Process Automation Networks & Systems Security

Communications Standards Committee Members
Ghamdi, Khalid Sulaiman, Chairman
Muammar, Rushdi Husain, Vice Chairman
Shammary, Diab Methqal
Mushcab, Rami Talib
Walaie, Soliman Abdullah
Bamardouf, Lutfi Hussain
Mutairi, Salman Ayedh
Rajeh, Majed Fahad
Abu Alsaud, Zakarya Abdulelah
Daraiseh, Abdelghani A.
Kille, Bradley Clyde
Tamimi, Mohammed Abdulaziz
Qanber, Yousuf Abdul Aziz
Musabeh, Ali Hamza
Harbi, Saad Abdullah
Elwi, Salem Saud
Almadi, Soloman Musa
Gotsis, Stavros D
Kahtani, Waheed Hazza

Previous Issue: 28 October 2007
Next Planned Update: 27 October 2012
Revised paragraphs are indicated in the right margin
Primary contact: Abu Alsaud, Zakarya Abdulelah on 966-3-8737316

Copyright Saudi Aramco 2008. All rights reserved.

Document Responsibility: Communications
SAEP-99
Issue Date: 20 April 2008
Next Planned Update: 27 October 2012
Process Automation Networks & Systems Security
1 Scope

This procedure provides minimum mandatory security requirements for Industrial Automation & Control Systems (IA&CS), including the networks and plant facilities. This procedure is retroactive to all Saudi Aramco plants.

The scope of this procedure includes but is not limited to:

Networks and systems hardware and software such as Process Automation Network (PAN), Distributed Control Systems (DCSs), Emergency Shutdown Systems (ESD), Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, Terminal Management Systems (TMS), networked electronic sensing systems, Power Monitoring System (PMS), Vibration Monitoring System (VMS) and other monitoring, diagnostic and related industrial automation and control systems.

Associated internal, human, network, or machine interfaces used to provide control, safety, maintenance, quality assurance, and other process operations functionalities to continuous, batch, discrete, and combined processes.

The security requirements address the following eight security domains:
1) Access Control Systems & Methodology
2) Communications & Networks Security
3) Security Management Practices
4) Applications & Systems Development Security
5) Security Architecture & Models
6) Operations Security & Management
7) Disaster Recovery Planning (DRP)
8) Physical Security

2 Conflicts and Deviations

2.1 Any conflicts between this procedure and other applicable Saudi Aramco Engineering Standards (SAESs), Materials System Specifications (SAMSSs), Standard Drawings (SASDs), or industry standards, codes, and forms shall be resolved in writing by the Manager, Process & Control Systems Department of Saudi Aramco, Dhahran.

2.2 Direct all requests to deviate from any mandatory security requirement of this procedure in writing to the Manager, Process & Control Systems Department of Saudi Aramco, Dhahran, who shall follow internal company procedure SAEP-302.
3 Referenced Documents

The requirements contained in the following documents apply to the extent specified in this procedure.

3.1 Saudi Aramco References

Saudi Aramco Engineering Standards
SAES-Z-010  Process Automation Networks Connectivity

Saudi Aramco Engineering Procedures
SAEP-302  Instructions for Obtaining a Waiver of a Mandatory Saudi Aramco Engineering Requirement
SAEP-1050  Guideline for Disaster Recovery Plan Development for Decision Support System

Saudi Aramco Engineering Reports
SAER-6123  Process Automation Networks Firewall Evaluation Criteria

Saudi Aramco General Instructions
GI-0710.002  Classification of Sensitive Information
GI-0299.120  Sanitization and Disposal of Saudi Aramco Electronic Storage Devices and Obsolete/Unneeded Software

Company Policy
INT-7  Data Protection and Retention

3.2 Industry Codes and Standards

The Instrumentation, Systems, and Automation Society
ISA-TR99.00.01-2004  ISA Technical Report: "Security Technologies for Manufacturing and Control Systems", March 11, 2004
ISA-TR99.00.02-2004  ISA Technical Report: "Integrating Electronic Security into the Manufacturing and Control Systems Environment", April 12, 2004
ISA-d99.00.01  ISA Security Standard: "Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts and Models", February 2007

4 Instructions

In this procedure, the terms "must", "shall", "should" and "can" are used. When "must" or "shall" is used, the item is a mandatory requirement. When "should" is used, the item is strongly recommended but not mandatory. When "can" is used, compliance may further enhance system security, but compliance is optional.

This procedure shall be applied to all systems and networks as appropriate by knowledgeable Process Control Systems personnel. It helps to identify and address a wide spectrum of vulnerabilities, and to mitigate the risk of undesired intrusions that could compromise confidential information or cause disruption or failure in the IA&CS.

The following are requirements for plant networks and systems security:
a) Follow and apply "IA&CS vendor" recommendations and requirements for systems and networks security, including antivirus software and upgrades and security patches, with a prior economic analysis of risk versus cost. "IA&CS vendor" refers to the vendor or manufacturer of the IA&CS.
b) The user of this procedure must exercise sound professional judgment concerning its use and applicability under the user's particular circumstances. The user must also consider the applicability of any government regulations, Saudi Aramco standards, and safety practices before implementing this procedure.
c) The delegation of any PAN management or operational function to another entity shall be executed through a Service Level Agreement (SLA).

4.1 Access Control Systems & Methodology

IA&CS access shall be restricted to plant authorized personnel such as Operators, Engineers and Maintenance personnel who are authorized to operate or administer the network and perform system configuration, diagnostics, and system monitoring.

4.1.1 Authentication and Authorization

Authorization can be as granular as determining access to specific files in an application or as encompassing as access to a network.
Authentication describes the process of positively identifying potential network users, hosts, applications, services, and resources using a combination of identification factors or credentials.

Passwords, if supported by the system or application, shall be the minimum authentication requirement. The logon/logoff process shall neither cause system interruptions nor momentary loss of view. For systems with hardware key authentication, the key must be securely guarded and logged.

The following are the requirements for passwords:
a) Passwords shall have appropriate length and entropy for the security required. In particular, they should not be found in a dictionary or contain predictable sequences of numbers or letters.
b) Passwords shall be used with care on operator interface devices such as control consoles on critical processes. Passwords shall be guarded to prevent unauthorized access.
c) User account passwords shall not be stored electronically in unprotected files.
d) All vendor-supplied default passwords for predefined accounts shall be changed immediately after installation or upgrade.
e) In order to change user account passwords, users should always be required to provide both their old and new passwords, if supported by the system.
f) The keeper of master passwords or his backup(s) shall always be available to ensure continuous operations. A password log, especially for master passwords, shall be maintained separately from the IA&CS, possibly in a notebook locked in a vault or safe.
g) For user authentication purposes, password use is common and generally acceptable for users logging directly into a local device or a computer. Passwords shall always be encrypted when sent between networks.
h) An automatic message, if supported by the system, should be sent to users notifying them of the days remaining before their passwords expire.

Individual accounts are mandatory for Supervisors, Engineers and Administrators, if supported by the system.
4.1.2 User Account Types

a) Application accounts are those associated with applications. The password for such accounts should always be used in encrypted/protected and encapsulated form and shall not be coded into the application in plain text.
b) Operator accounts are those used by Operators to access the system and operate the plant. Such accounts shall have a restricted user profile so that the operator will not be able to install programs, change software configuration, or access floppy disk, CD drives, or any removable media. Shared operator accounts shall be restricted to those authorized and documented/tracked regularly. Individual operator accounts are mandatory, if supported by the system, for unattended areas such as Process Interface Buildings (PIBs).
c) GUEST accounts shall be disabled on all systems.
d) Super/Privileged accounts are those used by System Administrators and Engineers. The use of Super/Privileged accounts shall be limited to system support, system diagnostics and configuration, and only when necessary. These accounts shall be reviewed every 12 months. Super/Privileged user accounts shall be locked when not needed.
e) Operator and Application accounts shall be excluded from the automatic password change policy; however, the PAN Administrator shall make sure that Application account passwords are changed manually every 12 months.

4.1.3 User Account Format

The structure of the user account should be [xxxxxxfm], where [xxxxxx] is the first six characters of the last name, [f] is the first initial of the first name and [m] is the first initial of the middle name. Numeric and special characters should be removed from the user account. Arabic prefixes Al, Al-, El and El- should be removed from the last name, and "x" should be used when there is no middle initial.

In case more than one employee has the same last name, first initial and middle initial, the following steps should be followed:
a) Up to 4 characters of the last name, the first initial and the middle initial are used with an assigned suffix as the last 2 characters.
b) The first suffix character will always be a numeric in the range 0-9, and the second character of the suffix will be in the ranges A-Z, 0-9.

4.1.4 System Access

a) System login scripts, if any, shall be configured to prevent a user bypassing them.
b) Warning banners on all systems, if supported, shall be enabled. Every computer will require changes to its system files to ensure that the banner is displayed whenever the system is turned on or a user logs on.
c) Repeated login failures shall be logged, if supported by the system, with the location, date, time and user account used, without indicating whether the failure is caused by a wrong user name or a wrong password. An alert message should be sent to the PAN Administrator in the event of repeated login failures.
d) At login time, every user should be given information reflecting the last login time and date, if supported by the system.
e) No dial-in is allowed for control purposes. Vendor remote troubleshooting and testing is the only exception, provided that such activity is strictly monitored, documented, and on a temporary basis with authorization of plant operations/management.
f) Remote access to plant applications from the corporate network or Internet, for control purposes, is not permitted.
g) The PAN Administrator shall assume the responsibility of adding/removing users' access on the proxy application servers for his designated plant applications.
h) The auto-logoff feature, if supported, shall be configured for all unattended systems excluding operators' consoles.
4.2 Security Management Practices

4.2.1 Security Policies

In addition to this procedure, the following Saudi Aramco documents apply to plant information security policies:
a) Management Statement of Policy "INT-7" (URL: http://corpplan/LRPD1/corporat.htm)
b) Classification of Sensitive Information "GI-0710.002", dated 15 January 2002 (URL: http://gi/html/data/0710_002.pdf)
c) Sanitization and Disposal of Saudi Aramco Electronic Storage Devices and Obsolete/Unneeded Software "GI-0299.120", dated December 2005 (URL: http://gi/html/data/0299_120.pdf)

4.2.2 Classification of Information

Plant operations/management is responsible for classifying, controlling access to, and safeguarding such information as per GI-0710.002. The classification of information ensures that information labeled as sensitive is protected according to its classification.

4.2.3 Security Awareness

Security awareness refers to the general, collective awareness of an organization's personnel of the importance of security and security controls. Plant management shall ensure that their personnel have an adequate understanding and awareness of security. This can be done through:
a) Live/Interactive Presentations: security awareness presentations on an annual basis or as needed.
b) Publishing/Distribution: posters, company newsletter, email, updates, alerts, etc.

Saudi Aramco departments, such as the IPD/Awareness Group, Industrial Security, P&CSD, etc., can be contacted for assistance.

4.3 Applications & Systems Development Security

a) The application vendor default password shall be changed if supported and if it does not affect operations.
b) If available, applications must log all successful and unsuccessful logon attempts and the time of logons. They must also log sensitive transactions and sensitive changes as defined by the application owner. The log shall identify what was changed, when, and who made the change.
c) All special access paths, doors and short-cuts used for developing the application shall be removed prior to moving the application to production.
d) IA&CS shall have all unnecessary services disabled.

4.4 Security Architecture & Models

4.4.1 Communication and Network Security Control

a) Ensure physical and logical separation between Plant Automation Networks and the Corporate Network inside the plant fence.

Commentary Note: The table below provides further details on the minimum requirements:

Physical Space: Network Locked Cabinet
In-Plant Connectivity: Dedicated cables for both primary and backup
Remote Site Connectivity: Fiber optic strands for primary and dedicated transmission circuit (i.e., SDH) for backup

b) Monitoring of plant applications from the corporate network shall be allowed only via proxy servers.
c) The PAN shall not interface as a gateway to non-Saudi Aramco networks such as the Internet.
d) PAN clients shall not be configured to access IT services such as e-mail, Internet/Intranet, and File and Print Sharing.
e) All nodes on the PAN shall be assigned static IP addresses. Dynamic Host Configuration Protocol (DHCP) shall not be used anywhere on the PAN.
4.4.2 Firewalls

Filtering, Blocking, and Access Control. Firewalls shall:
a) Control access and prevent undesirable packets into/out of a protected network.
b) Enable information logging for traffic monitoring and intrusion detection.
c) Dedicated firewall hardware shall be used to interface a PAN to the Corporate Network.
d) The fundamental policy for configuring firewalls in plant automation networks shall be "DENY UNLESS SPECIFICALLY PERMITTED".
e) Antivirus and Intrusion Prevention functionalities should be installed on the PAN interface to the Corporate Network.
f) A patch management policy should be developed and maintained in order to help identify the latest signature files and upgrades.
g) A procedure should be developed in order to help properly change the firewall Access Control List (ACL) based on information collected from the Intrusion Prevention System (IPS).
h) The firewall is an integral part of the PAN and shall be placed within the plant fence.
i) Network traffic through the firewall shall be limited to server-to-server connections and through selected IP ports. Any Corporate Network user requiring access to plant systems shall use Proxy Servers (see Figure 1).
j) A PAN comprising multiple scattered PANs should interface with the Corporate Network via a centralized firewall. Hence, such PANs shall be connected together in order to establish one PAN utilizing the corporate transmission infrastructure (i.e., SDH dedicated bandwidth/dark fiber).
k) Additional detailed network configurations can be found in SAES-Z-010 "Process Automation Networks Connectivity".
l) Blocking shall be based on allowing specifically enabled communications between devices (server-to-server) on the Corporate Network and the PAN. The enabled communications shall be based on source and destination pairs, services, and ports. Blocking shall be enabled for both inbound and outbound communications.

SAER-6123, "Process Automation Networks Firewall Evaluation Criteria", provides additional guidelines for firewall configuration and hardware selection.
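The rule model of 4.4.2 d), i) and l) as an added example (not from the procedure or SAER-6123): each permitted flow is a single host pair, a service protocol and a port, the verdict defaults to deny in both directions, and a rule that does not pair one PAN host with one Corporate host is rejected at definition time. The address ranges, the proxy and historian addresses and the port number are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example for SAEP-99 section 4.4.2 (d, i, l); not part of the procedure.
# Constructed address ranges: real plant addressing is not given in SAEP-99.
PAN_NET = ipaddress.ip_network("10.10.0.0/16")
CORP_NET = ipaddress.ip_network("10.200.0.0/16")
PROTOCOLS = ("tcp", "udp")


def side_of(host: str) -> Optional[str]:
    """'pan', 'corp', or None for an address outside both networks."""
    addr = ipaddress.ip_address(host)
    if addr in PAN_NET:
        return "pan"
    if addr in CORP_NET:
        return "corp"
    return None


def direction_of(src: str, dst: str) -> Optional[str]:
    """'inbound' (Corporate -> PAN), 'outbound' (PAN -> Corporate) or None."""
    pair = (side_of(src), side_of(dst))
    if pair == ("corp", "pan"):
        return "inbound"
    if pair == ("pan", "corp"):
        return "outbound"
    return None


@dataclass(frozen=True)
class Rule:
    """One specifically permitted connection: a single source host, a single
    destination host, the service protocol and port (4.4.2 l). A rule covers
    only the direction in which the connection is opened; the reverse
    direction needs its own rule."""
    src: str
    dst: str
    proto: str
    port: int

    def __post_init__(self) -> None:
        if self.proto not in PROTOCOLS:
            raise ValueError(f"service protocol must be one of {PROTOCOLS}")
        if not 0 < self.port < 65536:
            raise ValueError("port out of range")
        if direction_of(self.src, self.dst) is None:
            raise ValueError("rule must pair one PAN host with one Corporate host")


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """DENY UNLESS SPECIFICALLY PERMITTED, applied in both directions.
    Returns (verdict, reason) so the decision can be logged (4.4.2 b)."""
    direction = direction_of(src, dst)
    if direction is None:
        return "deny", "flow does not cross the PAN/Corporate boundary"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (ipaddress.ip_address(rule.src) == s and ipaddress.ip_address(rule.dst) == d
                and rule.proto == proto.lower() and rule.port == port):
            return "permit", f"{direction}: matches {rule.src}->{rule.dst} {rule.proto}/{rule.port}"
    return "deny", f"{direction}: no matching server-to-server rule (default deny)"


# Constructed rule set in the shape of Figure 1: the Proxy Server on the
# Corporate side may open one service to the Plant Historian on the PAN.
# The port number is a placeholder, not a value from the procedure.
RULES = [
    Rule(src="10.200.5.10", dst="10.10.1.20", proto="tcp", port=5000),
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.200.5.10", "10.10.1.20", "tcp", 5000))  # permit
    print(evaluate(RULES, "10.200.77.3", "10.10.1.20", "tcp", 5000))  # deny: a workstation, not the proxy
    print(evaluate(RULES, "10.10.1.20", "10.200.5.10", "tcp", 5000))  # deny: outbound not enabled
```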
Figure 1 (diagram not reproduced): the Process Automation Network (DCS, SCADA, CCTV, VMS, Plant Historian) connected to the Aramco IT Network through active and hot-standby backbone switches and active/hot-standby firewalls, with a scan node and splitters; the only path across the firewall is a server-to-server connection to a Proxy Server under plant control (or IT control with SLA), which serves MIS 1 ... MIS n.
4.5 Operations Security & Management

4.5.1 Monitoring

All available network and system logs shall be examined and monitored both on a periodic basis and when abnormal activities may indicate problems. The PAN Administrator shall control and validate access to these log files.

Commentary Note: Recommended monitoring tools:
a) Account logging events to monitor logon attempts (successful and unsuccessful).
b) Event viewer logs.
c) System events such as system and service startup and shutdown.
d) Firewall logs, configurations and policies.

The PAN Administrators shall perform and maintain regular reviews of the following:
i) Regular review of all accounts shall be performed to ensure continued legitimacy for business needs.
ii) Inactive users shall be revoked.
iii) The list of users accessing internal devices such as firewalls and switches.
iv) A firewall penetration test of the plant networks is recommended to highlight any weaknesses and vulnerabilities.
v) All unused ports in any network devices such as routers and switches shall be disabled.
vi) IA&CS are synchronized to accurate time and date stamps.

4.5.2 Reporting of Computer Security Incidents

The reporting of a computing incident must be done promptly. It is the responsibility of the proponent plant management, their designated staff, or the PAN Administrator to write a memorandum detailing any computer irregularity incident to Corporate Security Services/Computer Security Administration (CSA). In the case of hardware theft, the incident must be reported to plant management, who will report it to Industrial Security.

If any user or organization suspects a computer security incident implicating an individual, and where a formal investigation might be required, they must contact their PAN Administrator. The PAN Administrator will evaluate the incident and, if warranted, report it to CSA via "Incident Reporting" on "http://csa.aramco.com.sa".

In urgent situations, the PAN Administrator should report these computer security incidents to CSA by phone via the numbers for "CSA Head" or "Computer Security Investigation" listed in the "Contacts" section of the CSA website. The "Incident Reporting" facility on CSA's website should be used to document and confirm the PAN Administrator's report by phone.

4.6 Disaster Recovery Planning (DRP)

The following are the requirements for Disaster Recovery Planning (DRP) for Saudi Aramco IA&CS, excluding Decision Support Systems (DSS). For further information on the DSS Disaster Recovery Plan, refer to SAEP-1050.
a) The mission and objective of the DRP document is to provide instructions on restoring plant operation and resuming production with a fast response time, without impacting safety or the investment in plant assets and personnel.
b) A team, within each plant or in a centralized location, shall be established and well trained to develop, implement, test, use and maintain the DRP.
c) A key personnel list shall be clearly identified, including plant personnel, support organizations and vendors.
d) The plant is responsible for developing a DRP that covers all critical IA&CS installed in the plant whose loss would impact plant production.
e) The DRP shall define the data backup strategy, including the systems to back up, the files to back up, the storage media, the storage locations and the storage rotation.
f) The DRP shall be included as part of the overall plant process disaster response plan.
g) It is highly recommended to fully automate the data backup operation to avoid human errors and ensure integrity.
h) A minimum of one copy set of the data backup and recovery shall be stored and maintained at a secure, off-site location.
i) Critical IA&CS databases shall be backed up to hard drives on a daily basis. The data required for complete backup and restore shall be archived to removable media at least once every six months.
j) Network and system configuration files shall be backed up (and can be recovered) as part of the DRP.
k) Backup and recovery data on removable media shall be stored in locked, fire-safe cabinets.
l) Access to data backup and recovery shall be restricted to persons with legitimate company business needs.
m) Testing of the recovery procedure shall be recorded to document the results and resolve any new issues in the procedure.
n) Testing of the DRP should be done offline in a testing environment and not on the actual system, if offline systems are available. Testing of the recovery procedure should be documented.
o) A logbook shall be maintained at each storage location for purposes of monitoring access to the data. Entries shall be recorded in the logbook whenever a person removes any media from the designated location. The logbook shall contain the following:
i) Date & time of removal;
ii) Name and badge number of the employee responsible for removing the data;
iii) Purpose of removal;
iv) Specific data which was removed, such as the number of CDs and DVDs;
v) Estimated time the data will be removed from the location;
vi) The employee's signature at check-out of the data if using a hard-copy logbook;
vii) Date & time when the data is returned to the location;
viii) The employee's signature when the data is returned to the safe location if using a hard-copy logbook.

4.7 Physical Security

a) Security perimeters around informational assets should be clearly defined and carefully monitored on a daily basis for evidence of penetration, penetration attempts or tampering, or for particular patterns of tampering that could indicate an imminent physical attack.
b) Ensure that sensitive documents and other media material that are no longer needed are destroyed completely.
c) Access to a facility or internal locations such as the Control Room (CR) and Process Interface Building (PIB) by employees, contractors, or any other visitors shall be authorized by Operations and documented with date and time of entry and exit. Authorization shall be documented.
d) Isolate delivery and loading areas from any critical systems. These areas are often likely sources of attack or damage from potentially hazardous materials.
e) Tag all physical inventories with tamper-resistant labels to prevent removal of property.
f) Servers and network equipment shall be located in plant-controlled facilities or a data center/server/rack room.
g) Unused network ports shall be disabled in equipment located in shared data closets or equipment racks.
h) Data on servers and workstations sent for disposal should be deleted in accordance with GI-0299.120 "Sanitization and Disposal of Saudi Aramco Electronic Storage Devices and Obsolete/Unneeded Software".

5 Responsibilities

5.1 Plant Operations/Management

Plant operations/management and their designated operating staff are responsible for the implementation of this procedure. We refer to management's designated operating staff as the Process Automation Networks (PAN) Administrator. Plant operations/management has the responsibility for monitoring the implementation of this procedure within their plants.
5.2 PAN Administrator

Each plant organization shall have a qualified PAN Administrator to administer and perform system configuration and monitoring, coordinating with the Process Control System Administrator, if different, as designated by plant management. The PAN Administrator shall assume ownership of the IA&CS including the PAN Firewall. The PAN Administrator shall have the function of granting, revoking, and tracking access privileges and communications of users on the IA&CS including the Firewall. It is essential that the PAN Administrator has:
a) Knowledge or experience in plant operations, and
b) Network security certification (or equivalent knowledge and experience).

5.3 Process & Control Systems Department (P&CSD)/Communication & Computer Networks Unit (CCNU)

P&CSD/CCNU is responsible for maintaining and updating SAEP-99 "Process Automation Networks & Systems Security" Procedure.

6 Definitions

Access Control: Control of access to selected devices, information or both, to protect against unauthorized interrogation of the device or information.

Authentication: A security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.

Authorization: A right or a permission that is granted to a system entity to access a system resource.

Backup: A reserve copy of data that is stored separately from the original, for use if the original becomes lost or damaged.

Confidentiality: Assurance that information is not disclosed to unauthorized individuals, processes, or devices.

Encryption: Cryptographic transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used.

Firewall: An inter-network connection device that restricts data communication traffic between two connected networks.
Industrial Automation & Control Systems (IA&CS): IA&CS include the following: networks and systems hardware and software such as Process Automation Network (PAN), Distributed Control Systems (DCSs), Emergency Shutdown Systems (ESD), Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, Terminal Management Systems (TMS), networked electronic sensing systems, monitoring (such as VMS and PMS), diagnostic, and related industrial automation and control systems; and associated internal, human, network, or machine interfaces used to provide control, safety, maintenance, quality assurance, and other process operations functionalities to continuous, batch, discrete, and combined processes.

Integrity: The quality of a system reflecting the logical correctness and reliability of the operating system, the logical completeness of the hardware and software implementing the protection mechanisms, and the consistency of the data structures and occurrence of the stored data.

ISA: Stands for "The Instrumentation, Systems, and Automation Society". ISA is a leading, global, nonprofit organization that sets standards for automation.

Logs: Files or prints of information in chronological order.

PAN Administrator: The Process Automation Networks (PAN) Administrator administers and performs system configuration and monitoring, coordinating with the Process Control System Administrator, if different, as designated by plant management. The PAN Administrator assumes ownership of the IA&CS including the PAN Firewall and has the function of granting, revoking, and tracking access privileges and communications of users on the IA&CS including the Firewall.

Password: A form of secret authentication data that is used to control access to a resource.

Server: A dedicated unmanned data provider.

Service Level of Agreement (SLA): A contract between the service provider (e.g., Information Technology) and the proponent (the plant) to document and specify the service level expected, such as response time for problem resolution and technical staff qualification requirements.

Security Domain: A domain that establishes the scope of threat analysis for controllable assets in pre-defined physical or logical perimeter boundaries.

Vulnerability: A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's integrity or security policy.

For a comprehensive list of security-related terms and definitions, please refer to the ISA Security Standard: "Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts and Models", ISA-d99.00.01, February 2007.

7 Abbreviations

CCNU - Communication & Computer Networks Unit
DRP - Disaster Recovery Planning
DCS - Distributed Control System
DSS - Decision Support System
ESD - Emergency Shutdown Systems
IP - Internet Protocol
IPS - Intrusion Prevention System
ISA - The Instrumentation, Systems, and Automation Society
IA&CS - Industrial Automation & Control Systems
PAN - Process Automation Network
PLC - Programmable Logic Controller
PMS - Power Monitoring System
P&CSD - Process & Control Systems Department
SAES - Saudi Aramco Engineering Standard
SCADA - Supervisory Control and Data Acquisition
SLA - Service Level of Agreement
TCP/IP - Transmission Control Protocol / Internet Protocol
TMS - Terminal Management System
VMS - Vibration Monitoring System
Revision Summary
28 October 2007  New Saudi Aramco Engineering Procedure.
20 April 2008  Minor revision to clarify the use of individual user accounts and physical and logical network separation.