Engineering Procedure

SAEP-99 25 January 2017


Saudi Aramco Industrial Control System Security
Document Responsibility: Plants Networks Standards Committee

Contents
1 Scope ............................................................. 2
2 Conflicts and Deviations .......................................... 3
3 Applicable Documents .............................................. 3
4 Instruction ....................................................... 5
5 General Security Management ....................................... 5
6 Communication and Configuration Management ........................ 9
7 Physical Security Management ..................................... 25
8 Business Continuity Management ................................... 26
9 Roles and Responsibilities ....................................... 29
Revision Summary ................................................... 31
Appendix A - Acronyms .............................................. 32
Appendix B - Definitions ........................................... 33
Appendix C - SAEP-99 Mapping to International Standards ............ 36
Appendix D - Sample Aggregate Inventory List ....................... 38
Appendix E - Supporting Assets ..................................... 42
Appendix F - Non-Disclosure, Confidentiality, and Liability Agreement .. 43

Previous Issue: 29 October 2015 Next Planned Update: 25 January 2020


Page 1 of 44
Contact: Ouchn, Nabil J (ouchnnj) on phone +966-13-8801365

©Saudi Aramco 2017. All rights reserved.


Document Responsibility: Plants Networks Standards Committee SAEP-99
Issue Date: 25 January 2017
Next Planned Update: 25 January 2020 Saudi Aramco Industrial Control System Security

1 Scope

1.1 Purpose

The purpose of this procedure is to establish the minimum mandatory information security policies and controls for ICS at Saudi Aramco plants. This security procedure assigns ownership and accountability for meeting the minimum mandatory security requirements.

To ensure consistency of the security controls with international standards, SAEP-99 is structured in four categories, further broken down into domains.

Figure 1 - Structure and Controls Grouping

Appendix C depicts the mapping of SAEP-99 domains to international standards, particularly the IEC 62443 series, NIST SP 800-82 and NIST SP 800-53 Rev. 4.

1.2 Application

This procedure applies to Saudi Aramco ICS components, including the plant Data Diode(s). Ultimately, each plant is responsible for implementing the appropriate security controls to protect its assets.

1.3 Language

In this procedure, the terms “must”, “shall”, “should”, and “can” are used. When “must” or “shall” is used, the item is a mandatory requirement. When “should” is used, the item is strongly recommended but not mandatory. When “can” is used, compliance may further enhance system security, but compliance is optional.

1.4 Exclusions

Any requirement that is not supported by the system shall require the implementation of mitigating controls that are approved by the plant manager. These mitigating controls shall be based on a formal risk assessment/business impact analysis in accordance with SAEP-707.

This procedure does not cover Saudi Aramco industrial security requirements
such as gate access, door thickness, lock types or concrete structure.

Also excluded are applications or systems that are both:

a. not utilized for any process automation function, and
b. not connected to the ICS.

1.5 Responsible Organizations

This procedure is retroactive and applies to all Saudi Aramco plants. Additional responsibilities are highlighted in Section 9.

2 Conflicts and Deviations

2.1 Compliance with this procedure is mandatory unless an exception is explicitly stated. All Saudi Aramco plant personnel, contractors, and third-party vendors must comply with the roles, responsibilities, and security policies in this procedure and its subsequent documents to ensure the confidentiality, integrity, and availability of Saudi Aramco plant information.

2.2 Any conflicts between this procedure and other applicable Mandatory Saudi
Aramco Engineering Requirements (MSAERs), or industry standards, codes,
and forms shall be resolved in writing to the manager of Process & Control
Systems Department (P&CSD) of Saudi Aramco, Dhahran.

2.3 Direct all requests to deviate from any mandatory security requirement of this procedure in writing to the manager of P&CSD of Saudi Aramco, Dhahran, in accordance with SAEP-302.

3 Applicable Documents

The requirements contained in the following documents apply to the extent specified in
this procedure.

3.1 Saudi Aramco References

Saudi Aramco Engineering Procedures

SAEP-98      Removable Media Usage for Process Automation Systems
SAEP-100     Plant's Cyber Security Incident Response
SAEP-302     Instructions for Obtaining a Waiver of a Mandatory Saudi Aramco Engineering Requirement
SAEP-707     Risk Assessment Procedure for Plants Networks and Systems
SAEP-746     Lifecycle Management Procedure for Process Automation Systems

Saudi Aramco Engineering Standard

SAES-T-566   Plant Demilitarized Zone (DMZ) Architecture

Saudi Aramco Engineering Best Practices

SABP-T-001   Proactive Monitoring and Alerting Solution for Plant Networks and System
SABP-Z-047   Data Backup and Restore for Plants Networks and Systems
SABP-Z-070   Process Automation Systems Cybersecurity Obsolescence Management
SABP-Z-072   Functional Specification for Process Automation System (ICS) Cybersecurity Requirement
SABP-Z-073   Guidelines for Disaster Recovery Plan Development for ICS
SABP-Z-085   Juniper Intrusion Detection and Prevention Signatures Offline Updates
SABP-Z-086   Remote Desktop Protocol Security Controls and Mitigations Guidelines

Saudi Aramco General Instructions

GI-0299.120  Sanitization and Disposal of Saudi Aramco Electronic Storage Devices and Obsolete/Unneeded Software
GI-0710.002  Classification and Handling of Sensitive Information

Saudi Aramco Information Protection Standards and Guidelines

Information Protection Manual version 2015-11

Corporate Policy

INT-7        Data Protection and Retention

3.2 Industry Codes and Standards

National Institute of Standards and Technology (NIST)

NISTIR 7977      NIST Cryptographic Standards and Guidelines Development Process (March 2016 Release)
NIST SP 800-50   Building an Information Technology Security Awareness and Training Program
NIST SP 800-53   Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-82   Guide to Industrial Control Systems Security

International Society of Automation (ISA) / International Electrotechnical Commission (IEC)

ISA/IEC 62443    Industrial Network and System Security

4 Instruction

The following instructions shall be adhered to:

a. The user of this procedure must exercise sound professional judgment concerning its use and applicability under the user's particular circumstances.
b. The user must also consider the applicability of any Saudi Aramco standards before implementing this procedure.

5 General Security Management

This section provides the minimum mandatory security requirements for ICS as related
to Change Management, Awareness and Training, and Cybersecurity-related
Obsolescence Management. It will address “general” plant operational security
requirements for each topic.

5.1 Change Management

Change management must apply to all changes made to any component of the ICS.

5.1.1 Change Management Process

5.1.1.1 The change management process shall have the capability for change tracking, approval, scheduling, and verification prior to implementation.
Commentary Note:

The verification shall be performed by an individual other than the implementer.

5.1.1.2 All changes to ICS infrastructure, including hardware, operating systems, and applications, shall be strictly controlled by a change management process.

5.1.1.3 Implementation and roll-back plans shall be developed and tested prior to any change.

5.1.1.4 All supporting documents shall be attached to the change request. Examples of such documents include, but are not necessarily limited to, implementation plans, test plans, roll-back procedures, diagrams, etc.

5.1.1.5 Affected components shall be backed up prior to any change implementation.

5.1.1.6 Risk, impact, and security implications of changes shall be evaluated.
Commentary Note:

SAEP-707 can be used as a reference.

5.1.1.7 The change management record shall capture, as a minimum: user name, badge number, phone number, ICS component ID accessed, session date, session length, and reason.

5.1.2 Security Configuration Management

5.1.2.1 The initial baseline configuration shall be obtained from the vendor and documented, including components such as hardware, operating system, firmware, services, open ports, protocols, versions, etc.

5.1.2.2 The baseline configuration shall be reviewed and updated annually.

5.1.2.3 All updates to the baseline should be documented and auditable.

5.1.2.4 Changes to the baseline shall be approved by the vendor prior to implementation.

5.1.2.5 PAN administrators should refer to P&CSD hardening best practices for any system that lacks vendor support.
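The baseline requirements in 5.1.2 only work if someone periodically compares a live host against the recorded baseline and every accepted deviation leaves an audit trail. The following script is an added example and is not part of SAEP-99 or any Saudi Aramco tool: the host name "HMI-01", the versions, services and ports, and the change-request reference are constructed values, and the snapshot format is an assumption of the example.

```python
"""Baseline-configuration drift check for one ICS host (added example, not from SAEP-99)."""
import json
from datetime import date

# Constructed baseline for a hypothetical HMI node, recorded at commissioning from the
# vendor-supplied build (5.1.2.1). Host name, versions and ports are all made up.
BASELINE = {
    "host": "HMI-01",
    "os": "Windows Server 2012 R2",
    "firmware": "1.4.2",
    "services": {"OPCEnum": "running", "Spooler": "stopped"},
    "open_ports": ["tcp/135", "tcp/445", "tcp/4840"],
    "software": {"OPC Server": "3.1.0"},
}

# Constructed snapshot of the same node as an inventory collector might report it today.
CURRENT = {
    "host": "HMI-01",
    "os": "Windows Server 2012 R2",
    "firmware": "1.4.3",
    "services": {"OPCEnum": "running", "Spooler": "running", "TermService": "running"},
    "open_ports": ["tcp/135", "tcp/445", "tcp/4840", "tcp/3389"],
    "software": {"OPC Server": "3.1.0"},
}


def compare_baseline(baseline, current):
    """Return a sorted list of drift findings; an empty list means the host matches its baseline."""
    findings = []
    for key in ("os", "firmware"):
        if baseline[key] != current[key]:
            findings.append(f"{key}: baseline {baseline[key]!r}, now {current[key]!r}")
    base_ports, cur_ports = set(baseline["open_ports"]), set(current["open_ports"])
    # A new listener is the classic sign of an unapproved change (or an implant);
    # a vanished one usually means a baseline service has stopped.
    for port in sorted(cur_ports - base_ports):
        findings.append(f"open_ports: unexpected listener {port}")
    for port in sorted(base_ports - cur_ports):
        findings.append(f"open_ports: baseline listener {port} missing")
    for category in ("services", "software"):
        for name, value in current[category].items():
            expected = baseline[category].get(name)
            if expected is None:
                findings.append(f"{category}: {name} not in baseline ({value})")
            elif expected != value:
                findings.append(f"{category}: {name} expected {expected!r}, now {value!r}")
        for name in sorted(baseline[category].keys() - current[category].keys()):
            findings.append(f"{category}: {name} in baseline but not found")
    return sorted(findings)


def accept_baseline_update(baseline, current, change_request, approver):
    """Promote the current snapshot to the new baseline and return it with an audit record.

    5.1.2.3 and 5.1.2.4 want baseline updates documented, auditable and vendor-approved,
    so the update refuses to proceed without a change-request reference and an approver.
    """
    if not change_request or not approver:
        raise ValueError("baseline update needs a change request reference and an approver")
    audit = {
        "host": baseline["host"],
        "change_request": change_request,
        "approver": approver,
        "date": date.today().isoformat(),
        "drift_accepted": compare_baseline(baseline, current),
    }
    # Deep copy so later edits to the live snapshot cannot silently alter the approved record.
    return json.loads(json.dumps(current)), audit


if __name__ == "__main__":
    for finding in compare_baseline(BASELINE, CURRENT):
        print(finding)
```

Run against the constructed snapshot, the check reports the firmware change, the new tcp/3389 listener, the Spooler service that is now running, and the unlisted TermService. Each of those is either an approved change (in which case it should already be in a change request and can be accepted into the baseline with its reference) or a finding for the annual review.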

5.2 Awareness and Training

5.2.1 Awareness Program

5.2.1.1 A security awareness program shall be developed and implemented to ensure that all employees, contractors and third-party vendors are informed of the security risks associated with their activities.

5.2.1.2 Plant management shall ensure that their personnel have an adequate understanding and awareness of ICS security, in addition to a general comprehension of the purpose and use of corporate standards and procedures. This can be done through:
a. Interactive presentations: security awareness presentations as part of organization communication meetings on an annual basis.
b. Publishing and distribution: posters, emails, updates, alerts, etc., sent from plant management to their ICS user community.
c. Saudi Aramco departments, such as ISD, the IT Information Protection Awareness Group or Industrial Security, can be contacted for assistance in obtaining awareness material for this purpose.

5.2.2 Training Program

Primary and secondary PAN administrators shall have:

5.2.2.1 Knowledge and experience in plant operations.

5.2.2.2 Successful completion of the PAN administrators C-MAP.

Commentary Note:

The adequacy/relevancy of the C-MAP may be revisited by the plant organization based on a formal risk assessment and a business impact analysis to ensure that their operational requirements are sufficiently fulfilled.

5.3 Obsolescence Management

PAN administrators shall execute the security obsolescence management process upon expiration of ICS third-party support.
Commentary Note:

SAEP-746 and SABP-Z-070 can be used as references.

5.4 Documentation

5.4.1 Administrative

5.4.1.1 Up-to-date procedures relating to change management [such as the change management process and the Operating Instructions Manual (OIM)] shall be documented, approved by the plant manager, communicated to support staff, and effectively implemented.

5.4.1.2 A formal authorization procedure shall be in place by which standardized access request forms are completed, reviewed by the appropriate supervisors based on business and security requirements, approved by the plant operation superintendent, and retained for future reference, in order to grant the requester access to ICS components.

5.4.1.3 Approved access request forms should exist for all types of accounts, including system and application accounts. Manager approval is required for non-plant personnel.

5.4.1.4 A document defining the requirements for retention and archival of security audit logs shall be developed in accordance with the Corporate Data Protection and Retention policy (INT-7).

5.4.2 Technical

5.4.2.1 Up-to-date documentation, including as-built drawings, logical network design, and system architecture, shall be maintained.

5.4.2.2 Up-to-date procedures relating to operational upgrade and patch management for each ICS shall be documented in accordance with ICS vendor recommendations, approved by plant management, communicated to support staff, and effectively implemented.

5.4.2.3 Up-to-date procedures relating to antivirus management shall be documented in accordance with ICS vendor recommendations, approved by plant management, communicated to support staff, and effectively implemented.

5.4.2.4 Up-to-date procedures relating to security monitoring shall be documented, approved by plant management, communicated to support staff, and effectively implemented.

5.4.2.5 The PAN administrators shall perform and retain annual documented reviews of the following:
a. All accounts, to ensure continued legitimacy for business needs and that inactive users are revoked.
b. Firewall filter rules, to ensure accuracy and adequacy.

5.4.2.6 Up-to-date procedures relating to backup, recovery and backup restoration testing for each ICS shall be documented, approved by plant management, communicated to support staff, and effectively implemented.

6 Communication and Configuration Management

This section provides the minimum mandatory security requirements for ICS as related
to asset management, network security, patch management, access control, monitoring,
and malware prevention management.

6.1 Network Security Management

Network security management directives shall be established to deploy, as a minimum, the security controls for a multilayered architecture. In addition, the implemented defense layers must allow only authorized and approved data communication.

6.1.1 Segregation of Networks

6.1.1.1 Ensure physical separation between plant and non-plant networks. The physical separation shall also apply to geographically distributed systems such as OSPAS, Power Systems, and Pipelines Systems.
Commentary Note:

The Corrosion Monitoring System (CMS) can utilize the corporate network provided the CMS infrastructure does not interface with the plant networks and systems.

6.1.1.2 Network segmentation shall be implemented by interconnecting the different automation systems that communicate with each other through a network firewall. Segmentation shall be implemented at the autonomous system level as a minimum.
Commentary Notes:

Network segmentation between different automation systems within the plant may be implemented by utilizing Layer 3 Access Control Lists (ACLs).

Connection of different systems at the controller or I/O card level does not require a firewall.

6.1.1.3 The intent of the physical space requirement is to provide clear equipment identification to prevent unauthorized access, and service segmentation to prevent equipment being serviced unintentionally by another organization or a network interface being bypassed. The table below provides further details on the minimum requirements.

Table 1 - Minimum physical space and network requirements

Physical Space
  Locked cabinet for shared rooms (1): The cabinets shall have identification plates with contact information. Cables shall be tagged and secured.

Network
  In-plant connectivity: Dedicated cables for both primary and backup.
  Remote site connectivity, information and monitoring: Fiber optic strands for primary, and SDH, OTN, or WDM for secondary.
  Remote site connectivity, control: Transmission circuit (i.e., fiber strand, SDH, OTN, or WDM).
Commentary Notes:

a. A locked cabinet may be placed in a corporate communication locked room, or in a 3rd party shared shelter and/or locked room.

b. Remote sites may include any Saudi Aramco automation interface points outside the plant fence.

c. All references to transmission networks such as SDH, OTN or WDM pertain to those owned and operated by Saudi Aramco.

d. Support services that are extended on the same network connectivity infrastructure, such as plant phone service, shall be based on a private VoIP service and shall not connect to the Corporate IP Telephony Network. The connection may be established to the Local Access Gateway (LAG) based on a non-IP interface (i.e., FXO/FXS).

6.1.1.4 Network segmentation for remote sites (e.g., RTUs) shall be implemented by interconnecting them to a firewall at the plant site.

6.1.1.5 ICS can only interface with the corporate network in compliance with SAES-T-566. ICS connection to any other network is not permitted.

6.1.1.6 Static IP addresses shall be used on all networked ICS components.

6.1.1.7 Private IP addresses can be used for internal plant networks and system components such as ICS.
Commentary Note:

Those IP addresses shall not be routed beyond the PAN.

6.1.2 DMZ Security Controls

Commentary Note:

SAES-T-566 can be used as a reference.

6.1.2.1 The fundamental policy for configuring firewalls in plant automation networks shall be “DENY UNLESS SPECIFICALLY PERMITTED”.

6.1.2.2 Plant-to-DMZ firewall(s) shall be configured with Intrusion Prevention functionality operating in detection mode. The signatures must be updated at least every six (6) months.
Commentary Note:

SABP-Z-085 can be used as a reference.

6.1.2.3 Network traffic through the firewall shall be filtered based on source/destination IP addresses and TCP/UDP ports.

6.1.2.4 Blocking of traffic shall be enabled for both inbound and outbound communications.
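What “deny unless specifically permitted” means in practice for the plant/DMZ boundary is easiest to see with a rule base that has only explicit permits and a default drop in both directions, filtering on source/destination address, protocol and port (6.1.2.1, 6.1.2.3, 6.1.2.4), and that additionally refuses to let PAN addresses appear on the far side of the boundary (6.1.1.7 commentary). The model below is an added example, not part of SAEP-99 or SAES-T-566: the PAN and DMZ address ranges, the two permitted flows, the host names and the sample flows are all assumptions made for the illustration, and a real firewall would of course enforce this in its own configuration language rather than in Python.

```python
"""Deny-unless-permitted policy check for the plant/DMZ boundary (added example, not from SAEP-99)."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan; the procedure does not prescribe addresses.
PAN_NET = ipaddress.ip_network("10.10.0.0/16")    # plant automation network, private space (6.1.1.7)
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")    # documentation range standing in for the plant DMZ


@dataclass(frozen=True)
class Rule:
    """One explicit permit. direction is 'out' (PAN -> DMZ) or 'in' (DMZ -> PAN)."""
    direction: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int
    purpose: str


def net(cidr):
    return ipaddress.ip_network(cidr)


# Hypothetical rule base: only these flows are permitted; everything else is dropped.
PERMITS = [
    Rule("out", net("10.10.5.10/32"), net("192.0.2.20/32"), "tcp", 1433, "historian replication to DMZ mirror"),
    Rule("in", net("192.0.2.30/32"), net("10.10.5.50/32"), "tcp", 445, "DMZ patch server to PAN staging share"),
]


def evaluate(direction, src, dst, proto, dport, permits=PERMITS):
    """Return ('permit', purpose) or ('deny', reason) for one flow crossing the boundary."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    plant_side, far_side = (s, d) if direction == "out" else (d, s)
    if plant_side not in PAN_NET:
        return "deny", "plant-side address is not in the PAN"
    if far_side in PAN_NET:
        # A PAN address on the DMZ side is spoofed or leaking: private PAN addresses
        # shall not be routed beyond the PAN (6.1.1.7 commentary).
        return "deny", "PAN address seen beyond the PAN boundary"
    for r in permits:
        if (r.direction == direction and s in r.src and d in r.dst
                and r.proto == proto and r.dport == dport):
            return "permit", r.purpose
    return "deny", "no matching permit (default deny)"


def overly_broad(permits=PERMITS):
    """Flag permits an annual rule review (5.4.2.5.b) should question: any-to-any networks."""
    return [r for r in permits if r.src.prefixlen == 0 or r.dst.prefixlen == 0]


# Constructed flows with the verdict a reviewer expects for each.
SAMPLE_FLOWS = [
    ("out", "10.10.5.10", "192.0.2.20", "tcp", 1433),   # permit: listed historian flow
    ("out", "10.10.5.10", "192.0.2.20", "tcp", 1434),   # deny: same hosts, port not permitted
    ("in", "192.0.2.30", "10.10.5.50", "tcp", 445),     # permit: listed patch staging flow
    ("in", "192.0.2.30", "10.10.5.50", "tcp", 3389),    # deny: RDP across the boundary (6.1.4.1)
    ("in", "10.10.5.99", "10.10.5.50", "tcp", 445),     # deny: PAN source address arriving from outside
    ("out", "10.10.5.10", "8.8.8.8", "udp", 53),        # deny: no egress beyond the DMZ at all
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(*flow))
```

Note that the RDP flow is denied not by a special rule but simply because nothing permits it; that is the property 6.1.2.1 is after, and it is why the annual review in 5.4.2.5.b concentrates on the permit list rather than on the deny rules.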

6.1.3 Network Management

6.1.3.1 Network management shall not utilize insecure protocols to manage ICS infrastructure.

6.1.3.2 A process shall be implemented, in accordance with vendor recommendations, to proactively monitor the performance and availability of ICS equipment, with the following parameters:
a. Utilization of disk space, network connection, memory, and CPU.
b. System event logs (i.e., system faults).
c. Availability (i.e., ping).

6.1.3.3 A client-less centralized proactive monitoring system shall be used to provide both monitoring and alerting functionalities.
Commentary Note:

SABP-T-001 can be used as a reference.

6.1.4 Remote Access Controls

6.1.4.1 Remote access from across the plant/IT firewall is not allowed.

6.1.4.2 RDP can be allowed from within the plant network whenever the minimum security requirements are satisfied.
Commentary Note:

SABP-Z-086 can be used as a reference.

6.2 Assets Management

The asset management controls shall be implemented by identifying and assigning responsibility for all information assets.

6.2.1 Inventory of Assets

6.2.1.1 ICS supporting assets shall be identified and an inventory of these assets shall be maintained; refer to Appendix E for a list of applicable asset types.
Commentary Notes:

An automated inventory collection solution can be used to automate the process of data collection.

ICS vendors shall be consulted when automated inventory collection tools are used.

6.2.1.2 Multiple assets can be grouped if they collectively provide a given service (e.g., PC, monitor, mouse, and keyboard can be grouped together as a workstation).

6.2.1.3 The asset inventory shall be dated and aligned with other plant inventories, if any.

6.2.1.4 An aggregate asset inventory shall be in place summarizing the different categories of assets.
Commentary Note:

The aggregate asset inventory summarizes the different categories of assets and their count; see Appendix D for more details.

6.2.1.5 The inventory shall be reviewed annually to verify that any changes have been reflected in the inventory.

6.2.2 Asset Classification

6.2.2.1 Classification of information is required as per GI-0710.002.

6.2.2.2 Classification of ICS supporting assets shall be determined and documented.

6.2.2.3 Classification of ICS assets shall be determined by the classification of the information processed.

6.2.3 Return of Assets

6.2.3.1 Assets shall be returned upon:
a. Termination of employment,
b. Termination of a third-party user's contract or agreement.
Commentary Note:

This requirement applies when assets are assigned to individuals, such as USB devices, mobile phones, etc.

6.2.3.2 A procedure shall be established to govern the transfer and sanitization of information contained in third-party equipment.

6.3 Identity and Access Control

Identity and access management controls shall be established, documented, and reviewed based on the business and security requirements for granting access. The following requirements shall govern access to plant information systems and network services, and ensure that individual and shared accounts are consistent with the principle of least privilege.

6.3.1 Access Control and Privileges

6.3.1.1 All individual user ID formats should conform to corporate guidelines as highlighted in the Saudi Aramco Information Protection Manual.

6.3.1.2 Users and third-party vendors shall sign statements indicating that they understand the terms and conditions of access.
Commentary Note:

This may be included with the access request forms.

6.3.1.3 All accounts and their associated access level and privileges shall be documented, verified, and reviewed for appropriateness every 12 months.

6.3.1.4 Standard user access profiles should be created for common job roles (e.g., operator, process area supervisor, maintenance engineer/technician, etc.).

6.3.1.5 Individual accounts are mandatory for all roles such as administrators, supervisors, maintenance technicians, operations supervisors, superintendents, and engineers.

6.3.1.6 A temporary privileged access profile shall be created for auditing and assessment purposes. The assessment of systems and network devices shall not be performed with the PAN administrator account.

6.3.1.7 Individual accounts are mandatory, including for operators, in unattended areas such as PIBs. A shared operator account can be used in attended areas such as the central control room, provided that it is not used to administer or perform any privileged action on the system or ICS.

6.3.1.8 The use of privileged accounts shall be limited to system administration, configuration, support, and diagnostics, and not for day-to-day plant operation.

6.3.1.9 PAN administrators shall log into the system with the least-privileged account unless otherwise required.

6.3.1.10 Access to ICS operating systems and devices for security administration purposes shall be restricted to PAN administrators.

6.3.1.11 Access to ICS applications for plant operation and control purposes shall be restricted to plant-authorized operators and operations supervisors.

6.3.1.12 Access to ICS applications for monitoring and diagnostics purposes shall be restricted to authorized engineers and maintenance technicians.

6.3.1.13 Access to ICS applications for configuration purposes shall be restricted to plant-authorized engineers or authorized maintenance technicians.

6.3.1.14 A centralized identity and access management solution such as Active Directory (AD) should be deployed.

6.3.1.15 When a user is being transferred or is leaving the plant, the following shall be fulfilled:
a. The user's access rights shall be adjusted to reflect the new situation.
b. The account shall be locked and retained for a duration of twelve (12) months before permanent deletion.

6.3.1.16 A process shall be documented and in place to notify PAN administrators to modify or revoke access as follows:
a. Within seven (7) days for job/role changes
b. Within three (3) days for termination of employment
c. Immediately for involuntary termination

6.3.2 Password Policy

6.3.2.1 Passwords shall be the minimum authentication methodology.

6.3.2.2 Users shall maintain their own passwords and keep them confidential.

6.3.2.3 Passwords shall be masked on the screen while being entered.

6.3.2.4 Passwords shall not be based on personal information.

6.3.2.5 Passwords shall have a minimum length of eight (8) characters.

6.3.2.6 Systems shall be configured to enforce password uniqueness. A minimum of six (6) unique passwords must be used before a password can be re-used.

6.3.2.7 Systems shall be configured to enforce password complexity rules. A password must contain at least three (3) of the following four characteristics:
a. Lower case characters a-z
b. Upper case characters A-Z
c. Digits 0-9
d. Punctuation characters, e.g., ! @ # $ % ^ & * , etc.

6.3.2.8 Systems should be configured to enforce a ten (10) day password expiration notification.

6.3.2.9 User and system-level administrator account passwords shall be changed as follows:
a. Every six (6) months if the system uses local account management
b. Every three (3) months if the system utilizes centralized account management

6.3.2.10 Shared operator account passwords should be changed manually every 12 months.

6.3.2.11 Service account (including non-interactive) passwords should be changed every 12 months.

6.3.2.12 Accounts shall be locked automatically for a duration of 24 hours after five (5) consecutive failed logon attempts. Service accounts and operator stations in attended areas are exempted from this requirement.

6.3.2.13 The master administrative privileged account and password shall always be stored in a sealed envelope in a safe and made available for immediate retrieval in emergencies.

6.3.2.14 A new set of passwords shall be configured and stored in the envelope once the old seal is broken.

6.3.2.15 A log tracking the expiration and usage of master passwords shall be maintained.

6.3.2.16 All password records (e.g., paper, software file, etc.) shall be avoided unless they are stored securely in a safe and approved by the plant manager. If stored electronically, the file containing the encrypted passwords shall be protected and readable only with a privileged account.

Commentary Note:

Unless otherwise specified, encryption wherever mentioned in this document shall be aligned with NISTIR 7977 as a minimum.

6.3.2.17 Application account credentials should be used through secured channels such as TLS/SSL and shall not be hardcoded within the application.

6.3.2.18 Operator and service accounts shall be excluded from the automatic password change policy.

6.3.2.19 The following shall apply for systems with hardware key authentication:
a. The shift coordinator or his delegated shift supervisor shall be responsible for keeping and issuing the keys.
b. The keys should be restricted to authorized individuals.
c. The use of hardware keys shall be logged.
d. The keys shall be securely stored within the facility and be available after regular working hours.
e. The keys shall only be used for the duration required.
f. Key logs shall be reviewed on an annual basis to ensure that keys are appropriately secured and accounted for.
g. The hardware key shall not be used for administrative purposes.
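The password rules in 6.3.2.4 to 6.3.2.7 and the lockout rule in 6.3.2.12 are usually enforced by the directory or the local security policy, but a PAN administrator auditing a system that has no such policy engine (or checking that one behaves as required) needs to know exactly what "three of four classes", "six unique passwords" and "five consecutive failures" mean at the edges. The following is an added example written for this page, not code from SAEP-99 or from any Saudi Aramco system; the account names, the salt and the sample passwords are constructed, and the PBKDF2 fingerprint stands in for whatever hashing the real credential store uses.

```python
"""Password-policy and lockout checks from 6.3.2 (added example, not from SAEP-99)."""
import hashlib
import hmac
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8            # 6.3.2.5
MIN_CLASSES = 3           # 6.3.2.7: three of the four character classes
HISTORY_DEPTH = 6         # 6.3.2.6
MAX_FAILURES = 5          # 6.3.2.12
LOCKOUT = timedelta(hours=24)

# Illustrative only: a real deployment relies on the OS or directory credential store.
SALT = b"constructed-demo-salt"


def fingerprint(password):
    """Opaque digest kept in the history so old passwords are never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000).hex()


def character_classes(password):
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def validate_password(candidate, history, personal_terms=()):
    """Return the 6.3.2 rules the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("6.3.2.5 minimum length 8")
    if character_classes(candidate) < MIN_CLASSES:
        problems.append("6.3.2.7 needs three of four character classes")
    lowered = candidate.lower()
    if any(term.lower() in lowered for term in personal_terms if term):
        problems.append("6.3.2.4 based on personal information")
    digest = fingerprint(candidate)
    if any(hmac.compare_digest(digest, old) for old in history[-HISTORY_DEPTH:]):
        problems.append("6.3.2.6 reused within last six passwords")
    return problems


@dataclass
class Account:
    name: str
    exempt_from_lockout: bool = False   # service accounts, attended operator stations (6.3.2.12)
    failures: int = 0
    locked_until: datetime = None
    history: list = field(default_factory=list)

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now):
        """Count a failed logon; lock for 24 h after five consecutive failures unless exempt."""
        if self.is_locked(now):
            return True
        self.failures += 1
        if not self.exempt_from_lockout and self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT
            self.failures = 0
            return True
        return False

    def record_success(self):
        self.failures = 0

    def set_password(self, candidate, personal_terms=()):
        """Apply the policy and, if it passes, push the fingerprint onto the history."""
        problems = validate_password(candidate, self.history, personal_terms)
        if not problems:
            self.history = (self.history + [fingerprint(candidate)])[-HISTORY_DEPTH:]
        return problems


def lockout_demo(now=None):
    """Drive the lockout logic once and report what happened."""
    now = now or datetime(2017, 1, 25, 8, 0)
    user = Account("eng01")
    early = [user.record_failure(now) for _ in range(MAX_FAILURES - 1)]
    fifth = user.record_failure(now)
    svc = Account("svc_historian", exempt_from_lockout=True)
    svc_results = [svc.record_failure(now) for _ in range(10)]
    return {
        "locked_before_fifth": any(early),
        "locked_on_fifth": fifth,
        "locked_at_23h": user.is_locked(now + timedelta(hours=23)),
        "locked_at_24h": user.is_locked(now + timedelta(hours=24)),
        "service_account_ever_locked": any(svc_results),
    }
```

Two details matter operationally. The personal-information check needs the terms (name, badge number) to be supplied by the caller, because the system cannot infer them; and the lockout exemption is a deliberate availability trade-off for accounts that keep the plant running (6.3.3.4 makes the same point for critical functions), so those accounts should be compensated by monitoring of failed logons rather than by silently dropping the check.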

6.3.3 Industrial Systems and Field Devices Policy

Identity and access controls shall not prevent the operation of essential functions of sensitive DCS and field devices such as PLCs, IEDs, RTUs, HMIs, etc.

The following controls should not be implemented without consulting the vendor. A risk assessment shall be conducted prior to any implementation to evaluate the applicability and the consequences on business operations.

6.3.3.1 Identification and authentication shall not interfere with plant critical functions.

6.3.3.2 Field devices and industrial systems should be configured to enforce authorization.

6.3.3.3 Field devices and industrial systems should be configured to enforce the principle of least privilege.

6.3.3.4 Accounts used for any critical functions shall not be locked out.

6.3.3.5 Default passwords shall be changed.

6.3.3.6 Hardcoded passwords or access level codes shall be noted, and compensating countermeasures developed and documented.

6.4 Patch Management

The Patch management controls shall be applied to ensure tracking, evaluating,


testing and deploying applicable patches for the plants assets in a timely manner.

6.4.1 Internal procedures for applying patches shall be developed, maintained,


and documented to include but not limited to:
a. Responsibilities for identifying, evaluating, testing and installing
software upgrades and patches.
b. Timely identification of patches and software upgrades when
released by the vendor, such as subscribing to vendor mailing lists
and/or reviewing vendor websites.
c. Evaluation and testing of the applicability of the patch or software
upgrades in consultation with the vendor. Software upgrades and
patches are installed only after they have been tested and certified
by the vendor as being compatible with the ICS software.
d. Defined timeframes for implementation of the patch or update.
e. Rolling out the patch or software upgrade.

6.4.2 PAN administrators shall obtain the latest vendor qualified patch file and
deploy it within six (6) months of release.
Commentary Notes:

Patches can be obtained through the secured Enterprise network either
directly from the vendor or from the Enterprise IT Patch Management
database utilizing a secured removable media.

SAEP-98 can be used as a reference.

6.4.3 PAN administrators shall validate the authenticity of the patch and its
compatibility with the ICS system. The validation shall be offline on a
test machine or non-critical system following the vendor's approved
procedure.
Commentary Note:

In the absence of an offline or a test node, PAN administrators are
encouraged to test the signature update on a non-critical machine or
system.

6.4.4 PAN administrators shall monitor system stability after each patch
deployment for each station and shall be able to roll back if needed.

6.4.5 PAN administrators shall manually upload the applicable/approved
patches into the central patch management server to be transmitted to
ICS.

6.4.6 Network equipment software updates process shall satisfy the same
requirements.

6.4.7 PAN administrators shall be responsible for implementing patches for
non-plant security systems connected to the plant network (i.e.,
compliance monitoring, SIEM, etc.) upon receiving respective updates
from the responsible organization.
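The patch management controls above reduce to a small set of checks per patch: was it vendor certified before installation (6.4.1 c), and was it deployed within six months of release (6.4.2)? The following Python script is an added example, not part of SAEP-99; it classifies a constructed inventory (placeholder station names and patch identifiers, dated as of this issue) so that overdue and uncertified items surface for the PAN administrator. The six-month window is approximated as 183 days, an assumption of this example.

```python
"""Patch-aging check for the patch management controls in 6.4.

Added example, not part of SAEP-99.  The inventory below is constructed;
the station names and patch identifiers are placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# 6.4.2: vendor-qualified patches are deployed within six months of release.
SLA_DAYS = 183  # six months, approximated in days (assumption)


@dataclass
class PatchRecord:
    station: str
    patch_id: str
    released: date            # vendor release date (6.4.1 b)
    vendor_certified: bool    # certified compatible with the ICS software (6.4.1 c)
    deployed: Optional[date] = None


def classify(rec: PatchRecord, today: date) -> str:
    """Classify one record against 6.4.1 and 6.4.2.

    uncertified   - installed without vendor certification (violates 6.4.1 c)
    compliant     - installed within the six-month window
    deployed-late - installed, but after the window closed
    overdue       - not installed and the window has already closed
    pending       - not installed, window still open
    """
    if rec.deployed is not None and not rec.vendor_certified:
        return "uncertified"
    deadline = rec.released + timedelta(days=SLA_DAYS)
    if rec.deployed is None:
        return "overdue" if today > deadline else "pending"
    return "deployed-late" if rec.deployed > deadline else "compliant"


def days_remaining(rec: PatchRecord, today: date) -> int:
    """Days left in the deployment window (negative once it has closed)."""
    return (rec.released + timedelta(days=SLA_DAYS) - today).days


def report(records: List[PatchRecord], today: date) -> Dict[str, List[str]]:
    """Group station:patch identifiers by their compliance state."""
    out: Dict[str, List[str]] = {}
    for rec in records:
        out.setdefault(classify(rec, today), []).append(f"{rec.station}:{rec.patch_id}")
    return out


# Constructed inventory (placeholder stations and patch ids), evaluated as of 25 January 2017.
AS_OF = date(2017, 1, 25)
INVENTORY = [
    PatchRecord("HMI-01", "PATCH-A", date(2016, 1, 10), True, date(2016, 3, 1)),
    PatchRecord("HMI-01", "PATCH-B", date(2016, 1, 10), True, date(2016, 8, 1)),
    PatchRecord("SRV-02", "PATCH-C", date(2016, 6, 1), False),
    PatchRecord("SRV-02", "PATCH-D", date(2016, 12, 1), True),
    PatchRecord("ENG-03", "PATCH-E", date(2016, 10, 1), False, date(2016, 10, 5)),
]

if __name__ == "__main__":
    for state, items in sorted(report(INVENTORY, AS_OF).items()):
        print(f"{state:14s} {', '.join(items)}")
```

The "uncertified" state is checked first because an installed but uncertified patch is the finding that matters most operationally, regardless of how quickly it was applied; a pending patch that is still awaiting vendor certification stays in the "pending"/"overdue" states so that the release clock of 6.4.2 keeps running.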

6.5 Malware Prevention Policy

Saudi Aramco plants' malware prevention controls shall be established,
implemented, and documented to deploy and maintain the applicable detective
and preventive controls to protect against malicious code.

6.5.1 General Guidelines

6.5.1.1 PAN administrators shall prioritize analysis and remediation
actions for cybersecurity alerts or advisories once received
(e.g., from vendor or P&CSD).

6.5.1.2 PAN administrators shall report malware-related incidents as
per SAEP-100.

6.5.2 Antivirus Deployment

6.5.2.1 Plant workstations and servers shall have operational, properly
configured, and up-to-date antivirus software.

6.5.2.2 Latest vendor supported antivirus version shall be deployed.

6.5.2.3 List of systems without antivirus software shall be maintained
and mitigated with sufficient network-level controls.


6.5.2.4 Antivirus software should have a built-in anti-spyware
capability.

6.5.2.5 Centralized management of antivirus software should be
adopted on installations with 10 or more stations.

6.5.2.6 PAN administrators shall conduct an investigation when
antivirus software has been unintentionally disabled.

6.5.3 Antivirus Configuration

6.5.3.1 Antivirus software shall be configured in accordance with ICS
vendor recommendations, including at minimum the following:
- On-Access scanning,
- Full scanning,
- Buffer overflow protection,
- Excluded directories from scanning.

6.5.3.2 Antivirus software shall be programmed to run/initiate upon
startup and/or reboot of workstations and servers.

6.5.4 Antivirus Maintenance

6.5.4.1 Antivirus software shall be updated every six (6) months upon
ICS vendor certification.

6.5.4.2 Authenticity of downloaded updates shall be verified by running
the file(s) through a cryptographic hashing algorithm and
matching the result with the hashes published on the vendor site.

6.5.4.3 Antivirus software quick scan shall be performed immediately
after the installation of any new software patch/update when
operating conditions permit.

6.5.4.4 Workstations and servers shall not be set to auto-apply updates
and/or engine upgrades.

6.5.5 Antivirus Testing and Deployment

6.5.5.1 Engine and signature updates shall be tested, on an offline or a
test node, prior to roll-out.
Commentary Note:

In the absence of an offline or a test node, PAN administrators
are encouraged to test the signature update on a non-critical
machine or system.

6.5.5.2 The testing workstation shall be backed up prior to performing
the update.

6.5.5.3 The testing of an antivirus update shall be performed on
multiple nodes covering the variety of environments at the site.
Commentary Note:

Updates shall be pushed gradually. For example, 3-4 machines
for the first 3 hours, then gradually increase the number as time
lapses.

6.6 Audit Events and Monitoring Management

The events and monitoring controls shall be considered to continuously capture,
monitor, and retain the relevant security events and logs of the plant's
information. In addition, the plants should assure that the logs are centrally
stored, secured, and managed.

6.6.1 Event Generation and Monitoring

6.6.1.1 ICS systems shall have audit policies enabled to generate
events for all access and system activity, and shall produce an audit
event record for the following event types:
a. Security, system and application event log file
b. Successful and unsuccessful access to log file
c. Successful and unsuccessful authentication events
d. Successful and unsuccessful authorization events
e. Successful and unsuccessful resource access events
f. Successful and unsuccessful privileged operations
g. Creation, modification and deletion of system objects
including all user account types, groups, files and directories
h. Creation, modification and deletion of system and security
policies
i. Changes to logical access control authorities (e.g., rights,
permissions)

6.6.1.2 The audit event record shall include, at minimum, the following
information:
a. Timestamp
b. User ID


c. Source / Destination IP address, hostname or application
d. Application or service accessed
e. Resource or complete URL
f. Module / Function accessed
g. Unique action performed (read/update/create/delete)
h. Primary record identifier
i. Data field accessed/updated
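A practical way to apply 6.6.1.2 is to validate exported audit records against the minimum field list before they are forwarded to the SIEM (6.6.2.1) or manually reviewed (6.6.4.2). The Python checker below is an added example, not part of SAEP-99 or any vendor product: the JSON key names are assumed (one per item a. to i.), the sample records are constructed with placeholder hosts and users, and a real export would need a mapping from the vendor's own field names first. It also flags timestamps that are not unambiguous ISO 8601 values, since 6.7.4.2 requires consistent time across ICS components.

```python
"""Checks exported ICS audit records against the minimum fields in 6.6.1.2.

Added example, not part of SAEP-99 or any vendor product.  The JSON key names
and the sample records are constructed; real exports will use the vendor's own
field names and need a mapping step first.
"""
import json
import re
from typing import Dict, List

# Assumed key names, one per item of 6.6.1.2 (a) to (i).
REQUIRED_FIELDS = (
    "timestamp",    # a. Timestamp
    "user_id",      # b. User ID
    "src",          # c. Source IP address, hostname or application
    "dst",          # c. Destination IP address, hostname or application
    "service",      # d. Application or service accessed
    "resource",     # e. Resource or complete URL
    "module",       # f. Module / function accessed
    "action",       # g. Unique action performed
    "record_id",    # h. Primary record identifier
    "data_field",   # i. Data field accessed/updated
)
ALLOWED_ACTIONS = {"read", "update", "create", "delete"}   # 6.6.1.2 g
# Assumed timestamp representation: ISO 8601 with an explicit zone (6.7.4.2).
ISO_8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})$")


def check_record(line: str) -> List[str]:
    """Return a list of findings for one JSON record; an empty list means compliant."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["unparseable"]
    if not isinstance(rec, dict):
        return ["not-an-object"]
    findings = [f"missing:{f}" for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    ts = rec.get("timestamp")
    if isinstance(ts, str) and ts and not ISO_8601.match(ts):
        findings.append("timestamp:not-iso8601")
    action = rec.get("action")
    if action and action not in ALLOWED_ACTIONS:
        findings.append(f"action:unknown:{action}")
    return findings


def audit_export(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line number to findings, omitting compliant records."""
    result: Dict[int, List[str]] = {}
    for n, line in enumerate(lines, 1):
        findings = check_record(line)
        if findings:
            result[n] = findings
    return result


# Constructed sample export (placeholder hosts and users).
SAMPLE_EXPORT = [
    '{"timestamp":"2017-01-25T08:15:02+03:00","user_id":"op1","src":"10.10.1.20",'
    '"dst":"hmi-01","service":"hmi","resource":"/tags/P-101/setpoint","module":"tag-editor",'
    '"action":"update","record_id":"P-101","data_field":"setpoint"}',
    '{"timestamp":"25/01/2017 08:16","src":"10.10.1.20","dst":"hmi-01","service":"hmi",'
    '"resource":"/tags/P-101","module":"tag-editor","action":"read","record_id":"P-101",'
    '"data_field":"pv"}',
    '{"timestamp":"2017-01-25T08:17:40Z","user_id":"eng2","src":"10.10.1.33","dst":"eng-03",'
    '"service":"engineering","resource":"/projects/unit1","module":"download","action":"login",'
    '"record_id":"unit1","data_field":"logic"}',
    'not json at all',
]

if __name__ == "__main__":
    for n, findings in audit_export(SAMPLE_EXPORT).items():
        print(n, findings)
```

Records that fail the check are the ones a monthly manual review (6.6.4.2) cannot reconstruct later, so the finding list is the useful output: the second constructed record lacks a user ID and uses an ambiguous local timestamp, the third reports an action outside the read/update/create/delete set, and the last is not a record at all.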

6.6.2 Log Management Infrastructure and Configuration Policy

6.6.2.1 Generated ICS systems security logs shall be collected and
forwarded to the Saudi Aramco corporate SIEM infrastructure.

6.6.2.2 Generated log data shall be protected from unauthorized access.

6.6.3 Log Management Process

6.6.3.1 Audit logs shall be retained for twelve (12) months.

6.6.3.2 Audit logs shall be classified as "Confidential Information" per
GI-0710.002 and shall be handled accordingly.

6.6.3.3 In the absence of the Saudi Aramco corporate SIEM, audit logs
shall be consolidated and stored centrally.
Commentary Note:

Syslog servers may be used as centralized repositories.

6.6.3.4 Electronic audit logs older than (12) months can be purged.

6.6.3.5 Hardcopy audit logs older than (12) months shall be “securely
destroyed without the possibility of being reconstituted” per
GI-0710.002.

6.6.4 Log Analysis and Reporting

6.6.4.1 All security events from network devices, including those of
critical and emergency severity, shall be examined and monitored.

6.6.4.2 For systems lacking the capability to integrate with the SIEM,
logs must be manually reviewed on a monthly basis.

6.6.5 Industrial Field Devices and Data Diode Considerations

6.6.5.1 Logging for sensitive field devices such as PLCs, IEDs, RTUs,
HMIs shall not adversely affect essential operation functions.

6.6.5.2 The data diode appliance inherently does not support the
forwarding of generated security, performance and availability
information to a third party tool, nor does it have the capability
to store generated performance and security information for the
required retention duration (12 months). Therefore, it is
exempted from third party monitoring, reporting and retention
requirements. (6.1.3.2, 6.6.3.1, 6.6.4.2).

6.7 Configuration Enforcement

The configuration enforcement and hardening controls shall be applied to
continuously reduce the surface of vulnerabilities. The latter is achieved by
removing all non-essential software programs and utilities from the servers and
workstations.

Hardening procedures can be obtained from P&CSD published hardening best
practices (SABPs) in the absence of vendor supplied hardening guidelines.

6.7.1 Hardening Considerations

The hardening controls could prevent the operation of essential functions
of ICS, including DCS and field devices such as PLCs, IEDs, RTUs,
HMIs, etc.

6.7.1.1 The plant shall not implement the controls without consulting
with the vendor.

6.7.1.2 A risk assessment shall be conducted prior to any
implementation to evaluate the applicability and consequences
on the business operations.

6.7.2 Network, System, and Application Hardening

6.7.2.1 Unused or unnecessary services and applications shall be
removed from ICS components.

6.7.2.2 The list of necessary applications shall be obtained from ICS
vendors.

6.7.2.3 Unused physical ports in network devices and firewalls shall be
disabled (i.e., Ethernet, fiber ports).

6.7.2.4 Insecure protocols shall not be allowed. In case of business
requirement, mitigation controls shall be applied.


6.7.2.5 The firewall filter rules must be set to deny all traffic by default
then enable only necessary and approved services.

6.7.2.6 Users are not allowed to make any changes to their system that
will disable or tamper with approved antivirus software or otherwise
prevent the software from performing its intended purpose.
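The difference between 6.7.2.5 (deny all by default, then allow only approved services) and a permissive default is easy to see in a first-match rule evaluator. The Python model below is an added example, not part of SAEP-99 and not tied to any firewall product; the addresses, ports and rule comments are constructed placeholders. It evaluates a constructed plant policy under both defaults and lints the rule set for the insecure services named in Appendix B (FTP, Telnet, SNMP, HTTP), as 6.7.2.4 requires.

```python
"""Firewall rule evaluation for 6.7.2.4 and 6.7.2.5: deny-by-default and no
insecure protocols.

Added example, not part of SAEP-99 and not tied to any firewall product.
The addresses, ports and rule comments are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Well-known ports of the insecure services named in Appendix B.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp"}


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR
    dst: str             # CIDR
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port, None = any
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def matches(rule: Rule, flow: Flow) -> bool:
    return (
        ip_address(flow.src) in ip_network(rule.src)
        and ip_address(flow.dst) in ip_network(rule.dst)
        and rule.proto in ("any", flow.proto)
        and rule.port in (None, flow.port)
    )


def evaluate(rules: List[Rule], flow: Flow, default: str) -> Tuple[str, str]:
    """First-match evaluation; falls through to the policy's default action."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.comment
    return default, "implicit default"


def lint(rules: List[Rule], default: str) -> List[str]:
    """Findings against 6.7.2.4 (insecure protocols) and 6.7.2.5 (deny by default)."""
    findings = []
    if default != "deny":
        findings.append("default action is not deny (6.7.2.5)")
    for i, r in enumerate(rules):
        if r.action == "allow" and r.port in INSECURE_PORTS:
            findings.append(f"rule {i} allows {INSECURE_PORTS[r.port]} (6.7.2.4): {r.comment}")
        if r.action == "allow" and r.port is None and r.proto == "any":
            findings.append(f"rule {i} is an unrestricted allow: {r.comment}")
    return findings


# Constructed plant policy: only approved services, each tied to the control it serves.
APPROVED = [
    Rule("allow", "10.10.1.0/24", "10.10.2.5/32", "udp", 514, "syslog to SIEM collector (6.6.2.1)"),
    Rule("allow", "10.10.1.0/24", "10.10.2.6/32", "udp", 123, "NTP (6.7.4.2)"),
    Rule("allow", "10.10.1.0/24", "10.10.2.7/32", "tcp", 443, "patch server (6.4.5)"),
]
# The same policy with a legacy exception that 6.7.2.4 forbids.
WEAK = APPROVED + [Rule("allow", "10.10.1.0/24", "10.10.3.0/24", "tcp", 23, "legacy telnet to PLC rack")]

SYSLOG = Flow("10.10.1.20", "10.10.2.5", "udp", 514)
TELNET = Flow("10.10.1.20", "10.10.3.15", "tcp", 23)

if __name__ == "__main__":
    print("telnet, default allow:", evaluate(APPROVED, TELNET, "allow"))
    print("telnet, default deny: ", evaluate(APPROVED, TELNET, "deny"))
    for finding in lint(WEAK, "allow"):
        print("finding:", finding)
```

With a permissive default the telnet flow is admitted without any rule having approved it; with deny-by-default the same flow is dropped and the only way to admit it is an explicit rule, which the linter then reports under 6.7.2.4 so that the mitigation controls the clause requires can be recorded against it.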

6.7.3 Identity Access Enforcement

6.7.3.1 Only required accounts are permitted on the systems.

6.7.3.2 Connection/session timeouts shall be configured for all systems
excluding those at operators' consoles. For equipment not
supporting session timeout, the user shall terminate all active
sessions from the equipment when finished.

6.7.3.3 All vendor-supplied default passwords shall be changed
immediately after installation if allowed/supported by the
vendor.

6.7.3.4 Operator accounts shall have a restricted user profile to prevent
them from installing/uninstalling programs, changing software
configuration, or accessing floppy disk drives, CD drives or
ports (e.g., Firewire, USB, Ethernet, Serial, etc.) that enable
communication with computer peripherals (e.g., personal
media players, flash drives, external hard drives, or any other
portable media, etc.).

6.7.3.5 Remote vendor troubleshooting, including dial-up access,
shall be prohibited.

6.7.4 Other Security Considerations

6.7.4.1 Systems capable of displaying a warning banner, upon logon,
shall be configured to display the following text: "This computer
is for company business use only. This system may be
monitored as permitted by law. Unauthorized use may result in
criminal prosecution, termination or other action". For operator
consoles, a printed sticker may alternatively be used.

6.7.4.2 ICS component clocks shall be synchronized to a correct and
consistent time.
Commentary Note:

NTP is one example of time synchronization technology.


7 Physical Security Management

This section provides the minimum mandatory security requirements to ensure critical
or sensitive information processing facilities are physically protected from unauthorized
accesses, damages, and interferences.

7.1 Physical Access

The physical security management controls shall be applied to reduce the risk of
physical misuse, damage or unauthorized access. The critical information and
assets shall be placed in a secure area protected by security perimeters and entry
controls.

7.1.1 General Guidelines

The physical security measures are employed to prevent many types of
undesirable effects, including but not limited to:
a. Unauthorized physical access to restricted locations
b. Physical modification, manipulation, theft or other removal, or
destruction of existing Saudi Aramco plant systems, infrastructure,
communications interfaces, personnel, or physical locations
c. Prevention of unauthorized introduction of new systems,
infrastructure, communications interfaces, or other hardware
d. Prevention of unauthorized introduction of devices intentionally
designed to cause hardware manipulation, or communications
snooping.

7.1.2 Physical Controls

7.1.2.1 Security perimeters around informational assets should be
clearly defined and carefully monitored on a daily basis for
evidence of penetration or tampering attempts.

7.1.2.2 Appropriate entry controls shall be provided at each barrier or
boundary.

7.1.2.3 Procedures should be established for alarming and alerting
when physical security is compromised.

7.1.2.4 Separate physical protections should be in place to protect the
plant's distribution/communication lines from damage,
tampering, eavesdropping or in-transit modification of
unencrypted communications.


7.1.2.5 Visitor access to facilities housing ICS components shall be
authorized and supervised by operations, documented, and
securely maintained with purpose of visit, date, and time of
entry and exit.

7.1.2.6 Physical inventories shall be tagged with tamper-resistant
labels to prevent removal of property.

7.1.2.7 ICS workstations, servers, and network equipment shall be
located in plant controlled facilities such as server rooms.

7.1.2.8 ICS computers and network devices not located in plant
controlled communication or server rooms shall be secured in
locked cabinets with clear labels indicating their functionality.

7.1.2.9 Physical access logs to facilities housing ICS assets shall be
periodically reviewed and revoked when necessary or no
longer required.

7.1.2.10 Plant owned racks or cabinets housing ICS equipment shall
always be locked.

7.2 Data Movement and Sanitization

7.2.1 Ensure that sensitive documents and other media material that are no
longer needed are completely destroyed.

7.2.2 Data on any electronic storage device being disposed, returned to
manufacturer, donated or decommissioned shall be sanitized in
accordance with GI-0299.120.

8 Business Continuity Management

This section sets forth instructions and directives for developing plans and strategies to
enable the business to continue while providing a course of action to recover promptly
from any type of disruption to the business.

8.1 Disaster Recovery Plan

The following are the requirements for Disaster Recovery Planning (DRP) for
Saudi Aramco ICS. For more information, refer to SABP-Z-073.

8.1.1 DRP shall be developed based upon a formal risk assessment or business
impact analysis.

8.1.2 DRP document shall provide instructions on restoring the plant operation
and resuming production promptly without impacting HSE of plants
assets and personnel.

8.1.3 A team within each plant organization shall be established and well
trained to develop, implement, test, use, and maintain the DRP.

8.1.4 Key personnel list shall be clearly identified including plant personnel,
support organizations, and vendors.

8.1.5 DRP shall define the data backup strategy identifying the systems to
backup, files to backup, the storage media, the locations of the storage
and the storage retention.

8.1.6 DRP shall be addressed as part of the overall plant process disaster
response plan.

8.1.7 DRP shall be reviewed, updated, tested, and approved once a year,
documenting such reviews in writing.

8.1.8 If change(s) to ICS infrastructure take place within the annual review
cycle, the DRP shall be reviewed, updated, tested, and approved within
one (1) month after the changes are commissioned. Accordingly, the
new test date should be one year from the last revision.

8.1.9 Testing of the recovery procedure shall be documented. The DRP
document shall be updated to reflect and resolve any new issues arising
during the recovery test.

8.1.10 Testing of the DRP should be done offline in a testing environment
and not on the actual system if the offline systems are available.

8.1.11 A distribution list shall be defined for the DRP and kept up to date.
A process shall exist to ensure DRP is distributed to all authorized
recipients.

8.2 Availability and Backup

8.2.1 An up-to-date backup and restoration procedure shall be developed and
approved by the plant manager. The support staff responsible for backup
and restoration shall be trained to effectively implement the procedure
for all ICS.
Commentary Note:

SABP-Z-047 can be used as a reference.


8.2.2 The procedure shall cover the following for each ICS component:
a. Personnel responsible for performing backups, restoration and
monitoring success or failure if automated
b. Step-by-step instructions to perform a backup and subsequent
restore in accordance with vendor recommendations
c. Restoration testing and maintenance of restoration test results after
performing backups
d. Verification of the success or failure of a particular backup
e. Media library management relating to retention, rotation,
transmittal, labeling, and inventories.

8.2.3 Fully automated data backup operation is highly recommended to avoid
human errors and ensure integrity. However, backup logs need to be
monitored for backup failures.

8.2.4 Backup shall fulfill the following:
a. A minimum of two (2) copy sets,
b. Maximum six (6) months old,
c. The most recent backup and recovery data shall be stored and
maintained at secure locations with one set being at an off-site location,
d. At least one copy of the backup and recovery data on removable
media shall be stored in a safe located outside the plant main gate,
e. All backups shall be stored at a secure location.

8.2.5 Critical ICS components with dynamic data change shall be backed up at
least on weekly basis. The data required for complete backup and
restore shall be archived at least once every six (6) months.

8.2.6 Network devices configuration files shall be backed up every six (6)
months.

8.2.7 Access to backup and recovery data shall be restricted to authorized
personnel.

8.2.8 A logbook shall be maintained at each storage location for the purpose of
monitoring access to the backup media. Entries shall be recorded in the
logbook whenever a media is removed/added from/to the designated
storage location. The logbook shall contain the following:
a. Date and time of removal/addition,


b. Name and badge number of employee responsible for
removing/adding the media,
c. Purpose of removal/addition,
d. Specific data which was removed/added such as number of CDs,
DVDs, tapes,
e. Estimated time the data will be removed from the location,
f. The employee's signature at check-out of data if using hard copy log
book,
g. Date and time when data is returned to the location,
h. The employee's signature when the data is returned to the safe
location if using hard copy log book.

8.2.9 A backup and restoration log shall be maintained for all backup /
restoration operations, covering at least their success or failure state,
date, personnel performing the operation and the media labels used.

8.3 Cyber Security Incident Response

Refer to SAEP-100, Plant's Cyber Security Incident Response, for establishing a
computer security incident response capability.

9 Roles and Responsibilities

To accomplish the aforementioned controls and achieve increased effectiveness in
implementation of SAEP-99 and its subsequent documents, this procedure assigns
ownership of roles and responsibilities to stakeholders and entities within Saudi Aramco
plants.

9.1 Plants Operations/Management

9.1.1 Plant manager shall assume the ownership of all plant assets.

9.1.2 Plant organization shall have at least one qualified primary and one
secondary PAN administrator.
Commentary Note:

Depending on the facility's size and complexity, more PAN administrators
may be required.

9.1.3 Access and privileges to plant systems shall be approved by the plant
management and commensurate with the user’s business roles and
responsibilities.


9.1.4 The plant manager shall be responsible for all ICS assets, throughout
their lifecycle.

9.1.5 Assets can conveniently be grouped for a particular service and assigned
to a service owner. The service owner retains the accountability to
deliver the service and operate the assets.

9.1.6 The plant organization is responsible for developing a DRP that covers
all ICS installed in the plant.

9.1.7 The plant management is responsible for approving the DRP.

9.2 PAN Administrators

9.2.1 PAN administrators are responsible to implement the instructions
specified in this procedure and its subsequent documents and to assume
the security administration of all ICS systems.

9.2.2 PAN administrators shall obtain a prior approval from Admin Area
compliance entity for any firewall rules change.

9.2.3 PAN administrators shall create and maintain the accuracy of the PAN
administrator email distribution lists relevant to their plants.

9.2.4 PAN administrators shall be responsible for reporting of security
incidents.

9.2.5 PAN administrators shall be responsible for ensuring the authenticity and
integrity of any software or instructions, through a cryptographic hashing
algorithm, prior to deployment onto ICS.
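Both 6.5.4.2 (antivirus updates) and 9.2.5 above require the same check: hash the downloaded file and match the digest against the value the vendor publishes. The Python script below is an added example, not part of SAEP-99 or any vendor tooling. It assumes the vendor publishes digests in the sha256sum line format ("<hex digest>  <file name>"), reads files in chunks so that large patch bundles are handled, compares in constant time, and builds its sample download directory (one intact file, one altered in transit, one absent) in a temporary folder so it runs offline. The "published" digest used is the standard SHA-256 test vector for the bytes "abc".

```python
"""Verify a downloaded patch or signature file against the vendor-published
digest (6.5.4.2 and 9.2.5).

Added example, not part of SAEP-99 or any vendor tooling.  The manifest
format (one '<hex digest>  <file name>' line per file, as produced by
sha256sum) and the file names are assumptions; the sample files are
constructed in a temporary directory so the example runs offline.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Union

CHUNK = 1 << 20  # read 1 MiB at a time so large patch bundles need not fit in memory


def file_digest(path: str, algo: str = "sha256") -> str:
    """Hex digest of a file, computed in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>')."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if name and digest:
            entries[name] = digest.lower()
    return entries


def verify_download_dir(dirpath: str, manifest_text: str,
                        algo: str = "sha256") -> Dict[str, Union[bool, str]]:
    """For each manifest entry: True (digest matches), False (mismatch) or 'missing'."""
    results: Dict[str, Union[bool, str]] = {}
    for name, published in parse_manifest(manifest_text).items():
        path = os.path.join(dirpath, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        # Constant-time comparison.  The published digest must be taken from the
        # vendor's site, not from a manifest carried on the same removable media.
        results[name] = hmac.compare_digest(file_digest(path, algo), published)
    return results


# SHA-256 of the three bytes b"abc" (standard test vector), used as the "published" digest.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo() -> Dict[str, Union[bool, str]]:
    """Build a constructed download directory: one intact file, one tampered, one absent."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "patch.bin"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(d, "patch_tampered.bin"), "wb") as f:
            f.write(b"abd")   # one byte changed in transit
        manifest = (
            "# constructed vendor manifest\n"
            f"{SHA256_ABC}  patch.bin\n"
            f"{SHA256_ABC}  patch_tampered.bin\n"
            f"{SHA256_ABC}  missing.bin\n"
        )
        return verify_download_dir(d, manifest)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {ok}")
```

A single changed byte produces an entirely different digest, which is the property the clause relies on; the check is only as strong as the channel the published digest arrived through, so the manifest is compared against values retrieved from the vendor site over the secured Enterprise network (6.4.2 commentary), not against a digest file that travelled with the patch.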

9.2.6 A risk assessment study, when required, must be independent and
initiated by the PAN administrator. ISD approval shall be obtained prior to
third party risk assessment studies. The ICS vendor must accordingly be
consulted before implementing any change or modification to ICS to
ensure that the subject change doesn't introduce any impact to plant
operations.

9.3 Other Saudi Aramco Users

This section pertains to other Saudi Aramco users such as Engineering Services,
Auditing, IT, etc.

9.3.1 Plant users shall sign statements indicating that they understand the
terms and conditions of access.


9.3.2 All other Saudi Aramco employees requiring temporary access to any
plant systems shall sign a liability agreement (refer to Appendix F).

9.4 Contractors and Third Party Vendors

9.4.1 PAN administrators shall ensure that contractors and third-party
organizations support the implementation of information security across
Saudi Aramco plants.

9.4.2 PAN administrators shall ensure that the contracts and other agreements
between the Saudi Aramco plants and contractors or third party
organizations be aligned with this procedure and its subsequent
documents.

9.4.3 PAN administrators shall ensure that contractors, vendors, and third-party
organizations comply with the procurement requirement of the ICS.
Commentary Note:

SABP-Z-072 can be used as a reference.

9.4.4 PAN administrators shall ensure that contractors, vendors and third party
organizations requiring temporary access to any plant systems sign a
liability agreement (refer to Appendix F).

9.5 Delegation of Responsibility

9.5.1 The owner of an asset can delegate tasks to a custodian to perform a
certain task but the ultimate responsibility remains with the owner.

9.5.2 The plant manager may elect to delegate some of his authorities to other
personnel in his organization, provided that such delegation is documented.

9.5.3 Any delegation of support and management responsibility must be
approved by the plant manager through a Service Level Agreement (SLA).

Revision Summary
27 April 2014 Major revision to reflect BIT mandates.
6 November 2014 Editorial revision to transfer this engineering document from Communications Standards
Committee to be under the newly established Plants Networks Standards Committee.
27 April 2014 Major revision to reflect BIT mandates.
15 October 2015 Major revision to reflect Audit IS2105-426 observations.
25 January 2017 Major revision to complete restructure and align with the relevant international standards.
Revision is required due to:
- Cyber security challenges evolving
- Align with the International Standards new requirements
- Align with Company directions (i.e., BIT, CISO, ERM)


Appendix A - Acronyms
ACL Access Control List
AD Active Directory
AV Antivirus
DCS Distributed Control System
DHCP Dynamic Host Configuration Protocol
DRP Disaster Recovery Planning
ESD Emergency Shutdown Systems
HMI Human-Machine Interface
HSE Health, Safety, and Environment
FTP File Transfer Protocol
ICS Industrial Control System
IED Intelligent Electronic Device
IOS Internetwork Operating System
IPS Intrusion Prevention System
ISD Information Security Department
NDA Non-Disclosure Agreement
NIST National Institute of Standards and Technology
NTP Network Time Protocol
PAN Process Automation Network (also: Plant Information Network)
PIB Process Interface Buildings
PCN Process Control Network
PCS Process Control Systems
P&CSD Process & Control Systems Department
PLC Programmable Logic Controller
PMS Power Monitoring System
RDP/TSE Remote Desktop Protocol/Terminal Services
RTU Remote Terminal Unit (also Remote Telemetry Unit)
SABP Saudi Aramco Best Practice
SCADA Supervisory Control and Data Acquisition
SDH Synchronous Digital Hierarchy
SIEM Security Information and Event Management
SLA Service Level Agreement
SOC Security Operation Center
SSH Secure Shell
SNMP Simple Network Management Protocol
TCP/IP Transmission Control Protocol/Internet Protocol
TLS/SSL Transport Layer Security/Secure Sockets Layer
TMS Terminal Management System
USB Universal Serial Bus
VLAN Virtual Local Area Network
VMS Vibration Monitoring System
VPN Virtual Private Network
WAN Wide Area Network


Appendix B - Definitions

Access Control: Means of controlling and regulating access to computing resources and
information.

Asset: An asset is anything that has value to the organization and which therefore requires
protection. Bear in mind that a plant system consists of more than just hardware and software.

Authentication: The process of verifying a user through a code such as a password.

Authorization: A right or a permission that is granted to an entity to access a system or a
resource.

Autonomous System: Refers to a single system such as DCS, SCADA, CCTV, TMS,
PMS, etc. Autonomous in this context means a collection of devices that are interconnected to
form a unified system serving as a single application.

Backup: A data image stored separately from the original, for use if the original becomes lost
or damaged.

CoGen: Supplementary Power generation facilities, normally operated by a third party.

Confidentiality: The process of ensuring that information is not disclosed to unauthorized
individuals, processes, or devices.

Configuration Baseline: A system configuration that has been approved at a point in time and
should be changed only through a formal change control procedure. The configuration baseline
can be used as basis for future changes.

Data Diode: It is a simple modified fiber optic cable, with send and receive transceivers
removed for one direction.

Firewall: An inter-network connection device that controls data communication traffic
between two or more connected networks.

Hardware Key: A physical key or dongle that is used to regulate access to a system or an
application.

Industrial Control System (ICS): Integrated system which is used to automate, monitor
and/or control an operating facility (e.g., plant process units). The ICS consists of operating
area automation systems and their related auxiliary systems which are connected together at the
PCN and PAN level to form a single integrated system.

Integrity: The process of ensuring data accuracy and authenticity.


Insecure Protocols: Any protocol or service that introduces security concerns due to the lack
of controls over confidentiality and/or availability and/or integrity. Examples of insecure
services include, but are not limited to, FTP, Telnet, SNMP, and HTTP.

Logs: Files or prints of information in chronological order.

Master Passwords: Primary administrative privileged account password with highest
privilege access associated with the built-in system accounts such as Administrator, Root,
Admin, etc. Such passwords are usually kept with the shift superintendent in a sealed envelope to be
used in the case of emergencies.

Non-Disclosure Agreement: A contract that restricts the disclosure of confidential
information or proprietary knowledge under specific circumstances.

Operator Account: The account used by the plant operator to access the system, characterized
by a restricted profile with least access rights.

PAN: A plant wide network interconnecting Process Control Networks (PCN) and provides an
interface to the WAN. A PAN does not include proprietary process control networks provided
as part of a vendor's standard process control system.

PAN Administrator: A system administrator that performs day-to-day maintenance
activities on the PAN devices (e.g., administration, configuration, upgrade, monitoring, etc.).
The administrator also performs additional functions such as granting, revoking, and tracking
access privileges for ICS operating systems and applications.

Password: Sequence of characters (letters, numbers, symbols) used as a secret key for
accessing a computer system or network.

Plant Main Gate(s): Physically restricted access points through perimeter security fencing
into Saudi Aramco process facilities. Such points, when manned, are typically controlled by
Saudi Aramco Industrial Security Operations (ISO) organizations via identification, privilege
validation and logging. While both manual and electronic procedures are still in use, the use
of electronic ID card readers has become the prevalent methodology.

Primary Assets: Assets whose compromise would, in any way, hinder the organization from
accomplishing its business objective(s): information and core business processes.

Privileged Account: Accounts exhibiting authoritative capabilities to fully manipulate system
and network resources.

Process Control Network (PCN): A proprietary process control network provided as part of
a vendor's standard process control system.


Remote Access: The ability of a user to connect to a network asset (system, device or
application) from a distant location. When connected, the user can monitor or manipulate the
configuration to modify or update the asset's capabilities.

Security Baseline: A security implementation document that is usually produced by the
system or application developer. The document consists of security configurations for a
particular system that enable it to perform only its intended duties. The document may consist of
settings for services, registry and file permissions, network ports, authentication protocols, etc.

Secure Room: A room within the plant premises, e.g., a CCR or server room, where physical
security controls such as access identification, authorization, and logging are applied.

Security Awareness: A formal training process for educating employees about computer
security. It explains proper rules of behavior for the use of plants systems and information.

Separation (Logical): Logical separation is indicated by the virtual isolation of network assets
by means of multiplexing or the use of software emulation technologies such as VLAN, VPN
or SDH dedicated circuits.

Separation (Physical): Physical separation is indicated by the comprehensive isolation of
network assets such as switches, media and housing cabinets, to achieve the highest level of
security.

Server: A dedicated, unmanned data provider.

Service Account: An account used by a process running on a computer operating system in a
non-interactive mode.

Service Level Agreement (SLA): A contract between a service provider and a customer that
details the nature, quality, and scope of the service to be provided.

Shared Operator Account: Plant operator account that is shared between operators due to a
system limitation, vendor practice or operational requirements.

Supporting Assets: Assets servicing primary assets; typically include: hardware, software,
network, and personnel.

User Account: An established relationship between a user and a computer, network, or
information service such as operating system and applications.

Vulnerability: A flaw or weakness in a system's design, implementation, operation or
management that could be exploited to violate the system's integrity or security policy.


Appendix C - SAEP-99 Mapping to International Standards

Domain | SAEP-99 | Informative References

General Policy Management

- Saudi Aramco plants risk tolerances and assumptions are established and used to support operational risk decisions. | SAEP-707 Risk Management Procedure | IEC 62443-2-1:2009 4.2.3, 4.3.4.2; NIST SP 800-53 Rev. 4 PM-9; NIST SP 800-82: 6.2.14
- Saudi Aramco plants comprehensive documentation including procedures, manuals, best practices, guidelines, network diagrams is designed, established, and maintained up to date. | Section 5.4 Documentation | ISO 27001:2013 A.10.7.4, A.15.1.3; NIST SP 800-53 SA-5
- Saudi Aramco plants personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties. | Section 5.2 Awareness and Training | IEC 62443-2-1:2009 4.3.2.4; ISO 27001:2013 A.7.2.2; NIST SP 800-53 AT-2, PM-13; NIST SP 800-82: 6.2.2

Communication and Configuration Management

- The data, devices, systems, and facilities that enable Saudi Aramco plants to achieve business purposes are identified and managed consistent with their relative importance to business. | Section 6.2 Asset Management | IEC 62443-2-1:2009 4.2.3.4, 4.2.3.6; IEC 62443-3-3:2013 SR 7.8; ISO 27001:2013 A.8.1.1, A.8.1.2, A.8.2.1; NIST SP 800-53 CM-8, CP-2, RA-2, SA-14; NIST SP 800-82: 4.5.1,
- Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities. | Section 6.3 Identity and Access Control | IEC 62443-2-1:2009 4.3.3.5.1; IEC 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9; ISO 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 AC-2, IA Family; NIST SP 800-82: 6.2.7
- Saudi Aramco plants procedure is established to define and prioritize systems and assets Patch Management Process with vendor pre-approved patches. | Section 6.4 Patch Management | IEC 62443-2-1:2009 A.3.4.2.5.2; IEC 62443-3-1:2009 8.2.4.3, 8.2.4.4,; NIST SP 800-82: 6.2.17.3
- The system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. | Section 6.6 Events and Monitoring | IEC 62443-3-3:2013 SR 2.8, SR 2.11, SR 6.1, SR 6.2; ISO 27001:2013 A.10.10.2, A.13.1.1, A.13.1.2; NIST SP 800-53 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4; NIST SP 800-82: 6.1.6
- Network integrity is protected, incorporating network segregation where appropriate. | Section 6.1 Network Security Management | IEC 62443-2-1:2009 4.3.3.4; IEC 62443-3-3:2013 SR 3.1, SR 3.8, SR 5.1; ISO 27001:2013 A.13.1.1, A.13.1.3, A.13.2.0031; NIST SP 800-53 AC-4, SC-7; NIST SP 800-82: 5.5
- Use of antivirus and antimalware filtering software reduces the opportunities for malicious code to do damage, and lowers the number of incidents. | Section 6.5 Malware Prevention Policy | IEC 62443-2-1:2009 4.3.4.3.8; IEC 62443-3-3:2013 SR 3.2; ISO 27001:2013 A.10.4.1; NIST SP 800-53 AC-19, AT-2, SA-8, SC-2, SC-3, SC-7, SC-14, SI-3, SI-7; NIST SP 800-82: 6.2.17.1

Physical Security Management

- Policy and regulations regarding the environment physical security are met. | Section 7 Physical Security Management | IEC 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8; ISO 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3; NIST SP 800-53 PE-1 to PE-14; NIST SP 800-82: 6.2.10, 6.2.11, 6.2.13

Business (Service) Continuity Management

- Policy, procedures, processes and responsibilities regarding service continuity and response plans are managed and maintained. | Section 8 Business Continuity Management | IEC 62443-2-1:2009 4.3.2.5, 4.3.4.5.1; IEC 62443-3-3:2009 SR 7.3; ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2; NIST SP 800-53 CP-2, IR-8; NIST SP 800-82: 6.2.6.1, 6.2.6, 6.2.8

Roles and Responsibilities

- Definition of the appropriate roles and responsibilities. | Section 9 Roles and Responsibilities | IEC 62443-2-1: 4.3.2.6, 4.3.2.3.3; ISO 27001:2013 A.5.1.1, A.6.1.1; NIST SP 800-53 AC-21, PM-1, PS-7; NIST SP 800-82: 4, 6.2


Appendix D - Sample Aggregate Inventory List

ICS Networks and Systems Data Collection Sheet
Admin Area: _______________________________________
Site: _______________________________________
Operating Area: _______________________________________
PAN Admin: _______________________________________ Phone: ______________
Area IT Contact: _______________________________________ Phone: ______________
Last Updated: _______________________________________

Data Collection Method:
☐ Manual entry ☐ Asset inventory solution ☐ Compliance solution
☐ Other: _____________________
Please answer the following questions (Y/N):
Is the PAN currently interfaced to the corporate network? ________
Is the PAN remotely accessed from outside the plant? ________
Is the data diode currently installed, configured and operational? ________
Process control domain
_________________ Total number of IP addressable nodes.
_________________ Number of IP addressable nodes to be accessed from outside the plant.
_________________ Number of concurrent connections from IT LAN to the PAN.
_________________ Total number of connections to the PAN.
_________________ Number of concurrent users inside ICS.
_________________ Number of concurrent users outside the plant requiring access to the PAN.
IP Addressing
☐ DHCP ☐ Public addresses used
☐ Static ☐ Private addresses used
☐ Network Address Translation (NAT)

_________________ Total number of workstations
_________________ Total number of servers
Workstations/Server vendors:
☐ Dell Inc. ☐ Hewlett-Packard ☐ IBM
☐ MSI ☐ Toshiba ☐ Fujitsu
☐ IOMega (storage) ☐ Stratus ☐ MicroNet (Storage)
☐ Kontron ☐ Sun ☐ Other: (Specify) ________________________
________________________
________________________


Operating Systems used:
☐ Windows 8 ☐ Windows 7 ☐ Windows Vista
☐ Windows XP (x64) ☐ Windows XP (x86) ☐ Windows 2000
☐ Windows NT 4.0 ☐ Windows ME ☐ Windows 98
☐ Windows 95 ☐ Other: (Specify) ________________________
☐ Unix (Specify) ☐ Linux (Specify) ________________________
________________________
Server versions:
☐ Windows Server 2012 R2 ☐ Windows Server 2012 ☐ Windows Server 2008 R2
☐ Windows Server 2008 ☐ Windows Server 2003 R2 ☐ Windows Server 2003
☐ Windows 2000 ☐Other: (Specify) _______________________
________________________
________________________
Service packs currently installed (if any):
______________________________________ ______________________________________
______________________________________ ______________________________________
______________________________________ ______________________________________
______________________________________ ______________________________________

Network Devices
What network security measures are put in place? (E.g., Firewalls, Routers, IPS, IDS, VLANs, etc.)
________________________ ________________________ ________________________
________________________ ________________________ ________________________
_________________ Total Number of unmanaged L2 Switches
_________________ Total Number of managed L2 Switches
_________________ Total number of managed L3 switches
_________________ Total number of routers
_________________ Total number of firewalls
Switches, Routers and Firewalls vendors:
☐ Cisco Systems ☐ Alcatel-Lucent ☐ Juniper Networks
☐ Hewlett-Packard ☐ Huawei ☐ Moxa
☐ Hirschmann ☐ Black Box ☐ Omnitron
☐ Allied Telesis ☐ 3COM ☐ Harting
☐ Siemens ☐Enterasys ☐ TRENDnet
☐ ABB ☐ADC Megabit (Modem) ☐Fujitsu
☐ Digi Systems ☐ EtherWAN ☐ LANTRONIX
☐ NetGear ☐ Linksys (Cisco) ☐ LinkPro
☐ Allied Telesyn ☐ Other: (Specify) ________________________
________________________
________________________


ICS Platforms
_________________ Number of Automation platforms
Automation System type(s) ________________ ________________ ________________
________________ ________________ ________________
________________ ________________ ________________
________________ ________________ ________________
Automation System vendor(s) ________________ ________________ ________________
________________ ________________ ________________
Operator consoles and HMI devices
_________________ Number of operator consoles
Operator console vendor(s) ________________ ________________ ________________
Model(s) ________________ ________________ ________________
HMI Operating System(s) ________________ ________________ ________________
Application Nodes (Select all that apply)
☐ Process management and control server ☐ SCADA
☐ Engineering workstation ☐ OPC Scan node
☐ OPC Server ☐ PRM
Others: (Specify) _______________________ _______________________
_______________________ _______________________
_______________________ _______________________
_______________________ _______________________

Operating System Install-base
Count Operating System
____________________ Total number of install base for ____________________
____________________ Total number of install base for ____________________
____________________ Total number of install base for ____________________
____________________ Total number of install base for ____________________
____________________ Total number of install base for ____________________
____________________ Total number of install base for ____________________

Cyber Security
O.S patches, DAT file updates,
Network Security Support?
☐ Site support ☐ Internal (company-provided) ☐ External (Third-party)
Up-to-date simple network topology map is available?
☐ Yes ☐ No If yes, date completed: ______________
Up-to-date detailed network topology map is available?
☐ Yes ☐ No If yes, date completed: ______________
Security Office audit completed?
☐ Yes ☐ No If yes, date completed: ______________


Risk assessment completed?
☐ Yes ☐ No If yes, date completed: ______________

Obsolescence
Network Devices Tracking Form x.x
Count Brand/Model Network Device Type Software Revision

Automation System Type Vendor Model/Revision #

Common Components of an ICS
- DCSs and associated devices
- SCADA systems and associated devices
- PLCs and associated devices
- HMI stations
- SIS and associated devices
- Process information management systems (PIMS)
- Special-purpose computers
- Industrial automation control modeling systems
- Expert systems
- Analyzers
- Gauging systems
- Electrical power monitoring and/or management systems
- Program development computers
- Communication systems with remote devices
- Batch systems
- Remote telemetry systems
- Network communication gateways
- Network protection devices


Appendix E - Supporting Assets

1. Hardware
Any physical element supporting a primary asset falls under the hardware category:
a. Data processing equipment (active)
b. Transportable equipment (e.g., laptops, PDAs)
c. Fixed equipment used on the company's premises such as servers or workstations
d. Processing peripherals are equipment connected to a communication port
(e.g., serial, parallel) for entering, conveying or transmitting data. Examples
include printers, removable disk drives, etc.
e. Passive data medium used for storing data
f. Electronic medium connected to a computer/computer network for data storage
such as floppy disc, CD ROM, back-up cartridge, removable hard disc, memory
key, tape
g. Static, non-electronic media containing data such as plant documentation

2. Software
a. Operating system
b. Service, maintenance or administration software
c. Standard, off-the-shelf software
d. Business application, whether it is a standard or a custom one

3. Network
a. Communication media and equipment. Examples include PSTN, Ethernet,
ADSL, Wi-Fi 802.11, Bluetooth, etc.
b. Passive or active relay such as bridges, routers, hubs, switches, automatic
exchange
c. Communication interface such as Network Interface Card (NIC), General Packet
Radio Service (GPRS)


Appendix F - Non-Disclosure, Confidentiality and Liability Agreement

Terms and Conditions

Saudi Aramco plants ("The Plant") occasionally provide Vendors ("Vendor") or Non-Plant Saudi
Aramco employees access to sensitive computing equipment (servers, workstations, DCS, switches)
located on-site in the facility. This access is typically provided to:

- Third Party Vendor who has a Service Contract or Agreement with the plant;
- Non-Plant Saudi Aramco employee from a department who has to provide engineering /
technical consulting service to the Plant.
The following Terms and Conditions must be agreed to in writing by the Vendor / Non-Plant Saudi
Aramco employee and approved by the Plant Manager or Superintendent.
Acceptable Uses

The access to the plant computing equipment shall satisfy the following:
(1) The access is granted to the undersigned only;
(2) The access credentials (username and password) are temporary and granted only for the duration of
the assignment;
(3) The access credential shall satisfy the SAEP-99 – 6.3.2 requirements;
(4) The undersigned shall not allow another person to use his temporary access;
(5) The access is granted solely for the purpose of:
- Scheduled troubleshooting;
- System / network maintenance;
- Updates or upgrade to the plant computing equipment (Hardware, Operation System,
application, software ...);
- Computing equipment configuration technical review;
- Annual IT auditing / risk assessment;
- Security and compliance technical review.
Prohibited Uses

It is prohibited to use the granted temporary access to the plant computing equipment to
perform the following (including, but not limited to):
(1) Unauthorized use of the temporary account for duplicating, deleting, or modifying electronic
materials;
(2) Intentional damage to hardware, software, network equipment, security devices, or other
technology resources;
(3) Intentional creation or distribution of viruses, worms or other forms of electronic malware;
(4) Unauthorized copying of plant data (refer to Scope of Data);
(5) Unauthorized installation and use of non-approved applications, software or other related
computer scripts.


Scope of Data

Data used and stored by the Plant may contain "Restricted, Highly-Sensitive, Confidential, etc."
information, which includes (but is not limited to):
- Computing equipment configurations and logs;
- PI systems configuration and databases;
- Backup data;
- Any classified information defined by Saudi Aramco General Instructions GI-0710.002.
Verification and Monitoring of Work

All work performed by the Vendor/Non-Plant Saudi Aramco Employee while connected to the plant
computing equipment shall be monitored by the plant administrator or any technical staff member.

Limitation of Liability

The undersigned (Vendor/Non-Plant Saudi Aramco employee) shall be liable for any direct, indirect,
incidental or consequential damages pertaining to the temporary access given, whether foreseeable or
unforeseeable, based on claims (including, but not limited to, claims for failure to provide services,
mistakes, omissions, business interruptions, deletion or corruption of files, errors, or defects) arising out
of or in any way connected with the temporary access granted.
Acknowledgement

I have read and understand the statements presented in the above “Non-disclosure, Confidentiality, and
Liability Agreement” regarding my permitted and potential/inadvertent access to confidential or
sensitive information or data;
(1) I agree with these stated responsibilities;
(2) I understand that misuse of confidential or sensitive information or data, whether intentional or
due to neglect on my part, is a breach of Saudi Aramco plant security policy and grounds for
corrective action which may include my dismissal, the termination of access to plant computer
and network resources, or the termination of a contractual agreement and may subject me to
possible civil and/or criminal legal action.

Agreed to on the ______ day of ________________________, in the year __________, by:


Signed By VENDOR / NON-PLANT SAUDI ARAMCO EMPLOYEE:
___________________________ ____________
Signature Date
__________________________________________
Print Name
__________________________________________
Title

Signed By SAUDI ARAMCO PLANT MANAGEMENT:
___________________________ ____________
Signature Date
__________________________________________
Print Name
__________________________________________
Title
