S-TR-CPS-ICS (Rev.0-2023)
CONTROL-PROTECTION-SUPERVISION
(Specification)
CONTENTS
1 PURPOSE
2 SCOPE
3 DEFINITIONS AND ACRONYMS
4 REFERENCES
5 RESPONSIBILITY
6 GENERAL REQUIREMENTS TO THE CONTRACTOR
7 CYBER SECURITY PROCESS REQUIREMENTS
7.1 General
7.2 Secured Physical Systems and Actions
7.3 Media Control
7.4 Contractor Development Environment Requirements
7.5 Risk Management
7.6 Vulnerability Management
7.7 Incident Management
7.8 Documentation and Training
8 CYBER SECURITY DESIGN REQUIREMENTS
8.1 General
8.2 Secure Network and Network Architecture Design
8.3 Cryptography
8.4 Secure Time Synchronization
8.5 Role Based Access Control (RBAC)
8.6 System Integrity
8.7 Data Confidentiality
8.8 Asset Management
8.9 Log Management
8.10 Antimalware
8.11 Backup and Restore
8.12 Network Monitoring
8.13 Network Intrusion Detection (NIDS)
8.14 Secure Remote Access Connection to Substation L2.5 DMZ
8.15 Patch Management
8.16 Hardening
9 HARDWARE CYBER SECURITY REQUIREMENTS
10 SOFTWARE CYBER SECURITY REQUIREMENTS
APPENDIX A: PURDUE REFERENCE MODEL
APPENDIX B: ICS ACCEPTABLE AND UNACCEPTABLE USE
APPENDIX C: INCIDENT REPORT FORM
OPERATIONAL TECHNOLOGY CYBER SECURITY FOR INDUSTRIAL CONTROL SYSTEMS
1 PURPOSE
The purpose of this document is to provide Transco Contractors with cyber security requirements for Industrial Control Systems (ICS) when delivering ICS assets and/or services to Transco.
Compliance with this document will also guide Contractors in ensuring alignment with the United Arab Emirates (UAE) Information Assurance Standards and the UAE ICS Cybersecurity Framework for systems delivered to Transco.
In general terms, compliance with Transco security policies and processes helps ensure compliance with national and international standards. Figure 1 represents the hierarchy of international, national and company local documents for cyber security governance of Operational Technology (OT) systems.
Figure 1 – Transco hierarchy of international, national and company local documents for cyber security governance of OT systems (international standards shown: ISO 27001, IEC 62443; energy sector specific: NERC-CIP, NISTIR 7628, IEC 62351, IEEE 1686)
2 SCOPE
The cyber security requirements for ICS outlined in this document are applicable to all ICS assets and services delivered to Transco by the Contractor within the scope of greenfield development and other applicable projects on Transco facilities.
This cyber security requirements document consists of two major sections:
• Process Requirements describes the general requirements for the Contractor's (and any associated sub-contractors' or other 3rd parties') compliance with the Transco cyber security procedures. This part includes behavioral requirements, agreements on security measures for data exchange during the project execution phases, the obligation to follow a risk-oriented model to manage cyber security risks during the project execution phases, and the obligation to take responsibility for vulnerability management of the solutions delivered to Transco. This part of the cyber security requirements also contains obligations for cyber security incident management during the project execution phases. The Contractor shall familiarize themselves with these process requirements and assess their compliance with them. The Contractor shall confirm their commitment to follow the Transco cyber security requirements.
• Cyber Security Design Requirements describes the cyber security requirements for the systems and solutions that will be designed and procured by the Contractor for power systems and facilities. This part of the document contains requirements for network design, substation perimeter protection, detection and monitoring systems and endpoint protection solutions, including their configurations. Based on the design of the SCMS, FMS, WAMS, PQMS, Partial Discharge, TCAMC, physical protection systems and other process control systems in the substation, the Contractor shall follow the current cyber security requirements and provide and integrate cyber security solutions for the substation systems and network. The scope of work based on the current cyber security requirements shall be implemented at the substation level and shall include integration of the substation cyber security systems into the cyber security management system in THQZ.
3 DEFINITIONS AND ACRONYMS
Term – Definition
Bring Your Own Device (BYOD) – This term refers to personal devices (i.e. devices that are not provided by the contractor or Transco) and software that is not approved by Transco. The use of BYOD is forbidden on the Transco OT network.
Cyber Security Management System (CSMS) – This refers to the set of cyber security solutions such as RBAC, firewall management, intrusion detection, Secure Remote Access, Antimalware, Backup & Restore, Network Management, Patch Management and other systems that are deployed via central management consoles in the Transco HQ2 (THQZ) for the cyber security monitoring of substation systems in real time.
Industrial Control System(s) (ICS) – This refers to any control system, and the devices it is composed of, deployed on Transco premises that are OT assets. Examples include: SCMS, FMS, PQMS systems with components such as IEDs, relays, AVR, switches, operator workstations, relay access workstation gateway, etc.
L-FW Firewall for LDC – These are redundant firewalls that are used for segmenting the communication between the substation LDC gateway and LDC centralized systems.
Process Control Network (PCN) – This is the communications network layer that is a part of ICS systems in the substation such as SCMS, FMS, PQM, WAMS, TCAMC, cyber security services and other OT devices and systems that are part of this network.
Secure Remote Access (SRA) – This is a combination of the technical systems, network configuration, firewall configurations, RBAC and Transco administrative controls that allow authorized Transco personnel to have a time-limited remote connection from the Transco HQ2 engineering room to the substation DMZ.
S-FW Substation Firewall – These are redundant firewalls that are used for traffic segmentation between substation systems on Level 2. In addition, this firewall is used for the segmentation of Level 2 and the substation DMZ L2.5. This firewall is also used for the connection between the substation and THQZ. Other connections, such as connections to LDC, ADDC and IWPP, shall not be made through firewall S-FW.
Segmentation – Segmentation is the process of dividing up a computer network into smaller parts. The purpose is to improve network security and performance. Different networks can be segmented from each other but are still able to communicate with each other. Network segmentation for the purposes of this specification applies to layers 2 and 3 of the OSI model.
4 REFERENCES
The following is a list of informative references which may be referred to as a source of relevant
best practice to support achieving compliance with the requirements specified in this document:
• ISO 27001 - Information Security Management - Requirements
• IEC 62443 - Security Standards for The Secure Development of Industrial Automation and Control Systems (IACS)
• IEC 62351 - Cyber Security Series for the Smart Grid
• IEEE 1686 - Standard for Intelligent Electronic Devices Cyber Security Capabilities
• NERC-CIP - North American Electric Reliability Corporation Critical Infrastructure
Protection
• NISTIR 7628 - Guidelines for Smart Grid Cybersecurity
• NIST SP 800-82 - Guide to Operational Technology (OT) Security
• UAE Department of Energy (DoE) Cyber Security Framework
5 RESPONSIBILITY
These cyber security requirements apply to all personnel involved in the procurement, engineering, commissioning, operations, maintenance and decommissioning of any ICS asset, and to the information and data stored, transmitted and processed by any ICS system or asset.
These requirements also apply to all vendors, contractors, sub-contractors and consultants
responsible for handling ICS assets, information and data during ICS systems and asset lifecycles.
10. The Contractor shall not publish descriptions of Transco ICS systems or architecture in publicly available sources of information without prior risk assessment and approval by Transco.
7.1 General
1. The Contractor shall submit a request for approval from Transco before commencing work
for any type of activities, related to the ICS systems in Transco.
2. The Contractor shall ensure that all integration, commissioning, acceptance testing and
maintenance activities related to cyber security are performed in accordance with
predefined, approved and documented procedures and criteria.
3. The Contractor shall put in place administrative and technical controls to ensure that all information is suitably and sufficiently protected during digital transmission (e.g. email, phone, messenger, ICS systems, remote control and monitoring, etc.) or by offline methods (correspondence, storage media, printed documents, verbal information sharing). Security controls shall be suitable and sufficient and shall be based on the information classification level of the information/data to be handled.
4. The corporate information exchange systems for project data transfer (e.g. Enterprise
Resource Planning (ERP) systems, document controller etc.) shall be agreed by both sides.
The Contractor shall follow Transco rules and requirements while using information
systems and uploading data related to the project.
5. The Contractor shall adopt suitable and sufficient security controls to ensure the security
and integrity of information during transmission. The Contractor shall implement
alternative controls where an asset cannot support suitable and sufficient transmission
security and/or integrity. The Contractor shall document the details and justification for
any alternative countermeasures used.
6. The Contractor shall protect physical media and any device in transit carrying ICS
information/data, according to the highest level of information sensitivity it will contain.
This may include physical locking mechanisms, digital encryption and/or packaging that
is suitable and sufficient to prevent data loss or theft.
7. The Contractor shall maintain suitable and sufficient records about data transferred using physical media.
8. During projects the Contractor shall agree and establish a method for information exchange with Transco, sub-contractors and other stakeholders involved in the project.
9. The Contractor shall maintain and improve measures to prevent data leakage during the project and/or service delivery. After project completion the Contractor shall keep all data about the project and/or service delivery secured and confidential.
10. The Contractor shall follow a Configuration and Change Management process agreed with
and approved by Transco.
eliminated, a mitigation plan shall be provided by the Contractor and suitable and sufficient
actions shall be agreed with Transco and be undertaken by the Contractor.
11. The Contractor shall perform system patching for critical and high vulnerabilities during the warranty period for delivered systems. Transco retains the right to define what constitutes a critical and high vulnerability.
12. The Contractor shall perform regular system patching twice a year during the warranty
period until the FAC certificate is issued. The patching schedule shall be approved by
Transco.
2. The Contractor shall provide comprehensive and understandable documentation about the
overall design of products. This documentation shall describe its architecture,
functionalities and protocols, their realization in hardware or software components, the
interfaces and interactions of components with each other and with internal and external
services and the configuration baseline in order to be able to implement and use the product
in the most secure way possible.
3. All documents related to cyber security implementations in substations (procedures, manuals, drawings, as-built diagrams, etc.) shall follow the same template, fonts, style, colors, drawings and symbols.
4. The Contractor shall document all data flows that the provided ICS systems and assets use to communicate. Data flow characterization shall include, at least: the purpose of the data flow, the impact on the overall ICS solution if the data flow is interrupted or inhibited, the communication protocol utilized, the TCP/UDP port where an IP-based protocol is used, and the typical bandwidth needed. The Contractor shall also provide the delay requirements associated with each data flow.
5. The Contractor shall document all network components (e.g. hosts, servers, network equipment, etc.) and provide detailed network diagrams at the physical, logical and network levels (Open Systems Interconnection (OSI) layers 1, 2 and 3).
6. The dataflows for all substation systems and the OT asset network shall be documented and reflected on the dataflow diagrams. Dataflow information for each system/device/application in the substation shall provide the following as a minimum:
- Source and destination for the dataflow mapped onto the Purdue model diagram
(see APPENDIX A: PURDUE REFERENCE MODEL).
- Explicit network paths from the source to the destination.
- Protocols that are required to be enabled for the communication.
- Port numbers that are required to be enabled.
7. All network components shall be documented in the project documentation and detailed
network diagrams. These network diagrams shall show the physical, logical and network
levels, interconnections within substations, and external communications.
8. The Contractor shall provide summary documentation of a product’s security features and
security-focused instructions on product maintenance, support, and reconfiguration of
default settings.
9. The Contractor shall provide knowledge transfer to Transco personnel for any implemented
solution.
8.1 General
1. Substation ICS cyber security design shall be based on the requirements of IEC62443,
NIST, ISO27001/2, UAE DoE Cyber Security Framework and follow a defense-in-depth
approach.
2. A low-level design of the systems shall be submitted to Transco prior to FAT. This is
applicable to the single system/network/hardware/software as well for overall substation
network architecture.
3. The proposed solution shall incorporate a scalable architecture that enables low-cost
expansion to multiple control rooms/remote locations (substations & regional hubs). The
solution functionalities shall operate as one integrated environment, not a collection of
individual tools.
4. The security design shall be consistent across all systems within substations, shall minimize the amount of hardware and the number of solutions, shall be cost-optimized, and only solutions that have undergone due diligence shall be proposed.
5. Security design shall be harmonized with existing Transco telecommunication and cyber
security systems, solutions and infrastructure that are implemented in the THQZ.
6. A System under Consideration shall be defined in accordance with IEC62443-3-2 for the scope of work being supplied to Transco. This shall include consideration of the implementation of the following:
- Secure network design for substation systems with consideration of segmentation and segregation between substation systems and 3rd party companies;
- Endpoint security based on antimalware, Host Based Intrusion Detection (HIDS) and Endpoint Detection and Response (EDR) solutions;
- A centrally managed Role-Based Access Control (RBAC) solution for all substation systems and devices;
- Next generation and industry specific firewalls and unidirectional data diodes for inbound and outbound connections;
- System & network hardening for all OT assets in the substation;
- Asset status monitoring & asset health status;
- Intrusion Detection System (IDS) with OT capabilities;
- Patch management solution and system integration;
- Secure remote access system to the substation OT environment from the THQZ OT environment (jump server, secure remote access solution, etc.);
- Secure file transfer system from OT systems in the substation to Transco engineering laptops and/or THQZ engineering workstations;
- Encrypted multi-layered backup and restore solution.
7. A flat network model shall not be implemented.
8. All supplied cyber security products shall be compatible with ICS systems, including but
not limited to the SCMS, FMS, PQM and WAMS and any other system that is located in
the substation and/or THQZ. Relevant proof of system compatibility shall be provided by
the Contractor. The sizing details for the hosting platform used for cyber security solutions
shall be calculated during the design stage and submitted for Transco review.
9. System and devices on the substation shall have interfaces with and capabilities for
integration with the Transco Cyber Security Management System (CSMS) located in the
THQZ.
10. The sizing details for the hosting of cyber security solutions shall be provided by the
Contractor and submitted for Transco approval.
11. The overall substation network design, each ICS system network design, and cyber security
systems and their components shall be scalable and allow for system growth over the time.
3. In accordance with the requirements of IEC62443-3-2 the Security Level Capability (SL-C) for each zone and conduit shall be established for all components within a zone or conduit.
4. Where the SL-C is below the SL-T for a zone, Detailed Risk Assessment shall be performed
by the Contractor to establish further countermeasures that may be required.
5. The system shall be designed to meet requirements derived from the clauses above and
evidence shall be provided that the Security Level Achieved (SL-A) meets the SL-T
requirements.
6. The following levels shall be considered in the substation network architecture:
- Level 0 – This zone contains sensors, actuators, bus bars, transformers, disconnectors/isolators, transducers, smart meters etc.
- Level 1 – This is the basic control zone containing bay level equipment (all IEDs, BCU, relays, AVR, GPS, PLC etc.).
- Level 2 – This is the supervisory control zone containing SCMS, FMS, PQM systems components (e.g. servers/workstations/RTUs) and related monitoring and power regulation.
- Level 2.5 – This is the substation DMZ zone, which is used to segment substation internal L1, L2 networks from external communications to the LDC/ADDC/ECC/TCC/TC&MC. It is also used to deploy cyber security systems local to the substation.
- Level 3 – This is the master supervisory zone containing THQZ, TCC and CSMS (Cyber Security Management System) and related master supervisory control systems (e.g. SCADA, NMS, Network Manager, centralized consoles and servers etc.).
- Level 3.5 – This contains Transco's TCAMC data processing systems and data hub in the THQZ along with connections to substation systems and cyber security monitoring systems.
7. The Contractor shall provide a network design for the whole substation that shall include
the following:
- A Network IP plan;
- Details of the PCN logical and physical segmentation based on the results of the Initial Risk Assessment;
- Communication protocol details;
- Network redundancy schema for L1, L2 and L2.5 infrastructure;
- Network security details;
- Explicit dataflow between substation systems and dataflow from substation system
to the THQZ, LDC, ADDC, IWPP.
8. The design shall include a substation Demilitarized Zone (DMZ) (level 2.5) to segment the
THQZ centralized L3 process environment from substation L2 devices.
9. The process data exchange between L2 station controllers and L2.5 data gateways/HMIs to the TCAMC and other systems located on levels L3 and L3.5 of the THQZ shall not be mapped directly from L2 to L3.
10. A next generation firewall shall be used to provide network segmentation between level L3
and L2.5.
11. The firewall shall be used to provide network segmentation between level L2.5 and L2.
12. The firewall shall be used to provide segmentation between management and process
traffic.
13. The firewall shall be used for SCMS, FMS, PQMS, WAMS, Partial Discharge, TCAMC,
and all other external communication and interconnections needs for the substation
systems.
14. The firewall shall support advanced threat protection, industrial protocols and protection
of industrial systems.
15. The substation L2.5 zone shall be configured to be used for secured remote access communication from the THQZ engineering room. This shall be used to provide access for cyber security specialists and authorized Transco engineers. Security for such access shall be provided by using only dedicated thin client machines within the THQZ OT network, connected to the dedicated secure remote access servers located in the OT network. Sessions and actions shall be recorded, and phishing resistant two-factor authentication shall be used for connection authorization. Firewall rules for remote access to the TCAMC to the substation L2.5 zone shall allow such communication only during requested and approved time frames. At all other times, the firewall rule shall deny any remote communication from zones external to the substation.
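As an added illustration (not part of the specification or of any Transco system), the following Python models the decision logic clause 15 requires of the remote access firewall: default deny, connections only from the dedicated SRA servers into the L2.5 zone, only within a requested and approved time frame, with every decision recorded. The address ranges, hosts and the approval are constructed sample values.

```python
"""Default-deny evaluation of secure remote access (SRA) attempts from the THQZ
engineering room into the substation L2.5 DMZ (clause 15 above): only from the
dedicated SRA servers, only to the L2.5 zone, only inside a requested and
approved time frame, with every decision recorded. Added example, not from the
specification or any Transco system; all addresses and approvals are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Set, Tuple

# Constructed address plan: dedicated SRA servers in the THQZ OT network and the
# substation L2.5 DMZ range. A real deployment takes both from the project IP plan.
SRA_SERVERS = {ip_address("10.200.10.11"), ip_address("10.200.10.12")}
SUBSTATION_L25 = ip_network("10.120.25.0/24")


@dataclass(frozen=True)
class AccessRequest:
    """One approved remote access request: who, why, when, and which L2.5 hosts."""
    requester: str
    purpose: str
    start: datetime
    end: datetime
    targets: FrozenSet[str]

    def covers(self, when: datetime, target: str) -> bool:
        return self.start <= when <= self.end and target in self.targets


def _parse(addr: str):
    """Return an IP address object, or None for a malformed string."""
    try:
        return ip_address(addr)
    except ValueError:
        return None


@dataclass
class SraPolicy:
    approved: List[AccessRequest] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def decide(self, src: str, dst: str, when: datetime) -> Tuple[bool, str]:
        """Evaluate one connection attempt. The outcome is deny unless every
        condition of clause 15 holds; the decision is appended to the audit log."""
        allowed, reason = False, "no approved time frame for this target"
        src_ip, dst_ip = _parse(src), _parse(dst)
        if src_ip is None or dst_ip is None:
            reason = "malformed address"
        elif src_ip not in SRA_SERVERS:
            reason = "source is not a dedicated SRA server"
        elif dst_ip not in SUBSTATION_L25:
            reason = "destination is outside the substation L2.5 DMZ"
        else:
            for req in self.approved:
                if req.covers(when, dst):
                    allowed = True
                    reason = f"approved request by {req.requester}: {req.purpose}"
                    break
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(f"{when.isoformat()} {verdict} {src} -> {dst} ({reason})")
        return allowed, reason

    def permitted_pairs(self, when: datetime) -> Set[Tuple[str, str]]:
        """(SRA server, L2.5 host) pairs the firewall rule should permit at `when`.
        Outside every approved window the set is empty: deny at all other times."""
        pairs: Set[Tuple[str, str]] = set()
        for req in self.approved:
            if req.start <= when <= req.end:
                for host in req.targets:
                    pairs.update((str(s), host) for s in SRA_SERVERS)
        return pairs


def sample_policy() -> SraPolicy:
    """Constructed approval: a two-hour window on one DMZ host for one engineer."""
    start = datetime(2023, 6, 1, 8, 0, tzinfo=timezone.utc)
    return SraPolicy(approved=[AccessRequest(
        requester="ot-engineer-01", purpose="IDS sensor signature update",
        start=start, end=start + timedelta(hours=2),
        targets=frozenset({"10.120.25.30"}))])


if __name__ == "__main__":
    policy = sample_policy()
    now = datetime(2023, 6, 1, 9, 0, tzinfo=timezone.utc)
    policy.decide("10.200.10.11", "10.120.25.30", now)                      # inside window
    policy.decide("10.200.10.11", "10.120.25.30", now + timedelta(hours=3))  # window closed
    policy.decide("10.200.99.5", "10.120.25.30", now)                       # not an SRA server
    for line in policy.audit_log:
        print(line)
```

`permitted_pairs` is what a rule generator would consult when (re)building the firewall policy at each approval boundary; `decide` is the per-connection check the same data supports.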
16. Data gateway devices located in substations shall be configured with dataflow allowed only
to dedicated devices. Mesh connections shall be excluded. Substation gateway devices for
the ADDC and/or LDC shall be segregated from the substation L1, L2 process control
network, since the substation gateway connections to LDC and/or ADDC are considered
as communication with 3rd party systems (i.e. systems in the L3.5 zone are considered to
be 3rd party systems).
17. Network and device IP address assignments shall be designed to exclude utilization of the
same IP range as already used on existing Transco assets. IP address schema shall be
optimized, and proper subnet masks shall be used to avoid unreasonable IP address space
overutilization.
18. Design of segmentation between substation core PCN and 3rd party systems or networks
(e.g. power plant, water plant, other partners’ systems such as ADDC, AADC, TAQA)
shall be achieved using industrial firewalls, next-generation firewalls and data diodes, as
appropriate, to provide a suitable and sufficient level of security.
19. Detailed design of network connectivity from substation L2.5 to the Transco SDH shall be
provided. This shall include interface IP addresses, routing protocols, reliability
configuration, and security configuration.
20. Detailed design of the connectivity from the substation to the THQZ shall be provided. The design shall be unified with the existing Transco OT network and shall utilize the same routing and/or switching protocols. If, at the contract award of a project, there are no unified routing protocols between remote sites and the THQZ, the Contractor shall design and propose the solution to Transco.
21. Explicit network dataflow shall be defined and documented for all systems on L1, L2, L2.5
and their communications to the THQZ, TCAMC, LDC, ADDC and IWPP.
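The following Python is an added example (not from the specification or any Transco system) of checking a documented dataflow inventory of the kind clause 6 of section 7.8 and clause 21 above require against the zone rules of clauses 8, 9, 16 and 24: every IP-based flow names its port and explicit path, L2 data reaches L3/L3.5 only through an L2.5 gateway, and 3rd-party systems (LDC, ADDC, IWPP) are reached only from an L2.5 gateway and only through the L-FW, never the S-FW. All assets, levels, roles and flows are constructed sample data.

```python
"""Validator for a documented substation dataflow inventory against the network
design clauses above. Added example, not from the specification or any Transco
system; every asset, role name and flow below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Purdue levels as used in this document, ordered for comparison.
LEVEL_ORDER = {"L0": 0.0, "L1": 1.0, "L2": 2.0, "L2.5": 2.5, "L3": 3.0, "L3.5": 3.5}
THIRD_PARTY_ZONES = {"LDC", "ADDC", "IWPP"}   # external per clause 16


@dataclass(frozen=True)
class Asset:
    name: str
    level: str                  # Purdue level (APPENDIX A)
    zone: str = "Substation"    # "Substation", "THQZ" or a 3rd-party zone
    role: str = "device"        # constructed roles: device, gateway, s_fw, l_fw


@dataclass(frozen=True)
class DataFlow:
    source: str
    destination: str
    purpose: str
    protocol: str
    port: Optional[int] = None          # required when ip_based is True
    ip_based: bool = True
    path: Tuple[str, ...] = ()          # explicit hops between source and destination


def validate(assets: Dict[str, Asset], flows: List[DataFlow]) -> List[str]:
    """Return one finding per violated clause; an empty list means compliant."""
    findings: List[str] = []
    for f in flows:
        tag = f"{f.purpose} ({f.source} -> {f.destination})"
        src, dst = assets.get(f.source), assets.get(f.destination)
        hops = [assets.get(h) for h in f.path]
        if src is None or dst is None or any(h is None for h in hops):
            findings.append(f"{tag}: flow references an undocumented asset")
            continue
        # Clause 6 of 7.8: port and explicit path are mandatory for IP-based flows.
        if f.ip_based and f.port is None:
            findings.append(f"{tag}: IP-based protocol {f.protocol} lacks a TCP/UDP port")
        if f.ip_based and not f.path:
            findings.append(f"{tag}: explicit network path is missing")
        third_party = [a for a in (src, dst) if a.zone in THIRD_PARTY_ZONES]
        internal = [a for a in (src, dst) if a.zone not in THIRD_PARTY_ZONES]
        if third_party:
            # Clause 16: only a segregated L2.5 gateway talks to LDC/ADDC/IWPP.
            inside = internal[0] if internal else None
            if inside is not None and not (inside.level == "L2.5" and inside.role == "gateway"):
                findings.append(f"{tag}: 3rd-party zone reached from {inside.level} "
                                f"{inside.role}, not an L2.5 gateway")
            # Clause 24 and the S-FW definition: 3rd-party traffic uses L-FW, never S-FW.
            roles = {h.role for h in hops}
            if "l_fw" not in roles or "s_fw" in roles:
                findings.append(f"{tag}: 3rd-party connection must traverse L-FW only")
            continue
        lo, hi = sorted((LEVEL_ORDER[src.level], LEVEL_ORDER[dst.level]))
        # Clauses 8 and 9: L2 data reaches L3/L3.5 only via the L2.5 DMZ gateway.
        if lo <= 2.0 and hi >= 3.0:
            if not any(h.level == "L2.5" and h.role == "gateway" for h in hops):
                findings.append(f"{tag}: {src.level} mapped directly to {dst.level} "
                                f"without an L2.5 gateway")
    return findings


# Constructed sample inventory (names, levels and roles are illustrative only).
SAMPLE_ASSETS = {a.name: a for a in [
    Asset("bcu-01", "L1"),
    Asset("scms-srv-01", "L2"),
    Asset("s-fw", "L2.5", role="s_fw"),
    Asset("l-fw", "L2.5", role="l_fw"),
    Asset("dmz-gw-01", "L2.5", role="gateway"),
    Asset("ldc-gw-01", "L2.5", role="gateway"),
    Asset("tcamc-hub", "L3.5", zone="THQZ"),
    Asset("ldc-scada", "L3.5", zone="LDC"),
]}

SAMPLE_FLOWS = [
    # Compliant: L2 -> L2.5 DMZ gateway -> THQZ, each hop through the S-FW.
    DataFlow("scms-srv-01", "dmz-gw-01", "PQ data to DMZ", "IEC 61850 MMS", 102, path=("s-fw",)),
    DataFlow("dmz-gw-01", "tcamc-hub", "PQ data to TCAMC", "IEC 60870-5-104", 2404, path=("s-fw",)),
    # Violates clause 9: station controller mapped straight to L3.5.
    DataFlow("scms-srv-01", "tcamc-hub", "Direct PQ upload", "IEC 60870-5-104", 2404, path=("s-fw",)),
    # Compliant 3rd-party exchange: L2.5 LDC gateway through the L-FW.
    DataFlow("ldc-gw-01", "ldc-scada", "Telecontrol to LDC", "IEC 60870-5-104", 2404, path=("l-fw",)),
    # Violates clause 16 (bay device talks to LDC) and lacks a documented port.
    DataFlow("bcu-01", "ldc-scada", "Bay telemetry to LDC", "IEC 60870-5-104", path=("l-fw",)),
    # Violates clause 24: 3rd-party traffic routed through the S-FW.
    DataFlow("ldc-gw-01", "ldc-scada", "Telecontrol via S-FW", "IEC 60870-5-104", 2404, path=("s-fw",)),
]


def sample_findings() -> List[str]:
    return validate(SAMPLE_ASSETS, SAMPLE_FLOWS)


if __name__ == "__main__":
    for line in sample_findings():
        print("NON-COMPLIANT:", line)
```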
22. Substations shall have only a single external connection to the Transco THQZ via a single
point connection on redundant routers and firewalls within the substation. This shall be
implemented using two dedicated ethernet channels for redundancy purposes.
23. Substations shall have only a single external connection to the Transco DR Center via a
single point connection on redundant routers and firewalls within the substation. This shall
be implemented using two dedicated ethernet channels for redundancy purposes.
24. The connections from a substation to 3rd party networks (e.g. power generation plants,
water generation plants or LDC/ADDC, AADC) shall be established through firewalls (L-
FW) or data diodes. This shall be a physically separate device from the substation firewalls.
25. The firewall for 3rd party systems shall be specified based on the type of industrial protocol,
used for the data transfer and/or exchange. Advanced threat protection and industrial
protocols and systems protection shall be supported by firewalls.
26. Where there is a requirement to have unidirectional connection due to the criticality of an
OT asset, on Transco’s or a 3rd party’s side, a unidirectional data diode shall be designed
and delivered.
27. Advanced threat protection and industrial protocols and systems protection shall be
supported by all firewalls.
28. Network design shall include network traffic aggregation switches and required network
connections for traffic mirroring to the IDS sensor. Traffic mirroring shall cover mirroring
for L1, L2, L2.5 network flow and for the egress and ingress traffic from external
communications.
29. 2.4 and 5 GHz Wi-Fi solutions for the PCN, substation and the THQZ OT systems are prohibited unless requested by Transco.
30. ICS systems, which utilize any other radio channel range, which is different from Wi-Fi
range, shall be designed for secure communication.
31. Industrial protocols shall be implemented in line with best security practice such as those
contained in IEC 62351 and IEC 62443.
32. TCP/IP and any other non-industrial protocols shall be implemented in line with relevant
best practice.
33. If a non-TCP/IP protocol or any other proprietary communication protocol is designed to be used by the solution, suitable and sufficient cyber security measures shall be deployed to protect it. Respective evidence of protocol security shall be provided to Transco, as well as the assurance that this solution is going to be supported by the vendor and that user support will be available for the agreed lifetime of the system. This shall be officially confirmed to Transco.
34. All cyber security network equipment (switches, firewalls, servers) shall have redundancy
on the following levels: platform, interface and appliance (if applicable).
35. The Design shall include redundant uplink interfaces for all network equipment on levels
L1, L2 and L2.5.
36. The Contractor shall not implement cloud-based solutions for Transco ICS systems.
37. Data from ICS systems shall not be transferred, processed and/or stored in cloud-based solutions.
8.3 Cryptography
1. The Contractor shall ensure that cryptography provided as part of the system and enabled
during commissioning or maintenance complies with relevant UAE laws, regulations and
agreements.
2. The Contractor shall use cryptographic algorithms, key sizes and mechanisms for key
establishment and management according to commonly accepted security industry
practices and recommendations.
3. The Contractor shall ensure that suitable and sufficient levels of secure key management
are implemented and that any keys generated by the Contractor are securely deleted when
they are no longer required by the Contractor.
8.4 Secure Time Synchronization
4. The Contractor shall implement provision of NTP and/or PTP to devices via a separate secure logical network zone.
5. NTP and/or PTP servers shall incorporate anti-jamming and anti-spoofing protection.
4. OEM vendor expertise shall be considered for the implementation of the L2 domain controller. This shall include the analysis of the process for implementation of domain controllers for substations, designing an OEM approved domain controller and Active Directory architecture, and group policy configuration.
5. Design of the substation OT Domain architecture, low level design for domain controllers,
DNS, Active Directory configuration, user accounts, user groups and assigned permissions
shall be agreed and approved by Transco.
6. Local accounts on the SCMS/FMS/PQM/TCAMC devices in the substation shall be
suitably and sufficiently secured and kept enabled for emergency purposes. However, the
primary authentication and login into the system shall be based on the RBAC server
authentication.
7. The substation level domain controllers shall have a RADIUS server deployed for client
authentication. All clients in the substation OT network that support RADIUS
authentication shall be configured to be integrated into the RADIUS server for
authentication and access control.
8. Services and processes running on substation systems shall be configured to use domain
service accounts for authentication.
9. Configuration of the Active Directory and Group Policy Objects shall be done based on
OEM vendor qualified baselines for SCMS devices. For the cyber security systems and
non-process control systems a configuration based on the most robust CIS Benchmark
baselines and Transco approved baselines shall be implemented.
10. All domain controllers shall have a Transco approved antivirus and antimalware agent with
correctly configured antivirus policies.
11. All Domain Controllers shall have backup and restore agents installed with a configured
backup schedule based on the Transco backup strategy.
12. Domain Controller logs and events shall be transmitted to the substation log management
system.
13. All Domain Controllers shall have the latest system and security patches installed prior to
connection to the Transco PCN.
14. Authorization, Authentication and Accounting (AAA) and RBAC mechanisms shall be
implemented to suitably and sufficiently secure management access to critical hosts,
substation servers and network equipment.
15. Devices shall require identity authentication to take place prior to any other form of user-
initiated interaction, including remote interaction, with the system. Specifically,
unauthenticated, repudiable user interaction with the system shall be prohibited.
16. Substation systems and devices shall be capable of supporting multiple user accounts.
17. Substation systems and devices shall provide the capability to manage user accounts
(including default accounts). Management capability shall include the following as a
minimum:
- Account creation;
- Ability to disable accounts;
- Account deletion;
- Ability to change account passwords;
- Ability to change account privileges.
18. The ability to manage user accounts shall be restricted to specific accounts. Account
management actions shall be logged.
19. All default administrator and/or root, user and service accounts on substation devices shall
be capable of being disabled, deleted, renamed, or have their passwords changed.
Hardcoded, non-configurable default accounts and passwords are prohibited.
20. By default, all passwords shall be obfuscated on the screen during input to prevent
disclosure of the password to any bystanders.
21. Where systems utilize auto-login accounts or where user accounts are used to provide
continuous operations or monitoring for essential functions, these accounts shall never
expire or become disabled automatically.
22. Temporary shared accounts shall be configured for use during FAT & SAT stages and shall
be removed from all devices and systems before substation energization.
23. Personal accounts for Transco authorized personnel shall be configured in the system at
the SAT stage as per Transco guidelines and under Transco supervision.
7. The substation OT systems shall log user activities as well as security relevant events and
errors in a format that can be evaluated and analyzed during operations or afterwards. The
log files shall be protected against tampering.
8. Where possible and required, devices shall be configured to use SNMPv3. A unique login
and password shall be defined for each category of device and system.
9. If SNMPv2 and/or SNMPv1 is used because a device or system is not compatible with
SNMPv3, these shall be configured using a private, unique community name for each
category of device. Passwords shall exclude dictionary words, any company-related
words, or any other combination of characters which is easy to guess or brute-force.
Devices shall be configured to send traps only to the monitoring device and shall be
configured to be readable only by the monitoring device.
10. The log management system shall be deployed on a separate VM or hardware-based node
and shall reside in the substation L2.5 DMZ.
11. The log management system shall be capable of being fully integrated with the CSMS in
the THQZ and Transco’s Splunk SIEM.
12. The log files from ICS, cyber security and log collector systems shall be transmitted to the
substation log management system for pre-processing and onwards transmission to the
central log management system in the THQZ. In the event of network disruption, the onsite
log manager shall store logs whilst the network is unavailable and shall be configured to
forward them to the THQZ following restoration of the network connection.
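Items 7 and 12 above require tamper-protected log files and a substation log manager that stores records while the THQZ link is down and forwards them once the connection is restored. The following Python example is added here to illustrate both mechanisms; it is not code from this specification or from any Transco system. It assumes a hypothetical HMAC-SHA256 hash chain for tamper evidence, a JSON-lines spool file on local disk, and an in-memory stand-in for the central log manager; the event records and the integrity key are constructed placeholders.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Callable, Dict, List

# Constructed sample events from substation systems; not real log data.
SAMPLE_EVENTS = [
    {"src": "scms-hmi-01", "msg": "operator1 logged in via RADIUS"},
    {"src": "dc-01", "msg": "account created: maint_temp_01"},
    {"src": "ids-sensor-01", "msg": "new MAC address seen on VLAN 20"},
]

# Placeholder integrity key (assumption). In a real deployment the key comes from
# the key management process the specification requires, never from source code.
INTEGRITY_KEY = b"example-key-not-for-production"
GENESIS_TAG = "0" * 64


class TamperEvidentLog:
    """Append-only log: each record carries an HMAC-SHA256 tag over the previous
    tag plus the record body, so editing, deleting or reordering a stored record
    breaks the chain and verify() reports it."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: List[Dict] = []
        self._prev_tag = GENESIS_TAG

    def _tag(self, prev_tag: str, event: Dict) -> str:
        body = json.dumps(event, sort_keys=True)
        return hmac.new(self._key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()

    def append(self, event: Dict) -> Dict:
        event = dict(event)  # copy, so later changes to the caller's dict cannot alter the log
        record = {"seq": len(self.records), "event": event,
                  "prev": self._prev_tag, "tag": self._tag(self._prev_tag, event)}
        self.records.append(record)
        self._prev_tag = record["tag"]
        return record

    def verify(self) -> bool:
        prev = GENESIS_TAG
        for rec in self.records:
            expected = self._tag(prev, rec["event"])
            if rec["prev"] != prev or not hmac.compare_digest(rec["tag"], expected):
                return False
            prev = rec["tag"]
        return True


class StoreAndForwardForwarder:
    """Substation log manager behaviour: records that cannot be delivered to the
    THQZ are spooled to local disk and replayed in order once the link returns."""

    def __init__(self, spool_path: str, send: Callable[[Dict], bool]) -> None:
        self.spool_path = spool_path
        self._send = send  # returns False when the central system is unreachable
        self.link_up = True

    def _spool(self, record: Dict) -> None:
        with open(self.spool_path, "a", encoding="utf-8") as f:
            f.write(json.dumps(record) + "\n")

    def submit(self, record: Dict) -> None:
        # While the link is known to be down, spool immediately so ordering is preserved.
        if self.link_up and self._send(record):
            return
        self.link_up = False
        self._spool(record)

    def flush(self) -> int:
        """Replay spooled records after network restoration; returns how many were sent."""
        if not os.path.exists(self.spool_path):
            return 0
        with open(self.spool_path, encoding="utf-8") as f:
            pending = [json.loads(line) for line in f if line.strip()]
        sent = 0
        for rec in pending:
            if not self._send(rec):
                break  # link dropped again: keep the remainder spooled
            sent += 1
        with open(self.spool_path, "w", encoding="utf-8") as f:
            for rec in pending[sent:]:
                f.write(json.dumps(rec) + "\n")
        self.link_up = sent == len(pending)
        return sent


def run_outage_scenario() -> Dict:
    """Deliver one record, lose the link, spool two records, restore and flush."""
    central: List[Dict] = []  # stands in for the THQZ central log manager
    link = {"up": True}

    def send(record: Dict) -> bool:
        if not link["up"]:
            return False
        central.append(record)
        return True

    log = TamperEvidentLog(INTEGRITY_KEY)
    spool = os.path.join(tempfile.mkdtemp(), "spool.jsonl")
    fwd = StoreAndForwardForwarder(spool, send)
    fwd.submit(log.append(SAMPLE_EVENTS[0]))
    link["up"] = False  # network disruption
    fwd.submit(log.append(SAMPLE_EVENTS[1]))
    fwd.submit(log.append(SAMPLE_EVENTS[2]))
    link["up"] = True  # network restored
    flushed = fwd.flush()
    return {"central_seqs": [r["seq"] for r in central], "flushed": flushed,
            "chain_ok": log.verify(), "link_up": fwd.link_up}


def tampering_is_detected() -> bool:
    """Edit one stored record and confirm that chain verification fails."""
    log = TamperEvidentLog(INTEGRITY_KEY)
    for event in SAMPLE_EVENTS:
        log.append(event)
    log.records[1]["event"]["msg"] = "account created: admin"
    return not log.verify()
```

The spool is rewritten after every flush so that a second outage during replay leaves the undelivered tail on disk; the HMAC key must live outside the log host's normal write path, otherwise an attacker who can edit the log can also re-tag it.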
8.10 Antimalware
1. Antivirus & antimalware solution shall be used to protect computers that run Windows and
Linux Operating Systems. The Antimalware solution shall include antivirus and
application whitelisting.
2. The Antivirus & antimalware solution shall be qualified to be compatible with SCMS/
systems by OEMs and vendors if applicable.
3. The antivirus & antimalware system shall support all versions of Windows & Linux
systems that are delivered as part of the substation scope of work.
4. Where the antivirus & antimalware system cannot support a version of an OS (e.g. due to
compatibility, functionality or installation issues), the Contractor shall demonstrate and
agree a solution with the Transco cyber security team.
5. The proposed solution shall deliver the capability to employ protection mechanisms to
prevent, detect, report, and mitigate the effects of malicious code or unauthorized software.
6. The proposed solution shall deliver the capability to whitelist all approved software and
restrict use of any forms of unapproved scripts, software, batch files and all other forms of
executable instructions or software.
7. The proposed solution shall deliver the capability to detect, record, report, and protect
against unauthorized changes to critical software and supporting information at rest to
preserve the integrity of the delivered system.
8. Approved antivirus and antimalware systems shall be compatible with OT networks and
systems and shall not have any functional impact on OT systems.
9. The right quantity of antivirus and antimalware client licenses shall be considered based
on the substation systems design.
10. Antivirus and antimalware system shall have the capability to be integrated with the
Transco centralized antivirus and antimalware console located in the THQZ.
11. The Contractor shall test the integration, performance and connectivity of the deployed
antivirus and antimalware systems with the centralized Transco antivirus and antimalware
console located in the THQZ.
12. The antivirus & antimalware solution agent on the client node shall have the option to be
disabled locally. This mechanism shall be protected by a password.
13. The antivirus and antimalware system shall be capable of sending real-time, event-based
logs to the log management system at the substation level.
14. Application whitelisting shall be implemented on each Windows or Linux based device in
the substation. The application whitelisting configuration shall not have an exclusion for
file formats or file types. All files shall be inventoried, and their status shall be defined
(approved/unapproved). If exclusions are required to be applied based on the operational
process requirements or OEM vendor recommendations this shall be approved by Transco.
15. Antivirus and application whitelisting policies shall be configured in such a way as to ensure
that policies are pushed to the antivirus & antimalware agents. This shall also include the
required policies for removable media prevention.
16. Antimalware agents shall be able to operate on the client node without connectivity to the
central antimalware server. This shall not have impact on the SCMS, FMS, WAMS,
PQMS, and other systems in the substation, running on the client node with no connection
to the central antimalware server.
17. The Contractor shall verify that devices do not contain any malicious files before deploying
and configuring the application whitelisting system.
• 2nd level backup – A copy of all physical device configurations and data and copies of
all virtual devices is replicated on the THQZ centralized backup system.
• 3rd level backup – A duplicate copy of all physical device configurations and data and
copies of all virtual devices is held on long term storage medium and saved in two
locations: the THQZ and the DR site.
1. The substation level backup and restore solution shall be designed with the capability to
recover and reconstitute to a known secure state after a disruption or failure. Protected NAS
storage shall be part of the backup and restore system design to save substation systems
backups locally.
2. The proposed solution shall have the capability to take secure reliable backups of user-
level and system-level files and data (including system state information) without affecting
normal operations. The solution shall provide further capability to restore system backup
archives on dissimilar system hardware or virtual machines.
3. The solution shall deliver the capability to verify the reliability of backup file archives and
the backup mechanisms.
4. The solution shall have a user-friendly and intuitive interface.
5. The Contractor shall integrate the secure backup solution with Transco centralized backup
and restore solution and shall ensure that the required data can be provided for the 2nd and
3rd levels of backup.
6. The proposed solution shall have configuration options that ensure a suitable and
sufficient level of independence between local and centralized backup locations exists
and is configured to prevent malicious damage or non-malicious corruption of one level of
backup spreading to another.
7. The backup and restore solution shall provide a real-time, continuous backup and restore
infrastructure for all devices, create an online backup of all devices and shall be capable
of restoring devices in the event of hardware or software system failure.
8. The backup and restore solution shall have ransomware prevention mechanisms to protect
the backup and restore server operating system and software and backup storage files.
9. Documentation that describes manual backup and restoration procedures that include
detailed step-by-step backup and restoration activities for all devices in the substation shall
be developed and submitted as part of Operation and Maintenance Manual.
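Items 3, 6 and 8 above call for verifying backup archives, independence between the local and centralized backup levels, and protection of backup files against ransomware. The Python example below is added to illustrate one way these properties can be checked; it is not the specification's procedure or any vendor's backup product. It assumes tar.gz archives with a separate SHA-256 manifest, a constructed substation configuration directory, and a simulated 2nd-level copy in a "thqz" directory; the ransomware event is simulated by overwriting the local archive with random bytes.

```python
import hashlib
import json
import os
import shutil
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

ARCNAME = "backup"  # top-level directory name inside the archive (assumption)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir: Path, archive: Path) -> Path:
    """Archive source_dir and write a manifest holding a digest per file plus a
    digest of the archive itself. Returns the manifest path (stored beside the archive)."""
    files: Dict[str, str] = {}
    for p in sorted(source_dir.rglob("*")):
        if p.is_file():
            files[p.relative_to(source_dir).as_posix()] = sha256_of(p)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=ARCNAME)
    manifest = {"archive_sha256": sha256_of(archive), "files": files}
    manifest_path = archive.with_name(archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def verify_backup(archive: Path, manifest_path: Path) -> Tuple[bool, List[str]]:
    """Check the archive digest and every member digest against the manifest."""
    problems: List[str] = []
    manifest = json.loads(manifest_path.read_text())
    if sha256_of(archive) != manifest["archive_sha256"]:
        problems.append("archive digest mismatch")
    try:
        with tarfile.open(archive, "r:gz") as tar:
            names = set(tar.getnames())
            for rel, digest in manifest["files"].items():
                name = f"{ARCNAME}/{rel}"
                if name not in names:
                    problems.append(f"member {rel} missing")
                    continue
                if hashlib.sha256(tar.extractfile(name).read()).hexdigest() != digest:
                    problems.append(f"member {rel} altered")
    except tarfile.TarError as exc:  # a ransomware-encrypted file is no longer a gzip stream
        problems.append(f"archive unreadable: {exc}")
    return (not problems, problems)


def restore_matches_source(archive: Path, source_dir: Path) -> bool:
    """Restore test: read every file back out of the archive and compare it byte
    for byte with the live copy."""
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            original = source_dir / Path(member.name).relative_to(ARCNAME)
            if not original.is_file() or tar.extractfile(member).read() != original.read_bytes():
                return False
    return True


def two_level_scenario() -> Dict[str, object]:
    """The local (1st level) copy is destroyed by simulated ransomware; the
    independent THQZ (2nd level) copy still verifies and restores."""
    work = Path(tempfile.mkdtemp())
    source = work / "substation"  # constructed substation data, not real configs
    (source / "cfg").mkdir(parents=True)
    (source / "cfg" / "relay01.cfg").write_text("constructed relay configuration\n")
    (source / "cfg" / "switch01.cfg").write_text("constructed switch configuration\n")
    (source / "state.json").write_text('{"constructed": true}\n')

    local, remote = work / "local_nas", work / "thqz"
    local.mkdir()
    remote.mkdir()
    archive = local / "substation.tar.gz"
    manifest = create_backup(source, archive)
    # 2nd level: replicate archive and manifest to the independent THQZ location
    remote_archive = Path(shutil.copy2(archive, remote))
    remote_manifest = Path(shutil.copy2(manifest, remote))
    # simulate ransomware encrypting the local archive in place
    archive.write_bytes(os.urandom(archive.stat().st_size))
    local_ok, local_problems = verify_backup(archive, manifest)
    remote_ok, _ = verify_backup(remote_archive, remote_manifest)
    return {"local_ok": local_ok, "local_problems": local_problems, "remote_ok": remote_ok,
            "remote_restores": restore_matches_source(remote_archive, source)}
```

The manifest is what gives the check its value: without an independently stored digest list, a verifier can only tell that an archive is unreadable, not that an individual member was silently changed. In a real deployment the manifest for the 2nd and 3rd levels would be written to storage the substation hosts cannot modify.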
2. The NMS shall be deployed in the substation for monitoring of the health status of OS-
based PCs, network devices and other supported devices on L1-L2.5.
3. The NMS system shall support all SNMP protocol versions for data collection, WMI for
Windows based nodes data collection, applicable protocols for Linux based machines and
applicable protocols for SQL database performance monitoring.
4. The NMS system shall use separate SNMP communities to deliver asset details.
5. SNMPv3 shall be used for all compatible devices using the User Security Model with the
auth and priv configuration parameter enabled.
6. SNMPv2 and SNMPv1 shall be configured using a private, unique community name
for each category of device. This shall exclude dictionary words or any company-related
words which are easy to guess or brute-force. Devices shall be configured to send traps only
to the monitoring device and shall be configured to be read-only.
7. All substation devices (switches, routers, firewalls, Windows based nodes, Linux based
nodes, etc.) in the substation shall be configured and added to the substation NMS system
for monitoring.
8. The Substation NMS system shall have a proxy interface and shall be capable of being linked
with the NMS console in the THQZ.
9. Traffic from the substation NMS server in the THQZ shall be sent through a dedicated port
(use of ephemeral ports is prohibited). The required port configuration and rule
configuration on the firewalls and switches shall be implemented by the Contractor.
10. The NMS server shall be a member of an RBAC domain and respective GPO and security
configuration shall be applied to the server.
11. The NMS solution shall have a perpetual license model. For a solution under a GPL or
other open-source license, Transco cyber security team approval shall be obtained in
advance.
12. NMS event and alarm logging subsystem shall be linked to the substation log management
system.
asset type identification (OT/IT) and assign a Purdue level where this asset is located. Asset
configuration changes shall be monitored and alarmed.
18. The IDS sensors in the substation shall be connected to the CMC in the THQZ. Remote
access from THQZ shall only be available through the Management network and shall be
monitored. Phishing resistant two-factor authentication shall be deployed for management
access to the IDS sensors.
3. A secure managed services solution for updates delivery shall be available during the warranty
period for uploading new patches to the patch management system. Patches shall be obtained
only from trusted sources.
4. The patch deployment process on the endpoints shall be done in silent invisible mode with
no system reboot or shutdown.
5. The Contractor shall provide solution for secure patching of air gapped systems in the
substation.
6. The patch management system shall have an extended reporting system using graphs and shall
be able to show discrepancies between the previous and current status of the patches in the
system.
7. In case of failure or errors in patch installation, the system shall revert to its previous
state without impact on the Transco substation operational process.
8. Substation endpoints shall be connected to the patch management system.
9. Any hardware, system, software or solution component being connected to the Transco
PCN shall have the latest security patches and system updates installed. Patching shall be
done prior to the system being connected to the PCN.
8.16 Hardening
Hardening is a method of securing systems and network devices by using a collection of tools,
techniques, and best practices to reduce vulnerability in applications, systems, and networks. The
goal of systems hardening is to reduce security risk by eliminating potential attack vectors and
condensing the system’s attack surface.
1. Comprehensive network and systems hardening shall be deployed on OT assets starting
from preparation for the FAT stage of the project.
2. A detailed design document with components and phases of system hardening shall be
developed and submitted to Transco prior to FAT.
3. Necessary written justification shall be provided to Transco in case where hardening steps
or options cannot be applied to the system.
4. The Contractor shall follow requirements from control system OEM for the hardening of
devices at levels L1, L2, L2.5 with industrial software installed.
5. CIS benchmarks and cyber security best practices for hardening non-process operation
devices and networks on the L1-2.5 layers shall be used for system hardening.
6. System hardening shall be applied to the software, firmware and hardware of all system
devices not limited to but including ICS devices (e.g. IED, PLC, Digital Relays,
Workstations, Servers, Switches, Routers, Firewalls) and other components that have
configurable settings.
7. Host-based firewalls shall be implemented and configured with explicit rules that allow
only approved communications on devices running the Windows and Linux Operating
Systems.
8. Workstations and server hardware shall have the latest version of firmware, drivers and
BIOS updates approved by the relevant vendor.
9. Network devices (e.g. switches, routers, firewalls, etc.) shall have the latest version of
firmware, ROS, IOS, etc. approved by vendor.
10. Unused Network Interface Cards (NIC) or any other forms of unused connectivity (e.g.
Bluetooth, Wi-Fi, cellular, etc.) shall be disabled at the BIOS level.
11. Hardening of Windows devices in SCMS and FMS systems shall be done based on the
OEM recommendations and best cyber security practices. A minimal hardening
configuration shall be agreed with Transco which shall be aligned with Transco cyber
security requirements and the DoE cyber security framework.
12. Hardening for Windows devices, which are not a part of the SCMS and FMS systems shall
be done as per the most robust CIS Benchmarks and Transco requirements.
13. Unnecessary or temporary accounts created in Operating Systems, switches, routers,
firewalls, IEDs, BCUs, GPS, software applications, or any other device shall be removed
from the system.
14. Factory-default accounts shall be renamed and disabled wherever this is applicable and not
prevented by OEM vendor.
15. USB ports shall be disabled in the BIOS unless there is an operational need for them.
16. Non-required user accounts, services, applications, daemons and servers shall be disabled.
17. For Offline and Non-Real Time PCs (such as EWS), antivirus shall be configured for real
time monitoring and on-demand scans.
18. For real time PCs (such as Gateways) antivirus shall be configured for real time monitoring
and on-demand scans with malware prevention completed by whitelisting software.
19. For substation IEDs the following requirements are mandatory:
- All unused IED features (e.g. earlier versions of SNMP) shall be disabled via
software and/or firmware configuration.
- USB ports shall be protected using a physical cap and shall be disabled using device
settings by default. The option must be available to reenable USB ports if and when
required (e.g. for maintenance purposes). User session shall automatically
terminate after a configurable time out.
20. Authentication shall be required to access the substation LAN remotely by configuring the
firewall for proxy authentication.
21. The Contractor shall provide the following evidence of the above requirement being
correctly implemented:
8. All devices on the substation network shall have configuration capabilities to minimize
their attack surface. The reduction in the system's attack surface shall not impede the
required functionality of the system as defined by the system's functional requirements
specification. To achieve this the following shall be undertaken:
- Remove unrequired connectivity
- Disable unrequired network protocols
- Disable unrequired system services or resources
- Disable unrequired device ports and interfaces.
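The attack-surface reduction steps in item 8 above (remove unrequired connectivity, protocols, services, ports and interfaces) can be verified on a Linux host by comparing its listening sockets with the approved communications list. The following Python audit is an added example, not part of the specification; it parses constructed `ss -tulpnH` style output for a hypothetical substation gateway and checks it against an assumed approved-listener table of (protocol, port, expected process).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed `ss -tulpnH` style output for a hypothetical substation gateway
# host; not captured from any real system.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128    0.0.0.0:22      0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:102     0.0.0.0:*   users:(("python3",pid=901,fd=5))
tcp   LISTEN 0      5      0.0.0.0:23      0.0.0.0:*   users:(("telnetd",pid=455,fd=4))
tcp   LISTEN 0      128    0.0.0.0:5900    0.0.0.0:*   users:(("x11vnc",pid=1200,fd=7))
udp   UNCONN 0      0      0.0.0.0:161     0.0.0.0:*   users:(("snmpd",pid=700,fd=6))
udp   UNCONN 0      0      0.0.0.0:5353    0.0.0.0:*   users:(("avahi-daemon",pid=610,fd=12))
tcp   LISTEN 0      128    [::]:22         [::]:*      users:(("sshd",pid=812,fd=4))
"""

# Assumed approved communications for this host: (protocol, port) -> expected process.
APPROVED_LISTENERS: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "sshd",         # management access
    ("tcp", 102): "mms_gateway",  # IEC 61850 MMS gateway process (hypothetical name)
    ("udp", 161): "snmpd",       # SNMP polling by the substation NMS
}

# Netid State Recv-Q Send-Q Local:Port Peer:Port [users:(("proc",pid=..,fd=..))]
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(text: str) -> List[Listener]:
    """Parse listening sockets out of `ss -tulpnH` output (IPv4 and [::] forms)."""
    listeners: List[Listener] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            listeners.append(Listener(m["proto"], m["addr"], int(m["port"]), m["proc"] or "?"))
    return listeners


def audit_listeners(listeners: List[Listener],
                    approved: Dict[Tuple[str, int], str]) -> List[Tuple[Listener, str]]:
    """Flag listeners that are not approved, or approved ports served by an unexpected process."""
    findings: List[Tuple[Listener, str]] = []
    for lst in listeners:
        expected = approved.get((lst.proto, lst.port))
        if expected is None:
            findings.append((lst, "not in approved communications list; disable the service"))
        elif lst.process != expected:
            findings.append((lst, f"approved port served by '{lst.process}' instead of '{expected}'"))
    return findings


def audit_host(text: str = SAMPLE_SS_OUTPUT) -> List[Tuple[Listener, str]]:
    return audit_listeners(parse_ss(text), APPROVED_LISTENERS)
```

The second finding type matters in practice: a port that is on the approved list but is now served by a different binary is exactly the change a hardening baseline should surface, and the same comparison can be repeated against the host-based firewall rules to confirm that nothing outside the approved list is reachable.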
9. Devices shall be capable of storing security audit logs for a minimum period of 3 months.
10. Devices shall use authoritatively sourced timestamps for all generated logs.
11. Network hardware in the substation, such as switches and routers, must support SPAN and
RSPAN configuration. Unmanaged switches shall not be used in the substation network.
12. All OT assets and devices that are part of a substation (Relays, IEDs, AVRs, interface
converters, PLCs, RTUs, switches, routers, firewalls, servers, workstations, thin clients,
etc.) shall support RBAC authentication through RADIUS/LDAP/KERBEROS
authentication protocols and integration.
13. All devices within the substation shall have the respective settings configured for log
transfer to the log management system in the substation.
14. The Contractor shall be responsible for the configuration of hardware security event
reporting systems, to provide relevant information to the cyber security management and
monitoring systems.
15. Country-of-origin information for hardware shall be submitted to Transco prior to the
hardware procurement process.
16. Supply chain security for the equipment shall be provided during the whole equipment
delivery process.
17. Necessary security certifications for the hardware shall be provided as part of the
procurement process and shall be based on Transco’s request.
18. No backdoors or hardcoded user accounts shall exist in the substation devices. The
information about such backdoors, hardcoded user accounts or any other not-documented
features in the substation’s devices shall be provided to Transco.
1. Available cyber security certifications for supplied software shall be provided where
needed for cyber security purposes.
2. The Contractor shall ensure all final documents, licenses, tools, and media are provided to
Transco utilizing suitably and sufficiently secure means of (electronic or physical)
communication.
3. The Contractor shall be responsible for all software licenses (own licenses as well as third
party licenses) for the entire system with prices and details of license (single user, multi-
user, etc.).
4. Suitable and sufficient licenses for all third-party libraries and components shall be part of the
project scope and shall be provided to Transco during the project commissioning stage.
5. Only the latest version of the OS which is compatible with the ICS and/or qualified by the ICS
vendor shall be used on Transco OT infrastructure. The Contractor shall provide a compatibility
matrix from OEM vendors for OSs and ICS systems, with information and/or justification
for the OS selection and implementation process. This shall be provided during the
material submittal stage.
6. Software shall be capable of storing security audit logs for a minimum period of 6 months
or must have configurable option for log size, retention policy, etc.
7. Software shall use authoritatively sourced timestamps for all generated logs.
8. Systems shall be able to trace whether a given user, user group or user type has carried
out a particular action.
9. Service account passwords or application hard-coded passwords that cannot be changed
shall be documented and additional compensating controls shall be identified to protect and
monitor such systems.
10. ICS and cyber security software in substations shall have functions and event reporting in
formats that provide compatibility with as wide a range of products as possible. The
Contractor shall clarify with the Transco security team the detailed report and logging
requirements for the supplied software.
11. All cyber security system related software must be procured with the required licenses. The
licenses should be perpetual; however, if the OEM does not have a perpetual license
model, a subscription-based license shall be provided with validity for the next 3 years
starting from the system commissioning.
12. An official letter from the software OEM shall be provided confirming that a perpetual
licensing model is not supported by the OEM.
13. For the software that is under a GPL, or other open-source license, approval shall be
obtained from the Transco cyber security team in advance of it being used on a system or
as part of system design.
14. Installation of any freeware products is not allowed unless agreed and approved by
Transco.
15. Unnecessary software that does not belong to the scope of work shall not be installed on any
system.
16. Licenses for the cyber security systems shall be registered under a Transco account in the
OEM database (service portal). The registration shall be done using the clsdb@taransco.ae
email address. The Transco cyber security team shall be informed about the registration
process in advance.
17. No backdoors or hardcoded user accounts shall exist in the substation software. The
information about such backdoors, hardcoded user accounts or any other not-documented
features in the substation’s software shall be provided to Transco.
Figure 3 - High Level System Architecture Diagram Showing Connections and Segmentation Between Transco Systems
[Diagram: Level 3 zones (THQZ - Transco Head Quarters Zone, including TCAMC and WAMS; DR - Transco Disaster Recovery Site Zone; FMS Regional Monitoring; ECC - Emergency Control Center; LDC - Load Dispatch Center Zone; IWPP/ADDC - 3rd Party Partners Zone) connected through the S-FW, L-FW, LDC Firewall, IWPP/ADDC Firewall and 3rd party firewalls to the Transco Substation; Level 2.5 Substation Local Cyber Security Services behind the Substation DMZ Firewall (Cyber security physical server #2: Antimalware Server, Log Management Server, Backup & Restore, Secure Remote Access, Network management, IDS Sensor); Level 2 ICS systems (IED / DAU / relays / PLCs etc.) reached via VLANs that combine the necessary physical and logical links between substation ICS systems.]
Notes to figure 3:
1. Each system has an independent connection to the time source.
2. Switches in the ICS systems network are not reflected on the current drawing.
3. DMZ access switches are not reflected on the current drawing.
- Details of 3rd party firewalls on the IWPP / LDC side are outside Transco responsibility.
- Network topology and switches for each substation system are not shown on the current diagram and are subject to detailed design.
- All connections shown, except for the PQM system, are dual.
- The current diagram reflects interconnection details between cyber security systems in the substation DMZ zone and ICS systems.
Title block: CONTROL-PROTECTION-SUPERVISION, Operational Technology Cyber Security Requirements for Industrial Control Systems, Initial Date: 09/04/2023, Rev: 0.
Diagrams are provided for reference only to give an overall idea of the substation architecture levels as per the Purdue model.
Use of Internet
a) Internet connections (inbound/outbound), including remote connections from vendor, sub-
vendor, contractor and subcontractor networks for remote maintenance and other purposes,
are prohibited for the ICS network unless authorized by Transco.
b) The Contractor shall not download, install, or use any unauthorized software or content
from the internet or external sources on ICS computing devices existing at any Transco
ICS Site.
c) Any information derived from the internet for any ongoing activity or project shall be
verified before being used for business purposes.
d) Posting any information (e.g. photos of Transco facilities, photos of the devices
or systems, project documentation, text information related to the software/hardware,
configuration files) on any internet resource (e.g. social media such as LinkedIn or
Instagram, professional and public forums, and any other) is prohibited.
Monitor, Gateways, Operator Workstations, PLC’s, IEDs, etc.) for any purposes such as
charging.
Removable Media
a) The Contractor should not connect any personally owned removable media to Transco ICS
devices without contacting the AOD Cyber Security Section to scan the media, and should
not plug removable media containing Transco ICS data into their personal computing
devices.
b) Any removable media containing any Transco ICS data shall be encrypted.
c) Removable media containing sensitive ICS data shall not leave Transco premises unless
required to execute an authorized business operation with updated record inventory.
INCIDENT SUMMARY
Type of Incident Detected:
☐ Denial of Service ☐ Unauthorized Use
☐ Device/System configuration change detected ☐ Unauthorized access to the OT system
☐ Malicious software detected ☐ Lost credentials to the account/system/device
☐ Network compromised ☐ Unplanned system/network downtime
☐ Abnormal behavior of device/system ☐ Other (Unidentified)
Incident Description:
INCIDENT NOTIFICATION
☐ TRANSCO TCC ☐ TRANSCO Project manager
☐ TRANSCO Cyber security team
ACTIONS TAKEN
Identification measures:
Containment measures:
Eradication measures:
Mitigation measures:
Evidence Collection:
FOLLOW-UP
Reviewed by:
☐ TRANSCO Cyber security team
Note: Cyber security incident form shall be filled in and submitted to TRANSCO Cyber Security Focal point Engineer