North Field East Project Onshore LNG Facilities
Table of Contents (page numbers at right)
1 INTRODUCTION 7
1.1 DOCUMENT OWNERSHIP, AUTHORITY & CONTRACTUAL STATUS 7
1.2 PURPOSE & SCOPE 7
1.3 SECURITY FRAMEWORK SPECIFICATION 8
2 SYSTEM HARDENING 13
2.1 REMOVING WINDOWS COMPONENTS 19
2.2 DISABLING SERVICES 20
2.3 SETTING OF DATA PROTECTION AND TELEMETRY DATA IN WINDOWS 10 23
2.4 SMB SIGNING 25
2.5 REMOTE DESKTOP SECURITY SETTING 26
2.6 DISABLING SMBV1 27
2.7 WINDOWS FIREWALL 27
2.8 BLOCKING ACCESS TO ALL USB STORAGE MEDIA 33
2.9 PASSWORD MEASURES 35
2.10 DISABLING AUTORUN / AUTOPLAY FOR EXTERNAL DRIVES AND STORAGE MEDIA 37
2.11 BIOS SETTINGS 42
2.12 SECURITY OPTIONS 45
2.13 ESXI SECURITY OPTIONS 46
2.14 TWO FACTOR AUTHENTICATION 47
3 NETWORK HARDENING 48
3.1 SWITCHES AND ROUTERS 48
3.2 NEXT GENERATION FIREWALLS (NGFWS) 49
4 PLC CONTROLLER/CPU HARDENING 51
4.1 ENGINEERING SOFTWARE SETTINGS 51
5 L2.5 NETWORK SWITCHES 53
5.1 HARDWARE PLATFORM 53
6 FIREWALLS 54
6.1 HARDWARE PLATFORM 54
6.2 SOFTWARE PLATFORM 55
7 NGFW SOLUTION OVERVIEW 55
7.1 INTRODUCTION 55
7.2 SECURITY ZONES 58
7.3 NGFWS SIZING 58
8 NETWORK SECURITY MONITORING SOLUTION 59
8.1 INTRODUCTION 59
8.2 HARDWARE PLATFORM 59
8.3 SOFTWARE PLATFORM 60
NORTH FIELD EAST PROJECT
Onshore LNG Facilities
Appendices
Abbreviations
1 INTRODUCTION
4.1. Overview
An Industrial Control System (ICS) is composed of diversified automation control components for
real-time operation, monitoring, and data collection.
The primary objectives of ICS security are based on the following attributes, listed in order of
priority. VENDOR shall concur with these and generate the relevant documentation for each system
compliance component, together with the applicable checklists.
1) Integrity
It is paramount to maintain the consistency, accuracy, and trustworthiness of data over its
entire lifecycle. ICS data shall not be changed, destroyed, or lost in an unauthorized or
accidental manner. VENDOR shall implement policies and procedures to protect systems
and their data from flaws and unauthorized modification using functionality verification, data
integrity checking, intrusion detection, malicious code detection, and security alert and
advisory controls.
2) Availability
Another critical aspect of control system performance measurement is availability. The
implemented architecture shall avoid single points of failure through high-availability equipment,
redundancy and alternative implementations across all communication and control.
Where virtualization hardware is redundant, the primary and secondary virtualization hardware
shall be located in different buildings.
3) Confidentiality
Confidentiality means preserving authorized restrictions on information access and disclosure; it
prevents sensitive information from reaching unauthorized parties such as an adversary or
attacker. VENDOR shall protect the secrecy of COMPANY proprietary data from the Industrial
Control and Safety System and of the relevant policies and procedures, the disclosure of which
could jeopardize reputation.
Plant security
● Physical security measures
Security strategies
4.2 Concept of "defence in depth"
Network security
● Division into security cells
A comprehensively secured network architecture subdivides the control network into
different task levels.
Perimeter zone techniques should be employed for this. This means that systems set up
in the perimeter network (DMZ) are shielded by one or more firewalls (front-end firewall
and back-end firewall or three-homed firewall) from other networks (e.g. Internet, office
network). This separation enables access to data in the perimeter network without having
to simultaneously allow access to the internal network to be protected (e.g. automation
network). As a result, risks of access violations can be significantly reduced.
● Securing access points to the security cells
A single access point to each security cell, realized by a firewall, is used for authentication of
users, devices and applications, for direction-based access control, for assignment of access
authorizations, and for detection of intrusion attempts. The single access point functions as the
main entry point to the network of a security cell and serves as the first point of control of access
rights to a network level.
● Securing the communication between two security cells over an "insecure" network
Certificate-based, authenticated, and encrypted communication should always be used when the
perimeter zone technique is used and there is communication across the access points. Tunnel
protocols such as PPTP (Point-to-Point Tunnelling Protocol), L2TP (Layer Two Tunnelling
Protocol) and IPsec (IP Security) can be used for this. Furthermore,
2 SYSTEM HARDENING
All the System Hardening listed below shall be part of Domain Policy configurations.
System hardening measures shall be implemented such that they do not conflict with
operational
• PCS7 OS Server
The below table illustrates the applicable sections against each required Hardening measure for the
PCS7 OS servers.
Table 2-1: Applicable hardening measures for OS servers.
Security Topic | Hardening Measures
Secure Network | No action required
Identity and Access Management | Sections 2.4, 2.6, 2.7, 2.9, 2.10, 2.11, 2.12
Attack Surface Reduction | Sections 2.1, 2.2, 2.8, 2.14
Secure Channels & Encryption | Section 2.5
System Integrity | ENS and AC agent as detailed in 4253-AMPF-7-95-9411 Sht 001; Time Synchronization as detailed in 4253-AMPF-7-95-9467 Sht 001
Logging and Monitoring | Syslog and WMI enabled as detailed in 4253-AMPF-7-95-9464 Sht 001
• PCS7 OS Clients
The below table illustrates the applicable sections against each required Hardening measure for the
PCS7 OS Clients.
Table 2-2: Applicable hardening measures for OS Clients.
Security Topic | Hardening Measures
Secure Network | No action required
Identity and Access Management | Sections 2.4, 2.6, 2.7, 2.9, 2.10, 2.11, 2.12
• PCS7 EWS
The below table illustrates the applicable sections against each required Hardening measure for
PCS7 EWS.
Table 2-3: Applicable hardening measures for EWS.
Security Topic | Hardening Measures
Secure Network | No action required
Identity and Access Management | Sections 2.4, 2.6, 2.7, 2.9, 2.10, 2.11, 2.12
Attack Surface Reduction | Sections 2.1, 2.2, 2.3, 2.8, 2.14
Secure Channels & Encryption | Section 2.5
System Integrity | ENS and AC agent as detailed in 4253-AMPF-7-95-9411 Sht 001; Time Synchronization as detailed in 4253-AMPF-7-95-9467 Sht 001
The below table illustrates the applicable sections against each required Hardening measure for any
security machine including WSUS, NMS, Backup Server, ePO server and Terminal Server VMs.
Table 2-7: Applicable hardening measures for security servers.
Security Topic | Hardening Measures
Secure Network | No action required
Identity and Access Management | Sections 2.4, 2.6, 2.7, 2.9, 2.10, 2.11, 2.12
Attack Surface Reduction | Sections 2.1, 2.2, 2.8
Secure Channels & Encryption | Section 2.5
System Integrity | ENS and AC agent as detailed in 4253-AMPF-7-95-9411 Sht 001; Time Synchronization as detailed in 4253-AMPF-7-95-9467 Sht 001
Logging and Monitoring | Syslog and WMI enabled as detailed in 4253-AMPF-7-95-9464 Sht 001
• Hypervisor
The below table illustrates the applicable sections against each required Hardening measure for the
hypervisor.
Table 2-8: Applicable hardening measures for Hypervisor.
Security Topic | Hardening Measures
Secure Network | No action required
Identity and Access Management | Sections 2.5, 2.9, 2.11, 2.13
Attack Surface Reduction | Sections 2.13, 2.14
Secure Channels & Encryption | Section 2.5
System Integrity | Time Synchronization as detailed in 4253-AMPF-7-95-9467 Sht 001
Click the "Turn Windows features on or off" entry in the navigation pane. Enter the administrator
password, if required. If you are already logged on as an administrator, confirm the execution of
the application. Then, the "Windows Features" dialog box opens.
If you select the "System hardening" option during installation via the SIMATIC PCS 7 Setup, the
services listed in the table are disabled by the installation.
To disable the above-mentioned services manually, follow these steps (using Windows 10 as an
example):
• In the Windows Start menu, right-click and select "Computer Management" from the shortcut
menu. Enter the administrator password, if required. If you are already logged on as an
administrator, confirm the execution of the application. The "Computer Management" dialog
opens.
In the navigation pane, select "Services and Applications > Services". The right pane of the dialog lists all
available services. The "Status" column indicates whether the service is currently running. The "Startup Type"
column shows how the service is started, "Manual", "Automatic", "Automatic (Delayed Start)" or "Disabled"
(service cannot be started).
In the right area, select the service to be disabled, and open the properties dialog of the service by double-
clicking on it. Only the services listed above may be disabled.
Select "Disabled" as the start-up type and confirm your changes with "OK".
In the "Settings" navigation area, click the "Privacy – Location, Camera" entry.
Go step by step through the privacy settings and disable them wherever possible.
Close the "Settings" window. Additional Windows 10 data protection functions can be enabled via group policy
settings. To do this, start the Group Policy Editor for the local group policies "gpedit.exe" in an administrative
command prompt (these settings can be made centrally in a domain) and configure the following policy settings
(Group Policy Object or GPO).
The following settings are found under policy setting "Computer Configuration > Windows Settings >
Security Settings > Local Policies > Security Options":
Microsoft network (client): Digitally sign communication (always)
Microsoft network (server): Digitally sign communication (always)
Microsoft network (server): Digitally sign communication (if client agrees)
These three settings must be enabled for use of SMB signing.
On all PCS 7 systems, except when necessary on OS clients (e.g. in virtual environments), the
setting "Computer Configuration > Administrative Templates > Windows Components > Remote
Desktop Services > Remote Desktop Session Host > Connections > Allow users to connect remotely
using Remote Desktop Services" must be disabled. This prevents users from logging on to systems
using RDP.
Enter the administrator password, if required. If you are already logged on as an administrator,
confirm the execution of the application. The "Windows Firewall" dialog box opens.
4. Open the properties of an active file and printer sharing rule (according to the network profile
domain used, Private or Public) with a double-click. The properties dialog of this rule opens.
5. Open the "Scope" tab. The "Remote IP address" area shows the IP address range for which
this firewall rule is valid and, for example, does not block the inbound communication.
In the case of the figure below, the communication is allowed only with computers in the "Local
subnet". Communication of computers in a different subnet is thus blocked.
6. To allow communication with a further communication partner, click the "Add" button in the
"Remote IP Address" area.
7. Select the option "This IP address or subnet:", enter the IP address of the communication
partner and confirm the entry with the "OK" button.
9. Adapt all inbound and outbound rules marked in the following figure according to your
environment (e.g. workgroup, Windows domain, subnets). In addition, all inbound rules of the
"Automation …" and "SIMATIC …" group must also be checked or adapted.
Start the Group Policy Editor for the local group policies "gpedit.exe" in an administrative command prompt
(these settings can be made centrally in a domain) and configure the following policy settings (Group Policy
Object or GPO).
Select the folder "Computer Configuration > Administrative Templates > System > Removable Storage Access".
Double-click the group policy "All Removable Storage classes: Deny all access". The properties dialog of the
group policy opens.
The following procedure is described using the example of a "Windows 10" operating system. To
implement the password policies, follow these steps:
1. Start the Group Policy Editor for the local group policies "gpedit.exe" in an administrative
command prompt (these settings can be made centrally in a domain) and configure the following
policy settings (Group Policy Object or GPO).
2. Select "Computer Configuration > Windows Settings > Security Settings > Account Policies >
Password Policy" in the left navigation pane. The password policies are displayed.
• Service Accounts
For service accounts, the password hardening measures are as follows:
1. Passwords shall be at least 20 characters long.
2. A process for changing service account passwords shall be implemented.
3. All service accounts shall be placed in a dedicated organizational unit (OU) in AD so that
they can be managed separately from other accounts.
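The three service account requirements above can be audited from a domain-joined administration host. The script below is an added example and is not part of the project document: it reports each service account's resultant minimum password length (the password itself cannot be read back from AD, so the policy minimum is the checkable proxy for requirement 1), the age of the password (a proxy for requirement 2, the change process) and whether the account sits in the dedicated OU (requirement 3). The OU distinguished name, the "svc_" naming prefix and the 90-day rotation window are assumptions for illustration; without -UseAD the script runs on constructed sample accounts so it can be tried offline.

```powershell
# Added example, not from the project document. Audits service accounts against:
#   1) minimum password length 20  (checked via the resultant password policy)
#   2) a password change process    (checked as password age <= $MaxPasswordAgeDays)
#   3) membership of a dedicated OU (checked via the distinguished name)
param(
    [string]$ServiceAccountOU = 'OU=ServiceAccounts,DC=example,DC=local',   # assumption
    [string]$NamePrefix       = 'svc_',                                     # assumption
    [int]$MaxPasswordAgeDays  = 90,                                         # assumption
    [switch]$UseAD
)

function Get-ServiceAccountFindings {
    param([object[]]$Accounts, [string]$ExpectedOU, [int]$MaxAgeDays)
    foreach ($a in $Accounts) {
        $problems = @()
        if ($a.MinPasswordLength -lt 20) {
            $problems += "policy minimum length $($a.MinPasswordLength) < 20"
        }
        if ($null -eq $a.PasswordLastSet -or $a.PasswordLastSet -lt (Get-Date).AddDays(-$MaxAgeDays)) {
            $problems += "password older than $MaxAgeDays days"
        }
        if ($a.DistinguishedName -notlike "*,$ExpectedOU") {
            $problems += 'not in the dedicated service account OU'
        }
        [pscustomobject]@{
            Account   = $a.SamAccountName
            Compliant = ($problems.Count -eq 0)
            Findings  = ($problems -join '; ')
        }
    }
}

if ($UseAD) {
    Import-Module ActiveDirectory
    $defaultMin = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
    $accounts = Get-ADUser -Filter "SamAccountName -like '$NamePrefix*'" -Properties PasswordLastSet |
        ForEach-Object {
            # A fine-grained policy overrides the domain default; $null means the default applies
            $fgpp   = Get-ADUserResultantPasswordPolicy -Identity $_
            $minLen = if ($fgpp) { $fgpp.MinPasswordLength } else { $defaultMin }
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                PasswordLastSet   = $_.PasswordLastSet
                MinPasswordLength = $minLen
            }
        }
} else {
    # Constructed sample data (not real accounts) so the checks can be tried offline
    $accounts = @(
        [pscustomobject]@{ SamAccountName='svc_backup'; DistinguishedName="CN=svc_backup,$ServiceAccountOU"
                           PasswordLastSet=(Get-Date).AddDays(-30);  MinPasswordLength=20 }
        [pscustomobject]@{ SamAccountName='svc_wsus';   DistinguishedName='CN=svc_wsus,CN=Users,DC=example,DC=local'
                           PasswordLastSet=(Get-Date).AddDays(-400); MinPasswordLength=14 }
    )
}

Get-ServiceAccountFindings -Accounts $accounts -ExpectedOU $ServiceAccountOU -MaxAgeDays $MaxPasswordAgeDays |
    Format-Table -AutoSize
```

With the sample data, svc_backup is reported compliant and svc_wsus collects all three findings; against AD, run with -UseAD and the real OU path.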
Select the folder "Computer Configuration > Administrative Templates > Windows Components
> Autoplay Policies". The associated policies for the folder are displayed in the right pane of the
editor.
Double-click the group policy "Turn off Autoplay". The properties dialog of the group policy opens.
Select the "Enabled" option, and from the drop-down list in the "Turn off Autoplay on:" area, select
the "All drives" option.
Select the folder "Computer Configuration > Administrative Templates > Windows Components > Autoplay
Policies". The right pane of the editor shows the policies associated with the folder.
Double-click the group policy "Specify Default Autorun Behaviour". The properties dialog of the group
policy opens.
Select the "Enabled" option, and from the drop-down list in the "Default Autorun Behaviour" area,
select the "Do not execute any autorun commands" option.
o Restart the PC and press F2 repeatedly until the BIOS setup interface appears. Select "Security"
with the cursor and choose "Set User Password" or "Set Supervisor Password". Note: the difference
between Set User Password and Set Supervisor Password is that the user password controls access
to the system at boot, while the supervisor password controls access to the setup utility.
• The boot order of the computer is set such that the first boot attempt is from the hard disk
containing the operating system installation and SIMATIC PCS 7. The BIOS boot manager is
disabled. These measures make it difficult to boot from other media, such as CDs or USB devices.
• Restart your PC and press the F2 or Del key to enter the BIOS/UEFI.
• USB ports are disabled through the BIOS with the measures below.
• First, open the Start menu and then the Run dialog box, or press "Windows + R" to open the Run
window directly. Then type "regedit.exe" and press Enter to open the Registry Editor, as shown in the
figure below.
The Registry Editor window opens. Navigate to the following path:
Click the "Start" value to open the "Edit DWORD (32-bit) Value" window.
Change the "Value data" field to 4 to disable the USB drives and ports, then click OK. Once done, the USB
drives and ports on your system are disabled.
To re-enable the USB ports and drives, change this value to 3 and click OK, as depicted in the figure below.
Once done, the USB drives and ports on your system are enabled again.
• Restart your system to check that the change has taken effect.
• TPM is enabled. To check whether TPM is enabled, follow these steps:
o Restart your PC and press the F2 or Del key to enter the BIOS/UEFI
o Locate the Security section, the Advanced section or a similarly named one
o If TPM is available, enable it.
o Once enabled, switch from discrete TPM to a firmware TPM
o Save the settings and exit the BIOS or UEFI
o Reboot your machine and run tpm.msc again. It should now report that the TPM is ready for use.
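The Chapter 2 measures that are applied through Group Policy or the registry (SMB signing in 2.4, the Remote Desktop setting in 2.5, SMBv1 in 2.6, the File and Printer Sharing rule scope in 2.7, removable storage in 2.8, Autoplay and Autorun in 2.10, the USB storage driver value and TPM state in 2.11, and the disabled services in 2.2) can all be verified from one read-only script. The one below is an added example and is not part of the project document or of the PCS 7 installation: it reads the standard Windows registry locations and cmdlet outputs that those policy settings control (locations chosen from general Windows knowledge, not taken from the document) and prints PASS/FAIL per item without changing anything. The service list is a placeholder assumption to be filled from the PCS 7 "System hardening" table.

```powershell
#Requires -Version 5.1
#Requires -RunAsAdministrator
# Added example, not from the project document: read-only compliance audit for the Chapter 2
# hardening items. Registry keys below are the standard locations behind the named Group Policy
# settings (my selection, not the document's); the service names are placeholders (assumption).

$ServicesToBeDisabled = @('PlaceholderService1', 'PlaceholderService2')   # fill from the PCS 7 table

# Section, policy wording, registry key, value name, expected data
$RegistryChecks = @(
    @{ Section='2.4';  Name='SMB client: Digitally sign (always)';     Key='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value='RequireSecuritySignature'; Expected=1 }
    @{ Section='2.4';  Name='SMB server: Digitally sign (always)';     Key='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value='RequireSecuritySignature'; Expected=1 }
    @{ Section='2.4';  Name='SMB server: Digitally sign (if client)';  Key='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value='EnableSecuritySignature';  Expected=1 }
    @{ Section='2.5';  Name='RDP: Allow users to connect = Disabled';   Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';      Value='fDenyTSConnections';       Expected=1 }
    @{ Section='2.8';  Name='All Removable Storage: Deny all access';   Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices';   Value='Deny_All';                 Expected=1 }
    @{ Section='2.10'; Name='Turn off Autoplay: All drives';            Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';   Value='NoDriveTypeAutoRun';       Expected=255 }
    @{ Section='2.10'; Name='Default Autorun: no autorun commands';     Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';   Value='NoAutorun';                Expected=1 }
    @{ Section='2.11'; Name='USBSTOR driver Start = 4 (disabled)';      Key='HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR';                     Value='Start';                    Expected=4 }
)

function New-Result {
    param([string]$Section, [string]$Check, $Expected, $Actual, [bool]$Pass)
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Section = $Section; Check = $Check; Expected = $Expected; Actual = $Actual; Status = $status }
}

$results = [System.Collections.Generic.List[object]]::new()

foreach ($c in $RegistryChecks) {
    # A value that was never written means the policy was never applied: reported as FAIL
    $item   = Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Value) } else { '<not set>' }
    $results.Add((New-Result $c.Section $c.Name $c.Expected $actual ($actual -eq $c.Expected)))
}

# Section 2.2: every listed service must have start-up type "Disabled" (absent services pass)
foreach ($svcName in $ServicesToBeDisabled) {
    $svc    = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    $actual = if ($svc) { [string]$svc.StartType } else { '<not installed>' }
    $results.Add((New-Result '2.2' "Service '$svcName' disabled" 'Disabled' $actual ($actual -in 'Disabled', '<not installed>')))
}

# Section 2.6: the SMBv1 server protocol must be off
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
$results.Add((New-Result '2.6' 'SMBv1 server protocol disabled' $false $smb1 (-not $smb1)))

# Section 2.7: enabled inbound File and Printer Sharing rules must be scoped, never "Any" remote address
$fpsRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
foreach ($rule in $fpsRules) {
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $results.Add((New-Result '2.7' "FW scope: $($rule.DisplayName)" 'LocalSubnet or explicit IPs' ($remote -join ',') ($remote -notcontains 'Any')))
}

# Section 2.11: TPM present and ready, the same state tpm.msc reports
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$results.Add((New-Result '2.11' 'TPM enabled and ready' $true ($tpm.TpmReady -eq $true) ($tpm.TpmReady -eq $true)))

$results | Format-Table -AutoSize
$failed = @($results | Where-Object Status -eq 'FAIL').Count
Write-Host "$failed of $($results.Count) checks failed"
exit ([int]($failed -gt 0))
```

The script only reports; in the domain the values are set centrally by the GPOs described in this chapter, and a FAIL on a domain member usually means the policy has not been applied to that machine yet (gpupdate /force and a re-run is the first thing to try). The non-zero exit code lets it be scheduled as a recurring compliance job.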
3 NETWORK HARDENING
The strategy of dividing plants and connected plants into security cells increases the availability of
the overall system. Failures, or security threats that result in failure, can thereby be restricted to the
immediate vicinity. During the planning of the security cells, the plant is first divided into process cells
and then into security cells based on the security measures. The security cells are realized by
network components, and hardening these devices is therefore crucial to the overall plant security.
Network access points block prohibited data traffic to the process control and process
visualization systems while permitting the data traffic required for their normal operation. The
following table shows several access points.
Table 3-1: Access Points
6 FIREWALLS
Design Requirements and Business Needs
The perimeter IPS is used to monitor and analyse user and system activity, audit system
configurations and vulnerabilities, assess the integrity of critical system and data files, perform
statistical analysis of activity patterns against known attacks, detect abnormal activity and audit
operating systems. The need for the IPS is based on IEC 62443-3-3 SR 3.2 and DEL requirements.
Description | Qty
Firewall as per the Approved ICS Vendor list: Fortinet FG-101F; 22 x GE RJ45 ports (including 2 x WAN ports, 1 x DMZ port, 1 x MGMT port, 2 x HA ports, 16 x switch ports with 4 SFP ports shared media), 4 SFP ports, 2 x 10G SFP+ FortiLinks, 480 GB onboard storage, dual power supply redundancy | 4
Threat Protection: IPS, Advanced Malware Protection Service, Application Control; bi-directional inspection
Firewall Specification
Table 6-2: Performance and Capacities for the Firewall
Description | Details
Firewall throughput (HTTP/appmix) | 1.63 Gbps
Threat Prevention throughput (HTTP/appmix) | 1.5 Gbps
Application inspection throughput (approx.) / IPsec VPN throughput | 12 Gbps
Max sessions | TBA
New sessions per second | TBA
Latency | <5 microseconds
7.1 INTRODUCTION
To monitor all network traffic and identify and block unwanted traffic, Next Generation Firewalls
are used, as they are application-aware and make decisions based on application, user, and
content. Their natively integrated design simplifies operation and improves the security posture of
the network.
The selected NGFWs are based on Palo Alto; four of them shall be provided as part of the scope of
this project and shall be allocated as shown in the architecture below.
- L3.5 Local DMZ NGFWs: Redundant NGFWs (a pair of two) shall be used to segment the Level 3
and L3.5 Local DMZ networks. These firewalls are supplied with a Threat Prevention subscription,
which adds integrated protection against network-borne threats. These threats include exploits,
malware, command-and-control traffic and a variety of hacking tools. The NGFWs shall be
configured in high availability mode in an active-passive scheme.
- Level 3 NGFWs: Redundant NGFWs (a pair of two) are used to segment the operation level
(Level 2) and the management level (Level 3). The NGFWs shall be configured in high availability
mode in an active-passive scheme.
8.1 INTRODUCTION
The Network Security Monitoring Solution provides detection of advanced threats, increases security awareness, accelerates
response time to events and helps maintain the availability of communication networks. NSM is able to detect the following network threats:
• Application Layer Threats
• Hidden Payloads
• Data Lateral Movements
• Malicious Traffic
• Covert Traffic
NSM Solution facilitates the following:
• Visibility into Network Behaviour
• Detect Advanced Threats
• Improve Cybersecurity Posture
• Maintain System Availability
• Mitigate Risks
Description | Qty
RUGGEDCOM RX1524 Nozomi-Based NIDS Pre-Installed on APE1808 (Part number 6GK60001AM010AA3) | 1
Document No. 4253-AMPF-7-95-9463 Sht 001 | Rev. A | Date 2022-04-21 | Status AFC | Page 60 of 223
Title: CYBER-Firewall
RX1524 configuration codes:
HI = 88-300 VDC or 85-264 VAC, screw terminal block
HI = 88-300 VDC or 85-264 VAC, screw terminal block
RM = 19" Rack Mount Kit
L3 = Layer 3 Switch
L3SECL3HW = Layer 3 Security Edition (with L3 HW)
APE1808LNX = Application Processing Engine, Atom X5-E3940, 8GB RAM, 64GB eMMC, DisplayPort, uSD, USB, Linux
6TX01 = 6x 10/100TX RJ45
6FX50 = 6x 100FX SFP Blank (no optical transceiver)
6FX50 = 6x 100FX SFP Blank (no optical transceiver)
Based on customer requirements and best practices, each zone shall have different
vLANs to segregate the systems and limit the communication traffic between them. The
vLANs under each security zone shall be defined as follows.
10 L3 NGFWS
Table 10-1: vLANs against each Security zone for L2.5 & L3 NGFWs
# | Security Zone | Network Segregation | Systems
1 | Trusted | ELICS Terminal Bus Network (Level 2) | HVAC WinCC Panel Mounted IPC
2 | Trusted | ELICS Terminal Bus Network (Level 2) | DCS EWS
3 | Trusted | ELICS Terminal Bus Network (Level 2) | ELICS Servers
4 | Trusted | ELICS Terminal Bus Network (Level 2) | ELICS OWS
5 | Trusted | ELICS Terminal Bus Network (Level 2) | OPC Server
6 | Trusted | ELICS Terminal Bus Network (Level 2) | NMS
7 | Trusted | ELICS Terminal Bus Network (Level 2) | Backup server
8 | DMZ | DMZ (Level 2.5) | Terminal Server
9 | DMZ | DMZ (Level 2.5) | WSUS
10 | DMZ | DMZ (Level 2.5) | ePO Station
11 | DMZ | DMZ (Level 2.5) | Domain controllers
12 | DMZ | DMZ (Level 2.5) | Simatic Management Console Station
13 | Untrusted | (Level 3) | Qatar Gas SIEM
14 | Untrusted | (Level 3) | POIS & ETAP Servers
These security zones shall be used to define the security rules required to block or allow a session
based on traffic attributes, such as the source and destination security zone, the source and
destination IP address, the application, the user, and the service.
Based on the number of connected devices, the PA-440 Next Generation Firewall has been selected,
as it can accommodate eight connections. Section 7 details and explains the hardware platform of the
selected firewalls.
A Security Rules
Security policy protects network assets from threats and disruptions and helps to allocate network
resources optimally, enhancing productivity and efficiency in the processes. All traffic passing through the
firewall is matched against a session, and each session is matched against a Security policy rule. When a
session match occurs, the firewall applies the matching Security policy rule to the bidirectional traffic in that
session (client to server and server to client). Traffic that does not match any defined rule is handled by the
default rules: by default, all intra-zone communication is allowed and all inter-zone communication is denied.
Traffic that matches a rule generates a log entry in the traffic log at the end of the session, since logging shall
be enabled for both the L3 and the Local DMZ L3.5 NGFWs.
The table below details the basic firewall rules that shall be configured for the commissioned systems. The
supplied firewalls shall be commissioned in learning mode to observe all the traffic that has to be allowed in
accordance with the firewall rule table below; the rules will then be optimized on that basis. The result shall be
reflected in the As-built document revision, where all rules will be finalized, tested, and confirmed. For the
Local DMZ L3.5 and L3 NGFWs, the basic security rules are detailed in Appendix 2.
11 L2 FWS
Description | Qty
Firewall as per the Approved ICS Vendor list: Siemens SCALANCE SC636-2C; Stateful Packet Inspection (SPI); TCP, UDP, and non-IP protocols supported | 14
Deny by default: all network traffic that is not on the 'allowed' list is automatically blocked and reported
12 SECURITY RULES
Security policy protects network assets from threats and disruptions and helps to allocate
network resources optimally, enhancing productivity and efficiency in the processes. All traffic passing
through the firewall is matched against a session, and each session is matched against a Security
policy rule. When a session match occurs, the firewall applies the matching Security policy rule to the
bidirectional traffic in that session (client to server and server to client). Traffic that does not match
any defined rule is handled by the default rules: by default, all intra-zone communication is allowed and
all inter-zone communication is denied. Traffic that matches a rule generates a log entry in the traffic
log at the end of the session, since logging shall be enabled for both the L3 and the Local DMZ L2.5 NGFWs.
The next sections define the ports for the basic firewall rules that shall be configured for the
commissioned systems. The supplied firewalls shall be commissioned in learning mode to observe all
the traffic that has to be allowed in accordance with the firewall rule tables below; the rules will then be
optimized on that basis. The result shall be reflected in the As-built document revision, where all rules
will be finalized, tested, and confirmed. For the Local DMZ L2.5 and L3 NGFWs, the basic security
rules are detailed in Appendix 2.
Certain ports need to be configured on both the ePO server and the firewall to establish a working
communication path between ePO and its agents through the FW, as shown below. Whenever a
request is sent by an ePO agent to the ePO server, it passes through the firewall, which checks whether
it arrives on one of the configured allowed ports. This applies to the bidirectional communication
between ePO and its agents. The table below lists the ports configured on the FW together with their
traffic direction.
Table 13-2: Configured ports on firewall side
• TCP ports 7780, 9877 for communication between components
• TCP ports 443 and 902 to access the vCenter Server and ESX(i) hosts
• TCP port 2600, 2700 for Archive Server Core
• TCP port 6110 for Acronis Cyber Backup service
• TCP port 9999 for Authorization and routing requests for different components
• TCP port 1337 for syncing Backup policies between server and agent
• TCP port 8081 for Acronis Scheduler2 service
• TCP port 9772 for Acronis Cyber Backup Agent
• TCP 9876, 9852 for storage node
Service | Protocol / Port | Description | Direction
Communication between components | TCP / 7780 & 9877 | For communication between Acronis components | Bi-directional
Access to vCenter & ESXi | TCP / 443 & 902 | To collect backups of VMs and ESXi host | Bi-directional
Archive Server Core | TCP / 2600 & 2700 | Required by Acronis system | Bi-directional
Acronis Cyber Backup Service | TCP / 6110 | Internal Acronis services | Bi-directional
Authorization and routing requests | TCP / 9999 | For different components | Bi-directional
Policies Syncing | TCP / 1337 | For syncing Backup policies between server and agent | Bi-directional
Acronis Scheduler2 service | TCP / 8081 | For scheduling backup plans | Bi-directional
Acronis Cyber Agent | TCP / 9772 | For taking backups | Bi-directional
Storage node | TCP / 9876 & 9852 | Used for communication with storage location, typically NAS | Bi-directional
The purpose of these ports is illustrated in the architecture on the next page.
7.4 SIEM
The below table illustrates the required ports to be allowed by L3 NGFW.
Table 6-3: required ports by SIEM.
Service | Protocol / Port | Description | Direction
Active Directory | TCP 389, 3268 | Active Directory. Port 3268 is used for LDAP. | Out
Backup | TCP 445, 111, 2049 | Backup and Restore: CIFS uses 445; NFS uses 111 and 2049 | In/out
DNS | UDP 53 | Primary, Secondary DNS server | Out
HTTP | TCP/UDP 80 (out), 443 (in) | Rules Server - www.nitroguard.com; redirection to web server on port 443 (in) | In/out
HTTPS | TCP/UDP 443 | Client logon. | In/out
Kafka 1 | TCP 9092 | Port used by databus for broadcasting and consuming data. | Out
NTP | UDP 123 | NTP server | Out
SNMP | TCP/UDP 161, 162 | Traps received from McAfee appliances or sent to SNMP Trap collector | In/out
SSH | TCP/UDP 22 | All McAfee appliances and to access command line | In/out
EDB Secure Port 1 | TCP 8103 | Snowflex/jdbc gossip port used for clustered environment behind a firewall | In/out
Databus Snowflex management port 1 | TCP 1211 | Port used for clustered environment behind a firewall | In/out
13.4 WSUS
WSUS server requires the following ports for communication with clients.
Table 13-4: required ports by Wsus.
Service | Protocol / Port | Description | Direction
Client to Server communication | TCP / 8530 | HTTP port | Uni-directional
Client to Server communication | TCP / 8531 | HTTPS port | Uni-directional
WSUS uses port 8530 for HTTP and 8531 for HTTPS. The L3 and Local DMZ L3.5 NGFWs must
be configured to allow inbound traffic on these ports.
NTP is built on UDP: port 123 is used for NTP server communication, and NTP clients (for example, a
desktop) use port 1023.
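The rule-matching behaviour described under Security Rules (first matching rule wins, otherwise intra-zone traffic is allowed and inter-zone traffic is denied, and every session produces a traffic-log record) can be exercised against the port tables above before the rules are typed into the firewalls. The script below is an added example, not part of the project document and not vendor code: it builds a rule set from the WSUS and SIEM ports listed above, using the zone names of the vLAN table, and evaluates constructed sample sessions. Which zone each server sits in, the rule order, the sample sessions and the rule names are my assumptions; only the protocols and port numbers come from the tables.

```powershell
# Added example, not from the project document or any firewall vendor: a model of zone-based
# security rule evaluation (first match, intra-zone allow / inter-zone deny defaults, log at session end).

# Rule rows: ports from the WSUS and SIEM tables, zones and order assumed; evaluated top to bottom
$PortTable = @'
Rule,Protocol,Ports,FromZone,ToZone,Action
WSUS-HTTP,TCP,8530,Trusted,DMZ,allow
WSUS-HTTPS,TCP,8531,Trusted,DMZ,allow
SIEM-AD,TCP,389;3268,Untrusted,DMZ,allow
SIEM-DNS,UDP,53,Untrusted,DMZ,allow
SIEM-NTP,UDP,123,Untrusted,DMZ,allow
SIEM-HTTPS,TCP,443,DMZ,Untrusted,allow
'@

function ConvertTo-RuleSet {
    param([string]$Csv)
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        [pscustomobject]@{
            Name     = $row.Rule
            Protocol = $row.Protocol.ToUpper()
            Ports    = [int[]]($row.Ports -split ';')     # "389;3268" becomes two port numbers
            FromZone = $row.FromZone
            ToZone   = $row.ToZone
            Action   = $row.Action
        }
    }
}

function Get-PolicyDecision {
    param([object[]]$RuleSet, [string]$FromZone, [string]$ToZone, [string]$Protocol, [int]$Port)
    # First matching rule wins, exactly as the firewall walks its ordered policy
    $match = $RuleSet | Where-Object {
        $_.FromZone -eq $FromZone -and $_.ToZone -eq $ToZone -and
        $_.Protocol -eq $Protocol.ToUpper() -and $_.Ports -contains $Port
    } | Select-Object -First 1
    if ($match)                    { $action = $match.Action; $rule = $match.Name }
    elseif ($FromZone -eq $ToZone) { $action = 'allow';       $rule = 'intrazone-default' }
    else                           { $action = 'deny';        $rule = 'interzone-default' }
    # The traffic-log record written at the end of the session
    [pscustomobject]@{ From = $FromZone; To = $ToZone; Protocol = $Protocol.ToUpper(); Port = $Port; Action = $action; Rule = $rule }
}

$rules = ConvertTo-RuleSet -Csv $PortTable

# Constructed sample sessions: an allowed WSUS pull, an unlisted inter-zone port, SIEM time sync, intra-zone traffic
$sessions = @(
    @{ FromZone='Trusted';   ToZone='DMZ';     Protocol='tcp'; Port=8530 }
    @{ FromZone='Trusted';   ToZone='DMZ';     Protocol='tcp'; Port=3389 }
    @{ FromZone='Untrusted'; ToZone='DMZ';     Protocol='udp'; Port=123  }
    @{ FromZone='Trusted';   ToZone='Trusted'; Protocol='tcp'; Port=445  }
)
$log = foreach ($s in $sessions) { Get-PolicyDecision -RuleSet $rules @s }
$log | Format-Table -AutoSize

# Sessions that fell through to the inter-zone default are the ones to review during learning-mode commissioning
$log | Where-Object { $_.Rule -eq 'interzone-default' } |
    ForEach-Object { "REVIEW: $($_.From)->$($_.To) $($_.Protocol)/$($_.Port) hit the default deny" }
```

Running it yields allow/WSUS-HTTP, deny/interzone-default, allow/SIEM-NTP and allow/intrazone-default for the four sessions. Replacing the sample sessions with flows exported from the learning-mode observation gives a quick way to see which observed traffic the drafted rule table would still drop before the As-built rules are finalized.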
8 NGFW PLATFORM
Description | Qty
Palo Alto Next Generation Firewall (PA-440-HA), including 2 x PA-440 NGFWs, 2 x PA-400 W power adaptors and a rackmount kit for redundant firewalls | 2
Palo Alto Firewall Premium Support, 5 years, for Next Generation Firewall (PA-440-HA) | 2
Palo Alto Firewall Threat Prevention subscription, 5 years, for Next Generation Firewall (PA-440-HA) | 1
a. INTRODUCTION
Next Generation Firewalls are used to monitor all network traffic and to identify and block unwanted traffic: they are application aware and make decisions based on application, user and content. Their natively integrated design simplifies operation and improves the security posture of the network.
The selected NGFWs are Palo Alto Networks appliances. Four of them shall be provided as part of the scope of this project and shall be allocated as shown in the architecture below.
Figure 2-1: Typical architecture
b. SECURITY ZONES
Security zones are a logical way to group physical and virtual interfaces on the firewall in order to control and log the traffic that traverses specific interfaces on the network. An interface on the firewall must be assigned to a security zone before it can process traffic. The security zones shall be defined based on the architecture and the customer specifications.
c. NGFWS SIZING
Firewalls come in many shapes and sizes, and selecting the right model shall be based on the criteria below:
Based on customer requirements and best practices, each zone shall have different VLANs to segregate the systems and limit the communication traffic between them. The VLANs under each security zone shall be defined as follows.
Table 3-1: VLANs against each security zone for L3.5 NGFWs
Security Zone | VLAN | Systems
Trusted (Level 2.5) | OPC_PI | OPC Server for OSI PI interface; Process Historian server
Trusted (Level 2.5) | DCS | OS; Alarm Station
Trusted (Level 2.5) | NMS | NMS
Trusted (Level 2.5) | Log collection | IDS; Log Collector
Trusted (Level 2.5) | Backup | Backup server; Remote Terminal Server
Trusted (Level 2.5) | Update Servers | WSUS; ePO server
Trusted (Level 2.5) | DC | Domain controllers
DMZ (Level 3) | OPC_PI | OSI PI server
DMZ (Level 3) | Remote | QatarGas DMZ OT PAM
DMZ (Level 3) | Update Servers | QatarGas DMZ WSUS; QatarGas DMZ ePO server
DMZ (Level 3) | Log collection | QatarGas SIEM
a. THREAT PREVENTION
As mentioned earlier, the Local DMZ L3.5 NGFWs shall be supplied with Threat Prevention licenses, which defend the network both against commodity threats, which are pervasive but not sophisticated, and against targeted, advanced threats perpetrated by organized cyber adversaries. This is required to monitor the traffic entering and leaving the Local DMZ L3.5 network and to block it in case of suspicious or abnormal activity.
Threat Prevention includes comprehensive exploit, malware and command-and-control protection, and Palo Alto Networks publishes content updates that equip the firewall with the latest threat intelligence. These updates are recommended to be pushed from the QatarGas network once a week. All threat signatures are published on the Palo Alto Networks Threat Vault portal and are pulled by the L4 QatarGas firewall. Since the L3.5 firewalls receive content only through this push, the installed content version on each firewall should be verified after every weekly update.
19. L3 NGFWS
Based on customer requirements and best practices, each zone shall have different VLANs to segregate the systems and limit the communication traffic between them. The VLANs under each security zone shall be defined as follows.
These security zones shall be used to define the security rules required to block or allow a session based on traffic attributes, such as the source and destination security zone, the source and destination IP address, the application, the user and the service.
a. L3 NGFWS CONNECTIONS
The number of connections required for these firewalls, as shown in Appendix 1 - 4253-AMPF-7-95-9461 Sht 001_CYBER-Network_Rev0, is seven.
Based on the number of connected devices, the PA-440 Next Generation Firewall has been selected, as it can accommodate eight connections. In section 7, the hardware platform of the selected firewalls is detailed and explained.
9 SECURITY RULES
Security policy protects network assets from threats and disruptions and helps to allocate network resources optimally, enhancing productivity and efficiency of the processes. All traffic passing through the firewall is matched to a session, and each session is matched against a Security policy rule. When a session match occurs, the firewall applies the matching Security policy rule to the bidirectional traffic in that session (client to server and server to client). Traffic that does not match any defined rule is handled by the default rules: by default, all intra-zone communication is allowed and all inter-zone communication is denied. Traffic that matches a rule generates an entry in the traffic log at the end of the session, since logging shall be enabled on both the L3 and the Local DMZ L3.5 NGFWs. Note that the default intra-zone rule lets hosts in the same zone reach each other on any service unless an explicit deny rule precedes it, and that the two default rules do not log until they are overridden with logging enabled; both points shall be checked during commissioning.
The table below details the basic firewall rules that shall be configured for the commissioned systems. The supplied firewalls shall be commissioned in learning mode to observe all the traffic that needs to be allowed in accordance with the firewall rule table, and the rules shall then be optimized based on that observation. The same shall be reflected in the As-built document revision, where all rules will be finalized, tested and confirmed. The basic security rules for the Local DMZ L3.5 and L3 NGFWs are detailed in Appendix 2.
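The matching behaviour described above (explicit rules evaluated top-down, first match wins, predefined intrazone-allow and interzone-deny defaults, logging at session end) can be exercised offline before the firewalls are commissioned. The following is an added example, not the project's firewall configuration: it builds a small rule set from the WSUS, NTP and ePO ports listed in this document, evaluates constructed sessions against it, and renders one rule as PAN-OS `set` commands. The zone names, IP addresses and rule names are assumptions.

```python
"""Zone-based security policy matching in the PAN-OS style: explicit rules
top-down, first match wins, then the predefined default rules.

Added example, not the project's firewall configuration. The rules are
constructed from the WSUS, NTP and ePO ports listed in this document; the
zone names, IP addresses and rule names are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass
class Rule:
    name: str
    from_zones: List[str]
    to_zones: List[str]
    sources: List[str]        # CIDR prefixes, or ["any"]
    destinations: List[str]
    services: List[str]       # "tcp/8530", "udp/123", or ["any"]
    action: str               # "allow" or "deny"
    log_end: bool = True      # log at session end, as required for both NGFWs

    @staticmethod
    def _addr_ok(prefixes: List[str], ip: str) -> bool:
        return "any" in prefixes or any(ip_address(ip) in ip_network(p) for p in prefixes)

    def matches(self, s: Session) -> bool:
        return (("any" in self.from_zones or s.src_zone in self.from_zones)
                and ("any" in self.to_zones or s.dst_zone in self.to_zones)
                and self._addr_ok(self.sources, s.src_ip)
                and self._addr_ok(self.destinations, s.dst_ip)
                and ("any" in self.services or f"{s.proto}/{s.dst_port}" in self.services))


def evaluate(rules: List[Rule], s: Session, log_defaults: bool = True) -> Tuple[str, str, bool]:
    """Return (rule name, action, logged) for the first matching rule, falling
    back to the predefined default rules. The defaults log nothing unless they
    are overridden, which log_defaults models."""
    for r in rules:
        if r.matches(s):
            return r.name, r.action, r.log_end
    if s.src_zone == s.dst_zone:
        return "intrazone-default", "allow", log_defaults
    return "interzone-default", "deny", log_defaults


def to_panos_cli(r: Rule) -> List[str]:
    """Render one rule as PAN-OS configuration-mode 'set' commands: one service
    object per protocol/port pair, then the security rule referencing them."""
    lines, svc_names = [], []
    for svc in r.services:
        if svc == "any":
            svc_names.append("any")
            continue
        proto, port = svc.split("/")
        name = f"svc-{proto}-{port}"
        svc_names.append(name)
        lines.append(f"set service {name} protocol {proto} port {port}")
    lines.append(
        f'set rulebase security rules "{r.name}" from [ {" ".join(r.from_zones)} ]'
        f' to [ {" ".join(r.to_zones)} ] source [ {" ".join(r.sources)} ]'
        f' destination [ {" ".join(r.destinations)} ] application any'
        f' service [ {" ".join(svc_names)} ] action {r.action}'
        f' log-end {"yes" if r.log_end else "no"}')
    return lines


# Constructed rule set (assumed addresses): Level 2.5 clients to the Level 3.5
# DMZ WSUS on 8530/8531, the DMZ WSUS to the Level 2.5 NTP source, ePO agents to ePO.
POLICY = [
    Rule("WSUS-clients-to-WSUS", ["L2_5-Trusted"], ["L3_5-DMZ"], ["10.25.0.0/24"],
         ["10.35.0.10/32"], ["tcp/8530", "tcp/8531"], "allow"),
    Rule("WSUS-to-NTP", ["L3_5-DMZ"], ["L2_5-Trusted"], ["10.35.0.10/32"],
         ["10.25.0.5/32"], ["udp/123"], "allow"),
    Rule("ePO-agents-to-ePO", ["L2_5-Trusted"], ["L3_5-DMZ"], ["10.25.0.0/24"],
         ["10.35.0.20/32"], ["tcp/80", "tcp/443"], "allow"),
]


if __name__ == "__main__":
    samples = [
        Session("L2_5-Trusted", "L3_5-DMZ", "10.25.0.7", "10.35.0.10", "tcp", 8530),   # allowed
        Session("L3_5-DMZ", "L2_5-Trusted", "10.35.0.10", "10.25.0.7", "tcp", 8530),   # reverse direction: denied
        Session("L2_5-Trusted", "L3_5-DMZ", "10.25.0.7", "10.35.0.10", "tcp", 445),    # unlisted service: denied
        Session("L2_5-Trusted", "L2_5-Trusted", "10.25.0.7", "10.25.0.8", "tcp", 445), # same zone: default allow
    ]
    for s in samples:
        print(s.src_zone, "->", s.dst_zone, f"{s.proto}/{s.dst_port}", evaluate(POLICY, s))
    print("\n".join(to_panos_cli(POLICY[0])))
```

The second sample shows why the WSUS rule is uni-directional: a session opened by the WSUS server towards a client on 8530 has no matching rule and falls to the interzone default deny. The fourth sample is the intra-zone case that stays open unless an explicit deny is placed above the defaults.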
EPO SERVER
Certain ports need to be configured on both the ePO server and the firewall to establish a working communication path between the ePO server and its agents through the firewall, as shown below. Whenever an ePO agent sends a request to the ePO server, it passes through the firewall, which checks whether it uses one of the already configured allowed ports. The same applies in the opposite direction, since the communication between the ePO server and its agents is bidirectional. The table below lists the ports configured on the firewall together with their traffic direction.
Table 14-2: configured ports on firewall side
Service | Port | Description | Direction
Agent-server communication port | 80 | TCP port that the McAfee ePO server service uses to receive requests from agents. | Inbound connection to the Agent Handler and the McAfee ePO server from the McAfee Agent. Inbound connection to the McAfee ePO server from the Remote Agent Handler.
Agent-server communication secure port | 443 | TCP port that the McAfee ePO server service uses to receive requests from agents and Remote Agent Handlers. | Inbound connection to the Agent Handler and the McAfee ePO server from the McAfee Agent. Inbound connection to the McAfee ePO server from the Remote Agent Handler.
Software Manager, Product Compatibility List and License Manager port | 443 | TCP port that the McAfee ePO server's Software Manager uses to connect to McAfee. TCP port that the McAfee ePO server uses to connect to the McAfee software updates server (s-download.mcafee.com), the McAfee license server (lc.mcafee.com) and the McAfee Product Compatibility List (epo.mcafee.com). | Outbound connection from the McAfee ePO server to McAfee servers.
Agent wake-up communication port | 8081 | TCP port that agents use to receive agent wake-up requests from the McAfee ePO server or Agent Handler. | Inbound connection from the ePO server/Agent Handler to the McAfee Agent.
SuperAgent repository port | 8081 | TCP port that SuperAgents configured as repositories use to receive content from the McAfee ePO server during repository replication, and to serve content to client systems. | Inbound connection from client systems to SuperAgents configured as repositories.
Agent broadcast communication port | 8082 | UDP port that the SuperAgents use to forward messages from the ePO server/Agent Handler. | Outbound connection from the SuperAgents to other McAfee Agents.
Console-to-application server communication port | 8443 | TCP port that the ePO Application Server service uses to allow web browser UI access. | Inbound connection to the McAfee ePO server from the ePO console.
Client-to-server authenticated communication port | 8444 | TCP port that the Agent Handler uses to communicate with the McAfee ePO server to get required information (such as LDAP servers). | Outbound connection from Remote Agent Handlers to the McAfee ePO server.
SQL Server TCP port | 1433 | TCP port used to communicate with the SQL Server. This port is specified or determined automatically during the setup process. | Outbound connection from the ePO server/Agent Handler to the SQL Server.
Note that the outbound port 443 connection to the McAfee update and license servers is needed only by an ePO server that has a path to the Internet; for the Level 2.5 ePO server, that path must be confirmed against the security zone table before any such rule is added.
BACKUP SERVER
To allow the Acronis software to operate properly in the network, it is mandatory to open the following ports in the firewall settings:
• TCP 7780, 9877 for communication between components
• TCP 443 and 902 to access the vCenter Server and ESX(i) hosts
• TCP 2600, 2700 for Archive Server Core
• TCP 6110 for the Acronis Cyber Backup service
• TCP 9999 for authorization and routing of requests between the different components
• TCP 1337 for syncing backup policies between server and agent
• TCP 8081 for the Acronis Scheduler2 service
• TCP 9772 for the Acronis Cyber Backup Agent
• TCP 9876, 9852 for the storage node
The purpose of these ports is illustrated in the architecture below.
PROCESS HISTORIAN
The Process Historian server and PH-Ready require the following settings for operation:
Table 6-4: required ports by PH.
Service | Protocol / Port | Direction
PH Discovery Services | TCP 5048 | Bi-directional
PH Network Discovery | UDP 137 | Bi-directional
PH Redundancy Services | TCP 60000 | Bi-directional
PH WCF Message Queue Service (SQL Mirroring Setup) | TCP 60002 | Bi-directional
PH SQL-Mirroring Port (TCP) | TCP 5022 | Bi-directional
PH SQL-Mirroring Port (UDP) | UDP 5022 | Bi-directional
PH SQL-Server Monitor Port | UDP 1434 | Bi-directional
PH SQL-Server Port | TCP 3723 | Bi-directional
PH LLMNR-UDP-In | UDP 5355 | Bi-directional
PH RPC for MSMQ | TCP 135 | Bi-directional
The NetBIOS name service (UDP 137), LLMNR (UDP 5355) and RPC endpoint mapper (TCP 135) ports are broadcast or multi-purpose services; their rules shall be restricted to the addresses of the Process Historian server and its PH-Ready peers rather than opened zone-wide.
NGFW PLATFORM
HARDWARE PLATFORM
The selected model for the four PA NGFWs is the PA-440, which has the following key features:
• 3.0/2.4 Gbps firewall throughput (HTTP/appmix)
• 0.9/1.0 Gbps Threat Prevention throughput (HTTP/appmix)
• 1.6 Gbps IPsec VPN throughput
• 200,000 max sessions
• 39,000 new sessions per second
Since the Local DMZ L3.5 pair runs Threat Prevention, its sizing shall be checked against the 0.9/1.0 Gbps Threat Prevention figure rather than the 3.0 Gbps firewall-only figure.
The table below details the specifications and quantity considered for the PA NGFWs (L3 and L3.5) as part of the scope of this project.
The SINEC NMS software is a network management system for the central monitoring and management of industrial networks. SINEC NMS can fully visualize and monitor networks with tens of thousands of nodes. Using SNMPv3, SSH and HTTPS for administration, and simultaneous diagnostics via SNMPv3, SIMATIC and PROFINET mechanisms, many aspects of plant diagnostics can be depicted in a single tool. The distributed approach of SINEC NMS enables expansion of the network infrastructure at any time. Captured data is stored in a long-term archive and can be evaluated and presented as required.
SINEC NMS also facilitates configuration of the network infrastructure. The policy-based approach means that configuration can take place independently of the type of devices in the network, and regular backups of the device configurations can be made in order to learn of changes to configurations. In addition, two device configurations can be compared with one another, and the differences highlighted in colour. The NMS will take the backup configuration file and store it on the NMS server itself, which will in turn be backed up by the backup server. Another important advantage is the central function for firmware updates/upgrades of the network infrastructure. The NMS shall be located on the hypervisor in Layer 2.5, as shown in the architecture below.
The NMS shall cover all connected network devices as well as Windows machines, such as the L2, L2.5 and L3 switches, the L2 firewalls and the NGFWs. All network details related to these devices shall be accessible from the NMS console.
Reports
Reports offer exportable evaluations of the network monitoring in both text and graphic form.
Figure: Device availability report
configured by the policy, and in what order. As part of this project, all tasks will be enforced manually to avoid any disruption in the network.
SINEC PLATFORM
4. Define the UMC domain settings for SINEC NMS and enter the data of an administrator user for this domain. Use the same Windows user login details.
SINEC Server
All user groups shall be detailed in the CYBER-DC and User management document, 4253-AMPF-7-95-9466 Sht 001. The configuration steps shall be followed as per the Siemens manual "Connection of SINEC NMS to UMC", section 3, at the following link:
https://support.industry.siemens.com/cs/ww/en/view/109780337
UMC CONFIGURATION
SWITCH CONFIGURATION
SWITCH
Using SNMP, information about network components can be read, or their parameters changed, by a remote Network Management System (NMS). Accordingly, all switches shall be configured as SNMP agents (the "server" side that answers the requests). SNMP is defined in three versions, SNMPv1, SNMPv2c and SNMPv3; in contrast to SNMPv1 and SNMPv2c, the security mechanisms in SNMPv3 were significantly expanded. The security functions are implemented by the following mechanisms:
● User-based authentication of every message (an HMAC computed with the configured authentication protocol and passphrase).
● Encryption (privacy) of the payload with the configured privacy protocol and passphrase.
● Access control of the MIB objects at the user/group level.
The SINEC NMS VM shall be configured as the SNMP manager (client) that sends all SNMP "get" requests to the devices. Since SNMPv3 is used, there are no community strings: the SNMPv3 user name, security level, authentication and privacy protocols and the corresponding passphrases must be identical on both sides, device and NMS, for communication to be established. Only the authPriv security level, with SHA-based authentication and AES privacy, should be used; SNMPv1/v2c access and the noAuthNoPriv and authNoPriv levels should be disabled on the switches. The pictures below show an example of the details to be entered when configuring the SNMP profile for each device.
Figure: SNMP configuration on SINEC NMS side
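The matching requirement above is easy to get wrong when dozens of switch profiles are entered by hand. The following is an added example, not SINEC NMS or switch code: it derives the SNMPv3 security level of a profile the way an agent does (from which protocols are configured), flags weak protocols, short or reused passphrases and leftover community strings, and then checks that the fields which must agree between manager and agent actually do. The profile dictionaries are constructed, their field names are assumptions chosen to mirror an SNMPv3 profile dialog, and the weak pair is shown beside an acceptable one.

```python
"""SNMPv3 profile audit for a manager/agent pair (SINEC NMS and a switch).

Added example, not SINEC NMS or switch code. Profiles are constructed and
the field names are assumptions; the passphrases are placeholders only.
"""
from typing import Dict, List, Optional

STRONG_AUTH = {"SHA", "SHA-224", "SHA-256", "SHA-384", "SHA-512"}
WEAK_AUTH = {"MD5"}
WEAK_PRIV = {"DES", "3DES"}


def security_level(p: Dict[str, Optional[str]]) -> str:
    """SNMPv3 derives the level from what is configured: no auth protocol means
    noAuthNoPriv, auth without priv means authNoPriv, both means authPriv."""
    if not p.get("auth_protocol"):
        return "noAuthNoPriv"
    if not p.get("priv_protocol"):
        return "authNoPriv"
    return "authPriv"


def check_profile(p: Dict[str, Optional[str]], min_passphrase: int = 12) -> List[str]:
    """Findings for one side's profile; an empty list means acceptable."""
    side = p["side"]
    findings = []
    level = security_level(p)
    if level != "authPriv":
        findings.append(f"{side}: security level {level}, authPriv required")
    if p.get("auth_protocol") in WEAK_AUTH:
        findings.append(f"{side}: weak authentication protocol {p['auth_protocol']}")
    if p.get("priv_protocol") in WEAK_PRIV:
        findings.append(f"{side}: weak privacy protocol {p['priv_protocol']}")
    for key in ("auth_passphrase", "priv_passphrase"):
        if p.get(key) is not None and len(p[key]) < min_passphrase:
            findings.append(f"{side}: {key} shorter than {min_passphrase} characters")
    if p.get("auth_passphrase") and p.get("auth_passphrase") == p.get("priv_passphrase"):
        findings.append(f"{side}: auth and priv passphrases are identical")
    if p.get("community"):
        findings.append(f"{side}: a community string is configured; SNMPv3 does not use one")
    return findings


def check_pair(nms: Dict[str, Optional[str]], device: Dict[str, Optional[str]]) -> List[str]:
    """Per-side findings plus every field that must be identical on both sides
    for an SNMPv3 message to authenticate and decrypt."""
    findings = check_profile(nms) + check_profile(device)
    for key in ("user", "auth_protocol", "priv_protocol", "auth_passphrase", "priv_passphrase"):
        if nms.get(key) != device.get(key):
            findings.append(f"mismatch in {key} between {nms['side']} and {device['side']}")
    return findings


# Constructed profiles (placeholder credentials, not real ones).
# Weak: MD5/DES, the same passphrase for both functions, a leftover community
# string on the NMS side, and no privacy protocol on the switch side.
BAD_NMS = {"side": "NMS", "user": "monitor", "auth_protocol": "MD5",
           "auth_passphrase": "snmpmon12345", "priv_protocol": "DES",
           "priv_passphrase": "snmpmon12345", "community": "public"}
BAD_SWITCH = {"side": "switch", "user": "monitor", "auth_protocol": "MD5",
              "auth_passphrase": "snmpmon12345", "priv_protocol": None,
              "priv_passphrase": None}
# Acceptable: authPriv with SHA-256/AES-128 and matching settings on both sides.
GOOD_NMS = {"side": "NMS", "user": "nms-ro", "auth_protocol": "SHA-256",
            "auth_passphrase": "Auth-Passphrase-Example-1", "priv_protocol": "AES-128",
            "priv_passphrase": "Priv-Passphrase-Example-2"}
GOOD_SWITCH = dict(GOOD_NMS, side="switch")


if __name__ == "__main__":
    for label, pair in (("weak", (BAD_NMS, BAD_SWITCH)), ("good", (GOOD_NMS, GOOD_SWITCH))):
        print(label, check_pair(*pair) or "no findings")
```

Run against a real deployment, the profile dictionaries would be filled from the NMS export and the switch configuration backups the NMS already keeps, which makes the mismatch check repeatable after every configuration change.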
15.1 INTRODUCTION
Virtualization is a method to divide the physical hardware resources of a computer into several logical (virtual) environments.
Virtualization decouples a computer's operating system and user software from its hardware and makes them available in the form of a virtual machine (VM).
On a real, physical computer (host system), several virtual machines can be implemented in isolation from each other. Isolation prevents conflicts due to software dependencies and provides the ability to start and stop virtual machines independently.
Furthermore, the physical computer (host system) can be upgraded without influencing or changing the virtual machines. There is no impact when migrating from one hardware platform to another, as long as the bare-metal hypervisor is the same.
15.2 TERMINOLOGY
Virtualization is associated with several key concepts, products and features. The actual project specifications can be found in section 16, Table 16-1.
Following the above table, the minimum requirements for the hardware are:
• Minimum 16 CPU cores
• Minimum 64 GB RAM
• Minimum 1.02 TB hard disk
HARDWARE DEPLOYMENT
Based on the required resources mentioned in section 3, Virtualization requirements, the hardware is selected to satisfy these requirements, considering enough spare capacity for backup verification and for emergency deployment of the backup machines.
The selected hypervisor hardware is a Dell PowerEdge server, or a similar model from another vendor on the approved ICS vendor list, with the specifications below.
Item | Specifications
PowerEdge R750xs, or similar models from other vendors with these specifications | • 3 x 1.2 TB SAS 12 Gbps 10k 512n 2.5in hot-plug hard drives in RAID 5 configuration
 | • 4 x 32 GB RDIMM, 3200 MT/s, dual rank, 16 Gb BASE x8
 | • 2 x Broadcom 5719 quad-port 1 GbE BASE-T adapter, PCIe low profile
 | • Dual hot-plug AC power supply
 | • Included: 5 x VM for Windows Server 2019 Standard Edition (LTSC)
Three 1.2 TB drives in RAID 5 give 2.4 TB usable and 4 x 32 GB gives 128 GB RAM, both above the minimums stated above.
Notes:
• The supplied host, as above, and the required configuration console are to be installed in the cyber security cabinet.
Requirements:
The following requirements must be met:
• The virtualization server is mounted and commissioned according to the manufacturer's
instructions.
• A monitor and a keyboard are connected to the virtualization server.
Procedure:
To configure the virtualization server, proceed as follows:
1. Switch the virtualization server on via the mains/standby switch. The start-up application of
the server is displayed.
Figure 5-1
2. Press the F2 key. The dialog for logging on to the virtualization server opens.
3. Enter the following login data:
▪ Login name: as detailed in the manufacturer's specification
▪ Password: password for the virtualization server as detailed in the manufacturer's specification
Figure 5-2
4. Press 'Enter'. The options for customizing the virtualization server system properties are displayed.
5. Navigate to the "Configure Password" entry and press the Enter key.
Figure 5-3
7. Enter a new password for the virtualization server in the "New Password" and "Confirm
Password" lines.
Figure 5-5
8. Press Enter to save the change. Note: use the <Esc> key to discard the changes and exit the dialog.
9. Navigate to the "Configure Management Network" entry and press Enter. The options for
changing the network settings are displayed.
10. Navigate to the "IP Configuration" entry and press Enter. The dialog box for changing the IP
address opens.
11. Enter the desired IP address.
Figure 5-6
13. Press Enter to save the change and confirm by pressing the Y key (default keyboard layout:
EN).
14. A summary of the settings is displayed under the entry "IP Configuration".
15. Press the <Esc> button to reach the initial dialog.
16. Press the <Esc> button again to log out of the system.
Figure 5-8
5. Select the devices for the datastore and name the new datastore datastore1.
7. The datastore is created.
Figure 5-12
Depending on the functionality of the target VM, the installation procedure may differ. In this project, ready-made VM images prepared by the host vendor will be utilized. The checksum of each vendor-supplied image and ISO shall be verified against the vendor-published value before it is uploaded to the datastore.
However, where required, the procedure below will be followed to create a fresh VM. For installation purposes, the ISO file for the Windows installation can be uploaded to the datastore from a remote computer as shown below.
Figure 5-13
Computer name: the new VM name, IP address and OS family are to be filled in as per 4253-AMPF-7-95-9466 Sht 001 - CYBER-DC and User management and 4253-AMPF-7-95-9461 Sht 001 - CYBER-Network.
12. Specify hard disk space, CPU and RAM as per the minimum requirements of the target VM.
Figure 5-18
13. The newly created VMs will appear under Virtual Machines as shown below.
Figure 5-19
14. Right-click the newly created VM and launch VMware Remote Console as shown below.
Note: the VMware Remote Console (VMRC) application must be downloaded and installed on the remote computer.
Figure 5-20
New standard switches are to be added to the ESXi host as per the network plan and configured:
Figure 16-22
The Physical adapters pane shows adapter details such as speed, duplex and MAC address settings. Although the speed and duplex settings are configurable, the best practice is to leave the settings at auto-negotiate.
The physical network cards are to be configured with the IP addresses detailed in 4253-AMPF-7-95-9461 Sht 001 - CYBER-Network.
Figure 16-23
Each virtual network card has its own MAC address and shall have its own IP address, as detailed in 4253-AMPF-7-95-9461 Sht 001 - CYBER-Network, and connects to the corresponding virtual network switch.
The ESXi host manages both the allocation of resources and the isolation of traffic meant for different virtual machines, even when they are connected to the same physical network card. That isolation relies on the port-group VLAN assignment: VMs belonging to different security zones shall be placed on port groups with distinct VLAN IDs, and the physical uplink shall be a trunk carrying only those VLANs.
The allocation of each VM NIC to the created virtual switches will be optimized during FAT for the best performance.
1. The remote console opens as shown below. Go to Virtual Machine Settings as shown below.
Figure 5-24
2. In the Virtual Machine Settings, browse and attach the ISO image for the Windows Server 2019 setup (or any other OS, depending on the target VM functionality) which was uploaded to datastore1 in the previous steps.
Figure 5-25
3. Power on the VM. The VM will boot from the ISO and start loading the pre-installation environment for Windows Server 2019.
Figure 5-26
Configure the network connection for the VM as per 4253-AMPF-7-95-9461 Sht 001 - CYBER-Network.
Figure 5-27
Figure 5-28
2. Open the machine either using the console or VNC and verify that the VMware Tools image is mounted in the DVD drive.
Figure 5-29
Figure 5-32
The rule below is required for the L4 WSUS server to communicate with the external network for downloading security updates and critical updates from the Microsoft Update sites (Microsoft Update Server) via the NGFW.
Table 4-4: L4 WSUS access rule
Access Rule | Action | Protocols | From | To
L4 WSUS access to Microsoft Update Server (Microsoft Update sites) | Allow | HTTP/HTTPS | IP address of WSUS server (L4) | Microsoft Update sites: http://windowsupdate.microsoft.com, http://*.windowsupdate.microsoft.com, https://*.windowsupdate.microsoft.com, http://*.update.microsoft.com, https://*.update.microsoft.com, http://*.windowsupdate.com, http://download.windowsupdate.com, http://download.microsoft.com, http://*.download.windowsupdate.com, http://test.stats.update.microsoft.com, http://ntservicepack.microsoft.com
Because these destinations are wildcard host names whose IP addresses change, the rule shall be expressed with the firewall's URL or FQDN objects (or the vendor's Microsoft Update application signature) rather than with static IP addresses.
Detailed information about configuring the group policy for the Windows Update service is provided in the document "SIMATIC Process Control System PCS 7 Compendium Part F - Industrial Security".
In addition, the following rules are required within a Siemens IT environment.
Table 4-5: general rules
Access Rule | Action | Protocols | From | To
NTP Time Synchronization (optional) | Allow | UDP/123 | IP address of L3 WSUS server | L2 NTP system
On the "Connect to Upstream Server" page click "Start Connecting". This starts the initial download of update information (available updates, products and languages, etc.). After some time the initial download is finished.
On the "Choose Languages" page select English.
On the "Choose Products" page all relevant Microsoft products shall be selected (Office, SQL Server, Windows).
On the "Choose Classifications" page select the update classifications that you want to obtain. According to Siemens, the following classifications have to be selected for a secure system:
Critical Updates
Definition Updates
Security Updates
Update Rollups
Updates
On the "Set Sync Schedule" page select the option "Synchronize automatically", a time for the "First synchronization" and the number of synchronizations (once per day).
Select the "Begin initial synchronization" check box on the "Finished" page.
Detailed additional information is provided here: Microsoft WSUS – Step 3: Configure WSUS.
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus
Downstream Server
Once the wizard starts, the steps below shall be followed for the L3 and L3.5 DMZ WSUS downstream servers.
Deselect the option to join the Microsoft Update Improvement Program.
On the "Choose Upstream Server" page choose the option "Synchronize from Another Windows Server Update Services". Then the domain name of the upstream server shall be used with port 8531. Port 8531 is the HTTPS port, so the "Use SSL when synchronizing update information" option must be selected as well, and the upstream server's certificate must be trusted by the downstream server; otherwise the connection test in the next step fails.
On the "Connect to Upstream Server" page click "Start Connecting". This starts the initial download of update information (available updates, products and languages, etc.). After some time the initial download is finished.
On the "Choose Languages" page select English.
On the "Choose Products" page all relevant Microsoft products shall be selected (Office, SQL Server, Windows).
On the "Choose Classifications" page select the update classifications that you want to obtain. According to Siemens, the following classifications have to be selected for a secure system:
Critical Updates
Definition Updates
Security Updates
Update Rollups
Updates
On the "Set Sync Schedule" page select the option "Synchronize automatically", a time for the "First synchronization" and the number of synchronizations (once per day).
Select the "Begin initial synchronization" check box on the "Finished" page.
Detailed additional information is provided here: Microsoft WSUS – Step 3: Configure WSUS.
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus
Additional policies are followed as per the Siemens manual "SIMATIC Process Control System PCS 7 Compendium Part F - Industrial Security", chapter 8.2.3.
21.3 PATCH MANAGEMENT PROCEDURE AND STRATEGY FOR RELEASING AND INSTALLING MICROSOFT SECURITY UPDATES
The procedure for releasing the updates to the clients shall follow the steps below.
• Select all available and not yet approved updates. Next, deselect only the updates that are incompatible with SIMATIC PCS 7 according to the Excel table above. Release the selected updates for installation in the created groups. Proceed group by group to ensure the availability and operability of the system.
• Exclude all patches other than "Security Updates" and "Critical Updates" from the approval for the systems; the other synchronized classifications remain unapproved.
• Log on to the systems connected to the WSUS with an administrator account. The systems are configured to receive the updates from the WSUS.
• To do so, use the function that can be accessed via "Notification icon > All settings > Update and Security" and initiate the search for available updates there.
• Make sure that SIMATIC PCS 7 Runtime is stopped for Redundant Servers GRP1.
System Backup
System backup refers to a complete system image, i.e. a snapshot of the current system, usually called the OS drive image. The data included is as follows:
o Hardware-specific files (drivers)
o Windows operating system files and settings
o Installed programs and their configurations
o Host devices (hardware-specific files (drivers), Windows operating system files and settings, installed programs and their configurations)
o Virtual machines
Following the cybersecurity guidelines and the implementation of application whitelisting, the OS and the related installation will remain the same during the life cycle of the project. The OS installation may change only as a result of system updates delivered through WSUS.
Apart from the first full backup, it is recommended to take a verified OS backup only before and after any update.
All system backups including the OS, apart from the first full backup, shall be taken as part of the scheduled full and differential backups.
Backup Types
There are different types of backup used in industrial environments:
• Full Backup: The most basic and complete type of backup operation is a full backup. As the name implies, this type of backup makes a copy of all data to a storage device, such as a disk or tape. The primary advantage of performing a full backup in every operation is that a complete copy of all data is available on a single set of media. This results in a minimal time to restore data, a metric known as the recovery time objective. The disadvantages are that a full backup takes longer to perform than the other types and requires more storage space.
• Incremental Backup: An incremental backup operation copies only the data that has changed since the last backup operation of any type. It typically uses the modified time stamp on files and compares it with the time stamp of the last backup. Backup applications track and record the date and time at which backup operations occur in order to track the files modified since those operations.
Because an incremental backup copies only the data changed since the last backup of any type, an organization may run it as often as desired, with only the most recent changes stored. The benefit of an incremental backup is that it copies a smaller amount of data than a full backup. The disadvantage is that a restore needs the last full backup plus every incremental backup since; if one of these incremental backups is corrupted, the chain is broken at that point and recovery is only possible up to the last intact backup before it.
• Differential Backup: A differential backup operation is similar to the incremental one in that it copies all data changed since the previous backup. However, each subsequent run continues to copy all data changed since the previous full backup. It therefore stores more backed-up data than an incremental backup on subsequent operations, although typically far less than a full backup, and a restore needs only the last full backup and the latest differential. The differential backup is recommended in industrial environments since it is reliable and efficient. The figure below illustrates the process of the differential backup compared to the other types.
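The trade-off described above (storage against the number of backup sets a restore depends on) can be made concrete with a small model. The following is an added example, not Acronis code: it plans a full, an incremental and a differential chain over a week of constructed daily change volumes starting from a 5 TB initial image, simulates one corrupted backup set, and reports which days each strategy can still restore and how much storage each consumed. The change volumes and the corrupted day are assumptions.

```python
"""Restore-dependency and storage comparison for full, incremental and
differential backup chains.

Added example, not Acronis code. Day 0 is a full backup of full_gb; the
daily change volumes are constructed figures.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class BackupSet:
    day: int
    kind: str          # "full", "incremental" or "differential"
    size_gb: float
    intact: bool = True


def plan(kind: str, full_gb: float, daily_change_gb: List[float]) -> List[BackupSet]:
    """Day 0 is always a full backup; later days use 'kind'. An incremental
    stores the change since the previous backup, a differential stores every
    change since the last full, so its size grows until the next full."""
    if kind not in ("full", "incremental", "differential"):
        raise ValueError(kind)
    sets = [BackupSet(0, "full", full_gb)]
    since_full = 0.0
    for day, change in enumerate(daily_change_gb, start=1):
        since_full += change
        if kind == "full":
            sets.append(BackupSet(day, "full", full_gb))
        elif kind == "incremental":
            sets.append(BackupSet(day, "incremental", change))
        else:
            sets.append(BackupSet(day, "differential", since_full))
    return sets


def restore_chain(sets: List[BackupSet], day: int) -> List[BackupSet]:
    """Every backup set that must be readable to restore the state of 'day'."""
    target = next(s for s in sets if s.day == day)
    if target.kind == "full":
        return [target]
    last_full = max((s for s in sets if s.kind == "full" and s.day <= day), key=lambda s: s.day)
    if target.kind == "differential":
        return [last_full, target]
    # incremental: the full plus every incremental up to and including the target
    return [s for s in sets if last_full.day <= s.day <= day]


def restorable_days(sets: List[BackupSet]) -> Set[int]:
    """Days whose whole restore chain is intact."""
    return {s.day for s in sets if all(d.intact for d in restore_chain(sets, s.day))}


def total_storage_gb(sets: List[BackupSet]) -> float:
    return round(sum(s.size_gb for s in sets), 1)


def compare(corrupt_day: int = 3) -> Dict[str, Dict[str, object]]:
    """Run all three strategies over the same constructed week, corrupt the
    set taken on 'corrupt_day' in each, and report storage and restorability."""
    full_gb = 5000.0                                   # 5 TB initial image
    changes = [40.0, 60.0, 20.0, 80.0, 50.0, 30.0, 70.0]  # constructed daily change, GB
    result = {}
    for kind in ("full", "incremental", "differential"):
        sets = plan(kind, full_gb, changes)
        sets[corrupt_day].intact = False
        result[kind] = {"storage_gb": total_storage_gb(sets),
                        "restorable_days": sorted(restorable_days(sets))}
    return result


if __name__ == "__main__":
    for kind, info in compare().items():
        print(f"{kind:13s} storage={info['storage_gb']:>8} GB  restorable days={info['restorable_days']}")
```

With day 3 corrupted, the incremental chain loses every day from 3 onwards, while the differential chain loses only day 3 itself at roughly a fifth more storage than the incremental plan and a small fraction of the full-every-day plan; that is the reliability argument behind the recommendation above.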
The backup schedule shall be as per the table below. However, any changes on site shall be reflected
in the As-built documents.
• Differential back-up: Once the first backup is done and stored on the NAS, a differential back-
up of the machines shall be taken on a monthly basis. The same is detailed in the table below.
• Full back-up: A full back-up of the automation machines shall be captured every 3 months,
since this is a backup of the automation systems and not of the online archives. In other words,
these systems are expected to have a minimal change of approximately 5% per month. On
the other hand, the online data and archives shall be backed up on the historian server.
Project: NA
A differential backup shall be taken on a monthly basis.

Criteria                                    Value
Incremental Backup Everyday                 Yes
Full Backup every X days                    60 days
Days to keep full backups                   130 days
Days to keep incremental backups            7 days

Recommended Hardware (Storage)
Initial backup size                         5 TB
Total data size between full backups        21 TB
Total backup size                           26 TB

Item                                        Specifications
External hard disk                          1 x 6 TB hard disk
Each machine included in the above list shall be equipped with an Acronis agent, which performs backup
and restore operations. When a backup or restore operation is requested, the Management Console
wakes the previously deployed Backup Agent. While executing the requested operation, the agent
periodically sends messages to the Management Service to back up or recover the machine.
Depending on the OS (Windows Server or Windows 10) and the installed databases, a different type
of Acronis agent will be required. The licenses shall cover all supplied VMs, IPCs and the PI server,
as per the table below.
Table 2322-32: Acronis agent licenses
Sr Equipment Name Operating system Acronis agent
1. WS-6502-03 L2- Windows 2019 Acronis Cyber agent – Server
ELICS-EWS-1L2- ServerWindows 10 ClientAcronis Cyber agent – Windows
DCS-EWS-1 Client
2. WS-6007-02 L2- Windows 10 Acronis Cyber agent – Windows Client
ELICS-EWS-2L2-DCS-
OWSC-1
3. WS-6052-01 L2- Windows 10 Acronis Cyber agent – Windows Client
ELICS-EWS-3L2-DCS-
OWSC-2
4. WS-6502-01 L2- Windows 10 Acronis Cyber agent – Windows Client
ELICS-OWS-1L2-DCS-
OWSC-3
5. WS-6502-02 L2- Windows 10 Acronis Cyber agent – Windows Client
ELICS-OWS-2L3-DCS-
ALR-1
6. WS-6007-01 Windows 10 Acronis Cyber agent – Windows Client
7. SRV-6502-01A L2- Windows 2019 Acronis Cyber agent – Server Client
ELICS-SVR-1L3-DCS- ServerWindows 10 Acronis Cyber agent – Windows Client
OPC-1
8. SRV-6502-01B L2- Windows 2019 Acronis Cyber agent – Server Client
ELICS-SVR-2L2-ESD- ServerWindows 10 Acronis Cyber agent – Windows Client
EWS-1
Any machine with an SQL database requires an Acronis server-based license, and hence all single
stations shall have an Acronis server license. Accordingly, the total number of software licenses utilized
as part of this project is detailed in the table below.
Table 2322-34: Backup software licenses
Item Qty
Acronis Cyber Backup Advanced Management Console 1
Acronis Cyber agent - Server machine 11738
Acronis Cyber agent – Windows Client machine 659
Acronis Cyber agent – Hypervisor (covering all hosted VMs) 1
1 Remote Station is installed & located in Onshore Level 4, which is provided and managed by QatarGas.
All backups shall be managed / performed by the QatarGas team.
Legend
YY Year
MM Month
HH Hour
OS Operating System
PID Project ID (Name)
ZN Zone Name
Comp Component name
DT {System, Project, Config}
Further, it is important to highlight that all backup activities need to be documented. This is done
in a corresponding log file that is kept with the backup files, with a record for each backup file.
The log shall be handled by the log collector.
Figure: Recovery flow. HW spare unit available? Yes: replace the defective unit with the new one, restore the latest image, restore the latest application / config data, system restored. No: rebuild a new unit (use a new HDD), then restore the latest image and application / config data, system restored.
It is important to note that the recovery of an operating system requires a reboot. The machine can
optionally be restarted automatically, or be assigned the "interaction required" status; after the
restart the operating system comes back online automatically. The steps below illustrate the
recovery of a physical machine:
1. Select the backed-up machine.
2. Click Recovery.
3. Select a recovery point. Note that recovery points are filtered by location. If the machine is
offline, the recovery points are not displayed. Do any of the following:
• If the backup location is cloud or shared storage (i.e. other agents can access it), click
Select machine, select a target machine that is online, and then select a recovery point.
• Select a recovery point on the Backups tab.
• Recover the machine as described in "Recovering disks by using bootable media".
The software automatically maps the disks from the backup to the disks of the target machine. To
recover to another physical machine, click Target machine, and then select a target machine that is
online.
4. If you are unsatisfied with the mapping result or if the disk mapping fails, click Disk mapping
to re-map the disks manually.
The mapping section also enables you to choose individual disks or volumes for recovery. You can
switch between recovering disks and volumes by using the Switch to... link in the top-right corner.
The backup server shall be integrated with the domain controller for user management and
privileges. Each DC user can be assigned to one of the below groups:
• Regular users
o A regular user, such as a member of the Users group, has the following
management rights:
o Perform file-level backup and recovery of the files that the user has permissions to
access but without using a file-level backup snapshot.
o Create backup plans and tasks and manage them.
o View but not manage backup plans and tasks created by other users.
o View the local event log.
• Backup Operators
o This group has the following management rights:
o Perform file-level backup and recovery of any data
o Back up and recover the entire machine
o Create backup plans and tasks and manage them.
o View the local event log.
• Administrative users
o In addition to the above-mentioned privileges, a user who has administrative
privileges on the machine, such as a member of the Administrators can
o View and manage backup plans and tasks owned by any user on the machine.
All password details, and the users who should have access to this system, shall be added to the
related user groups in the domain. Details can be found in the following document:
• 4253-AMPF-7-95-9466 Sht 001 - CYBER-DC and User management.
As of SIMATIC PCS 7 V9.1, it is recommended to use the Microsoft Defender Antivirus software integrated in
the standard Microsoft operating system. In terms of quality and above all security, it is comparable with the
current third-party products available on the market.
Benefits
• Integrated antivirus solution provided with Microsoft operating system.
No additional licenses required.
• Continuous antivirus protection based on Microsoft Defender Antivirus.
• Automatic download of Microsoft Defender Antivirus definition updates via Windows Server
Update Services (WSUS).
WSUS already used for operating system updates.
• Reduced hardware footprint and maintenance costs:
o No additional management or update server for antivirus software required.
o Existing WSUS used for Microsoft Defender Antivirus updates.
o Reduced effort for firewall configuration.
Costs
There are no additional costs associated with using Microsoft Defender Antivirus. There are no costs for
third-party licenses or the provision of an additional antivirus management or update server.
Compatibility
As of SIMATIC PCS 7 V9.1, only compatibility with Microsoft Defender Antivirus is checked and ensured by
default.
Compatibility statements already made for SIMATIC PCS 7 versions prior to V9.1 are not affected by the
change.
The compatibility of antivirus software with SIMATIC PCS 7 can be found in the Compatibility Tool.
When using alternative third-party Endpoint Protection products with SIMATIC PCS 7, we recommend that
you observe the generic notes (SIMATIC PCS 7 Administration of Virus Scanners 109760461) and test the
software for compatibility in an adequate customer test environment before productive use.
In order to guarantee the usual support from Siemens when using Endpoint Protection products in the event
of a support case, we recommend supplementing the project-specific installation with an individual Managed
System Service (MSS). Within the scope of this service, which is subject to a charge, your dedicated support
manager, who is familiar with the system-specific features, can provide you with even better support in the
operation of your system. For more information, please visit the following entry: 109810527.
Updates
Updates for Microsoft Defender Antivirus are provided via the same mechanism (WSUS) as for Microsoft
Updates. The security-relevant events generated by Microsoft Defender Antivirus are available via the
SIMATIC Management Console.
The utilization of whitelisting technologies in a process control system is only effective when they
are part of a comprehensive security concept. The sole use of whitelisting technologies cannot
comprehensively protect a process control system against malware attacks.
As a matter of principle, we therefore recommend adhering to the Security Concept PCS 7 / WinCC
and PCS 7 Compendium Part F, which are available on the Internet via the following link:
http://support.automation.siemens.com
Whitelisting in conjunction with the above referenced security concept is an additional security
measure (additional layer of defense) in order to counteract the increasing risk of attacks. In
principle, the whitelisting approach is based on a mistrust of all applications except those that have
been tested and classified as trustworthy. This means, a positive list is maintained (whitelist). This
positive list contains the applications that have been classified as harmless and that can safely be
run on the computer system. The principle of whitelisting is the exact opposite of blacklisting, which
works with a list of "non-trustworthy" applications (negative list = blacklist). An example of
blacklisting is a conventional virus scanner, which works with a blacklist, the virus patterns. Since
the number of "non-trustworthy" applications increases constantly, this blacklist must be adjusted
on a regular basis. This means for example that the current blacklist (virus patterns) must be
available for the virus scanner at all times. The virus scanner can only recognize applications as
malware when they are listed on this blacklist. Since whitelisting works with a positive list, a
constant adaptation to new threats in the form of malware is not necessary. This minimizes the
administration and updating expense.
Application Control v8.2.x is installed on the same Windows Server-based machine as the ePO
server. Application Control (AC) offers a different approach to host security than traditional
HIDS/HIPS, anti-virus and other "blacklist" technologies. A "blacklist" solution compares the
monitored object to a list of what is known to be bad. This presents two issues:
• First, the blacklist must be continuously updated as new threats are discovered.
• Second, certain attacks, such as zero-days or known attacks for which no signature is
available yet, can be neither detected nor blocked.
A "whitelist" solution creates a list of what is known to be good and applies very simple logic: if it is
not on the list, block it. AC solutions apply this logic to the applications and files located on a host.
As a result, if a virus or Trojan successfully penetrates the control system's perimeter defenses
and finds its way onto a target system, the host itself will prevent that malware from executing,
rendering it inoperable. In addition, it can also be used to prevent the installation of unauthorized
files on the file system. This becomes important for providing defenses against exploits that may
initially run entirely in memory and are difficult to detect until they place files locally.
For this project, McAfee Application Control has been selected to provide application whitelisting
and shall be managed by the ePO server. This solution has been tested with SIMATIC PCS 7
systems and is fully compatible and authorized to be installed in this environment.
The total number of software licenses utilized as part of this project is detailed in below table.
Table 2928-3: Software licenses
Item Description Qty
As mentioned earlier, the upstream L4 ePO server shall get all the updates from the McAfee website
as its main repository. As for the L3.5 common DMZ downstream server, it shall receive all the
signature updates from the L4 ePO server. Similarly, the L3 ePO server shall receive the signature
updates from the common DMZ L3.5 ePO server as its main repository.
The first step of the software installation is to install and configure the central management console
(ePO). The installation for the three deployments (Layer 4, Layer 3.5 and Layer 3) shall be the
same; however, the configuration of the repositories shall differ. The agents, which are responsible
for whitelisting and protecting the individual client systems, are then distributed. This section shows
how the console shall be installed and configured.
To install the ePO software, Siemens will follow all the required steps detailed in the manual below.
https://docs.mcafee.com/bundle/epolicy-orchestrator-5.10.0-installation-guide/page/GUID-8ABD4104-28BF-4CF9-B4B7-D4D71A530822.html
The username and password shall be integrated with the domain and detailed in the 4253-AMPF-7-95-9466 Sht 001 - CYBER-DC and User management document.
Then, select the desired language and log in with the previously created user account.
Switch to the Software Manager and click ‘Refresh’ to establish synchronization with the McAfee database to be able to
obtain available updates for the McAfee agents. An internet connection is required for this step.
Figure 33-2: Software manager
Check the available updates for McAfee Agent 5.6.1. Then, update the components "ePO Agent Key Updater" and
"Install - Windows" by clicking the "Update" button for each. If the plant has systems with operating systems other
than Windows, the corresponding install components must also be updated. Pay attention to the respective versions,
identified by the "minor version" number.
In the window that follows, select the option "Move existing packages in the 'Current' branch to the 'Previous' branch".
Check whether the desired component has been selected and confirm by clicking on the "OK" button.
Note: Ensure that you do not use components marked "Embedded" for the update procedure.
58.2.1.4 The updated versions of the ePO Agent Key Updater and the respective Installation components should now be listed in the displayed window. These must be assigned to the "Current" branch. Again pay special attention to the minor version. Click the "Check-In Package" button to continue.
58.2.1.5 In the dialog window that appears, select the option "Product or Update (.ZIP)" as package type and specify the current path of the Solidcore agent via the "Browse..." button (here: "SOLIDCOR613-432_WIN"). Click "Next" to continue.
58.2.1.6 In the package options that now appear, you get a brief overview of the selected package. If the correct name, version, type and language are listed, select "Current" as the branch and continue with the check-in. Ensure that the package is signed, which is also displayed in this window.
58.2.1.7 Finally, confirm the settings by clicking on the "Save" button and check whether the agent is now listed under the packages in the master repository.
Installing Extensions
After the ePO console has been set up, Application Control, which is used to control and manage the set-up
client systems later on, must be configured. This configuration is also done via the Layer 2.5 ePO server.
After the agents have been integrated in the ePO, the Solidcore extensions must now be installed to be able
to work with the just installed agents.
After the ePO console has been set up, Application Control, which is used to control and manage the set-up
client systems later on, must be configured in the following step. This configuration is also done via the
Layer 3 ePO server.
Entering Licenses
Then enter the license key for the procured McAfee products, which is shared by the SIEMENS team. Use the
key of the type "Solidcore Extension". Then click Save to confirm your input.
ENS Installation
Similarly, the ENS packages need to be checked in to the Layer 4 ePO server by following the steps below.
2) Click next, and select “selected packages” which were installed earlier.
Repository Synchronization
First, the Public Keys from the Layer 4 ePO server must be imported into the Layer 3.5 ePO server as
follows:
1) Log on to the Layer 3.5 ePO console.
2) Click Menu, Configuration, Server Settings.
3) Select Security Keys in the Setting Categories list, and then click Edit.
4) Next to Import and back up keys, click Import.
5) Browse to the location where you saved the exported .zip files, select the .zip file, and then
click Next.
6) Verify it is the appropriate Master Repository Public Key, and then click Save.
7) If you exported more than one key from ePO-A, repeat these steps for the remaining key.
8) Confirm that you can see Layer 4 ePO’s Public Keys listed in the Other repository public
keys section.
After that, a pull task shall be created to pull the updates from the distributed repositories.
1) In Layer 3.5 ePO console, click Menu, Automation, Server Tasks.
2) Click New Task, name the task, keep the Schedule status as Enabled, and then click Next.
3) Select Repository Pull from the Action drop-down list.
4) Select Layer 3.5 ePO as the Source Site, and select the packages you want to update from
the Available Source Site Packages. Click OK, and then click Next.
5) Schedule the task, and then click Next.
6) Verify that the settings are correct, and then click Save.
5) In the next window, you see all tags that can be imported.
6) Click "OK" to finish the import.
2) Create a new task under the client task type "McAfee Agent" by clicking on the "New Task" button.
Figure 33-58: New client task
3) In the selection menu for the task types, select "Product Deployment" and switch to the next page
via the "OK" button.
4) Select a unique task name, the required target platform and the product to be deployed. Finally,
confirm the configurations by clicking the "Save" button. The following settings must be made for
this task.
5) Task name: "10 MFE Agent install" (can be selected as required)
6) Target platforms: "Windows
9) Select the global group "My Organization" here and click "Next" to continue.
10) In the dialog window that follows, select the two options "Unblocked (allow breaking inheritance
below this point)" and "Send this task to all computers". Click "Next" to continue.
Figure 33-710: Client task schedule
11) Now set the schedule for the created tasks by selecting the option "Disabled" for the Schedule
status and the option "Run immediately" for the Schedule type. Close the configuration by clicking
the "Save" button.
12) Repeat steps 1 to 8 for the product deployment of the below package:
“Task_Catalog.xml".
all of the systems are sorted is selected. Several properties can be linked to another via "and" or
"or" logic operations.
5) In the next "Evaluation" dialog window, select for "Evaluate each system against the tag’s criteria"
the option "On each agent-server communication and when a "Run tag criteria" action is taken".
6) In the "Preview" dialog window, now for "Apply tag", select the option "Now apply the tag to all x
system(s) that satisfy the tag criteria". (if no system were created yet, the corresponding option
will be greyed out).
7) Confirm your entries with the "Save" button
The rules which in turn influence the behaviour of the system must now be created and are
summarized with the corresponding policies. Proceed as follows to create them:
1) Navigate to Menu > Policy > Policy Catalog.
2) In the window that appears, select McAfee Agent as the product.
Figure 33-912: Deployed McAfee agent
3) Click on the link "My Default", which is assigned with the category "General" and then change the
two following options:
• Policy enforcement interval: 720 minutes
• Agent-to-server communication interval: 1440 minutes
4) Close the configuration by clicking the "Save" button.
5) Choose "Solidcore: Application Control" as product.
6) Duplicate the existing "Blank Template" via the "Duplicate" button and select a suitable name for
the policy Catalog in the following dialog box. It is recommended that you create a Catalog, which
contains all of the rules needed and carried out by Siemens. In this case: "Siemens Basis".
7) Now, click on the link of the just created guideline and add the following Rule Groups via the
"Add" button. The selection made here will later be released to the clients as so-called Updaters.
This means that these applications can change themselves and other applications. For problem-
free operation of the clients, it is recommended that you define the following updaters:
• McAfee
• McAfee Publisher
• My SQL Server (if used)
• Windows AD Server
• Windows Defender
• Windows Update
8) Finish the configuration by clicking on the "Save" button
9) Then switch to Menu > Policy > Policy Assignments.
10) On the left half of the window, select the organizational group to which the just created rules
shall be applied. Starting with "My organization", the set policy is inherited downwards, but the
inheritance can be interrupted. On the right half of the window, select "Solidcore Application Control" as
the product and click on the "Edit assignments" button for "Application control rules (Windows)".
11) For "Inherit from", select the option "Break inheritance and assign the policy and settings below".
Select the previously created policy as the "Assigned guideline" and then select the option
"Unblocked (allow breaking inheritance below this point)" at "Local policy inheritance".
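The positive-list principle explained in the whitelisting section above, together with the updater rule groups from step 7 (applications allowed to change themselves and others), as an added Python model. This is not McAfee Application Control code; the binaries, paths, signature pattern and process names are constructed:

```python
"""Positive-list (whitelist) enforcement with trusted updaters versus a
signature blacklist.  Added illustration, not McAfee Application Control
code; binaries, paths, signature and process names are constructed."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Blacklist:
    """Conventional virus-scanner logic: flag content matching a known pattern.
    Content without a pattern (a zero-day) passes unnoticed."""

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]

    def detects(self, data: bytes) -> bool:
        return any(p in data for p in self.patterns)


class ApplicationControl:
    """Allow-list logic: only binaries inventoried at solidification time may
    run.  Processes in the updater set may add or modify files and what they
    write is inventoried; every other write is refused."""

    def __init__(self, inventory: dict, updaters):
        self.disk = dict(inventory)                      # path -> contents
        self.allowed = {sha256(d) for d in inventory.values()}
        self.updaters = set(updaters)
        self.events = []                                 # audit trail

    def may_execute(self, path: str) -> bool:
        data = self.disk.get(path)
        ok = data is not None and sha256(data) in self.allowed
        self.events.append(("execute", path, "allowed" if ok else "blocked"))
        return ok

    def write_file(self, writer: str, path: str, data: bytes) -> bool:
        if writer not in self.updaters:
            self.events.append(("write", path, f"blocked for {writer}"))
            return False
        self.disk[path] = data
        self.allowed.add(sha256(data))
        self.events.append(("write", path, f"allowed via updater {writer}"))
        return True


def demo():
    runtime = r"C:\plant\os_runtime.exe"          # constructed path
    dropper = r"C:\plant\temp\unknown.exe"         # constructed path
    inventory = {runtime: b"MZ constructed OS runtime build 1",
                 r"C:\plant\hmi.dll": b"MZ constructed HMI library"}
    known_bad = b"CONSTRUCTED-KNOWN-MALWARE-PATTERN"
    zero_day = b"MZ constructed sample with no signature yet"

    av = Blacklist([known_bad])
    ac = ApplicationControl(inventory, updaters={"Windows Update", "McAfee"})

    results = {
        "known_bad_blacklist": av.detects(known_bad + b" payload"),
        "zero_day_blacklist": av.detects(zero_day),
        "runtime_runs_before_patch": ac.may_execute(runtime),
        # a process outside the updater list tries to place the sample: refused
        "unauthorized_write": ac.write_file("unlisted_process", dropper, zero_day),
    }
    # assume the sample reaches the disk by another route (the text's "finds its
    # way onto a target system"); it is still not on the positive list
    ac.disk[dropper] = zero_day
    results["zero_day_allowlisted_run"] = ac.may_execute(dropper)
    # a trusted updater patches the runtime; the new hash is inventoried
    ac.write_file("Windows Update", runtime, b"MZ constructed OS runtime build 2")
    results["runtime_runs_after_patch"] = ac.may_execute(runtime)
    return results, ac.events


if __name__ == "__main__":
    summary, trail = demo()
    print(summary)
    for event in trail:
        print(*event)
```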
4) Select "Enable scanning of scripts" and, under Scripts scan exclusions, add the following process
"bfmappersrvx.exe".
5) In the tab "Blocking", deactivate the option "Block the connection when a file with a potentially
unwanted program is detected in a shared folder".
6) In the tab "Messages", deactivate all options.
Figure 5-15: Creating new policy
7) Save the settings and ensure that the settings have been made for both the servers and
workstations.
4) Now assign the task to your organization group and confirm with OK.
5) The next window can be confirmed with "Next".
6) Now disable the schedule status and select "Run immediately" as the schedule type.
Figure 5-18: Client task assignment
We recommend scheduling on-demand scans at regular intervals, with the interval based on the
system type.
12. SRV-6502-03B L2-ELICS-SVR-6 X
13. SRV-6502-04A L2-ELICS-SVR-7 X
14. SRV-6502-04B L2-ELICS-SVR-8 X
15. HS-6502-01 L2-ELICS-PH-1 X
16. HS-6502-02 L2-ELICS-PH-2 X
17. NMS-6007-01 L25-CYB-NMS-1 X
18. VSRV-6007-01 L25-CYB-WSUS-1 X
19. VRV-6007-02 L25-CYB-SMC-1 X
20. BKP-6007-01 L25-CYB-BUSVR-1 X
21. EPO-6007-01 L25-CYB-EPO-1 X
22. PDC-6007-01 L25-CYB-DC-1 X
23. SDC-6007-01 L25-CYB-DC-2 X
24. POC-6007-01 L25-CYB-OPC-1 X
25. SOC-6007-01 L25-CYB-PCC-2 X
Sr Equipment Name Week 1 Week 2 Week 3 Week 4
2. L2-DCS-EWS-1 x
3. L2-DCS-OWSC-1 X
4. L2-DCS-OWSC-2 X
5. L2-DCS-OWSC-3 X
6. L3-DCS-ALR-1 X
7. L3-DCS-OPC-1 X
8. L2-ESD-EWS-1 X
9. L2-IPCMS-OWS-1 X
10. L2-IPCMS-EWS-1 X
11. L2-HVAC-OWS-1 X
12. L2-DCS-OWSS-1 X
13. L2-DCS-OWSS-2 X
14. L3-DCS-PH-1 X
15. L3-CYB-WSUS-1 X
16. L3-CYB-NMS-1 X
17. L3-CYB-BUP-1 X
18. L3-CYB-TS-1 X
19. L3-CYB-EPO-1 x
20. L3-CYB-DC-1 x
21. L3-CYB-DC-2 X
22. L3.5-CYB-PI-1 X
23. Other Windows servers in QatarGas Platform in Level 3.5 X
24. Remote Station X
25. Thin client 1 X
26. Thin client 2 X
On-Access Scans
When files, folders, and programs are accessed, the on-access scanner intercepts the operation and
scans the item based on criteria defined in the settings. Scanning some types of files can negatively
affect system performance. For this reason, the options below shall be deselected in the What to
Scan section of the On-Access Scan settings.
• On network drives
Scans resources on mapped network drives.
• Opened for backups
Scans files when accessed by backup software.
• Compressed archive files
Examines the contents of archive (compressed) files, including .jar files.
Even if an archive contains infected files, the files can't infect the system until the archive is
extracted. Once the archive is extracted, the On-Access Scan examines the files and detects
any malware.
Integrating Clients
Both ENS and AC clients shall be integrated and configured in the Layer 3 ePO server. To do so,
we recommend first gathering information about the client systems to be integrated. This should
be available in text or table (.csv) format and include the following information:
• Hostname of the client (including IP address, if available)
• Windows version including Service Pack
• Users with administrator rights on the client
• User password (possibly not in writing)
Following that, SIEMENS shall follow the same steps detailed in “Whitelisting and Antivirus ENS in
PCS7” manual section 7 which is attached to this document as Appendix-B.
Figure 3029-2
Notes:
• A dashed line begins at a component: Components with orange dashed lines leading
away from them are time masters in this network.
• An arrow points to a component: Components to which an arrow is pointing are time
slaves in this network. (Exception: (M) on a component)
• (M) at a component next to a bus system: An (M) at a component next to a bus system
marks this component as a cooperative time master for this bus system.
The DTS 4138S Timeserver selected here is an NTP time server for use in industrial environments,
as per the company's approved vendor list. It shall be synchronized by the GPS 4500 antenna
and act as the NTP server in the network for the Domain Controllers. The DCs shall then synchronize
all IPCs and VMs. The AS shall be synchronized directly by the SICLOCK through the plant bus.
In addition, it shall be used as a master clock for NTP slave clocks, synchronized via multicast with
NTP and a time zone table. As a "main" master clock, the DTS 4138S can synchronize further master
clocks or other equipment by synthetic DCF. The DTS 4138S can send e-mails as well as SNMP
traps; via SNMP, configuration and system status can be requested and the DTS 4138S can be
operated. To maintain a redundant time source, two DTS 4138S units shall be linked by an optical link
as shown above.
The DTS NTP time server shall synchronize the Domain Controller through the NTP service, and
accordingly the DC shall synchronize the OS ELICS servers and workstations.
All VMs shall be synchronized with the DC as their NTP server, considering that all virtual machines
are within the domain.
All AS ELICS RTUs and PLCs will be synchronized with the NTP server directly.
3. Expand "W32Time", click on "parameters" and then change the settings as shown below.
Figure 36-3: Parameters list
60.3 PARAMETER ASSIGNMENT FOR AN OS SERVER IN A WINDOWS DOMAIN
The OS server synchronization procedure with basic configuration shall be followed as per Appendix
1 - “Process control system PCS 7- Time Synchronization (V9.1)” – section 6.3.4.1
VENDOR shall have a documented policy that requires the maintenance of an asset inventory of
all ICS components. It shall include equipment supplied by the principal or sub-contractor. For
each ICS component, the following typical information shall be documented (for Asset Inventory
manufacturer):

Facility                        NFE
SYSTEM                          DCS
Device Function                 Operator Console
MANUFACTURER                    DELL
VENDOR                          Supplied by
S/N:
L2 Primary IP address
L2 Primary IP Subnet
L2 Primary IP Gateway (1st)
L2 Primary IP Gateway (2nd)
KVM IP address
Remarks
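A consistency check over inventory records with the fields listed above, as an added Python example (not part of the project documentation); the CSV rows, serial numbers and RFC 5737 test addresses are constructed:

```python
"""Checks for per-component asset-inventory records.  Added example, not
project code; rows, serial numbers and addresses (RFC 5737 documentation
ranges) are constructed."""
import csv
import io
import ipaddress

MANDATORY = ("Facility", "SYSTEM", "Device Function", "MANUFACTURER", "S/N",
             "L2 Primary IP address", "L2 Primary IP Subnet",
             "L2 Primary IP Gateway (1st)")
GATEWAYS = ("L2 Primary IP Gateway (1st)", "L2 Primary IP Gateway (2nd)")
UNIQUE = ("S/N", "L2 Primary IP address", "KVM IP address")

# Constructed sample: row 3 points its gateway outside its own subnet and
# repeats the serial number of row 1.
SAMPLE_CSV = """\
Facility,SYSTEM,Device Function,MANUFACTURER,VENDOR,S/N,L2 Primary IP address,L2 Primary IP Subnet,L2 Primary IP Gateway (1st),L2 Primary IP Gateway (2nd),KVM IP address,Remarks
NFE,DCS,Operator Console,DELL,Supplied by VENDOR,SN-EXAMPLE-0001,192.0.2.21,255.255.255.0,192.0.2.1,192.0.2.2,192.0.2.121,
NFE,DCS,Engineering Station,DELL,Supplied by VENDOR,SN-EXAMPLE-0002,192.0.2.22,24,192.0.2.1,192.0.2.2,,subnet given as prefix length
NFE,ESD,Operator Console,DELL,Supplied by VENDOR,SN-EXAMPLE-0001,192.0.2.23,255.255.255.0,198.51.100.1,,,
"""


def _get(rec, col):
    return (rec.get(col) or "").strip()


def validate_record(rec):
    """Problems found in a single row; an empty list means the row is complete
    and its L2 addressing is internally consistent."""
    problems = [f"missing {col}" for col in MANDATORY if not _get(rec, col)]
    try:
        host = ipaddress.ip_address(_get(rec, "L2 Primary IP address"))
        # the subnet may be recorded as a mask (255.255.255.0) or a prefix (24)
        net = ipaddress.ip_network(f"{host}/{_get(rec, 'L2 Primary IP Subnet')}",
                                   strict=False)
    except ValueError as exc:
        return problems + [f"unusable address/subnet: {exc}"]
    for col in GATEWAYS + ("KVM IP address",):
        value = _get(rec, col)
        if not value:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"{col} is not an IP address: {value!r}")
            continue
        if col in GATEWAYS:
            if addr not in net:
                problems.append(f"{col} {addr} is outside {net}")
            if addr == host:
                problems.append(f"{col} equals the host address")
    g1, g2 = _get(rec, GATEWAYS[0]), _get(rec, GATEWAYS[1])
    if g1 and g1 == g2:
        problems.append("1st and 2nd gateway are identical")
    return problems


def check_inventory(text):
    """Validate every row and flag values that must be unique plant-wide.
    Returns {row number: [problems]}."""
    rows = list(csv.DictReader(io.StringIO(text)))
    report = {n: validate_record(r) for n, r in enumerate(rows, 1)}
    seen = {}
    for n, r in enumerate(rows, 1):
        for col in UNIQUE:
            value = _get(r, col)
            if value and (col, value) in seen:
                report[n].append(f"duplicate {col} {value} (also row {seen[(col, value)]})")
            elif value:
                seen[(col, value)] = n
    return report


if __name__ == "__main__":
    for n, problems in check_inventory(SAMPLE_CSV).items():
        print(n, "OK" if not problems else "; ".join(problems))
```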