Sabp Z 086
1 Introduction
2 Conflicts with Mandatory Standards
3 References
4 Definitions
5 Background
6 Risk Assessment
7 Different RDP/TSE authentication approaches
8 Remote Desktop Implementation
1 Introduction
1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology to implement advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff for the purpose of prompt risk
mitigation and overall adherence to the company’s cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and / or technicians working as Process Automation Network
(PAN) Administrators.
1.2 Scope
This best practice defines the methodology to secure the RDP Remote Access
Protocol settings, which might require software / hardware to ensure “secure
configuration” as per SAEP-99 “Process Automation Networks and Systems
Security” procedure.
1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by
vendor and / or consulting agent for the implementation of security configurations
by the PAN administrator(s), and shall not be considered “exclusive” to provide
“comprehensive” compliance to SAEP-99 or any other Saudi Aramco
Engineering’s standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) from their
responsibility or duties to confirm and verify the accuracy of any information
presented herein and the thorough coordination with respective control system
steering committee chairman and vendor.
Document Responsibility: Plants Networks Standards Committee SABP-Z-086
Issue Date: 20 April 2016 Security and Mitigations Directives
Next Planned Update: 3 May 2020 Guide – Remote Access Protocol
3 References
Specific sections of the following documents are referenced within the body of the
document. Material or equipment supplied to this best practice shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.
Saudi Aramco References
Saudi Aramco Engineering Procedures
SAEP-99 Process Automation Networks and Systems Security
Saudi Aramco Engineering Standards
SAES-Z-001 Process Control Systems
SAES-Z-010 Process Automation Networks
General Instruction
GI-0710.002 Classification of Sensitive Information
4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
DHCP - Dynamic Host Configuration Protocol
HTTPS - HyperText Transfer Protocol Secure
IP - Internet Protocol
NTP - Network Time Protocol
PCS - Process Control Systems
PAN - Process Automation Network
PKI - Public Key Infrastructure
RDP/TSE - Remote Desktop Protocol / Terminal Services
SSH - Secure Shell
SNMP - Simple Network Management Protocol
TLS/SSL - Transport Layer Security / Secure Sockets Layer
4.2 Abbreviations
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. Wherever there are
assets worth protecting, authentication exists. Authentication, which identifies
who is requesting access, is the initial step in protecting systems and information.
Process Automation Systems (PAS): PAS include Networks and Systems
hardware and software such as Process Automation Network (PAN), Distributed
Control Systems (DCSs), Emergency Shutdown Systems (ESD), Programmable
Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA)
systems, Terminal Management Systems (TMS), networked electronic sensing
systems, and monitoring (such as VMS and PMS), diagnostic, and related
industrial automation and control systems. PAS also include associated internal,
human, network, or machine interfaces used to provide control, safety,
maintenance, quality assurance, and other process operations functionalities to
continuous, batch, discrete, and combined processes.
Logs: Files or prints of information in chronological order.
PAN: Process Automation Network, sometimes referred to as Plant
Information Network (PIN), is a plant-wide network (switches, routers, firewalls,
computers, etc.) interconnecting process control systems and providing an
interface to the corporate network.
PAN Administrator: The Process Automation Networks (PAN) Administrator
administers and performs system configuration and monitoring, coordinating
with the Process Control System Administrator, if different, as designated by
the plant management. The PAN Administrator assumes the ownership of the
IA&CS including the PAN Firewall and has the function of granting, revoking,
and tracking access privileges and communications of users on ICS including
the Firewall.
Password: A form of secret authentication data that is used to control access to
a resource. Password authentication determines authenticity based on testing for
a device or a user that is requesting access to systems using for example a personal
identification number (PIN) or password. The password authentication scheme is
the simplest and most common mechanism.
Server: A dedicated un-manned data provider.
5 Background
5.1 Purpose
The following document highlights the P&CSD position regarding how to secure
the Remote Desktop Protocol / Terminal Services (RDP/TSE) traffic
communication within the Saudi Aramco Plants. The authentication mechanisms
enumerated take into account the inherent risk and the complexity of achievement.
SAEP-99 has new requirements to comply with in order to enable the RDP/TSE
capability within the plants. The protocol should be exclusively used within the
Plants with no impact on the IT Firewall side.
The Plants users whose accounts have been approved by their supervisors can use
the RDP/TSE. The appropriate permissions shall be granted accordingly. The
Process Automation Network (PAN) Administrators set and manage the list of the
approved users.
5.2 Applicability
As mentioned in this document, enabling the Remote Desktop using the TLS/SSL
authentication may need a wide range of pre-requisites such as setting up the
PKI infrastructure and dealing with the key management process.
In order to circumvent this complexity and provide a quick yet risk-acceptable
solution, P&CSD would recommend using the RDP/TSE with the built-in
encryption capability alongside the mitigation controls.
6 Risk Assessment
1 http://cve.mitre.org
2 https://www.first.org/cvss
3 https://nvd.nist.gov/cpe.cfm
Icon Classification
Low
Moderate
High
Nevertheless, the solution should be considered and evaluated with the associated
implementation conditions such as complexity, compensatory controls, and the
threats addressed within the Plants.
6 The DigiNotar intrusion case and issuance of fake public keys. http://www.esecurityplanet.com/browser-security/fraudulent-ssl-cert-for-google-revoked.html
Following are the steps to leverage the encryption and apply the mitigation controls to
reduce the risk mentioned previously.
8.1 Activation
Enable RDP if it is disabled (Remote Desktop only; ignore Remote Assistance).
Re-check the following settings for RDP to ensure that other default users are not
allowed to connect.
Go to Programs - Administrative Tools - Local Security Policy. Under
Local Policies - User Rights Assignment, look for “Allow logon through
Terminal Services.”
7 Please refer to Hardening Best Practices associated with each Operating System
Remove all users and ensure only the approved logins you have created for this
purpose are reflected in Allow Logons through Terminal Services.
Change the "Set client connection encryption level" from "Not Configured" to
"Enabled" and "High Level" to force the client to use 128-bit security. This
protects your passwords as well as anything transmitted during your terminal
service session.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
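An offline check of the settings from the steps above (Remote Desktop enabled, encryption level "High Level", listening port), run against saved `reg query` output. This is an added example, not part of the original guide. The sample output is constructed; `fDenyTSConnections` and the policy value `MinEncryptionLevel` are standard Windows registry values that do not appear on this page, and treating port 3389 as a finding is an assumption.

```python
import re

# Constructed sample of saved `reg query` output (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    PortNumber    REG_DWORD    0xd3d

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    MinEncryptionLevel    REG_DWORD    0x2
"""

TS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Return {(lowercased key path, value name): int} for REG_DWORD values."""
    values, key = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip().lower()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values

def audit_rdp(values):
    """Return a list of findings; an empty list means every check passed."""
    def get(key, name):
        return values.get((key.lower(), name))
    findings = []
    if get(TS, "fDenyTSConnections") != 0:
        findings.append("Remote Desktop is not enabled")
    level = get(POLICY, "MinEncryptionLevel")
    if level is None:
        findings.append("encryption level policy is Not Configured")
    elif level < 3:  # 1 = Low, 2 = Client Compatible, 3 = High Level
        findings.append(f"encryption level {level} is below High Level (3)")
    port = get(TS + r"\WinStations\RDP-Tcp", "PortNumber")
    if port is None:
        findings.append("PortNumber value not found")
    elif port == 3389:  # assumption: the default port counts as a finding
        findings.append("RDP still listens on default TCP port 3389")
    return findings

if __name__ == "__main__":
    for finding in audit_rdp(parse_reg_query(SAMPLE)):
        print("FINDING:", finding)
```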
Click EDIT if you are still using the default TCP port 3389.
Once done, you need to provide the list of authorized IPs. This is done
by clicking on “Change Scope” and then typing the IPs in the Custom list.
Following are the recommended audit settings. They should not compete
with Hardening documentation controls. If any conflict occurs, the most
restrictive shall be applied and P&CSD advised.
Whenever an account connects to the computer using Remote Desktop, an event will be
created in the “Security Event Log” as Event 528 with Logon Type 10.
Type  Description
8     NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with "basic authentication")
9     NewCredentials
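A review of exported Security log records for the Remote Desktop logon event described above (Event 528, Logon Type 10), checked against the approved-user list and the authorized IP scope. This is an added example, not part of the original guide. The CSV layout, account names, and address range are constructed, and event ID 4624 (the ID the same logon event carries on Windows Vista / Server 2008 and later) is included although the page names only 528.

```python
import csv
import io
import ipaddress

# Constructed sample export of Security log records (not real data).
SAMPLE_CSV = r"""time,event_id,logon_type,account,source_ip
2016-04-20T08:01:12,528,10,PLANT\eng.ops1,10.20.30.15
2016-04-20T08:05:40,528,2,PLANT\operator7,
2016-04-20T09:12:03,528,10,PLANT\Administrator,10.20.30.15
2016-04-20T09:30:55,528,10,PLANT\eng.ops1,192.168.77.9
2016-04-20T10:02:11,540,3,PLANT\svc.backup,10.20.30.40
"""

RDP_LOGON_IDS = {528, 4624}   # 528 per this guide; 4624 on Vista/2008 and later
REMOTE_INTERACTIVE = 10       # Logon Type 10 = Remote Desktop session

# Hypothetical values standing in for the PAN Administrator's approved list
# and the firewall "Change Scope" custom list.
APPROVED_USERS = {r"plant\eng.ops1"}
AUTHORIZED_SCOPE = [ipaddress.ip_network("10.20.30.0/28")]

def review_rdp_logons(csv_text, users=APPROVED_USERS, scope=AUTHORIZED_SCOPE):
    """Return (time, account, source_ip, reasons) for each RDP logon breaking a rule."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["event_id"]) not in RDP_LOGON_IDS:
            continue
        if int(row["logon_type"]) != REMOTE_INTERACTIVE:
            continue
        reasons = []
        if row["account"].lower() not in users:
            reasons.append("account not on approved list")
        try:
            addr = ipaddress.ip_address(row["source_ip"])
            if not any(addr in net for net in scope):
                reasons.append("source outside authorized scope")
        except ValueError:
            reasons.append("missing or invalid source address")
        if reasons:
            alerts.append((row["time"], row["account"], row["source_ip"], reasons))
    return alerts

if __name__ == "__main__":
    for time, account, source, reasons in review_rdp_logons(SAMPLE_CSV):
        print(time, account, source, "; ".join(reasons))
```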