CONSTRUCTION WORKS
SWCC WATER TRANSMISSION SYSTEMS
Specification S11
Subject: Cyber Security System
Doc. - No.: QC10-H-131 Rev. 00
Page 1 of 38
LIST OF CONTENTS
ABBREVIATIONS   6
DEFINITIONS   8
1 INTRODUCTION   9
2 STANDARDS   10
17 BACKUP   31
18 RECOVERY   31
22 DOCUMENTATION   38
ABBREVIATIONS
AC Air Conditioning
AV Anti-Virus
CI Configuration Item
ID Identifier
IP Internet Protocol
OS Operating System
SL Security Level
VM Virtual Machine
VMM VM Monitor
DEFINITIONS
CLIENT: SWCC
Vertical: Vertical network segregation describes an approach to segment the network resembling the levels of the automation pyramid.
1 INTRODUCTION
This specification contains the requirements for the design, manufacturing, supply, installation, test
and commissioning of measures to protect SCADA, station, unit control and ESD systems, smart
field devices, analysers, communication networks, all support equipment, perimeter protection
systems and process equipment against cyber-attacks which could impair the integrity of these
systems and thus lead to equipment damage, loss of containment, loss of control, or disruption or
degradation of operation.
A Cyber Security Team inside CLIENT’s Operation and Maintenance organization will:
• Constantly monitor the system for violations and signs of security breaches;
• Regularly perform security audits, assessments, vulnerability scans and penetration tests
as per corporate standards.
The following shall be provided as described in this specification in order to support CLIENT’s
Cyber Security Team in performing their duties:
• Traffic between zones is limited as per communication matrix and strictly enforced;
• All systems, processes and users are granted least privileges sufficient to complete a given
task;
• Defense-in-Depth principle to prevent important systems from compromise by a single
failure or vulnerability; and
• Only hardware and software developed and tested using a documented Security
Development Life Cycle is deployed, with devices meeting SL 3 as per IEC 62443-4-2.
2 STANDARDS
The following particular standards, rules and regulations, all in the latest valid edition, must be
observed:
HCIS High Commission for Industrial Security Directives for Industrial Facilities
CVSS Common Vulnerability Scoring System Specification Document
IEC 60870-5-7 Telecontrol equipment and systems - Transmission protocols - Security extensions to IEC 60870-5-101 and IEC 60870-5-104 protocols (Applying IEC 62351)
ISO 28000 Specification for Security Management Systems for the Supply Chain
Further standards, rules and regulations used by the manufacturer for design, manufacturing and
testing are allowed, but must be declared.
3 ENVIRONMENTAL CONDITIONS
The equipment shall be installed inside buildings, containers or underground shafts.
The environmental data are summarised in the specification S01 “Design and Construction of I&C
System” and in the General Specification G02 “Description of Project and Works”.
Upon contract award, a sufficiently qualified person for this PROJECT / in the organization shall be
nominated, who serves as a focal point for CLIENT’s Project Security Officer. This person (referred
to as project security officer) shall channel the exchange of all information about cyber security
events related to his organization, the system and services provided, and all necessary / required
updates, patches and changes.
An interdisciplinary cyber security risk assessment for the SCADA and control systems shall be
conducted during detail design in order to define the cyber security requirements and proposed
measures:
• After remediation measures defined during FAT have been implemented; and
Mobile devices used in the course of the project shall meet the requirements stipulated in chapter
“System Hardening” of this specification, as applicable. They shall not be used in networks or for
configuring devices serving different purposes. The usage of USB storage media shall be strictly
controlled.
5 NETWORK DESIGN
• The Internet;
• For each host at least location, system name and management IP address;
• For each NIC system ID, MAC and IP address settings, VLANs; and
• For all network connections purpose, socket information, traffic filter rules with network-
wide unique ID as well as DPI and application-layer specific settings.
Data flow control shall be used to enforce the traffic filter rules as per data communication matrix.
Generally, only data communication required for the proper functioning of the SCADA, control and
safety systems including administration and maintenance shall be allowed within and between
zones.
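As an added example (not code from the S11 specification or from SWCC), the following Python models a data communication matrix as a deny-by-default rule set with network-wide unique rule IDs and audits observed flows against it; zone names, subnets, ports and rule IDs are constructed sample values.

```python
"""Zone-to-zone data communication matrix as a deny-by-default rule set.

Added example, not part of the S11 specification or of any SWCC system.
Each allowed flow is an explicit rule with a network-wide unique ID (as
chapter 5 requires); anything not listed is denied. Zone names, subnets,
ports and rule IDs below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    rule_id: str    # network-wide unique ID
    src_zone: str
    dst_zone: str
    src_net: str    # CIDR of the allowed sources
    dst_net: str    # CIDR of the allowed destinations
    proto: str      # "tcp" or "udp"
    dst_port: int
    purpose: str    # why the flow is needed (documented per connection)


class CommMatrix:
    def __init__(self, rules):
        ids = [r.rule_id for r in rules]
        dups = sorted({i for i in ids if ids.count(i) > 1})
        if dups:
            raise ValueError(f"duplicate rule IDs: {dups}")
        self.rules = list(rules)

    def match(self, src_ip, dst_ip, proto, dst_port):
        """Return the rule that permits this flow, or None (deny by default)."""
        s, d = ip_address(src_ip), ip_address(dst_ip)
        for r in self.rules:
            if (r.proto == proto.lower() and r.dst_port == dst_port
                    and s in ip_network(r.src_net) and d in ip_network(r.dst_net)):
                return r
        return None

    def audit(self, flows):
        """Classify observed flows (e.g. exported from firewall logs) against
        the matrix. Returns (allowed, violations); each item is (flow, rule_id)."""
        allowed, violations = [], []
        for f in flows:
            r = self.match(*f)
            (allowed if r else violations).append((f, r.rule_id if r else None))
        return allowed, violations


# Constructed sample matrix: L1 controllers, L2 SCADA, L3 DMZ and a management zone
RULES = [
    Rule("FW-0001", "L2-SCADA", "L1-CTRL", "10.2.0.0/24", "10.1.0.0/24", "tcp", 502,
         "SCADA master polls PLCs (Modbus/TCP)"),
    Rule("FW-0002", "L2-SCADA", "L1-CTRL", "10.2.0.0/24", "10.1.0.0/24", "tcp", 2404,
         "IEC 60870-5-104 telecontrol"),
    Rule("FW-0003", "L3-DMZ", "L2-SCADA", "10.3.0.0/24", "10.2.0.0/24", "tcp", 443,
         "Historian replication"),
    Rule("FW-0004", "L1-CTRL", "MGMT", "10.1.0.0/24", "10.9.0.0/24", "tcp", 6514,
         "Syslog over TLS (RFC 5425) from controllers to the log server"),
]

# Constructed sample flows: (src_ip, dst_ip, proto, dst_port)
SAMPLE_FLOWS = [
    ("10.2.0.10", "10.1.0.5", "tcp", 502),    # SCADA -> PLC, permitted by FW-0001
    ("10.1.0.5", "10.9.0.20", "tcp", 6514),   # PLC -> log server, permitted by FW-0004
    ("10.3.0.7", "10.1.0.5", "tcp", 502),     # DMZ host talks Modbus to a PLC: not in matrix
    ("10.2.0.10", "10.1.0.5", "tcp", 22),     # SSH from SCADA to PLC: not in matrix
]


def run_audit():
    return CommMatrix(RULES).audit(SAMPLE_FLOWS)


if __name__ == "__main__":
    ok, bad = run_audit()
    for flow, rid in ok:
        print("ALLOW", rid, flow)
    for flow, _ in bad:
        print("VIOLATION (no matrix entry)", flow)
```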
5.5.3 Router
Routers shall, in addition to 5.5.1, support:
• Filtering based on source and destination MAC and IP addresses, TCP and UDP ports;
• Filtering for incoming and outgoing connections, both in routing and transparent mode;
• Port forwarding;
• Filtering of traffic based on control protocol read / write commands, registers / coils, HTTP
request methods, etc.;
Virtualization solutions shall preferably be used for server virtualization and shall provide high
availability, load balancing and fault tolerance for the server / application instances.
It shall at least comprise:
• Host machines;
• Virtual network(s);
• Application VMs;
• VM Image Repository.
5.6.1 Host Machine
Host machines shall provide hardware support for virtualization for improved isolation of VMs and
protection of the host OS, have sufficient NICs to fit into the overall network segregation and
zoning concept, and provide a dedicated NIC for the management interface.
5.6.2 Hypervisor with Management Tools
The hypervisor with related management tools shall:
• Protect the host hardware from dangerous commands originating from Application VMs;
• Allow the assignment of a guaranteed physical number of resources for each VM;
• Support ACLs to restrict the access of each VM to only the devices assigned to this VM;
• Provide virtual or software-defined networks; and
• Be manageable through an enterprise virtualization management software and support
SNMP v3.
VMs shall continue to run / work in case the VMM is not available.
5.6.3 Virtual Machine Image Repository
Gold or Master Images shall be stored in a protected image repository.
• Vulnerability Scanning.
Where necessary, additional NICs shall be provided for servers, work stations, etc.
In case these networks share a common transmission path, e.g., as VLANs, basic Quality of
Service (QoS) shall be implemented by limiting the maximum bandwidth any VLAN can consume.
• Support for all devices as per 5.5 (Network Devices / Appliances) used in the PROJECT;
6 SYSTEM HARDENING
Where available, vendor-approved hardening guidelines shall be applied. For all other systems
the following security measures shall be implemented to ensure the integrity of all components.
All physical and logical access to configuration, diagnostic and auxiliary ports shall be protected
and be limited to approved devices, processes and persons.
Basic requirements include:
All wireless interfaces, unnecessary devices, modules and ports shall be removed or disabled.
Where this is technically not possible, access to these ports shall be blocked physically using port
locks.
All wireless interfaces shall be documented.
Systems shall employ HW detection features and be able to detect changes in HW modules.
All software, services, routing and network reconfiguration protocols, etc., not required for the
intended functionality shall be removed and/or disabled including, but not limited to:
• Games;
• Any software not required and unused TCP and UDP ports;
• Backups of files, databases, and programs used only during system development; and
6.4.1 Controller
It shall be ensured that:
• Firmware changes and programming of the controllers can only be performed from an
Engineering Workstation on a dedicated network segment;
• Control logic is protected by a checksum or digital signature;
• All changes to firmware and programming are logged;
• Access to controllers is password-protected;
• Only approved devices (as per Data Communication Matrix) can communicate with the
PLC to:
o Send commands;
o Change set points; and
o Read process data.
• Unused servers / functions are disabled; where this is not possible, users shall be granted
only least privileges and strong passwords shall be enforced; and
• Only secure protocols are used.
6.4.2 Smart Field Devices
For Safety Integrity Function (SIF) loops and their core support systems (like power supply and
HVAC), smart devices allowing for remote and / or wireless diagnostics, calibration and
configuration shall not be used.
6.4.3 Hypervisors
Hypervisor hosts shall:
• Have the AWL solution configured to prevent execution and installation of unauthorized
software;
• Analysis of files / binaries for all deployed server and workstation OS;
• Provide graphical representation of the network including status of links and devices; and
• Support all SNMP-enabled devices like firewalls, routers, switches, PLCs, HMI panels, I/O
modules, servers, workstations etc. and provide access to device-specific configuration
settings, preferably via a GUI;
• Support managing configurations centrally and for all devices in a given path; and
The fault management function shall detect, log, and automatically isolate and correct malfunctions
that occur in the network.
The system shall support alarm classification and optical and acoustical alarm indication.
All alarms and events shall be archived with their severity (e.g., critical, major, minor, warning).
Reporting and search functions shall be provided. Selected alarms (configurable) shall be
displayed on the SCADA system. It shall be possible to suppress selected alarms.
Information about security violations shall be displayed on the Network Management System.
Optionally it shall be possible to send a message to the Network Administrator.
9 CONFIGURATION MANAGEMENT
The configuration management system shall at least support the following functions:
For all configuration items (CI) for the system under consideration a secure baseline shall be
developed and documented covering:
All resources shall have assigned access policies. Access policies shall be based on roles
assigned to users and non-human entities. Permissions shall be granted following the “Least
Privilege” principle. No single person shall be able to access, modify or use assets without
authorization or detection.
Users and non-human entities, roles and the corresponding permissions shall be managed
centrally using a directory service. Users in the office network shall be handled by the directory
service of the corporate IT system, while users of SCADA and control systems shall be handled by
a separate directory service.
In case this directory service is not available, local logon shall be supported.
The following features shall be provided:
• For selected roles (e.g., administrator) only one member of the group can assume the
responsibilities at any time;
• Identify all users and non-human entities uniquely in all roles;
• Authorize user and non-human entity actions based on roles and permissions;
10.1 Passwords
• Selectable minimum length, complexity and aging / maximum lifetime of passwords;
• MFA.
If there is no interaction between the administrator and a device for a configured time, the session
shall be discarded and, prior to the next interaction, the user shall be forced to re-authenticate.
• Have different accounts configured for the administration of the directory service and of
data;
• Use Kerberos / MFA for authentication and sign SMB data traffic; and
11 PERFORMANCE MANAGEMENT
The following functions / features shall be provided by the Network Management System:
• Graphical representation of the network topology, health status of elements and free
resources; and
• Reporting.
The following table specifies the minimum requirements for security violations that shall be
detected and reported, as applicable for the type of communication, data and activity:
Integrity violation:
• Duplicate information
• Information missing
• Information modification detected
• Information out of sequence
• Unexpected information
Operational violation:
• Denial of service
• Out of service
• Procedural error
• Unspecified reason
Security service or mechanism violation:
• Authentication failure
• Breach of confidentiality
• Non-repudiation failure
• Unauthorized access attempt
• Unspecified reason
Time domain violation:
• Delayed information
• Key expired
• Out of hours activity
• All systems shall allow the patching of all system components during normal system
operation without interruption of normal system operations; and
• A test environment shall be provided that closely resembles the production environment
and allows for testing patches without interrupting the ability to monitor and control the
technological process.
The following support for the entire lifetime of the systems shall be provided:
• Test updates and patches for the operating system and security solutions as they are
released by the OEM for compatibility with the installed applications;
• Develop and test updates and patches for control, SCADA and higher pipeline specific
applications;
A patch management system shall be provided that supports returning to a known clean state
after every use.
The patch management system shall perform the following functions:
• Archive successfully tested software and configuration files to read-only media; and
13 VULNERABILITY MANAGEMENT
In order to support the vulnerability management process, the following shall be provided:
• Patches and support as per para 12.3 “Lifetime support” of this specification;
Intrusion Detection Systems shall support signature- and anomaly-based detection of events and
self-protection, produce human- and machine-readable information on all events and alerts in real-time,
and trigger an alert in the Log Management System when an intrusion is detected. Alerts shall
include relevant data to verify and contain the intrusion. The collected information shall be
forwarded to the log management system (see chapter 15).
Signature based IDS shall receive regular updates from a signature repository and shall be
centrally managed via a secure connection.
HIDS capabilities shall be implemented on all hosts, VMs and end points technically supporting it.
The HIDS shall support:
• Producing reports.
The HIDS shall not perform any active responses automatically.
The network traffic shall be examined by Test Access Points located within the network in such a
way that all network traffic can be captured / must flow past these sensors and malicious activities
are detected on all networks.
NIDS shall support:
• Producing reports.
TAPs shall be installed as required in order to prevent “blind spots” in the network leading to traffic
that cannot be monitored.
TAPs shall:
• Be protocol-agnostic;
• Support the media and full line speed of the respective connection; and
All network devices and all security appliances shall be synchronized from the same time source as
all systems connected to the SCADA network. Synchronization shall be done using the Network
Time Protocol (NTP). All events, messages and alarms shall be consistently time-stamped.
The log management system shall:
• Collect and store raw logs from all log sources in real-time;
• Allow validating sources;
• Allow forwarding raw and filtered logs to other systems;
• Provide reporting functions; and
• Raise an alarm if no log messages were received for a configurable time.
All components of the logging infrastructure shall support:
• RFC 3195, RFC 5424 and RFC 5425 requirements; and
• Message digest algorithm SHA-1 or better.
15.1.1 Searching and Filtering
The search function shall:
A log server shall be installed at the control center at PS-1 to collect logs from all network devices
and hosts at all stations.
The log server shall support:
• Storing of raw logs for at least 14 months with an overlap of one month between years;
• Log protection and integrity checking;
• RAID 6 hard disk configuration;
• Basic log correlation (based on time stamps, IP addresses, event types);
• Basic reporting; and
• Forwarding logs to the SIEM.
Basic log processing like parsing, event filtering, event aggregation and log correlation shall not
alter the raw log entries nor shall it lead to any performance impact of the Log Management
System.
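As an added example (not code from the specification or from any SWCC system), the following Python shows the chapter 15 requirements in working form: RFC 5424 parsing, raw log lines kept unaltered under a SHA-256 digest chain (“SHA-1 or better”), and a per-source silence alarm after a configurable time; hostnames, messages and timestamps are constructed.

```python
"""RFC 5424 log intake with integrity chaining and silence alarms.

Added example, not code from the S11 specification or any SWCC system.
Raw lines are stored verbatim; each entry's SHA-256 digest also covers the
previous digest, so altering or dropping a stored line breaks the chain.
Hostnames, messages and timestamps below are constructed sample values.
"""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$")

GENESIS = "0" * 64   # digest "before" the first entry


def parse(line):
    """Split one RFC 5424 line into its fields; PRI is decoded into facility/severity."""
    m = RFC5424.match(line)
    if not m:
        raise ValueError(f"not RFC 5424: {line!r}")
    d = m.groupdict()
    d["facility"], d["severity"] = divmod(int(d["pri"]), 8)
    ts = d["ts"]
    d["ts"] = None if ts == "-" else datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return d


class LogStore:
    def __init__(self):
        self.entries = []      # (raw, parsed, digest) - raw is never modified
        self.last_seen = {}    # hostname -> latest timestamp seen
        self._prev = GENESIS

    def ingest(self, raw):
        parsed = parse(raw)
        digest = hashlib.sha256((self._prev + raw).encode()).hexdigest()
        self.entries.append((raw, parsed, digest))
        self._prev = digest
        h, ts = parsed["host"], parsed["ts"]
        if ts and (h not in self.last_seen or ts > self.last_seen[h]):
            self.last_seen[h] = ts
        return digest

    def verify(self):
        """Recompute the chain; False if any stored line or digest was altered."""
        prev = GENESIS
        for raw, _, digest in self.entries:
            if hashlib.sha256((prev + raw).encode()).hexdigest() != digest:
                return False
            prev = digest
        return True

    def silent_sources(self, now, max_silence):
        """Hosts that have not logged anything within max_silence (alarm condition)."""
        return sorted(h for h, t in self.last_seen.items() if now - t > max_silence)


# Constructed sample log lines (firewall and PLC at a pumping station)
SAMPLE_LOGS = [
    "<14>1 2024-03-01T10:00:00Z fw-ps1-01 fw - 1001 - FW-0001 accept tcp 10.2.0.10 -> 10.1.0.5:502",
    "<12>1 2024-03-01T10:00:05Z plc-ps1-01 iec104 - - - link established from 10.2.0.10",
    "<11>1 2024-03-01T10:02:00Z fw-ps1-01 fw - 1002 - deny tcp 10.3.0.7 -> 10.1.0.5:502",
    "<14>1 2024-03-01T10:30:00Z fw-ps1-01 fw - 1003 - accept tcp 10.1.0.5 -> 10.9.0.20:6514",
]


def run_demo(max_silence_min=15):
    store = LogStore()
    for line in SAMPLE_LOGS:
        store.ingest(line)
    now = datetime(2024, 3, 1, 10, 30, tzinfo=timezone.utc)
    return {"chain_ok": store.verify(),
            "silent": store.silent_sources(now, timedelta(minutes=max_silence_min)),
            "severities": [p["severity"] for _, p, _ in store.entries]}


if __name__ == "__main__":
    print(run_demo())
```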
• Vulnerability scanner;
• Activation and de-activation of security controls.
Log entries shall contain, where relevant:
• Reporting; and
• Privilege Abuse.
The SIEM systems shall support standard security workflows and use cases like:
• Endpoint quarantine
• Suspend users
• Kill processes
• Endpoint forensics
CLIENT shall be informed immediately about any security incident related to systems that are used
to provide services or process its data, for the entire duration of service provisioning.
Incident Response Procedures to handle unavailability of installed systems and services shall be
prepared.
17 BACKUP
A backup solution shall be implemented that allows for regular backups of Control system servers
and workstations. It shall support the following features:
• Encryption of backups;
• Full system backup without the need to shut down systems; and
• Incremental backups.
Storage capacity of the backup server shall be sufficient to store the last complete images of all
relevant servers and workstations, one master backup for all workstations plus their relevant
configuration settings, configuration settings of network devices, etc.
18 RECOVERY
It shall demonstrate that the latest approved firmware and software is installed on all systems and
all systems are configured and hardened in accordance with applicable policies and guidelines
provided in chapter “System Hardening”, and agreements reached during detail design.
Ruleset reviews shall be performed for all systems and demonstrate that:
• Required basic functions for log parsing, filtering, and correlation work without altering the
raw log entries or impacting the performance of the logging system;
• The SIEM system receives all log messages from the log management system;
19.7 Procedures
It shall be demonstrated that all backup, restore and incident response procedures work
seamlessly.
All issues found during FAT shall be resolved and remedied within 6 weeks. Failed tests shall be
repeated.
After remediation of weaknesses found during FAT no changes other than the ones agreed to
mitigate latest vulnerabilities (para 19.2) shall be made to hardware, firmware, software, patch
status, configurations and rulesets.
Detailed test protocols shall be prepared (witnessed by CLIENT and/or its representative). FAT
reports shall be provided at least 6 weeks before installation and start-up.
A complete list shall be submitted, detailing:
• Devices and services which are not compliant with applicable policies.
During SAT all reviews and tests performed during FAT shall be repeated. Additionally, all
interfaces that were simulated during FAT shall be fully tested.
Additionally, the following tests shall be performed:
• All functionality that was not tested during FAT or was not tested under full load;
All issues found during SAT shall be resolved and remedied within 6 weeks after SAT. Failed
tests shall be repeated.
Detailed test protocols shall be prepared (witnessed by the CLIENT and/or its representative)
within 6 weeks after remediation of issues.
A complete list shall be submitted, detailing:
• Devices and services which are not compliant with applicable policies.
21 PENETRATION TEST
A penetration test shall be prepared and be conducted in close cooperation with CLIENT’s
Information Security Officer, control, SCADA, higher pipeline specific application and operation
specialists to:
• Identify additional measures that could mitigate threats against the system; and
• Wireless;
• Telecommunications; and
• Data Networks.
The following information shall be made available to the penetration test team:
In the pre-assessment phase, the joint team shall identify the assets to be targeted during the
testing. Where tests have to be performed on production systems, a detailed risk assessment shall
be performed in order to identify activities that might endanger the safety of the system or the
environment. For these critical activities, specific instructions to penetration testers, required
additional safeguards and emergency plans shall be defined and documented.
During the assessment preparation the joint team shall prepare the lab environment, all test
systems, test plans and procedures as well as the test tools. Required additional safeguards,
communication between the specialists and emergency procedures for live systems shall be
implemented and tested. The results of the tests shall be documented. Test plans and procedures
shall be approved by CLIENT’s specialists.
The following sections list the minimum tests to be prepared.
21.3.1 “Wireless Channel” Tests
The following tests shall be performed as per OSSTMM3, chapter 9 “Wireless Security Testing”:
• All links carrying SCADA traffic across public or semi-public links. All channels shall be
tested for:
o Ways to bypass or evade security controls; and
o Ways to overload the channel.
21.3.3 “Data Networks Channel” Tests
The following tests shall be prepared:
• Port scanning;
• DNS interrogation;
• SNMP enumeration;
21.4 Testing
During the testing phase the penetration testers have to log all operations they performed.
CLIENT’s specialists will check for the presence of any side effects on the tested systems and
trigger safeguards and emergency plans as necessary.
21.5 Reporting
A full report shall be provided, containing at least the following information per test:
• Unknown anomalies.
After test completion the tested systems shall be cleaned up as to ensure that:
• All changes that were introduced during tests are fully undone.
22 DOCUMENTATION
The security zone plan shall contain the following information per zone: