Best Practice

SABP-Z-080 20 April 2016

Network Devices Hardening Guide – Siemens Scalance X-200 series


Document Responsibility: Plants Networks Standards Committee

Saudi Aramco DeskTop Standards


Table of Contents

1 Introduction 2
2 Conflicts with Mandatory Standards 2
3 References 2
4 Definitions 3
5 Account & passwords Policies 5
6 Services and applications settings 7
7 Hardening controls 14
8 Logs and Auditing 19

Previous Issue: New
Next Planned Update: 3 May 2020


Page 1 of 21
Primary contact: Ouchn, Nabil J (ouchnnj) on +966-3-8801365

Copyright©Saudi Aramco 2016. All rights reserved.


Document Responsibility: Plants Networks Standards Committee SABP-Z-080
Issue Date: 20 April 2016 Network Devices Hardening
Next Planned Update: 3 May 2020 Guide – Siemens Scalance Switches

1 Introduction
1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology to implement advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff for the purpose of prompt risk
mitigation and overall adherence to company’s cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and / or technicians working as Process Automation Network
(PAN) Administrators.
1.2 Scope
This best practice defines the methodology to harden the Siemens Scalance X-200
Series configuration settings, which might require software / hardware to ensure
“secure configuration” as per the SAEP-99 “Process Automation Networks and
Systems Security” procedure.

1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by
vendor and / or consulting agent for the implementation of security configurations
by the PAN administrator(s), and shall not be considered “exclusive” to provide
“comprehensive” compliance to SAEP-99 or any other Saudi Aramco
Engineering’s standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) from their
responsibility or duties to confirm and verify the accuracy of any information
presented herein and the thorough coordination with respective control system
steering committee chairman and vendor.

2 Conflicts with Mandatory Standards


In the event of a conflict between this Best Practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.

3 References
Specific sections of the following documents are referenced within the body of the
document. Material or equipment supplied to this best practice shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.
Saudi Aramco References

Saudi Aramco Engineering Procedures
SAEP-99      Process Automation Networks and Systems Security

Saudi Aramco Engineering Standards
SAES-Z-001   Process Control Systems
SAES-Z-010   Process Automation Networks

General Instruction
GI-0710.002  Classification of Sensitive Information

4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
DHCP - Dynamic Host Configuration Protocol
HTTPS - HyperText Transfer Protocol Secure
IP - Internet Protocol
NTP - Network Time Protocol
PCS - Process Control Systems
PAN - Process Automation Network
SSH - Secure Shell
SNMP - Simple Network Management Protocol

4.2 Abbreviations
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. Wherever there are
assets worth protecting, authentication is present: the initial step in protecting
systems and information is authentication, which identifies who is requesting access.
Process Automation Systems (PAS): PAS include Networks and Systems
hardware and software such as Process Automation Network (PAN), Distributed
Control Systems (DCSs), Emergency Shutdown Systems (ESD), Programmable
Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA)
systems, Terminal Management Systems (TMS), networked electronic sensing
systems, and monitoring (such as VMS and PMS), diagnostic, and related
industrial automation and control systems. PAS also include associated internal,
human, network, or machine interfaces used to provide control, safety,
maintenance, quality assurance, and other process operations functionalities to
continuous, batch, discrete, and combined processes.
Logs: Files or prints of information in chronological order.
PAN: Process Automation Network, sometimes referred to as Plant Information
Network (PIN), is a plant-wide network (switches, routers, firewalls, computers,
etc.) interconnecting the process control systems and providing an interface to
the corporate network.
PAN Administrator: The Process Automation Network (PAN) Administrator
administers and performs system configuration and monitoring, coordinating with
the Process Control System Administrator, if different, as designated by the plant
management. The PAN Administrator assumes the ownership of the IA&CS including
the PAN Firewall and has the function of granting, revoking, and tracking access
privileges and communications of users on the ICS including the Firewall.
Password: A form of secret authentication data that is used to control access to
a resource. Password authentication determines authenticity by testing a device
or a user that is requesting access to systems, using for example a personal
identification number (PIN) or password. The password authentication scheme is
the simplest and most common mechanism.
Server: A dedicated un-manned data provider.


5 Account & passwords Policies

Domain: Siemens
Ref.: SMS-AP-01
BIT: 12.0.a
Target: [x] Scalance X-200 Series
Mapping: SAEP-99 5.1.6.1.a-f
Action: Change the default passwords (for admin and user accounts)
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite: The password should respect the SAEP-99 passwords policy unless limited by system capability
Dependencies: SSH / Web Management enabled

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\SYSTEM>
3. Change the admin password

   password admin <password>

4. Change the user password

   password user <password>

The new password must be compliant with SAEP-99 directives.
Minimum password length is set to at least 8 characters.

(*) Default admin password is admin / default user password is user.


Domain: Siemens
Ref.: SMS-AP-02
BIT: 8.6
Target: [x] Scalance X-200 Series
Mapping: SAEP-99 5.1.6.1.l
Action: Change the SNMP Read default community string
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite: The password should respect the SAEP-99 passwords policy
Dependencies: If SNMP is required by Alarm systems

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\AGENT\SNMP>
3. Change the community string

   getcomm [string]

The new community string must be compliant with SAEP-99 directives.
Minimum password length is set to at least 8 characters.


6 Services and applications settings

Domain: Siemens
Ref.: SMS-SA-01
BIT:
Target: [x] Scalance X-200 Series
Mapping: SAEP-99
Action: Disable the mailing function
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite:
Dependencies:

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\AGENT\
3. Issue the following command

   mail D


Domain: Siemens
Ref.: SMS-SA-02
BIT: 8.5
Target: [x] Scalance X-200 Series
Mapping: SAEP-99 5.3.c, 5.4.2.m, 5.1.6.1.o
Action: Enable SNMP protocol
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite: The vendor should be consulted. SNMP may be used for Alarm purposes
Dependencies: SMS-SA-03

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\AGENT\SNMP
3. Issue the following command

   snmp A

In case SNMP is not required, it is recommended to disable it using the following
command:

   snmp D


Domain: Siemens
Ref.: SMS-SA-03
BIT: 8.5
Target: [x] Scalance X-200 Series
Mapping: SAEP-99 5.3.c, 5.4.2.m, 5.1.6.1.o
Action: Enable SNMP Readonly mode
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite: The vendor should be consulted. SNMP may be used for Alarm purposes
Dependencies:

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\AGENT\SNMP
3. Issue the following command

   readonly


Domain: Siemens
Ref.: SMS-SA-04
BIT: 8.5
Target: [x] Scalance X-200 Series
Mapping: SAEP-99
Action: Disable DHCP
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite: The vendor should be consulted. SNMP may be used for Alarm purposes
Dependencies:

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\AGENT\IP
3. Issue the following command

   dhcp D

As per SAEP-99, the device shall be configured with a static IP address. The
following commands will help to achieve this task:

   ip [IP address]
   subnet [subnet mask]
   gateway [IP address]

Domain: Siemens
Ref.: SMS-SA-05
BIT: 8.5
Target: [x] Scalance X-200 Series
Mapping: SAEP-99
Action: Disable Telnet
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite: SSH / HTTPS functions supported by the current firmware
Dependencies: SMS-SA-06, SMS-SA-07

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\AGENT\
3. Issue the following command

   telnet D

An alternative should be available to manage the device (SSH or HTTPS).

`
Page 11 of 21
Document Responsibility: Plants Networks Standards Committee SABP-Z-080
Issue Date: 20 April 2016 Network Devices Hardening
Next Planned Update: 3 May 2020 Guide – Siemens Scalance Switches

Domain: Siemens
Ref.: SMS-SA-06
BIT: 8.5
Target: [x] Scalance X-200 Series
Mapping: SAEP-99
Action: Enable SSH function
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite: SSH function supported by the current firmware
Dependencies:

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\AGENT\
3. Issue the following command

   ssh E

Domain: Siemens
Ref.: SMS-SA-07
BIT: 8.5
Target: [x] Scalance X-200 Series
Mapping: SAEP-99
Action: Enable HTTPS function
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite: HTTPS function supported by the current firmware
Dependencies:

Instruction:
1. Connect to the switch through WBM (Web Based Management)
2. Type the IP address

   https://IP_address

Domain: Siemens
Ref.: SMS-SA-08
BIT: 8.5
Target: [x] Scalance X-200 Series
Mapping: SAEP-99
Action: Disable Mirroring
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: MODERATE
Pre requisite:
Dependencies:

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\SWITCH\
3. Issue the following command

   mirroring D

7 Hardening controls

Domain: Siemens
Ref.: SMS-HC-01
BIT: 8.3
Target: [x] Scalance X-200 Series
Mapping: SAEP-99
Action: Set the system hostname according to the naming convention
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite:
Dependencies:

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\SYSTEM\
3. Set the "PNIO Device Name" and "sysName" variables

   devname [Device Name]
   name [sysName]

PNIO Device Name: Name under which the device will be accessible in PROFINET IO
mode.

Proposal:
- Geo location: 3 characters referring to City or Plant (URT, ABQ, DHR ...)
- Admin Area: 3 characters referring to whether it is an Oil or Gas plant
- Device role: 2 or 3 characters indicating the device role
  - PLC, DCS ...
  - WRK stands for workstation
  - SRV stands for server
  - PRT stands for printer
  - FW for Firewall, RT for Router, SW for Switch and so on
- Incremental ID: 3 characters
Ex: ABQ-WKS-005 means Workstation 5 in Abqaiq plant
Domain: Siemens
Ref.: SMS-HC-02
BIT:
Target: [x] Scalance X-200 Series
Mapping: SAEP-99
Action: Web Access timeout
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite:
Dependencies:

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\AGENT\
3. Issue the following command

   wbmtime [minutes]

[minutes] should be set to 10.

Domain: Siemens
Ref.: SMS-HC-03
BIT:
Target: [x] Scalance X-200 Series
Mapping: SAEP-99
Action: Telnet timeout
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite: Telnet allowed (refer to SMS-SA-05)
Dependencies: SMS-SA-05

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\AGENT\
3. Issue the following command

   ttimeout E [Timeout]

[Timeout] should be set to 600 (in seconds, i.e., 10 minutes).

Domain: Siemens
Ref.: SMS-HC-04
BIT:
Target: [x] Scalance X-200 Series
Mapping: SAEP-99
Action: Set time manually
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite: NTP server is not available
Dependencies: SMS-HC-05

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\AGENT\TIME
3. Issue the following commands

   ttype M
   Settime [time]

Date and time should be entered in this format: DD MMM HH:MM:SS YYYY

Domain: Siemens
Ref.: SMS-HC-05
BIT:
Target: [x] Scalance X-200 Series
Mapping: SAEP-99
Action: Set time with NTP server
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite:
Dependencies:

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\AGENT\TIME
3. Issue the following commands

   ttype P
   server [IP address] [:port]
   tpoll [10-100000s]

IP address: IP of the NTP server
port: UDP port (default UDP 123)
tpoll: Specifies the polling interval (600 seconds)
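A pre-flight check of a planned value set against the limits stated in sections 5 to 7 (8-character minimum, factory defaults admin/user, wbmtime 10, ttimeout 600, the settime format, the tpoll range). This is an added example, not part of SABP-Z-080 or of any Siemens tool; the Plan field names and the whitespace check are assumptions made for this example.

```python
"""Pre-flight check of a planned SCALANCE X-200 hardening value set.

Added example, not part of SABP-Z-080 or of Siemens tooling. Only the limits
the guide states are encoded; the Plan field names are assumed here.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

MIN_SECRET_LEN = 8                    # SMS-AP-01 / SMS-AP-02: at least 8 characters
FACTORY_DEFAULTS = {"admin", "user"}  # (*) factory defaults named in SMS-AP-01
SETTIME_FORMAT = "%d %b %H:%M:%S %Y"  # SMS-HC-04: DD MMM HH:MM:SS YYYY


@dataclass
class Plan:
    admin_password: str
    user_password: str
    snmp_read_community: str            # value passed to 'getcomm' (SMS-AP-02)
    wbm_minutes: int = 10               # 'wbmtime' (SMS-HC-02)
    telnet_timeout_s: int = 600         # 'ttimeout E' (SMS-HC-03)
    manual_time: Optional[str] = None   # 'settime' (SMS-HC-04), only without NTP
    ntp_server: Optional[str] = None    # 'server' (SMS-HC-05)
    tpoll_s: int = 600                  # 'tpoll' (SMS-HC-05)


def check_secret(name: str, value: str) -> List[str]:
    """Rules the guide states for the passwords and the SNMP read community."""
    found = []
    if len(value) < MIN_SECRET_LEN:
        found.append(f"{name}: shorter than {MIN_SECRET_LEN} characters")
    if value.lower() in FACTORY_DEFAULTS:
        found.append(f"{name}: still a factory default")
    if any(c.isspace() for c in value):   # assumed practical check: CLI args are space-separated
        found.append(f"{name}: whitespace would split the CLI argument")
    return found


def audit(plan: Plan) -> List[str]:
    """Return every deviation from the guide; an empty list means the plan complies."""
    findings = []
    findings += check_secret("admin password", plan.admin_password)
    findings += check_secret("user password", plan.user_password)
    findings += check_secret("SNMP read community", plan.snmp_read_community)
    if plan.wbm_minutes != 10:
        findings.append("wbmtime: guide sets 10 minutes")
    if plan.telnet_timeout_s != 600:
        findings.append("ttimeout: guide sets 600 seconds")
    if plan.ntp_server is not None:
        if not 10 <= plan.tpoll_s <= 100000:
            findings.append("tpoll: must lie within 10-100000 seconds")
    elif plan.manual_time is None:
        findings.append("time: neither an NTP server nor a manual time is set")
    else:
        try:
            datetime.strptime(plan.manual_time, SETTIME_FORMAT)
        except ValueError:
            findings.append("settime: expected DD MMM HH:MM:SS YYYY")
    return findings
```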

8 Logs and Auditing


Domain: SIEMENS
Ref.: SMS-LA-01
BIT: 18.0.a
Target: [x] Scalance X-200 Series
Mapping: SAEP-99 5.5.1.d.iv
Action: Enable the Agent Event Configuration
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite:
Dependencies:

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\AGENT\EVENT
3. Issue the following command

   setec [CW|LC|AF|PM|FC|RD|SB|Index]

The following abbreviations are used for the events:
• CW Cold/Warm Start
• LC Link Change
• AF Authentication Failure
• PM Power M12 Change
• FC Fault State Change
• RD Redundancy Event
• SB Standby Event
If an event is specified, the configured actions are performed for each event.
The three parameters that follow, each <E> or <D>, configure the reactions of the
switch in this order:
• E-mail
• Trap
• Entry in the log table

Value to be set:
Local log table: setec LC AF FC D D E
SNMP traps: setec LC AF FC D E D
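A small helper that composes and decodes the setec lines of SMS-LA-01 and checks the eventmax bound of SMS-LA-02. This is an added example, not from the guide or from Siemens; it uses only the event codes and the E-mail / Trap / Log flag order the guide lists, and the Index form of the event argument is not handled.

```python
"""Compose and decode SCALANCE X-200 'setec' lines (SMS-LA-01) and check
the 'eventmax' bound (SMS-LA-02).

Added example, not from the guide or from Siemens. Event codes and the
E-mail / Trap / Log flag order are the ones the guide lists; the three
trailing E/D flags are read the way the guide's own two example lines use
them. The 'Index' form of the event argument is not handled here.
"""
from typing import Dict, Iterable, List

EVENTS = {"CW": "Cold/Warm Start", "LC": "Link Change",
          "AF": "Authentication Failure", "PM": "Power M12 Change",
          "FC": "Fault State Change", "RD": "Redundancy Event",
          "SB": "Standby Event"}
ACTIONS = ("email", "trap", "log")   # order of the three trailing flags


def build_setec(events: Iterable[str], *, email=False, trap=False, log=False) -> str:
    """Return one setec line; unknown event codes are rejected."""
    events = list(events)
    unknown = [e for e in events if e not in EVENTS]
    if unknown:
        raise ValueError(f"unknown event code(s): {unknown}")
    flags = ["E" if on else "D" for on in (email, trap, log)]
    return "setec " + " ".join(events + flags)


def parse_setec(line: str) -> Dict[str, object]:
    """Decode a setec line into its event list and the three action flags."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "setec":
        raise ValueError("expected: setec <event>... <E|D> <E|D> <E|D>")
    events, flags = parts[1:-3], parts[-3:]
    if any(f not in ("E", "D") for f in flags) or any(e not in EVENTS for e in events):
        raise ValueError(f"malformed setec line: {line!r}")
    return {"events": events, **{a: f == "E" for a, f in zip(ACTIONS, flags)}}


def check_eventmax(value: int) -> bool:
    """SMS-LA-02: the log table size must lie within 10..400 (guide sets 400)."""
    return 10 <= value <= 400


def guide_baseline() -> List[str]:
    """The two setec lines the guide sets for LC, AF and FC."""
    ev = ("LC", "AF", "FC")
    return [build_setec(ev, log=True), build_setec(ev, trap=True)]
```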

Domain: SIEMENS
Ref.: SMS-LA-02
BIT: 18.0.a
Target: [x] Scalance X-200 Series
Mapping: SAEP-99 5.5.1.d.iv
Action: Specify number of events in the log table
State: Final
Version: 1.0
Created on: 25/01/16
RACI Matrix: R C A I
Priority: HIGH
Pre requisite:
Dependencies:

Instruction:
1. Connect to the switch using SSH (or web)
2. When prompted, switch to CLI\AGENT\LOG
3. Issue the following command

   eventmax [Max count]

Specifies the maximum number of events in the log table. A value of 10 to 400
entries can be set.

Set the value to 400.
