
Best Practice

SABP-Z-083 20 April 2016

Network Devices Hardening Guide – Moxa Switches


Document Responsibility: Plants Networks Standards Committee

Saudi Aramco DeskTop Standards


Table of Contents

1 Introduction 2
2 Conflicts with Mandatory Standards 2
3 References 2
4 Definitions 3
5 Accounts & Passwords Policies 5
6 Services and applications settings 10
7 Hardening controls 15
8 Log and Auditing 20

Previous Issue: New
Next Planned Update: 3 May 2020


Page 1 of 22
Primary contact: Ouchn, Nabil J (ouchnnj) on +966-3-8801365

Copyright©Saudi Aramco 2016. All rights reserved.


Document Responsibility: Plants Networks Standards Committee
Issue Date: 20 April 2016
Next Planned Update: 3 May 2020
SABP-Z-083 Network Devices Hardening Guide – Moxa Switches

1 Introduction

1.1 Purpose and Intended Users

The purpose of this best practice document is to establish a recommended
methodology for implementing advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff for the purpose of prompt risk
mitigation and overall adherence to the company’s cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and/or technicians working as Process Automation Network
(PAN) Administrators.

1.2 Scope

This best practice defines the methodology to harden the configuration settings
of Moxa switches, which might require software/hardware changes to ensure “secure
configuration” as per the SAEP-99 “Process Automation Networks and Systems
Security” procedure.

1.3 Disclaimer

This Best Practice complements other procedures or best practices provided by the
vendor and/or consulting agent for the implementation of security configurations
by the PAN administrator(s), and shall not be considered “exclusive” in providing
“comprehensive” compliance with SAEP-99 or any other Saudi Aramco
Engineering standards requirements.

The use of this Best Practice does not relieve the PAN administrator(s) of their
responsibility or duty to confirm and verify the accuracy of any information
presented herein, nor of thorough coordination with the respective control system
steering committee chairman and vendor.

2 Conflicts with Mandatory Standards


In the event of a conflict between this Best Practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.

3 References

Specific sections of the following documents are referenced within the body of this
document. Material or equipment supplied under this best practice shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.

Saudi Aramco References

Saudi Aramco Engineering Procedures
SAEP-99 Process Automation Networks and Systems Security

Saudi Aramco Engineering Standards
SAES-Z-001 Process Control Systems
SAES-Z-010 Process Automation Networks

General Instruction
GI-0710.002 Classification of Sensitive Information

4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
DHCP - Dynamic Host Configuration Protocol
HTTPS - HyperText Transfer Protocol Secure
IP - Internet Protocol
NTP - Network Time Protocol
PCS - Process Control Systems
PAN - Process Automation Network
SSH - Secure Shell
SNMP - Simple Network Management Protocol
4.2 Abbreviations
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. Wherever there are
assets worth protecting, authentication is needed. The initial step in protecting
systems and information is authentication, which identifies who is requesting access.
Process Automation Systems (PAS): PAS include Networks and Systems
hardware and software such as Process Automation Network (PAN), Distributed
Control Systems (DCSs), Emergency Shutdown Systems (ESD), Programmable
Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA)
systems, Terminal Management Systems (TMS), networked electronic sensing
systems, and monitoring (such as VMS and PMS), diagnostic, and related
industrial automation and control systems. PAS also include associated internal,
human, network, or machine interfaces used to provide control, safety,
maintenance, quality assurance, and other process operations functionalities to
continuous, batch, discrete, and combined processes.
Logs: Files or prints of information in chronological order.
PAN: Process Automation Network, sometimes referred to as Plant
Information Network (PIN), is a plant-wide network (switches, routers, firewalls,
computers, etc.) interconnecting the process control systems and providing an
interface to the corporate network.
PAN Administrator: The Process Automation Network (PAN) Administrator
administers and performs system configuration and monitoring and coordinates
with the Process Control System Administrator, if different, as designated by the
plant management. The PAN Administrator assumes ownership of the IA&CS,
including the PAN Firewall, and has the function of granting, revoking, and
tracking access privileges and communications of users on the ICS, including
the Firewall.
Password: A form of secret authentication data that is used to control access to
a resource. Password authentication determines authenticity by testing a device
or a user that requests access to systems, using for example a personal
identification number (PIN) or password. The password authentication scheme is
the simplest and most common mechanism.
Server: A dedicated un-manned data provider.

`
Page 4 of 22
Document Responsibility: Plants Networks Standards Committee SABP-Z-083
Issue Date: 20 April 2016 Network Devices Hardening
Next Planned Update: 3 May 2020 Guide – Moxa Switches

5 Accounts & Passwords Policies

Domain: MOXA
Ref.: MXA-AP-01
BIT: 12.0.a
Target:
  [ ] IKS-67xx Series
  [ ] IKS-G68xx Series
  [ ] EDS-5xx Series
  [ ] EDS-G5xx Series
  [ ] ICS-G75xx Series
  [ ] ICS-G77xx Series
  [ ] ICS-G78xx Series
Mapping: SAEP-99 5.1.6.1.a-f
Action: Change default passwords
State: Final
Version: 1.0
Created on: 30/03/16
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite: The password should respect the SAEP-99 passwords policy.
NOTE: Some settings and commands may not work for all the switch series.
Please consider reporting them to the author of this document.

Instruction:
1. Connect to the switch using the Serial Connection / Web Access / Telnet.
2. If using the Web Access, point the browser to Basic Settings / Password.
3. If using the Telnet or Serial, the menu should be as follows.

By default, some Moxa devices are shipped with 2 accounts, user and admin,
either with ‘moxa’ or no password assigned.

If you are using the serial port, consider the following settings:

The new password must be compliant with SAEP-99 directives.

Minimum password length is set to at least 8 characters.


Domain: MOXA
Ref.: MXA-AP-02
BIT: 12.0.a
Target:
  [ ] IKS-67xx Series
  [ ] IKS-G68xx Series
  [ ] EDS-5xx Series
  [ ] EDS-G5xx Series
  [ ] ICS-G75xx Series
  [ ] ICS-G77xx Series
  [ ] ICS-G78xx Series
Mapping: SAEP-99 5.1.6.1.a-f
Action: Delete ‘user’ account if not used
State: Final
Version: 1.0
Created on: 30/03/16
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite: If supported by your device.
Dependencies:

Instruction:
1. Connect to the switch using the Serial Connection / Web Access / Telnet.
2. If using the Web Access, point the browser to System Setting / Accounts.


Domain: MOXA
Ref.: MXA-AP-03
BIT: 8.6
Target:
  [ ] IKS-67xx Series
  [ ] IKS-G68xx Series
  [ ] EDS-5xx Series
  [ ] EDS-G5xx Series
  [ ] ICS-G75xx Series
  [ ] ICS-G77xx Series
  [ ] ICS-G78xx Series
Mapping: SAEP-99 5.1.6.1.l
Action: Change the SNMP default community
State: Final
Version: 1.0
Created on: 30/03/16
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite: The community string should respect the SAEP-99 passwords policy.
Dependencies: If SNMP is required by alarm systems.

Instruction:
1. Connect to the switch using the Serial Connection / Web Access / Telnet.
2. If using the Web Access, point the browser to SNMP Settings.
3. If using the Telnet or Serial, browse to SNMP Settings.

The new community string must be compliant with SAEP-99 directives.

Minimum password length is set to at least 8 characters.
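The following is an added example, not part of the SABP-Z-083 document or of Moxa's own tooling: a small audit routine that checks a proposed switch password (MXA-AP-01) or SNMP community string (MXA-AP-03) against the requirements stated above, i.e. the factory defaults ('moxa' or an empty password) must no longer be in use and the minimum length is 8 characters. The character-class rule is an assumption standing in for the SAEP-99 password policy, which the page references but does not reproduce, and the 'public'/'private' community defaults are general SNMP knowledge rather than values quoted on the page.

```python
"""Credential policy audit for the MXA-AP-01 / MXA-AP-03 controls.

Added example; the rules marked 'assumed' are not quoted from SAEP-99.
"""
import string

# Factory defaults named on the page for the 'admin' and 'user' accounts.
MOXA_DEFAULT_PASSWORDS = frozenset({"", "moxa"})
# Common SNMPv1/v2c default communities (general knowledge, not from the page).
SNMP_DEFAULT_COMMUNITIES = frozenset({"public", "private"})
MIN_LENGTH = 8          # stated on the page
REQUIRED_CLASSES = 3    # assumed: at least 3 of 4 character classes


def check_secret(secret, defaults=MOXA_DEFAULT_PASSWORDS, min_length=MIN_LENGTH):
    """Return a list of policy violations for `secret`; an empty list means compliant."""
    violations = []
    if secret in defaults:
        violations.append("factory default value still in use")
    if len(secret) < min_length:
        violations.append(f"shorter than {min_length} characters")
    # Assumed complexity requirement (SAEP-99 text is not reproduced on the page).
    classes = {
        "lowercase": any(c in string.ascii_lowercase for c in secret),
        "uppercase": any(c in string.ascii_uppercase for c in secret),
        "digit": any(c in string.digits for c in secret),
        "symbol": any(c in string.punctuation for c in secret),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(classes) - len(missing) < REQUIRED_CLASSES:
        violations.append("missing character classes: " + ", ".join(missing))
    return violations


def audit_device(admin_password, user_password=None, snmp_communities=()):
    """Audit one switch's credentials.

    user_password=None means the 'user' account has been deleted (MXA-AP-02).
    Returns {check label: [violations]}; an empty dict means every check passed.
    """
    checks = [("MXA-AP-01 admin password", admin_password, MOXA_DEFAULT_PASSWORDS)]
    if user_password is not None:
        checks.append(("MXA-AP-01 user password", user_password, MOXA_DEFAULT_PASSWORDS))
    for community in snmp_communities:
        checks.append((f"MXA-AP-03 community {community!r}", community, SNMP_DEFAULT_COMMUNITIES))
    findings = {}
    for label, value, defaults in checks:
        problems = check_secret(value, defaults)
        if problems:
            findings[label] = problems
    return findings


if __name__ == "__main__":
    # Constructed sample: compliant admin password, user account deleted,
    # one community still at its default and one that passes.
    for label, problems in audit_device("Pan-Sw1tch#2016", None,
                                        ["public", "Plant#Mon1tor"]).items():
        print(label, "->", "; ".join(problems))
```

The same function serves both controls because the page applies one policy (the SAEP-99 password policy) to passwords and community strings alike; only the set of factory defaults differs.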


6 Services and applications settings

Domain: MOXA
Ref.: MXA-SA-01
BIT: 8.5
Target:
  [ ] IKS-67xx Series
  [ ] IKS-G68xx Series
  [ ] EDS-5xx Series
  [ ] EDS-G5xx Series
  [ ] ICS-G75xx Series
  [ ] ICS-G77xx Series
  [ ] ICS-G78xx Series
Mapping: SAEP-99
Action: Disable Telnet Access
State: Final
Version: 1.0
Created on: 30/03/16
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite: The device must have an alternative administration access (Web, V.24, SSH).
Dependencies:

Instruction:
1. Connect to the switch using the Serial Connection / Web Access / Telnet.
2. If using the Web Access, point the browser to Basic Settings / System.
3. If using the Telnet or Serial, browse to Basic Settings / System and
modify Enable to Disable.


Domain: MOXA
Ref.: MXA-SA-02
BIT: 8.5
Target:
  [ ] IKS-67xx Series
  [ ] IKS-G68xx Series
  [ ] EDS-5xx Series
  [ ] EDS-G5xx Series
  [ ] ICS-G75xx Series
  [ ] ICS-G77xx Series
  [ ] ICS-G78xx Series
Mapping: SAEP-99
Action: Disable Web Access
State: Final
Version: 1.0
Created on: 30/03/16
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite: The device must have an alternative administration access (V.24, SSH or Telnet).
Dependencies:

Instruction:
1. Connect to the switch using the Serial Connection / Web Access / Telnet.
2. If using the Web Access, point the browser to Basic Settings / System.
3. If using the Telnet or Serial, browse to Basic Settings / System and
modify Enable to Disable.


Domain: MOXA
Ref.: MXA-SA-03
BIT: 8.5
Target:
  [ ] IKS-67xx Series
  [ ] IKS-G68xx Series
  [ ] EDS-5xx Series
  [ ] EDS-G5xx Series
  [ ] ICS-G75xx Series
  [ ] ICS-G77xx Series
  [ ] ICS-G78xx Series
Mapping: SAEP-99 5.3.c, 5.4.2.m, 5.1.6.1.o
Action: Disable SNMP
State: Final
Version: 1.0
Created on: 30/03/16
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite: The vendor should be consulted. SNMP may be used for alarm purposes.
If supported by the devices.
NOTE: Disabling SNMP in the Moxa series mentioned above was not found in the
official documentation. Please report this control as not applicable if
there is no option to disable SNMP.

Instruction:
1. Connect to the switch using the Serial Connection / Web Access / Telnet.
2. If using the Web Access, point the browser to SNMP Settings.
3. If using the Telnet or Serial, browse to SNMP Settings and scroll to the
option where SNMP can be disabled.
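The three service controls above each carry a prerequisite that protects the administrator from locking themselves out or from silencing an alarm system. As an added example, not part of the SABP-Z-083 document, the routine below applies MXA-SA-01, MXA-SA-02 and MXA-SA-03 to a simple model of one switch and records, per control, whether it can be applied, must be skipped, or is not applicable. The service names, the order in which Telnet is considered before Web, and the `snmp_required_by_alarms` / `snmp_can_be_disabled` flags are this example's own assumptions, not Moxa configuration keys.

```python
"""Decision procedure for the MXA-SA-01 / 02 / 03 service controls (added example).

The switch is modelled as the set of enabled administration services plus two
SNMP flags; nothing here talks to a device.
"""

# Administration paths named on the page; 'serial' stands for the V.24 console.
MANAGEMENT_SERVICES = frozenset({"telnet", "web", "ssh", "serial"})


def plan_hardening(enabled_services, snmp_enabled, snmp_required_by_alarms,
                   snmp_can_be_disabled=True):
    """Return (decisions, remaining_services).

    decisions: list of (control id, decision text) in application order.
    remaining_services: administration services still enabled after the plan.
    A service is only disabled while at least one other administration path remains.
    """
    enabled = set(enabled_services)
    unknown = enabled - MANAGEMENT_SERVICES
    if unknown:
        raise ValueError(f"unknown services: {sorted(unknown)}")

    remaining = set(enabled)
    decisions = []
    # Telnet is considered before Web; this order is the example's choice.
    for control, service in (("MXA-SA-01", "telnet"), ("MXA-SA-02", "web")):
        if service not in remaining:
            decisions.append((control, f"not applicable: {service} already disabled"))
        elif remaining - {service}:          # another administration path stays
            remaining.discard(service)
            decisions.append((control, f"disable {service}"))
        else:
            decisions.append((control, f"skip: {service} is the only administration "
                                       "access; enable SSH or use the serial console first"))

    if not snmp_enabled:
        decisions.append(("MXA-SA-03", "not applicable: SNMP already disabled"))
    elif snmp_required_by_alarms:
        decisions.append(("MXA-SA-03", "keep SNMP: required by the alarm system; "
                                       "apply MXA-AP-03 (change default community) instead"))
    elif not snmp_can_be_disabled:
        decisions.append(("MXA-SA-03", "not applicable: device offers no option to "
                                       "disable SNMP; report the control as not applicable"))
    else:
        decisions.append(("MXA-SA-03", "disable snmp"))
    return decisions, remaining


if __name__ == "__main__":
    # Constructed sample: a switch reachable only over Telnet and Web, SNMP polled by alarms.
    plan, left = plan_hardening({"telnet", "web"}, snmp_enabled=True,
                                snmp_required_by_alarms=True)
    for control, decision in plan:
        print(control, "->", decision)
    print("administration access left:", sorted(left))
```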


7 Hardening controls

Domain: MOXA
Ref.: MXA-HC-01
BIT: 8.3
Target:
  [ ] IKS-67xx Series
  [ ] IKS-G68xx Series
  [ ] EDS-5xx Series
  [ ] EDS-G5xx Series
  [ ] ICS-G75xx Series
  [ ] ICS-G77xx Series
  [ ] ICS-G78xx Series
Mapping: SAEP-99
Action: Set the system hostname according to the naming convention
State: Final
Version: 1.0
Created on: 30/03/16
RACI Matrix: R C / A I
Priority: HIGH
Pre requisite:
Dependencies:

Instruction:
1. Connect to the switch using the Serial Connection / Web Access / Telnet.
2. If using the Web Access, point the browser to Basic Settings / System.
3. If using the Telnet or Serial, browse to Basic Settings / System and
modify Switch Name.


Proposal
- Geo location: 3 characters referring to City or Plant (URT, ABQ, DHR ...)
- Admin Area: 3 characters referring to whether it is an Oil or Gas plant
- Device role: 2 or 3 characters indicating the device role
  o PLC, DCS ...
  o WRK stands for workstation
  o SRV stands for server
  o PRT stands for printer
  o FW for Firewall, RT for Router, SW for Switch and so on
- Incremental ID: 3 characters
Ex: ABQ-WKS-005 means Workstation 5 in Abqaiq plant
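As an added example (not part of the SABP-Z-083 document), the parser below validates a switch name against the proposal above before it is typed into Switch Name, and builds names from their parts so that the incremental ID is always zero-padded. It assumes '-' as the separator, treats the Admin Area segment as optional because the page's own example ABQ-WKS-005 omits it, and accepts both WRK (from the list) and WKS (from the example) as workstation codes; the geo codes are the three quoted on the page and the admin-area codes OIL/GAS are constructed placeholders.

```python
"""Hostname convention parser for MXA-HC-01 (added example).

Format assumed: GEO-[AREA-]ROLE-NNN, all upper case, '-' separated.
"""
import re
from typing import NamedTuple, Optional

GEO_CODES = {"URT", "ABQ", "DHR"}              # quoted on the page; extend per plant list
ADMIN_AREA_CODES = {"OIL", "GAS"}              # constructed placeholders
ROLE_CODES = {"PLC", "DCS", "WRK", "WKS", "SRV", "PRT", "FW", "RT", "SW"}

# geo (3 letters) - optional area (3 letters) - role (2-3 letters) - 3-digit id
_PATTERN = re.compile(r"^([A-Z]{3})-(?:([A-Z]{3})-)?([A-Z]{2,3})-(\d{3})$")


class Hostname(NamedTuple):
    geo: str
    admin_area: Optional[str]
    role: str
    seq: int


def parse_hostname(name: str) -> Hostname:
    """Split a name into its segments; raise ValueError if it violates the convention."""
    m = _PATTERN.match(name)
    if not m:
        raise ValueError(f"{name!r}: expected GEO-[AREA-]ROLE-NNN in upper case")
    geo, area, role, seq = m.groups()
    if geo not in GEO_CODES:
        raise ValueError(f"{name!r}: unknown geo location {geo!r}")
    if area is not None and area not in ADMIN_AREA_CODES:
        raise ValueError(f"{name!r}: unknown admin area {area!r}")
    if role not in ROLE_CODES:
        raise ValueError(f"{name!r}: unknown device role {role!r}")
    return Hostname(geo, area, role, int(seq))


def is_compliant(name: str) -> bool:
    """True when `name` parses under the convention."""
    try:
        parse_hostname(name)
    except ValueError:
        return False
    return True


def build_hostname(geo: str, role: str, seq: int, admin_area: Optional[str] = None) -> str:
    """Assemble a name from its parts (ID zero-padded to 3 digits) and validate it."""
    parts = [geo] + ([admin_area] if admin_area else []) + [role, f"{seq:03d}"]
    name = "-".join(parts)
    parse_hostname(name)   # raises if any part is off-convention
    return name


if __name__ == "__main__":
    for candidate in ("ABQ-WKS-005", "DHR-GAS-SW-012", "abq-wks-005", "ABQ-XYZ-005"):
        print(f"{candidate:16} compliant={is_compliant(candidate)}")
    print(build_hostname("URT", "FW", 7, admin_area="OIL"))
```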


Domain: MOXA
Ref.: MXA-HC-02
BIT:
Target:
  [ ] IKS-67xx Series
  [ ] IKS-G68xx Series
  [ ] EDS-5xx Series
  [ ] EDS-G5xx Series
  [ ] ICS-G75xx Series
  [ ] ICS-G77xx Series
  [ ] ICS-G78xx Series
Mapping: SAEP-99
Action: Set static IP Address
State: Final
Version: 1.0
Created on: 30/03/16
RACI Matrix: R C / A I
Priority: INFO
Pre requisite:
Dependencies:

Instruction:
1. Connect to the switch using the Serial Connection / Web Access / Telnet.
2. If using the Web Access, point the browser to Basic Settings / Network.
3. If using the Telnet or Serial, browse to Basic Settings / Network and set
Auto IP Configuration to Disabled.


Domain: MOXA
Ref.: MXA-HC-03
BIT:
Target:
  [ ] IKS-67xx Series
  [ ] IKS-G68xx Series
  [ ] EDS-5xx Series
  [ ] EDS-G5xx Series
  [ ] ICS-G75xx Series
  [ ] ICS-G77xx Series
  [ ] ICS-G78xx Series
Mapping: SAEP-99
Action: Set time manually
State: Final
Version: 1.0
Created on: 30/03/16
RACI Matrix: R C / A I
Priority: MODERATE
Pre requisite:
Dependencies:

Instruction:
1. Connect to the switch using the Serial Connection / Web Access / Telnet.
2. If using the Web Access, point the browser to Basic Settings / Time.
3. If using the Telnet or Serial, browse to Basic Settings / Time and set the
time accordingly.


Domain: MOXA
Ref.: MXA-HC-04
BIT:
Target:
  [ ] IKS-67xx Series
  [ ] IKS-G68xx Series
  [ ] EDS-5xx Series
  [ ] EDS-G5xx Series
  [ ] ICS-G75xx Series
  [ ] ICS-G77xx Series
  [ ] ICS-G78xx Series
Mapping: SAEP-99
Action: Set time using NTP server
State: Final
Version: 1.0
Created on: 30/03/16
RACI Matrix: R C / A I
Priority: MODERATE
Pre requisite: NTP server available.
Dependencies:

Instruction:
1. Connect to the switch using the Serial Connection / Web Access / Telnet.
2. If using the Web Access, point the browser to Basic Settings / Time.
3. If using the Telnet or Serial, browse to Basic Settings / Time and set the
time accordingly.

Provide values for Server IP name and Query period.


8 Log and Auditing

Domain: MOXA
Ref.: MXA-LA-01
BIT: 18.0.a
Target:
  [ ] IKS-67xx Series
  [ ] IKS-G68xx Series
  [ ] EDS-5xx Series
  [ ] EDS-G5xx Series
  [ ] ICS-G75xx Series
  [ ] ICS-G77xx Series
  [ ] ICS-G78xx Series
Mapping: SAEP-99 5.5.1.d.iv
Action: Enable Syslog
State: Final
Version: 1.0
Created on: 30/03/16
RACI Matrix: R C / A I
Priority: MODERATE
Pre requisite: Syslog server available.
Dependencies:

Instruction:
1. Connect to the switch using the Serial Connection / Web Access / Telnet.
2. If using the Web Access, point the browser to Monitor / syslog.
3. If using the Telnet or Serial, browse to Monitor / syslog.

Provide a value for syslog server 1.

By default, the following events are recorded and sent over to the Syslog server:

- Cold start
- Warm start
- Configuration change activated
- Power 1/2 transition (Off → On), Power 1/2 transition (On → Off)
- Authentication fail
- Topology changed
- Master setting is mismatched
- Port traffic overload
- dot1x Auth Fail
- Port link off / on
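Once the switch forwards these events, the syslog server is where an operator notices repeated authentication failures or an unannounced configuration change. As an added example (not part of the SABP-Z-083 document), the script below parses a small constructed syslog capture, maps each message to one of the default events listed above, and raises findings for the events a PAN administrator would review. The line layout (BSD-style PRI and timestamp) and the exact message wording are constructed for the example, since the page lists the event names but not the text the switch emits; the severity assigned to each event and the three-failure threshold are this example's own choices.

```python
"""Triage of Moxa switch syslog events under MXA-LA-01 (added example)."""
import re
from collections import Counter

# Default events from the page, with a triage severity chosen for this example.
EVENT_PATTERNS = [
    (re.compile(r"Cold start"), "Cold start", "warn"),
    (re.compile(r"Warm start"), "Warm start", "warn"),
    (re.compile(r"Configuration change activated"), "Configuration change activated", "alert"),
    (re.compile(r"Power [12] transition \(Off -> On\)"), "Power transition (Off -> On)", "info"),
    (re.compile(r"Power [12] transition \(On -> Off\)"), "Power transition (On -> Off)", "warn"),
    (re.compile(r"Authentication fail"), "Authentication fail", "alert"),
    (re.compile(r"Topology changed"), "Topology changed", "warn"),
    (re.compile(r"Master setting is mismatched"), "Master setting is mismatched", "warn"),
    (re.compile(r"Port.*traffic overload"), "Port traffic overload", "warn"),
    (re.compile(r"dot1x Auth Fail"), "dot1x Auth Fail", "alert"),
    (re.compile(r"Port.*link (off|on)"), "Port link off / on", "info"),
]

# <PRI>Mmm dd hh:mm:ss host message  (BSD syslog layout, assumed for the sample)
_LINE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.+)$")

# Constructed sample capture from a switch named per the MXA-HC-01 convention.
SAMPLE_LOG = """\
<14>Apr 20 08:00:01 ABQ-OIL-SW-001 Cold start
<14>Apr 20 08:00:05 ABQ-OIL-SW-001 Power 1 transition (Off -> On)
<14>Apr 20 08:01:10 ABQ-OIL-SW-001 Port 3 link on
<12>Apr 20 08:05:42 ABQ-OIL-SW-001 Authentication fail
<12>Apr 20 08:05:49 ABQ-OIL-SW-001 Authentication fail
<12>Apr 20 08:05:55 ABQ-OIL-SW-001 Authentication fail
<13>Apr 20 08:06:30 ABQ-OIL-SW-001 Configuration change activated
<14>Apr 20 08:07:00 ABQ-OIL-SW-001 Topology changed
"""


def classify(message):
    """Map a message to (event name, triage severity); unknown text is info."""
    for pattern, event, severity in EVENT_PATTERNS:
        if pattern.fullmatch(message):
            return event, severity
    return "unknown", "info"


def parse_line(line):
    """Parse one syslog line into a dict, or return None if it does not fit the layout."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    pri, timestamp, host, message = m.groups()
    event, severity = classify(message)
    return {"facility": int(pri) // 8, "syslog_severity": int(pri) % 8,
            "timestamp": timestamp, "host": host, "message": message,
            "event": event, "severity": severity}


def triage(text, auth_threshold=3):
    """Count events and collect findings: every 'alert' event is reported
    individually, except authentication failures, which are reported per host
    once they reach `auth_threshold`."""
    events, auth_by_host, findings = Counter(), Counter(), []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            findings.append(f"unparsed line: {raw!r}")
            continue
        events[rec["event"]] += 1
        if rec["event"] == "Authentication fail":
            auth_by_host[rec["host"]] += 1
        elif rec["severity"] == "alert":
            findings.append(f"{rec['host']} {rec['timestamp']}: {rec['event']} "
                            "(verify against the change record)")
    for host, n in auth_by_host.items():
        if n >= auth_threshold:
            findings.append(f"{host}: {n} authentication failures (threshold {auth_threshold})")
    return {"events": events, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for event, n in result["events"].most_common():
        print(f"{n:3}  {event}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```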


Domain: MOXA
Ref.: MXA-LA-02
BIT: 18.0.a
Target:
  [ ] IKS-67xx Series
  [ ] IKS-G68xx Series
  [ ] EDS-5xx Series
  [ ] EDS-G5xx Series
  [ ] ICS-G75xx Series
  [ ] ICS-G77xx Series
  [ ] ICS-G78xx Series
Mapping: SAEP-99 5.5.1.d.iv
Action: Access Event logs
State: Final
Version: 1.0
Created on: 30/03/16
RACI Matrix: R C / A I
Priority: INFO
Pre requisite:
Dependencies:

Instruction:
1. Connect to the switch using the Serial Connection / Web Access / Telnet.
2. If using the Web Access, point the browser to Monitor / Event Log.
