1 Introduction 2
2 Conflicts with Mandatory Standards 2
3 References 2
4 Definitions 3
5 Accounts & Passwords Policies 5
6 Services and applications settings 10
7 Hardening controls 15
8 Log and Auditing 20
1 Introduction
1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology to implement advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff for the purpose of prompt risk
mitigation and overall adherence to company’s cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and / or technicians working as Process Automation Network
(PAN) Administrators.
1.2 Scope
This best practice defines the methodology to harden the configuration settings of
Moxa switches, which might require additional software / hardware to ensure a
"secure configuration" as per the SAEP-99 "Process Automation Networks and Systems
Security" procedure.
1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by the
vendor and / or consulting agent for the implementation of security configurations
by the PAN administrator(s), and shall not be considered an "exclusive" means of
providing "comprehensive" compliance with SAEP-99 or any other Saudi Aramco
Engineering standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) from their
responsibility or duties to confirm and verify the accuracy of any information
presented herein and the thorough coordination with respective control system
steering committee chairman and vendor.
3 References
Specific sections of the following documents are referenced within the body of this
document. Material or equipment supplied under this best practice shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.
Saudi Aramco References
Page 2 of 22
Document Responsibility: Plants Networks Standards Committee SABP-Z-083
Issue Date: 20 April 2016 Network Devices Hardening
Next Planned Update: 3 May 2020 Guide – Moxa Switches
4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
DHCP - Dynamic Host Configuration Protocol
HTTPS - HyperText Transfer Protocol Secure
IP - Internet Protocol
NTP - Network Time Protocol
PCS - Process Control Systems
PAN - Process Automation Network
SSH - Secure Shell
SNMP - Simple Network Management Protocol
4.2 Abbreviations
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. Wherever people hold
assets worth protecting, authentication is present: it is the initial step in
protecting systems and information, because it establishes who is requesting access.
Process Automation Systems (PAS): PAS include Networks and Systems
hardware and software such as Process Automation Network (PAN), Distributed
Control Systems (DCSs), Emergency Shutdown Systems (ESD), Programmable
Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA)
systems, Terminal Management Systems (TMS), networked electronic sensing
systems, and monitoring (such as VMS AND PMS), diagnostic, and related
industrial automation and control systems. PAS also include associated internal,
human, network, or machine interfaces used to provide control, safety,
By default, some Moxa devices ship with two accounts, user and admin, each
with either the password 'moxa' or no password assigned.
If you are using the serial port, consider the following settings:
Dependencies:
1. Connected to the switch using the Serial Connection / Web Access / Telnet
2. If using the Web Access, point the browser to Basic Settings / System
7 Hardening controls
Dependencies:
1. Connected to the switch using the Serial Connection / Web Access / Telnet
2. If using the Web Access, point the browser to Basic Settings / System
Proposal
- Geo location: 3 characters referring to the City or Plant (URT, ABQ, DHR ...)
- Admin Area: 3 characters referring to whether it is an Oil or Gas plant
- Device role: 2 or 3 characters indicating the device role
  - PLC, DCS ...
  - WRK stands for workstation
  - SRV stands for server
  - PRT stands for printer
  - FW for Firewall, RT for Router, SW for Switch and so on
- Incremental ID: 3 variables
Ex: ABQ-WKS-005 means Workstation 5 in Abqaiq plant
Dependencies:
1. Connected to the switch using the Serial Connection / Web Access / Telnet
2. If using the Web Access, point the browser to Basic Settings / Network
Instruction:
3. If using Telnet or Serial, browse to Basic Settings / Network and set
Auto IP Configuration to Disabled.
Dependencies:
1. Connected to the switch using the Serial Connection / Web Access / Telnet
2. If using the Web Access, point the browser to Basic Settings / Time
Instruction:
3. If using Telnet or Serial, browse to Basic Settings / Time and set the
time accordingly.
Dependencies:
1. Connected to the switch using the Serial Connection / Web Access / Telnet
2. If using the Web Access, point the browser to Monitor / syslog
Instruction:
By default, the following events are recorded and sent to the Syslog server:
- Cold start
- Warm start
- Configuration change activated
- Power 1/2 transition (Off → On), Power 1/2 transition (On → Off)
- Authentication fail
- Topology changed
- Master setting is mismatched
- Port traffic overload
- dot1x Auth Fail
- Port link off / on
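As an added illustration that is not part of this best practice, the following Python snippet shows how a PAN administrator could triage these default events on the Syslog collector side. The sample lines are constructed, and the "<pri>timestamp host message" layout is an assumption made for the example (the real Moxa syslog formatting may differ); the message texts are the event names listed above.

```python
import re
from collections import Counter, defaultdict
# Constructed sample lines (not captured from a real Moxa switch). The
# "<pri>timestamp host message" layout is an assumption for this example;
# the message texts are the default event names listed in this guide.
SAMPLE_SYSLOG = """\
<14>Apr 20 08:01:02 ABQ-SW-001 Cold start
<14>Apr 20 08:01:07 ABQ-SW-001 Port 3 link on
<14>Apr 20 08:05:10 ABQ-SW-001 Authentication fail
<14>Apr 20 08:05:12 ABQ-SW-001 Authentication fail
<14>Apr 20 08:05:15 ABQ-SW-001 Authentication fail
<14>Apr 20 08:09:30 ABQ-SW-001 Configuration change activated
"""
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.+)$")
# Event categories taken from the default event list; matched case-insensitively.
EVENT_RULES = [
    ("auth_failure", re.compile(r"authentication fail|dot1x auth fail", re.I)),
    ("config_change", re.compile(r"configuration change activated", re.I)),
    ("restart", re.compile(r"\b(cold|warm) start\b", re.I)),
    ("power", re.compile(r"power \S+ transition", re.I)),
    ("topology", re.compile(r"topology changed|master setting is mismatched", re.I)),
    ("port", re.compile(r"port .*(link (off|on)|traffic overload)", re.I)),
]
# Config changes and restarts get an alert every time; auth failures only
# once they repeat, since a single failure is usually a mistyped password.
ALWAYS_ALERT = {"config_change", "restart"}
def parse_line(line):  # -> dict(pri, ts, host, msg), or None if not in the layout
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None
def classify(msg):  # -> category name from EVENT_RULES, or "other"
    for name, rx in EVENT_RULES:
        if rx.search(msg):
            return name
    return "other"
def triage(text, auth_fail_threshold=3):  # -> {"counts": per host, "alerts": [...]}
    counts, alerts = defaultdict(Counter), []
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unexpected layout: skip the line rather than crash
        cat = classify(ev["msg"])
        counts[ev["host"]][cat] += 1
        if cat in ALWAYS_ALERT:
            alerts.append(f"{ev['host']} {ev['ts']}: {cat}: {ev['msg']}")
        elif cat == "auth_failure" and counts[ev["host"]][cat] == auth_fail_threshold:
            alerts.append(f"{ev['host']} {ev['ts']}: {auth_fail_threshold} authentication failures")
    return {"counts": {h: dict(c) for h, c in counts.items()}, "alerts": alerts}
```

Running `triage(SAMPLE_SYSLOG)` on the constructed lines yields three alerts: the cold start, the third consecutive authentication failure, and the configuration change.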
Dependencies:
1. Connected to the switch using the Serial Connection / Web Access / Telnet
2. If using the Web Access, point the browser to Monitor / using event log