSON    BIT: none
Target:
  [ ] FP20 network switches
  [x] RM100 network switches
  [ ] MD20 network switches
  [ ] MD30 network switches
Mapping: SAEP-99
Action: Disable Telnet access
State: Final    Version: 1.1    Created on: 09/01/2014
RACI Matrix: R C / A I    Priority: HIGH
Pre-requisite: none
Dependencies: The Telnet service may be needed for monitoring purposes; see EME-LA-03.

Instruction:
1. Connect to the switch using the serial port (9600 baud, 8 data bits, no parity,
   1 stop bit, no flow control).
2. At the prompt, type the following command:

       deltav

   The deltav command starts the Smart Switch setup wizard. To skip a
   configuration step, just press Return.
3. During the setup steps, you should see the following prompt:

       Disable Telnet access

   This disables remote configuration access using Telnet.


7 Hardening controls

Ref: EME-HC-01    Domain: EMERSON    BIT: 8.3
Target:
  [ ] FP20 network switches
  [x] RM100 network switches
  [ ] MD20 network switches
  [ ] MD30 network switches
Mapping: SAEP-99
Action: Set the hostname
State: Final    Version: 1.1    Created on: 09/01/2014
RACI Matrix: R C / A I    Priority: HIGH
Pre-requisite: none
Dependencies: none

Instruction:
1. Connect to the switch using the serial port (9600 baud, 8 data bits, no parity,
   1 stop bit, no flow control).
2. At the prompt, type the following command:

       deltav

   The deltav command starts the Smart Switch setup wizard. To skip a
   configuration step, just press Return.
3. During the setup steps, you should see the following prompt:

       Switch name

4. Type a new hostname and a description (the description is optional).

Naming convention sample:
- Geo location: 3 characters referring to the City or Plant (URT, ABQ, DHR ...)
- Admin Area: 3 characters referring to whether it is an Oil or Gas plant
- Device role: 2 or 3 characters indicating the device role
  o PLC, DCS ...
  o WRK stands for workstation
  o SRV stands for server
  o PRT stands for printer
  o FW for Firewall, RT for Router, and so on
- Incremental ID: 3 digits
Example: ABQ-RTR-005 means router number 5 in the Abqaiq Plant. We can suppose
there are also ABQ-RT-001, ABQ-RTR-002, ABQ-RTR-003, etc.
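A parser and validator for hostnames following the naming convention sample above, added here as an example; it is not part of the original guide. It splits a name into its segments, rejects unknown device-role codes, and proposes the next free incremental ID for a site, which is the check a PAN administrator would run before typing a name into the wizard. Two points are assumptions: the Admin Area segment is treated as optional, because the guide lists it but its own example (ABQ-RTR-005) omits it, and the role code SW for a switch is added to the codes the guide names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Role codes named in the convention sample; RTR is accepted because the guide's
# worked example uses it, and SW (switch) is an added assumption.
KNOWN_ROLES = {"PLC", "DCS", "WRK", "SRV", "PRT", "FW", "RT", "RTR", "SW"}

# GEO-[AREA-]ROLE-NNN. The optional AREA segment is an assumption (see lead-in).
HOSTNAME_RE = re.compile(
    r"^(?P<geo>[A-Z]{3})-(?:(?P<area>[A-Z]{3})-)?(?P<role>[A-Z]{2,3})-(?P<seq>\d{3})$"
)


@dataclass(frozen=True)
class Hostname:
    geo: str
    area: Optional[str]
    role: str
    seq: int


def parse_hostname(name: str) -> Hostname:
    """Split a hostname into its segments.

    Raises ValueError when the name does not follow the convention or names a
    device role that is not in the approved list.
    """
    match = HOSTNAME_RE.match(name)
    if match is None:
        raise ValueError(f"{name!r} does not match GEO-[AREA-]ROLE-NNN")
    role = match["role"]
    if role not in KNOWN_ROLES:
        raise ValueError(f"{name!r} uses unknown device role {role!r}")
    return Hostname(match["geo"], match["area"], role, int(match["seq"]))


def is_compliant(name: str) -> bool:
    """True when the name parses and uses an approved role code."""
    try:
        parse_hostname(name)
    except ValueError:
        return False
    return True


def next_hostname(existing: List[str], geo: str, role: str,
                  area: Optional[str] = None) -> str:
    """Propose the next free incremental ID for a new device at a site.

    Every name in `existing` must itself be compliant; a non-compliant
    inventory entry raises ValueError so that it is fixed rather than skipped.
    """
    used = [
        h.seq for h in map(parse_hostname, existing)
        if h.geo == geo and h.role == role and h.area == area
    ]
    nxt = max(used, default=0) + 1
    if nxt > 999:
        raise ValueError("incremental ID space exhausted for this site and role")
    segments = [geo] + ([area] if area else []) + [role, f"{nxt:03d}"]
    return "-".join(segments)


if __name__ == "__main__":
    # Constructed inventory, based on the names the guide's example supposes.
    inventory = ["ABQ-RT-001", "ABQ-RTR-002", "ABQ-RTR-003"]
    print(parse_hostname("ABQ-RTR-005"))
    print(next_hostname(inventory, "ABQ", "RTR"))    # ABQ-RTR-004
```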


Ref: EME-HC-02    Domain: EMERSON    BIT: 8.3
Target:
  [ ] FP20 network switches
  [x] RM100 network switches
  [ ] MD20 network switches
  [ ] MD30 network switches
Mapping: SAEP-99
Action: Configure external (NTP) timeservers to sync the device clock
State: Final    Version: 1.1    Created on: 09/01/2014
RACI Matrix: R C / A I    Priority: HIGH
Pre-requisite: none
Dependencies: NTP Time Server should be ready and configured.

Instruction:
1. Connect to the switch using the serial port (9600 baud, 8 data bits, no parity,
   1 stop bit, no flow control).
2. At the prompt, type the following command:

       deltav

   The deltav command starts the Smart Switch setup wizard. To skip a
   configuration step, just press Return.
3. During the setup steps, you should see the following prompt:

       Configure the network IP address of the time server

4. Type the IP address of the NTP server.


Ref: EME-HC-04    Domain: EMERSON    BIT: none
Target:
  [ ] FP20 network switches
  [x] RM100 network switches
  [ ] MD20 network switches
  [ ] MD30 network switches
Mapping: SAEP-99
Action: Disable the network discovery
State: Final    Version: 1.1    Created on: 09/01/2014
RACI Matrix: R C / A I    Priority: MODERATE
Pre-requisite: none
Dependencies: NTP Time Server should be ready and configured.

Instruction:
1. Connect to the switch using the serial port (9600 baud, 8 data bits, no parity,
   1 stop bit, no flow control).
2. At the prompt, type the following command:

       deltav

   The deltav command starts the Smart Switch setup wizard. To skip a
   configuration step, just press Return.
3. During the setup steps, you should see the following prompt:

       Disable network discovery

   Used for setup of switches to be installed in DeltaV v10.3 or 10.3.1 only. This
   command disables the switch discovery access that is needed by v11 and newer
   systems; it should be disabled on v10 systems as a security measure.


8 Logs and Auditing

Ref: EME-LA-01    Domain: EMERSON    BIT: none
Target:
  [ ] FP20 network switches
  [x] RM100 network switches
  [ ] MD20 network switches
  [ ] MD30 network switches
Mapping: SAEP-99
Action: Configure SNMP Trap node
State: Final    Version: 1.1    Created on: 09/01/2014
RACI Matrix: R C / A I    Priority: MODERATE
Pre-requisite: none
Dependencies: SNMP server should be ready and configured.

Instruction:
1. Connect to the switch using the serial port (9600 baud, 8 data bits, no parity,
   1 stop bit, no flow control).
2. At the prompt, type the following command:

       deltav

   The deltav command starts the Smart Switch setup wizard. To skip a
   configuration step, just press Return.
3. During the setup steps, you should see the following prompt:

       Configure the network IP address of the SNMP trap destination node

   This allows the switch to send any preconfigured traps to a computer on the
   DeltaV network.


Ref: EME-LA-02    Domain: EMERSON    BIT: 18.0.a
Target:
  [ ] FP20 network switches
  [x] RM100 network switches
  [ ] MD20 network switches
  [ ] MD30 network switches
Mapping: SAEP-99 5.5.1.d.iv
Action: Configure SysLog access
State: Final    Version: 1.1    Created on: 09/01/2014
RACI Matrix: R C / A I    Priority: MODERATE
Pre-requisite: none
Dependencies: SNMP server should be ready and configured.

Instruction:
1. Connect to the switch using the serial port (9600 baud, 8 data bits, no parity,
   1 stop bit, no flow control).
2. At the prompt, type the following command:

       deltav

   The deltav command starts the Smart Switch setup wizard. To skip a
   configuration step, just press Return.
3. During the setup steps, you should see the following prompt:

       Configure the network IP address of the SysLog server node

   This allows the switch to send its logs to a computer on the DeltaV network
   that is set up to collect communications traffic information from the switch.
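Once the switch forwards its logs, the SysLog server node has to make sense of them. The following parser, added here as an example and not part of the original guide, decodes RFC 3164 syslog lines (the PRI field into facility and severity, then timestamp, host and message) and keeps the events at or above a chosen severity for review. The sample lines are constructed for this example; their message texts are illustrative and do not reproduce the RM100's real log wording, and the hostname ABQ-SW-001 follows the convention sample in EME-HC-01.

```python
import re
from typing import Iterable, List, Optional, Tuple

# RFC 3164 severity levels, index 0 = most severe.
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
# RFC 3164 facility codes 0..23.
FACILITIES = (
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
)

# <PRI>Mmm dd hh:mm:ss HOST MSG  (day of month is space-padded: "May  4")
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_line(line: str) -> Optional[dict]:
    """Parse one syslog line; return None when it is not RFC 3164 shaped."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    facility, severity = decode_pri(int(match["pri"]))
    return {
        "facility": facility,
        "severity": severity,
        "timestamp": match["ts"],
        "host": match["host"],
        "message": match["msg"],
    }


def triage(lines: Iterable[str], threshold: str = "warning") -> List[dict]:
    """Return parsed events whose severity is at or above `threshold`."""
    limit = SEVERITIES.index(threshold)
    events = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # unparseable input: count these in production, never drop silently
        if SEVERITIES.index(event["severity"]) <= limit:
            events.append(event)
    return events


# Constructed sample of what the collector might receive from the switch.
SAMPLE_LINES = [
    "<14>May  4 10:15:02 ABQ-SW-001 Link Up: interface 1/5",
    "<12>May  4 10:16:40 ABQ-SW-001 Authentication failure for user admin via telnet",
    "<13>May  4 10:20:11 ABQ-SW-001 Running configuration saved to startup configuration",
    "<11>May  4 10:21:05 ABQ-SW-001 Link Down: interface 1/1",
    "garbage line without a PRI header",
]

if __name__ == "__main__":
    for event in triage(SAMPLE_LINES):
        print(f"{event['timestamp']} {event['host']} "
              f"{event['facility']}.{event['severity']}: {event['message']}")
```

A link-down or authentication-failure event on a switch that was just hardened is exactly what the collector should surface; the threshold argument lets the same function feed a noisier debugging view.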


Ref: EME-LA-03    Domain: EMERSON    BIT: none
Target:
  [ ] FP20 network switches
  [x] RM100 network switches
  [ ] MD20 network switches
  [ ] MD30 network switches
Mapping: SAEP-99
Action: Monitoring the DeltaV
State: Final    Version: 1.1    Created on: 09/01/2014
RACI Matrix: R C / A I    Priority: INFO
Pre-requisite: Telnet should be re-enabled (see EME-SA-02).
Dependencies: none

Instruction:
Telnet to the switch IP address. At the prompt, type the following commands.

The latest configuration:

    (Emerson RM100)> show running-config

The detailed hardware and software information:

    (Emerson RM100)> show sysinfo

The configured IP and MAC address:

    (Emerson RM100)> show network

The interface statistics for a specific interface:

    (Emerson RM100)> show interface 1/1

The event log statistics:

    (Emerson RM100)> show eventlog

Revision Summary
4 May 2015 New Saudi Aramco Best Practice.
