
NORTH FIELD EAST PROJECT
Onshore LNG Facilities

CYBERSECURITY FUNCTIONAL DESIGN SPECIFICATION (FDS) FOR ELECTRICAL DISTRIBUTION CONTROL SYSTEM (ELICS)

3945_18-EL20613A-00152
Date 03 APR 2023
REV 0

Table of Contents

1 INTRODUCTION
1.1 DOCUMENT OWNERSHIP, AUTHORITY & CONTRACTUAL STATUS
1.2 PURPOSE & SCOPE
1.3 SECURITY FRAMEWORK SPECIFICATION
2 SYSTEM HARDENING
2.1 REMOVING WINDOWS COMPONENTS
2.2 DISABLING SERVICES
2.3 SETTING OF DATA PROTECTION AND TELEMETRY DATA IN WINDOWS 10
2.4 SMB SIGNING
2.5 REMOTE DESKTOP SECURITY SETTING
2.6 DISABLING SMBV1
2.7 WINDOWS FIREWALL
2.8 BLOCKING ACCESS TO ALL USB STORAGE MEDIA
2.9 PASSWORD MEASURES
2.10 DISABLING AUTORUN / AUTOPLAY FOR EXTERNAL DRIVES AND STORAGE MEDIA
2.11 BIOS SETTINGS
2.12 SECURITY OPTIONS
2.13 ESXI SECURITY OPTIONS
2.14 TWO FACTOR AUTHENTICATION
3 NETWORK HARDENING
3.1 SWITCHES AND ROUTERS
3.2 NEXT GENERATION FIREWALLS (NGFWS)
4 PLC CONTROLLER/CPU HARDENING
4.1 ENGINEERING SOFTWARE SETTINGS
5 L2.5 NETWORK SWITCHES
5.1 HARDWARE PLATFORM
6 FIREWALLS
6.1 HARDWARE PLATFORM
6.2 SOFTWARE PLATFORM
7 NGFW SOLUTION OVERVIEW
7.1 INTRODUCTION
7.2 SECURITY ZONES
7.3 NGFWS SIZING
8 NETWORK SECURITY MONITORING SOLUTION
8.1 INTRODUCTION
8.2 HARDWARE PLATFORM
8.3 SOFTWARE PLATFORM
9 LOCAL DMZ L2.5 NGFWS
9.1 SECURITY ZONES ARCHITECTURE
9.2 THREAT PREVENTION
10 L3 NGFWS
10.1 SECURITY ZONES ARCHITECTURE
11 L2 FWS
11.1 SECURITY ZONES ARCHITECTURE
11.2 L2 FIREWALL HARDWARE PLATFORM
12 SECURITY RULES
13 ELIGIBLE PORTS FOR COMMUNICATION
13.1 NETWORK MANAGEMENT SYSTEM (NMS)
13.2 EPO SERVER
13.3 BACKUP SERVER
13.4 WSUS
13.5 PROCESS HISTORIAN
13.6 NTP SERVER
14 NMS SOLUTION OVERVIEW
14.1 NETWORK MONITORING AND CONFIGURATION MANAGEMENT
14.2 SINEC NMS COMPONENTS
14.3 SOFTWARE FUNCTIONS OVERVIEW
14.3.1 USER AND ROLE MANAGEMENT
14.3.2 MONITORING ON CONTROL
14.3.3 MONITORING ON OPERATIONS
14.3.4 REPORTS
14.3.5 POLICY-BASED DEVICE CONFIGURATION
14.3.6 FIRMWARE MANAGEMENT
14.3.7 MANAGEMENT OF DEVICE CONFIGURATION
15 VIRTUALIZATION SOLUTION OVERVIEW
15.1 INTRODUCTION
15.2 TERMINOLOGY
15.3 VIRTUAL MACHINES
15.4 THE VIRTUALIZATION SERVER
15.5 BILL OF VSPHERE PLATFORM
16 VIRTUALIZATION SYSTEM REQUIREMENTS
17 SOFTWARE DEPLOYMENT
17.1 VMWARE VSPHERE
17.2 VIRTUAL MACHINE DEPLOYMENT AND CONFIGURATION
18 WSUS SOLUTION OVERVIEW
19 WSUS SYSTEM PLATFORM
19.1 VIRTUAL MACHINE REQUIREMENTS
20 SOFTWARE DEPLOYMENT AND CONFIGURATION
20.1 DESIGN AND PLANNING OF THE NETWORK
21 PATCHING PROCEDURE
21.1 WSUS ROLL-BACK
21.2 PATCH TESTING
21.3 PATCH MANAGEMENT PROCEDURE AND STRATEGY FOR RELEASING AND INSTALLING MICROSOFT SECURITY UPDATES
22 BACKUP STRATEGY PLANNING
22.1 DATA TYPE (WHAT)
SYSTEM BACKUP
ENGINEERING PROJECT BACKUP
REAL-TIME DATA BACKUP
COMPONENT SPECIFIC DATA
22.2 ESTIMATED BACKUP SIZE
22.3 BACKUP SCHEDULE (WHEN)
22.4 PROJECT RECOMMENDED BACKUP SCHEDULE
23 BACKUP PLATFORM
23.1 HARDWARE PROFILE
23.2 SOFTWARE PROFILE
24 SYSTEM BACKUP CONFIGURATION
24.1 BACKUP MANAGEMENT SERVER
24.2 BACKUP AGENT
24.3 BACKUP SCHEDULING
24.4 BACKUP MEDIA (WHERE)
25 BACKUP VALIDATION AND RECOVERY STRATEGY
26 COMPONENT SPECIFIC BACKUP
26.1 DOMAIN CONTROLLER
26.2 LOG COLLECTOR
26.3 FIREWALL CONFIGURATION
26.4 SWITCH CONFIGURATION
26.5 USER ADMINISTRATION
27 MALWARE PREVENTION AND DETECTION
28 APPLICATION WHITELISTING SOLUTION OVERVIEW
28.1 APPLICATION CONTROL (WHITELISTING)
29 EPO PLATFORM
29.1 VIRTUAL PLATFORM
29.2 SOFTWARE PLATFORM
29.3 DASHBOARD AND REPORTS
29.4 APPROVED PATCHES
30 TIME SYNCHRONIZATION SOLUTION OVERVIEW
30.1 TIME DISPLAYED
30.2 TIME MASTER, TIME SLAVE, AND COOPERATIVE TIME MASTER
30.3 TIME SYNCHRONIZATION IN A DOMAIN
30.4 TIME SYNCHRONIZATION LAYOUT
31 TIME SYNCHRONIZATION HARDWARE

Appendices

App / Document No / Description
1. Appendix 1: 4253-AMPF-7-95-9236 Sht 001 - Cyber - System Architecture
2. Appendix 2: 4253-AMPF-7-95-9461 Sht 001_CYBER-Network
3. Appendix 3: Backing up and restoring data - PCS7_ SIMATIC Process Control System; PCS 7 Compendium Part F - Industrial Security

Abbreviations

NAS Network Attached Storage
GPOs Group Policy Objects
WSUS Windows Server Update Services
ePO ePolicy Orchestrator
HDD Hard Disk Drive
HW Hardware
SW Software
OS Operator Stations
DC Domain Controller
ES Engineering Station
NMS Network Management System
VM Virtual Machine
IPC Industrial Personal Computer
FW Firewall
BIOS Basic Input/Output System
NA Not Applicable
TB Terabyte
PH Process Historian
IPS Intrusion Prevention System
AMS Asset Management System
SNMP Simple Network Management Protocol
MIB Management Information Base
UTC Universal Time Coordinated
STG Steam Turbine Generator

1 INTRODUCTION

1.1 DOCUMENT OWNERSHIP, AUTHORITY & CONTRACTUAL STATUS


This document is produced by Siemens for the Cybersecurity system, as part of the ELICS PROJECT.
This document requires formal Review & Approval as follows.
Table 1-1
Milestone: Contract milestone – Client Technical Approval
Description: Specification / Design Approval prior to subsequent detailed engineering or fabrication

1.2 PURPOSE & SCOPE


ELICS system availability is the main requirement to operate the plant safely with the minimum downtime for any system. The need for the backup and recovery system is based on IEC 62443 SR 7.4; hence, a dedicated Backup and Recovery system shall be provided, as it is one of the most important risk mitigation measures to ensure high availability with minimal downtime and effort.
The Backup and Recovery solution shall optimize the manpower and resources that have been maintaining the ELICS systems to ensure the availability of the system. In case of any type of disaster, the Backup and Recovery solution shall provide the capability to reconstitute the control system to its secure state before the disruption of the operation. In other words, the Backup system protects the systems, applications, licenses, and data for both physical and virtual infrastructures.
As part of this project, multiple systems are hosted as Virtual Machines in order to minimize the physical footprint and optimize the resources allocated for each system. Subsequently, the Backup and Recovery system is required to provide data protection and recovery for the virtual machines hosted in the virtual infrastructure.
The purpose of this document is to outline the cybersecurity functional design specifications of the project, which include the topics of network security, end point security, user management and AAA, intrusion detection, system log management, and the backup and restore system for disaster recovery.

1.3 SECURITY FRAMEWORK SPECIFICATION

4.1. Overview
An Industrial Control System (ICS) is composed of diversified automation control components for
real-time operation, monitoring, and data collection.
The primary objective of the ICS security shall be based on the following unique attributes listed
according to their priority levels. VENDOR shall concur with these and generate relevant
documentation concerning each of the system compliance components and applicable checklists.

1) Integrity
It is paramount to maintain the consistency, accuracy, and trustworthiness of data over its
entire lifecycle. ICS data shall not be changed, destroyed, or lost in an unauthorized or
accidental manner. VENDOR shall implement policies and procedures to protect systems
and their data from flaws and unauthorized modification using functionality verification, data
integrity checking, intrusion detection, malicious code detection, and security alert and
advisory controls.

2) Availability
Another critical aspect of control system performance measurement is its Availability. The
implemented architecture shall avoid single points of failure using equipment high
availability, redundancy, and alternate implementations across all communication and control.
In case of redundant virtualization hardware, the primary and secondary virtualization hardware
shall be located in different buildings.

3) Confidentiality
Preserving authorized restrictions on information access and disclosure is regarded as
confidentiality. It is the prevention of sensitive information from reaching undesired
persons such as a foe or attacker. VENDOR shall comply with the secrecy of COMPANY
proprietary data from the Industrial Control and Safety System and of relevant policies or
procedures, whose disclosure can jeopardize reputation.

Plant security
● Physical security measures
Control of physical access to spaces, buildings, individual rooms, cabinets, devices,
equipment, cables and wires. The physical security measures must be based around the
security cells and the responsible persons. It is also important to implement physical
protection at remote single station systems.
● Organizational security measures
Security guidelines, security concepts, set of security rules, security checks, risk
analyses, assessments and audits, awareness measures and training.

Security strategies
4.2 Concept of "defence in depth"

Compendium Part F - Industrial Security (V9.0), Configuration Manual, 03/2018, A5E43228971-AA 13

Network security
● Division into security cells
A comprehensively secured network architecture subdivides the control network into
different task levels.
Perimeter zone techniques should be employed for this. This means that systems set up
in the perimeter network (DMZ) are shielded by one or more firewalls (front-end firewall
and back-end firewall or three-homed firewall) from other networks (e.g. Internet, office
network). This separation enables access to data in the perimeter network without having
to simultaneously allow access to the internal network to be protected (e.g. automation
network). As a result, risks of access violations can be significantly reduced.
● Securing access points to the security cells
A single access point to each security cell (should be realized by a firewall) for
authentication of users, employed devices and applications, for direction-based access
control, for assignment of access authorizations, and for detection of intrusion attempts.
The single access point functions as the main access point to the network of a security
cell and serves as the first point of a control of access rights to a network level.
● Securing the communication between two security cells over an "insecure" network
Certificate-based, authenticated, and encrypted communication should always be used
when the perimeter zone technique is used and there is communication across the
access points. Tunnel protocols such as PPTP (Point to Point Tunnelling Protocol),
L2TP (Layer Two Tunnelling Protocol) and IPsec (IP Security) can be used for
this. Furthermore,
communication is possible using protocols that are secured by server-based certificates,
such as RDP (Remote Desktop Protocol) or a website published via HTTPS. In this case,
communication takes place across the firewall using TLS (Transport Layer Security) or
SSL (Secure Sockets Layer) technology.
System integrity
● System hardening
Adjustments to a system to make it more resistant to malware attacks.
● User management and role-based operator authorizations
Task-based operation and access authorizations (role-based access control)
● Patch management
Patch management is the systematic procedure for installing updates on plant systems.
● Malware detection & prevention
Use of suitable and correctly configured virus scanners
Cybersecurity Architecture for the ELICS

2 SYSTEM HARDENING

All the system hardening measures listed below shall be part of Domain Policy configurations.
System hardening measures shall be implemented such that they do not conflict with
operational requirements for automatic recovery and restart of systems.

For a SIMATIC PCS 7 computer that fulfils a specific function in an automation system (OS server,
OS client, engineering station), certain programs that were installed during installation of the
operating system are not required for operation. These programs should be removed. In most cases,
this involves "Windows components", such as Games, Calculator, Notepad, WordPad, Paint, etc.
The table below shows the applicable hardening measures for the following categories:
• PCS 7 ELICS Servers
• PCS 7 ELICS Operator Workstation / OS Clients
• PCS 7 EWS
• Other Hosts (Security Servers/Machines): these include WSUS, NMS, Backup Server, ePO server and Terminal Server VMs.
• Hypervisor

Hardening | PCS 7 ELICS Server | PCS 7 ELICS OWS / OS Client | PCS 7 ELICS EWS | PCS 7 Process Historian | Other Hosts | Hypervisor

Secure network: No action required

Identity and Access Management
• SMB Setting: X X X X X
• Disabling SMBv1: X X X X X
• Windows Firewall: X X X X X
• Password Measures: X X X X X X
• Disable Autorun/Autoplay for external drives and storage media: X X X X X
• BIOS Settings: X X X X X X
• Security Options: X X X X X
• ESXi Security Options: X

Attack Surface Reduction
• Remove Windows Components: X X X X X
• Disabling Services: X X X X X
• Setting of Data Protection and Telemetry Data in Windows 10: X X
• Blocking Access to All USB Storage Media: X X X X X
• ESXi Security Options: X

Secure Channel and Encryption
• Remote Desktop Security Settings: X X X X X X

Logging and Monitoring
• ESXi Security Options: X
• Two Factor Authentication: X

• PCS7 OS Server
The table below lists the applicable sections for each required hardening measure for the
PCS7 OS servers.
Table 2-1: Applicable hardening measures for OS servers.
Security Topic: Hardening Measures
Secure Network: No action required
Identity and Access Management: Section 2.4, Section 2.6, Section 2.7, Section 2.9, Section 2.10, Section 2.11, Section 2.12
Attack Surface Reduction: Section 2.1, Section 2.2, Section 2.8, Section 2.14
Secure Channels & Encryption: Section 2.5
System Integrity: ENS and AC agent as detailed in 4253-AMPF-7-95-9411 Sht 001; Time Synchronization as detailed in 4253-AMPF-7-95-9467 Sht 001.
Logging and Monitoring: Syslog and WMI enabled as detailed in 4253-AMPF-7-95-9464 Sht 001 document.

• PCS7 OS Clients
The table below lists the applicable sections for each required hardening measure for the
PCS7 OS Clients.
Table 2-2: Applicable hardening measures for OS Clients.
Security Topic: Hardening Measures
Secure Network: No action required
Identity and Access Management: Section 2.4, Section 2.6, Section 2.7, Section 2.9, Section 2.10, Section 2.11, Section 2.12
Attack Surface Reduction: Section 2.1, Section 2.2, Section 2.3, Section 2.8, Section 2.14
Secure Channels & Encryption: Section 2.5
System Integrity: ENS and AC agent as detailed in 4253-AMPF-7-95-9411 Sht 001; Time Synchronization as detailed in 4253-AMPF-7-95-9467 Sht 001.
Logging and Monitoring: Syslog and WMI enabled as detailed in 4253-AMPF-7-95-9464 Sht 001 document.

• PCS7 EWS
The table below lists the applicable sections for each required hardening measure for
PCS7 EWS.
Table 2-3: Applicable hardening measures for EWS.
Security Topic: Hardening Measures
Secure Network: No action required
Identity and Access Management: Section 2.4, Section 2.6, Section 2.7, Section 2.9, Section 2.10, Section 2.11, Section 2.12
Attack Surface Reduction: Section 2.1, Section 2.2, Section 2.3, Section 2.8, Section 2.14
Secure Channels & Encryption: Section 2.5
System Integrity: ENS and AC agent as detailed in 4253-AMPF-7-95-9411 Sht 001; Time Synchronization as detailed in 4253-AMPF-7-95-9467 Sht 001.
Logging and Monitoring: Syslog and WMI enabled as detailed in 4253-AMPF-7-95-9464 Sht 001 document.

• PCS7 Process Historian
The table below lists the applicable sections for each required hardening measure for the
PCS7 PH.
Table 2-4: Applicable hardening measures for PH.
Security Topic: Hardening Measures
Secure Network: No action required
Identity and Access Management: Section 2.4, Section 2.6, Section 2.7, Section 2.9, Section 2.10, Section 2.11, Section 2.12
Attack Surface Reduction: Section 2.1, Section 2.2, Section 2.8, Section 2.14
Secure Channels & Encryption: Section 2.5
System Integrity: ENS and AC agent as detailed in 4253-AMPF-7-95-9411 Sht 001; Time Synchronization as detailed in 4253-AMPF-7-95-9467 Sht 001.
Logging and Monitoring: Syslog and WMI enabled as detailed in 4253-AMPF-7-95-9464 Sht 001 document.

• Other hosts (Security Server/Machines)


The table below lists the applicable sections for each required hardening measure for any
security machine, including WSUS, NMS, Backup Server, ePO server and Terminal Server VMs.
Table 2-5: Applicable hardening measures for security server.
Security Topic: Hardening Measures
Secure Network: No action required
Identity and Access Management: Section 2.4, Section 2.6, Section 2.7, Section 2.9, Section 2.10, Section 2.11, Section 2.12
Attack Surface Reduction: Section 2.1, Section 2.2, Section 2.8
Secure Channels & Encryption: Section 2.5
System Integrity: ENS and AC agent as detailed in 4253-AMPF-7-95-9411 Sht 001; Time Synchronization as detailed in 4253-AMPF-7-95-9467 Sht 001.
Logging and Monitoring: Syslog and WMI enabled as detailed in 4253-AMPF-7-95-9464 Sht 001 document.

• Hypervisor
The table below lists the applicable sections for each required hardening measure for the
hypervisor.
Table 2-6: Applicable hardening measures for Hypervisor.
Security Topic: Hardening Measures
Secure Network: No action required
Identity and Access Management: Section 2.5, Section 2.9, Section 2.11, Section 2.13
Attack Surface Reduction: Section 2.13, Section 2.14
Secure Channels & Encryption: Section 2.5
System Integrity: Time Synchronization as detailed in 4253-AMPF-7-95-9467 Sht 001.
Logging and Monitoring: Section 2.13

2.1 REMOVING WINDOWS COMPONENTS


For a SIMATIC PCS 7 computer that fulfils specific functions in an automation system (OS server,
OS client, engineering station), certain programs that were installed during installation of the
operating system are not required for operation. These programs should be removed. In most cases
this involves "Windows components", such as Games, Calculator, Notepad, WordPad, Paint, etc.
To remove unneeded Windows components, follow these steps:
Right-click the Windows Start menu and select the "Programs & Features" command in the shortcut menu.
The "Programs & Features" dialog box opens.

Click the "Turn Windows features on or off" entry in the navigation pane. Enter the administrator
password, if required. If you are already logged on as an administrator, confirm the execution of
the application. The "Windows Features" dialog box opens.

Disable the Media Features.

Confirm the changes with "OK".

2.2 DISABLING SERVICES


In accordance with the specifications for hardening a system, unneeded services should be disabled
in addition to the software packages that are not required for the operation of a system.
The following services can be disabled for all operating systems supported by PCS 7 V9.1:
• Certificate distribution
• Diagnostic Policy Service
• Diagnostic Service Host
• Windows Color System
• Windows Connect Now - Config Registrar
• Performance Logs and Alerts
• Windows Presentation Foundation Font Cache

If you select the "System hardening" option during installation via the SIMATIC PCS 7 Setup, the
services listed above are disabled by the installation.

To disable the above-mentioned services manually, follow these steps (using Windows 10 as an
example):
Right-click the Windows Start menu and select the "Computer Management" command from the
shortcut menu. Enter the administrator password, if required. If you are already logged on as an
administrator, confirm the execution of the application. The "Computer Management" dialog
opens.

In the navigation pane, select "Services and Applications > Services". The right pane of the dialog lists all
available services. The "Status" column indicates whether the service is currently running. The "Startup Type"
column shows how the service is started: "Manual", "Automatic", "Automatic (Delayed Start)" or "Disabled"
(service cannot be started).

In the right area, select the service to be disabled, and open the properties dialog of the service by
double-clicking on it. Only the services listed above may be disabled.

Under "Service status", click "Stop" to stop the service.

Select "Disabled" as the start-up type and confirm your changes with "OK".
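
The end state of the manual procedure above can be verified per host without opening the Services console. The following PowerShell audit is an added example, not part of this specification or of the Siemens documentation; it is read-only, and the display-name patterns are assumptions derived from the service names listed in this section, so a name that matches no installed service is reported for manual review instead of being counted as compliant.

```powershell
# Added example (not from the specification): read-only audit of the services
# named in Section 2.2. Nothing is stopped or reconfigured.

# Assumption: display-name patterns built from the list in this section.
# Wildcards absorb small differences between the list and the installed
# display name (for example "and" vs "&", or a version suffix).
$patterns = @(
    'Certificate distribution*',
    'Diagnostic Policy Service',
    'Diagnostic Service Host',
    'Windows Color System',
    'Windows Connect Now*Config Registrar',
    'Performance Logs*Alerts',
    'Windows Presentation Foundation Font Cache*'
)

# Win32_Service exposes StartMode (Auto/Manual/Disabled) and State (Running/Stopped).
$installed = Get-CimInstance -ClassName Win32_Service

$report = foreach ($pattern in $patterns) {
    $found = @($installed | Where-Object { $_.DisplayName -like $pattern })

    if ($found.Count -eq 0) {
        # Not installed on this OS edition, or named differently: needs a human look.
        [pscustomobject]@{
            Pattern   = $pattern
            Service   = '(no match)'
            StartMode = $null
            State     = $null
            Result    = 'REVIEW'
        }
        continue
    }

    foreach ($svc in $found) {
        # Hardened means both: start-up type Disabled AND not running right now.
        $hardened = ($svc.StartMode -eq 'Disabled') -and ($svc.State -eq 'Stopped')
        [pscustomobject]@{
            Pattern   = $pattern
            Service   = $svc.Name
            StartMode = $svc.StartMode
            State     = $svc.State
            Result    = if ($hardened) { 'OK' } else { 'FAIL' }
        }
    }
}

$report | Format-Table -AutoSize

# Summary line for a commissioning checklist or a scheduled compliance run.
$open = @($report | Where-Object { $_.Result -ne 'OK' }).Count
"Entries needing attention (FAIL or REVIEW): $open"
```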

2.3 SETTING OF DATA PROTECTION AND TELEMETRY DATA IN WINDOWS 10


Default Windows services and functions that can disclose the location of the machine,
automatically synchronize Windows settings and personalization, or communicate using insecure
protocols are disabled to ensure anonymity.
To set the data protection and telemetry data in Windows 10, follow these steps:
Select the "Notifications" icon in the Windows taskbar. The "ACTION CENTER" opens.
Select the "All settings" option.

In the "Settings" navigation area, click the "Privacy – Location, Camera" entry.

Go step by step through the privacy settings and disable them if this is possible.

Close the "Settings" window. Additional Windows 10 data protection functions can be enabled via group policy
settings. To do this, start the Group Policy Editor for the local group policies "gpedit.exe" in an administrative
command prompt (these settings can be made centrally in a domain) and configure the following policy settings
(Group Policy Object or GPO).

Figure 2-1: Group Policy Object

2.4 SMB SIGNING


SMB is required for transferring project files between engineering workstations, servers and client
machines. To ensure secure communication, digitally signed SMB communication is required.
Additional Windows security functions can be enabled via group policy settings. To do so,
start the Group Policy Editor for the local group policies "gpedit.exe" in an administrative command
prompt (these settings can be made centrally in a domain).

The following settings are found under policy setting "Computer Configuration > Windows Settings >
Security Settings > Local Policies > Security Options":
• Microsoft network (client): Digitally sign communication (always)
• Microsoft network (server): Digitally sign communication (always)
• Microsoft network (server): Digitally sign communication (if client agrees)
These three settings must be enabled for use of SMB signing.

2.5 REMOTE DESKTOP SECURITY SETTING


All machines are set to refuse any request for remote desktop connection, as all cabinets include
KVM/KMM and RDP is not required. If RDP is required, e.g. when an OS client is accessed via the
Remote Desktop Protocol (RDP), an additional security measure should be taken. To do so, start the
Group Policy Editor for the local group policies "gpedit.exe" in an administrative command prompt
(this setting can be made centrally in a domain) to make the appropriate group policy setting.
The setting "Require user authentication for remote connections by using Network Level
Authentication" can be found under policy setting "Computer Configuration > Administrative
Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host >
Security". This setting must be enabled.

On all PCS 7 systems, except where necessary on OS clients (e.g. in virtual environments), the
setting "Computer Configuration > Administrative Templates > Windows Components > Remote
Desktop Services > Remote Desktop Session Host > Connections > Allow users to connect remotely
using Remote Desktop Services" must be disabled. This prevents users from logging on to systems
using RDP.

2.6 DISABLING SMBV1


An outdated version of the SMB protocol (SMBv1), which can be used for copying files between two
systems, is disabled on your systems.
The following command shall be executed in PowerShell to disable SMBv1:
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

2.7 WINDOWS FIREWALL


To prevent the Windows Firewall from blocking the communication between the OS server and other
systems, the following changes are made to the firewall rules of the Windows Firewall of the
systems involved in order to allow communication on the required ports between the intended IP
addresses:
1. Select the command "Start (Windows logo) - right mouse button > Control Panel > System and
Security > Windows Firewall". The "Windows Firewall" dialog opens.
2. Click "Advanced settings" in the left navigation pane.

Enter the administrator password, if required. If you are already logged on as an administrator,
confirm the execution of the application. The "Windows Firewall" dialog box opens.
3. Click "Inbound Rules" in the left navigation pane.

The "Inbound Rules" are displayed.


4. Open the properties of an active file and printer sharing rule (according to the network profile
used: Domain, Private or Public) with a double-click. The properties dialog of this rule opens.

5. Open the "Scope" tab. The "Remote IP address" area shows the IP address range for which
this firewall rule is valid and, for example, does not block the inbound communication.

In the case of the figure below, the communication is allowed only with computers in the "Local
subnet". Communication of computers in a different subnet is thus blocked.

6. In order to allow communication of, click the "Add" button in the "Remote IP Address".

The configuration dialog opens.


7. Select the option "This IP address or subnet:" and enter the IP address of the communication
partner and confirm the entry with the "OK" button.
8. Confirm the change with "OK".

9. Adapt all inbound and outbound rules marked in the following figure according to your
environment (e.g. workgroup, Windows domain, subnets). In addition, all inbound rules of the
"Automation …" and "SIMATIC …" group must also be checked or adapted.

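The scope review in steps 4 to 9 can be repeated across many rules from PowerShell. The following is an added example, not part of the specification: it flags enabled inbound "File and Printer Sharing" rules whose remote address scope is wider than an approved list. The function names, the sample rules and the approved addresses are assumptions made for illustration.

```powershell
# Added example, not part of the specification.
# Finds enabled inbound "File and Printer Sharing" rules whose Scope
# (Remote IP address) is wider than the approved communication partners.

function Test-RuleScope {
    # Pure check: works on any objects that carry Name and RemoteAddress.
    param(
        [Parameter(Mandatory)] [object[]] $Rule,
        [Parameter(Mandatory)] [string[]] $ApprovedRemote
    )
    foreach ($r in $Rule) {
        $unapproved = @($r.RemoteAddress | Where-Object { $_ -notin $ApprovedRemote })
        if ($unapproved.Count -eq 0) { continue }
        $reason = 'peer not on approved list'
        if ($unapproved -contains 'Any') { $reason = 'open to every remote address' }
        [pscustomobject]@{
            Rule       = $r.Name
            Unapproved = $unapproved -join ', '
            Reason     = $reason
        }
    }
}

function Get-FileSharingRuleScope {
    # Collector for a live host (NetSecurity module, elevated session).
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.DisplayName
                RemoteAddress = @($filter.RemoteAddress)
            }
        }
}

# Constructed sample rules (not taken from a real host).
$sampleRules = @(
    [pscustomobject]@{ Name = 'File and Printer Sharing (SMB-In)';        RemoteAddress = @('LocalSubnet', '192.0.2.10') }
    [pscustomobject]@{ Name = 'File and Printer Sharing (NB-Session-In)'; RemoteAddress = @('Any') }
    [pscustomobject]@{ Name = 'File and Printer Sharing (NB-Name-In)';    RemoteAddress = @('LocalSubnet', '198.51.100.0/24') }
)
# Hypothetical approved scope: the local subnet plus one OS server address.
$approved = @('LocalSubnet', '192.0.2.10')

# Reports the NB-Session-In rule (scope "Any") and the NB-Name-In rule
# (extra subnet); the SMB-In rule is within the approved scope.
Test-RuleScope -Rule $sampleRules -ApprovedRemote $approved | Format-Table -AutoSize

# On a real system, replace the sample with the collector:
#   Test-RuleScope -Rule (Get-FileSharingRuleScope) -ApprovedRemote $approved
# and narrow a flagged rule (this replaces the rule's whole remote address list):
#   Set-NetFirewallRule -DisplayName '<rule name>' -RemoteAddress $approved
```
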
2.8 BLOCKING ACCESS TO ALL USB STORAGE MEDIA


USB access to machines is blocked using group policies.

Start the Group Policy Editor for the local group policies "gpedit.exe" in an administrative command prompt
(these settings can be made centrally in a domain) and configure the following policy settings (Group Policy
Object or GPO).

Select the folder "Computer Configuration > Administrative Templates > System > Removable Storage Access".
Double-click the group policy "All Removable Storage classes: Deny all access". The properties dialog of the
group policy opens.

Select "Enabled" and confirm your changes with "OK".


Reboot the computer.

2.9 PASSWORD MEASURES


Poorly chosen passwords are still one of the most common deficiencies for security. Often, the user
chooses character combinations that are too short or too simple.
To find passwords, for example, hackers use so-called brute-force attacks that automatically try a
variety of possible character combinations or test entire dictionaries. To prevent such attacks, a
password should meet certain quality requirements. Therefore, care is taken in
defining and implementing a password policy in the automation plant. The password
policy takes the following points into consideration:
• Password aging
Passwords must be changed at regular intervals (every 36 months at the latest).
• A password must meet minimum complexity standards, i.e. it should meet the following
requirements:
– Minimum length of 12 characters
– At least 2 alphanumeric characters (upper/lower case letters), at least 1 number and
special character.
• Password history
A new password must differ significantly from the previous password (by at least 3
characters).
The following procedure is described using the example of a "Windows 10" operating system. To
implement the password policies, follow these steps:
1. Start the Group Policy Editor for the local group policies "gpedit.exe" in an administrative
command prompt (these settings can be made centrally in a domain) and configure the following
policy settings (Group Policy Object or GPO).
2. Select "Computer Configuration > Windows Settings > Security Settings > Account Policies >
Password Policy" in the left navigation pane. The password policies are displayed.

3. Make the required settings for the following policies:

• Service Accounts
For service accounts, the password hardening measures are as follows:
1. Passwords shall be of at least 20 characters.
2. A process for changing service account passwords shall be implemented.
3. All service accounts are in a dedicated organizational unit (OU) in AD so that
they can be managed separately from other accounts.
2.10 DISABLING AUTORUN / AUTOPLAY FOR EXTERNAL DRIVES AND STORAGE MEDIA

Disabling the AutoPlay function using a group policy


The AutoPlay and AutoRun functions of Windows are disabled using group policies to prevent any
executable file from executing automatically on insertion of removable and external media.
To disable the AutoPlay function in Windows via a group policy, follow these steps:
• Start the Group Policy Editor for the local group policies "gpedit.exe" in an administrative
command prompt (these settings can be made centrally in a domain) and configure the following
policy settings (Group Policy Object or GPO).

Select the folder "Computer Configuration > Administrative Templates > Windows Components
> Autoplay Policies". The associated policies for the folder are displayed in the right pane of the
editor.

Double-click the group policy "Turn off Autoplay". The properties dialog of the group policy opens.

Select the "Enabled" option, and from the drop-down list in the "Turn off Autoplay on:" area, select
the "All drives" option.
Confirm the settings with "OK".

Reboot the computer.

Disabling all AutoRun functions using a group policy


To disable the AutoRun function in Windows via a group policy, follow these steps:
Start the Group Policy Editor for the local group policies "gpedit.exe" in an administrative command prompt
(these settings can be made centrally in a domain) and configure the following policy settings (Group Policy
Object or GPO).

Select the folder "Computer Configuration > Administrative Templates > Windows Components > Autoplay
Policies". The right pane of the editor shows the policies associated with the folder.
Double-click the group policy "Specify Default Autorun Behavior". The properties dialog of the group
policy opens.
Select the "Enabled" option, and from the drop-down list in the "Default Autorun Behavior" area,
select the "Do not execute any autorun commands" option.
Confirm the settings with "OK".


Reboot the computer.
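
Whether the group policies of sections 2.4, 2.5, 2.8 and 2.10 actually reached a machine can be checked from the registry values they write. The following is an added example, not part of the specification: the registry paths are the locations these policies are assumed to write on Windows 10 (confirm them against the ADMX templates of the build in use), and the function names and sample host data are constructed for illustration.

```powershell
# Added example, not part of the specification.
# Each entry: the GPO setting from the text, the registry value it is assumed
# to write, and the data that value must hold once the policy is applied.
$svc  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$ts   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rsd  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$expl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

$Baseline = @(
    @{ Section = '2.4';  Setting = 'SMB client: sign (always)';           Path = "$svc\LanmanWorkstation\Parameters"; Name = 'RequireSecuritySignature'; Expected = 1 }
    @{ Section = '2.4';  Setting = 'SMB server: sign (always)';           Path = "$svc\LanmanServer\Parameters";      Name = 'RequireSecuritySignature'; Expected = 1 }
    @{ Section = '2.4';  Setting = 'SMB server: sign (if client agrees)'; Path = "$svc\LanmanServer\Parameters";      Name = 'EnableSecuritySignature';  Expected = 1 }
    @{ Section = '2.5';  Setting = 'RDP: require NLA';                    Path = $ts;   Name = 'UserAuthentication'; Expected = 1 }
    @{ Section = '2.5';  Setting = 'RDP: remote connections denied';      Path = $ts;   Name = 'fDenyTSConnections'; Expected = 1 }
    @{ Section = '2.8';  Setting = 'Removable storage: deny all access';  Path = $rsd;  Name = 'Deny_All';           Expected = 1 }
    @{ Section = '2.10'; Setting = 'Turn off Autoplay: all drives';       Path = $expl; Name = 'NoDriveTypeAutoRun'; Expected = 255 }
    @{ Section = '2.10'; Setting = 'Autorun: do not execute commands';    Path = $expl; Name = 'NoAutorun';          Expected = 1 }
)

function Get-LiveValue {
    # Reads one value from the local registry; returns $null when the key or
    # the value does not exist (policy never configured on this machine).
    param([string] $Path, [string] $Name)
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-HardeningBaseline {
    # Compares every baseline entry with what the reader returns.
    # A missing value is reported separately: it means the GPO was not applied,
    # which is different from a value that was set to something else.
    param(
        [Parameter(Mandatory)] [object[]]    $Baseline,
        [Parameter(Mandatory)] [scriptblock] $Reader   # (Path, Name) -> value or $null
    )
    foreach ($b in $Baseline) {
        $actual = & $Reader $b.Path $b.Name
        if ($null -eq $actual) { $state = 'NotConfigured' }
        elseif ($actual -eq $b.Expected) { $state = 'Compliant' }
        else { $state = 'Mismatch' }
        [pscustomobject]@{
            Section  = $b.Section
            Setting  = $b.Setting
            Expected = $b.Expected
            Actual   = $actual
            State    = $state
        }
    }
}

# Constructed sample host (not a real machine), keyed by "path|value name".
$sampleHost = @{
    "$svc\LanmanWorkstation\Parameters|RequireSecuritySignature" = 1
    "$svc\LanmanServer\Parameters|RequireSecuritySignature"      = 1
    "$svc\LanmanServer\Parameters|EnableSecuritySignature"       = 0    # mismatch
    "$ts|UserAuthentication"                                     = 1
    "$ts|fDenyTSConnections"                                     = 1
    "$expl|NoDriveTypeAutoRun"                                   = 145  # mismatch: not all drive types
    "$expl|NoAutorun"                                            = 1
    # Deny_All is absent: the removable storage policy was never applied
}
$sampleReader = { param($Path, $Name) $sampleHost["$Path|$Name"] }

Test-HardeningBaseline -Baseline $Baseline -Reader $sampleReader |
    Format-Table Section, Setting, Expected, Actual, State -AutoSize

# On a real machine, read the local registry instead of the sample:
#   Test-HardeningBaseline -Baseline $Baseline -Reader ${function:Get-LiveValue}
# SMBv1 (section 2.6) is a Windows feature rather than a policy value:
#   (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State   # should read Disabled
```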
2.11 BIOS SETTINGS


The following BIOS settings are implemented on each computer in the plant:
• Access to the BIOS is protected with a password. The password is set by an
administrator and handled as confidential. To set a password, the below steps shall be followed:

o Restart the PC, and press F2 continuously to reach the following interface. Select "Security" with
the cursor and choose "Set User" password or "Set User Password". Note: The difference
between Set User Password and Set Supervisor Password: User password controls access
to the system at boot; supervisor password controls access to the setup utility.

o Then enter the password.

• The order of the boot media of the computer is set in such a way that the first boot attempt is
from the hard disk containing the operating system installation and SIMATIC PCS 7. The BIOS boot
manager is disabled. These measures will make it difficult to boot from other media, such as
CDs or USBs.

• Restart your PC, and press the F2 or Del key to get into the BIOS/UEFI

o Search for BOOT ORDER or BOOT DEVICES.

o Disable all boot options from (CD, USB)

• The USB ports are disabled through BIOS with the below measures.

• In the first step, go to the Start menu and open the Run dialog box, or press the "Windows +
R" key combination to open the Run window directly.

Then type "regedit.exe" and press Enter to open the Registry Editor as shown in the figure below.
The Registry Editor window is launched. Navigate to the following path:

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > USBSTOR

Click on the "Start" value to open the "Edit DWORD (32-bit) Value" window.
Then change the "Value data" field to '4' to disable the USB drives or ports and click OK.
Once done, USB drives and ports on your system will be disabled.
To re-enable the USB ports or drives, change this value to 3 and click OK, as depicted in the
figure below. Once done, USB drives and ports on your system will be enabled again.
• You can restart your system to check the applied effects.

• TPM is enabled. To check if TPM is enabled, the below steps shall be followed:
o Restart your PC, and press the F2 or Del key to get into the BIOS/UEFI
o Locate Security Section or Advanced or something similar
o If TPM is available, enable it.
o Once enabled, you need to switch from discrete TPM to a firmware TPM
o Save the settings, and exit the BIOS or UEFI
o Reboot your machine and run tpm.msc again. It should now report that TPM is ready for use.

2.12 SECURITY OPTIONS


All machines shall have a GPO applied from the Active Directory with a computer setting to enforce
the Security Options settings mentioned in Table 2-1. In addition, audit logs will be generated
for the following scenarios:
• Successful/Failed User login
• Activities of users with different privileges
• Windows System logs and events
• PCS 7 application logs and events
Table 2-1: Security GPOs

| Policy | Security Setting |
| --- | --- |
| Audit | |
| Audit: Shutdown system immediately if unable to log security audits | Disabled |
| Audit: Audit the use of Backup and Restore Privilege | Enabled |
| Interactive Logon | |
| Interactive logon: Do not display last user name | Enabled |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled |
| Interactive logon: Message text (security Banner) for users attempting to log on | (**** Unauthorized Access is Prohibited **** This property belongs to ‘QatarGas’ and any unauthorized attempts to access this device will be logged and investigated. Violators will be prosecuted in conformance with local state laws) |
| Interactive logon: Message title for users attempting to log on | “Warning” |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 |
| Interactive logon: Prompt user to change password before expiration | 15 days |
| Interactive Logon: Display user information when the session is locked | User Display name, domain and user names |
| Network Security | |
| Network security: Do not store LAN Manager hash value on next password change | Enabled |
| Network security: Force logoff when logon hours expire | Disabled |
| Network security: LAN Manager authentication level | Send LM & NTLM – use NTLMv2 session security if negotiated |
| Shutdown | |
| Shutdown: Allow system to be shut down without having to log on | Disabled |
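
The effective password policy of section 2.9 and the Security Options of Table 2-1 can be verified from a `secedit` export of the local security policy. The following is an added example, not part of the specification: it parses the exported INF text and compares it with the values stated on this page. The function names and the sample export are constructed for illustration, and the INF key names are the ones `secedit` is assumed to emit for these policies.

```powershell
# Added example, not part of the specification.
function ConvertFrom-SeceditInf {
    # Parses "secedit /export" INF text into @{ Section = @{ Key = Value } }.
    param([Parameter(Mandatory)] [string[]] $Line)
    $result  = @{}
    $section = $null
    foreach ($l in $Line) {
        $t = $l.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; $result[$section] = @{}; continue }
        if ($null -eq $section -or $t -eq '' -or $t.StartsWith(';')) { continue }
        $i = $t.IndexOf('=')
        if ($i -lt 1) { continue }
        $key = $t.Substring(0, $i).Trim()
        $val = $t.Substring($i + 1).Trim()
        if ($section -eq 'Registry Values') {
            # Data is "<registry type>,<value>", e.g. 4,1 or 1,"10": keep the value.
            $parts = $val -split ',', 2
            if ($parts.Count -eq 2) { $val = $parts[1].Trim('"') }
        }
        $result[$section][$key] = $val
    }
    $result
}

function Test-SeceditPolicy {
    # A setting that was never defined is absent from the export and fails.
    param([Parameter(Mandatory)] [hashtable] $Policy, [Parameter(Mandatory)] [object[]] $Check)
    foreach ($c in $Check) {
        $raw = $null
        if ($Policy.ContainsKey($c.Section)) { $raw = $Policy[$c.Section][$c.Key] }
        $n = 0
        $pass = $false
        if ($null -ne $raw -and [int]::TryParse($raw, [ref] $n)) {
            if ($c.Op -eq 'ge') { $pass = $n -ge $c.Want } else { $pass = $n -eq $c.Want }
        }
        [pscustomobject]@{
            Source = $c.Source
            Key    = ($c.Key -split '\\')[-1]
            Want   = "$($c.Op) $($c.Want)"
            Found  = $raw
            Pass   = $pass
        }
    }
}

$lsa = 'MACHINE\System\CurrentControlSet\Control\Lsa'
$sys = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$wl  = 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Checks = @(
    @{ Source = '2.9';       Section = 'System Access';   Key = 'MinimumPasswordLength';        Op = 'ge'; Want = 12 }
    @{ Source = '2.9';       Section = 'System Access';   Key = 'PasswordComplexity';           Op = 'eq'; Want = 1 }
    @{ Source = 'Table 2-1'; Section = 'Registry Values'; Key = "$lsa\CrashOnAuditFail";        Op = 'eq'; Want = 0 }
    @{ Source = 'Table 2-1'; Section = 'Registry Values'; Key = "$lsa\FullPrivilegeAuditing";   Op = 'eq'; Want = 1 }
    @{ Source = 'Table 2-1'; Section = 'Registry Values'; Key = "$sys\DontDisplayLastUserName"; Op = 'eq'; Want = 1 }
    @{ Source = 'Table 2-1'; Section = 'Registry Values'; Key = "$sys\DisableCAD";              Op = 'eq'; Want = 0 }
    @{ Source = 'Table 2-1'; Section = 'Registry Values'; Key = "$wl\CachedLogonsCount";        Op = 'eq'; Want = 10 }
    @{ Source = 'Table 2-1'; Section = 'Registry Values'; Key = "$wl\PasswordExpiryWarning";    Op = 'eq'; Want = 15 }
    @{ Source = 'Table 2-1'; Section = 'Registry Values'; Key = "$lsa\NoLMHash";                Op = 'eq'; Want = 1 }
    # 1 = "Send LM & NTLM - use NTLMv2 session security if negotiated" (Table 2-1 value)
    @{ Source = 'Table 2-1'; Section = 'Registry Values'; Key = "$lsa\LmCompatibilityLevel";    Op = 'eq'; Want = 1 }
    @{ Source = 'Table 2-1'; Section = 'Registry Values'; Key = "$sys\ShutdownWithoutLogon";    Op = 'eq'; Want = 0 }
)

# Constructed sample export (not from a real host): the minimum length is too
# short and LmCompatibilityLevel was never defined, so both checks fail.
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,15
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
'@

$policy = ConvertFrom-SeceditInf -Line ($sampleInf -split '\r?\n')
Test-SeceditPolicy -Policy $policy -Check $Checks | Format-Table -AutoSize

# On a real machine (elevated prompt), export first and parse the file instead:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
#   $policy = ConvertFrom-SeceditInf -Line (Get-Content "$env:TEMP\secpol.inf")
```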
2.13 ESXI SECURITY OPTIONS


All Machines shall have a GPO applied from the Active Directory with a computer setting to enforce
the following Security Options settings:
Table 2-2: Security settings

| Guideline | Desired value |
| --- | --- |
| Automatically unlock a locked account after a specific amount of time. | 900 |
| Do not permit password reuse. | 5 |
| Use Active Directory for ESXi user authentication. | Site-Specific |
| UEFI Secure Boot with TPM enabled | Enabled |
| Hardware firmware is up to date. | Up to date |
| Configure remote logging | Log Collector IP |
| Ensure hardware management controller interfaces are isolated on their own network segment and protected with perimeter access controls. | vLAN Management |
| Configure NTP | NTP server IP |
| Only run binaries delivered via VIB. | Enabled |
| Disable virtual disk shrinking. | Enabled |
| Limit the number of console connections. | Based on Site requirement. Recommended: 11 |
| Limit the size of VM diagnostic logs. | 2 MB |
| Lock the VM guest session when the remote console is disconnected. | Enabled |
2.14 TWO FACTOR AUTHENTICATION


YubiKey physical keys will be used for two-factor authentication to secure access to the
Engineering Workstations.
YubiKey 5C NFC is selected for the two-factor authentication on the Engineering workstation in
NMCB, SS-6502 & Operation Centre.
3 NETWORK HARDENING
The strategy for dividing plants and connected plants into security cells increases the availability of
the overall system. Failures or security threats that result in failure can thereby be restricted to the
immediate vicinity. During the planning of the security cells, the plant is first divided into process cells
and then into security cells based on the security measures. The security cells can be achieved by
network components and hence hardening these devices is crucial to the overall plant security.
Network access points normally block prohibited data traffic to the process control and process
visualization systems, in addition to enabling permitted data traffic and the normal operation of the
process control and process visualization systems. The following table shows several access points.
Table 3-1: Access Points

3.1 SWITCHES AND ROUTERS


The following table illustrates the hardening measures to be taken against each switch and router.
Table 3-2: Applicable hardening measures for switches and routers.
Security Topic / Hardening Measures

Secure Network
• Use static IPs.
• Use of SNMPv3
• Network Discovery Disabled

Identity and Access Management
• RADIUS server is used for authentication of all the switches.
• SNMPv3 with strong auth and priv passwords.
• Threshold of five (5) failed login attempts for account lockout.
• Account reset after account lockout possible after thirty (30) minutes.
• SNMP with a strong community string.
• Set a threshold of failed login attempts as per the password standards
• Password shall be as per the standard password complexity defined in 2.9.
• Integrated with Domain for groups and users management.

Attack Surface Reduction
• Disable unused switch ports and assign them a VLAN number not in use.
• The unused ports shall be physically locked.
• Disable unnecessary services, protocols, and features on network devices.

Secure Channels & Encryption
• Utilize SSH instead of telnet and set a strong password for SSH.
• Utilize HTTPS instead of HTTP.

System Integrity
• NTP for time synchronization shall be configured.

Logging and Monitoring
• Enable syslog logging and send logs to a dedicated, secure log host (SIEM).

3.2 NEXT GENERATION FIREWALLS (NGFWS)


The following table illustrates the hardening measures to be taken against each NGFW.
Table 3-3: Applicable hardening measures for NGFW.
Security Topic / Hardening Measures

Secure Network
• Use static IPs
• Use of SNMPv3
• Network Discovery Disabled

Identity and Access Management
• SNMPv3 with strong auth and priv passwords.
• Threshold of five (5) failed login attempts for account lockout.
• Account reset after account lockout possible after thirty (30) minutes.
• Password shall be as per the standard password complexity defined in 2.9.
• Integrated with Domain for groups and users management.

Attack Surface Reduction
• Disable unused switch ports and assign them a VLAN number not in use.
• The unused ports shall be physically locked.
• Disable unnecessary services, protocols, and features on network devices.
• Rules allowed based on specific IP address

Secure Channels & Encryption
• Utilize SSH instead of telnet and set a strong password for SSH.
• Utilize HTTPS instead of HTTP.

System Integrity
• NTP for time synchronization shall be configured.

Logging and Monitoring
• Enable syslog logging and send logs to a dedicated, secure log host (SIEM).

To achieve the above criteria, the following steps shall be followed.
1. Change the default admin password before connecting the firewall to any network.
2. Enable admin profiles and groups to limit access to other administrators.
3. Enable password profile to enforce tough passwords. Change passwords regularly on a
scheduled interval.
4. Set up notifications for system and configuration log messages that indicate modifications of the
firewall's operational parameters (these notifications are sent via email, Syslog, and/or
SNMP traps).
5. Set an SNMP community string that is not easy to guess and is preferably not shared by other
network equipment. Only enable SNMP on internal interfaces that need it.
6. Interface management profiles: do not enable ping, ssh, http/s, and other services on the firewall
interfaces that don't require them. Note that the "Response pages" may not be necessary on
certain interfaces. These are the pages the firewall uses for URL filtering notification, virus block
messages, SSL VPN, and captive portal.
7. Place the management interface into a management VLAN that limits access to authorized
personnel. Do not turn on management profiles on interfaces that are accessed by
non-authorized personnel.
8. Monitor system and configuration logs on a regular basis to monitor for unauthorized login
attempts or changes to configuration settings.

2.3 TIME SYNCHRONIZATION


The following table illustrates the hardening measures to be taken against the DTS 4138S
time server.
Table 3-5: Applicable hardening measures for DTS Time server.
Security Topic / Hardening Measures

Secure Network
• Use static IPs

Identity and Access Management
• SNMP with a strong community string.
• Set a threshold of failed login attempts as per the password standards
• Password shall be as per the standard password complexity defined in 2.9.
• Dedicated User accounts shall be created.

Attack Surface Reduction
• Disable unused switch ports and assign them a VLAN number not in use.
• The unused ports shall be physically locked.

Secure Channels & Encryption
• Utilize SSH instead of telnet and set a strong password for SSH.

Logging and Monitoring
• Logging shall be through SNMP traps only.

4 PLC CONTROLLER/CPU HARDENING

4.1 ENGINEERING SOFTWARE SETTINGS


The following table illustrates the hardening measures to be taken against each CPU.
Table 4-1: Applicable hardening measures for CPU.


Security Topic / Hardening Measures

Secure Network
• No Action.

Identity and Access Management
• CPU shall be protected by password as per the standard password complexity defined in 2.9.

Attack Surface Reduction
• The unused ports shall be physically locked.
• OS firmware shall be updated as per the latest.

Secure Channels & Encryption
• No action

System Integrity
• NTP for time synchronization shall be configured.

Logging and Monitoring
• All alarms shall be logged in Process Historian machine.

To achieve the above criteria, the below settings shall be configured using the PCS 7 Engineering
station as follows:
1. Open STEP 7, which is installed on the engineering station and connected to the plant network.
2. Select the project which has the latest backup for the running CPU.
3. Open the hardware configuration for the specific station to be protected.
4. Double click on the hardware configuration icon.
5. Double click on the main CPU in rack 0.
6. Select the protect option from the dialog box.
7. Select protect CPU by a password.
8. Enter the required password in the blank field.
9. Confirm the change by clicking “Ok”.
10. Save and compile the configuration.
11. Download the updated configuration to the CPU.
12. Disabling of unused USB/Network or serial ports.
13. Updating the firmware to latest revision.
Physical button/key protection etc.
5 L2.5 NETWORK SWITCHES


The L3 switches will provide 24x 10/100/1000M RJ-45 ports per switch for the copper connectivity.
These switches are proposed to connect DMZ servers, Update servers & DMZ/Perimeter network
firewalls.
Both the L2.5 switches shall be redundant.

Figure - L2.5 Network Switches


The gateway for the DMZ and Perimeter network shall be. The communication between services will
be allowed only through the Perimeter firewall.
Static routing will be used to route the traffic between different segments through the perimeter firewall.

5.1 HARDWARE PLATFORM


The below table details the specifications and quantity considered for the Switches L2.5 as part of
the scope of this project.
Table 5-1: Selected hardware
| Description | Qty |
| --- | --- |
| Switches as per the Approved ICS Vendor list. Hirschmann L3 Switches shall be selected with appropriate number of the ports: Hirschmann GRS1042-6T6ZSHH00V9HHSE3A99XX.X.XX (942135999) | 2 |
6 FIREWALLS
Design Requirements and Business Needs
Perimeter IPS is used to efficiently monitor and analyse user and system activity, audit system
configurations and vulnerabilities, assess the integrity of any critical system and data files, perform
statistical analysis of activity patterns based on the matching to known attacks, detect abnormal
activity and audit operating systems. The need of the IPS is based on IEC 62443-3-3 SR-3.2 and
DEL requirements.

The below FWs shall be located as follows:


- L2.5 (Front & back security) NGFWs: Redundant NGFWs (a pair of two) are used to
segment Level 3 and L2.5 Local DMZ networks. These firewalls are supplied with Threat
prevention subscription that shall be used to add integrated protection against network-borne
threats. These threats include exploits, malware, command and control traffic and a variety of
hacking tools.
- Level 2 FWs: These FWs with Stateful inspection shall be used to segment the operation Level
(Level 2) and the Third-party Interface Modbus connectivity level with ELICS.

6.1 HARDWARE PLATFORM

L2.5 (Front & back security) NGFWs:


The below table details the specifications and quantity considered for the PA NGFWs (L3 and L2.5)
as part of the scope of this project.
Table 6-1: Selected hardware for PA NGFW

Description Qty
Firewall as per the Approved ICS Vendor list
Fortinet or SonicWallFG-101F
225 x GE RJ45 ports (including 2 x WAN ports, 1 x DMZ port, 1 x MGMT port,
2 x HA ports, 16 x switch ports with 4 SFP ports shared media), 4 SFP ports,
2 x 10G SFP+ Fortilinks, 480 GB onboard storage, dual power supply redundancy. 2 x GE
4
SFP slots

Threat Protection
IPS, Advanced Malware Protection Service, Application Control
Bi-directional inspection
Firewall Specification
Table 6-2: Performance and Capacities for the Firewall
Description Details
Firewall inspection throughput1Firewall 1.63 GbpsTBA
throughput (HTTP/appmix)
Threat Prevention throughput (HTTP/appmix) TBA1.5 Gbps
Application inspection throughput 12 GbpsTBA
(approx.)IPsec VPN throughput
Max sessions TBA
New sessions per second TBA
Latency ˂5100 microseconds

L2 Stateful inspection firewalls:


These firewalls are deployed for the GTG, Offshore ELICS Interface
Description Qty
Scalance firewall 6GK5636-2GS00-2AC2 14

6.2 SOFTWARE PLATFORM


The below table details the NGFW software for both L2.5 and L3 communication considered as
below.
Table 6-3: Software licenses

Description Qty

Next Generation Firewall Software (FortiOS) -44

7 NGFW SOLUTION OVERVIEW

7.1 INTRODUCTION
To monitor all network traffic and to identify and block unwanted traffic, Next Generation Firewalls
are utilized, as they are application aware and make decisions based on application, user, and
content. Their natively integrated design simplifies operation and improves the security posture of the
network.

The selected NGFWs are based on Palo Alto; four of them shall be provided as part of the
scope of this project and shall be allocated as shown in the architecture below. The architecture
below shows the firewall representation.

Figure 7-1: Typical architecture

The four NGFWs shall be located as follows:

- L2.5 Front Security DMZ NGFWs: Redundant NGFWs (a pair of two) shall be used to segment
Level 3 and L2.5 Local DMZ networks. These firewalls shall be supplied with a Threat prevention
subscription that shall be used to add integrated protection against network-borne threats.
These threats include exploits, malware, command and control traffic and a variety of hacking
tools. The NGFWs shall be configured in high availability mode in an active-passive scheme.
- Level 2.5 NGFWs: Redundant NGFWs (a pair of two) shall be used to segment the
operation level (Level 2) and the management level (Level 3). The NGFWs shall be configured
in high availability mode in an active-passive scheme.

7.2 SECURITY ZONES


Security zones are a logical way to group physical and virtual interfaces on the firewall to control and
log the traffic that traverses specific interfaces on your network. An interface on the firewall must be
assigned to a security zone before the interface can process traffic. Based on the architecture and
customer specifications, the security zones shall be defined.

7.3 NGFWS SIZING


Firewalls come in all sorts of shapes and sizes, and selecting the right model shall be based on the
criteria below:
- Number of required connections (Ports & Interfaces)
Accordingly, each set of the NGFWs has been selected based on the above required connections.
Document No. Rev. Date Status Page
4253-AMPF-7-95-9462 Sht 0014253-AMPF-7-95- 2022-02-242022-
9462 Sht 0014253-AMPF-7-95-9462 Sht A 02-242022-02- AFC 59 of 223
0014253-AMPF-7-95-9463 Sht 001 242022-04-21
Title
Cyber Security - Backup SystemCyber Security - Backup SystemCyber Security - Backup
SystemCYBER-Firewall

8 NETWORK SECURITY MONITORING SOLUTION

8.1 INTRODUCTION
The Network Security Monitoring (NSM) Solution provides detection of advanced threats, increases security awareness, accelerates response time to events, and
maintains the availability of communication networks. NSM is able to detect the following network threats:
• Application Layer Threats
• Hidden Payloads
• Data Lateral Movements
• Malicious Traffic
• Covert Traffic
NSM Solution facilitates the following:
• Visibility into Network Behaviour
• Detect Advanced Threats
• Improve Cybersecurity Posture
• Maintain System Availability
• Mitigate Risks

8.2 HARDWARE PLATFORM

The below table lists the selected hardware for NSM.


Table 8-1: Selected hardware

Description Qty
RUGGEDCOM RX1524 Nozomi-Based NIDS Pre-Installed on APE1808
1
Part number - 6GK60001AM010AA3
HI = 88-300 VDC or 85-264 VAC, screw terminal block
HI = 88-300 VDC or 85-264 VAC, screw terminal block
RM = 19" Rack Mount Kit
L3 = Layer 3 Switch
L3SECL3HW = Layer 3 Security Edition (with L3 HW)
APE1808LNX = Application Processing Engine, Atom X5-E3940, 8GB RAM, 64GB eMMC, DisplayPort, uSD, USB, Linux
6TX01 = 6x 10/100TX RJ45
6FX50 = 6x 100FX SFP Blank (no optical transceiver)
6FX50 = 6x 100FX SFP Blank (no optical transceiver)

8.3 SOFTWARE PLATFORM


The table below lists the selected software/licenses for NSM.
Table 8-2: Selected software

| Description | Qty |
|---|---|
| V100-VA-PS-3YR - Siemens V100 Virtual Appliance SGA-CE, pre-configured on APE | 1 |
| Nozomi V100 Support | 1 |
| Nozomi OT Threat Feed | 1 |


9 LOCAL DMZ L2.5 NGFWS

9.1 SECURITY ZONES ARCHITECTURE
A general overview of the firewall in Level 2.5, with identification of the different zones, is shown in section 9.1, Table 9-1 Security zone for L2.5 and L3
NGFWs.

Figure 8-1: Local DMZ L2.5 NGFWs zones



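Based on customer requirements and best practices, each zone shall have different
vLANs to segregate the systems and limit the communication traffic between them. The
vLANs under each security zone shall be defined as follows.

Table 3-1: vLANs against each security zone for L3 NGFWs

| # | Security Zone | vLANs | Systems |
|---|---|---|---|
| 1 | Trusted (Level 3) | OPC_PI | OPC Server for OSI PI interface |
| 2 | Trusted (Level 3) | DCS OS | Process Historian server |
| 3 | Trusted (Level 3) | DCS OS | Alarm Station |
| 4 | Trusted (Level 3) | Log collection | NMS |
| 5 | Trusted (Level 3) | Log collection | Log Collector |
| 6 | Trusted (Level 3) | Backup | Backup server |
| 7 | Trusted (Level 3) | Remote | Terminal Server |
| 8 | Trusted (Level 3) | Update Servers | WSUS |
| 9 | Trusted (Level 3) | Update Servers | ePO server |
| 10 | Trusted (Level 3) | DC | Domain controllers |
| 11 | DMZ (Level 3.5) | OPC_PI | OSI PI server |
| 12 | DMZ (Level 3.5) | Log collection | QatarGas DMZ Log Collector |
| 13 | DMZ (Level 3.5) | Remote | QatarGas DMZ OT PAM |
| 14 | DMZ (Level 3.5) | Update Servers | QatarGas DMZ WSUS |
| 15 | DMZ (Level 3.5) | Update Servers | QatarGas DMZ ePO server |
| 16 | Untrusted (Level 4) | OPC_PI | OSI PI server |
| 17 | Untrusted (Level 4) | Log collection | QatarGas SIEM |
| 18 | Untrusted (Level 4) | Remote | Remote Station |
| 19 | Untrusted (Level 4) | Update Servers | QatarGas central WSUS |
| 20 | Untrusted (Level 4) | Update Servers | QatarGas central ePO server |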

6.2 LOCAL DMZ L3.5 NGFWS


The number of connections required for these firewalls, as shown in Appendix 1 -
4253-AMPF-7-95-9461 Sht 001_CYBER-Network_Rev0, is five.
Based on the number of connected devices, the PA-440 Next Generation Firewall has
been selected, as it can accommodate up to eight connections. The hardware platform
of the selected firewalls is detailed and explained in a later section.

9.2 THREAT PREVENTION


As mentioned earlier, the Local DMZ L2.5 NGFWs shall be supplied with Threat
Prevention licenses, which defend the network against both commodity threats,
which are pervasive but not sophisticated, and targeted, advanced threats perpetuated
by organized cyber adversaries. This is required to monitor the outgoing and incoming
traffic from the Local DMZ L2.5 network and prevent the traffic in case of any suspicious
or abnormal activity.
Threat Prevention includes comprehensive exploit, malware, and command-and-control
protection, and Fortinet publishes updates that equip the firewall with
the very latest threat intelligence. These updates are recommended to be pushed
from the Qatar Gas network once a week. All threat
definitions shall be published and available on the Fortinet portal and can be accessed
by the Qatar Gas account.

L3 NGFWS

SECURITY ZONES ARCHITECTURE


A general overview of the firewall in Level 3, with classification of the different zones, is
shown below:
Figure 4-1: L3 NGFWs zones

10 L3 NGFWS

10.1 SECURITY ZONES ARCHITECTURE


A general overview of the firewall in Level 3 and L2.5, with classification of the different zones, is shown
below.
Based on customer requirements and best practices, each zone shall have different vLANs to
segregate the systems and limit the communication traffic between them. The vLANs under
each security zone shall be defined as follows.

Table 10-1: vLANs against each security zone for L2.5 & L3 NGFWs
# Security Zone Network Segregation Systems
ELICS EWSHVAC WinCC Panel
1.
Mounted IPC
Trusted
2. ELICS ServersDCS EWS
ELICS Terminal Bus Network
(Level 2)
3. ELICS OWSELICS Servers
4. Process Historian serverELICS OWS
5. OPC Server
6. NMS
7. Backup server
8.
DMZ Terminal Server
DMZ (Level 2.5)
(Level
9. 2.5) WSUS
10. ePO Station
11. Domain controllers
12. Simatic Management Console Station
13.
Untrusted Log collection /SIEM Qatar Gas SIEM
(Level
14. 3) POIS & ETAP POIS & ETAP Servers

These security zones shall be used to define the security rules required to block or allow a session
based on traffic attributes, such as the source and destination security zone, the source and
destination IP address, the application, the user, and the service.

6.4 L3 NGFWS CONNECTIONS


The number of connections required for these firewalls, as shown in Appendix 1 -
4253-AMPF-7-95-9461 Sht 001_CYBER-Network_Rev0, is seven.

Based on the number of connected devices, the PA-440 Next Generation Firewall has been selected,
as it can accommodate up to eight connections. In section 7, the hardware platform of the selected
firewalls shall be detailed and explained.

Security Rules
Security policy protects network assets from threats and disruptions and helps to optimally allocate network
resources for enhancing productivity and efficiency in the processes. All traffic passing through the firewall is
matched against a session and each session is matched against a Security policy rule. When a session match
occurs, the firewall applies the matching Security policy rule to bidirectional traffic in that session (client to
server and server to client). For traffic that doesn’t match any defined rules, the default rules apply. By default,
all intra-zone communication is allowed and all interzone communication is denied. Traffic that matches a rule
generates a log entry at the end of the session in the traffic log since logging shall be enabled for both L3 and
Local DMZ L3.5 NGFWs.
The table below details the basic firewall rules that shall be configured for the commissioned systems. The
supplied firewalls shall be commissioned in learning mode to observe all the required traffic to be allowed
in accordance with the firewall rule table below, and the rules will then be optimized based on those
observations. The same shall be reflected in the As-built document revision, where all rules will be finalized,
tested, and confirmed. As for the Local DMZ L3.5 and L3 NGFWs, the basic security rules are detailed in Appendix 2.

11 L2 FWS

11.1 SECURITY ZONES ARCHITECTURE


General overview of the firewall in Level 2 with classification of the different zones.
The L2 firewalls are deployed for the connection of the third-party packages, such as the GTG packages,
the Offshore ELICS package and the Desalination package.
The L2 firewalls are stateful firewalls monitoring the Modbus communication network between the
ELICS and the third-party packages.

11.2 L2 FIREWALL HARDWARE PLATFORM


The table below details the specifications and quantity considered for the stateful firewalls
(L2) as part of the scope of this project.
Table 11-1: Selected hardware

| Description | Qty |
|---|---|
| Firewall as per the Approved ICS Vendor list. Make - Siemens SCALANCE SC636-2C. Stateful Packet Inspection (SPI). TCP, UDP, and non-IP protocols supported. Deny by default: all network traffic that is not on the ‘allowed’ list is automatically blocked and reported. | 14 |

12 SECURITY RULES
Security policy protects network assets from threats and disruptions and helps to optimally allocate
network resources for enhancing productivity and efficiency in the processes. All traffic passing
through the firewall is matched against a session and each session is matched against a Security
policy rule. When a session match occurs, the firewall applies the matching Security policy rule to
bidirectional traffic in that session (client to server and server to client). For traffic that doesn’t match
any defined rules, the default rules apply. By default, all intra-zone communication is allowed and all
interzone communication is denied. Traffic that matches a rule generates a log entry at the end of
the session in the traffic log since logging shall be enabled for both L3 and Local DMZ L2.5 NGFWs.
The next sections define the ports for the basic firewall rules that shall be
configured for the commissioned systems. The supplied firewalls shall be commissioned in
learning mode to observe all the required traffic to be allowed in accordance with the firewall rule
table below, and the rules will then be optimized based on those observations. The same shall be
reflected in the As-built document revision, where all rules will be finalized, tested, and confirmed.
As for the Local DMZ L2.5 and L3 NGFWs, the basic security rules are detailed in Appendix 2.

13 ELIGIBLE PORTS FOR COMMUNICATION


As there are multiple solutions implemented as part of the scope of this project, each solution requires
certain application ports to be opened to communicate successfully with the
agents/machines. Hence, the sections below detail the required ports that will be opened in the
firewall for successful communication.

13.1 NETWORK MANAGEMENT SYSTEM (NMS)


The table below lists all the required and reserved ports and their purpose.
Table 13-1: NMS Reserved ports
| Service/ Protocol | Port | Description | Direction |
|---|---|---|---|
| SSH (Secure Shell) | TCP / 22 | execution of SSH-based policies and detection of device functions. | Bi-directional |
| SIMATIC S7 | TCP / 102 | SIMATIC communication. | Bi-directional |
| SNMP | UDP / 161 | read-out of device information or detection of device functions | Bi-directional |
| SNMP Traps / Informs | UDP / 162 | trap receipt in Operation | Bi-directional |
| HTTPS (Control) | TCP / 443 | Web interface of the Control | Bi-directional |
| Syslog | UDP / 514 | communication with Syslog server | Bi-directional |
| Internal communication of SINEC NMS | TCP / 4897, TCP / 4998, TCP / 4999 | Operation start-up | Bi-directional |
| PostgreSQL | TCP / 5432, TCP / 5433 | saving of events / reports | Bi-directional |
| Communication between Control and Operation | TCP / 4369, TCP / 5671, TCP / 15671, TCP / 25672 | For the Operation to be reachable from the Control | Bi-directional |
| HTTPS (Operation) | TCP / 8443 | Web interface of the operations can be reached, to detect device functions | Bi-directional |
| UMC server | TCP / 8444 | UMC-based authentication | Bi-directional |
| Internal communication of SINEC NMS | TCP / 49111-49116, TCP / 49125-49126, TCP / 49135-49136 | communication between Control and Operation or between Operation and operation Monitor | Bi-directional |
| Operation Monitoring (Server) | TCP / 49101, TCP / 49103, TCP / 49104 | function of some Web pages or export services in the operation | Bi-directional |
| SFTP | TCP / 49131 | file synchronization (firmware containers / logs) between Control and Operation | Bi-directional |
| UMC-internal communication | TCP / 49133 | UMC-based authentication | Bi-directional |

13.2 EPO SERVER

Certain ports need to be configured on both the ePO and the firewall to provide a successful
communication path between the ePO and its agents through the firewall, as shown below. Whenever
a request is sent by any ePO agent to the ePO server, it goes through the firewall, which checks
whether it is coming from the already configured list of allowed ports. This concept applies to the
bidirectional communication between the ePO and its agents. The table below lists the ports
configured on the firewall as well as their traffic direction.
Table 13-2: configured ports on firewall side

| Service/ Protocol | Port | Description | Direction |
|---|---|---|---|
| Agent-server communication secure port; Software Manager, Product Compatibility List, and License Manager port | TCP / 443 | TCP port that the McAfee ePO server service uses to receive requests from agents and Remote Agent Handlers. TCP port that the McAfee ePO server's Software Manager uses to connect to McAfee. TCP port that the McAfee ePO server uses to connect to the McAfee software updates server (s-download.mcafee.com), McAfee license server (lc.mcafee.com), and McAfee Product Compatibility List (epo.mcafee.com). | Inbound connection to the Agent Handler and the McAfee ePO server from the McAfee Agent. Inbound connection to the McAfee ePO server from the Remote Agent Handler. Outbound connection from the McAfee ePO server to McAfee servers. |
| Agent wake-up communication port; SuperAgent repository port | TCP / 8081 | TCP port that agents use to receive agent wake-up requests from the McAfee ePO server or Agent Handler. TCP port that the SuperAgents configured as repositories that are used to receive content from the McAfee ePO server during repository replication, and to serve content to client systems. | Inbound connection from the ePO server/Agent Handler to the McAfee Agent. Inbound connection from client systems to SuperAgents configured as repositories. |
| Agent broadcast communication port | UDP / 8082 | UDP port that the SuperAgents use to forward messages from the ePO server/Agent Handler. | Outbound connection from the SuperAgents to other McAfee Agent. |
| Console-to-application server communication port | TCP / 8443 | TCP port that the ePO Application Server service uses to allow web browser UI access. | Inbound connection to the McAfee ePO server from the ePO console. |
| Client-to-server authenticated communication port | TCP / 8444 | TCP Port that the Agent Handler uses to communicate with the McAfee ePO server to get required information (such as the LDAP servers). | Outbound connection from Remote Agent Handlers to the McAfee ePO server. |
| SQL Server TCP port | TCP / 1433 | TCP port used to communicate with the SQL Server. This port is specified or determined automatically during the setup process. | Outbound connection from the ePO server/Agent Handler to the SQL Server. |
| SQL Server UDP port | UDP / 1434 | UDP port used to request the TCP port that the SQL instance hosting the ePO database is using. | Outbound connection from the ePO server/Agent Handler to the SQL Server. |
| LDAP server port | TCP / 389 | TCP port used to retrieve LDAP information from Active Directory servers. | Outbound connection from the ePO server/Agent Handler to an LDAP server. |
| SSL LDAP server port | TCP / 636 | TCP port used to retrieve LDAP information from Active Directory servers. | Outbound connection from the ePO server/Agent Handler to an LDAP server. |
| SMB Windows domain controller port | TCP / 445 | TCP port used for ePO console logon when authenticating Active Directory users. | Outbound connection from the McAfee ePO server to the domain controller (Active Directory) server. |
| Syslog server port | UDP / 6514 | Default port for Syslog using TLS: only required if syslog forwarding is configured | Outbound from the McAfee ePO server / Agent Handlers to registered syslog server. |

13.3 BACKUP SERVER


To allow Acronis software to operate properly in the network, it is mandatory to open specific ports
in Firewall settings as below.

• TCP ports 7780, 9877 for communication between components
• TCP ports 443 and 902 to access the vCenter Server and ESX(i) hosts
• TCP port 2600, 2700 for Archive Server Core
• TCP port 6110 for Acronis Cyber Backup service
• TCP port 9999 for Authorization and routing requests for different components
• TCP port 1337 for syncing Backup policies between server and agent
• TCP port 8081 for Acronis Scheduler2 service
• TCP port 9772 for Acronis Cyber Backup Agent
• TCP 9876, 9852 for storage node

Table 13-3: configured ports on firewall side

| Service/ Protocol | Port | Description | Direction |
|---|---|---|---|
| Communication between components | TCP / 7780 & 9877 | For communication between Acronis components | Bi-directional |
| Access to vCenter & ESXi | TCP / 443 & 902 | To collect backups of VMs and ESXI host | Bi-directional |
| Archive Server Core | TCP / 2600 & 2700 | Required by Acronis system | Bi-directional |
| Acronis Cyber Backup Service | TCP / 6110 | Internal Acronis services | Bi-directional |
| Authorization and routing requests | TCP / 9999 | For different components | Bi-directional |
| Policies Syncing | TCP / 1337 | For syncing Backup policies between server and agent | Bi-directional |
| Acronis Scheduler2 service | TCP / 8081 | for scheduling backup plans | Bi-directional |
| Acronis Cyber Agent | TCP / 9772 | For taking backups | Bi-directional |
| Storage node | TCP 9876 & 9852 | Used for communication with storage location typically NAS | Bi-directional |

The purpose of these ports is illustrated in the architecture on the next page.

Figure 13-1 backup system overview



7.4 SIEM
The below table illustrates the required ports to be allowed by L3 NGFW.
Table 6-3: required ports by SIEM.
| Service/ Protocol | Port | Description | Direction |
|---|---|---|---|
| Active Directory | TCP 389, 3268 | Active Directory. Port 3268 is used for LDAP. | Out |
| Backup | TCP 445, 111, 2049 | Backup and Restore – CIFS use 445; NFS uses 111 and 2049 | In/out |
| DNS | UDP 53 | Primary, Secondary DNS server | Out |
| HTTP | TCP/UDP 80 | Rules Server - www.nitroguard.com (out), Redirection to web server on port 443 (in) | In/out |
| HTTPS | TCP/UDP 443 | Client logon. | In/out |
| Kafka 1 | TCP 9092 | Port used by databus for broadcasting and consuming data. | Out |
| NTP | UDP 123 | NTP server | Out |
| SNMP | TCP/UDP 161, 162 | Traps received from McAfee appliances or sent to SNMP Trap collector | In/out |
| SSH | TCP/UDP 22 | All McAfee appliances and to access command line | In/out |
| EDB Secure Port 1 | TCP 8103 | Snowflex/jdbc gossip Port used for clustered environment behind a firewall | In/out |
| Databus Snowflex management port1 | TCP 1211 | Port used for clustered environment behind a firewall | In/out |

13.4 WSUS
WSUS server requires the following ports for communication with clients.
Table 13-4: required ports by WSUS.

| Service/ Protocol | Port | Description | Direction |
|---|---|---|---|
| Client to Server communication | TCP / 8530 | HTTP port | Uni-directional |
| Client to Server communication | TCP / 8531 | HTTPS port | Uni-directional |

WSUS will use port 8530 for HTTP and 8531 for HTTPS. The L3 and Local DMZ L2.5 NGFWs must
be configured to allow inbound traffic on these ports.

13.5 PROCESS HISTORIAN


Process Historian Server and PH-Ready require the following settings for operation:
Table 13-5: required ports by PH.

| Service/ Protocol | Port | Direction |
|---|---|---|
| PH Discovery Services | TCP 5048 | Bi-Directional |
| PH Network Discovery | UDP 137 | Bi-Directional |
| PH Redundancy Services | TCP 60000 | Bi-Directional |
| PH WCF Message Queue Service (SQL Mirroring Setup) | TCP 60002 | Bi-Directional |
| PH SQL-Mirroring Port (TCP) | TCP 5022 | Bi-Directional |
| PH SQL-Mirroring Port (UDP) | UDP 5022 | Bi-Directional |
| PH SQL-Server Monitor Port | UDP 1434 | Bi-Directional |
| PH SQL-Server Port | TCP 3723 | Bi-Directional |
| PH LLMNR-UDP-In | UDP 5355 | Bi-Directional |
| PH RPC for MSMQ | TCP 135 | Bi-Directional |

13.6 NTP SERVER


The following table mentions the ports required by NTP Servers for Time synchronization.
Table 13-6: required ports by NTP Server.
| Service/ Protocol | Port | Description | Direction |
|---|---|---|---|
| NTP Client to Server | UDP / 123 | Used by NTP server | Uni-directional |
| NTP Server to Client | UDP / 1023 | Used by Clients | Uni-directional |

NTP is built on UDP, where port 123 is used for NTP server communication and NTP clients
(for example, a desktop) use port 1023.
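
The matching behaviour described in section 12 (each new session is checked against the security rules, with intra-zone traffic allowed and inter-zone traffic denied when no rule matches) can be exercised against a few of the ports listed in section 13. The following Python example is added here and is not part of the specification or of any vendor's software; the zones and ports come from Table 10-1 and the WSUS and ePO port tables, while the IP addresses, rule names, top-down rule order and observed flows are assumptions constructed for the illustration.

```python
"""Zone-based rule matching and a learning-mode audit (added example)."""
from collections import Counter
from dataclasses import dataclass

# Zones as in Table 10-1: Trusted (Level 2), DMZ (Level 2.5), Untrusted (Level 3).
# All IP addresses are constructed for this example.
ZONE_OF = {
    "10.2.0.10": "Trusted",    # ELICS server
    "10.2.0.11": "Trusted",    # ELICS OWS
    "10.25.0.20": "DMZ",       # WSUS
    "10.25.0.21": "DMZ",       # ePO
    "10.3.0.30": "Untrusted",  # Qatar Gas SIEM
}


@dataclass(frozen=True)
class Rule:
    name: str         # hypothetical rule name
    src_zone: str     # zone of the host that opens the session
    dst_zone: str     # zone of the host that receives it
    proto: str
    ports: frozenset  # destination ports


# Allow rules built from the WSUS and ePO port tables in section 13.
RULES = [
    Rule("wsus-http", "Trusted", "DMZ", "tcp", frozenset({8530})),
    Rule("wsus-https", "Trusted", "DMZ", "tcp", frozenset({8531})),
    Rule("epo-agent-to-server", "Trusted", "DMZ", "tcp", frozenset({443})),
    Rule("epo-agent-wakeup", "DMZ", "Trusted", "tcp", frozenset({8081})),
    Rule("epo-syslog", "DMZ", "Untrusted", "udp", frozenset({6514})),
]


def evaluate(src_ip, dst_ip, proto, dport, rules=RULES):
    """Return (action, rule_name) for a new session opened by src_ip.

    Only the session's first packet is matched; replies belong to the same
    session and need no rule of their own.
    """
    src_zone, dst_zone = ZONE_OF.get(src_ip), ZONE_OF.get(dst_ip)
    if src_zone is None or dst_zone is None:
        return ("deny", "unknown-zone")  # this example's choice for unmapped hosts
    for rule in rules:  # checked top to bottom (assumption of this example)
        if ((rule.src_zone, rule.dst_zone, rule.proto) == (src_zone, dst_zone, proto)
                and dport in rule.ports):
            return ("allow", rule.name)
    if src_zone == dst_zone:
        return ("allow", "intrazone-default")
    return ("deny", "interzone-default")


def audit(observed, rules=RULES):
    """Classify flows seen in learning mode against the candidate rule set."""
    hits = Counter()
    denied, implicit = [], []
    for flow in observed:
        action, name = evaluate(*flow, rules=rules)
        hits[name] += 1
        if action == "deny":
            denied.append(flow)       # would be blocked once enforcement starts
        elif name == "intrazone-default":
            implicit.append(flow)     # allowed without any explicit rule
    unused = [r.name for r in rules if hits[r.name] == 0]
    return {"denied": denied, "implicit_intrazone": implicit, "unused_rules": unused}


# Constructed learning-mode observations: (src_ip, dst_ip, proto, dst_port).
OBSERVED = [
    ("10.2.0.11", "10.25.0.20", "tcp", 8530),  # OWS pulls updates from WSUS
    ("10.2.0.11", "10.25.0.21", "tcp", 443),   # agent reports to ePO
    ("10.25.0.21", "10.2.0.11", "tcp", 8081),  # ePO wakes the agent
    ("10.25.0.20", "10.2.0.11", "tcp", 8530),  # WSUS opening a session to a client
    ("10.2.0.11", "10.2.0.10", "tcp", 445),    # SMB between two Trusted hosts
    ("10.2.0.10", "10.3.0.30", "udp", 514),    # Trusted host sending syslog to Level 3
]

if __name__ == "__main__":
    for key, value in audit(OBSERVED).items():
        print(key, value)
```

The `denied` and `unused_rules` lists are the two inputs to the rule optimisation step: the first shows traffic to investigate before enforcement, the second shows allow rules that learning mode never exercised.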

8 NGFW PLATFORM

8.1 HARDWARE PLATFORM


The selected model for the four PA NGFWs is PA-440 model which has the below key features:
• 3.0/2.4 Gbps firewall throughput (HTTP/appmix)
• 0.9/1.0 Gbps Threat Prevention throughput (HTTP/appmix)
• 1.6 Gbps IPsec VPN throughput
• 200,000 max sessions
• 39,000 new sessions per second
The below table details the specifications and quantity considered for the PA NGFWs (L3 and L3.5)
as part of the scope of this project.

Table 7-1: Selected hardware for PA NGFW

| Description | Qty |
|---|---|
| Palo Alto Next Generation Firewall (PA-440-HA) including: 2 x PA-440 NGFWs; 2 x PA-400 W power adaptors; Rackmount kit for redundant firewalls | 2 |

8.2 SOFTWARE PLATFORM


The below table details the NGFW support and subscription licenses for both L3 and L3.5 considered
as part of the scope of this project.

Table 7-2: Software licenses

| Description | Qty |
|---|---|
| Next Generation Firewall (PA-440-HA): Palo Alto Firewall Premium Support, 5 years | 2 |
| Next Generation Firewall (PA-440-HA): Palo Alto Firewall Threat prevention subscription, 5 years | 1 |

13. NGFW SOLUTION OVERVIEW

a. INTRODUCTION
Next Generation Firewalls are utilized to monitor all network traffic and to identify and block
unwanted traffic, as they are application aware and make decisions based on application, user, and
content. Their natively integrated design simplifies operation and improves the security posture of
the network.
The selected NGFWs are based on Palo Alto; four of them shall be provided as part of the
scope of this project and shall be allocated as shown in the architecture below.
Figure 2-1: Typical architecture

The four NGFWs shall be located as follows:


- L3.5 Local DMZ NGFWs: Redundant NGFWs (a pair of two) shall be used to segment Level 3
and L3.5 Local DMZ networks. These firewalls shall be supplied with Threat prevention
subscription that shall be used to add integrated protection against network-borne threats. These
threats include exploits, malware, command and control traffic and a variety of hacking tools.
The NGFWs shall be configured in high availability mode as active-passive scheme.
- Level 3 NGFWs: Redundant NGFWs (a pair of two) shall be used to segment the operation
Level (Level 2) and the management level (Level 3). The NGFWs shall be configured in high
availability mode as active-passive scheme.

b. SECURITY ZONES
Security zones are a logical way to group physical and virtual interfaces on the firewall to control and
log the traffic that traverses specific interfaces on your network. An interface on the firewall must be
assigned to a security zone before the interface can process traffic. Based on the architecture and
customer specifications, the security zones shall be defined.

c. NGFWS SIZING
Firewalls come in all sorts of shapes and sizes, and selecting the right model shall be based on the
criteria below:
- Number of required connections (Ports & Interfaces)

Accordingly, each set of the NGFWs has been selected based on the above required connections.

14. LOCAL DMZ L3.5 NGFWS

a. SECURITY ZONES ARCHITECTURE


A general overview of the firewall in Level 3.5, with identification of the different zones, is shown below:
Figure 3-1: Local DMZ L3.5 NGFWs zones

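Based on customer requirements and best practices, each zone shall have different vLANs to
segregate the systems and limit the communication traffic between them. The vLANs under each
security zone shall be defined as follows.

Table 3-1: vLANs against each security zone for L3.5 NGFWs

| Security Zone | vLANs | Systems |
|---|---|---|
| Trusted (Level 2.5) | OPC_PI | OPC Server for OSI PI interface |
| Trusted (Level 2.5) | DCS OS | Process Historian server |
| Trusted (Level 2.5) | DCS OS | Alarm Station |
| Trusted (Level 2.5) | Log collection | NMS |
| Trusted (Level 2.5) | Log collection | IDS |
| Trusted (Level 2.5) | Log collection | Log Collector |
| Trusted (Level 2.5) | Backup | Backup server |
| Trusted (Level 2.5) | Remote | Terminal Server |
| Trusted (Level 2.5) | Update Servers | WSUS |
| Trusted (Level 2.5) | Update Servers | ePO server |
| Trusted (Level 2.5) | DC | Domain controllers |
| DMZ (Level 3) | OPC_PI | OSI PI server |
| DMZ (Level 3) | Remote | QatarGas DMZ OT PAM |
| DMZ (Level 3) | Update Servers | QatarGas DMZ WSUS |
| DMZ (Level 3) | Update Servers | QatarGas DMZ ePO server |
| DMZ (Level 3) | Log collection | QatarGas SIEM |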

a. LOCAL DMZ L3.5 NGFWS


The number of connections required for these firewalls, as shown in Appendix 1 -
4253-AMPF-7-95-9461 Sht 001_CYBER-Network_Rev0, is five connections.
Based on the number of connected devices, the PA-440 Next Generation Firewall has been
selected, which can accommodate eight connections. The hardware platform of the selected
firewalls is detailed and explained in a later section.

a. THREAT PREVENTION
As mentioned earlier, the Local DMZ L3.5 NGFWs shall be supplied with Threat Prevention licenses,
which defend the network against both commodity threats, which are pervasive but not
sophisticated, and targeted, advanced threats perpetrated by organized cyber adversaries. This is
required to monitor the outgoing and incoming traffic of the Local DMZ L3.5 network and to block
the traffic in case of any suspicious or abnormal activity.
Threat Prevention includes comprehensive exploit, malware, and command-and-control protection,
and Palo Alto Networks publishes updates that equip the firewall with the very latest threat
intelligence. It is recommended that these updates be pushed from the QatarGas network
once a week. All threats shall be published and available on the Palo Alto Threat Vault portal and can
be pulled by the L4 QatarGas firewall.

19. L3 NGFWS

a. SECURITY ZONES ARCHITECTURE


A general overview of the firewall in Level 3, with classification of the different zones, is shown below:
Figure 4-1: L3 NGFWs zones

Based on customer requirements and best practices, each zone shall have different vLANs to
segregate the systems and limit the communication traffic between them. The vLANs under each
security zone shall be defined as follows.

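Table 4-1: vLANs against each security zone for L3 NGFWs

| Security Zone | vLANs | Systems |
|---|---|---|
| Trusted (Level 2) | HVAC | HVAC WinCC Panel Mounted IPC |
| Trusted (Level 2) | ESD, F&G EWS | ESD/ F&G EWS |
| Trusted (Level 2) | DCS EWS | DCS EWS |
| Trusted (Level 2) | DCS OS | DCS OS |
| Trusted (Level 2) | IPCMS | IPCMS OWS |
| Trusted (Level 2) | Utilities | Time Sync, Printer, etc |
| DMZ (Level 3) | OPC_PI | OPC Server for OSI PI interface |
| DMZ (Level 3) | | Process Historian server |
| DMZ (Level 3) | | DCS OS |
| DMZ (Level 3) | | Alarm Station |
| DMZ (Level 3) | | NMS |
| DMZ (Level 3) | Log collection | Log Collector |
| DMZ (Level 3) | Backup | Backup server |
| DMZ (Level 3) | Remote | Terminal Server |
| DMZ (Level 3) | Update Servers | WSUS, ePO server |
| DMZ (Level 3) | DC | Domain controllers |
| Untrusted (Level 3.5) | OPC_PI | OSI PI server |
| Untrusted (Level 3.5) | Log collection | QatarGas central Log Collector |
| Untrusted (Level 3.5) | Remote | QatarGas DMZ OT PAM |
| Untrusted (Level 3.5) | Update Servers | QatarGas DMZ WSUS, QatarGas DMZ ePO server |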

These security zones shall be used to define the security rules required to block or allow a session
based on traffic attributes, such as the source and destination security zone, the source and
destination IP address, the application, the user, and the service.

a. L3 NGFWS CONNECTIONS
The number of connections required for these firewalls, as shown in Appendix 1 -
4253-AMPF-7-95-9461 Sht 001_CYBER-Network_Rev0, is seven connections.
Based on the number of connected devices, the PA-440 Next Generation Firewall has been selected,
which can accommodate eight connections. The hardware platform of the selected firewalls is
detailed and explained in section 7.

9 SECURITY RULES
Security policy protects network assets from threats and disruptions and helps to optimally allocate
network resources for enhancing productivity and efficiency in the processes. All traffic passing
through the firewall is matched against a session and each session is matched against a Security
policy rule. When a session match occurs, the firewall applies the matching Security policy rule to
bidirectional traffic in that session (client to server and server to client). For traffic that doesn’t match
any defined rules, the default rules apply. By default, all intra-zone communication is allowed and all
interzone communication is denied. Traffic that matches a rule generates a log entry at the end of
the session in the traffic log, since logging shall be enabled for both the L3 and Local DMZ L3.5 NGFWs.
The table below details the basic firewall rules that shall be configured for the commissioned systems.
The supplied firewalls shall be commissioned in learning mode to observe all the traffic that needs
to be allowed in accordance with the firewall rule table, and the rules will then be optimized on that
basis. The same shall be reflected in the As-built document revision, where all rules will be finalized,
tested, and confirmed. For the Local DMZ L3.5 and L3 NGFWs, the basic security rules are
detailed in Appendix 2.
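The matching behaviour described above (first matching rule, otherwise intra-zone allow and interzone deny) and the review of learning-mode traffic can be sketched as follows. This is an added example, not the project's firewall configuration: the rule names, their directions and the observed sessions are constructed, the zone names follow Table 4-1, and the ports are taken from this document's eligible-ports sections.

```python
"""Added example: zone-based rule matching and a learning-mode log review."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Sequence, Tuple

INTRAZONE_DEFAULT = "intrazone-default"  # implicit rule: same zone, allow
INTERZONE_DEFAULT = "interzone-default"  # implicit rule: different zones, deny


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str            # "tcp" or "udp"
    ports: FrozenSet[int]  # destination ports
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Session:
    src_zone: str  # zone of the side that opened the session
    dst_zone: str
    proto: str
    dport: int


# Constructed rule set (hypothetical names and directions).
RULES: Tuple[Rule, ...] = (
    Rule("wsus-clients", "Trusted", "DMZ", "tcp", frozenset({8530, 8531}), "allow"),
    Rule("nms-snmp-poll", "DMZ", "Trusted", "udp", frozenset({161}), "allow"),
    Rule("snmp-traps-to-nms", "Trusted", "DMZ", "udp", frozenset({162}), "allow"),
    Rule("epo-agent-secure", "Trusted", "DMZ", "tcp", frozenset({443}), "allow"),
    Rule("ph-discovery", "Trusted", "DMZ", "tcp", frozenset({5048}), "allow"),
)


def evaluate(session: Session, rules: Sequence[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule name). Rules are checked top-down and the first
    match wins; the verdict covers both directions of the session."""
    for rule in rules:
        if (rule.src_zone == session.src_zone
                and rule.dst_zone == session.dst_zone
                and rule.proto == session.proto
                and session.dport in rule.ports):
            return rule.action, rule.name
    if session.src_zone == session.dst_zone:
        return "allow", INTRAZONE_DEFAULT
    return "deny", INTERZONE_DEFAULT


def review_learning_log(sessions: Iterable[Session],
                        rules: Sequence[Rule] = RULES
                        ) -> Tuple[List[Session], List[str]]:
    """Split learning-mode observations into (a) inter-zone sessions that no
    explicit rule covers, which need either a documented rule or an
    investigation, and (b) rules that were never hit, which are candidates
    for removal when the rule base is optimized."""
    hits = {rule.name: 0 for rule in rules}
    uncovered: List[Session] = []
    for session in sessions:
        _, name = evaluate(session, rules)
        if name in hits:
            hits[name] += 1
        elif name == INTERZONE_DEFAULT:
            uncovered.append(session)
    unused = [name for name, count in hits.items() if count == 0]
    return uncovered, unused


# Constructed observations standing in for a learning-mode traffic log.
OBSERVED = [
    Session("Trusted", "DMZ", "tcp", 8530),    # client to WSUS over HTTP
    Session("Trusted", "DMZ", "tcp", 443),     # agent to ePO secure port
    Session("DMZ", "Trusted", "udp", 161),     # NMS polling a device
    Session("Trusted", "Trusted", "tcp", 102), # SIMATIC S7 inside one zone
    Session("Trusted", "DMZ", "tcp", 1433),    # SQL port with no rule
    Session("Untrusted", "DMZ", "tcp", 8531),  # WSUS port, wrong source zone
]

if __name__ == "__main__":
    uncovered, unused = review_learning_log(OBSERVED)
    for s in uncovered:
        print(f"no rule: {s.src_zone} -> {s.dst_zone} {s.proto}/{s.dport}")
    print("never hit:", ", ".join(unused))
```

A port on the eligible list is not enough on its own: the last constructed session uses WSUS port 8531 but arrives from a zone that no rule names, so it falls to the interzone default.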

Eligible ports for communication


As multiple solutions are implemented as part of the scope of this project, each solution requires
certain application ports to be opened for successful communication with the agents/machines.
Hence, the sections below detail the ports that will be opened in the firewall for successful
communication.
NETWORK MANAGEMENT SYSTEM (NMS)
The table below lists all the required and reserved ports and their purpose.
Table 14-1: NMS Reserved ports

| Service/ Protocol | Port | Description | Direction |
|---|---|---|---|
| SSH (Secure Shell) | TCP / 22 | execution of SSH-based policies and detection of device functions. | Bi-directional |
| SIMATIC S7 | TCP / 102 | SIMATIC communication. | Bi-directional |
| SNMP | UDP / 161 | read-out of device information or detection of device functions | Bi-directional |
| SNMP Traps / Informs | UDP / 162 | trap receipt in Operation | Bi-directional |
| HTTPS (Control) | TCP / 443 | Web interface of the Control | Bi-directional |
| Syslog | UDP / 514 | communication with Syslog server | Bi-directional |
| Internal communication of SINEC NMS | TCP / 4897, TCP / 4998, TCP / 4999 | Operation start-up | Bi-directional |
| PostgreSQL | TCP / 5432, TCP / 5433 | saving of events / reports | Bi-directional |
| Communication between Control and Operation | TCP / 4369, TCP / 5671, TCP / 15671, TCP / 25672 | For the Operation to be reachable from the Control | Bi-directional |
| HTTPS (Operation) | TCP / 8443 | Web interface of the operations can be reached, to detect device functions | Bi-directional |
| UMC server | TCP / 8444 | UMC-based authentication | Bi-directional |
| Internal communication of SINEC NMS | TCP / 49111-49116, TCP / 49125-49126, TCP / 49135-49136 | communication between Control and Operation or between Operation and operation Monitor | Bi-directional |
| Operation Monitoring (Server) | TCP / 49101, TCP / 49103, TCP / 49104 | function of some Web pages or export services in the operation | Bi-directional |
| SFTP | TCP / 49131 | file synchronization (firmware containers / logs) between Control and Operation | Bi-directional |
| UMC-internal communication | TCP / 49133 | UMC-based authentication | Bi-directional |

EPO SERVER
Certain ports need to be configured on both the ePO server and the firewall to provide a
communication path between the ePO server and its agents through the firewall, as shown below. Whenever a
request is sent by an ePO agent to the ePO server, it goes through the firewall, which checks whether it is
coming from the configured list of allowed ports. This concept applies to the bidirectional
communication between the ePO server and its agents. The table below lists the ports configured on the
firewall as well as their traffic direction.
Table 14-2: configured ports on firewall side

| Service/ Protocol | Port | Description | Direction |
|---|---|---|---|
| Agent-server communication port | 80 | TCP port that the McAfee ePO server service uses to receive requests from agents. | Inbound connection to the Agent Handler and the McAfee ePO server from the McAfee Agent. Inbound connection to the McAfee ePO server from the Remote Agent Handler. |
| Agent-server communication secure port; Software Manager, Product Compatibility List, and License Manager port | 443 | TCP port that the McAfee ePO server service uses to receive requests from agents and Remote Agent Handlers. TCP port that the McAfee ePO server's Software Manager uses to connect to McAfee. TCP port that the McAfee ePO server uses to connect to the McAfee software updates server (s-download.mcafee.com), McAfee license server (lc.mcafee.com), and McAfee Product Compatibility List (epo.mcafee.com). | Inbound connection to the Agent Handler and the McAfee ePO server from the McAfee Agent. Inbound connection to the McAfee ePO server from the Remote Agent Handler. Outbound connection from the McAfee ePO server to McAfee servers. |
| Agent wake-up communication port; SuperAgent repository port | 8081 | TCP port that agents use to receive agent wake-up requests from the McAfee ePO server or Agent Handler. TCP port that the SuperAgents configured as repositories that are used to receive content from the McAfee ePO server during repository replication, and to serve content to client systems. | Inbound connection from the ePO server/Agent Handler to the McAfee Agent. Inbound connection from client systems to SuperAgents configured as repositories. |
| Agent broadcast communication port | 8082 | UDP port that the SuperAgents use to forward messages from the ePO server/Agent Handler. | Outbound connection from the SuperAgents to other McAfee Agent. |
| Console-to-application server communication port | 8443 | TCP port that the ePO Application Server service uses to allow web browser UI access. | Inbound connection to the McAfee ePO server from the ePO console. |
| Client-to-server authenticated communication port | 8444 | TCP Port that the Agent Handler uses to communicate with the McAfee ePO server to get required information (such as the LDAP servers). | Outbound connection from Remote Agent Handlers to the McAfee ePO server. |
| SQL Server TCP port | 1433 | TCP port used to communicate with the SQL Server. This port is specified or determined automatically during the setup process. | Outbound connection from the ePO server/Agent Handler to the SQL Server. |
| SQL Server UDP port | 1434 | UDP port used to request the TCP port that the SQL instance hosting the ePO database is using. | Outbound connection from the ePO server/Agent Handler to the SQL Server. |
| LDAP server port | 389 | TCP port used to retrieve LDAP information from Active Directory servers. | Outbound connection from the ePO server/Agent Handler to an LDAP server. |
| SSL LDAP server port | 636 | TCP port used to retrieve LDAP information from Active Directory servers. | Outbound connection from the ePO server/Agent Handler to an LDAP server. |
| SMB Windows domain controller port | 445 | TCP port used for ePO console logon when authenticating Active Directory users. | Outbound connection from the McAfee ePO server to the domain controller (Active Directory) server. |
| Syslog server port | 6514 | Default port for Syslog using TLS: only required if syslog forwarding is configured | Outbound from the McAfee ePO server / Agent Handlers to registered syslog server. |

BACKUP SERVER
To allow the Acronis software to operate properly in the network, it is mandatory to open specific ports in
the firewall settings, as listed below.
• TCP ports 7780, 9877 for communication between components
• TCP ports 443 and 902 to access the vCenter Server and ESX(i) hosts
• TCP port 2600, 2700 for Archive Server Core
• TCP port 6110 for Acronis Cyber Backup service
• TCP port 9999 for Authorization and routing requests for different components
• TCP port 1337 for syncing Backup policies between server and agent
• TCP port 8081 for Acronis Scheduler2 service
• TCP port 9772 for Acronis Cyber Backup Agent
• TCP 9876, 9852 for storage node
The purpose of these ports is illustrated in the below architecture.

Figure 6-1 backup system overview



SIEM
The below table illustrates the required ports to be allowed by L3 NGFW.
Table 6-3: required ports by SIEM.

| Service/ Protocol | Port | Description | Direction |
|---|---|---|---|
| Active Directory | TCP 389, 3268 | Active Directory. Port 3268 is used for LDAP. | Out |
| Backup | TCP 445, 111, 2049 | Backup and Restore – CIFS use 445; NFS uses 111 and 2049 | In/out |
| DNS | UDP 53 | Primary, Secondary DNS server | Out |
| HTTP | TCP/UDP 80 | Rules Server - www.nitroguard.com (out), Redirection to web server on port 443 (in) | In/out |
| HTTPS | TCP/UDP 443 | Client logon. | In/out |
| Kafka 1 | TCP 9092 | Port used by databus for broadcasting and consuming data. | Out |
| NTP | UDP 123 | NTP server | Out |
| SNMP | TCP/UDP 161, 162 | Traps received from McAfee appliances or sent to SNMP Trap collector | In/out |
| SSH | TCP/UDP 22 | All McAfee appliances and to access command line | In/out |
| EDB Secure Port 1 | TCP 8103 | Snowflex/jdbc gossip Port used for clustered environment behind a firewall | In/out |
| Databus Snowflex management port1 | TCP 1211 | Port used for clustered environment behind a firewall | In/out |

WSUS
WSUS will use port 8530 for HTTP and 8531 for HTTPS. The L3 and Local DMZ L3.5 NGFWs must be
configured to allow inbound traffic on these ports.

PROCESS HISTORIAN
Process Historian Server and PH-Ready require the following settings for operation:
Table 6-4: required ports by PH.

| Service/ Protocol | Port | Direction |
|---|---|---|
| PH Discovery Services | TCP 5048 | Bi-Directional |
| PH Network Discovery | UDP 137 | Bi-Directional |
| PH Redundancy Services | TCP 60000 | Bi-Directional |
| PH WCF Message Queue Service (SQL Mirroring Setup) | TCP 60002 | Bi-Directional |
| PH SQL-Mirroring Port (TCP) | TCP 5022 | Bi-Directional |
| PH SQL-Mirroring Port (UDP) | UDP 5022 | Bi-Directional |
| PH SQL-Server Monitor Port | UDP 1434 | Bi-Directional |
| PH SQL-Server Port | TCP 3723 | Bi-Directional |
| PH LLMNR-UDP-In | UDP 5355 | Bi-Directional |
| PH RPC for MSMQ | TCP 135 | Bi-Directional |

NTP SERVER
NTP is built on UDP, where port 123 is used for NTP server communication and NTP clients use port 1023
(for example, a desktop).

NGFW PLATFORM
HARDWARE PLATFORM
The model selected for the four PA NGFWs is the PA-440, which has the following key features:
• 3.0/2.4 Gbps firewall throughput (HTTP/appmix)
• 0.9/1.0 Gbps Threat Prevention throughput (HTTP/appmix)
• 1.6 Gbps IPsec VPN throughput
• 200,000 max sessions
• 39,000 new sessions per second
The table below details the specifications and quantity considered for the PA NGFWs (L3 and L3.5) as part
of the scope of this project.

Table 7-1: Selected hardware for PA NGFW

| Description | Qty |
|---|---|
| Palo Alto Next Generation Firewall (PA-440-HA) including: 2 x PA-440 NGFWs; 2 x PA-400 W power adaptors; Rackmount kit for redundant firewalls | 2 |
SOFTWARE PLATFORM
The below table details the NGFW support and subscription licenses for both L3 and L3.5 considered as part
of the scope of this project.

Table 7-2: Software licenses

| Description | Qty |
|---|---|
| Next Generation Firewall (PA-440-HA): Palo Alto Firewall Premium Support, 5 years | 2 |
| Next Generation Firewall (PA-440-HA): Palo Alto Firewall Threat prevention subscription, 5 years | 1 |

SYSTEM CONFIGURATION AND SETTING


NETWORK NAME DETAIL
Firewall and management port network details and connectivity are detailed in:
4253-AMPF-7-95-9461 Sht 001 - CYBER-Network
USER ADMINISTRATION
Firewall Management users shall be detailed in:
4253-AMPF-7-95-9466 Sht 001 - CYBER-DC and User management.
CYBER SECURITY RELATED CONFIGURATION
System hardening is detailed in:
4253-AMPF-7-95-9412 Sht 001 - CYBER-Hardening - Detailing System Hardening.
CYBER Security - Backup System is detailed in:
4253-AMPF-7-95-9462 Sht 001 - CYBER Security - Backup System.
All supplied firewalls will be synchronized with NTP sync. Further detail can be found in:
4253-AMPF-7-95-9467 Sht 001 - CYBER-SYNC.
All supplied firewalls will be configured so that all their events are logged in the SIEM.
CYBER-Security Information and Event Management System (SIEM) is detailed in:
4253-AMPF-7-95-9464 Sht 001 - CYBER-Security Information and Event Management System (SIEM)

14 NMS SOLUTION OVERVIEW

14.1 NETWORK MONITORING AND CONFIGURATION MANAGEMENT


Design Requirements and Business Needs
Network management system is used to provide maximum transparency in industrial networks through
automatic topology recognition, constant network monitoring, as well as comprehensive diagnostics and
reporting functions. It is very important to highlight that NMS allows the networks to be monitored using
standardized diagnostics options such as SNMP, PROFINET, etc. The need of the NMS is based on IEC
62443 FR 6 - SR6.2 and DEL requirements.
Functional Requirement and Solution Description
In order to achieve full visibility of the network diagnostics and performance, SolarWinds Network performance
and configuration licenses shall be provided as part of this project. These licenses shall be used to upgrade
the existing licenses to the new version as per actual requirement.

The SINEC NMS software is a network management system for the central monitoring and managing of
industrial networks. SINEC NMS can fully visualize and monitor networks with tens of thousands of nodes.
Using SNMP v3, SSH and HTTPS for administration and simultaneous diagnostics via SNMP v3, SIMATIC
and PROFINET mechanisms, many aspects of plant diagnostics can be depicted in a single tool. The SINEC
NMS distributed approach enables network infrastructure expansion at any time. Captured data is stored in a
long-term archive and can be evaluated and presented as required.
SINEC NMS also facilitates configuration of the network infrastructure. The policy-based approach means
that configuration can take place independently of the type of devices in the network, and regular backups of
the device configurations can be made in order to learn of changes to configurations. In addition, two device
configurations can be compared with one another, and the differences highlighted in colour. The
NMS will take the backup configuration file and store it on the NMS server itself, which will be backed up by the
backup server. Another important advantage is the central function for a firmware update/upgrade in the
network infrastructure. The NMS shall be located on the Hypervisor in Layer 2.53 as shown in the below
architecture.

Figure 2-1: Typical cyber system architecture

The NMS shall cover all connected network devices as well as Windows machines, such as L2, L2.5, L3
switches, L2 firewalls, and NGFWs, etc. All network details related to these network devices shall
be accessible from the NMS console.

14.2 SINEC NMS COMPONENTS


SINEC NMS consists of the "Control" component and at least one "Operation" component. The control is used
for monitoring and administration of the entire network. An operation is responsible for monitoring and
administering a subnetwork.
Monitoring settings to be used by the operations can be configured centrally at the control and then loaded
onto the operations. The operations read the monitoring data from the devices and supply selected data and
summarized status information to the control. An operation can be installed on the same PC as the control or
on another PC. Only one operation can be installed on a PC. The control and each operation have their own
Web interface for displaying monitoring data and administering the network.
Figure 14-1: SINEC NMS components

14.3 SOFTWARE FUNCTIONS OVERVIEW

14.3.1 User and role management


User authorizations can be defined for accessing devices and functions in user and role
management. You can use definable hierarchies for roles and device areas to adapt the authorization
structure of SINEC NMS to the responsibilities planned for the users.
In this project, the NMS users shall be imported from the domain controller in order to assign the
rights and roles regarding the network accessibility.
For central storage of user data, SINEC NMS can be connected to UMC (User Management
Component). Alternatively, user data can be stored on the control. Single sign-on is supported when
using UMC users. This means that when you switch between the Web interfaces for control and
operations, you do not need to log on again. UMC is set up during the installation of SINEC NMS.
The users’ role assignment and rights shall be detailed in the CYBER-DC and User management
4253-AMPF-7-95-9466 Sht 001 document.

Figure 14-2: User and role management



14.3.2 Monitoring on control


The control provides an overview of the monitoring data of all operations determined by the
devices.
Figure 14-3: Monitoring on control

14.3.3 Monitoring on operations


Each operation displays detailed information about its monitored devices and displays the
devices in network topologies if the devices provide the neighbourhood information.
Figure 14-4: Monitoring on operations

14.3.4 Reports
Reports offer exportable evaluations of the network monitoring in both text and graphic form.
Figure 14-5: Device availability report

14.3.5 Policy-based device configuration


Policies can be used to schedule and perform tasks for configuring and managing devices. In addition,
enforcement of policies can be linked to conditions that SINEC NMS checks against existing device properties
and capabilities. Before enforcing a policy, you can use policy simulations to check which devices would be
configured by the policy, and in what order. As part of this project, all tasks will be enforced manually to avoid
any disruption in the network.

14.3.6 Firmware management


Firmware files for devices can be managed centrally in the firmware management on the control. Each change
in the firmware management is automatically synchronized with the operations. When firmware files are
uploaded to SINEC NMS, device compatibility information is automatically read out. Existing firmware files can
be uploaded to the corresponding devices via policies or individual configurations. Hence, firmware updates
for all network devices shall be pushed from the SINEC console through pre-configured policies.
Figure 14-6: Firmware management

14.3.7 Management of device configuration


Each operation contains a directory for device configurations, which you can save in the directory using policies
or individual configurations and load onto the associated devices. To examine differences between device
configurations, you can compare device configurations.
Figure 14-7: Editor for device configuration

16 SINEC PLATFORM

14.4 VIRTUAL PLATFORM


The software selected to serve the functionality is based on the SIEMENS NMS solution “SINEC NMS”. The
minimum requirements for the virtual machine hosting the software are detailed in the table below.
Table 14-1: Minimum requirements for SINEC NMS server

| Criteria | Minimum requirements for Master update server and Secondary update server. |
|---|---|
| Processor | 64-bit Intel compatible; (Recommended) 24 cores minimum |
| RAM | 164 GB |
| Ports | Make sure that the ports you choose are not already in use on the server system. |
| Operating system | Windows server 2019 |
| Supported Web Browsers | Google Chrome 78.0 or higher; Firefox 70 or later; Microsoft Edge*; Internet Explorer 11.0* |

14.5 SOFTWARE LICENSES


The software license for SINEC NMS solution considered as part of this project is highlighted in below table.
Table 14-2: Software licenses

| Item | Description | Qty |
|---|---|---|
| 6GK8781-1DA01-0AA0 | SINEC NMS 500 V1.0 Type of delivery DVD network management software for administration of industrial networks, monitoring, network configuration, license type single Monitorable IP devices 500 Windows 10 Version 1709 (64-bit), Windows Server 2016 and 2019 Version 1607 (64-bit) SINEC NMS 100 V1.0 type of delivery DVD network management software for administration of industrial networks, monitoring, network configuration, license type single monitorable IP devices 100 Windows 10 Version 1709 (64-bit), Windows Server 2016 and 2019 version 1607 (64-bit). | 1 |

17 SINEC NMS DEPLOYMENT AND CONFIGURATION

17.1 INSTALLATION PROCEDURE


SIEMENS shall follow the steps below for the installation procedure of the SINEC management server.
1. Run the "Start.exe" file with administrator privileges on the installation medium.
2. Select the language for the installation wizard. Then click Next.
3. Select “single node installation” and “UMC” for SINEC NMS.
4. Define the UMC domain settings for SINEC NMS and enter the data of an administrator user for
this domain. Use the same Windows user login details.

5. Select the below service for receiving SNMP traps


SINEC NMS trap service: SNMP trap port 162 is used exclusively by Operations. Use the
Operation trap service when you want SINEC NMS to receive SNMPv3 traps or SNMPv3
informs.

6. Follow the instructions of the installation wizard.



7. Restart the PC once the installation is completed.


Two shortcuts will be created on the desktop, one for control and the other for operation.

14.6 SINEC NMS CONFIGURATION


As mentioned earlier, the installation shall be a single-node installation, where both components
“Operation” and “Control” shall be installed on the same VM.

14.7 UMC CONFIGURATION


The user management of the User Management Component (UMC) enables system-wide central
maintenance of users by integration with Microsoft Active Directory. The central user management,
therefore, forms the basis for an efficient and consistent administration of personalized access
permissions within the system. This can significantly reduce security risks.
The UMC allows the establishment of a central user administration. This means that you can transfer
users and user groups from a Microsoft Active Directory (AD). The UMC Server receives the login
requests of the connected applications and checks the entered user data. The application then
receives a response as to whether the login data is correct and the login is approved. The same is
shown in the below figure.

SINEC Server


All user groups shall be detailed in the CYBER-DC and User management - 4253-AMPF-7-95-9466 Sht 001
document. The configuration steps shall be followed as per the SIEMENS manual, as detailed in “Connection of
SINEC NMS to UMC”, section 3, at the following link.
https://support.industry.siemens.com/cs/ww/en/view/109780337

UMC CONFIGURATION

14.8 SINEC SERVER CONFIGURATION


The SINEC NMS software shall be configured to monitor and scan all the connected network
devices in the network. The SINEC NMS shall scan the network to detect all the connected network
devices and get all their details, including MAC address, IP address, firmware version, etc.
Once UMC configuration is done, the configuration steps shall be followed as per the SIEMENS
manual “Network management SINEC NMS – operations instructions” as Appendix-B.

SWITCH CONFIGURATION

14.9 SWITCH
Using SNMP, information about network components can be called up or their parameters changed
by a remote Network Management System (NMS). Accordingly, all switches shall be configured as
SNMP servers. SNMP is defined in three versions: SNMPv1, SNMPv2 and SNMPv3. In contrast to
SNMPv1 and SNMPv2, the security mechanisms in SNMPv3 were significantly expanded.
The security functions are implemented by the following mechanisms:
● Fully encrypted user authentication.
● Encryption of the entire data traffic.
● Access control of the MIB objects at the user/group level.
The SINEC NMS VM shall be configured as the SNMP client that shall send all the SNMP “get”
requests to the servers. Since SNMPv3 will be used, the defined community credentials shall match
on both sides, “server” and “client”, in order to establish successful communication. The
pictures below are an example of the required details to be entered when configuring the SNMP
profile for each device.
Figure 1413-8881: SNMP configuration on SINEC NMS side

Figure 1413-9992: SNMP configuration on switch side

The below details shall be considered with all SNMP devices:


• Authentication protocol: SHA-256
• Username and password shall be detailed in CYBER-DC and User management - 4253-AMPF-7-95-9466
Sht 001 document.
• SNMPv3 auth and priv passwords are set as per the password specifications.
• Read/write community string: Private
• SNMP read community string: Public
In addition, the SINEC NMS is configured as SNMP trap receiver: each SNMP agent sends an
unsolicited trap datagram to the SNMP manager if an error/fault occurs, to inform the
manager immediately that an error/fault has occurred. The IP address of the SINEC NMS is
entered in the trap receiver tab.
Further details shall be followed as per SIEMENS manual “Network management Diagnostics and
configuration with SNMP” as Appendix-A. All IPs for the clients and server shall be detailed in
CYBER-Network - 4253-AMPF-7-95-9461 Sht 001 document.
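
The SNMP requirements above (SNMPv3, SHA-256 authentication, SINEC NMS as trap receiver) can be checked against exported device profiles. The following is an added example, not part of the project documentation or any SIEMENS tool: the profile fields, finding codes, device names and IP addresses are constructed, and treating any configured community string as a finding is this example's own policy, because SNMPv3 itself uses no community strings.

```python
"""Audit SNMP device profiles against the settings required in this section."""
from dataclasses import dataclass

REQUIRED_AUTH = "SHA-256"                     # authentication protocol named above
DEFAULT_COMMUNITIES = {"public", "private"}   # well-known v1/v2c default strings


@dataclass
class SnmpProfile:
    """Hypothetical per-device record; the field names are assumptions."""
    device: str
    version: str                  # "v1", "v2c" or "v3"
    security_level: str = ""      # SNMPv3 only: noAuthNoPriv, authNoPriv, authPriv
    auth_protocol: str = ""
    communities: tuple = ()       # any entry means v1/v2c access is enabled
    trap_receivers: tuple = ()


def audit_profile(profile, nms_ip):
    """Return the list of finding codes for one device profile."""
    findings = []
    if profile.version != "v3":
        # SNMPv1/v2c carry community strings and data in clear text.
        findings.append("not-snmpv3")
    else:
        if profile.security_level != "authPriv":
            findings.append("v3-not-authpriv")
        if (profile.security_level in ("authNoPriv", "authPriv")
                and profile.auth_protocol.upper() != REQUIRED_AUTH):
            findings.append("auth-not-sha256")
    if profile.communities:
        findings.append("community-enabled")
    if any(c.lower() in DEFAULT_COMMUNITIES for c in profile.communities):
        findings.append("default-community")
    if nms_ip not in profile.trap_receivers:
        findings.append("nms-not-trap-receiver")
    if any(r != nms_ip for r in profile.trap_receivers):
        # Traps leaving for a host other than the NMS deserve a look.
        findings.append("unexpected-trap-receiver")
    return findings


def audit_all(profiles, nms_ip):
    """Map each device name to its findings (empty list means compliant)."""
    return {p.device: audit_profile(p, nms_ip) for p in profiles}


# Constructed sample data (documentation address range, invented device names).
NMS_IP = "192.0.2.10"
SAMPLE_PROFILES = [
    SnmpProfile("SW-A", "v3", "authPriv", "SHA-256", (), (NMS_IP,)),
    SnmpProfile("SW-B", "v3", "authNoPriv", "SHA", ("Public",), ()),
    SnmpProfile("FW-C", "v2c", "", "", ("Private", "Public"),
                (NMS_IP, "192.0.2.99")),
]

if __name__ == "__main__":
    for device, findings in audit_all(SAMPLE_PROFILES, NMS_IP).items():
        print(device, "OK" if not findings else ", ".join(findings))
```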

14.10 FIREWALL CONFIGURATION


All NGFWs under the scope of supply of this project shall be monitored by the NMS. This includes:
o L3 NGFWs
o L3.5 NGFWs (Front & back security Firewall)
The steps in the link below shall be followed on each firewall to configure the SNMP traps.
How to Configure Sending SNMPv3 Traps - Knowledge Base - Palo Alto Networks

32 SYSTEM CONFIGURATION AND SETTING

32.1 VM NAME AND NETWORK NAME DETAIL


VM name and network detail shall be as per document:
• CYBER-Network - 4253-AMPF-7-95-9461 Sht 001.

32.2 USER ADMINISTRATION


All NMS users shall be integrated with the domain controller and shall be detailed in:
• CYBER-DC and User management - 4253-AMPF-7-95-9466 Sht 001.

32.3 CYBER SECURITY RELATED INSTALLATIONS


System hardening is detailed in:
• CYBER-Hardening - 4253-AMPF-7-95-9412 Sht 001
CYBER Security - Backup System is detailed in:
• 4253-AMPF-7-95-9462 Sht 001 - CYBER Security - Backup System
Synchronization procedure and configuration is detailed in:
• 4253-AMPF-7-95-9467 Sht 001- CYBER-SYNC
SIEM Log collection agent installation and configuration procedure is detailed in:
• 4253-AMPF-7-95-9464 Sht 001- CYBER-SIEM
CYBER-Endpoint Security and Application Control (ENS & AC) is detailed in:
• 4253-AMPF-7-95-9411 Sht 001 - CYBER – ENS&AC.
WSUS installation and configuration procedure is detailed in:
• 4253-AMPF-7-95-9469 Sht 001- CYBER-WSUS

15 VIRTUALIZATION SOLUTION OVERVIEW

15.1 INTRODUCTION
Virtualization is a method to divide physical hardware resources of a computer into several logical
(virtual) environments.
Virtualization decouples a computer's operating system and user software from its hardware and
makes them available in the form of a virtual machine (VM).
On a real, physical computer (host system) several virtual machines can be implemented isolated
from each other. Isolation prevents conflicts due to software dependencies and provides the ability
to start and stop virtual machines independently.
Furthermore, the physical computer (host system) can be upgraded without influencing or changing
the virtual machines. There is no impact while migrating from one hardware platform to another, as
long as the bare metal hypervisor is the same.

15.2 TERMINOLOGY
Virtualization is associated with several key concepts, products, and features. The actual project
specifications can be found in section 16, Table 16-1.

Table 1514-1 Key Concepts


Term | Definition | Examples
Virtual machine (VM) | Specialized application that abstracts hardware resources into software and includes Operating system and Application |
Operating System (OS) | Software designed to allocate physical resources to applications | Microsoft Windows, Linux
Application (APP) | Software that runs on an operating system, consuming physical resources | NMS, WSUS, ePO, etc.
Virtualization server | Consists of Software (Hypervisor) and Hardware (Host) components. This is managed by vSphere |
Hypervisor | Specialized operating system designed to run VMs | ESXi, Fusion
Host | Physical computer that provides resources to the ESXi hypervisor | Dell or HP
vSphere | Server virtualization product of VMware that combines the ESXi hypervisor and the vCenter Server management platform |
Figure 1514-1 - Multiple VMs, running on a physical host, share the CPU, memory, network, and storage
resources of the host.

15.3 VIRTUAL MACHINES


A virtual machine (VM) is a software representation of a physical computer and its components. The
virtualization software converts the physical machine and its components into files.
Virtual Machine Components:
• Guest operating system
• VMware Tools
• Virtual resources, such as:
o CPU and memory
o Network adapters
o Disks and controllers
o Parallel and serial ports

15.4 THE VIRTUALIZATION SERVER


The virtualization system consists of software and hardware components that are optimally matched
to each other and thus offer high performance. These include:
• Hardware
o Virtualization server (e.g., DELL PowerEdge R750xs Server or HP Server)
o Thin Client/s
• Software
o VMware vSphere which can be
– ESXi (Hypervisor)
– vSphere Web Client or VMware Host Client

15.5 BILL OF VSPHERE PLATFORM


Refer to 4253-AMPF-7-95-9468 Sht 001_CYBER-Virtual Machines. The material below will be procured:
Table 1514-2221
Item | Item Description | Part No. | Qty.
1. | Dell PowerEdge R750xs or HP ProLiant DL380 with the configuration listed below | - | 1
Item 1 configuration:
• 2.5" Chassis with up to 16 Hard Drives (SAS/SATA), 2 CPU with VMware ESXi 7.0 U2 Embedded
Image
• Intel Xeon Silver 4309Y 2.8G, 8C/16T, 10.4GT/s, 12M Cache, Turbo, HT (105W) DDR4-2666
• 2 x Intel Xeon Silver 4314 2.4G, 16C/32T, 10.4GT/s, 24M Cache, Turbo, HT (135W) DDR4-2666
• 3 x 1.2TB Hard Drive SAS 12Gbps 10k 512n 2.5in Hot-Plug in RAID 5 configuration
• 4 x 32GB RDIMM, 3200MT/s, Dual Rank 16Gb BASE x8
• 2 x Broadcom 5719 Quad Port 1GbE BASE-T Adapter, PCIe Low Profile
• Dual, Hot-plug AC power supply
• Included 5 x VM for Windows Server 2019 Standard Edition (LTSC)

16 VIRTUALIZATION SYSTEM REQUIREMENTS


The typical architecture of the virtualization solution comprises a VMware Hypervisor hosted on a
Dell/HP machine with a management console for monitoring and managing the VMs.
The hypervisor shall host six virtual machines as detailed in the system architecture.
The hypervisor software is vSphere, which shall transform the systems into aggregated computing
infrastructures that include CPU, storage, and networking resources.
vSphere manages these infrastructures as a unified operating environment and provides the required
tools to administer the hosted systems.
All the hosted VMs shall share the CPU, memory, network, and storage resources of the physical
host.
The table below summarizes the estimated resources for each virtual machine based
on the recommended requirements.

Table 1916-1: Virtual machines resource assignment

Virtual Machine Application | Operating system | OS required resources: RAM (GB) | Storage (GB) | Virtual Cores
WSUS | Windows Server | 8 | 100 | 2
NMS | Windows Server | 8 | 100 | 2
Backup server | Windows Server | 8 | 100 | 2
Simatic Management Console | Windows Server | 8 | 100 | 2
ePO server | Windows Server | 8 | 100 | 2
Total | | 40 | 500 | 10

Following the above table, the minimum requirements for the hardware will be:
• Minimum 16 cores CPU
• Minimum 64 GB RAM
• Minimum 1.02 TB hard disk

39 HARDWARE DEPLOYMENT
Based on the required resources mentioned in section 3, requirements Virtualization, the hardware
is selected to satisfy these requirements considering enough spare capacity required for backup
verification and emergency implementation of the backup machines.

The selected hypervisor hardware is based on Dell PowerEdge server or similar models from other
vendors as per the approved ICS vendor list with the below specifications.

Table 4-1: Hypervisor hardware specifications


Item: PowerEdge R750xs or similar models from other vendors with these specifications
Specifications:
• 2.5" Chassis with up to 16 Hard Drives (SAS/SATA), 2 CPU with VMware ESXi 7.0 U2 Embedded
Image
• 2 x Intel Xeon Silver 4314 2.4G, 16C/32T, 10.4GT/s, 24M Cache, Turbo, HT (135W) DDR4-2666
• 3 x 1.2TB Hard Drive SAS 12Gbps 10k 512n 2.5in Hot-Plug in RAID 5 configuration
• 4 x 32GB RDIMM, 3200MT/s, Dual Rank 16Gb BASE x8
• 2 x Broadcom 5719 Quad Port 1GbE BASE-T Adapter, PCIe Low Profile
• Dual, Hot-plug AC power supply
• Included 5 x VM for Windows Server 2019 Standard Edition (LTSC)

Notes:
• Supplied Host as above and required configuration console to be installed in the cyber
security cabinet.

17 SOFTWARE DEPLOYMENT

17.1 VMWARE VSPHERE


The two core components of vSphere are ESXi and VMware Host Client. ESXi is the virtualization
platform where you create and run virtual machines and virtual appliances. VMware Host Client is
the service through which you manage hypervisor VMs connected in a network and pool host
resources.

40.2 CONFIGURATION OF THE ESXI


VMware ESX Server is a data center-class virtualization platform. ESX Server runs directly on the
system hardware and provides fine-grained hardware resource control. ESX Server virtualizes CPU,
memory, storage, networking, and other resources. Operating systems running inside virtual
machines use virtualized resources, although from the operating system standpoint the resources
appear as physical, dedicated hardware.
The key elements of the ESX Server system are:
• The VMware virtualization layer, which provides a standard hardware environment and
virtualization of underlying physical resources
• The resource manager, which enables the partitioning and guaranteed share of CPU,
memory, network bandwidth and disk bandwidth to each virtual machine
• The hardware interface components, including device drivers, which enable hardware-
specific service delivery while hiding hardware differences from other parts of the system
The virtualization server is delivered with a password and a preconfigured IP address. The password
and IP address will be specified in 4253-AMPF-7-95-9466 Sht 001-CYBER-DC and User
management and 4253-AMPF-7-95-9461 Sht 001-CYBER-Network.
The data entered on the virtualization server will be recorded and treated confidentially. They
are required for further configuration steps.

Requirements:
The following requirements must be met:
• The virtualization server is mounted and commissioned according to the manufacturer's
instructions.
• A monitor and a keyboard are connected to the virtualization server.

Procedure:
To configure the virtualization server, proceed as follows:
1. Switch the virtualization server on via the mains/standby switch. The start-up application of
the server is displayed.
Figure 5-1

2. Press the F2 key. The dialog for logging on to the virtualization server opens.
3. Enter the following login data:
▪ Login name: as detailed in manufacturer specification
▪ Password: Password for the virtualization server as detailed in manufacturer specification
Figure 5-2

4. Press 'Enter'. The options for customizing the virtualization server system properties are
displayed.
5. Navigate to the "Configure Password" entry and press the Enter key.

Figure 5-3

The dialog for changing the password is opened.


6. Enter the supplied password for the virtualization server in the "Old Password” line.
Figure 5-4

7. Enter a new password for the virtualization server in the "New Password" and "Confirm
Password" lines.

Figure 5-5

8. Press Enter to save the change. Note: Use the <Esc> button to discard the changes and exit
the dialog.
9. Navigate to the "Configure Management Network" entry and press Enter. The options for
changing the network settings are displayed.
10. Navigate to the "IP Configuration" entry and press Enter. The dialog box for changing the IP
address opens.
11. Enter the desired IP address.
Figure 5-6

12. Enter the desired subnet mask.


Figure 5-7

13. Press Enter to save the change and confirm by pressing the Y key (default keyboard layout:
EN).
14. A summary of the settings is displayed under the entry "IP Configuration".
15. Press the <Esc> button to reach the initial dialog.
16. Press the <Esc> button again to log out of the system.

17.2 VIRTUAL MACHINE DEPLOYMENT AND CONFIGURATION


The VMware Host Client is an HTML5-based client that is used to connect to and manage
single ESXi hosts.
The VMware Host Client is used to perform administrative and basic troubleshooting tasks, and
advanced administrative tasks on your target ESXi host.
VMware Host Client functions include, but are not limited to the following operations:
• Basic virtualization operations, such as deploying and configuring virtual machines of various
complexity
• Creating and managing networking and datastores
• Advanced tuning of host level options to improve performance.
Virtual Machine creation and resource allocation
1. Type in the IP address of the ESXi server and press Enter. The browser will give an error
message that the certificate is not trusted. Click Go on to the webpage. The below web
interface is displayed. Enter the username and password.
IP address detail and username password can be found in 4253-AMPF-7-95-9466 Sht 001 -
CYBER-DC and User management and 4253-AMPF-7-95-9461 Sht 001-CYBER-Network.

Figure 5-8

2. The ESXi host console screen will open.


Figure 5-9

3. Right click storage and select New datastore.


4. Select creation type Create new VMFS datastore
Figure 5-10

5. Select the devices for datastore and name the new datastore as datastore1

6. Select partition option as below. Use full disk


Figure 5-11

7. Datastore is created
Figure 5-12

Depending on the functionality of the target VM, the installation procedure may be different. In
this project, ready-made virtual machines prepared by the host vendor will be utilized.
However, if required, the procedure below will be followed to create a fresh VM. For
installation purposes, the ISO file for Windows installation can be uploaded to the datastore from
a remote computer as shown below.

Figure 5-13

8. Click Create/Register VM as shown below


Figure 5-14

9. Select creation type Create a new virtual machine


Figure 5-15

10. Specify the following as shown below


Figure 5-16

Computer Name: the new VM name, IP, and OS family to be filled as per 4253-AMPF-7-95-9466 Sht
001 - CYBER-DC and User management and 4253-AMPF-7-95-9461 Sht 001 -CYBER-Network.

11. Select the storage for the VM which will be datastore1


Figure 5-17

12. Specify hard disk space, CPU and RAM as per minimum requirement of target VM.
Figure 5-18

13. Newly created VMs will appear under Virtual Machines as shown below.
Figure 5-19

14. Right click the newly created VM and Launch VMware Remote console as shown below
Note: VMware Remote Console (VMRC) application must be downloaded and installed on
remote computer
Figure 5-20

Virtual Machine network configuration


Virtual switches connect VMs to the physical network. They provide connectivity between VMs on
the same ESXi host or on different ESXi hosts. A virtual switch has specific connection types:
• VM port groups
• VMkernel port: For ESXi management network and other services
• Uplink ports
More than one network can coexist on the same virtual switch or on separate virtual switches.
ESXi supports 802.1Q VLAN tagging. Virtual switch tagging is one of the supported tagging policies:
• Frames from a VM are tagged as they exit the virtual switch.
• Tagged frames arriving at a virtual switch are untagged before they are sent to the
destination VM.
• The effect on performance is minimal.
• ESXi provides VLAN support by assigning a VLAN ID to a port group.

Figure 1716-11121Virtual Machine network Configuration

New standard switches to be added as per the network plan to ESXi host and to be configured:

Figure 1716-22222

The Physical adapters pane shows adapter details such as speed, duplex, and MAC address
settings. Although the speed and duplex settings are configurable, the best practice is to leave the
settings at auto negotiate.
The physical network cards to be configured with IP address detailed in 4253-AMPF-7-95-9461 Sht
001 -CYBER-Network.
Figure 1716-33323

Each virtual network card has its own MAC address, shall have its own IP address as detailed in
4253-AMPF-7-95-9461 Sht 001 -CYBER-Network, and connects to the corresponding virtual
network switch.

The ESX Server manages both the allocation of resources and the secure isolation of traffic meant
for different virtual machines even when they are connected to the same physical network card.
The allocation of each VM NIC to created virtual switch will be optimized during FAT for the best
performance.

Virtual Machine installation

1. The remote console opens as shown below. Go to Virtual Machine Settings as shown below.
Figure 5-24

2. In the Virtual Machine Settings, browse and attach the ISO image for Windows Server 2019
(or any other OS, depending on the target VM functionality) setup which was uploaded to
datastore1 in previous steps.

Figure 5-25

3. Power on the VM. The VM will boot through the ISO and start loading the pre-installation
environment for Windows Server 2019.
Figure 5-26

4. Complete the installation of Windows Server 2019



Configure the network connection for the VM as per 4253-AMPF-7-95-9461 Sht 001 -CYBER-
Network.
Figure 5-27

5. Add the VM to Domain.


6. Now the VM is ready to be configured further into the following
• ePO for AV and AW
• NMS for network monitoring
• WSUS Server
• Terminal Server for remote connection
• SIEM
• Backup Server

40.4 GENERAL FOR ALL VIRTUAL MACHINES


1. For each virtual machine in the ESXi web interface, install VMWare tools.
1. Right click on VM-> Guest OS->Install VMWare Tools

Figure 5-28

2. Open the machine either using the console or VNC and verify that VMWare tools are mounted
in the DVD drive.

Figure 5-29

3. Double click to run the installer and follow the instructions on screen.


Figure 5-30

4. The only selectable option is the setup type: choose Typical and click Next.


Figure 5-31

5. Restart the machine when the popup appears.



Figure 5-32

41 C SYSTEM CONFIGURATION AND SETTING


Newly supplied VMs will be integrated in the terminal bus network, with all related cybersecurity
features and configuration as detailed below:

41.1 …USER ADMINISTRATION USING


Administration of user authorizations, group authorizations, and operation authorizations involves the
assignment of authorizations in the Windows environment as well as the assignment of users to
activity-oriented roles. These procedures are rigorously separated from each other, but both are
strictly applied under the principle of minimum required rights.
A simple check can be performed with the following questions:
• Who has to do what?
• Who is allowed to do what?
All password details, and users who should have access to this system, shall be added in the
related user groups in the domain. Details can be found in the document:
• 4253-AMPF-7-95-9466 Sht 001 - CYBER-DC and User management

CYBER SECURITY RELATED INSTALLATIONS

System hardening is detailed in:


4253-AMPF-7-95-9412 Sht 001 - CYBER-Hardening - Detailing System Hardening
Backup software agent installation and configuration procedure is detailed in:
4253-AMPF-7-95-9462 Sht 001 - CYBER-Backup System
Anti-Virus and application whitelisting agent installation and configuration procedure is
detailed in:
4253-AMPF-7-95-9411 Sht 001 - CYBER-Endpoint Security and Application Control (ENS & AC)
Synchronization procedure and configuration is detailed in:
4253-AMPF-7-95-9467 Sht 001- CYBER-SYNC
SIEM Log collection agent installation and configuration procedure are detailed in:
4253-AMPF-7-95-9464 Sht 001 - CYBER-Security Information and Event Management System
(SIEM)
Windows Software update via WSUS and configuration procedure is detailed in:

18 WSUS SOLUTION OVERVIEW


The WSUS virtual machine in L 2.5 hosted on the ESXi hypervisor will be provided with manual
updates using USB drives. These updates will be pushed to all the windows machines associated
with the domain. The typical architecture of the WSUS solution comprises three servers, of which
two are managed by Qatar Gas (upstream in L4 and downstream in L3.5 common DMZ),
and the third WSUS server at L2.5 shall be hosted on the Hypervisor in layer 2.5. The L4 upstream
server shall pull Microsoft product updates from Microsoft update server. After that, the patches shall
be distributed to the L32.5 common DMZ WSUS server and L3 server. The same is illustrated in
the below architecture. All windows-based machines shall be patched and updated by the L3 WSUS
server, as highlighted in below architecture with the symbol. A better view of the architecture
is attached in Appendix-B.
Figure 2-1: Typical system architecture.

19 WSUS SYSTEM PLATFORM


The WSUS server provides the ability to manage and distribute updates through its
management console. WSUS is considered a passive component since the communication and
update process is initiated by client computers. The WSUS server scans the client computer for
installed and needed updates the first time the computer contacts the WSUS server. After the
administrator approves an update for the client to install, the update is downloaded by the client
the next time it contacts the WSUS server. This means that it is not possible to push an update to
the client unless a connection is initiated with the WSUS server. Therefore, a procedure for how and
when each client computer will download and install updates must be configured on the client side.
This can be done through:
o Active Directory Group Policies
o Local Group Policies or Registry Editing
o Custom scripts or programs
o Windows Updates user interface
Configuration through AD policies can be performed centrally with minor effort. All the configurations
are performed in the background and do not require interruption of normal operation. If any
changes are required, they can be rolled out automatically to all the clients at the same time.
Configuration using local policies is more time consuming; however, it is an acceptable method for
individual control systems without a domain environment. Configuration via custom programs or
scripts is outside of the scope of this project.

19.1 VIRTUAL MACHINE REQUIREMENTS


As mentioned earlier, the L4 and L3.5 common DMZ WSUS shall be hosted on a virtual machine.
The minimum virtual requirements for WSUS servers are:
• Processor: 2 cores.
• Memory: WSUS requires an additional 2 GB of RAM more than what is required by the server
and all other services or software.
• Available disk space: 40 GB or greater is recommended.


• Network adapter: 100 megabits per second (Mbps) or greater (1GB is recommended).
Refer to Table 15-1 for complete details.

20 SOFTWARE DEPLOYMENT AND CONFIGURATION


The following main implementation steps are executed:
• Design and planning of the network structure and address ranges
• Configuration of the firewall
• Installation and configuration of the WSUS server
• Configuration of the WSUS clients

20.1 DESIGN AND PLANNING OF THE NETWORK


As the first implementation step, the network structure and address ranges must be designed and
planned according to the different network security zones, and IP addresses must be assigned to
the corresponding network components. The DMZ network address range has to fit with
the new or possibly already existing network address ranges of the underlying network(s). Also, at
least one free IP address within the related networks has to be reserved for the gateway / router
or the WSUS server itself.
SIEMENS shall follow the network design detailed in 4253-AMPF-7-95-9461 Sht 001 - CYBER-
Network document.

47.2 Configuration of the firewall


When configuring the access rules of the NGFW, the protocols and ports needed by the WSUS
for communication between the computers to be patched and the WSUS itself must be allowed. The
following firewall rules apply to access of the WSUS server in the Perimeter network (DMZ) and L3.
Table 4-1: WSUS Client access rule
Access Rule | Action | Protocols | From | To
Client access to WSUS L3 server | Allow | HTTP or TCP/8530 | IP address range of WSUS clients | IP address of WSUS server (L3)
An additional rule has to be configured to allow the WSUS in L3 to pull the updates from the DMZ WSUS,
as follows.
Table 4-2: L3 WSUS access rule
Access Rule | Action | Protocols | From | To
L3 WSUS access to L3.5 common DMZ WSUS server (DMZ) | Allow | HTTP or TCP/8530 | IP address of L3 WSUS | IP address of WSUS server (DMZ)
The following access rules are required for access of the WSUS server in the Perimeter network
(DMZ) to the L4 WSUS server.
Table 4-3: L3.5 common DMZ WSUS access rule
Access Rule | Action | Protocols | From | To
L3.5 common DMZ WSUS server to L4 WSUS server | Allow | HTTP or TCP/8530 | IP address of L3.5 common DMZ WSUS | IP address of L4 WSUS server
The rule below is required for the L4 WSUS server to communicate with the external network to
download security updates and critical updates from the Microsoft Update sites (Microsoft Update
Server) via the NGFW.
Table 4-4: L4 WSUS access rule
Access Rule | Action | Protocols | From | To
L4 WSUS access to Microsoft Update Server (Microsoft Update sites) | Allow | HTTP/HTTPS | IP address of WSUS server (L4) | Microsoft Update sites (listed below)
Microsoft Update sites:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://test.stats.update.microsoft.com
http://ntservicepack.microsoft.com
Detailed information about configuring the group policy for the Windows Update service is provided
in the document “SIMATIC Process Control System PCS 7 Compendium Part F - Industrial Security”.
In addition, the following rules are required within a Siemens IT environment.
Table 4-5: general rules
Access Rule | Action | Protocols | From | To
NTP Time Synchronization (optional) | Allow | UDP/123 | IP address of L3 WSUS server | L2 NTP system

47.3 Installation and configuration of the WSUS server


In general, the following main steps have to be carried out to install and configure a WSUS
server, regardless of the software versions used for the Windows Server operating system and WSUS:
• Basic installation of the Windows Server operating system
• Installing prerequisites for subsequent WSUS server installation
• Installing WSUS server role
• Basic configuration of WSUS
• Configuration and managing computer groups and client updates
The Windows Server operating system used for the WSUS has to be installed and configured
according to the rules and regulations of Siemens detailed in chapter 8 of “SIMATIC Process Control
System PCS 7 Compendium Part F”.
The WSUS server must be installed on the basis of the Windows Server 2019 operating system. For
the installation and configuration of the WSUS server (Windows operating system, WSUS role, etc.)
a local (impersonal) user with administrative rights has to be used. This user will also become the
owner of the WSUS database when installing the WSUS role.
47.4 Basic installation of the Windows Server operating system


The installation of the WSUS is based on the default installation of a Windows Server 2019 operating
system. It is assumed that the basic settings (e.g. server name, network configuration incl. static IP
address, DNS server(s), Default Gateway, etc.) are already configured. For DNS name resolution,
the DNS server(s) of the QatarGas network have to be configured in the corresponding network settings
of the WSUS server.

47.4.1 INSTALLING PREREQUISITES FOR SUBSEQUENT WSUS INSTALLATION


For the subsequent WSUS installation, the following software components have to be installed
additionally:
• Feature Microsoft .NET Framework 4.0 via the Windows ‘Add Roles and Features Wizard’.
• Dism.exe /online /enable-feature /featurename:NetFx3 /All /Source:<DVD drive letter>:\sources\sxs /LimitAccess
• Microsoft Report Viewer Runtime 2012, needed for displaying WSUS reports

47.4.2 INSTALLATION OF WSUS ROLE


SIEMENS shall follow the steps in chapter 8.2.2 of “SIMATIC Process Control System PCS 7
Compendium Part F”.
On the “Content location selection” page, it is recommended to store the update files on a separate
partition with enough free disk space and not on the system partition, for example
“D:\WSUS\WSUS_Updates”.
Detailed and additional information regarding the installation is provided in “Microsoft WSUS - Step
2: Install the WSUS server role” at the link below.
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/1-install-the-wsus-server-role
After installing the WSUS server role and rebooting the server, the post-installation tasks have to be
executed via the Server Manager Dashboard under notifications.

47.4.3 BASIC CONFIGURATION OF WSUS


The basic configuration of the WSUS shall be done via the WSUS configuration wizard. The WSUS
configuration wizard is launched the first time the WSUS management console is opened. Of course,
all the settings can also be configured and modified later on the relevant options pages within the
WSUS management console.
In this step, the configuration of the upstream server differs from that of the downstream server.

47.4.3.1 Upstream Server


Once the wizard starts, the steps below shall be followed for the L4 WSUS upstream server.
• Deselect the option to join the Microsoft Update Improvement Program.
• On the “Choose Upstream Server” page, choose the option “Synchronize from Microsoft Update”.
• On the “Specify Proxy Server” page, select the “Use a proxy server when synchronizing” check box
and type the proxy server name and port number of the QatarGas internet proxy server.
Additionally, select the option “Use user credentials to connect to the proxy server” and provide the
required user credentials of the (technical) domain account.
• On the “Connect to Upstream Server” page, click “Start Connecting”. This starts the initial download of
update information (available updates, products and languages, etc.). After some time the
initial download is finished.
• On the “Choose Languages” page, select English.
• On the “Choose Products” page, all relevant Microsoft products shall be selected (Office, SQL Server,
Windows).
• On the “Choose Classifications” page, select the update classifications that you want to obtain. According
to SIEMENS, the following classifications have to be selected for a secure system:
o Critical Updates
o Definition Updates
o Security Updates
o Update Rollups
o Updates
• On the “Set Sync Schedule” page, select the option “Synchronize automatically”, a time for the “First
synchronization” and a synchronization frequency of once per day.
• Select the “Begin initial synchronization” check box on the “Finished” page.
Detailed additional information is provided here: Microsoft WSUS – Step 3: Configure WSUS.
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus
Downstream Server
Once the wizard starts, the steps below shall be followed for the L3 and L3.5 common DMZ
WSUS downstream servers.
• Deselect the option to join the Microsoft Update Improvement Program.
• On the “Choose Upstream Server” page, choose the option “Synchronize from Another Windows Server
Update Services”. The domain name of the upstream server shall then be used with the port 8531.
• On the “Connect to Upstream Server” page, click “Start Connecting”. This starts the initial download of
update information (available updates, products and languages, etc.). After some time the
initial download is finished.
• On the “Choose Languages” page, select English.
• On the “Choose Products” page, all relevant Microsoft products shall be selected (Office, SQL Server,
Windows).
• On the “Choose Classifications” page, select the update classifications that you want to obtain. According
to SIEMENS, the following classifications have to be selected for a secure system:
o Critical Updates
o Definition Updates
o Security Updates
o Update Rollups
o Updates
• On the “Set Sync Schedule” page, select the option “Synchronize automatically”, a time for the “First
synchronization” and a synchronization frequency of once per day.
• Select the “Begin initial synchronization” check box on the “Finished” page.

Detailed additional information is provided here: Microsoft WSUS – Step 3: Configure WSUS.
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus
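
Tables 4-2 and 4-3 allow TCP/8530 between the WSUS tiers, while the downstream wizard step above names port 8531 for the upstream server. The following PowerShell check is an added example, not part of the original specification: it compares each planned WSUS flow with the allow rules so that such a difference is found before commissioning. The zone labels, object layout and function names are assumptions made for this example.

```powershell
# Added example: compare planned WSUS flows with the NGFW allow rules.
# Zone labels (L3-Clients, L3-WSUS, ...) are shorthand assumed for this example.
# 8530 and 8531 are the WSUS default HTTP and HTTPS ports.

# Allow rules transcribed from Tables 4-1 to 4-5 ("HTTP or TCP/8530" read as TCP 8530).
$AllowRules = @(
    [pscustomobject]@{ Name = 'Client access to WSUS L3 server';    From = 'L3-Clients'; To = 'L3-WSUS';          Protocol = 'TCP'; Ports = @(8530) }
    [pscustomobject]@{ Name = 'L3 WSUS access to DMZ WSUS';         From = 'L3-WSUS';    To = 'DMZ-WSUS';         Protocol = 'TCP'; Ports = @(8530) }
    [pscustomobject]@{ Name = 'DMZ WSUS access to L4 WSUS';         From = 'DMZ-WSUS';   To = 'L4-WSUS';          Protocol = 'TCP'; Ports = @(8530) }
    [pscustomobject]@{ Name = 'L4 WSUS access to Microsoft Update'; From = 'L4-WSUS';    To = 'Microsoft-Update'; Protocol = 'TCP'; Ports = @(80, 443) }
    [pscustomobject]@{ Name = 'NTP Time Synchronization';           From = 'L3-WSUS';    To = 'L2-NTP';           Protocol = 'UDP'; Ports = @(123) }
)

# Flows implied by the rules and by the wizard steps in this section.
$PlannedFlows = @(
    [pscustomobject]@{ Purpose = 'Client scan and download';           From = 'L3-Clients'; To = 'L3-WSUS';          Protocol = 'TCP'; Port = 8530 }
    [pscustomobject]@{ Purpose = 'L3 downstream sync (wizard: 8531)';  From = 'L3-WSUS';    To = 'DMZ-WSUS';         Protocol = 'TCP'; Port = 8531 }
    [pscustomobject]@{ Purpose = 'DMZ downstream sync (wizard: 8531)'; From = 'DMZ-WSUS';   To = 'L4-WSUS';          Protocol = 'TCP'; Port = 8531 }
    [pscustomobject]@{ Purpose = 'L4 sync from Microsoft Update';      From = 'L4-WSUS';    To = 'Microsoft-Update'; Protocol = 'TCP'; Port = 443 }
    [pscustomobject]@{ Purpose = 'NTP time synchronization';           From = 'L3-WSUS';    To = 'L2-NTP';           Protocol = 'UDP'; Port = 123 }
)

function Find-AllowRule {
    param(
        [Parameter(Mandatory)]$Flow,
        [Parameter(Mandatory)][object[]]$Rules
    )
    # A flow is covered only if zone pair, protocol and destination port all match.
    $Rules | Where-Object {
        $_.From -eq $Flow.From -and $_.To -eq $Flow.To -and
        $_.Protocol -eq $Flow.Protocol -and $_.Ports -contains $Flow.Port
    } | Select-Object -First 1
}

function Test-FlowCoverage {
    param(
        [Parameter(Mandatory)][object[]]$Flows,
        [Parameter(Mandatory)][object[]]$Rules
    )
    foreach ($flow in $Flows) {
        $rule = Find-AllowRule -Flow $flow -Rules $Rules
        [pscustomobject]@{
            Purpose = $flow.Purpose
            Flow    = '{0} -> {1} {2}/{3}' -f $flow.From, $flow.To, $flow.Protocol, $flow.Port
            Allowed = $null -ne $rule
            Rule    = if ($rule) { $rule.Name } else { '<no matching allow rule>' }
        }
    }
}

Test-FlowCoverage -Flows $PlannedFlows -Rules $AllowRules | Format-Table -AutoSize
```

The two downstream synchronization flows are reported without a matching rule; either the rule port or the wizard port has to be aligned in the as-built configuration.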
47.4.4 CONFIGURATION AND MANAGING COMPUTER GROUPS AND CLIENT UPDATES


Computer groups defined within the WSUS management console are an important part of Windows
Server Update Services (WSUS) deployments. Computer groups make it possible to test updates and target them
to specific computers. There are two default computer groups after installation: “All Computers” and
“Unassigned Computers”. By default, when a client computer first contacts the WSUS server, the
server adds that client computer to both of these groups. It is possible to create additional custom
computer groups to manage updates in the environment. As a best practice, SIEMENS shall create
separate computer groups to test updates before deploying the updates to other computers within
the environment. It is also recommended to have each redundant pair in different computer groups.
Accordingly, SIEMENS shall create the below computer groups:
• SIEMENS Redundant Server GRP1
• SIEMENS Redundant Server GRP2
• SIEMENS Redundant Client GRP1
• SIEMENS Redundant Client GRP2
• Non-SIEMENS Server machines
• Non-SIEMENS Client machines

Additional policies are followed as per SIEMENS manual “SIMATIC Process Control System PCS 7
Compendium Part F - Industrial Security” chapter 8.2.3.

47.5 CONFIGURATION OF THE WSUS CLIENTS


All Microsoft Windows computers in the environment, including the WSUS server itself, have to be
configured as WSUS clients. If the client is a member of an Active Directory domain, the group policy
settings can alternatively be made centrally and distributed to the corresponding systems.
Detailed information about configuring the group policy for the Windows Update service for the clients
is provided in:
• Microsoft WSUS - Step 5: Configure group policy settings for automatic updates.
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates#group-policy-settings-for-wsus-client-updates
The table below lists the planned group policy settings for operating system Windows 10 Enterprise
2015 LTSB (64-Bit) clients.
Table 23-16: Windows update policies
Windows Update policy setting | State | Options
Configure Automatic Updates | Enabled | Configure automatic updating: Notify for download and notify for install
Specify intranet Microsoft update service location | Enabled | Intranet update service: http://<IP address of WSUS server>:8530; Intranet statistics server: http://<IP address of WSUS server>:8530
Defer Upgrade | Enabled |
Automatic Updates detection frequency | Enabled | Check for updates at the following interval (hours): 22 (= default value)
Do not connect to any Windows Update Internet locations | Enabled |
Allow non-administrators to receive update notifications | Disabled |
Allow Automatic Updates immediate installation | Disabled |
No auto-restart with logged on users for scheduled automatic updates installations | Enabled |
Re-prompt for restart with scheduled installations | Disabled |
Reschedule Automatic Updates scheduled installations | Enabled | Wait after system startup (minutes): 5
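
The following PowerShell audit is an added example, not part of the original specification: it compares the Windows Update policy values on a client with the planned settings in the table above and lists every deviation. The registry value names are the documented Windows Update policy values; the mapping of each table row to a value, the function names and the placeholder address 192.0.2.10 are assumptions of this example.

```powershell
# Added example: audit a WSUS client's Windows Update policy against the planned table.
# Which registry value represents which table row is this example's mapping (assumption).
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Get-PlannedWsusPolicy {
    param([Parameter(Mandatory)][string]$WsusUrl)
    # Id prefix: 'WU' = WindowsUpdate key, 'AU' = WindowsUpdate\AU subkey.
    $rows = @(
        @('AU\NoAutoUpdate',                  0,        'Configure Automatic Updates: Enabled'),
        @('AU\AUOptions',                     2,        'Notify for download and notify for install'),
        @('AU\UseWUServer',                   1,        'Specify intranet Microsoft update service location: Enabled'),
        @('WU\WUServer',                      $WsusUrl, 'Intranet update service'),
        @('WU\WUStatusServer',                $WsusUrl, 'Intranet statistics server'),
        @('WU\DeferUpgrade',                  1,        'Defer Upgrade: Enabled'),
        @('AU\DetectionFrequencyEnabled',     1,        'Automatic Updates detection frequency: Enabled'),
        @('AU\DetectionFrequency',            22,       'Check for updates interval (hours)'),
        @('WU\DoNotConnectToWindowsUpdateInternetLocations', 1, 'Do not connect to any Windows Update Internet locations: Enabled'),
        @('WU\ElevateNonAdmins',              0,        'Allow non-administrators to receive update notifications: Disabled'),
        @('AU\AutoInstallMinorUpdates',       0,        'Allow Automatic Updates immediate installation: Disabled'),
        @('AU\NoAutoRebootWithLoggedOnUsers', 1,        'No auto-restart with logged on users: Enabled'),
        @('AU\RebootRelaunchTimeoutEnabled',  0,        'Re-prompt for restart with scheduled installations: Disabled'),
        @('AU\RescheduleWaitTimeEnabled',     1,        'Reschedule Automatic Updates scheduled installations: Enabled'),
        @('AU\RescheduleWaitTime',            5,        'Wait after system startup (minutes)')
    )
    foreach ($r in $rows) {
        [pscustomobject]@{ Id = $r[0]; Expected = $r[1]; Setting = $r[2] }
    }
}

function Get-WsusClientPolicy {
    # Reads the live policy values from the local registry (run on the client itself).
    $values = @{}
    foreach ($pair in @(@('WU', $WuKey), @('AU', $AuKey))) {
        $item = Get-ItemProperty -Path $pair[1] -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($p in $item.PSObject.Properties) {
            # Skip the PSPath/PSProvider properties that Get-ItemProperty adds.
            if ($p.Name -notlike 'PS*') { $values["$($pair[0])\$($p.Name)"] = $p.Value }
        }
    }
    $values
}

function Test-WsusClientPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Actual,
        [Parameter(Mandatory)][string]$WsusUrl
    )
    foreach ($rule in Get-PlannedWsusPolicy -WsusUrl $WsusUrl) {
        $found = $Actual.ContainsKey($rule.Id)
        [pscustomobject]@{
            Setting   = $rule.Setting
            Id        = $rule.Id
            Expected  = $rule.Expected
            Actual    = if ($found) { $Actual[$rule.Id] } else { '<not set>' }
            # A missing value counts as a deviation from the planned policy.
            Compliant = $found -and ("$($Actual[$rule.Id])" -eq "$($rule.Expected)")
        }
    }
}

# Constructed sample: values as they might be read from a client with two deviations
# (automatic install instead of notify, and the Internet-locations block not applied).
$sample = @{
    'AU\NoAutoUpdate' = 0; 'AU\AUOptions' = 4; 'AU\UseWUServer' = 1
    'WU\WUServer' = 'http://192.0.2.10:8530'; 'WU\WUStatusServer' = 'http://192.0.2.10:8530'
    'WU\DeferUpgrade' = 1; 'AU\DetectionFrequencyEnabled' = 1; 'AU\DetectionFrequency' = 22
    'WU\ElevateNonAdmins' = 0; 'AU\AutoInstallMinorUpdates' = 0
    'AU\NoAutoRebootWithLoggedOnUsers' = 1; 'AU\RebootRelaunchTimeoutEnabled' = 0
    'AU\RescheduleWaitTimeEnabled' = 1; 'AU\RescheduleWaitTime' = 5
}

Test-WsusClientPolicy -Actual $sample -WsusUrl 'http://192.0.2.10:8530' |
    Where-Object { -not $_.Compliant } |
    Format-Table Setting, Id, Expected, Actual -AutoSize

# On a real client, pass the live values instead of the sample:
#   Test-WsusClientPolicy -Actual (Get-WsusClientPolicy) -WsusUrl 'http://<IP address of WSUS server>:8530'
```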

4821 PATCHING PROCEDURE


The below flowchart illustrates the patching procedure which shall be followed as part of this project.
Figure 2120-1: Patch procedure

48.121.1 WSUS ROLL-BACK


It is important to highlight that the patch procedure shall be initiated only after a full backup of the
systems has been taken. This is crucial: if a patch impedes system functionality and cannot be
successfully removed, the whole system can then be recovered immediately.
48.221.2 PATCH TESTING


For redundant groups, the patching procedure shall be done on each redundant pair separately. This
scenario allows patching activities to be conducted with negligible impact on operations. However,
for the single stations, each station shall be patched separately.
To check the updates tested under SIMATIC PCS 7, the steps below shall be followed.
• Download the Excel table "Security_Patches_iec.xls" to your computer from the following
FAQ:
"Which Microsoft updates have been tested for compatibility with SIMATIC PCS 7?"
(https://support.industry.siemens.com/cs/ww/en/view/18490004)
• Open the table and filter the "PassedProduct" column for all entries except "PCS7Vxy".
• Check the "Comments" column to see whether these updates were replaced.
This procedure shall be repeated manually once per month, since the Excel table is updated on a
monthly basis. The user shall have administrative rights and be part of the local Administrators group.
For the other SIEMENS provided applications, SIEMENS shall follow the links below to check the
compatibility and procedure for each application with the corresponding released Microsoft updates.
These links are updated whenever a new Microsoft patch is released and tested.
Table 2120-1: Applications patching compatibility
Application | Link
ePO server | Section “server operating systems”: https://kc.mcafee.com/corporate/index?page=content&id=KB51569
End point Security platform (ENS) | Section “Supported Microsoft Windows Server operating systems”: https://kc.mcafee.com/corporate/index?page=content&id=KB82761
Application Control (AC) | Both sections, “Supported Windows 10 operating systems” and “Supported Windows (other) operating systems”: https://kc.mcafee.com/corporate/index?page=content&id=KB73341

48.321.3 PATCH MANAGEMENT PROCEDURE AND STRATEGY FOR RELEASING AND INSTALLING
MICROSOFT SECURITY UPDATES
The procedure of releasing the updates to the clients shall be followed as per the below steps.
• Select all available and not yet approved updates. Next, deselect only the updates that are
incompatible with SIMATIC PCS 7 according to the Excel table above. Release the selected
updates for installation in the created groups. Proceed group-by-group to ensure the availability
and operability of your system.
• Exclude all patches other than "Security Patches" and "Critical Patches" from the update of the
systems.
• Log on to the systems connected to the WSUS with an administrator account. The systems are
configured accordingly to receive the updates from the WSUS.
• To do so, use the function that can be accessed via "Notification icon > All settings > Update
and Security" and initiate the search for available updates there.
• Make sure that SIMATIC PCS 7 Runtime is stopped for Redundant Servers GRP1.
• Install the offered updates and restart the relevant systems.


• After some days with no negative impact on the systems, you can release the updates also for
the other computer groups.
• If a used product appears in the "FailedProduct" column, reject the relevant update for affected
systems.
• Once GRP1 servers are updated, then the same procedure can be followed for GRP2.
• The same steps shall be followed with Clients.
With this procedure only the needed updates are downloaded. Thus, disk space and performance are
saved on the WSUS server. In addition, software packages are not in the scope of the native PCS 7
or WinCC compatibility tests.
Based on the configured settings and policies, the WSUS strategy shall be as follows.
• The WSUS server periodically synchronizes the update status with the Microsoft Update Server
once per day.
• WSUS client computers periodically check for new relevant updates on the WSUS server and
create status reports accordingly at least once a day.
4922 BACKUP STRATEGY PLANNING


The covered machines are identified as per the architecture in the previous section, which will ensure
a full back-up recovery in case of any disaster or abnormal activities. Different types of
back-ups will be taken by our back-up server depending on the data type and the required frequency. An overview of the
backup concept needs to cover
o description of the data to be covered (What)
o a backup schedule (When)
o storage on and handling of suitable backup media (Where).
This section summarizes the overall backup and restore concept and best practice recommendations
for the provided solution. Additional information is available in SIEMENS manual “SIMATIC Process
Control System PCS 7 Compendium Part F - Industrial Security” section 10.
https://support.industry.siemens.com/cs/ww/en/view/109794065
Figure 2-1: Backup system architecture

49.122.1 DATA TYPE (WHAT)


Data backup will be categorized as:

System Backup
System backup refers to a complete system image, e.g. a snapshot of the current system, which is usually
referred to as the OS drive. The data included will be as follows:
o Hardware-specific files (drivers)
o Windows operating system files and settings
o Installed programs and their configurations
o Host devices (Hardware-specific files (drivers), Windows operating system files and settings,
Installed programs and their configurations)
o Virtual machines
Following the cybersecurity guidelines and the implementation of application whitelisting, the OS and
related installation will remain the same during the life cycle of the project. The OS installation may be
changed following any system update through WSUS.
Apart from the 1st full backup, it is recommended to have a verified OS backup only before and after
any update.
All system backups including the OS, apart from the 1st full backup, shall be backed up as part of
the scheduled full and differential backup.

Engineering Project Backup


Engineering Project backup mainly refers to the backup of the PCS 7 Multiproject, S7 project of both
HVAC and IPCMS. SIMATIC Manager is used for project backup.
The project backup includes the entire project data and can be archived as a ZIP file that contains
all configuration data using the SIMATIC Manager tool.
Procedure:
The project objects to be archived must not be open, and all online monitoring and
simulations of the project must be closed before archiving.
• To archive the project, in the SIMATIC Manager, go to "File > Archive" and choose the "User
projects" tab in the "Archiving" dialog.
• Mark the required project with the cursor and acknowledge with OK.
• Save the file to a network path on the NAS E:\Archive\Project Name\
• For the file name, type the name of the Multiproject and the date and time of the backup (e.g.:
DCS_2022-03-01_10h15.zip).
• The project name will be changed. After that, acknowledge the message displayed with "OK".
The project will then be archived.
Based on best practices and SIEMENS recommendation, this backup should be taken following the
change management procedure, before and after any major engineering changes.
If there is no change in the project, it is recommended to take project backups on a monthly
basis. After the SAT, it is not expected to have a major change in the projects.
The backup name should contain at least the project name, date, and time.
All project backups, stored in a dedicated location for each system, apart from the 1st full backup, shall
be backed up as part of the scheduled full and differential backup.

Real-Time data backup


Real-time data will be stored in the SQL databases of the PCS 7/WinCC project as per the project setting
in WinCC or PCS 7. The database size and storage duration will be as per the current project setting.
The database will be overwritten as soon as it reaches the configured size or storage age.
For the PCS 7 system, as this storage is longer, a process historian is considered.
All required parametrization and configuration for these data will be done in WinCC or PCS 7. The
whole WinCC/PCS 7 project folder including the related real-time and archive databases, stored in
the default project folder D:\Project Name\.... will be part of the backup.
All real-time backups, stored in a dedicated location for each system, apart from the 1st full backup,
shall be backed up as part of the scheduled full and differential backup.

Component Specific Data


Component-specific data, such as databases or the individual configuration of network devices, needs to
be backed up. Recommendations for components where specific data requires backup are
summarized in section Error! Reference source not found.6.
In this project, the table below provides an overview of the data backup type per component type.
Table 2221-1: Backup data types per device type
Data Type | Device Type: Host/VM | Device Type: Network
System | System Image | Firmware/OS
Engineering Project | via Engineering Station | NA
Component specific | Databases, GPOs, WSUS DB, etc | Device Configuration

49.222.2 ESTIMATED BACKUP SIZE


Following the above, Siemens has estimated the required backup space for each component.
Table 2221-2: General estimated Backup size
Data Type | Device Type: Host/VM | Device Type: Network
Engineering Project | 10-15 GB | NA
System and Component specific | 100 GB | 500MB
Component specific (like PH, Log collector, etc.) | 2000 GB | -

49.322.3 BACKUP SCHEDULE (WHEN)


Backup for the different data types is required in the scenarios below.
• In cases where changes have occurred to the system and its components (e.g., software
updates or relevant configuration changes)
• During important milestones (e.g. prior to and after acceptance testing)
• In general, at regular intervals. These intervals may be defined per device type and data type as well
as lifecycle phase (e.g., engineering, operation).

Backup Types
The following types of back-up are used in industrial environments:
• Full Backup: The most basic and complete type of backup operation is a full backup. As the
name implies, this type of backup makes a copy of all data to a storage device, such as a disk
or tape. The primary advantage to performing a full backup during every operation is that a
complete copy of all data is available with a single set of media. This results in a minimal time
to restore data, a metric known as a recovery time objective. However, the disadvantages are
that it takes longer to perform a full backup than other types, and it requires more storage
space.
• Incremental Backup: An incremental backup operation will result in copying only the data that
has changed since the last backup operation of any type. It typically uses the modified time
stamp on files and compares it to the time stamp of the last backup. Backup applications track
and record the date and time that backup operations occur in order to track files modified since
these operations.
Because an incremental backup only copies data changed since the last backup of any type, an
organization may run it as often as desired, with only the most recent changes stored. The
benefit of an incremental backup is that it copies a smaller amount of data than a full backup. However,
the disadvantage is that if one of these incremental backups is corrupted, it will not be
possible to restore that backup copy, and recovery will only be possible from the last
full backup taken.
• Differential Backup: A differential backup operation is similar to an incremental backup in that
it copies all data changed since the previous backup. However, each time it runs afterwards,
it continues to copy all data changed since the previous full backup. Thus, it stores more
backed-up data than an incremental backup on subsequent operations, although typically far less than
a full backup. The differential backup is recommended in industrial environments
since it is reliable and efficient. The figure below illustrates the process of the differential backup
compared to the other types.

Figure 2221-1112: Differential backup operation
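
To make the comparison of backup types concrete, the following PowerShell example (added here, not part of the original document) walks the restore chain of every backup set and reports which restore points remain usable when one set is corrupted. The dates, the corrupted February set and the function names are constructed for this illustration.

```powershell
# Added example: which restore points survive one corrupted backup set?
# Dates and the corrupted entry are constructed sample data.

function New-BackupSet {
    param(
        [Parameter(Mandatory)][string]$Date,
        [Parameter(Mandatory)][ValidateSet('Full', 'Incremental', 'Differential')][string]$Type,
        [bool]$Valid = $true
    )
    [pscustomobject]@{ Date = [datetime]$Date; Type = $Type; Valid = $Valid }
}

function Get-RestoreChain {
    # Returns the backup sets needed to restore to $Backups[$Index],
    # or nothing if a required set is missing or corrupted.
    param(
        [Parameter(Mandatory)][object[]]$Backups,
        [Parameter(Mandatory)][int]$Index
    )
    $chain = @()
    $anchored = $false
    $i = $Index
    while ($i -ge 0 -and -not $anchored) {
        $set = $Backups[$i]
        $chain = @($set) + $chain
        switch ($set.Type) {
            'Full'         { $anchored = $true }
            'Incremental'  { $i-- }     # depends on the previous backup of any type
            'Differential' {            # depends only on the most recent full backup
                do { $i-- } while ($i -ge 0 -and $Backups[$i].Type -ne 'Full')
            }
        }
    }
    if (-not $anchored) { return }                          # no full backup to start from
    if ($chain | Where-Object { -not $_.Valid }) { return } # a required set is corrupted
    $chain
}

function Get-RestorePointStatus {
    param([Parameter(Mandatory)][object[]]$Backups)
    for ($n = 0; $n -lt $Backups.Count; $n++) {
        $chain = @(Get-RestoreChain -Backups $Backups -Index $n)
        [pscustomobject]@{
            RestorePoint = $Backups[$n].Date.ToString('yyyy-MM-dd')
            Type         = $Backups[$n].Type
            Restorable   = $chain.Count -gt 0
            SetsNeeded   = $chain.Count
        }
    }
}

# Quarterly full backup with monthly differentials; the February set is corrupted.
$differentialPlan = @(
    (New-BackupSet -Date '2023-01-01' -Type Full),
    (New-BackupSet -Date '2023-02-01' -Type Differential -Valid $false),
    (New-BackupSet -Date '2023-03-01' -Type Differential),
    (New-BackupSet -Date '2023-04-01' -Type Full)
)

# Same calendar with incrementals instead of differentials.
$incrementalPlan = @(
    (New-BackupSet -Date '2023-01-01' -Type Full),
    (New-BackupSet -Date '2023-02-01' -Type Incremental -Valid $false),
    (New-BackupSet -Date '2023-03-01' -Type Incremental),
    (New-BackupSet -Date '2023-04-01' -Type Full)
)

'Differential plan:'
Get-RestorePointStatus -Backups $differentialPlan | Format-Table -AutoSize
'Incremental plan:'
Get-RestorePointStatus -Backups $incrementalPlan | Format-Table -AutoSize
```

With differentials only the corrupted February point is lost; with incrementals the March point is lost as well, because its chain passes through the corrupted set.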

The backup schedule shall be as per the table below. However, any changes on site shall be reflected
in the As-built documents.

49.422.4 PROJECT RECOMMENDED BACKUP SCHEDULE


To allow efficient backup and system operation in parallel, the dedicated network load will be
limited to a maximum of 20%, and the full backup of each machine will be scheduled individually to avoid
parallel system backups and system load. Following the above introduction, Siemens recommends
the backup schedule below for this project:
• First back-up: The first back-up shall be as “full Backup” taking a backup of all machines
manually and shall be kept on the back-up server. In this backup, all project data and system
data will be backed-up and hence an image of each machine shall be available on the NAS
server.
• Differential back-up: Once the first backup is done and stored on the NAS, a differential back-up
of the machines shall be taken on a monthly basis. The same is detailed in the table below.
• Full back-up: A full back-up of the automation machines shall be captured every 3 months
since this is a backup for the automation systems not the online archives. In other words,
these systems are expected to have a minimal change of approximately 5% per month. On
the other hand, the online data and archives shall be backed up on the historian server.

Table 2221-3: Recommended backup schedule per device type
Data Type | Device Type: Host/VM | Device Type: Network
System and Component specific | Important milestones, FAT/SAT, important software updates. Full OS image-based back up shall be taken Quarterly with monthly differential backup. | Important milestones, FAT/SAT, important software updates. Full image-based back up shall be taken Quarterly with monthly differential backup.
Project | Important milestones, FAT/SAT. A differential backup shall be taken on Monthly basis. | NA

5023 BACKUP PLATFORM


To determine the required backup size, SIEMENS has consulted with Acronis. As per Acronis sizing
guidelines, it is estimated that the total online backup size considering 3 4 months of retention period
and 35% data change will be around 14TB 26 TB and hence the backup hardware has been selected
as detailed in the next section with enough spare.
Table 23-1: Backup Size Estimation
Criteria | Value
Physical Machines |
Total Number of Servers | 17
Total Number of Workstations | 5
Virtual Machines |
Number of Hypervisor Hosts | 1
Total Number of Virtual Machines | 4
Data Size |
Average Server Backup Data Size | 250 GB
Average Workstation Backup Data Size | 150 GB
Average Virtual Machine Data Size | 250 GB
Daily Data Change Rate | 3.00 %
Unchanging Data | 30.0 %
Total Data to Backup | 6 TB
Backup and Retention Policy |
Incremental Backup Everyday | Yes
Full Backup every X day | 60 days
Days to keep full backups | 130 days
Days to keep Incremental backup | 7 days
Recommended Hardware (Storage) |
Initial backup size | 5 TB
Total data Size Between Full backups | 21 TB
Total Backup Size | 26 TB

50.123.1 HARDWARE PROFILE


The Back-up solution consists of the Back-up Server and Network Attached Storage (NAS). The total
size of the back-up will be around 14 TB and hence we have considered a NAS server with the
capability to store up to 3224 TB of data considering future growth in the customer environment. The
table below lists the hardware of the NAS drive along with its specifications.
Table 2322-21: NAS hardware specifications
Item Specifications
Network Attached Storage (NAS) Intel Xeon Bronze 3204 1.9G, 6C/6T, 9.6GT/s, 8.25M
As per the ICS Vendor list Cache, No Turbo, No HT (85W) DDR4-
Dell or HP make NAS shall be Dell EMC NX3240, Chassis with up to 12 x 3.5" HDDs
selectedDell EMC NX3240 on BP, 4 x 3.5" HDDs on MP and 2 x 3.5" HDDsChassis
with up to 12 x 3.5" HDDs on BP, 4 x 3.5"
HDDs on MP and 2 x 3.5" HDDs Flexbay, 61,
84TB 7.2K RPM NLSAS ISE 12Gbps 512n 3.5in Hard
Drive (ZR) Flexbay, 1 and 2CPU Configuration, with 5x
8TB 7.2K RPM SAS 12Gbps 512e 3.5in Hard Drive,
RAID 6, Broadcom 57412 Dual Port 10GbE SFP+ &
5720 Dual Port 1GbE BASE-T, rNDC
600GB 10K RPM SAS ISE 12Gbps 512n 2.5in Flex
Bay Hard Drive, 3.5in HYB CARR (ZR)
Broadcom 5720 Quad Port 1GbE BASE-T, rNDC (ZR)
External hard disk 1 x 6 TB Hard disk

50.223.2 SOFTWARE PROFILE


Acronis Cyber Backup Management Server is the central point for managing all the backups. In
the on-premises deployment, it is installed in the layer 3 network. The web interface to this server is
called the Cyber Protect web console.
The Management Server is responsible for the communication with Cyber Backup Agents and
performs general plan management functions. Before every backup activity, agents refer to the
management server to verify the prerequisites. Sometimes, the connection to the management
server could be lost, which will prevent the deployment of new Backup plans. However, if a Backup
plan has already been deployed to a machine, the agent continues the Backup operations for 30
days after the communication with the management server is lost. The Backup agent is installed on
each machine that you want to back up.
Accordingly, Acronis Cyber Backup 15 software shall be utilized as the main management server
console for all automated backups. The Advanced edition is considered based on the size of the
proposed architecture. Essentially, according to Acronis, the Virtual machine shall be equipped with
a processor of minimum 2 GB RAM, 2 GB disk space and Windows or Linux 64 bit OS. The below
figure shows the view of assets in the management console.

Figure 2322-1: Acronis agent devices



Each machine included in the above list shall be equipped with an Acronis agent, which performs
backup and restore operations. When a backup or restore operation is requested, the Management
Console wakes the previously deployed Backup Agent. While executing the requested operation to
back up or recover the machine, the agent periodically sends messages to the Management Service.
Depending on the OS (Windows Server or Windows 10) and the installed databases, different types
of Acronis agent will be required. The licenses shall cover all supplied VMs, IPC and PI server as
listed in the table below.
Table 2322-32: Acronis agent licenses
Sr Equipment Name Operating system Acronis agent
1. WS-6502-03 L2- Windows 2019 Acronis Cyber agent – Server
ELICS-EWS-1L2- ServerWindows 10 ClientAcronis Cyber agent – Windows
DCS-EWS-1 Client
2. WS-6007-02 L2- Windows 10 Acronis Cyber agent – Windows Client
ELICS-EWS-2L2-DCS-
OWSC-1
3. WS-6052-01 L2- Windows 10 Acronis Cyber agent – Windows Client
ELICS-EWS-3L2-DCS-
OWSC-2
4. WS-6502-01 L2- Windows 10 Acronis Cyber agent – Windows Client
ELICS-OWS-1L2-DCS-
OWSC-3
5. WS-6502-02 L2- Windows 10 Acronis Cyber agent – Windows Client
ELICS-OWS-2L3-DCS-
ALR-1
6. WS-6007-01 Windows 10 Acronis Cyber agent – Windows Client
7. SRV-6502-01A L2- Windows 2019 Acronis Cyber agent – Server Client
ELICS-SVR-1L3-DCS- ServerWindows 10 Acronis Cyber agent – Windows Client
OPC-1
8. SRV-6502-01B L2- Windows 2019 Acronis Cyber agent – Server Client
ELICS-SVR-2L2-ESD- ServerWindows 10 Acronis Cyber agent – Windows Client
EWS-1
9. SRV-6502-02A L2- Windows 2019 Acronis Cyber agent – Server Client
ELICS-SVR-3L2- ServerWindows 10 Acronis Cyber agent - Server machine
IPCMS-OWS-1
10. SRV-6502-02B L2- Windows 2019 Acronis Cyber agent – Server Client
ELICS-SVR-4L2- ServerWindows 10 Acronis Cyber agent – Windows Client
IPCMS-EWS-1
11. SRV-6502-03A L2- Windows 2019 Acronis Cyber agent – Server Client
ELICS-SVR-5L2- ServerWindows 10 Acronis Cyber agent - Server machine
HVAC-OWS-1
12. SRV-6502-03B L2- Windows 2019 Acronis Cyber agent – Server Client
ELICS-SVR-6L2-DCS- ServerWindows 2019 Acronis Cyber agent - Server machine
OWSS-1 Server
13. SRV-6502-04A L2- Windows 2019 Acronis Cyber agent – Server Client
ELICS-SVR-7L2-DCS- ServerWindows 2019 Acronis Cyber agent - Server machine
OWSS-2 Server
14. SRV-6502-04B L2- Windows 2019 Acronis Cyber agent – Server Client
ELICS-SVR-8L3-DCS- ServerWindows 2019 Acronis Cyber agent - Server machine
PH-1 Server
15. HS-6502-01L2-ELICS- Windows 2019 Server Acronis Cyber agent – Server Client
PH-1
16. HS-6502-02L2-ELICS- Windows 2019 Server Acronis Cyber agent – Server Client
PH-2
17. L325-CYBCYB- Windows 2019 Server
WSUSBUP-1
18. VRV-6007-02 L25-CYB- Windows 2019 Server
SMC-1L3-CYB-NMS-1
19. VSRV-6007-01L253- Windows 2019 Server Acronis Cyber agent – Hypervisor
CYB-BUPWSUS-1 (covering all hosted VMs)
20. EPO-6007-01L253- Windows 2019 Server
CYB-EPOTS-1
21. NMS-6007-01L325- Windows 2019 Server
CYB-EPONMS-1
22. PDC-6007-01L2.53- Windows 2019 Server Acronis Cyber agent - Server machine
CYB-DC-1
23. SDC-6007-01L2.53- Windows 2019 Server Acronis Cyber agent - Server machine
CYB-DC-2
24. POC-6007-01L23.5- Windows 2019 Acronis Cyber agent – Windows Client
CYB-PIOPC-1 Server10 Acronis Cyber agent - Server machine
25. SOC-6007-01 L25-CYB- Windows 10Windows Acronis Cyber agent – Windows Client
OPC-2Remote Station 10 Acronis Cyber agent – Windows Client

Any machine with an SQL database requires an Acronis server-based license, and hence all single
stations shall have an Acronis server license. Accordingly, the total number of software licenses
utilized as part of this project is detailed in the table below.
Table 2322-34: Backup software licenses
Item Qty
Acronis Cyber Backup Advanced Management Console 1
Acronis Cyber agent - Server machine 11738
Acronis Cyber agent – Windows Client machine 659
Acronis Cyber agent – Hypervisor (covering all hosted VMs) 1

24 SYSTEM BACKUP CONFIGURATION


This section details the installation procedure for both the management server and the agents.

24.1 BACKUP MANAGEMENT SERVER


To install the Backup Management Server, Siemens will follow all the required steps detailed in the
manual below.
https://www.acronis.com/en-us/support/documentation/AcronisCyberProtect_15/#installation-in-windows-52739.html

24.2 BACKUP AGENT


To install the Backup agent on each machine, Siemens will follow all the required steps detailed in
the manual below.
https://www.acronis.com/en-us/support/documentation/AcronisCyberProtect_15/#installation-in-windows.html

24.3 BACKUP SCHEDULING


To allow efficient backup and system operation in parallel, the dedicated network load will be
limited to a maximum of 20%, and the full backup of each machine will be scheduled individually to
avoid parallel system backups and the resulting system load.
The table below will be updated with the actual schedule following the SAT activity.
Table 2423-1: Backup Schedule

Sr Equipment Name Week 1 Week 2 Week 3 Week 4


1. WS-6502-03L2- X X
ELICSDCS-EWS-1
2. WS-6007-02 L2-ELICS- X
EWS-2L2-DCS-OWSC-1
3. WS-6052-01 L2-ELICS- X X
EWS-3L2-DCS-OWSC-2
4. WS-6502-01 L2-ELICS- X X
OWS-1L2-DCS-OWSC-3
5. WS-6502-02 L2-ELICS- X X
OWS-2L3-DCS-ALR-1
6. WS-6007-01 X
L3-DCS-OPC-1 X
7. SRV-6502-01A L2- X X
ELICS-SVR-1L2-ESD-
EWS-1
8. SRV-6502-01B L2- X X
ELICS-SVR-2L2-IPCMS-
OWS-1
9. SRV-6502-02A L2- X X
ELICS-SVR-3L2-IPCMS-
EWS-1
10. SRV-6502-02B L2- X X
ELICS-SVR-4L2-HVAC-
OWS-1
11. SRV-6502-03A L2- X
ELICS-SVR-5L2-DCS-
OWSS-1
12. SRV-6502-03B L2- X
ELICS-SVR-6L2-DCS-
OWSS-2
13. SRV-6502-04A L2- X X
ELICS-SVR-7L3-DCS-
PH-1
14. SRV-6502-04B L2- X X
ELICS-SVR-8L3-CYB-
WSUS-1
15. HS-6502-01 L2-ELICS- XX
PH-1L3-CYB-NMS-1
16. HS-6502-02 L2-ELICS- X X
PH-2L3-CYB-BUP-1
17. NMS-6007-01 L25-CYB- X
NMS-1L3-CYB-TS-1
18. VSRV-6007-01 L25-CYB- X
WSUS-1L3-CYB-EPO-1
19. VRV-6007-02 L25-CYB- X
SMC-1L3-CYB-DC-1
20. BKP-6007-01 L25-CYB- X
BUSVR-1L3-CYB-DC-2
21. EPO-6007-01 L25-CYB- X
EPO-1L3.5-CYB-PI-1
22. PDC-6007-01 L25-CYB- X X1
DC-1Remote Station
23. SDC-6007-01L25-CYB- X
DC-2
24. POC-6007-01L25-CYB- X
OPC-1
25. SOC-6007-01L25-CYB- X
PCC-2

1 Remote Station is installed and located in Onshore Level 4, which is provided and managed by QatarGas.
All backups shall be managed / performed by the QatarGas team.

24.4 BACKUP MEDIA (WHERE)


The Acronis software will be configured to store backup files on the online removable backup
media, the Network Attached Storage (NAS). For control and management of removable backup media,
applicable SIEMENS policies shall be followed. In addition, applicable QatarGas policies shall be
clarified and followed prior to connecting removable backup media to the network. To organize the
backup files, the following naming convention is used:
<YY>_<MM>_<DD>_<OS>_<PID>_<ZN>_<Comp>_<DT>.[file extension]
Table 2423-2: Backup files naming convention

Legend

YY Year
MM Month
HH Hour
OS Operating System
PID Project ID (Name)
ZN Zone Name
Comp Component name
DT {System, Project, Config}

Further, it is important to highlight that all backup activities need to be documented. This can be done
in a corresponding log file that is kept with the backup files and holds a record for each backup file.
The same shall be handled by the log collector.
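One way to check an archive listing against the naming convention above, as an added Python example that is not part of the project documentation. It follows the convention string as printed (YY_MM_DD, although the legend lists HH) and assumes a 20YY year; the project ID, zone names, file extension and function names are constructed for the example.

```python
import re
from datetime import date
from typing import NamedTuple

# The eight fields, in the order given by the convention string on the page.
FIELDS = ("YY", "MM", "DD", "OS", "PID", "ZN", "Comp", "DT")
# The only data types the legend allows.
DATA_TYPES = {"System", "Project", "Config"}


class BackupName(NamedTuple):
    taken_on: date
    os: str
    project: str
    zone: str
    component: str
    data_type: str
    extension: str


def parse_backup_name(filename: str) -> BackupName:
    """Parse one archive file name; raise ValueError with the reason if it does not conform."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem or not ext:
        raise ValueError("missing file extension")
    parts = stem.split("_")
    if len(parts) != len(FIELDS):
        # An underscore inside a field (e.g. in a project name) makes the name ambiguous.
        raise ValueError(f"expected {len(FIELDS)} '_'-separated fields, got {len(parts)}")
    yy, mm, dd, os_name, pid, zone, comp, dt = parts
    if not all(re.fullmatch(r"\d{2}", p) for p in (yy, mm, dd)):
        raise ValueError("YY, MM and DD must be two digits each")
    try:
        taken_on = date(2000 + int(yy), int(mm), int(dd))  # assumption: year is 20YY
    except ValueError as exc:
        raise ValueError(f"invalid date: {exc}") from None
    for label, value in (("OS", os_name), ("PID", pid), ("ZN", zone), ("Comp", comp)):
        if not re.fullmatch(r"[A-Za-z0-9.\-]+", value):
            raise ValueError(f"{label} is empty or has characters outside A-Z a-z 0-9 . -")
    if dt not in DATA_TYPES:
        raise ValueError(f"DT must be one of {sorted(DATA_TYPES)}, got {dt!r}")
    return BackupName(taken_on, os_name, pid, zone, comp, dt, ext)


def audit_archive(filenames):
    """Split a directory listing into parsed names and (name, reason) rejects."""
    accepted, rejected = [], []
    for name in filenames:
        try:
            accepted.append(parse_backup_name(name))
        except ValueError as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


def latest_per_component(accepted):
    """Newest backup date per (component, data type), to spot machines without a recent backup."""
    latest = {}
    for item in accepted:
        key = (item.component, item.data_type)
        if key not in latest or item.taken_on > latest[key]:
            latest[key] = item.taken_on
    return latest


# Constructed sample listing: project ID "NFE", zones and the extension are made up.
SAMPLE_LISTING = [
    "23_04_03_Win10_NFE_L2_WS-6502-01_System.tibx",
    "23_04_10_Win10_NFE_L2_WS-6502-01_System.tibx",
    "23_04_03_Win2019_NFE_L3_SRV-6502-01A_Config.tibx",
    "23_13_03_Win10_NFE_L2_WS-6502-02_System.tibx",      # month 13
    "23_04_03_Win10_NFE_E_L2_WS-6502-02_System.tibx",    # underscore inside a field
    "23_04_03_Win10_NFE_L2_WS-6502-02_Full.tibx",        # DT not in the legend
    "WS-6502-02 backup.tibx",                            # free-form name
]

if __name__ == "__main__":
    ok, bad = audit_archive(SAMPLE_LISTING)
    for item in ok:
        print("OK  ", item)
    for name, reason in bad:
        print("FAIL", name, "->", reason)
    print(latest_per_component(ok))
```

Rejected names are reported with the reason, so the listing can be attached to the backup log record for each file.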

25 BACKUP VALIDATION AND RECOVERY STRATEGY


It is important to highlight that whenever a full backup is taken, a test recovery of the backup shall
be done in order to ensure the integrity and reliability of the archived data.
The recovery of both physical and virtual machines using the web interface is explained. An overview
of the workflow for recovering a crashed component is illustrated below.
Figure 2-3: Workflow for restoring a crashed component
[Flowchart not reproduced. Start: Component crashed. Decision boxes: HW or SW fault?; Host Device?;
OK?; Spare unit available?; HDD from old component ok?. Action boxes: Reset to factory default;
Reinstall latest firmware/OS image; Restore latest image; Restore latest application / config data;
Replace defective unit with new one; Use new HDD; Rebuild new unit. End: System restored.]

It is important to note that the recovery of an operating system requires a reboot. You can choose to
restart the machine automatically or to assign it the Interaction required status. The recovered
operating system then goes online automatically. The steps below illustrate the recovery of a
physical machine:
1. Select the backed-up machine.
2. Click Recovery.
3. Select a recovery point. Note that recovery points are filtered by location. If the machine is
offline, the recovery points are not displayed. Do any of the following:
• If the backup location is cloud or shared storage (i.e. other agents can access it), click
Select machine, select a target machine that is online, and then select a recovery point.
• Select a recovery point on the Backups tab.
• Recover the machine as described in "Recovering disks by using bootable media".
The software automatically maps the disks from the backup to the disks of the target machine. To
recover to another physical machine, click Target machine, and then select a target machine that is
online.

Figure 2524-1: Acronis recovery options

4. If you are unsatisfied with the mapping result or if the disk mapping fails, click Disk mapping
to re-map the disks manually.
The mapping section also enables you to choose individual disks or volumes for recovery. You can
switch between recovering disks and volumes by using the Switch to... link in the top-right corner.

26 COMPONENT SPECIFIC BACKUP

26.1 DOMAIN CONTROLLER


Once commissioning activities are done, the DC configuration shall be stored manually for the first
time on the NAS server by following the instructions below.
1. Go to Start, type “Task Scheduler” and click the program to open it.
2. In the Task Scheduler Library, verify that the “Backup Group Policy” task has the status Ready.
3. Verify that the “Last Run Result” field displays the following message: “The operation completed
successfully. (0x0)”
4. Open Windows Explorer and browse to the network path on the NAS: E:\Archive\Project Name\
5. Transfer the latest backed-up GPOs to the NAS server.

26.2 LOG COLLECTOR


Once commissioning activities are done, the log collector configuration shall be backed up and stored
manually on the NAS server in E:\Archive\Project Name\
All archives shall be forwarded to the Enterprise SIEM at QatarGas SOC.L3 SIEM.

26.3 FIREWALL CONFIGURATION


The configuration file of the firewall is extremely important since it holds all the customizations made
for QatarGas.
The firewall configuration backup file shall be automatically stored and moved to the NMS server.
Hence, the backup server shall take an image of the NMS server including the FW configuration and
NMS solution. The ultimate path will be: E:\Archive\Project Name\
SIEMENS shall follow the steps below for backup and restore of the firewall configuration file.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm7yCAC

26.4 SWITCH CONFIGURATION


The NMS is a separate PC available with the SINEC solution for network monitoring.
The backup of the switches shall be done by the NMS SINEC solution. SIEMENS shall follow the
backup procedure described in section 3.2 of the manual below.
https://support.industry.siemens.com/cs/ww/en/view/109762792
The ultimate path will be: E:\Archive\Project Name\

26.5 USER ADMINISTRATION


Administration of user authorizations, group authorizations, and operation authorizations involves
the assignment of authorizations in the Windows environment as well as the assignment of users to
activity-oriented roles. These procedures are rigorously separated from each other, but both are
strictly applied under the principle of minimum required rights.
A simple check can be performed with the following questions:
• Who has to do what?
• Who is allowed to do what?

The backup server shall be integrated with the domain controller for user management and
privileges. Each DC user can be assigned to one of the groups below:
• Regular users
A regular user, such as a member of the Users group, has the following management rights:
o Perform file-level backup and recovery of the files that the user has permissions to
access, but without using a file-level backup snapshot.
o Create backup plans and tasks and manage them.
o View but not manage backup plans and tasks created by other users.
o View the local event log.
• Backup Operators
This group has the following management rights:
o Perform file-level backup and recovery of any data.
o Back up and recover the entire machine.
o Create backup plans and tasks and manage them.
o View the local event log.
• Administrative users
In addition to the above-mentioned privileges, a user who has administrative privileges on the
machine, such as a member of the Administrators group, can:
o View and manage backup plans and tasks owned by any user on the machine.
All password details and the users who should have access to this system shall be added to the
related user groups in the domain. Details can be found in the document:
• 4253-AMPF-7-95-9466 Sht 001 - CYBER-DC and User management.

27 MALWARE PREVENTION AND DETECTION

As of SIMATIC PCS 7 V9.1, it is recommended to use the Microsoft Defender Antivirus software integrated in
the standard Microsoft operating system. In terms of quality and above all security, it is comparable with the
current third-party products available on the market.

Benefits
• Integrated antivirus solution provided with Microsoft operating system.
No additional licenses required.
• Continuous antivirus protection based on Microsoft Defender Antivirus.
• Automatic download of Microsoft Defender Antivirus definition updates via Windows Server
Update Services (WSUS).
WSUS already used for operating system updates.
• Reduced hardware footprint and maintenance costs:
o No additional management or update server for antivirus software required.
o Existing WSUS used for Microsoft Defender Antivirus updates.
o Reduced effort for firewall configuration.
Costs
There are no additional costs associated with using Microsoft Defender Antivirus. There are no costs for
third-party licenses or the provision of an additional antivirus management or update server.

Compatibility
As of SIMATIC PCS 7 V9.1, only compatibility with Microsoft Defender Antivirus is checked and ensured by
default.

Compatibility statements already made for SIMATIC PCS 7 versions prior to V9.1 are not affected by the
change.
The compatibility of antivirus software with SIMATIC PCS 7 can be found in the Compatibility Tool.

Support when using alternative third-party endpoint protection products


The range of alternative third-party endpoint protection products is constantly increasing. Even if these
products are not tested by Siemens for compatibility with SIMATIC PCS 7, our customers can evaluate and
use them on their own responsibility if required.

When using alternative third-party Endpoint Protection products with SIMATIC PCS 7, we recommend that
you observe the generic notes (SIMATIC PCS 7 Administration of Virus Scanners 109760461) and test the
software for compatibility in an adequate customer test environment before productive use.

In order to guarantee the usual support from Siemens when using Endpoint Protection products in the event
of a support case, we recommend supplementing the project-specific installation with an individual Managed
System Service (MSS). Within the scope of this service, which is subject to a charge, your dedicated support
manager, who is familiar with the system-specific features, can provide you with even better support in the
operation of your system. For more information, please visit the following entry: 109810527.

Updates
Updates for Microsoft Defender Antivirus are provided via the same mechanism (WSUS) as for Microsoft
Updates. The security-relevant events generated by Microsoft Defender Antivirus are available via the
SIMATIC Management Console.

The update mechanism is shown as an example in the following figure:



28 APPLICATION WHITELISTING SOLUTION OVERVIEW

28.1 APPLICATION CONTROL (WHITELISTING)

The utilization of whitelisting technologies in a process control system is only effective when they
are part of a comprehensive security concept. The sole use of whitelisting technologies cannot
comprehensively protect a process control system against malware attacks.
As a matter of principle, we therefore recommend adhering to the Security Concept PCS 7 / WinCC
and PCS 7 Compendium Part F, which are available on the Internet via the following link:
http://support.automation.siemens.com
Whitelisting in conjunction with the above referenced security concept is an additional security
measure (additional layer of defense) in order to counteract the increasing risk of attacks. In
principle, the whitelisting approach is based on a mistrust of all applications except those that have
been tested and classified as trustworthy. This means, a positive list is maintained (whitelist). This
positive list contains the applications that have been classified as harmless and that can safely be
run on the computer system. The principle of whitelisting is the exact opposite of blacklisting, which
works with a list of "non-trustworthy" applications (negative list = blacklist). An example of
blacklisting is a conventional virus scanner, which works with a blacklist, the virus patterns. Since
the number of "non-trustworthy" applications increases constantly, this blacklist must be adjusted
on a regular basis. This means for example that the current blacklist (virus patterns) must be
available for the virus scanner at all times. The virus scanner can only recognize applications as
malware when they are listed on this blacklist. Since whitelisting works with a positive list, a
constant adaptation to new threats in the form of malware is not necessary. This minimizes the
administration and updating expense.
Application Control v8.2.x is installed on the same Windows Server-based machine as the ePO
server. Application Control (AC) offers a different approach to host security than traditional
HIDS/HIPS, anti-virus and other “blacklist” technologies. A “blacklist” solution compares the
monitored object to a list of what is known to be bad. This presents two issues:
• First, the blacklist must be continuously updated as new threats are discovered.
• Second, certain attacks, such as zero-days and/or known attacks for which no signatures are
available, can be neither detected nor blocked.
A “whitelist” solution creates a list of what is known to be good and applies very simple logic: if it is
not on the list, block it. AC solutions apply this logic to the applications and files located on a host.
As a result, if a virus or Trojan successfully penetrates the control system’s perimeter defenses and
finds its way onto a target system, the host itself will prevent that malware from executing, rendering
it inoperable. In addition, it can also be used to prevent the installation of unauthorized files on the
file system. This becomes important in providing defenses against exploits that may initially run
entirely in memory and are difficult to detect until they place files locally.
For this project, McAfee Application Control has been selected for application whitelisting and shall
be managed by the ePO server. This solution has been tested with SIMATIC PCS 7 systems; it is
fully compatible and authorized to be installed in this environment.

How McAfee Application Control works


The goal is to prevent the execution of unauthorized and malicious programs. The software requires
the total contents of a file system to be read once, in order to map programs (EXEs) and software
libraries (DLLs). This read creates a hash (AKA digital signature) of each file’s contents, and the
hashes are indexed by file name. When a new application or an updated version is installed in the
system, its signature is compared to the signature stored in the whitelist database. When an update
of a program is required, the indexing of the file system content has to be repeated. During
operation, AWL compares the filename and the signature; if these two do not match, the application
is denied permission to execute, as shown in the figure below.
Figure 28-1116: McAfee AC process

1) McAfee Application Control establishes a whitelist in the computer.
2) A user could try to execute different programs in the computer.
3) McAfee Application Control crosschecks against the whitelist in the computer and determines
if the program is listed or not.
4) A message is given to the end user if the software is not allowed to run (a message is shown
only in that case).
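The name-plus-hash check described above, reduced to a short Python illustration. This is an added example, not McAfee Application Control code or part of the project documentation; SHA-256, the function names and the sample files are assumptions made for the example.

```python
import hashlib
import os
import tempfile

# Executable types mentioned on the page: programs (EXE) and libraries (DLL).
INDEXED_EXTENSIONS = (".exe", ".dll")


def sha256_of(path):
    """Hash a file's contents in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(root):
    """One-time inventory: walk the file system and record path -> content hash."""
    allowlist = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(INDEXED_EXTENSIONS):
                path = os.path.join(folder, name)
                allowlist[os.path.normcase(path)] = sha256_of(path)
    return allowlist


def check_execution(allowlist, path):
    """Decision taken before a program runs: returns (allowed, reason)."""
    expected = allowlist.get(os.path.normcase(path))
    if expected is None:
        return False, "not in allowlist"
    if sha256_of(path) != expected:
        return False, "hash mismatch (file changed since inventory)"
    return True, "name and hash match"


def demo():
    """Run the scenario on constructed files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "hmi.exe")      # constructed stand-in for an approved program
        lib = os.path.join(root, "driver.dll")   # constructed stand-in for an approved library
        for path, content in ((app, b"approved build 1"), (lib, b"approved library")):
            with open(path, "wb") as handle:
                handle.write(content)

        allowlist = build_allowlist(root)
        results["approved"] = check_execution(allowlist, app)

        # A file that appears after the inventory is unknown and is refused.
        dropped = os.path.join(root, "dropped.exe")
        with open(dropped, "wb") as handle:
            handle.write(b"unknown binary")
        results["dropped"] = check_execution(allowlist, dropped)

        # Same name, different content: the stored hash no longer matches.
        with open(app, "wb") as handle:
            handle.write(b"approved build 2")
        results["updated_before_reindex"] = check_execution(allowlist, app)

        # A legitimate update needs the inventory step repeated. Re-indexing
        # trusts everything present at that moment, including dropped.exe,
        # so it must only be done on a system in a known-good state.
        allowlist = build_allowlist(root)
        results["updated_after_reindex"] = check_execution(allowlist, app)
        results["dropped_after_reindex"] = check_execution(allowlist, dropped)
    return results


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:24} {'ALLOW' if allowed else 'DENY '} {reason}")
```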

29 EPO PLATFORM

29.1 VIRTUAL PLATFORM


The virtual machine of the ePO server shall meet the minimum requirements detailed in below table.
The ePO server shall be used as the management console of the ENS and AC.
Table 2928-1: Minimum requirements for ENS Master and Secondary update servers
Criteria Minimum requirements for Master update server
and Secondary update server.
Processor 64-bit Intel compatible
(Recommended) 24 cores minimum
RAM 8 GB
Ports Make sure that the ports you choose are not already in
use on the server system.
Hard disk space requirement 20 GB approximately

29.2 SOFTWARE PLATFORM


Depending on the OS (Windows Server or Windows 10) and the installed databases, different types
of agent will be required. In below table, the licenses shall cover all supplied VMs, IPCsELICS and
PI server as per the system architecture. Below table details the licenses used against each machine.
Table 2928-2: ENS and AC agent licenses
Sr Equipment Name Operating system ENS and AC agent
1. WS-6502-03L2- Windows 2019 AC Client and ENS Client
DCSL2-ELICS-EWS-1 ServerWindows 10
2. WS-6007-02 L2- Windows 10 AC Client and ENS Client
DCSL2-ELICS-
EOWSC-21
3. WS-6052-01 L2- Windows 10 AC Client and ENS Client
DCSL2-ELICS-
EOWSC-32
4. WS-6502-01 L2- Windows 10 AC Client and ENS Client
ELICS-OWS-1L2-
DCS-OWSC-3
5. WS-6502-02 L2- Windows 10 AC Client and ENS Client
ELICS-OWS-2L3-
DCS-ALR-1
6. WS-6007-01 Windows 10 AC Client and ENS Client
7. SRV-6502-01A L2- Windows 10 AC Client and ENS Client
ELICS-OWS-3L3-
DCS-OPC-1
8. SRV-6502-01B L2- Windows 2019 AC Client and ENS Client
ELICS-SVR-1L2-ESD- ServerWindows 10
EWS-1
9. SRV-6502-02A L2- Windows 2019 AC Client and ENS Client
ELICS-SVR-2L2- ServerWindows 10
IPCMS-OWS-1
10. SRV-6502-02B L2- Windows 2019 AC Client and ENS Client
ELICS-SVR-3L2- ServerWindows 10
IPCMS-EWS-1
11. SRV-6502-03A L2- Windows 2019 AC Client and ENS Client
ELICS-SVR-4L2- ServerWindows 10
HVAC-OWS-1
12. SRV-6502-03A L2- Windows 2019 Server AC Server and ENS Server
ELICS-SVR-5L2-DCS-
OWSS-1
13. SRV-6502-03B L2- Windows 2019 Server AC Server and ENS Server
ELICS-SVR-6L2-DCS-
OWSS-2
14. SRV-6502-04A L2- Windows 2019 Server AC Server and ENS Server
ELICS-SVR-7L3-DCS-
PH-1
15. SRV-6502-04B L2- Windows 2019 Server AC Server and ENS Server
ELICS-SVR-8L3-CYB-
WSUS-1
16. HS-6502-01 L25-DCS- Windows 2019 Server AC Server and ENS Server
PH-1L3-CYB-NMS-1
17. HS-6502-02 L25-DCS- Windows 2019 Server AC Server and ENS Server
PH-2L3-CYB-BUP-1
18. NMS-6007-01 L25- Windows 2019 Server AC Server and ENS Server
CYB-NMS-1L3-CYB-
EPO-1
19. VSRV-6007-01 L25- Windows 2019 Server AC Server and ENS Server
CYB-WSUS-1L3-CYB-
DC-1
20. VRV-6007-02 Windows 2019 Server AC Server and ENS Server
21. BKP-6007-01 Windows 2019 Server AC Server and ENS Server
L25-CYB-BUP-1L3.5- Windows 2019 Server AC Server and ENS Server
CYB-PI-1
22. EPO-6007-01 L25- Windows 2019 Server AC Server and ENS Server x 10
CYB-EPO-1Other
Windows servers in
QatarGas Platform in
Level 3.5
23. PDC-6007-01 L25- Windows 2019 AC Client and ENS Client
CYB-DC-1Remote ServerWindows 10
Station
24. Windows 2019 AC Client and ENS Client
SDC-6007-01 L25-
ServerWindows IOT
CYB-DC-2Thin client 1
10
25. POC-6007-01 L25- Windows 2019 AC Client and ENS ClientAC Client
CYB-OPC-1Thin client ServerWindows IOT and ENS Client
2 10
26. SOC-6007-01L25- Windows 2019 Server AC Client and ENS Client
CYB-OPC-2
27. THC-6007-01 Windows IOT 10 AC Client and ENS Client

The total number of software licenses utilized as part of this project is detailed in below table.
Table 2928-3: Software licenses
Item Description Qty

McAfee Application Control (AC) client bundle – LTS 5


McAfee Application Control (AC) server bundle – LTS 21

57 INSTALLATION ENVIRONMENT SETUP


After checking the compatibility and the system requirements, both the AC and ENS licenses shall
be downloaded from the McAfee website along with their installation files. The installation
environment for the ePolicy Orchestrator can be prepared by following the installation procedures
and requirements below.

57.1 INSTALLATION FILES FOR ENS


The below files shall be available in order to install and configure the ENS.
• ENS Agent
• ENS extension
• ENS help file

57.2 INSTALLATION FILES FOR AC AND EPO


A total of four files must be available in order to carry out the complete McAfee installation
(Application Control and ePO) as listed below:
• ePO installation file.
• Solidcore Agent.
• Solidcore extension.
• License file for Application Control and ePO (text file).
The license keys for Application Control and ePO are provided in a text file. Note that both the
client and the server variant of Application Control contain a separate key for ePO, which is why in
most cases two keys are included in the file of the ePO installation.
Before commencing with the actual installation of McAfee ePolicy Orchestrator, the server intended
for the installation must first be prepared. A newly set up server should be used. In addition, the
following steps must be performed:

57.3 ACTIVATION OF THE .NET 8.3 NAMING CONVENTION


1) If it is not already available, install Microsoft .NET Framework 2.0 or higher.
2) Press Start, Run and then enter “regedit” in the command line. Pressing "OK" opens the
Windows Registry Editor.
3) Navigate to the following registry key and select it:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
4) Double-click the entry “NtfsDisable8dot3NameCreation” to open its properties.
5) Change the entered value from 1 to 0 and confirm the change by clicking on OK. (On Windows
2008/2012 operating systems, this value is set to 2 by default and must also be set to 0.)

58 EPO SOFTWARE DEPLOYMENT AND CONFIGURATION


The ePO server in Layer 3 shall be supplied and configured by SIEMENS, while the Layer 4 and
Common DMZ (Layer 3.5) ePO servers shall be supplied by QatarGas and configured by Siemens. In
other words, the corresponding virtual machines of the Layer 3.5 and Layer 4 ePO servers shall be
supplied by QatarGas in line with the minimum hardware and software requirements mentioned in
section 3.1 and 3.2 for ePO installation.

As mentioned earlier, the upstream L4 ePO server shall get all the updates from the McAfee website
as its main repository. As for the L3.5 common DMZ downstream server, it shall receive all the
signature updates from the L4 ePO server. Similarly, the L3 ePO server shall receive the signature
updates from the common DMZ L3.5 ePO server as its main repository.

The first step for the software installation is to install and configure the central management console
(ePO). The installation for the three deployments (Layer 4, Layer 3.5 and Layer 3) shall be the
same; however, the configuration of the repositories shall differ. Subsequently, the agents are
distributed, which, in turn, will be responsible for whitelisting and protecting the individual client
systems. This section shows how the console shall be installed and configured.

58.1 EPO SOFTWARE INSTALLATION

To install the ePO software, Siemens will follow all the required steps detailed in the manual below:
https://docs.mcafee.com/bundle/epolicy-orchestrator-5.10.0-installation-guide/page/GUID-8ABD4104-28BF-4CF9-B4B7-D4D71A530822.html
The username and password shall be integrated with the domain and are detailed in
4253-AMPF-7-95-9466 Sht 001 - CYBER-DC and User management document.

58.2 LAYER 4 EPO CONFIGURATION


After ePolicy Orchestrator is installed, all packages including ENS, AC and McAfee agents need to
be checked in first on the Layer 4 server. Once installed and checked, the server shall be configured
to pull all the required updates for these packages from the McAfee website and update its master
repository accordingly. Once the master repository is updated, it shall be configured to replicate all
the updates and packages to the distributed repositories that shall be used by the secondary servers
(L3.5 and L3 ePO servers) for updates. Finally, these newly accepted packages must also be
registered with a valid license key.
Application Control Installation

58.2.1.1 Preparation/Installation of the Solidcore agent


1) Start the McAfee ePO console via Start > Programs > McAfee > ePolicy Orchestrator 5.xx-Console.
2) Add this page to the "trusted sites" in the internet browser.

Figure 33-1: Trusted sites

Then, select the desired language and log in with the previously created user account.
Switch to the Software Manager and click ‘Refresh’ to establish synchronization with the McAfee database to be able to
obtain available updates for the McAfee agents. An internet connection is required for this step.
Figure 33-2: Software manager

Check the available updates for McAfee Agent 5.6.1. Then, update the components "ePO Agent Key Updater" and
"Install - Windows" by clicking the "Update" button in each case. If the plant has systems with operating systems other
than Windows, then the corresponding install components must also be updated. Pay attention to the respective
versions, in particular the number of the "minor version".

Figure 33-3: ePO agent key updater

In the window that follows, select the option "Move existing packages in the "Current" branch to the "Previous" branch".
Check whether the desired component has been selected and confirm by clicking on the "OK" button.
Note: Ensure that you do not use components marked with “Embedded” for the update procedure.

58.2.1.2 Checking-in packages

58.2.1.3 Now switch to the Master Repository to check in the updates. To do this, choose
Menu > Software > Master Repository.

58.2.1.4 The updated versions of the ePO Agent Key Updater and the respective Installation
components should now be listed in the displayed window. These must be assigned to the "Current"
branch. Again, pay special attention to the minor version. Click the "Check-In Package" button
to continue.

58.2.1.5 In the dialog window that appears, select the option "Product or Update (.ZIP)" as
package type and specify the current path of the Solidcore agent via the "Browse..." button
(here: "SOLIDCOR613-432_WIN"). Click "Next" to continue.

58.2.1.6 In the package options that now appear, you get a brief overview of the selected
package. If the correct name, version, type and language are listed, select "Current" as the
branch and continue with the check-in. Ensure that the package is signed, which is also displayed
in this window.

58.2.1.7 Finally, confirm the settings by clicking on the "Save" button and check whether the
agent is now listed under the packages in the master repository.
Installing Extensions

After the ePO console has been set up, Application Control, which is used to control and manage the set-up
client systems later on. This configuration is also done via the Layer 2.5 ePO server.

After the agents have been integrated in the ePO, the Solidcore
extensions must now be installed to be able to work with the just
installed agents.

Switch to Menu > Software > Extensions



Figure 5-4: Software extensions

There, click on "Install Extension" and then select the Solidcore extension via the "Browse..."
button. Finally, confirm the entry with the "OK" button.

Click on the "OK" button in the following summary and then check whether the just selected
package is listed in the list of all installed extensions.

Figure 5-5: Installed extensions



Repeat the previous step for the second extension file "help_solidcore_612.zip". After a
successful installation, the package is listed in the "Help" group. Existing extensions will be
overwritten.

After the ePO console has been set up, Application Control,
which is used to control and manage the set-up client systems
later on, must be configured in the following step. This
configuration is also done via the Layer 3 ePO server.

Entering Licenses

In order to use all functions of Solidcore, the corresponding license must be stored in the
McAfee ePO web console. Proceed as follows:

Select Menu > Configuration > Server Settings to go to the settings of the ePO server.

Select the "Solidcore" entry in the "Setting Categories" area on the left and then click "Edit".

Then enter the license key for the procured McAfee products, which is shared by the SIEMENS team.
Use the key of the type "Solidcore Extension". Then click "Save" to confirm your input.

ENS Installation
Similarly, the ENS packages need to be checked in to the Layer 4 ePO server by following the steps below.

58.2.1.8 Check in ENS


1) In the Master Repository, check in the package as it was already done for Solidcore. In the dialog
window, select the option "Product or Update (.ZIP)" as the package type and specify the current
path of the ENS agent via the "Browse..." button. Click "Next" to continue.
2) Select the package to be checked in ("ENS_Platform_10.7.x_Client.zip") and then click “Next”.
Figure 5-6: Checking in ENS

3) Select "Current" as the branch.



4) Click "Save" to continue with the check-in.


5) Repeat steps 1 to 4 to check the following package into the "Current" branch:
ENS_Threat_Prevention_10.7.x_Client.zip
6) The Master Repository should now include the following packages:
Table 5-1: Master repository check-in packages.

Name                                  Version   Branch
Endpoint Security Platform            10.7.x    current
Endpoint Security Threat Prevention   10.7.x    current

58.2.1.9 Installing Extensions


1) Go to Menu > Software > Extensions to view existing extensions.
2) Click "Install Extension" there.
3) Then select the ePO extension via "Browse..." (here:
ENS_Platform_10.7.x_Extension.zip).
4) Click "OK" to confirm your input.
5) Repeat steps 1 to 4 for the remaining extension files:
ENS_Threat_Prevention_10.7.x_Extension.zip
ENS_help_ecn_1070.zip
ENS_help_etp_1070.zip

Setting-up Master and Distributed Repositories


Once all packages are installed and checked in, the server must be configured to be able to pull the
updates from the McAfee website. Hence, the master repository shall pull the updates from a source
repository (McAfee website) and then replicate them to one or more distributed repositories.
This shall allow the other servers to synchronize and get all the updates from the distributed
repositories.
In order to do this, please follow the steps below.
1) Go to “Master Repository”, click on “Pull now” and choose the Source site as “McAfee HTTP”.

2) Click "Next" and select “Selected packages” for the packages which were installed earlier.

3) Save and confirm your input.


Once the updates are done, the repository public key shall be exported as follows:
1) Log on to Layer 4 ePO console.
2) Click Menu, Configuration, Server Settings.
3) Select Security Keys in the Setting Categories list, and then click Edit.
4) Next to Local Master Repository key pair, make a note of the number of key pairs. You can have
one or two key pairs – a 1024-bit pair or a 2048-bit pair.
5) Click Export Public Key for the first key.
6) Click OK.
7) Click Save.
8) Browse to a shared location that both servers can access. The default file name
is rp<bit_size><server_name>.zip. For example, rp2048ePO-A.zip.
9) Click Save.
10) If you have two key pairs, click Export Public Key for the second key and save it in the same
location.
These keys shall be imported on the Layer 3 and Layer 3.5 ePO servers, as explained later.
Now, create a UNC distributed repository on the Layer 4 ePO server. The repository must be in a
location that is accessible from ePO-B. It can be on ePO-A itself, but this is not required. When
configuring the repository, under Package Types, select the content that you want to provide to the
Layer 3 and 3.5 ePO servers. When you select packages, do not choose All Packages; instead, choose
Selected Packages, and select only the packages that you want to replicate. Do not select any of the
following package types:
• McAfee Agent
• ePO Agent Key Updater
We recommend that you select only the packages listed under Signatures and engines. Do not
select the Replicate legacy DATs option. The new distributed repository must be used only for
providing content to Layer 3 and 3.5 ePO servers. Disable it in your McAfee Agent policies, so that
client systems do not try to update from it.
After you have configured the new repository, run a Replicate Now task to populate it with the
selected content.

58.3 COMMON LAYER 3.5 EPO CONFIGURATION


After the ePO has been installed as per the detailed procedure in section 5.1, the common DMZ
Layer 3.5 ePO server shall be synchronized with the distributed repositories to pull the updates.

Repository Synchronization
First, it is required to import the Public Keys from the Layer 4 ePO server into the Layer 3.5 ePO
server as follows:
1) Log on to the Layer 3.5 ePO console.
2) Click Menu, Configuration, Server Settings.
3) Select Security Keys in the Setting Categories list, and then click Edit.
4) Next to Import and back up keys, click Import.
5) Browse to the location where you saved the exported .zip files, select the .zip file, and then
click Next.

6) Verify it is the appropriate Master Repository Public Key, and then click Save.
7) If you exported more than one key from ePO-A, repeat these steps for the remaining key.
8) Confirm that you can see Layer 4 ePO’s Public Keys listed in the Other repository public
keys section.
After that, a pull task shall be created to pull the updates from the distributed repositories.
1) In Layer 3.5 ePO console, click Menu, Automation, Server Tasks.
2) Click New Task, name the task, keep the Schedule status as Enabled, and then click Next.
3) Select Repository Pull from the Action drop-down list.
4) Select Layer 3.5 ePO as the Source Site, and select the packages you want to update from
the Available Source Site Packages. Click OK, and then click Next.
5) Schedule the task, and then click Next.
6) Verify that the settings are correct, and then click Save.

58.4 LAYER 3 EPO CONFIGURATION


After the ePO has been installed as per the detailed procedure in section 5.1, all the client and server
tasks shall be configured on this server since it is directly connected to the agents. The following
sections illustrate the configuration done for both ENS and AC.

58.5 REPOSITORY SYNCHRONIZATION


First, it is required to import the Public Keys from the Layer 4 ePO server into the Layer 3 ePO
server as follows:
1) Log on to the Layer 3 ePO console.
2) Click Menu, Configuration, Server Settings.
3) Select Security Keys in the Setting Categories list, and then click Edit.
4) Next to Import and back up keys, click Import.
5) Browse to the location where you saved the exported .zip files, select the .zip file, and then
click Next.
6) Verify it is the appropriate Master Repository Public Key, and then click Save.
7) If you exported more than one key from ePO-A, repeat these steps for the remaining key.
8) Confirm that you can see Layer 4 ePO’s Public Keys listed in the Other repository public
keys section.
After that, a pull task shall be created to pull the updates from the distributed repositories.
1) In Layer 3 ePO console, click Menu, Automation, Server Tasks.
2) Click New Task, name the task, keep the Schedule status as Enabled, and then click Next.
3) Select Repository Pull from the Action drop-down list.
4) Select Layer 3 ePO as the Source Site, and select the packages you want to update from
the Available Source Site Packages. Click OK, and then click Next.
5) Schedule the task, and then click Next.
6) Verify that the settings are correct, and then click Save.

58.6 APPLICATION CONTROL CONFIGURATION

58.6.1.1 Creating Tags


1) Go to Menu > Systems > Tag Catalog.
2) Click "Import" to import new tags.
3) Click "Browse …" to select the file "Tag_Catalog.xml".
4) Click "OK" to confirm your input.

5) In the next window, you see all tags that can be imported.
6) Click "OK" to finish the import.

58.6.1.2 Configuration of required client tasks


In the first step, all required client tasks, i.e. the tasks and actions with which all Solidcore agents
are later controlled on the client systems, should be defined and assigned to a corresponding
group of client systems.
1) To define these client tasks, switch to Menu > Policy > Client Task Catalog.

Figure 33-47: Client task catalog

2) Create a new task under the client task type "McAfee Agent" by clicking on the "New Task" button.
Figure 33-58: New client task

3) In the selection menu for the task types, select "Product Deployment" and switch to the next page
via the "OK" button.
4) Select a unique task name, the required target platform and the product to be deployed. Finally,
confirm the configurations by clicking the "Save" button. The following settings must be made for
this task.
5) Task name: "10 MFE Agent install" (can be selected as required)
6) Target platforms: "Windows"

7) Products: "McAfee Agent for Windows"


8) Then, the created task must be assigned to a node. To do so, click on "Assign" in the “Actions”
branch.
Figure 33-69: client task deployment

9) Select the global group "My Organization" here and click "Next" to continue.
10) In the dialog window that follows, select the two options "Unblocked (allow breaking inheritance
below this point)" and "Send this task to all computers". Click "Next" to continue.
Figure 33-710: Client task schedule

11) Now set the schedule for the created tasks by selecting the option "Disabled" for the Schedule
status and the option "Run immediately" for the Schedule type. Close the configuration by clicking
the "Save" button.
12) Repeat steps 1 to 8 for the product deployment of the below package:

"Task_Catalog.xml".

13) Click "OK" to finish.

58.6.1.3 Assigning Client Tasks


1) Go to Menu > Policy > Client Task Assignments.
2) Click Actions > Import Assignments to import the task assignments.
3) Click "Browse …" to select the file "Task_Assignment.xml".
4) Click "Next" to continue.

5) Click "Next" to have McAfee ePO resolve the conflicts.

58.6.1.4 Configuration of required rules


Defined exception rules are now created for the client systems in the following steps. These rules
outline the software components, which are not only able to execute themselves, but can also change
themselves or other data. This is important for updates.
Since the rules are to be carried out on all of the configured client systems, you can work with
so-called "tags". Since McAfee Application Control sorts the client systems into servers and clients
by default, created rules would always have to be applied for both groups. To simplify this, it is
recommended to create a tag once, which can then be used to address all of the client systems. To
do so, set up a new tag as follows:
1) Switch to Menu > Systems Section > Tag Catalog.
2) In the window that appears, create a tag that is valid for all systems via the button "New Tag".
3) Select a name (for example, "ALL Systems") for the tag and click on "Next".
4) Select an "Available Property" which is valid for all systems by clicking on the left side of the
window and then define it on the right half of the window. In this example, the "IP area" in which
all of the systems are sorted is selected. Several properties can be linked to one another via "and" or
"or" logic operations.

Figure 33-811: Tag Policy

5) In the next "Evaluation" dialog window, select for "Evaluate each system against the tag’s criteria"
the option "On each agent-server communication and when a "Run tag criteria" action is taken".
6) In the "Preview" dialog window, now for "Apply tag", select the option "Now apply the tag to all x
system(s) that satisfy the tag criteria". (If no systems have been created yet, the corresponding
option will be greyed out.)
7) Confirm your entries with the "Save" button.
The rules, which in turn influence the behaviour of the system, must now be created and are
grouped in the corresponding policies. Proceed as follows to create them:
1) Navigate to Menu > Policy > Policy Catalog.
2) In the window that appears, select McAfee Agent as the product.
Figure 33-912: Deployed McAfee agent

3) Click on the link "My Default", which is assigned with the category "General" and then change the
two following options:
• Policy enforcement interval: 720 minutes
• Agent-to-server communication interval: 1440 minutes
4) Close the configuration by clicking the "Save" button.
5) Choose "Solidcore: Application Control" as product.
6) Duplicate the existing "Blank Template" via the "Duplicate" button and select a suitable name for
the policy Catalog in the following dialog box. It is recommended that you create a Catalog, which
contains all of the rules needed and carried out by Siemens. In this case: "Siemens Basis".
7) Now, click on the link of the just created policy and add the following Rule Groups via the
"Add" button. The selection made here will later be released to the clients as so-called Updaters.
This means that these applications can change themselves and other applications. For problem-free
operation of the clients, it is recommended that you define the following updaters:
• McAfee
• McAfee Publisher
• My SQL Server (if used)
• Windows AD Server
• Windows Defender
• Windows Update
8) Finish the configuration by clicking on the "Save" button.
9) Then switch to Menu > Policy > Policy Assignments.
10) On the left half of the window, select the organizational group for which the just created rules
shall be applied. Starting with "My organization", an inheritance of the set policy takes place, but
it can be interrupted. On the right half of the window, select "Solidcore Application Control" as
the product and click on the "Edit assignments" button for "Application control rules (Windows)".

11) For "Inherit from", select the option "Break inheritance and assign the policy and settings below".
Select the previously created policy as the "Assigned guideline" and then select the option
"Unblocked (allow breaking inheritance below this point)" at "Local policy inheritance".

End Point Security (ENS) Configuration

58.6.1.5 Creating Tags


1) Go to Menu > Systems > Tag Catalog.
2) Click "Import" to import new tags.
3) Click "Browse …" to select the file ".\ENS\Tag_Catalog.xml".
4) Click "OK" to confirm your input.
5) In the next window, you see all tags that can be imported.
6) Click "OK" to finish the import.

58.6.1.6 Assigning Client Tasks


1) Go to Menu > Policy > Client Task Assignments.
2) Click Actions > Import Assignments to import the task assignments.
3) Click "Browse …" to select the file "Task_Assignment.xml".
4) Click "Next" to continue.
5) Click "Next" to have McAfee ePO resolve the conflicts.

58.6.1.7 Configuration of required client tasks


In the next step, the policies for configuring the antivirus agent (VC) will be set in the Policy Catalog.
Figure 5-13: Policy Catalog

58.6.1.8 McAfee Default (On-Access General Policies)


1) Duplicate the policy McAfee Default (On-Access General Policies) and rename it to "Siemens
McAfee Default".

2) Edit the duplicated policy by clicking on its name (link).


3) Under "General" tab, disable the Artemis function as shown in the following figure.
Figure 5-14: Creating new policy

4) Select "Enable scanning of scripts" and, under Scripts scan exclusions, add the following process
"bfmappersrvx.exe".
5) In the tab "Blocking", deactivate the option "Block the connection when a file with a potentially
unwanted program is detected in a shared folder".
6) In the tab "Messages", deactivate all options.
Figure 5-15: Creating new policy

7) Save the settings and ensure that the settings have been made for both the servers and
workstations.

58.6.1.9 Buffer overflow protection policies


Now configure the policy for the buffer overflow protection. To do this, duplicate the default rule and
configure the duplicate as described:
(Buffer Overflow Protection Policies – Duplicate – Siemens default)
1) Configure the option "Scan Items" as Deactivate "When reading from disk" the Compressed files
category, activate and "Decode MIME-coded files"
2) Configure now the actions in the menu tab "Actions" as described:
When a threat is found:
• If the first action fails... – Deny access to file
When an unwanted program is found:
• If the first action is unsuccessful... – Deny access to file
Figure 5-16: Buffer Overflow rules

58.6.1.10 General options policies


Now configure the "General Options Policies". To do this, duplicate the default rule and configure the
duplicate as described: (General Options Policies – Duplicate – Siemens default)
1) Configure the display options as follows:
• System tray icons: Show the system tray icon with minimal menu options.
• Console options: Deactivate “Allow this system to make remote connection to other
systems”.
• Console options: Deactivate "Display managed tasks in the client console".
• Console options: Activate "Disable default Auto Update task schedule"
• Console options: Deactivate "Enable splash screen".
2) Set the password options "Password protection for all items listed" and set a password.

58.6.1.11 Updating DAT files for ENS


A client task must be created for deploying the virus pattern to the clients. The patterns should be
distributed to the systems with a temporal offset. At first, it should be distributed to an appropriate
client and a server system. If these do not have any errors, the remaining systems can also be
equipped with the corresponding patterns. To do this, proceed as described:
1) Create a new task in the Client Task Catalog for the Client Task Type McAfee Agent > Product
Update:
Figure 5-17: Product update

2) Select the task type "Product Update".


3) Select the name "Update" for the new task, select “Selected packages", as below and save the
task.

4) Now assign the task to your organization group and confirm with OK.
5) The next window can be confirmed with "Next".
6) Now disable the schedule status and select "Run immediately" as the schedule type.
Figure 5-18: Client task assignment

58.6.1.12 General Recommendations


• Virus patterns/signatures for ePO should only be manually updated and be monitored at the
same time.
• It is recommended that the systems are divided into two separate organizational groups to
be able to deploy the signatures on the end systems. This is done by using two client tasks
with a temporal offset. There should be a specific amount of time between the updates, for
example, at least 1 day.
• These configured tasks must be changed under certain circumstances in a way that the
systems are automatically supplied with the corresponding signatures with a temporal offset.
In the current design, the virus patterns are only sent passively, i.e. by the manual initiation
of an employee.
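The staged rollout described above (one pilot client and one pilot server first, the remaining systems only after an error-free interval of at least one day) can be written as a release gate. This is an added Python example, not part of the original specification or of McAfee ePO; the report structure, host names, DAT version numbers and timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_SOAK = timedelta(days=1)  # the page asks for "at least 1 day" between the two updates


@dataclass(frozen=True)
class PilotReport:
    host: str             # constructed host name
    role: str             # "client" or "server"
    dat_version: int      # DAT version the agent reports after the update task
    updated_at: datetime  # when the pilot system received the new patterns
    errors: tuple = ()    # problems observed on the host since the update


def release_decision(pilot, target_dat, now, min_soak=MIN_SOAK):
    """Decide whether the remaining systems may receive target_dat.

    Returns (ok, reasons); reasons lists every condition that still blocks release.
    """
    reasons = []
    # The pilot must cover both system types before anything else is considered.
    roles = {r.role for r in pilot}
    for needed in ("client", "server"):
        if needed not in roles:
            reasons.append(f"pilot group has no {needed} system")
    for r in sorted(pilot, key=lambda rep: rep.host):
        if r.dat_version != target_dat:
            reasons.append(f"{r.host}: reports DAT {r.dat_version}, not {target_dat}")
            continue  # soak time and errors say nothing about the wrong version
        if r.errors:
            reasons.append(f"{r.host}: {len(r.errors)} error(s) since the update")
        if now - r.updated_at < min_soak:
            reasons.append(f"{r.host}: soak time not yet elapsed")
    return (not reasons), reasons


# Constructed sample data: one pilot client and one pilot server on DAT 5100.
T0 = datetime(2023, 4, 3, 22, 0)
PILOT = [
    PilotReport("PILOT-OWS", "client", 5100, T0),
    PilotReport("PILOT-SRV", "server", 5100, T0 + timedelta(minutes=30)),
]

if __name__ == "__main__":
    for when in (T0 + timedelta(hours=12), T0 + timedelta(days=2)):
        ok, why = release_decision(PILOT, 5100, when)
        print(when, "release" if ok else "hold", why)
```

The gate only reports a decision; the second client task is still started manually by the operator, as the current design requires.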
As mentioned earlier, the ePO configuration shall differ based on the server location (in which layer);
hence, the sections below shall detail the configuration of each deployment accordingly.
Custom On-Demand Scheduled scans
In this section, the full scan of the machines shall be detailed in a way that no two stations are
scanned at the same time. The scan shall happen in the off-duty hours for the required files. The
file types below shall be excluded from the scan, since scanning some types of files can negatively
affect system performance.
• Files that have been migrated to storage
Some offline data storage solutions replace files with a stub file. When the scanner
encounters a stub file, which indicates that the file has been migrated, the scanner restores
the file to the local system before scanning. The restore process can negatively impact
system performance.
• Compressed archive files
Even if an archive contains infected files, the files can't infect the system until the archive is
extracted. Once the archive is extracted, the On-Access Scan examines the files and detects
any malware.

We recommend scheduling on-demand scans at regular intervals, with the interval based on the
system type.

Scanning Active User Workstations


Because some locations on active user workstations are often targets of malware
attacks, SIEMENS recommends scanning these workstations more frequently than other systems.
Because the locations are limited, the scans are less likely to affect users.
To scan active user workstations, configure a Custom On-Demand Scan:
Specify these locations to scan:
• User profile folder
• Temp folder
• Registered files (Windows only)
• Windows folder (Windows only)
Scanning Server Systems
To scan regular server workstations, configure a Custom On-Demand Scan:
Select the Boot sectors option (Windows only) and then Specify these locations to scan:
• Scan subfolders
• Memory for rootkits (Windows only)
• Running processes (Windows only)
• All local drives
The full scan shall be scheduled on a monthly basis for all types of machines (servers and
workstations). The schedule shall be developed during SAT and the table below will be updated.
Table 2933-1412: Monthly scan schedule
Sr Equipment Name Week 1 Week 2 Week 3 Week 4
1. WS-6502-03L2-ELICS-EWS-1 X X
2. WS-6007-02L2-ELICS-EWS-2 X
3. WS-6052-01L2-ELICS-EWS-3 X
4. WS-6502-01L2-ELICS-OWS-1 X
5. WS-6502-02L2-ELICS-OWS-2 X X
6. WS-6007-01 X
7. SRV-6502-01AL2-ELICS-SVR-1 X
8. SRV-6502-01BL2-ELICS-SVR-2 X X
9. SRV-6502-02AL2-ELICS-SVR-3 X X
10. SRV-6502-02BL2-ELICS-SVR-4 X X
11. SRV-6502-03AL2-ELICS-SVR-5 X

12. SRV-6502-03BL2-ELICS-SVR-6 X
13. SRV-6502-04AL2-ELICS-SVR-7 X
14. SRV-6502-04BL2-ELICS-SVR-8 X
15. HS-6502-01L2-ELICS-PH-1 X
16. HS-6502-02L2-ELICS-PH-2 X
17. NMS-6007-01L25-CYB-NMS-1 X
18. VSRV-6007-01L25-CYB-WSUS-1 X
19. VRV-6007-02L25-CYB-SMC-1 X
20. BKP-6007-01L25-CYB-BUSVR-1 X
21. EPO-6007-01L25-CYB-EPO-1 X
22. PDC-6007-01L25-CYB-DC-1 X
23. SDC-6007-01L25-CYB-DC-2 X
24. POC-6007-01L25-CYB-OPC-1 X
25. SOC-6007-01L25-CYB-PCC-2 X
Sr Equipment Name Week 1 Week 2 Week 3 Week 4
2. L2-DCS-EWS-1 x
3. L2-DCS-OWSC-1 X
4. L2-DCS-OWSC-2 X
5. L2-DCS-OWSC-3 X
6. L3-DCS-ALR-1 X
7. L3-DCS-OPC-1 X
8. L2-ESD-EWS-1 X
9. L2-IPCMS-OWS-1 X
10. L2-IPCMS-EWS-1 X
11. L2-HVAC-OWS-1 X
12. L2-DCS-OWSS-1 X
13. L2-DCS-OWSS-2 X
14. L3-DCS-PH-1 X

15. L3-CYB-WSUS-1 X
16. L3-CYB-NMS-1 X
17. L3-CYB-BUP-1 X
18. L3-CYB-TS-1 X
19. L3-CYB-EPO-1 x
20. L3-CYB-DC-1 x
21. L3-CYB-DC-2 X
22. L3.5-CYB-PI-1 X
23. Other Windows servers in QatarGas Platform in Level 3.5 X
24. Remote Station X
25. Thin client 1 X
26. Thin client 2 X
On-Access Scans
When files, folders, and programs are accessed, the on-access scanner intercepts the operation and
scans the item, based on criteria defined in the settings. Scanning some types of files can negatively
affect system performance. For this reason, the options below shall be deselected in the What to
Scan section of the On-Access Scan settings.
• On network drives
Scans resources on mapped network drives.
• Opened for backups
Scans files when accessed by backup software.
• Compressed archive files
Examines the contents of archive (compressed) files, including .jar files.
Even if an archive contains infected files, the files can't infect the system until the archive is
extracted. Once the archive is extracted, the On-Access Scan examines the files and detects
any malware.
Integrating Clients
Both ENS and AC clients shall be integrated and configured in the Layer 3 ePO server. To do
so, we recommend first gathering the information about the client systems you wish to integrate.
This should be available in text or table format (.csv) and include the following
information:
• Hostname of the client (including IP address, if available)
• Windows version including Service Pack
• Users with administrator rights on the client
• User password (might not be in writing)
Following that, SIEMENS shall follow the same steps detailed in “Whitelisting and Antivirus ENS in
PCS7” manual section 7 which is attached to this document as Appendix-B.
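One way to gather the client details listed above into a .csv, as an added example that is not part of this specification or the Siemens manual. The function name and the output path are hypothetical; passwords are deliberately left out of the file.

```powershell
# Added example; not part of the specification or the Siemens manual.
# Run on each client to be integrated (not on a domain controller, which has
# no local groups). Needs Windows PowerShell 5.1 for Get-LocalGroupMember.
function Get-ClientIntegrationRecord {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # IPv4 addresses, excluding loopback and APIPA addresses
    $ips = @(Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        ForEach-Object { $_.IPAddress })
    # Well-known SID of BUILTIN\Administrators; independent of the OS language.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.Name })

    [pscustomobject]@{
        Hostname       = $env:COMPUTERNAME
        IPAddress      = $ips -join ';'
        WindowsVersion = $os.Caption
        Build          = $os.Version
        ServicePack    = '{0}.{1}' -f $os.ServicePackMajorVersion, $os.ServicePackMinorVersion
        Administrators = $admins -join ';'
        # No password column: the list above notes it might not be in writing.
    }
}

# Assumption: hypothetical output file; one row is appended per client.
$out = Join-Path $env:TEMP 'epo-client-inventory.csv'
Get-ClientIntegrationRecord | Export-Csv -Path $out -Append -NoTypeInformation
```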

58.729.3 DASHBOARD AND REPORTS


It is useful to set up a customer-specific "dashboard" with some selected monitors. These monitors
are helpful in being able to detect the systems on which a McAfee Agent is installed and what status
the respective systems have. They can also display which system is currently protected by
whitelisting. The figure displayed below shows an example configuration of a dashboard. The
dashboard can be created via "Dashboard Actions > New". The following monitors were selected for
a clear display:
• Summary: Agent communication.
• Solidcore: Solidcore agents status report.
• Solidcore: Solidcore agents license overview.
• Solidcore: The ten systems with the most frequently detected system violations of the last 7
days.
By clicking on the corresponding displays, these selected monitors will provide an overview of the
additional information of the respective agents and system statuses. It is important to highlight that
the dashboard should be in public mode.
The standard dashboard shall be used, and all activities shall be logged and forwarded to SIEM.
The lightweight reporting script is developed by QatarGas. Siemens shall support the first installation
on the ePO server; further troubleshooting will be done by QatarGas if required.
Figure 2928-111019: ePO dashboard interface

58.829.4 APPROVED PATCHES


SIEMENS shall follow the links below, mentioned in table 20-1 under section 20.2, to obtain the
latest updated approved patches with Microsoft.

Table 28-23: Applications patching compatibility

Application | Link
ePO server | Section “server operating systems”: https://kc.mcafee.com/corporate/index?page=content&id=KB51569
End point Security platform (ENS) | Section “Supported Microsoft Windows Server operating systems”: https://kc.mcafee.com/corporate/index?page=content&id=KB82761
Application Control (AC) | Both sections, “Supported Windows 10 operating systems” and “Supported Windows (other) operating systems”: https://kc.mcafee.com/corporate/index?page=content&id=KB73341

5930 TIME SYNCHRONIZATION SOLUTION OVERVIEW


Plants in which Process Control Systems are used contain numerous components that exchange
data. Most plants require time synchronization for controlling processes and information. There are
additional requirements in terms of the documentation of event sequences. If the timing of
components in the overall system is not synchronized, these tasks can only be supported by the
internal clock of the individual components. Components that are equipped with an internal hardware
clock (RTC = Real Time Clock) include
• Domain Servers
• Servers
• Clients
• PC stations
• Virtual Machines
• Automation systems (AS and PLCs)
• I/O
• Sensors
Time synchronization means that one system component (time master) provides a precise time for
all the other components (time slaves). The time information (date and time) can either be distributed
by the time master or be requested by the time slaves. This time information must be evaluated within
the system by all components for the overall task.
The Time Servers are connected via the DMZ zone Firewall network (L2.5 Firewall).

59.130.1 TIME DISPLAYED


Coordinated Universal Time (UTC)
Coordinated Universal Time (UTC) is an international time basis based on the precision of atomic
clocks. UTC refers to the Greenwich prime meridian near London. UTC does not take daylight saving
time into account.
Local time
East of the prime meridian, one or more hours are added to the universal time measured in Greenwich,
depending on the distance in question. West of the prime meridian, the hours are subtracted.
Since PCS 7 plants generally operate on the basis of UTC internally, their specific components can
be distributed on a global scale. In order to safeguard the interplay of components, even across
different time zones, we will use UTC as the common time base in all PCS 7 plants. All plant components
running with UTC will display the same time after time synchronization.

59.230.2 TIME MASTER, TIME SLAVE, AND COOPERATIVE TIME MASTER


To ensure that all Process Control System components operate with as precise a time as possible,
one system component must be the time source for all other components. The precise time must be
permanently available and be used for synchronization on a cyclical basis (synchronization interval).
• Time master: The component that provides the precise time within a bus system is
referred to as the time master. Only one component within a stratum can be the active
time master.
• Time slave: The time slaves within a bus system are components which receive or fetch
their time from a time master.

• Cooperative time master: On OS servers, the communication processors used are
selected and the “Master” option is activated in the "Synchronization via System Bus
(Master/Slave)" area of the "Time Synchronization" editor in the OS project in WinCC
Explorer. The OS server works as a cooperative time master, i.e. the first active OS
server on the plant bus which does not receive time message frames on the plant bus
automatically switches to time "Master" mode. All other OS servers on the plant bus
detect the time message frame from the time master and automatically switch to time
"slave" mode.
Synchronization response
All time slaves and cooperative time masters on the terminal bus synchronize their internal clock with
the time message frames received. The time is synchronized as follows:
• Deviation ± 5 s: Slowing/accelerating of the internal clock
• Deviation > 5 s: Immediate reset (possible errors: Data packets sent off prior to the
change will have more recent time stamps than those sent off later)

59.330.3 TIME SYNCHRONIZATION IN A DOMAIN


The time is synchronized within a domain as follows:
• Time synchronization via terminal bus
o The domain controllers are synchronized directly by the central plant clock using
the NTP mode.
o The domain controllers synchronize all domain members using the NTP mode.
o The STG system shall be synchronised by the IRIG-B protocol.
• Time synchronization via plant bus:
o Option 1, detailed below:
▪ The plant bus is synchronized using the SICLOCK MEINBERG timer.
▪ The synchronization modes are dependent on the type of CPU or CP
that is used.
Figure 3029-1

o Option 2, detailed below:
▪ The plant bus is synchronized using the OS servers.

Figure 3029-2

Notes:
• A dashed line begins at a component: Components with orange dashed lines leading
away from them are time masters in this network.
• An arrow points to a component: Components to which an arrow is pointing are time
slaves in this network. (Exception: (M) on a component)
• (M) at a component next to a bus system: An (M) at a component next to a bus system
marks this component as a cooperative time master for this bus system.

59.430.4 TIME SYNCHRONIZATION LAYOUT


In this project, Siemens will follow the configuration as detailed under option 1 in section 2.329.3.
As part of this project, two redundant GPS clocks shall be provided to synchronize both the terminal
and plant bus stations as shown in the below figure.
In this project, DTS 4138S will be used as SICLOCK.
Figure 3029-3: Proposed Time Sync layout

The DTS 4138S.timeserver selected here is an NTP time server for use in industrial environments,
as per the approved vendor list from the company. It shall be synchronized by the GPS 4500 antenna
and act as an NTP server in the network for the Domain Controllers. The DCs shall then synchronize
all IPCs and VMs. The AS shall be synchronized directly by the SICLOCK through the
plant bus.
In addition, it shall be used as a master clock for NTP slave clocks, synchronized via multicast with
NTP and time zone table. As a “main” master clock, the DTS 4138S can synchronize further master
clocks or other equipment by synthetic DCF. The DTS 4138S can send e-mails as well as SNMP
traps. Via SNMP, configuration and system status can be requested and the DTS 4138S can be
operated. To maintain a redundant time source, two DTS 4138S shall be linked by an optical link as
shown above.

The DTS NTP time server shall synchronize the Domain Controller through the NTP service, and
the DC shall accordingly synchronize the OS ELICS Servers and Workstations.
All the VMs shall get synchronized with DC as their NTP server considering all the virtual machines
are within the domain.
All AS ELICS RTU and PLC will be synchronized with NTP server directly.

6031 TIME SYNCHRONIZATION HARDWARE


The time synchronization shall be handled by two GPS 4500 antennas with the below specifications:
Table 3130-1: GPS and NTP server hardware specifications
Item | Specifications | Qty

Item: MeinbergDTS 4138S.timeserver OR as per the ICS approved vendor listMEINBERG M300/GPS/LNE/TC-1-1/AD10
Qty: 2
Specifications:
- NTP/SIMATIC Timeserver, SPPA-Tx000 / PCS 7Timeserver
- 22x RJ-45 (100/1000 BaseT)
- GPS 4500 (DCF-77 coded, current-loop), IRIG-B12x
- Signal outputs:
• 1x DCF 77 Timecode (passive Current Loop)
• 21x IRIG-B Output
• 1x Serial Interface (RS 232/422/485),
1x configurable DCF/ Pulse/ Frequency via RS 422 or passive current loop.
2x 24V DC +20%/-10%, max. 10W redundant power supply with DC/DC

Item: GNSS 4500 GPS antenna
Qty: 2
Specifications:
- GPS clock with related required accessories.
- 100m cable

A TIME SYNCHRONIZATION CONFIGURATION

60.1 CONFIGURATION OF THE TIME SERVER


The DTS synchronization procedure with basic configuration shall be followed as per the manual
“Process control system PCS 7- Time Synchronization (V9.1)” – section 6.3.2, and the instructions
detailed in the MOUNTING AND INSTRUCTION MANUAL DTS 4138S.timeserver, DTS 4138S.
The supplied Field PG, part of the IPCMS/HVAC engineering package, shall be used for configuration of the DTS.
During this installation and configuration:
• Firmware to be updated to the latest version
• Default password to be changed and recorded as per 4253-AMPF-7-95-9466 Sht 001-
CYBER-DC and User management (the user management document)
• All other access links to be disabled
• Use PuTTY for configuration through SSH
• Screenshots of all configuration steps will be recorded for easy system maintenance
• The new IP details shall be used as per the 4253-AMPF-7-95-9461 Sht 001 - Cyber Network
document. Once done, Eth1 can be connected directly to the terminal bus and Eth2 to be
used for plant bus. IP addressing for the Time Server shall be as per the company approved
IP address list document
• Both DTS to be configured in redundant configuration
• SNMP to be activated for available alarms and the same to be monitored in NMS.
• All the DTS configuration to be backed up as part of the project engineering files in the IPCMS/HVAC
Field PG (D:\Cyber Security\Time Synchronization\Backups). The same shall be backed up
to the NAS drive as well.

60.2 DC TIME SYNCHRONIZATION CONFIGURATION


The following basic configuration steps are required on the DC.
1. Open the Repository editor from the start menu.
Figure 36-1: Repository Editor

2. Open the “W32Time” editor from the left menu.
Figure 36-2: Current control set

3. Expand “W32Time”, click on “Parameters” and then change the settings as shown below.
Figure 36-3: Parameters list

4. Open the CLI and type the commands below.


Figure 36-4: CLI
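The steps above point a domain controller at the NTP time servers through the W32Time parameters. The following is an added example, not the content of the figures and not taken from the Siemens manual, that applies such a setting with the standard w32tm tool and then checks that only the approved peers are configured. The function names and the two peer addresses are assumptions (documentation placeholders); the real addresses come from the approved IP address list.

```powershell
# Added example; not taken from the specification or the PCS 7 manual.
# Assumption: placeholder peers from the TEST-NET-1 documentation range.
# Use the addresses from the approved IP address list instead.
$TimeServers = @('192.0.2.10', '192.0.2.11')   # the two redundant DTS units

function Set-DcNtpSource {
    param([Parameter(Mandatory)][string[]]$Servers)
    # ",0x8" asks W32Time to query each peer in NTP client mode.
    $peers   = ($Servers | ForEach-Object { "$_,0x8" }) -join ' '
    $peerArg = "/manualpeerlist:$peers"
    # Writes Type = NTP and NtpServer under
    # HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    w32tm /config $peerArg /syncfromflags:manual /update
    Restart-Service -Name W32Time
    w32tm /resync /rediscover
}

function Test-DcNtpSource {
    param([Parameter(Mandatory)][string[]]$Servers)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $p   = Get-ItemProperty -Path $key
    # Strip the ",0x.." flags so that bare addresses can be compared.
    $configured = @($p.NtpServer -split '\s+' | Where-Object { $_ } |
        ForEach-Object { ($_ -split ',')[0] })
    [pscustomobject]@{
        TypeIsNtp       = ($p.Type -eq 'NTP')
        MissingPeers    = @($Servers | Where-Object { $_ -notin $configured })
        # A peer outside the approved list is an unauthorised time source.
        UnexpectedPeers = @($configured | Where-Object { $_ -notin $Servers })
        CurrentSource   = (w32tm /query /source | Out-String).Trim()
    }
}

# Typical use on the domain controller (elevated session):
#   Set-DcNtpSource  -Servers $TimeServers
#   Test-DcNtpSource -Servers $TimeServers
#   w32tm /query /status      # stratum, last successful sync, source
#   w32tm /stripchart /computer:192.0.2.10 /samples:3 /dataonly   # measured offset
```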
60.3 PARAMETER ASSIGNMENT FOR AN OS SERVER IN A WINDOWS DOMAIN
The OS server synchronization procedure with basic configuration shall be followed as per Appendix
1 - “Process control system PCS 7- Time Synchronization (V9.1)” – section 6.3.4.1

60.4 PARAMETER ASSIGNMENT FOR AN OS CLIENT IN A WINDOWS DOMAIN


The OS client synchronization procedure with basic configuration shall be followed as per Appendix
1 - “Process control system PCS 7- Time Synchronization (V9.1)” – section 6.3.5

60.5 PARAMETER ASSIGNMENT FOR A VM IN A WINDOWS DOMAIN


The VM synchronization procedure with basic configuration shall be followed as per Appendix 1 -
“Process control system PCS 7- Time Synchronization (V9.1)” – section 6.5

60.6 PARAMETER ASSIGNMENT FOR AN AS


The AS synchronization procedure with basic configuration shall be followed as per Appendix 1 -
“Process control system PCS 7- Time Synchronization (V9.1)” – section 6.6

61 SYSTEM CONFIGURATION AND SETTING


The newly supplied IPC and Field PG will be integrated in the terminal bus network, with all related
cybersecurity features and configuration as detailed below:

61.1 MODULE AND NETWORK NAME DETAILS


All required modules name and network details shall be as per document:
• 4253-AMPF-7-95-9461 Sht 001-CYBER-Network.

61.2 USER ADMINISTRATION


All users who should have access to this system shall be added in related user groups in domain.
Detail can be found in documents:
• 4253-AMPF-7-95-9466 Sht 001-CYBER-DC and User management.

61.3 CYBER SECURITY RELATED INSTALLATIONS


• System hardening is detailed in:
o 4253-AMPF-7-95-9412 Sht 001- CYBER-Hardening - Detailing System
Hardening
• Backup software agent installation and configuration procedure is detailed in:
o 4253-AMPF-7-95-9462 Sht 001 - CYBER-Backup System

5.13. Asset Inventory

VENDOR shall have a documented policy that requires the maintenance of an asset inventory of
all ICS components. It shall include equipment supplied by the principal or sub-contractor. For
each ICS component, the following typical information shall be documented: (for Asset Inventory
Template, refer to System Integration And OT (Operational Technology) Cybersecurity
Philosophy 60-00-IC-SPC-00003 - Appendix 02)

Component Name: Description
Facility: NFE
SYSTEM: DCS
HOSTNAME: The logical name assigned to a machine
TAGNAME: Physical tag, if different than hostname
Device Type: {Server | Switch | Router | PLCs, etc.}
Device Function: Use in this project, e.g., Core switch, Domain Controller, Operator Console
Device Description: (technical specification of the device from manufacturer)
MANUFACTURER: DELL
VENDOR: Supplied by
Antivirus Software/Version: McAfee
Major Application Software/Version: List of software comma separated, e.g., soft-1 ver. A1; soft-2 ver. A2; soft -3 ver. A3; soft 4 ver. A4
Service Tag: (applicable to physical machine only) S/N:
MODEL: device model (use the name given by manufacturer)
Location: ITR, NMCR
Room: Rack Room
Rack: RACK/Cabinet tag name
Domain: Windows Domain Name
Recovery Point Objective (RPO)
Recovery Time Objective (RTO)
Switches and Switch-port connected to: SW01_Gi/0/0/1
L2 Primary IP address
L2 Primary IP Subnet
L2 Primary IP Gateway(1st)
L2 Primary IP Gateway(2nd)
L2 Primary Physical(MAC) address
KVM IP address
KVM IP address Physical(MAC) address
Remote Access Mechanism
Windows Accounts List
Owner and contact details
System Admin and contact detail
Remarks