
ENGINEER’S STAMP: CONTRACTOR’S STAMP:

00 Issued for Tender Documents December 2022


REV DESCRIPTION PREPARED CHECKED DATE

SALINE WATER CONVERSION CORPORATION


KINGDOM OF SAUDI ARABIA
Projects Engineering Department

SWCC WATER TRANSMISSION SYSTEMS

CONSTRUCTION WORKS

LOCATION: TITLE:

YANBU SPECIFICATION S11


CYBER SECURITY SYSTEM

SCALE: DOCUMENT No.: REV:

QC10-H-131 00

SUBCONTRACTOR: Page 1 of 38
SWCC WATER TRANSMISSION SYSTEMS

Specification S11
Subject: Cyber Security System
Doc. No.: QC10-H-131 Rev. 00
Page 2 of 38

LIST OF CONTENTS

ABBREVIATIONS .... 6
DEFINITIONS .... 8
1 INTRODUCTION .... 9
2 STANDARDS .... 10
3 ENVIRONMENTAL CONDITIONS .... 11
4 PROJECT-SPECIFIC ORGANISATIONAL MEASURES .... 11
4.1 Project Security Officer .... 11
4.2 Risk Assessments .... 11
4.3 Mobile Devices .... 11
5 NETWORK DESIGN .... 12
5.1 Network Segregation .... 12
5.1.1 Physical Network Segregation .... 12
5.1.2 Logical Network Segregation .... 12
5.2 Security Zones .... 12
5.3 Data Communication Matrix .... 12
5.4 Data Flow Control .... 12
5.4.1 Data Diodes .... 13
5.4.2 De-Militarized Zones .... 13
5.4.3 Firewalls .... 13
5.5 Network Devices / Appliances .... 13
5.5.1 General Requirements .... 13
5.5.2 Switches .... 13
5.5.3 Router .... 14
5.5.4 Packet Filtering Firewalls .... 14
5.5.5 DPI Firewalls .... 14
5.5.6 Data Diodes / Unidirectional Firewalls .... 14
5.6 Virtualization Solutions / Virtualized Environment .... 15
5.6.1 Host Machine .... 15
5.6.2 Hypervisor with Management Tools .... 15
5.6.3 Virtual Machine Image Repository .... 15
5.7 Security Management .... 15
5.7.1 Security Management Network .... 15
5.7.2 Centralized Administration of Data Traffic Filter Rules .... 16
6 SYSTEM HARDENING .... 17
6.1 System Access Control .... 17
6.2 Hardware Components .... 17
6.3 Software Components .... 17
6.4 Malware Protection .... 18
6.4.1 Controller .... 18
6.4.2 Smart Field Devices .... 18
6.4.3 Hypervisors .... 18
6.4.4 Server, Workstation, and Application VMs .... 18
6.4.5 Data Bases .... 19
6.4.6 Network Devices .... 19
6.4.7 Secure Data Transfer to and from SCADA Systems .... 19
7 NETWORK AND DEVICE MANAGEMENT .... 20
7.1 Central Network Management System .... 20
7.2 Network Monitoring and Administration .... 20
7.3 Device management .... 20
8 FAULT AND ALARM MANAGEMENT .... 21
9 CONFIGURATION MANAGEMENT .... 21
9.1 General Requirements .... 21
9.2 Secure Baseline Configuration .... 21
10 USER AUTHENTICATION AND AUTHORIZATION .... 22
10.1 Passwords .... 22
10.2 Time-Based Logout after Inactivity .... 23
10.3 Directory Services .... 23
11 PERFORMANCE MANAGEMENT .... 23
12 SECURITY AND PATCH MANAGEMENT .... 24
12.1 Security Events .... 24
12.2 General Requirements for Patching .... 24
12.3 Life-Time Support .... 25
12.4 Patch Management System .... 25
13 VULNERABILITY MANAGEMENT .... 25
14 INTRUSION DETECTION SYSTEM .... 26
14.1 General Requirements .... 26
14.2 Host-Based IDS .... 26
14.3 Network-Based IDS .... 26
14.4 Test Access Points .... 26
15 LOG MANAGEMENT SYSTEM .... 27
15.1 General Requirements .... 27
15.1.1 Searching and Filtering .... 27
15.1.2 Reporting .... 27
15.2 Log Server .... 27
15.3 Log Sources .... 28
15.4 Logged Events .... 28
16 SECURITY INCIDENT AND EVENT MANAGEMENT SYSTEM .... 29
16.1 General requirements .... 29
16.2 Events (to be detected) .... 29
16.3 Security Workflows and Use Cases .... 30
16.4 Incident Management .... 30
17 BACKUP .... 31
17.1 General Requirements .... 31
17.2 Network Attached Storage .... 31
18 RECOVERY .... 31
19 FACTORY ACCEPTANCE TEST .... 32
19.1 System Configuration Review .... 32
19.2 Vulnerability Scans .... 32
19.3 Patch Management System .... 32
19.4 Security Tests .... 32
19.5 Log Management System .... 33
19.6 SIEM Function Tests .... 33
19.7 Procedures .... 33
19.8 Remediation of Issues .... 33
19.9 Design Freeze .... 33
19.10 FAT Documentation .... 33
20 SITE ACCEPTANCE TEST .... 34
20.1 Reviews and Tests .... 34
20.2 Remediation of Issues .... 34
20.3 SAT Documentation .... 34
21 PENETRATION TEST .... 35
21.1 General Requirements .... 35
21.2 Pre-Assessment .... 35
21.3 Assessment Preparation .... 36
21.3.1 “Wireless Channel” Tests .... 36
21.3.2 “Telecommunication Channel” Tests .... 36
21.3.3 “Data Networks Channel” Tests .... 36
21.4 Testing .... 36
21.5 Reporting .... 37
21.6 System Cleanup .... 37
22 DOCUMENTATION .... 38
22.1 Information to be provided at FAT and SAT .... 38
22.2 Security Zone Plan .... 38
22.3 Final Documentation .... 38
SWCC WATER TRANSMISSION SYSTEMS

Specification S11
Subject: Page 6 of 38
Cyber Security System
Doc. - No.: Q C 1 0 - H - 1 3 1 Rev. 00

ABBREVIATIONS

AC Air Conditioning
ACL Access Control List
ALG Application Layer Gateway
AV Anti-Virus
AWL Application Whitelisting
CI Configuration Item
CPE Common Platform Enumeration
CSM Cybersecurity Management
CVSS Common Vulnerability Scoring System
DPI Deep Packet Inspection
DMZ De-militarized zone
ESD Emergency Shutdown
FAT Factory Acceptance Test
FOC Fiber Optic Cable
FTP File Transfer Protocol
GUI Graphical User Interface
HIDS Host-based IDS
HTTP Hyper Text Transfer Protocol
HTTPS HTTP Secured
HVAC Heating, Ventilation & Air Conditioning
ID Identifier
IDS Intrusion Detection System
IP Internet Protocol
LVS Line Valve Station
MAC Media Access Control
MFA Multi-Factor Authentication
MLE Measured Launch Environment
NAS Network Attached Storage
NDA Non-Disclosure Agreement
NESCOR US National Electric Sector Cybersecurity Organization Resource
NIC Network Interface Card
NIDS Network-based IDS
NTP Network Time Protocol
OEM Original Equipment Manufacturer
OPC Open Platform Communication
OPC UA OPC Unified Architecture
OS Operating System
OSSTMM Open-Source Security Testing Methodology Manual
QoS Quality of Service
RAID Redundant Array of Independent Disks
RFC Request for Comments
SAT Site Acceptance Test
SCADA Supervisory Control and Data Acquisition
SIEM Security Information and Event Management
SL Security level
SMB Server Message Block
SNMP Simple Network Management Protocol
TAP Test Access Port
TCP Transmission Control Protocol
UDP User Datagram Protocol
USB Universal Serial Bus
VLAN Virtual Local Area Network
VM Virtual Machine
VMM VM Monitor
WSUS Windows Server Update Service


DEFINITIONS

ATTACK Attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make
unauthorized use of an asset

CONDUIT A communication conduit is a type of security zone. It is a logical organization of
informational flow within, into, or out of, a security zone. It can be made up of a single network,
or constructed of multiple data carriers, both physical and logical.

CLIENT SWCC

CRITICAL VULNERABILITY CVSS vector CVSS:3.1 AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L or more severe

GOLDEN IMAGE A VM image containing the OS and applications that can be used as template for
consistent and effective deployment of VMs

MALWARE Any means intentionally designed to cause damage to or gain unsolicited control over a
RESOURCE

NETWORK SEGREGATION
Horizontal: Horizontal network segregation describes an approach to segment the network on the
same level of the automation pyramid.
Vertical: Vertical network segregation describes an approach to segment the network resembling
the levels of the automation pyramid.

RESOURCE Resources include:
- All hardware and software used to collect, process, store, transmit and destroy data and to
manage other systems
- All data / information stored and processed

SECURITY ZONE A security zone is a logical and/or physical grouping of physical, informational,
or application assets that have common security requirements. The zone concept implies there is
a need to access assets and information both inside (local) and outside (remote) a zone. The
zone security policies define the requirements that allow people and information to move within
and between security zones.

1 INTRODUCTION

This specification contains the requirements for the design, manufacturing, supply, installation, test
and commissioning of measures to protect SCADA, station, unit control and ESD systems, smart
field devices, analysers, communication networks, all support equipment, perimeter protection
systems and process equipment against cyber-attacks which could impair the integrity of these
systems and thus lead to equipment damage, loss of containment, loss of control, or disruption or
degradation of operation.
A Cyber Security Team inside CLIENT’s Operation and Maintenance organization will:

• Integrate the SCADA and control systems into its CSM;

• Constantly monitor the system for violations and signs of security breaches;

• Initiate responses to isolate compromised systems and restore a trusted state;

• Apply security patches and compensating controls as necessary; and

• Regularly perform security audits, assessments, vulnerability scans and penetration tests
as per corporate standards.
The following shall be provided as described in this specification in order to support CLIENT’s
Cyber Security Team in performing their duties:

• Cyber Security systems; and

• Cyber Security services for the operation phase


The Cyber Security System shall be designed by the company's certified cyber security specialists
applying the following principles:

• Equipment shall be placed into zones; zones to be connected by conduits;

• Traffic between zones is limited as per communication matrix and strictly enforced;

• All systems, processes and users are granted least privileges sufficient to complete a given
task;

• Defense-in-Depth principle to prevent important systems from compromise by a single
failure or vulnerability; and

• Only hardware and software developed and tested using a documented Security
Development Life Cycle is deployed, with devices meeting SL 3 as per IEC 62443-4-2.

2 STANDARDS

The following particular standards, rules and regulations, all in the latest valid edition, must be
observed:

HCIS High Commission for Industrial Security Directives for Industrial Facilities
CVSS Common Vulnerability Scoring System Specification Document
IEC 60870-5-7 Telecontrol equipment and systems - Transmission protocols - Security extensions
to IEC 60870-5-101 and IEC 60870-5-104 protocols (Applying IEC 62351)
IEC 62541 OPC UA Standard series
IEC 62443 Industrial communication networks – Network and system security (All relevant parts)
ISO 27001 Information technology – Security techniques – Information security management
systems - Requirements
ISO 28000 Specification for Security Management Systems for the Supply Chain
RFC 3195 Reliable Delivery for Syslog
RFC 5424 The Syslog Protocol
RFC 5425 TLS Transport Mapping for Syslog
NESCOR Guide to Penetration Testing for Electric Utilities

Further standards, rules and regulations used by the manufacturer for design, manufacturing and
testing are allowed, but must be declared.

3 ENVIRONMENTAL CONDITIONS

The equipment shall be installed inside buildings, containers or underground shafts.

The environmental data are summarised in the specification S01 “Design and Construction of I&C
System” and in the General Specification G02 “Description of Project and Works”.

4 PROJECT-SPECIFIC ORGANISATIONAL MEASURES

4.1 Project Security Officer

Upon contract award, a sufficiently qualified person for this PROJECT shall be nominated in the
organization, who serves as the focal point for CLIENT’s Project Security Officer. This person
(referred to as project security officer) shall funnel the exchange of all information about cyber
security events related to his organization, the system and services provided, and all necessary /
required updates, patches and changes.

4.2 Risk Assessments

Interdisciplinary cyber security risk assessments for the SCADA and control systems shall be
conducted during detail design in order to define the cyber security requirements and proposed
measures:

• At design review meeting;

• After remediation measures defined during FAT have been implemented; and

• After Penetration Test / during hand over.


During these risk assessments all cases where the requirements stipulated in this specification
cannot be met shall be brought to the attention of the CLIENT.

4.3 Mobile Devices

Mobile devices used in the course of the project shall meet the requirements stipulated in chapter
“System Hardening” of this specification, as applicable. They shall not be used in networks or for
configuring devices serving different purposes. The usage of USB storage media shall be strictly
controlled.

5 NETWORK DESIGN

5.1 Network Segregation

5.1.1 Physical Network Segregation


Networks serving different purposes shall be physically segregated by using their own fibers in
FOC cables, routers, switches, backbone and horizontal cabling subsystems and patch cables.
SCADA, control and safety networks shall be physically separated from all other networks like:

• The Internet;

• Other organizations (vendor, service provider, business partners);

• Corporate / office and perimeter security networks; and

• Security management network.


The number of interfaces and connections to these networks shall be minimized. Traffic passing
through these interfaces shall be reduced to the minimum, be strictly controlled and secured using
at least the cryptographic algorithms and cipher suites specified by HCIS Sec-08.
5.1.2 Logical Network Segregation

Services serving a related purpose may be implemented as logical networks sharing resources of
the same physical network, if there is no impact on the overall performance of the process data
communication.

5.2 Security Zones

The following zones shall be established:

• Station and Unit Control System Zone;

• SCADA System Zone; and

• Telecom and perimeter security systems.

5.3 Data Communication Matrix

The data communication matrix shall contain all necessary information:

• For each host at least location, system name; and management IP address;

• For each NIC system ID, MAC and IP address settings, vLANs; and

• For all network connection purposes, socket information, traffic filter rules with network-
wide unique ID as well as DPI and application-layer specific settings.

5.4 Data Flow Control

Data flow control shall be used to enforce the traffic filter rules as per data communication matrix.
Generally, only data communication required for the proper functioning of the SCADA, control and
safety systems including administration and maintenance shall be allowed within and between
zones.

5.4.1 Data Diodes

Data diodes shall be used in all cases where information needs to be forwarded from SCADA
networks to other networks (uni-directional communication). Data diodes shall physically block
ingress connections to the SCADA network and be configured to allow only approved egress
connections as per data communication matrix.

5.4.2 De-Militarized Zones

Where bi-directional data exchange with other systems is required, a DMZ with two different
protocol-aware firewalls (e.g., DPI, ALG) shall be set up. Traffic from each side shall be terminated
in the DMZ. In the DMZ a protocol conversion shall be performed.

5.4.3 Firewalls

Firewalls, preferably with DPI, shall be used to enforce traffic limitations between different control
and monitoring locations and process stations. Firewalls shall be configured following a
“default-deny” approach, allowing only what is necessary as per data communication matrix. Rules
shall be set both for inbound and outbound traffic.
Host-based firewalls shall be enabled and be used to restrict incoming and outgoing traffic
between zones at the same level of the automation pyramid and generate logs upon unauthorized
activities.

5.5 Network Devices / Appliances

5.5.1 General Requirements


All supplied network elements, whether physical or virtual, shall fulfil the following minimum
security related requirements:

• Provide a way to verify the integrity of the configuration;
• Provide a way to securely update the firmware;
• Password-protected role-based login;
• Access can be limited to specific IP address, physical port, protocol;
• Support local and out-of-band management using SNMP v3.0 and HTTPS;
• All unused services and ports can be removed or administratively disabled;
• NTP client and server (where required); and
• Log violations of security rules and metadata of all traffic and forward this to a (central) log
server.

Physical devices provide alarm contacts.

5.5.2 Switches

In addition to the general requirements (see 5.5.1), switches shall:

• Provide Layer-3 functionality;
• Provide protection against flooding, spanning tree and VLAN attacks;
• Support port-based access control as per IEEE 802.1X;
• Support discarding any topology-related messages like BPDUs on edge ports; and
• Support port mirroring.

5.5.3 Router

In addition to 5.5.1, routers shall:

• Filter bogus and martian IP packets;

• Provide protection against flooding, IP fragmentation and spoofing attacks;

• Support routing protocol authentication (e.g., for OSPF); and

• Support ACLs and VPNs.
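The two filtering requirements above (martian sources, spoofing) can be modelled as a single ingress check per packet: reject source addresses that can never be legitimate anywhere, then reject sources that do not belong to the prefixes expected on the arriving interface (the strict reverse-path idea behind anti-spoofing). The following Python is an added example, not part of this specification or of any vendor's firmware; the interface names and the prefixes assigned to them are constructed assumptions standing in for the PROJECT's zone plan.

```python
"""Ingress filter for martian sources and spoofed addresses (added example).

Not part of the SWCC specification: a plain-Python model of the source-address
checks a router under 5.5.3 applies before forwarding. Interface names and the
address ranges assigned to them are constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Martian prefixes: never a legitimate source on a routed interface
# ("this" network, loopback, link-local, documentation ranges, multicast,
# reserved incl. limited broadcast; see RFC 6890).
MARTIANS: List[IPv4Net] = [ipaddress.IPv4Network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed zone plan (assumption): source prefixes that may legitimately
# arrive on each router interface. Anything else arriving there is spoofed.
INTERFACE_PREFIXES: Dict[str, List[IPv4Net]] = {
    "eth0-scada":   [ipaddress.IPv4Network("10.10.0.0/16")],
    "eth1-station": [ipaddress.IPv4Network("10.20.0.0/16")],
    "eth2-mgmt":    [ipaddress.IPv4Network("10.99.0.0/24")],
}


def classify_source(iface: str, src: str) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for a packet's source address."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop", f"unparseable source address {src!r}"
    if addr.version != 4:
        return "drop", "only IPv4 is modelled in this example"
    if any(addr in net for net in MARTIANS):
        return "drop", f"martian source {src}"
    expected = INTERFACE_PREFIXES.get(iface)
    if expected is None:
        return "drop", f"unknown ingress interface {iface}"
    # Strict reverse-path check: the source must belong to a prefix that is
    # reachable via the arriving interface; otherwise it claims an address
    # from another zone (spoofing).
    if not any(addr in net for net in expected):
        return "drop", f"source {src} not expected on {iface} (spoofed)"
    return "accept", f"source {src} consistent with {iface}"


def filter_packets(packets: List[Tuple[str, str, str]]) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Split (iface, src, dst) tuples into forwarded packets and drop-log lines."""
    forwarded, log = [], []
    for iface, src, dst in packets:
        verdict, reason = classify_source(iface, src)
        if verdict == "accept":
            forwarded.append((iface, src, dst))
        else:
            log.append(f"DROP iface={iface} src={src} dst={dst} reason={reason}")
    return forwarded, log


# Constructed sample traffic: a legitimate poll, a martian source, a
# station-zone address appearing on the SCADA interface, an unknown interface.
SAMPLE_PACKETS = [
    ("eth0-scada", "10.10.1.10", "10.20.5.5"),
    ("eth0-scada", "127.0.0.1", "10.20.5.5"),
    ("eth0-scada", "10.20.3.4", "10.10.1.10"),
    ("eth9-unknown", "10.10.1.11", "10.20.5.5"),
]

if __name__ == "__main__":
    kept, dropped = filter_packets(SAMPLE_PACKETS)
    for line in dropped:
        print(line)
    print(f"forwarded {len(kept)} of {len(SAMPLE_PACKETS)} packets")
```

The drop-log lines are the kind of "violations of security rules" that 5.5.1 requires to be forwarded to the central log server; in a real router the same decision is made by unicast reverse-path forwarding plus an ingress ACL rather than by Python.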

5.5.4 Packet Filtering Firewalls


In addition to 5.5.1, packet filtering firewalls shall support:

• Stateful packet inspection;

• Filtering based on source and destination MAC and IP addresses, TCP and UDP ports;

• Filtering for incoming and outgoing connections, both in routing and transparent mode;

• Rate limiting per port and service; and

• Port forwarding.

5.5.5 DPI Firewalls


In addition to 5.5.1 and 5.5.4, DPI firewalls shall:

• Support inspecting packet payloads from Layer 2 to 7, as required per communication
matrix;

• Filter traffic based on control protocol read / write commands, registers / coils, HTTP
request methods, etc.;

• Support inspection of encrypted traffic; and

• Support test or detection-only and enforce or protection mode.
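What "filter traffic based on control protocol read / write commands, registers / coils" and "detection-only versus enforce mode" look like in practice is easiest to see on one concrete protocol. The Python below is an added example, not part of this specification or of any DPI product: it decodes the Modbus/TCP MBAP header and function code, distinguishes read from write commands, confines writes from each approved source to a permitted register window, and applies the verdict either by blocking (enforce) or by only recording what would have been blocked (detect). The host addresses, unit IDs and register windows in POLICY are constructed assumptions.

```python
"""Protocol-aware (DPI) inspection of Modbus/TCP requests (added example).

Not part of the SWCC specification: a minimal model of a 5.5.5-style filter on
control-protocol read/write commands and register ranges, with detect-only and
enforce modes. Addresses, unit IDs and register windows are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

READ_CODES: Set[int] = {1, 2, 3, 4}        # read coils / inputs / registers
WRITE_CODES: Set[int] = {5, 6, 15, 16}     # write single / multiple coils or registers


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity: int                          # 1 for single-item writes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the address/quantity fields of the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus")
    if length != len(frame) - 6:           # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    if len(frame) < 12:
        raise ValueError("truncated address/quantity fields")
    if fc in READ_CODES or fc in (15, 16):
        start, qty = struct.unpack(">HH", frame[8:12])
    elif fc in (5, 6):
        start, qty = struct.unpack(">H", frame[8:10])[0], 1
    else:
        raise ValueError(f"function code {fc} not handled by this inspector")
    return ModbusRequest(tid, unit_id, fc, start, qty)


@dataclass(frozen=True)
class Rule:
    source: str
    unit_id: int
    allowed_codes: Set[int]
    write_ranges: Tuple[Tuple[int, int], ...]   # inclusive (first, last) register windows


# Constructed policy (assumption): the SCADA master may read anything on unit 1
# and write setpoints 0-199 only; the HMI is read-only.
POLICY: List[Rule] = [
    Rule("10.10.1.10", 1, READ_CODES | {6, 16}, ((0, 199),)),
    Rule("10.20.5.5", 1, READ_CODES, ()),
]


def _find_rule(src: str, unit_id: int) -> Optional[Rule]:
    return next((r for r in POLICY if r.source == src and r.unit_id == unit_id), None)


def evaluate(src: str, frame: bytes) -> Tuple[bool, str]:
    """Decide whether the request is permitted by POLICY, independent of mode."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return False, f"malformed Modbus/TCP frame: {exc}"
    rule = _find_rule(src, req.unit_id)
    if rule is None:
        return False, f"no rule for {src} -> unit {req.unit_id}"
    if req.function_code not in rule.allowed_codes:
        return False, f"function code {req.function_code} not allowed for {src}"
    if req.function_code in WRITE_CODES:
        first, last = req.start_address, req.start_address + req.quantity - 1
        if not any(lo <= first and last <= hi for lo, hi in rule.write_ranges):
            return False, f"write to {first}-{last} outside permitted window for {src}"
    return True, f"fc {req.function_code} from {src} permitted"


def inspect(src: str, frame: bytes, mode: str = "enforce") -> Tuple[str, str]:
    """'enforce' blocks violations; 'detect' lets them pass but flags them."""
    permitted, reason = evaluate(src, frame)
    if permitted:
        return "allow", reason
    if mode == "detect":
        return "allow", f"DETECT-ONLY would block: {reason}"
    return "block", reason


def build_request(tid: int, unit_id: int, fc: int, start: int,
                  quantity: int = 1, values: Tuple[int, ...] = ()) -> bytes:
    """Encode a Modbus/TCP request; used only to construct sample traffic."""
    if fc in READ_CODES:
        pdu = struct.pack(">BHH", fc, start, quantity)
    elif fc in (5, 6):
        pdu = struct.pack(">BHH", fc, start, values[0])
    elif fc == 16:
        data = b"".join(struct.pack(">H", v) for v in values)
        pdu = struct.pack(">BHHB", fc, start, len(values), len(data)) + data
    else:
        raise ValueError("unsupported function code for this builder")
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu
```

Running `inspect("10.20.5.5", build_request(2, 1, 6, 50, values=(1200,)))` returns a block verdict because the HMI holds no write permission, while the same frame from the master is allowed; the detect mode is what 5.5.5 calls "test or detection-only" and is the usual first step when a new rule set is commissioned against live traffic.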

5.5.6 Data Diodes / Unidirectional Firewalls


Data diodes shall additionally provide the following features:

• Real-time one-way data transfer;

• Support selected SCADA protocol(s) and OPC UA;

• Support SNMP traps; and

• Support updates of WSUS and AV signature databases, as required.



5.6 Virtualization Solutions / Virtualized Environment

Virtualization solutions shall preferably be used for server virtualization and shall provide high
availability, load balancing and fault tolerance for the server / application instances.
They shall comprise at least:

• Host machines;

• On each host machine a hypervisor with management tools;

• Virtual network(s);

• Application VMs;

• Virtual Storage; and

• VM Image Repository.
5.6.1 Host Machine

Host machines shall provide hardware support for virtualization for improved isolation of VMs and
protection of the host OS, have sufficient NICs to fit into the overall network segregation and
zoning concept, and provide a dedicated NIC for the management interface.

5.6.2 Hypervisor with Management Tools

The hypervisor with related management tools shall:

• Protect the host hardware from dangerous commands originating from Application VMs;
• Allow the assignment of a guaranteed number of physical resources to each VM;
• Support ACLs to restrict the access of each VM to only the devices assigned to this VM;
• Provide virtual or software-defined networks; and
• Be manageable through an enterprise virtualization management software and support
SNMP v3.0.

VMs shall continue to run / work in case the VMM is not available.

5.6.3 Virtual Machine Image Repository

Gold or Master Images shall be stored in a protected image repository.

5.7 Security Management

5.7.1 Security Management Network


A separate network shall be set up for the following tasks:

• Network and device monitoring and management;

• Log management and SIEM;

• Patch Management and AV; and

• Vulnerability Scanning.
Where necessary, additional NICs shall be provided for servers, workstations, etc.
In case these networks share a common transmission path, e.g., as VLANs, basic Quality of
Service (QoS) shall be implemented by limiting the maximum bandwidth any VLAN can consume.

5.7.2 Centralized Administration of Data Traffic Filter Rules


A solution for centralized administration of data traffic filter rules shall be provided offering the
following functionality as a minimum:

• Support for all devices as per 5.5 (Network Devices / Appliances) used in the PROJECT;

• Detect misconfigurations, unused and conflicting rules;

• Orchestrate configuration across devices; and

• Provide rule- set review reports.
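Added example (not part of this specification or of any vendor product): a minimal first-match rule-set review that reports rules fully shadowed by an earlier rule, which is how the "unused and conflicting rules" required above are usually found. The rule format, rule names and the sample rule set for a firewall in front of a PLC segment are constructed for illustration.

```python
"""Added example: first-match rule-set review that reports rules shadowed by
earlier rules, i.e. the 'unused and conflicting rules' the centralized
administration solution has to detect. Rule format and sample rules are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

ANY_PORT: Tuple[int, int] = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "permit" or "deny"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    proto: str               # "tcp", "udp" or "any"
    dport: Tuple[int, int]   # inclusive destination port range


def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto not in ("any", inner.proto):
        return False
    if not _net(inner.src).subnet_of(_net(outer.src)):
        return False
    if not _net(inner.dst).subnet_of(_net(outer.dst)):
        return False
    return outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]


def review(rules: List[Rule]) -> List[dict]:
    """Under first-match semantics a rule fully covered by an earlier rule never
    fires: same action -> redundant (unused); different action -> conflicting."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflicting"
                findings.append({"rule": later.name, "shadowed_by": earlier.name, "kind": kind})
                break
    return findings


# Constructed sample rule set for a firewall in front of the PLC segment
SAMPLE_RULES = [
    Rule("R1", "permit", "10.10.1.0/24", "10.20.0.5/32", "tcp", (502, 502)),   # SCADA servers -> PLC, Modbus
    Rule("R2", "deny",   "any",          "10.20.0.0/24", "tcp", (502, 502)),   # nobody else talks Modbus to PLCs
    Rule("R3", "permit", "10.10.1.7/32", "10.20.0.5/32", "tcp", (502, 502)),   # already covered by R1
    Rule("R4", "permit", "10.10.2.0/24", "10.20.0.5/32", "tcp", (502, 502)),   # never reached: R2 denies first
    Rule("R5", "permit", "10.10.1.0/24", "10.20.0.9/32", "udp", (161, 161)),   # SNMP to a network device
]

if __name__ == "__main__":
    for f in review(SAMPLE_RULES):
        print(f"{f['rule']} is {f['kind']} (shadowed by {f['shadowed_by']})")
```

Only complete shadowing by a single earlier rule is detected; a rule covered by the union of several earlier rules would need an interval-splitting pass, and hit counters from the devices are still needed to find rules that are reachable but never used.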



6 SYSTEM HARDENING

Where available, vendor- approved hardening guidelines shall be applied. For all other systems
the following security measures shall be implemented to ensure the integrity of all components.

6.1 System Access Control

All physical and logical access to configuration, diagnostic and auxiliary ports shall be protected
and be limited to approved devices, processes and persons.
Basic requirements include:

• Default and anonymous accounts shall be changed or disabled;

• Systems shall provide the means to enforce the corporate password policy;

• Administration via insecure protocols shall be removed; and

• Administrative accounts shall be personalized.

6.2 Hardware Components

All wireless interfaces, unnecessary devices, modules and ports shall be removed or disabled.
Where this is technically not possible, access to these ports shall be blocked physically using port
locks.
All wireless interfaces shall be documented.
Systems shall employ HW detection features and be able to detect changes in HW modules.

6.3 Software Components

All software, services, routing and network reconfiguration protocols, etc., not required for the
intended functionality shall be removed and/or disabled including, but not limited to:

• Games;

• Any software not required and unused TCP and UDP ports;

• Device drivers for devices not used or not installed;

• Backups of files, databases, and programs used only during system development; and

• All unused data and configuration files.


Users, services and applications shall run with the minimum rights / privileges required for the
intended tasks.

6.4 Malware Protection

6.4.1 Controller
It shall be ensured that:

• Firmware changes and programming of the controllers can only be performed from an
Engineering Workstation on a dedicated network segment;
• Control logic is protected by a checksum or digital signature;
• All changes to firmware and programming are logged;
• Access to controllers is password-protected;
• Only approved devices (as per Data Communication Matrix) can communicate with the
PLC to:
o Send commands;
o Change set points; and
o Read process data.
• Unused services / functions are disabled; where this is not possible, users shall be granted
only least privileges and strong passwords shall be enforced; and
• Only secure protocols are used.
6.4.2 Smart Field Devices
For Safety Integrity Function (SIF) loops and their core support systems (like power supply and
HVAC), smart devices allowing for remote and / or wireless diagnostics, calibration and
configuration shall not be used.
6.4.3 Hypervisors
Hypervisor hosts shall:

• Be equipped with a MLE and measure core system components;

• Extend the chain of trust to the application VMs;

• Ensure the isolation of processes running in VMs; and

• Provide for security monitoring and policy enforcement.


6.4.4 Server, Workstation, and Application VMs
In addition to the aforementioned measures, servers, workstations and application VMs shall:

• Support a trusted boot mechanism;

• Have an AWL or Exploit Mitigation solution installed (preferred over AV);

• Have the AWL solution configured to prevent execution and installation of unauthorized
software;

• Use an AV solution where AWL is not possible;

• Have bi-weekly AV signature updates implemented;

• Have automatic blocking of known malware implemented; and

• Have the configuration interfaces for AWL and AV solutions protected.



6.4.5 Data Bases


Database applications shall validate all input, preferably using a whitelisting approach, in order to
defend against SQL injection attacks. Invalid input shall be logged.
SQL-generated error messages shall be removed from replies to users. For troubleshooting
purposes it shall be possible to change this behavior.
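Added example (not part of this specification): a tag-value lookup shown in its vulnerable form beside the hardened form the requirements above describe, i.e. allow-list validation of the input, logging of rejected input, and SQL error text hidden from the caller unless a troubleshooting flag is set. It also binds the value as a query parameter, which is the standard injection defence and complements the allow-list. The table layout, tag naming rule and sample rows are constructed.

```python
"""Added example: allow-list input validation, parameterized queries and
suppressed SQL error messages for a tag-value lookup. Table layout, tag naming
rule and sample rows are constructed for illustration."""
import logging
import re
import sqlite3
from typing import Any, Dict, List

log = logging.getLogger("tagdb")

# Allow-list: tag names are upper-case letters/digits/underscore, 1-32 chars (constructed rule)
TAG_NAME = re.compile(r"[A-Z][A-Z0-9_]{0,31}")


def setup() -> sqlite3.Connection:
    """Constructed sample database with two process tags."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tags (name TEXT PRIMARY KEY, value REAL)")
    con.executemany("INSERT INTO tags VALUES (?, ?)",
                    [("PS1_FLOW", 12.5), ("PS1_PRESS", 7.2)])
    con.commit()
    return con


def read_tag_unsafe(con: sqlite3.Connection, name: str) -> List[tuple]:
    """Vulnerable variant: the tag name is pasted into the SQL text, so a
    value such as  X' OR '1'='1  rewrites the WHERE clause and leaks all rows."""
    return con.execute(f"SELECT value FROM tags WHERE name = '{name}'").fetchall()


def read_tag(con: sqlite3.Connection, name: str, debug: bool = False) -> Dict[str, Any]:
    """Hardened variant: reject anything outside the allow-list and log it,
    bind the value as a parameter, and hide the database error text unless
    troubleshooting mode (debug=True) is enabled."""
    if not TAG_NAME.fullmatch(name):
        log.warning("rejected tag name %r", name)
        return {"ok": False, "error": "invalid tag name"}
    try:
        row = con.execute("SELECT value FROM tags WHERE name = ?", (name,)).fetchone()
    except sqlite3.Error as exc:
        log.error("database error for %r: %s", name, exc)
        return {"ok": False, "error": str(exc) if debug else "request failed"}
    return {"ok": True, "value": row[0] if row else None}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    db = setup()
    print(read_tag_unsafe(db, "X' OR '1'='1"))   # both rows leak
    print(read_tag(db, "X' OR '1'='1"))          # rejected and logged
    print(read_tag(db, "PS1_FLOW"))
```

The allow-list is the first gate and the bound parameter the second; neither alone is what the requirement asks for, and the debug flag is the only path by which raw database errors reach a reply.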
6.4.6 Network Devices
All devices shall be managed out- of- band using personalized administrative accounts. For remote
locations dedicated communication links for management traffic shall be utilized.
6.4.7 Secure Data Transfer to and from SCADA Systems
Data transferred to and from servers and workstations, e.g., using removable media (USB, CD,
DVD), shall be checked for malware using a separate security appliance / sheep-dip system.
This appliance shall support:

• Analysis of files / binaries for all deployed server and workstation OS;

• Multiple AV engines running simultaneously; and

• Local analysis of suspected files.


Once the media and the files have passed the tests (AV scans, hash value verification etc.), the
files shall be made available to the respective network for further use.

7 NETWORK AND DEVICE MANAGEMENT


The network management consists of the central network management system and the
components in the local network nodes.
The Network Management system shall provide the following functions:

• Network monitoring and administration;

• Fault Management (para 8);

• Configuration Management (para 9);

• Authentication, Authorization and Accounting Management (para 10);

• Performance Management (para 11);

• Security and Patch Management (para 12); and

• Communication / alarm forwarding to the SCADA system using OPC UA.


The Network Management System shall scale to handle all stations of the PROJECT.

7.1 Central Network Management System


The network management system shall consist of an NMS server and an NMS workstation and meet
the same requirements for availability as in the specification S05 "Central Control Hardware
and Standard Software" and the appropriate data sheets.
Server and workstation shall meet the requirements as defined in the specification S05
"Central Control Hardware and Standard Software", section 5, "Standard Hardware" and section 6,
"Standard Software".

7.2 Network Monitoring and Administration


Network monitoring and administration shall:

• Automatically detect the network topology;

• Provide graphical representation of the network including status of links and devices; and

• Support configuration of protection switching and topology conversion.

7.3 Device management


Device management shall:

• Support all SNMP-enabled devices like firewalls, routers, switches, PLCs, HMI panels, I/O
modules, servers, workstations etc. and provide access to device-specific configuration
settings, preferably via a GUI;

• Detect new devices, MAC and IP addresses automatically;

• Display module assembly, module data and status;

• Support diagnosis and tests of modules and communication links;

• Support managing configurations centrally and for all devices in a given path; and

• Support configuration backups and restore procedures.



8 FAULT AND ALARM MANAGEMENT

The fault management function shall detect, log, and automatically isolate and correct malfunctions
that occur in the network.
The system shall support alarm classification and optical and acoustical alarm indication.
All alarms and events shall be archived with their severity (e.g., critical, major, minor, warning).
Reporting and search functions shall be provided. Selected alarms (configurable) shall be
displayed on the SCADA system. It shall be possible to suppress selected alarms.
Information about security violations shall be displayed on the Network Management System.
Optionally it shall be possible to send a message to the Network Administrator.

9 CONFIGURATION MANAGEMENT

9.1 General Requirements

The configuration management system shall at least support the following functions:

• Inventory Management (hardware, firmware and software versions);

• Maintenance and modification of all system data;

• Support importing of vulnerability definitions (CVEs) as provided by NIST / the National
Vulnerability Database (or equivalent) into the asset management system;

• Match vulnerability definitions (CVEs) with platform descriptions (CPEs);

• Provide a list / report of all unpatched vulnerabilities; and

• Backup and recovery of device configurations.
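Added example (not part of this specification): matching CVE definitions against an asset inventory expressed as CPE 2.3 names, with the version-range semantics NVD uses (versionStartIncluding / versionEndExcluding), and producing the unpatched-vulnerability report required above. The vendor, product names, asset names and CVE identifiers are placeholders constructed for illustration, not real entries.

```python
"""Added example: matching CVE definitions against an asset inventory described
by CPE 2.3 names, as required of the configuration management system. Vendor,
product, version and CVE identifiers are placeholders constructed for
illustration, not real entries."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VERSION = 3  # index of the version component in a CPE 2.3 name


def parse_cpe(cpe: str) -> List[str]:
    """Split 'cpe:2.3:part:vendor:product:version:update:edition:lang:sw_edition:
    target_sw:target_hw:other' into its 11 components. Escaped colons are not handled."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return parts[2:]


def _version_key(v: str) -> Tuple:
    # numeric segments compare numerically, anything else as text
    return tuple((0, int(s)) if s.isdigit() else (1, s) for s in v.split("."))


@dataclass(frozen=True)
class CveMatch:
    cve_id: str
    cpe_pattern: str                      # CPE 2.3 match string; '*' means ANY
    version_start_including: Optional[str] = None
    version_end_excluding: Optional[str] = None


def cve_applies(match: CveMatch, asset_cpe: str) -> bool:
    pattern, asset = parse_cpe(match.cpe_pattern), parse_cpe(asset_cpe)
    for i, (p, a) in enumerate(zip(pattern, asset)):
        if i != VERSION and p not in ("*", a):
            return False
    version = asset[VERSION]
    if pattern[VERSION] not in ("*", version):
        return False
    key = _version_key(version)
    if match.version_start_including and key < _version_key(match.version_start_including):
        return False
    if match.version_end_excluding and key >= _version_key(match.version_end_excluding):
        return False
    return True


def unpatched_report(inventory: Dict[str, str], cves: List[CveMatch]) -> Dict[str, List[str]]:
    """asset name -> sorted list of CVE ids that apply to its installed version."""
    report: Dict[str, List[str]] = {}
    for asset, cpe in inventory.items():
        hits = sorted(m.cve_id for m in cves if cve_applies(m, cpe))
        if hits:
            report[asset] = hits
    return report


# Constructed inventory and CVE definitions (placeholder ids, not real CVEs)
INVENTORY = {
    "PLC-PS1-01": "cpe:2.3:o:examplevendor:plc_fw:2.1.0:*:*:*:*:*:*:*",
    "PLC-PS1-02": "cpe:2.3:o:examplevendor:plc_fw:2.3.1:*:*:*:*:*:*:*",
    "HMI-PS1-01": "cpe:2.3:a:examplevendor:hmi_runtime:5.0:*:*:*:*:*:*:*",
}
CVES = [
    CveMatch("CVE-0000-0001", "cpe:2.3:o:examplevendor:plc_fw:*:*:*:*:*:*:*:*",
             version_end_excluding="2.3.0"),
    CveMatch("CVE-0000-0002", "cpe:2.3:o:examplevendor:plc_fw:2.3.1:*:*:*:*:*:*:*"),
    CveMatch("CVE-0000-0003", "cpe:2.3:a:examplevendor:hmi_runtime:*:*:*:*:*:*:*:*",
             version_start_including="4.0", version_end_excluding="4.9"),
]

if __name__ == "__main__":
    for asset, ids in unpatched_report(INVENTORY, CVES).items():
        print(asset, "->", ", ".join(ids))
```

The match is only as good as the inventory: firmware versions that the asset management system records as free text rather than as a CPE name cannot be matched automatically, which is why 9.1 asks for CPE-based platform descriptions.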

9.2 Secure Baseline Configuration

For all configuration items (CI) for the system under consideration a secure baseline shall be
developed and documented covering:

• Firmware and software versions;

• Patch levels; and

• System configuration including all security measures applied.


Secure baseline configurations shall represent the most secure state consistent with operational
requirements and constraints and shall be provided for review and approval 6 weeks before FAT.
Once approved, all configuration items shall be configured to always start / boot into their approved
secure baseline configuration.

10 USER AUTHENTICATION AND AUTHORIZATION

All resources shall have assigned access policies. Access policies shall be based on roles
assigned to users and non- human entities. Permissions shall be granted following the “Least
Privilege” principle. No single person shall be able to access, modify or use assets without
authorization or detection.
Users and non- human entities, roles and the corresponding permissions shall be managed
centrally using a directory service. Users in the office network shall be handled by the directory
service of the corporate IT system, while users of SCADA and control systems shall be handled by
a separate directory service.
In case this directory service is not available, local logon shall be supported.
The following features shall be provided:

• Define multiple roles;

• Assign several users to one role;

• Assign users to different roles;

• Users cannot be assigned mutually exclusive roles;

• The number of users per role can be limited;

• For selected roles (e.g., administrator) only one member of the group can assume the
responsibilities at any time;

• Identify all users and non- human entities uniquely in all roles;

• Authenticate users and non- human entities;

• Authorize user and non- human entity actions based on roles and permissions;

• Support password policies and MFA;

• Secure transmission of passwords;

• Secure storing of passwords; and

• Download / upload of user account configuration.

10.1 Passwords

Devices and applications shall support:

• Selectable minimum length, complexity and aging / maximum lifetime of passwords;

• Limiting the number of allowed failed attempts;

• Introducing a delay between password submission attempts;

• Password history enforcement;

• Secure storage of passwords; and

• MFA.

10.2 Time- Based Logout after Inactivity

If there is no interaction between the administrator and a device for a configured time, the session
shall be discarded and, prior to the next interaction, the user shall be forced to re-authenticate.

10.3 Directory Services

Directory service shall:

• Contain the schema for SCADA and control networks;

• Have different accounts configured for the administration of the directory service and of its
data;

• Use Kerberos / MFA for authentication and sign SMB data traffic; and

• Have the integrated DNS zones protected.

11 PERFORMANCE MANAGEMENT

The following functions / features shall be provided by the Network Management System:

• Baseline and threshold setup;

• Measure network resource utilization;

• Raise alarms if thresholds are crossed;

• Graphical representation of the network topology, health status of elements and free
resources; and

• Reporting.

12 SECURITY AND PATCH MANAGEMENT

12.1 Security Events

The following table specifies the minimum requirements for security violations that shall be
detected and reported, as applicable for the type of communication, data and activity:

Event Type                               Security Alarm Causes
---------------------------------------  -------------------------------------------------
Integrity violation                      Duplicate information; information missing;
                                         information modification detected; information
                                         out of sequence; unexpected information
Operational violation                    Denial of service; out of service; procedural
                                         error; unspecified reason
Security service or mechanism violation  Authentication failure; breach of confidentiality;
                                         non-repudiation failure; unauthorized access
                                         attempt; unspecified reason
Time domain violation                    Delayed information; key expired; out of hours
                                         activity

12.2 General Requirements for Patching

The following general requirements apply:

• All systems shall allow the patching of all system components during normal system
operation without interruption of normal system operations; and

• A test environment shall be provided that closely resembles the production environment
and allows for testing patches without interrupting the ability to monitor and control the
technological process.

12.3 Life- Time Support

The following support for the entire life time of the systems shall be provided:

• Test updates and patches for the operating system and security solutions as they are
released by the OEM for compatibility with the installed applications;

• Develop and test updates and patches for control, SCADA and higher pipeline specific
applications;

• Release / approve updates;

• Provide guidance on compensating measures and system configuration; and

• Update documentation to reflect changes.

12.4 Patch Management System

A patch management system shall be provided that supports returning to a known clean state
after every use.
The patch management system shall perform the following functions:

• Download required files and verify their integrity;

• Apply new software / configuration to test environment;

• Archive successfully tested software and configuration files to read- only media; and

• Provide a report about test results.


Deployment of successfully tested software and configuration files to production systems shall then
be manually initiated by operator personnel.

13 VULNERABILITY MANAGEMENT

In order to support the vulnerability management process, the following shall be provided:

• A monthly summary on vulnerabilities detected on systems deployed;

• Patches and support as per para 12.3 “Lifetime support” of this specification;

• Systems can be checked by the vulnerability scanner; and

• Recommendations on compensating measures for CRITICAL VULNERABILITIES.



14 INTRUSION DETECTION SYSTEM

14.1 General Requirements

Intrusion Detection Systems shall support signature- and anomaly-based detection of events and self-
protection, produce human- and machine-readable information on all events and alerts in real time
and trigger an alert in the Log Management System when an intrusion is detected. Alerts shall
include relevant data to verify and contain the intrusion. The collected information shall be
forwarded to the log management system (see chapter 15).
Signature-based IDS shall receive regular updates from a signature repository and shall be
centrally managed via a secure connection.

14.2 Host- Based IDS

HIDS capabilities shall be implemented on all hosts, VMs and endpoints technically supporting it.
The HIDS shall support:

• Analysis and correlation of events, escalation, documentation and long-term storage;

• Monitoring the entire host system for anomalies; and

• Producing report.
The HIDS shall not perform any active responses automatically.

14.3 Network- Based IDS

The network traffic shall be examined via Test Access Points located within the network in such a
way that all network traffic can be captured / must flow past these sensors and malicious activities
are detected on all networks.
NIDS shall support:

• Capturing network traffic at full line speed;

• Detection of injected traffic;

• Integration of honeypots / a honey net;

• Multi-user capability and role-based authentication; and

• Producing reports.

14.4 Test Access Points

TAPs shall be installed as required in order to prevent “blind spots” in the network leading to traffic
that cannot be monitored.
TAPs shall:

• Be available for FOC, copper and virtual connections;

• Be protocol-agnostic;

• Support the media and full line speed of the respective connection; and

• Prevent traffic injection from the monitoring infrastructure.



15 LOG MANAGEMENT SYSTEM

15.1 General Requirements

All network devices and all security appliances shall be synchronized from the same time source as
all systems connected to the SCADA network. Synchronization shall be done using the Network
Time Protocol (NTP). All events, messages and alarms shall be consistently time- stamped.
The log management system shall:

• Collect and store raw logs from all log sources in real time;
• Allow validating sources;
• Allow forwarding raw and filtered logs to other systems;
• Provide reporting functions; and
• Raise an alarm if no log messages were received for a configurable time.

All components of the logging infrastructure shall support:

• RFC 3195, RFC 5424 and RFC 5425 requirements; and
• Message digest algorithm SHA-1 or better.
15.1.1 Searching and Filtering
The search function shall:

• Provide a common and intuitive interface;


• Allow for searching raw and filtered log data using keyword search across full text;
• Allow multiple filters to be applied to a single message; and
• Automatically include metadata when available.
15.1.2 Reporting
The logging system shall provide predefined reports and allow for the creation of custom reports.

15.2 Log Server

A log server shall be installed at the control center at PS-1 to collect logs from all network devices
and hosts at all stations.
The log server shall support:

• Storing of raw logs for at least 14 months with an overlap of one month between years;
• Log protection and integrity checking;
• RAID 6 hard disk configuration;
• Basic log correlation (based on time stamps, IP addresses, event types);
• Basic reporting; and
• Forwarding logs to the SIEM.
Basic log processing like parsing, event filtering, event aggregation and log correlation shall not
alter the raw log entries nor shall it lead to any performance impact of the Log Management
System.
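Added example (not part of this specification) covering three requirements of 15.1 and 15.2 together: parsing RFC 5424 messages, protecting stored raw logs with an integrity check, and raising an alarm when a source has sent nothing for a configurable time. The integrity check is a SHA-256 hash chain (the specification's floor is SHA-1, which is no longer collision-resistant, so a stronger digest is the sensible choice); the log lines, host names and timestamps are constructed.

```python
"""Added example: RFC 5424 parsing, a SHA-256 hash chain for log integrity, and
the silent-source alarm required of the log management system. Host names,
timestamps and messages are constructed."""
import hashlib
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# Structured data is matched as '-' or one or more [...] elements; an escaped ']'
# inside a parameter value is not handled here.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)


def parse_rfc5424(line: str) -> dict:
    m = RFC5424.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    d = m.groupdict()
    d["facility"], d["severity"] = divmod(int(d.pop("pri")), 8)
    d["timestamp"] = datetime.fromisoformat(d.pop("ts").replace("Z", "+00:00"))
    return d


class LogStore:
    """Append-only store. Each digest covers the previous digest and the raw
    line, so editing or deleting any stored entry breaks the chain from that
    point on. Raw lines are never modified by parsing."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(prev: str, raw: str) -> str:
        return hashlib.sha256((prev + "\n" + raw).encode("utf-8")).hexdigest()

    def append(self, raw: str) -> str:
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        digest = self._digest(prev, raw)
        self.entries.append({"raw": raw, "parsed": parse_rfc5424(raw),
                             "prev": prev, "digest": digest})
        return digest

    def verify(self) -> Optional[int]:
        """Index of the first corrupted entry, or None if the chain is intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or self._digest(prev, e["raw"]) != e["digest"]:
                return i
            prev = e["digest"]
        return None

    def silent_sources(self, now: datetime, max_silence: timedelta) -> List[str]:
        """Hosts whose newest message is older than max_silence (configurable)."""
        last: Dict[str, datetime] = {}
        for e in self.entries:
            host, ts = e["parsed"]["host"], e["parsed"]["timestamp"]
            last[host] = max(last.get(host, ts), ts)
        return sorted(h for h, t in last.items() if now - t > max_silence)


# Constructed sample messages (PRI 86 = authpriv.info, 38 = auth.info)
SAMPLE_LOGS = [
    '<86>1 2023-01-15T08:00:00Z fw-ps1 sshd 1234 ID47 - Accepted publickey for admin from 10.10.3.5',
    '<38>1 2023-01-15T08:05:00Z hmi-ps1 login 500 - - Failed password for operator',
    '<86>1 2023-01-15T08:30:00Z fw-ps1 sshd 1240 ID47 [meta seq="2"] Session closed',
]
NOW = datetime(2023, 1, 15, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    store = LogStore()
    for line in SAMPLE_LOGS:
        store.append(line)
    print("chain intact:", store.verify() is None)
    print("silent > 45 min:", store.silent_sources(NOW, timedelta(minutes=45)))
```

The chain only proves that the store has not been altered since the digests were written; to make the check independent of the log server itself, the latest digest has to be exported periodically to a second system (or to the write-once media required in 12.4).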

15.3 Log Sources

Logs shall be collected from the following log sources:

• Unit and station controllers;

• Network devices and network management systems;

• Host- and network-based IDS;

• Vulnerability scanner;

15.4 Logged Events

The following events shall be logged:

• Changes in network topology, devices and links added and removed;

• Records of successful and rejected login attempts;

• Detected malware, attacks, anomalies and violations of security rules;

• Changes to system configuration;

• Use of privileges, system utilities and applications; and

• Activation and de-activation of security controls.

Log entries shall contain, where relevant:

• User, device, system and security rule IDs; and

• Date, time and failure codes.



16 SECURITY INCIDENT AND EVENT MANAGEMENT SYSTEM


16.1 General requirements
The SIEM shall support:

• Receiving log messages from the log management system;

• Receiving context data from:


o Workforce management systems;
o Identity management systems;
o Vulnerability scan results;
o Asset management systems; and
o Threat intelligence suppliers

• Normalization and categorization of log messages and context data;

• Correlation of log messages and context data;

• Prioritization of detected events, e.g., based on the:


o Criticality of involved assets; and
o Vulnerability of the involved assets

• Notification and alerting via e-mail and SMS;

• Real- time views;

• Reporting; and

• Security workflows and use cases.

16.2 Events (to be detected)


The SIEM shall be able to detect the following events with a high degree of probability and low
rate of false alarms:

• Unsolicited devices and services;

• Unsolicited communication with controllers and engineering workstations;

• Unsolicited communication with security systems;

• Command and Control Traffic;

• Suspicious Configuration Changes;

• Failed Malware Cleaning;

• Audit Log Tampering;

• Suspicious Network Activity;

• Suspicious Account Activity;

• Lateral Movement; and

• Privilege Abuse.
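Added example (not part of this specification or of any SIEM product): the detection logic for the first three events above, run over constructed flow records. A device is "unsolicited" when its source address is not in the asset inventory, and a flow is "unsolicited communication" when it is not covered by the Data Communication Matrix; the target group (controllers or engineering workstations) decides which alert fires. Addresses, ports and the matrix are constructed for illustration.

```python
"""Added example: SIEM-style detection of unsolicited devices and of
communication with controllers / engineering workstations that is not covered
by the Data Communication Matrix. Addresses, ports and flow records are
constructed."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed asset groups and inventory (known IPs of the SCADA zone)
CONTROLLERS: Set[str] = {"10.20.0.5", "10.20.0.6"}
ENGINEERING_WS: Set[str] = {"10.10.1.50"}
INVENTORY: Set[str] = {"10.10.1.10", "10.10.1.11", "10.10.1.50"} | CONTROLLERS

# Constructed Data Communication Matrix: (source, destination, protocol, destination port)
MATRIX: List[Tuple[str, str, str, int]] = [
    ("10.10.1.10/32", "10.20.0.0/24", "tcp", 502),    # SCADA server A -> PLCs, Modbus/TCP
    ("10.10.1.11/32", "10.20.0.0/24", "tcp", 502),    # SCADA server B -> PLCs, Modbus/TCP
    ("10.10.1.50/32", "10.20.0.0/24", "tcp", 44818),  # EWS -> PLCs, programming (EtherNet/IP)
]

Flow = Dict[str, object]


def in_matrix(flow: Flow) -> bool:
    """True if some matrix entry permits this source/destination/protocol/port."""
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    return any(
        src in ip_network(m_src) and dst in ip_network(m_dst)
        and flow["proto"] == m_proto and flow["dport"] == m_port
        for m_src, m_dst, m_proto, m_port in MATRIX
    )


def detect(flows: List[Flow]) -> List[Dict[str, object]]:
    """One finding per offending flow, listing every reason that applies."""
    findings = []
    for f in flows:
        reasons = []
        if f["src"] not in INVENTORY:
            reasons.append("unsolicited device")
        if not in_matrix(f):
            if f["dst"] in CONTROLLERS:
                reasons.append("unsolicited communication with controller")
            elif f["dst"] in ENGINEERING_WS:
                reasons.append("unsolicited communication with engineering workstation")
            else:
                reasons.append("traffic outside communication matrix")
        if reasons:
            findings.append({"flow": f, "reasons": reasons})
    return findings


# Constructed flow records, e.g. as exported by the NIDS or the firewall
SAMPLE_FLOWS: List[Flow] = [
    {"ts": "2023-01-15T08:00:01Z", "src": "10.10.1.10", "dst": "10.20.0.5", "proto": "tcp", "dport": 502},
    {"ts": "2023-01-15T08:00:02Z", "src": "10.10.1.11", "dst": "10.20.0.6", "proto": "tcp", "dport": 44818},
    {"ts": "2023-01-15T08:00:03Z", "src": "10.10.9.99", "dst": "10.20.0.5", "proto": "tcp", "dport": 502},
    {"ts": "2023-01-15T08:00:04Z", "src": "10.10.1.50", "dst": "10.20.0.5", "proto": "tcp", "dport": 44818},
    {"ts": "2023-01-15T08:00:05Z", "src": "10.10.1.10", "dst": "10.10.1.50", "proto": "tcp", "dport": 3389},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_FLOWS):
        f = finding["flow"]
        print(f"{f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}: {', '.join(finding['reasons'])}")
```

Because the matrix is the same document the firewall rules are derived from (19.1), a flow that is observed but absent from the matrix points either at an attacker or at a gap between the matrix and the deployed rule set, and both are worth an alert.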

16.3 Security Workflows and Use Cases

The SIEM systems shall support standard security workflows and use cases like:

• Endpoint quarantine

• Suspend users

• Suspend network access

• Kill processes

• Endpoint forensics

• Network forensics / full packet capture


It shall also support creating custom use cases using standard programming technology such as
Bash, Java, Perl, PowerShell or Python.
It shall be possible to select for each device between the following execution options:

• Automatic execution; and

• Approval- based execution.


Approval- based execution shall be possible across the network.

16.4 Incident Management

CLIENT shall be informed immediately about any security incident related to systems that are used
to provide services or process its data, for the entire duration of service provisioning.
Incident Response Procedures to handle unavailability of installed systems and services shall be
prepared.

17 BACKUP

17.1 General Requirements

A backup solution shall be implemented that allows for regular backups of Control system servers
and workstations. It shall support the following features:

• Storage on a backup server;

• Storage on removable or portable media;

• Encryption of backups;

• Integrity checks of backups;

• Full system backup without the need to shut down systems; and

• Incremental backups.
Storage capacity of the backup server shall be sufficient to store the last complete images of all
relevant servers, work stations, one master backup for all work stations plus their relevant
configuration settings, configuration settings of network devices, etc.

17.2 Network Attached Storage

NAS shall provide / support:

• Gigabit Ethernet interface or better;

• Out-of-band management / KVM interface;

• RAID controller supporting RAID 6;

• Storage capacity to store 3 full images of all servers and workstations.

18 RECOVERY

A recovery solution shall be implemented supporting the following features:

• Remote Recovery; and

• Full operational system restore on new hardware. Complete restoration of a
server shall not take more than 4 hours, assuming functional hardware is available.
A complete set of OEM installation media with all required license keys, dongles etc. for setting up
systems from scratch shall be provided.

19 FACTORY ACCEPTANCE TEST

The following tests shall be performed:

• System configuration review;


• Ruleset review;
• Vulnerability scans;
• Security tests;
• Log Management system and SIEM integration test; and
• Restore and recovery tests.

19.1 System Configuration Review

The review shall demonstrate that the latest approved firmware and software is installed on all systems
and all systems are configured and hardened in accordance with applicable policies and guidelines
provided in chapter "System Hardening", and agreements reached during detail design.
Ruleset reviews shall be performed for all systems and demonstrate that:

• Only traffic as per Data Communication Matrix is permitted;


• Security measures cannot be bypassed; and
• Roles and permissions have been setup correctly.

19.2 Vulnerability Scans


Both unauthenticated and authenticated vulnerability scans shall be performed for all systems and
devices. All vulnerabilities and missing patches shall be documented.

19.3 Patch Management System


Patches for vulnerabilities with a vector CVSS:3.1 AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L or more
severe shall be installed, if possible before starting security tests. Where no patches are
available, compensating measures shall be implemented.
The following functions shall be tested:

• Import of patches and updates;


• Integrity verification of imported files; and
• Application of new software / configuration to test environment.

19.4 Security Tests


All security mechanisms shall be tested. Functions that require a network connection to other
premises shall be simulated.
The following shall be demonstrated:

• The required functionality;


• That security measures withstand invalid input (commands, data, timing etc.);
• That the security measures withstand attempts to disable or bypass them;
• That security measures do not impact performance of the SCADA systems; and
• That they do not produce unacceptable side effects.

19.5 Log Management System

The following shall be demonstrated:

• All events are properly logged as required;

• Unavailability of log sources is properly detected; and

• Required basic functions for log parsing, filtering, and correlation work without altering the
raw log entries or impacting the performance of the logging system.

19.6 SIEM Function Tests

The following shall be demonstrated:

• The SIEM systems receives all log messages from the log management system;

• Messages are properly normalized;

• Events are properly correlated; and

• Notifications and alerts are sent via e-mail and SMS.

19.7 Procedures

It shall be demonstrated that all backup, restore and incident response procedures work
seamlessly.

19.8 Remediation of Issues

All issues found during FAT shall be resolved and remedied within 6 weeks. Failed tests shall be
repeated.

19.9 Design Freeze

After remediation of weaknesses found during FAT no changes other than the ones agreed to
mitigate latest vulnerabilities (para 19.2) shall be made to hardware, firmware, software, patch
status, configurations and rulesets.

19.10 FAT Documentation

Detailed test protocols shall be prepared (witnessed by CLIENT and/or its representative). FAT
reports shall be provided at least 6 weeks before installation and start-up.
A complete list shall be submitted, detailing:

• Identified vulnerabilities, patch availability and compensating measures in place; and

• Devices and services which are not compliant with applicable policies.

20 SITE ACCEPTANCE TEST

20.1 Reviews and Tests

During SAT all reviews and tests performed during FAT shall be repeated. Additionally, all
interfaces that were simulated during FAT shall be fully tested.
Additionally, the following tests shall be performed:

• All functionality that was not tested during FAT or was not tested under full load;

• Network discovery with device, OS, port and service identification;

• Wireless and Bluetooth scanning;

• Penetration Test (see para 21); and

• Forwarding logs to the SIEM.

20.2 Remediation of Issues

All issues found during SAT shall be resolved and remedied within 6 weeks after SAT. Failed
tests shall be repeated.

20.3 SAT Documentation

Detailed test protocols shall be prepared (witnessed by the CLIENT and/or its representative)
within 6 weeks after remediation of issues.
A complete list shall be submitted, detailing:

• Identified vulnerabilities, patch availability and compensating measures in place; and

• Devices and services which are not compliant with applicable policies.

21 PENETRATION TEST

21.1 General Requirements

A penetration test shall be prepared and conducted in close cooperation with CLIENT's
Information Security Officer and with control, SCADA, higher pipeline-specific application and operation
specialists to:

• Identify vulnerabilities of the systems not identified during FAT;

• Estimate the level of sophistication an attacker needs to successfully compromise the
system;

• Identify additional measures that could mitigate threats against the system; and

• Evaluate the ability to detect attacks and respond accordingly.


The test shall be performed by an independent team (not involved in any of the design activities of
the PROJECT), but familiar with the used hardware, software, configuration and ICS specifics.
The penetration test shall be performed as a tandem test covering the SCADA and control systems
for the following channels as per OSSTMM v3:

• Wireless;

• Telecommunications; and

• Data Networks.
The following information shall be made available to the penetration test team:

• HAZOP and HAZID reports;

• Control and operation philosophy;

• System architecture diagrams;

• Specifications for the SCADA and higher pipeline-specific application systems,
instrumentation, control, cause and effect matrix, telecommunication system, HVAC, UPS,
and diesel generators;

• Data communication matrix; and

• System configuration documents as defined in chapter “Final Documentation”.


The penetration test shall preferably be performed on the SCADA training systems. Where this is
not possible, tests shall be performed while the system is offline. Testing production systems
while they are online shall be considered only as a last resort, if the target of the penetration
test cannot be achieved otherwise.

21.2 Pre- Assessment

In the pre-assessment phase, the joint team shall identify the assets to be targeted during the
testing. Where tests have to be performed on production systems, a detailed risk assessment shall
be performed in order to identify activities that might endanger the safety of the system or the
environment. For these critical activities, specific instructions to the penetration testers, required
additional safeguards and emergency plans shall be defined and documented.

21.3 Assessment Preparation

During the assessment preparation the joint team shall prepare the lab environment, all test
systems, test plans and procedures as well as the test tools. Required additional safeguards,
communication between the specialists and emergency procedures for live systems shall be
implemented and tested. The results of the tests shall be documented. Test plans and procedures
shall be approved by CLIENT's specialists.

The following sections list the minimum tests to be prepared.

21.3.1 "Wireless Channel" Tests

The following tests shall be performed as per OSSTMM3, chapter 9 "Wireless Security Testing":

• Passive wireless scans to detect both legitimate and unauthorized devices;

• Locate unauthorized wireless devices; and

• Bypass or evade security controls of legitimate devices.


21.3.2 “Telecommunication Channel” Tests
Tests for the following communication channels shall be prepared:

• All connections from corporate networks to SCADA networks;

• All remote access connections into the SCADA networks; and

• All links carrying SCADA traffic across public or semi-public networks.

All channels shall be tested for:
o Ways to bypass or evade security controls; and
o Ways to overload the channel.
21.3.3 “Data Networks Channel” Tests
The following tests shall be prepared:

• Port scanning;

• DNS interrogation;

• SNMP enumeration;

• Network protocol traffic capture and analysis;

• Denial of Service tests; and

• Bypassing and evading security controls.

21.4 Testing

During the testing phase the penetration testers have to log all operations they performed.
CLIENT's specialists will check for the presence of any side effects on the tested systems and
trigger safeguards and emergency plans as necessary.

21.5 Reporting

A full report shall be provided, containing at least the following information per test:

• Date, time and duration of the test;

• Auditors and analysts involved;

• Test scope, setup and tools that have been used;

• Test results with test error margins;

• Generated false positives and false negatives;

• Vulnerabilities discovered, with recommendations on how to solve the problem; and

• Unknown anomalies.

21.6 System Cleanup

After test completion the tested systems shall be cleaned up so as to ensure that:

• The system performs as required; and

• All changes that were introduced during tests are fully undone.
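As an added illustration of the cleanup check (not part of this specification), one way to verify "all changes fully undone" is a baseline-and-compare step in Python: hash the configuration files of the system under test before testing starts and again after the declared cleanup, and report anything that differs. File names and contents below are constructed samples; the check covers file content only, not running services or accounts.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """SHA-256 of every regular file under root, keyed by POSIX relative path."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}


def residual_changes(before, after):
    """Files added, removed or modified between the two snapshots, i.e. not undone."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def cleanup_verified(before, after):
    """True only when the post-test state equals the pre-test baseline file for file."""
    return not any(residual_changes(before, after).values())


def demo():
    """Constructed walk-through: baseline, test activity, then an incomplete cleanup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        rules = root / "etc" / "firewall.rules"
        snmp = root / "etc" / "snmpd.conf"
        baseline_rules = "# constructed sample rule set\nallow zone-scada -> zone-control tcp/502\n"
        rules.write_text(baseline_rules)
        snmp.write_text("rocommunity <placeholder> 10.0.1.5\n")
        before = snapshot(root)  # taken before testing starts

        # During testing both files are edited and a helper script is dropped.
        # The declared cleanup restores only the rule file.
        rules.write_text("# temporarily edited during test\n")
        snmp.write_text("rocommunity <placeholder> 10.0.1.5\nrocommunity test-tmp 10.0.9.0/24\n")
        (root / "helper.sh").write_text("#!/bin/sh\n")
        rules.write_text(baseline_rules)
        after = snapshot(root)  # taken after the declared cleanup
        return residual_changes(before, after), cleanup_verified(before, after)
```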

22 DOCUMENTATION

22.1 Information to be provided at FAT and SAT

The following documentation shall be provided in addition to the standard documentation,
before FAT and after SAT respectively, as applicable:

• IP address plan for all local networks;

• Data Communication Matrix;

• Security Zone Plan;

• Patch test procedures;

• Update and patch procedures; and

• Backup and restore procedures.

22.2 Security Zone Plan

The security zone plan shall contain the following information per zone:

• The risks associated with each zone;

• The security policies to be enforced;

• The types of activities permitted within the zone; and

• The types of communications allowed within and with the zone.
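An added example (not from the specification) of how the Security Zone Plan and the Data Communication Matrix of 22.1 can be cross-checked: the zone plan is encoded with the communications allowed between zones, and every row of the matrix is tested against it. Rows not covered by the plan are the "devices and services which are not compliant with applicable policies" that the SAT list in 20.3 asks for. Zone names, ports and the row format are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One row of the Data Communication Matrix (constructed layout)."""
    src_zone: str
    dst_zone: str
    protocol: str
    port: int


# Constructed Security Zone Plan: per zone, the permitted activities and the
# communications allowed towards other zones as (protocol, port) pairs.
ZONE_PLAN = {
    "Corporate": {"activities": {"office IT"}, "allowed_to": {}},
    "DMZ": {"activities": {"historian mirror", "patch staging"},
            "allowed_to": {"SCADA": {("tcp", 443)}}},
    "SCADA": {"activities": {"supervisory control"},
              "allowed_to": {"Control": {("tcp", 502), ("udp", 20000)},
                             "DMZ": {("tcp", 443)}}},
    "Control": {"activities": {"PLC / RTU control"},
                "allowed_to": {"SCADA": {("tcp", 502)}}},
}


def is_permitted(flow, plan=ZONE_PLAN):
    """Cross-zone traffic must be listed in the plan; unknown zones are never permitted."""
    if flow.src_zone not in plan or flow.dst_zone not in plan:
        return False
    if flow.src_zone == flow.dst_zone:  # intra-zone traffic is governed by the zone's own policy
        return True
    return (flow.protocol, flow.port) in plan[flow.src_zone]["allowed_to"].get(flow.dst_zone, set())


def non_compliant_flows(matrix, plan=ZONE_PLAN):
    """Matrix rows not covered by the zone plan, to be reported at FAT/SAT."""
    return [f for f in matrix if not is_permitted(f, plan)]


def unknown_zones(matrix, plan=ZONE_PLAN):
    """Zones referenced by the matrix that the zone plan does not define at all."""
    return sorted({z for f in matrix for z in (f.src_zone, f.dst_zone)} - set(plan))


# Constructed matrix rows: two covered by the plan, three that are not.
SAMPLE_MATRIX = [
    Flow("SCADA", "Control", "tcp", 502),     # polling of controllers, listed in plan
    Flow("DMZ", "SCADA", "tcp", 443),         # listed in plan
    Flow("Corporate", "SCADA", "tcp", 3389),  # Corporate has no allowed path into SCADA
    Flow("Control", "SCADA", "udp", 20000),   # only tcp/502 is listed in this direction
    Flow("Vendor", "Control", "tcp", 22),     # zone missing from the plan entirely
]
```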

22.3 Final Documentation

The following documents shall be provided for the implemented controls:

• Final version of documents listed in 22.1 and 22.2;

• System configuration document, describing for each system:

o Hardware, firmware, OS and application software revisions and patch level;
o System configuration settings and hardening measures;
o Installed / running processes, services and agents with their respective permissions;
o Update, patch, backup and restore procedures; and
o Account information; and

• Licenses and keys.
