Best Practice

SABP-Z-057 4 May 2015

Network Devices Hardening Guide – 3COM Switches
Document Responsibility: Plants Networks Standards Committee

Saudi Aramco DeskTop Standards

Table of Contents

1 Introduction……………………............................ 2
2 Conflicts with Mandatory Standards................... 2
3 References......................................................... 2
4 Definitions........................................................... 3
5 Account & passwords Policies............................ 5
6 Services and applications settings.....................11
7 Hardening controls.............................................12
8 Logs and Auditing............................................. 13

Previous Issue: New Next Planned Update: 4 May 2020

Page 1 of 14
Primary contact: Ouchn, Nabil J (ouchnnj) on +966-3-8801365

Copyright©Saudi Aramco 2015. All rights reserved.

Document Responsibility: Plants Networks Standards Committee SABP-Z-057
Issue Date: 4 May 2015 Network Devices Hardening
Next Planned Update: 4 May 2020 Guide – 3COM Switches

1 Introduction
1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology to implement advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff for the purpose of prompt risk
mitigation and overall adherence to company’s cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and / or technicians working as Process Automation Network
(PAN) Administrators.
1.2 Scope
This best practice defines the methodology to harden the 3COM Switches
configurations settings, which might require software / hardware to ensure
“secure configuration” as per SAEP-99 “Process Automation Networks and
Systems Security” procedure.
This implementation of this best practice shall satisfy the audit requirement for
the BIT recommendations and can be assessed using “Performing Security
Compliance Assessment Manual”
1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by
vendor and / or consulting agent for the implementation of security
configurations by the PAN administrator(s), and shall not be considered
“exclusive” to provide “comprehensive” compliance to SAEP-99 or any other
Saudi Aramco Engineering’s standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) from
their responsibility or duties to confirm and verify the accuracy of any
information presented herein and the thorough coordination with respective
control system steering committee chairman and vendor.

2 Conflicts with Mandatory Standards

In the event of a conflict between this Best Practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.
3 References
Specific sections of the following documents are referenced within the body of the
document. Material or equipment supplied to this best practice, shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.

Page 2 of 14
Document Responsibility: Plants Networks Standards Committee SABP-Z-057
Issue Date: 4 May 2015 Network Devices Hardening
Next Planned Update: 4 May 2020 Guide – 3COM Switches

 Saudi Aramco References

Saudi Aramco Engineering Procedures
SAEP-99 Process Automation Networks and Systems
Security
SAEP-302 Instructions for Obtaining a Waiver of a
Mandatory Saudi Aramco Engineering
Requirement
Saudi Aramco Engineering Standards
SAES-Z-001 Process Control Systems
SAES-Z-010 Process Automation Networks
General Instruction
GI-0710.002 Classification of Sensitive Information

4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
DCS - Distributed Control System
ESD - Emergency Shutdown Systems
IP - Internet Protocol
ISA - The International Society of Automation
PCS - Process Control Systems
PAN - Process Automation Network
PMS - Power Monitoring System
SCADA - Supervisory Control and Data Acquisition
IP - Internet Protocol
TMS - Terminal Management System
VMS - Vibration Monitoring System
4.2 Abbreviations
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. When humans have
assets that are worth to be protected, the authentication always exists. The initial
step in protecting systems and information is authentication that identifies who.

Page 3 of 14
Document Responsibility: Plants Networks Standards Committee SABP-Z-057
Issue Date: 4 May 2015 Network Devices Hardening
Next Planned Update: 4 May 2020 Guide – 3COM Switches

Process Automation Systems (PAS): PAS include Networks and Systems

hardware and software such as Process Automation Network (PAN), Distributed
Control Systems (DCSs), Emergency Shutdown Systems (ESD), Programmable
Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA)
systems, Terminal Management Systems (TMS), networked electronic sensing
systems, and monitoring (such as VMS AND PMS), diagnostic, and related
industrial automation and control systems. PAS also include associated internal,
human, network, or machine interfaces used to provide control, safety,
maintenance, quality assurance, and other process operations functionalities to
continuous, batch, discrete, and combined processes.
Logs: Files or prints of information in chronological order.
PAN: Process Automation Network, or sometimes referred to as Plant
Information Network (PIN), is a plant-wide network (switches, routers,
firewalls, computers, etc. interconnecting process control system and provides
an interface to the corporate network. PAN Administrator: Process Automation
Networks (PAN) Administrator administers and performs system configuration
and monitoring and coordinating with Process Control System Administrator, if
different, as designated by the plant management. The PAN Administrator
assumes the ownership of the IA&CS including the PAN Firewall and has the
function of granting, revoking, and tracking access privileges and
communications of users on ICS including the Firewall.
Password: A form of secret authentication data that is used to control access to
a resource. Password authentication determines authenticity based on testing for
a device or a user that is requesting access to systems using for example a
personal identification number (PIN) or password. Password authentication
scheme is the simplest and most common mechanism.
Server: A dedicated un-manned data provider.

Page 4 of 14
Document Responsibility: Plants Networks Standards Committee SABP-Z-057
Issue Date: 4 May 2015 Network Devices Hardening
Next Planned Update: 4 May 2020 Guide – 3COM Switches

5 Account & passwords Policies

Domain 3COM Ref. 3CO-AP-01 BIT 8.6

[ ] 4500 family (3CR17771)
[ ] 4200 Family
Target Mapping SAEP-99 5.1.6.1.l
[ ] 4228G Family (3C17304)
[ ] 4400 Family
Change the local account “admin” default
Action
password
State Final Version 1.0 Created on November 2013
R C
RACI Matrix Priority HIGH
A I
Pre requisite The password length and complexity shall respect the SAEP-99 requirements

Dependencies 3CO-AP-09 : Set the password display mode for local users in encrypted mode
1. Enter privileged system view mode by issuing (using the admin account)
[switch] system-view
2. Issue the following command:
[switch] password cipher New_Password
Instruction
<New_Password>: is newest admin password

Note that the password is entered in encrypted mode. For more detail, please refer
to 3CO-AP-09
Automated task yes

Page 5 of 14
Document Responsibility: Plants Networks Standards Committee SABP-Z-057
Issue Date: 4 May 2015 Network Devices Hardening
Next Planned Update: 4 May 2020 Guide – 3COM Switches

Domain 3COM Ref. 3CO-AP-02 BIT 8.6

[ ] 4500 family (3CR17771)
[ ] 4200 Family
Target Mapping SAEP-99 5.1.6.1.l
[ ] 4228G Family (3C17304)
[ ] 4400 Family
Change password or remove default local
Action
users (manager, monitor or admin)
State Final Version 1.0 Created on November 2013
R C
RACI Matrix Priority HIGH
A I
Pre requisite The password length and complexity shall respect the SAEP-99 requirements

Dependencies
1. Enter privileged system view mode by issuing
[switch] system-view
2. Issue the following command:
[switch] undo local-user <user>

<user >: user account to be removed: admin, monitor or manager

Instruction
You should be able to create an account with the appropriate privileges. Here is an
example:

<4500>system-view
System View: return to User View with Ctrl+Z.
[4500]local-user 3Com1
[4500-luser-3Com1] password cipher 3Com1_password
Automated task yes

Page 6 of 14
Document Responsibility: Plants Networks Standards Committee SABP-Z-057
Issue Date: 4 May 2015 Network Devices Hardening
Next Planned Update: 4 May 2020 Guide – 3COM Switches

Domain 3COM Ref. 3CO-AP-03 BIT 8.6

[ ] 4500 family (3CR17771)
[ ] 4200 Family
Target Mapping SAEP-99 5.1.6.1.l
[ ] 4228G Family (3C17304)
[ ] 4400 Family
Disable SNMP default Community Strings
Action
(private and public)
State Final Version 1.0 Created on November 2013
R C
RACI Matrix Priority HIGH
A I
Pre requisite

Dependencies
1. Enter privileged system view mode by issuing
[switch] system-view
2. Issue the following command:
Instruction [switch] undo snmp-agent community public
3. Issue the following command:
[switch] undo snmp-agent community private

Automated task yes

Domain 3COM Ref. 3CO-AP-04 BIT 12.0.a

[ ] 4500 family (3CR17771)
[ ] 4200 Family
Target Mapping SAEP-99 5.1.6.1.a-f
[ ] 4228G Family (3C17304)
[ ] 4400 Family
Action Set minimum password length
State Final Version 1.0 Created on November 2013
R C
RACI Matrix Priority HIGH
A I
Pre requisite The password length and complexity shall respect the SAEP-99 requirements

Dependencies
1. Enter privileged system view mode by issuing
[switch] system-view
2. Issue the following command:
Instruction [switch] password-control length 6

We would recommend at least 8 characters

Automated task yes

Page 7 of 14
Document Responsibility: Plants Networks Standards Committee SABP-Z-057
Issue Date: 4 May 2015 Network Devices Hardening
Next Planned Update: 4 May 2020 Guide – 3COM Switches

Domain 3COM Ref. 3CO-AP-05 BIT 12.0.a

[ ] 4500 family (3CR17771)
[ ] 4200 Family
Target Mapping SAEP-99 5.1.6.1.a-f
[ ] 4228G Family (3C17304)
[ ] 4400 Family
Action Set password expiration for administrators
State Final Version 1.0 Created on November 2013
R C
RACI Matrix Priority HIGH
A I
Pre requisite

Dependencies
1. Enter privileged system view mode by issuing
[switch] system-view
2. Issue the following command:
Instruction [switch] password-control aging 90

The password will be expired in 90 days

Automated task yes

Domain 3COM Ref. 3CO-AP-06 BIT 12.0.a

[ ] 4500 family (3CR17771)
[ ] 4200 Family
Target Mapping SAEP-99 5.1.6.1.a-f
[ ] 4228G Family (3C17304)
[ ] 4400 Family
Action Set a threshold of failed login attempts
State Final Version 1.0 Created on November 2013
R C
RACI Matrix Priority HIGH
A I
Pre requisite

Dependencies
1. Enter privileged system view mode by issuing
[switch] system-view
2. Issue the following command:
Instruction [switch] password-control login-attempt 5

Account lockout threshold is set to 5 invalid logon attempts

Automated task yes

Page 8 of 14
Document Responsibility: Plants Networks Standards Committee SABP-Z-057
Issue Date: 4 May 2015 Network Devices Hardening
Next Planned Update: 4 May 2020 Guide – 3COM Switches

Domain 3COM Ref. 3CO-AP-07 BIT 12.0.a

[ ] 4500 family (3CR17771)
[ ] 4200 Family
Target SAEP-99 5.1.6.1.a-f
[ ] 4228G Family (3C17304) Mapping
[ ] 4400 Family
Set length of time a user account remains
Action locked out of the switch before the account
is automatically unlocked
State Final Version 1.0 Created on November 2013
R C
RACI Matrix Priority HIGH
A I
Pre requisite

Dependencies
1. Enter privileged system view mode by issuing
[switch] system-view
2. Issue the following command:
Instruction [switch] password-control exceed locktime 1440

Account lockout duration is set to 1440 minutes

Automated task yes

Domain 3COM Ref. 3CO-AP-08 BIT 12.0.a

[ ] 4500 family (3CR17771)
[ ] 4200 Family
Target Mapping SAEP-99 5.1.6.1.a-f
[ ] 4228G Family (3C17304)
[ ] 4400 Family
Set maximum number of old passwords to
Action
retain in the password history
State Final Version 1.0 Created on November 2013
R C
RACI Matrix Priority HIGH
A I
Pre requisite

Dependencies
1. Enter privileged system view mode by issuing
[switch] system-view
2. Issue the following command:
[switch] password-control history 3
Instruction

3 refers to the number of old passwords for each user account that are saved by the
switch

Automated task yes

Page 9 of 14
Document Responsibility: Plants Networks Standards Committee SABP-Z-057
Issue Date: 4 May 2015 Network Devices Hardening
Next Planned Update: 4 May 2020 Guide – 3COM Switches

12.0.a
Domain 3COM Ref. 3CO-AP-09 BIT
12.0.c
[ ] 4500 family (3CR17771)
[ ] 4200 Family
Target SAEP-99 5.1.6.1.a-f
[ ] 4228G Family (3C17304) Mapping
[ ] 4400 Family
Force local users to display passwords in
Action cipher text (local-user password-display-
mode cipher-force)
State Final Version 1.0 Created on November 2013
R C
RACI Matrix Priority HIGH
A I
Pre requisite

Dependencies

1. Enter privileged system view mode by issuing

[switch] system-view
2. Issue the following command:
Instruction
[switch]local-user password-display-mode
cipher-force

Automated task yes

Page 10 of 14
Document Responsibility: Plants Networks Standards Committee SABP-Z-057
Issue Date: 4 May 2015 Network Devices Hardening
Next Planned Update: 4 May 2020 Guide – 3COM Switches

6 Services and applications settings

Domain 3COM Ref. 3CO-SA-10 BIT 8.5

[ ] 4500 family (3CR17771)
5.3.c
[ ] 4200 Family
Target Mapping SAEP-99 5.4.2.m
[ ] 4228G Family (3C17304)
5.1.6.1.o
[ ] 4400 Family
Action Disable SNMP server
State Final Version 1.0 Created on November 2013
R C
RACI Matrix Priority HIGH
A I
Pre requisite

Dependencies

1. Enter privileged system view mode by issuing

[switch] system-view
Instruction 2. Issue the following command:
[switch] undo snmp-agent

Automated task yes

Page 11 of 14
Document Responsibility: Plants Networks Standards Committee SABP-Z-057
Issue Date: 4 May 2015 Network Devices Hardening
Next Planned Update: 4 May 2020 Guide – 3COM Switches

7 Hardening controls

Domain 3COM Ref. 3CO-HC-14 BIT 8.3

[ ] 4500 family (3CR17771)
[ ] 4200 Family
Target Mapping SAEP-99 n/a
[ ] 4228G Family (3C17304)
[ ] 4400 Family
Action Configure the Host Name
State Final Version 1.0 Created on November 2013
R C
RACI Matrix Priority HIGH
A I
Naming convention procedure should exists. Router/Switch should reflect the type and
Pre requisite
role.
Dependencies
3. Enter privileged system view mode by issuing
[switch] system-view
4. Issue the following command:
[switch] sysname <device_name>
Proposal
- Geo location: 3 characters referring to City or Plant (URT, ABQ, DHR ...)
- Admin Area : 3 characters referring to whether it is an Oil or Gas plant
Instruction - Device role : 2 or 3 characters indicating the device role
o PLC, DCS..
o WRK stands for workstation
o SRV stands for server
o PRT stands for printer
o FW for Firewall , RT for Router and so on
- Incremental ID : 3 variables
Ex : ABQ-RTR-005 : means router number 5 in Abqaiq Plant. We can suppose, there are
ABQ-RT-001, ABQ-RTR-002, ABQ-RTR-003 etc ..
Automated task yes

Page 12 of 14
Document Responsibility: Plants Networks Standards Committee SABP-Z-057
Issue Date: 4 May 2015 Network Devices Hardening
Next Planned Update: 4 May 2020 Guide – 3COM Switches

8 Logs and Auditing

Domain 3COM Ref. 3CO-AP-01 BIT 18.0.a

[ ] 4500 family (3CR17771)
[ ] 4200 Family
Target Mapping SAEP-99 5.5.1.d.iv
[ ] 4228G Family (3C17304)
[ ] 4400 Family
Action Set history command buffer size
State Final Version 1.0 Created on November 2013
R C
RACI Matrix Priority HIGH
A I
Pre requisite

Dependencies
1. Enter privileged system view mode by issuing
[switch] system-view
2. Issue the following command:
[switch] history-command max-size 100
Instruction

The history command buffer can store up to 100 commands. The command diplay
history-command could be issued to list the display user inputting

Automated task yes

Domain 3COM Ref. 3CO-AP-02 BIT 18.0.a

[ ] 4500 family (3CR17771)
[ ] 4200 Family
Target Mapping SAEP-99 5.5.1.d.iv
[ ] 4228G Family (3C17304)
[ ] 4400 Family
Action Enable switch logging
State Final Version 1.0 Created on November 2013
R C
RACI Matrix Priority MODERATE
A I
Pre requisite Configuration of the info-center

Dependencies 3CO-HC-13: Enable and configure the Information Center

1. Enter privileged system view mode by issuing

[switch] system-view
Instruction 2. Issue the following command:
[switch] terminal logging

Automated task yes

Page 13 of 14
Document Responsibility: Plants Networks Standards Committee SABP-Z-057
Issue Date: 4 May 2015 Network Devices Hardening
Next Planned Update: 4 May 2020 Guide – 3COM Switches

Domain 3COM Ref. 3CO-AP-03 BIT 18.0.a

[ ] 4500 family (3CR17771)
[ ] 4200 Family
Target Mapping SAEP-99 5.5.1.d.iv
[ ] 4228G Family (3C17304)
[ ] 4400 Family
Action Enable switch monitoring
State Final Version 1.0 Created on November 2013
R C
RACI Matrix Priority MODERATE
A I
Pre requisite Configuration of the info-center

Dependencies 3CO-HC-13: Enable and configure the Information Center

1. Enter privileged system view mode by issuing

[switch] system-view
Instruction 2. Issue the following command:
[switch] terminal monitor

Automated task yes

Revision Summary
4 May 2015 New Saudi Aramco Best Practice.

Page 14 of 14