
Best Practice

SABP-Z-072 1 October 2015


Functional Specification for Process Automation
System (PAS) Cybersecurity Requirement
Document Responsibility: Plants Networks Standards Committee

Saudi Aramco DeskTop Standards


Table of Contents

1 Introduction ........................................ 2
2 Conflicts with Mandatory Standards ................. 2
3 References ........................................... 3
4 Definitions .......................................... 3
5 Functional Specification ............................. 7
6 Acceptance Testing .................................. 14

Previous Issue: New
Next Planned Update: TBD

Primary contacts: Hussain Salem +966-13-8801361 and Sri Mallur (mallursx) +966-13-8804991

Copyright©Saudi Aramco 2015. All rights reserved.


Document Responsibility: Plants Networks Standards Committee
Issue Date: 1 October 2015
Next Planned Update: TBD
SABP-Z-072 Functional Specification for Process Automation System (PAS) Cybersecurity Requirement

1 Introduction

1.1 Purpose and Intended Users

The purpose of this functional specification document is to establish a minimum
cybersecurity requirement for procurement and testing of process automation
systems (PAS), including laptops, standalone engineering workstations used for
maintenance and engineering activities, HMIs, end devices such as RTUs, IEDs
and PLCs, and other related computers.

This document, together with the related project specification for Scope of Work and
the referenced Saudi Aramco standards, material specifications and project
specifications, shall be used to define the specific procurement requirement of
the process automation systems.

The intended users include all groups responsible for procurement.

1.2 Scope

This functional specification provides guidelines to projects for the minimum
cybersecurity requirements and testing that shall be fulfilled to ensure “security by
design” at the time of system purchase or upgrade. This document is applicable to
grassroots projects, system modifications and upgrades.

1.3 Disclaimer

This document complements other standards, procedures or best practices
provided by the vendor and/or consulting agent for cybersecurity-related
procurement requirements, and shall not be considered “exclusive” or sufficient
on its own to provide “comprehensive” compliance with any Saudi Aramco
Engineering standards requirements.

The use of this document does not relieve the Vendors of their responsibility
to confirm and verify the accuracy of any information presented herein, or of
their duty to coordinate thoroughly with the respective control system steering
committee chairman and relevant engineers to ensure “security by design.”

2 Conflicts with Mandatory Standards

In the event of a conflict between this Best Practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.

Page 2 of 20

3 References

Specific sections of the following documents are referenced within the body of this
document. Material or equipment supplied to this Best Practice shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.

Saudi Aramco References

Saudi Aramco Engineering Procedure
SAEP-99    Process Automation Networks and Systems Security

4 Definitions

This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.

4.1 Acronyms
ACL Access Control List
AD Active Directory
ANSI American National Standards Institute
CSA Computer Security Administration
DC Domain Controller
DCS Distributed Control System
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Service
DRP Disaster Recovery Planning
DSS Decision Support System
ESD Emergency Shutdown Systems
FTP File Transfer Protocol
GOI General Operating Instructions
IED Intelligent Electronic Devices
IOS Internetwork Operating System
IPS Intrusion Prevention System
MOC Management of Change
NDA Non-Disclosure Agreement
NIST National Institute of Standards and Technology
PAN Process Automation Network (also: Plant Information Network)
PAS Process Automation System


PIB Process Interface Buildings
PCN Process Control Network
PCS Process Control Systems
P&CSD Process & Control Systems Department
PLC Programmable Logic Controller
PMS Power Monitoring System
RDP Remote Desktop Protocol
RTU Remote Terminal Unit
SAES Saudi Aramco Engineering Standard
SCADA Supervisory Control and Data Acquisition
SDH Synchronous Digital Hierarchy
SIEM Security Information and Event Management
SLA Service Level Agreement
TCP/IP Transmission Control Protocol / Internet Protocol
TLS Transport Layer Security
TMS Terminal Management System
USB Universal Serial Bus
VLAN Virtual Local Area Network
VMS Vibration Monitoring System
VPN Virtual Private Network
WAN Wide Area Network

4.2 Technical Definitions

Access Control: Means of controlling and regulating access to computing
resources and information.

Authentication: The process of verifying the identity of a user through a code
such as a password.

Authorization: A right or a permission that is granted to an entity to access a
system or a resource.

Backup: A data image stored separately from the original, for use if the
original becomes lost or damaged.

CoGen: Supplementary power generation facilities, normally operated by a
third party.

Confidentiality: The process of ensuring that information is not disclosed to
unauthorized individuals, processes, or devices.


Configuration Baseline: A system configuration that has been approved at a
point in time and should be changed only through a formal change control
procedure. The configuration baseline can be used as the basis for future changes.

Firewall: An inter-network connection device that controls data
communication traffic between two or more connected networks.

Firewire: An IEEE 1394 high performance serial bus standard for connecting
devices to computers.

Hardware Key: A physical key or dongle that is used to regulate access to a
system or an application.

Integrity: The process of ensuring data accuracy and authenticity.

Logs: Files or prints of information in chronological order.

Non-Disclosure Agreement: A contract that restricts the disclosure of
confidential information or proprietary knowledge under specific circumstances.

PAN: A plant-wide network interconnecting Process Control Networks (PCN)
and providing an interface to the WAN. A PAN does not include proprietary
process control networks provided as part of a vendor's standard process control
system.

PAN Administrator: A system administrator who performs day-to-day
maintenance activities on the PAN devices (e.g., administration, configuration,
upgrade, monitoring, etc.). He may also perform additional functions such as
granting, revoking, and tracking access privileges for PCS operating systems
and applications. He may also assume the role of PCS Administrator.

Password: A sequence of characters (letters, numbers, symbols) used as a secret
key for accessing a computer system or network.

PCS Administrator: A system administrator who performs day-to-day system
configuration and monitoring for critical systems such as DCS, SCADA, ESD, etc.

Plant Main Gate(s): Physically restricted access points through perimeter
security fencing into Saudi Aramco process facilities. Such points, when
manned, are typically controlled by Saudi Aramco Industrial Security
Operations (ISO) organizations via identification, privilege validation and
logging. While both manual and electronic procedures are still in use, the use
of electronic ID card readers has become the prevalent methodology.

Process Automation System (PAS): A network of computer-based or
microprocessor-based electronic equipment whose primary purpose is process
automation. The functions may include process control, safety, data acquisition,
advanced control and optimization, historical archiving, and decision support.

Process Control Network (PCN): A proprietary process control network
provided as part of a vendor's standard process control system.

Process Control System (PCS): The integrated system which is used to
automate, monitor and/or control an operating facility (e.g., plant process units).
The PCS consists of operating area DCS and their related auxiliary systems
which are connected together at the PCN and PAN level to form a single
integrated system.

Remote Access: The ability of a user to connect to a network asset (system, device
or application) from a distant location. When connected, the user can monitor or
manipulate the configuration to modify or update the asset’s capabilities.

Secure By Design: Secure By Design is a concept to ensure products are built
using security principles from the ground up. This concept ensures that products
are designed and built incorporating sound cybersecurity principles, as opposed
to bolting on security as an afterthought. In this specific case, security by design
is ensured by adding cybersecurity requirements to the procurement process, thus
ensuring that Aramco buys demonstrably secured products.

Secure Room: A room within the plant premises, e.g., CCR or server rooms, where
physical security controls such as access identification, authorization and
logging are applied.

Separation (Logical): Logical separation is indicated by the virtual isolation of
network assets by means of multiplexing or the use of software emulation
technologies such as VLAN, VPN or SDH dedicated circuits.

Separation (Physical): Physical separation is indicated by the comprehensive
isolation of network assets such as switches, medium and housing cabinets to
achieve the highest level of security.

Server: A dedicated un-manned data provider.

Service account: An account used by a process running on a computer
operating system in a non-interactive mode.

Service Level Agreement (SLA): A contract between a service provider and a
customer; it details the nature, quality, and scope of the service to be provided.

User Account: An established relationship between a user and a computer,
network or information service such as an Operating System or Applications.


Vulnerability: A flaw or weakness in a system's design, implementation,
operation or management that could be exploited to violate the system's integrity
or security policy.

5 Functional Specification

5.1 Account Management

5.1.1 Weak Session Management and Insecure Protocol

Basis

Usernames and passwords can be sniffed and exploited if transmitted in
clear text.

References

SAEP-99 5.1.8.m

Procurement Language

5.1.1.1 System SHALL NOT transmit usernames and passwords in
clear text if they need to leave the system.

5.1.1.2 System SHALL NOT allow concurrent logins for the same
credential.

5.1.1.3 System SHALL provide user account based logout and timeout
settings.

5.1.1.4 System SHALL be configurable to adjust connection timeouts.

5.1.2 Weak Password

Basis

Simple passwords are created to ensure instant availability. This leads to
insecure authentication. Sometimes vendors hard-code passwords to
keep things simple, which in turn leads to security exploits.

References

SAEP-99 5.1.8.m, SAEP-99 5.1.12

Procurement Language

5.1.2.1 System SHALL have an identification and authentication
system utilizing credential or other suitable technology.

5.1.2.2 System SHALL support SAEP-99, Section 5.1.8 password
complexity requirement.

5.1.2.3 System SHALL support SAEP-99, Section 5.1.12 system
access requirements.

5.1.2.4 System SHALL control access to the password configuration
interface of the account management system.

5.1.3 Account Auditing and Logging

Basis

Configuration changes, security events and some sensitive operations
should be logged and audited.

References

SAEP-99 5.1.10.b.i, 5.3.a, NIST 800-92

Procurement Language

5.1.3.1 System SHALL log security events including (but not limited to)
authentication failure, password reset, privilege escalation, etc.

5.1.3.2 System SHALL time stamp and log specific user accounts.

5.1.3.3 System SHALL ensure logging does not impact performance.

5.1.3.4 System SHALL provide means to control access to log files.

5.1.3.5 System SHALL provide ability to log events from Operating
System and Application.
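The session and audit controls of 5.1.1 and 5.1.3 (no concurrent login on one credential, configurable per-account timeout, time-stamped and user-attributed logging of authentication failures) can be exercised in a small model. The block below is an added illustration, not Saudi Aramco or vendor code; the SessionManager design, its method names and the 900-second default timeout are assumptions.

```python
"""Model of the account-session controls in SABP-Z-072 5.1.1 and 5.1.3 (added
illustration, not Saudi Aramco or vendor code). Assumed design: one active session
per credential, a per-account idle timeout, and user-attributed audit records."""
import hashlib, hmac, os, secrets, time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes        # only a salted PBKDF2 hash is stored, never the password
    idle_timeout_s: int   # 5.1.1.3: per-account timeout setting


@dataclass
class Session:
    token: str
    user_id: str
    last_activity: float


class SessionManager:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock   # injectable so an acceptance test can control time
        self._accounts: Dict[str, Account] = {}
        self._sessions: Dict[str, Session] = {}   # token -> Session
        self._active: Dict[str, str] = {}         # user_id -> current token
        self.audit_log: List[dict] = []

    def _audit(self, event: str, user_id: str, **detail) -> None:
        """5.1.3.1 / 5.1.3.2: each security event is time-stamped and tied to a user."""
        self.audit_log.append({"ts": self._clock(), "event": event,
                               "user": user_id, **detail})

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_account(self, user_id: str, password: str, idle_timeout_s: int = 900) -> None:
        salt = os.urandom(16)   # the 900 s default is an assumption, not a page value
        self._accounts[user_id] = Account(user_id, salt,
                                          self._hash(password, salt), idle_timeout_s)

    def set_idle_timeout(self, admin: str, user_id: str, seconds: int) -> None:
        """5.1.1.4: timeouts are configurable, and the change itself is audited."""
        self._accounts[user_id].idle_timeout_s = seconds
        self._audit("timeout_changed", user_id, by=admin, seconds=seconds)

    def _expire_if_idle(self, user_id: str) -> None:
        token = self._active.get(user_id)
        if token is None:
            return
        sess = self._sessions[token]
        if self._clock() - sess.last_activity > self._accounts[user_id].idle_timeout_s:
            self.logout(token, reason="idle_timeout")

    def login(self, user_id: str, password: str) -> Optional[str]:
        """Returns a session token, or None (with an audit record) when refused."""
        acct = self._accounts.get(user_id)
        if acct is None or not hmac.compare_digest(
                self._hash(password, acct.salt), acct.pw_hash):
            self._audit("auth_failure", user_id)
            return None
        self._expire_if_idle(user_id)
        if user_id in self._active:
            # 5.1.1.2: a second login on the same credential is refused and,
            # as 6.1.1.2 requires, leaves an auditable record.
            self._audit("concurrent_login_rejected", user_id)
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = Session(token, user_id, self._clock())
        self._active[user_id] = token
        self._audit("login", user_id)
        return token

    def is_valid(self, token: str) -> bool:
        """Validates a token and enforces that account's idle timeout."""
        sess = self._sessions.get(token)
        if sess is None:
            return False
        self._expire_if_idle(sess.user_id)
        if token not in self._sessions:
            return False
        sess.last_activity = self._clock()
        return True

    def logout(self, token: str, reason: str = "user_logout") -> None:
        sess = self._sessions.pop(token, None)
        if sess is not None:
            self._active.pop(sess.user_id, None)
            self._audit("logout", sess.user_id, reason=reason)
```

The audit_log entries are the evidence a FAT witness would inspect for 6.1.1.2 and 6.1.3.3: each carries a timestamp, the user ID and the event type.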

5.1.4 Role Based Access Control

Basis

Access decisions should be configurable based on roles. This enables
consistent application of policies and reduces security incidents.

References

SAEP-99 5.1.10.j, 5.1.14.d, 5.1.14.g, 5.1.14.i


Procurement Language

5.1.4.1 System SHALL allow for configurable access and permissions
associated to a role.

5.1.4.2 System SHALL create least privilege access to each role.

5.1.4.3 System SHALL ensure that the user cannot perform privilege
escalation to gain higher control.

5.1.4.4 System SHALL provide a means to administer roles (add,
remove users).

5.1.5 Disabling, Removing or modifying well-known or Guest Accounts

Basis

Default usernames and passwords are well known through published
materials and are exploited to gain unauthorized system access.

References

SAEP-99 5.1.8.j

Procurement Language

5.1.5.1 VENDOR SHALL remove (preferable) or disable (if removal is
not possible) all well-known accounts, e.g., admin, guest, etc.

5.1.5.2 Vendor SHALL provide a list of accounts that can be deactivated.

5.1.5.3 Vendor SHALL provide a list of the minimally required accounts to
operate the system that should be kept active.

5.1.5.4 Vendor SHALL provide means to reset default passwords.

5.2 Coding Practice

5.2.1 Coding for Security

Basis

Securely written and properly audited code ensures security by design.

References

N/A


Procurement Language

5.2.1.1 Vendor SHALL write applications with standard secure coding
practice.

5.2.1.2 Vendor SHALL ensure all known application security bugs
have been mitigated.

5.2.2 Malware Detection and Protection

Basis

Malware is the biggest threat to ICS/SCADA. Worms, viruses, Trojans,
etc., pose a big security risk to continued operation of control systems.

References

SAEP-99 5.3.o, 5.3.p

Procurement Language

5.2.2.1 System SHALL have a host based malware (anti-virus) system
on all workstations, servers and computer systems.

5.2.2.2 System SHALL have a means to update the anti-virus with the
latest signature at regular intervals.

5.2.2.3 Vendor SHALL recommend a malware detection system if
not directly providing a malware detection system.

5.2.2.4 Vendor SHALL provide procedures relating to anti-virus
management including proper installation, configuration and
update.

5.3 System Hardening

5.3.1 Removal of Unnecessary Services and Programs

Basis

Unused services on a system are an entry point for exploits, especially if
the unused services are insecure. Furthermore, these unused services are
not monitored.

References

SAEP-99 Section 5.3.s
Performing PN&S Security Compliance Assessment Manual,
Control #7.1, #7.2, #7.3, #7.4

Procurement Language

5.3.1.1 Vendor SHALL provide documentation detailing all
applications, utilities, system services, scripts, configuration
files, databases and all other software required [Whitelisting].

5.3.1.2 Vendor SHALL provide a listing of services including
applications, ports and services required for normal operation
per machine.

5.3.1.3 Vendor SHALL either disable or remove (preferred) all
software, services and ports not required for operation of the PAS
device. This should comply with corporate policy. Common
services that are generally not required (not limited to):
1. Games
2. Messaging services
3. Unused internet services
4. Insecure protocols used for management
(HTTP, FTP, SNMP v1 and 2, Telnet, etc.)
5. Unused communication and networking protocols
6. Backups created during installation or development
7. Sample programs or scripts
8. Unused utilities (not limited to) like MS Office
components, Adobe components, etc.
9. DHCP Server
10. IP BOOTP
11. TFTP Server
12. IP Source route
13. IP Proxy ARP
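An added example (not from this Best Practice or any vendor) of the per-machine check that 5.3.1.1 to 5.3.1.3 imply: parse a host's listening-socket inventory, compare it with the documented whitelist of required services and ports, and flag the insecure management protocols named above. The inventory line format, the sample HMI listing and the whitelist are constructed for this example.

```python
"""Listener-inventory check for SABP-Z-072 5.3.1 (added illustration, not Saudi
Aramco or vendor code): compare what a PAS host listens on with the per-machine
whitelist of required services and ports (5.3.1.1 / 5.3.1.2) and flag the
insecure management protocols named in 5.3.1.3. Input format is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Well-known ports of protocols 5.3.1.3 lists as not required or insecure. SNMP
# v1/v2/v3 cannot be told apart by port, so SNMP is flagged for version review.
FLAGGED_PORTS: Dict[Tuple[str, int], str] = {
    ("tcp", 21): "FTP", ("tcp", 23): "Telnet", ("tcp", 80): "HTTP",
    ("udp", 67): "BOOTP/DHCP server", ("udp", 69): "TFTP",
    ("udp", 161): "SNMP (verify that only v3 is enabled)",
}

@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    process: str

@dataclass(frozen=True)
class Finding:
    kind: str      # "unexpected", "insecure" or "missing"
    proto: str
    port: int
    detail: str

def parse_listeners(text: str) -> List[Listener]:
    """Parses '<proto> <addr>:<port> <process>' lines; an unreadable line is an
    error rather than skipped, because a skipped line could hide a service."""
    listeners = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if len(parts) != 3 or ":" not in parts[1]:
            raise ValueError(f"unparseable inventory line: {raw!r}")
        proto, endpoint, process = parts
        listeners.append(Listener(proto.lower(), int(endpoint.rsplit(":", 1)[1]), process))
    return listeners

def check_host(listeners: List[Listener],
               whitelist: Dict[Tuple[str, int], str]) -> List[Finding]:
    """whitelist maps (proto, port) -> service required for normal operation."""
    findings, seen = [], set()
    for l in listeners:
        key = (l.proto, l.port)
        seen.add(key)
        if key not in whitelist:
            findings.append(Finding("unexpected", *key,
                f"{l.process} not in whitelist: remove (preferred) or disable"))
        if key in FLAGGED_PORTS:   # flagged even if someone whitelisted it
            findings.append(Finding("insecure", *key, f"{FLAGGED_PORTS[key]} ({l.process})"))
    for key, service in whitelist.items():
        if key not in seen:   # build does not match the vendor's own listing
            findings.append(Finding("missing", *key, f"required service {service} not listening"))
    return findings

# Constructed sample: one HMI station's listing and the vendor whitelist for it.
SAMPLE_INVENTORY = """
tcp 0.0.0.0:502 modbus_srv
tcp 0.0.0.0:3389 TermService
tcp 0.0.0.0:23 telnetd
udp 0.0.0.0:161 snmpd
udp 0.0.0.0:69 tftpd
"""
HMI_WHITELIST = {
    ("tcp", 502): "Modbus/TCP to controllers",
    ("tcp", 3389): "RDP for engineering maintenance",
    ("tcp", 443): "HTTPS client access to HMI",
}

def run_sample() -> List[Finding]:
    return check_host(parse_listeners(SAMPLE_INVENTORY), HMI_WHITELIST)

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind.upper():10} {f.proto}/{f.port}: {f.detail}")
```

Because 6.3.1.1 notes that disabled services can be inadvertently re-enabled, the same check is worth re-running at SAT (6.3.1.4) against the FAT-approved whitelist rather than trusting the FAT result.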

5.3.2 Configuration

Basis

Control systems come with multiple storage and communication
capabilities. These can be an entry point for malware if not properly
configured.


References

Performing PN&S Security Compliance Assessment Manual, BIT
Control #1

Procurement Language

5.3.2.1 Vendor SHALL disable all unnecessary storage media like
CD/DVD, USB, etc.

5.3.2.2 System SHALL provide a way for the Administrators to enable
these drives as required and disable them when not required.

5.3.2.3 Vendor SHALL password protect the BIOS from unauthorized
changes. If technically not possible, vendor SHALL document
and provide mitigation.

5.3.2.4 Vendor SHALL provide a list of all disabled hardware and
provide a procedure to enable and disable it as required (for patch
management, anti-virus DAT update, etc.).

5.3.2.5 System SHALL NOT access any resources outside the plant
network. No direct connection outside plant network is
allowed.

5.3.2.6 Vendor SHALL provide security baseline configuration.

5.3.3 Installing Operating Systems, Applications, and Third-party
Software Updates

Basis

Unpatched systems and systems not protected by the latest anti-virus are
easily exploitable.

References

SAEP-99 5.3.j, 5.3.k, 5.3.l

Procurement Language

5.3.3.1 Vendor SHALL provide a patch management process and
update process.

5.3.3.2 Vendor SHALL provide notification of vulnerabilities affecting
the vendor product and/or underlying OS within a pre-negotiated
period after public disclosure.

5.3.3.3 Vendor SHALL notify and provide tested patch within the
pre-negotiated period.

5.3.3.4 Vendor SHALL provide a centralized Network Management
System to manage network components.

5.3.3.5 Vendor SHALL install all the latest patches for all components
i.e. application, Anti-virus, etc.

5.4 Backup and Disaster Recovery

5.4.1 Backup and Recovery

Basis

Systems have to be restored quickly to the last known configuration for
availability. This will ensure continuity of operation.

References

N/A

Procurement Language

5.4.1.1 Vendor SHALL provide a centralized data backup system.

5.4.1.2 Vendor SHALL identify and provide all information needed to
create a usable backup of all critical components including (not
limited to) workstation client data, dynamic database, etc.

5.5 Network Partitioning

5.5.1 Network Devices

Basis

Network devices are used to segment and protect networks. They are used to
forward traffic securely and hence need to be protected.

References

N/A

Procurement Language

5.5.1.1 Vendor SHALL provide a method to manage network devices
and change addressing schemes.


5.5.1.2 Vendor SHALL provide ACL’s, port security address lists.

5.5.1.3 Vendor SHALL document inbound and outbound rules in
firewalls.

5.5.2 Network Architecture

Basis

Poorly designed networks are vulnerable to exploits. Segmentation helps
mitigate this.

References

N/A

Procurement Language

5.5.2.1 Vendor SHALL provide and document a secure network
architecture.

5.5.2.2 Vendor SHALL provide and document the design for all
communication paths between networks of different security
zones.

5.5.2.3 Vendor SHALL provide a mechanism to monitor all DMZ
traffic.

6 Acceptance Testing

6.1 Account Management

6.1.1 Weak Session Management and Insecure Protocol

FAT Measure

6.1.1.1 Vendor SHALL demonstrate that the credential is not transmitted
in clear text by providing scan results and demonstrating that the
credentials are encrypted at transmission [RVL].

6.1.1.2 Vendor SHALL demonstrate that users cannot log in
simultaneously and that doing so creates an auditable log.

6.1.1.3 Vendor SHALL demonstrate timeout, and that the timeout
settings are configurable.


SAT Measure

N/A

6.1.2 Weak Password

FAT Measure

6.1.2.1 Vendor SHALL demonstrate that credentials can be configured
per SAEP-99, Section 5.1.8.

6.1.2.2 Vendor SHALL demonstrate system access can be configured
per SAEP-99 Section 5.1.12.

SAT Measure

N/A

6.1.3 Account Auditing and Logging

FAT Measure

6.1.3.1 Vendor SHALL demonstrate that all account activity is logged
in the log file.

6.1.3.2 Vendor SHALL demonstrate that access to the log file is restricted
by means of access control.

6.1.3.3 Vendor SHALL demonstrate that the log file has time stamp,
userID and other identifying information required for audit is
logged.

SAT Measure

6.1.3.4 Vendor SHALL demonstrate that all logs can be consumed by the
Saudi Aramco SIEM solution.

6.1.4 Role Based Access Control

FAT Measure

6.1.4.1 Vendor SHALL demonstrate that roles are created.

6.1.4.2 Vendor SHALL demonstrate that users are created.

6.1.4.3 Vendor SHALL demonstrate that users are assigned to roles.


6.1.4.4 Vendor SHALL demonstrate permissions are configured for
each role.

6.1.4.5 Vendor SHALL demonstrate that role based attacks like
privilege escalation and others cannot be executed [RVL].

6.1.4.6 Vendor SHALL demonstrate that users can be moved between
roles and every change is audited.

6.1.4.7 Vendor SHALL demonstrate that roles have the right
permission upon login.

SAT Measure

N/A

6.1.5 Disabling, Removing or Modifying Well-known or Guest Accounts

FAT Measure

6.1.5.1 Vendor SHALL demonstrate that all default usernames and
passwords have been removed.

6.1.5.2 Vendor SHALL demonstrate that user account changes are
adequately audited and logged.

6.1.5.3 Vendor SHALL demonstrate that disabling, removing or
modifying well known accounts does not hinder normal
operation.

SAT Measure

6.1.5.4 Vendor SHALL demonstrate that all vendor owned accounts
are removed (preferable) or disabled if they cannot be removed.

6.1.5.5 Vendor SHALL demonstrate that all temporary user accounts
and passwords have been removed and only valid accounts are
retained.

6.2 Coding Practice

6.2.1 Coding for Security

FAT Measure

Vendor SHALL demonstrate that secure coding practice has been used
while developing the product. Vendor can demonstrate this by sharing
the latest static or dynamic scan report, documents pertaining to secure
development methodology, or reports from any other relevant reviews.

SAT Measure

N/A

6.2.2 Malware Detection and Protection

FAT Measure

6.2.2.1 Vendor SHALL demonstrate that adding the malware system does
not affect performance negatively [RVL].

6.2.2.2 Vendor SHALL demonstrate effectiveness of the malware
detection system [RVL].

6.2.2.3 Vendor SHALL demonstrate the procedure to update AV signature
and DAT files to ensure uninterrupted operation.

6.2.2.4 Vendor SHALL run an anti-virus system scan and demonstrate
that the system is not compromised.

SAT Measure

6.2.2.5 Vendor SHALL update the AV with latest signature file.

6.2.2.6 Vendor SHALL run an anti-virus system scan and demonstrate
that the system is clean.

6.3 System Hardening

6.3.1 Removal of Unnecessary Services and Programs

FAT Measure

6.3.1.1 Vendor SHALL provide proof that unnecessary services are
removed (preferable) or disabled. (Disabled services can be
inadvertently enabled.)

6.3.1.2 Vendor SHALL provide for each networked device (switch,
workstation, etc.) the following information:
- Underlying Operating System dependencies
- Any other dependencies outside this device

6.3.1.3 Vendor SHALL map required network services to the port and
protocol.

SAT Measure

6.3.1.4 Vendor SHALL verify that all unnecessary services have been
removed (preferably) or disabled if it cannot be removed per
FAT acceptance.

6.3.2 Configuration

FAT Measure

6.3.2.1 Vendor SHALL provide proof that unnecessary hardware has
been disabled.

SAT Measure

6.3.2.2 Vendor SHALL provide proof that unnecessary hardware has
been disabled.

6.3.2.3 Vendor SHALL demonstrate the validity of the baseline by
sampling a few configurations.

6.3.3 Installing Operating Systems, Applications, and Third-party
Software Updates

FAT Measure

6.3.3.1 Vendor SHALL demonstrate latest patches have been installed.

SAT Measure

6.3.3.2 Vendor SHALL demonstrate that all latest patches have been
applied on all system components, i.e., application, anti-virus,
etc.

6.3.3.3 Vendor SHALL demonstrate that all known vulnerabilities
have been mitigated, i.e., vulnerabilities in the National
Vulnerability Database (NVD).

6.4 Backup and Disaster Recovery

6.4.1 Backup and Recovery

FAT Measure

6.4.1.1 Vendor SHALL demonstrate that the automatic backup is
configured and functioning for the entire system.

6.4.1.2 Vendor SHALL demonstrate the backup recovery and
resumption of normal operation for a sample type.

6.4.1.3 Vendor SHALL deliver a complete backup after all FAT is
completed.

SAT Measure

6.4.1.4 Vendor SHALL deliver a complete backup after all SAT is
completed.

6.5 Network Partitioning

6.5.1 Network Devices

FAT Measure

6.5.1.1 Vendor SHALL demonstrate the network management system
and demonstrate that static addresses can be assigned to systems.

6.5.1.2 Vendor SHALL document open ports and provide documents
of traffic origination.

6.5.1.3 Vendor SHALL document and demonstrate the ACLs, port
security, etc., on all devices to ensure system security.

6.5.1.4 Vendor SHALL document port to protocol assignment.

SAT Measure

6.5.1.5 Vendor SHALL demonstrate that firewall rules are in place per
FAT.

6.5.1.6 Vendor SHALL disable all unused Ethernet ports.

6.5.2 Network Architecture

FAT Measure

6.5.2.1 Vendor SHALL provide and document that only the higher
security zone originates traffic.

6.5.2.2 Vendor SHALL verify that all restricted traffic going out of
plant network is routed through DMZ.


6.5.2.3 Vendor SHALL verify that DMZ traffic is monitored.

SAT Measure

N/A
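The zone-direction checks in 6.5.2.1 and 6.5.2.2 (together with the rule documentation asked for in 5.5.1.3 and the design of cross-zone paths in 5.5.2.2) can be applied mechanically to a documented rule set. This is an added example, not this Best Practice's or any vendor's code; the zone names, their security ordering, and the one-rule-per-line format are assumptions.

```python
"""Zone-policy review of documented firewall rules (SABP-Z-072 5.5.1.3,
5.5.2.2 and the 6.5.2 acceptance checks). Added illustration, not Saudi
Aramco or vendor code. The zone names, their security ordering and the
one-rule-per-line format 'permit|deny <proto> <src> -> <dst> <port|any>'
are assumptions made for this example."""
from typing import Dict, List, NamedTuple

# Assumed ordering: a larger number is a higher-security zone.
ZONE_LEVEL: Dict[str, int] = {"WAN": 0, "DMZ": 1, "PAN": 2, "PCN": 3}
PLANT_ZONES = {"PAN", "PCN"}   # 5.3.2.5: no direct connection outside these


class Rule(NamedTuple):
    action: str
    proto: str
    src: str
    dst: str
    port: str


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) != 6 or parts[3] != "->":
            raise ValueError(f"malformed rule: {raw!r}")
        action, proto, src, _, dst, port = parts
        if action not in ("permit", "deny") or src not in ZONE_LEVEL or dst not in ZONE_LEVEL:
            raise ValueError(f"unknown action or zone in rule: {raw!r}")
        rules.append(Rule(action, proto.lower(), src, dst, port))
    return rules


def review(rules: List[Rule]) -> List[str]:
    """Returns one finding per violated clause; an empty list means the
    documented rule set is consistent with the zone policy."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if ZONE_LEVEL[r.src] < ZONE_LEVEL[r.dst]:
            # 6.5.2.1: only the higher-security zone may originate traffic
            findings.append(f"6.5.2.1: {r.src} (lower security) originates "
                            f"{r.proto}/{r.port} into {r.dst}")
        if r.src in PLANT_ZONES and r.dst == "WAN":
            # 6.5.2.2: traffic leaving the plant network must pass through the DMZ
            findings.append(f"6.5.2.2: {r.src} reaches WAN directly on "
                            f"{r.proto}/{r.port}; must be routed through DMZ")
    return findings


# Constructed sample rule set (not taken from any real site).
SAMPLE_RULES = """
permit tcp PCN -> PAN 1433   # controller data to historian
permit tcp PAN -> DMZ 443    # historian mirror in the DMZ
permit tcp DMZ -> WAN 443    # DMZ relay to the corporate network
permit tcp WAN -> PAN 3389   # remote desktop from outside the plant
permit tcp PAN -> WAN 80     # PAN workstation web access
deny   ip  WAN -> PCN any
"""


def run_sample() -> List[str]:
    return review(parse_rules(SAMPLE_RULES))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```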

Revision Summary
1 October 2015 New Saudi Aramco Best Practice to ensure cyber security requirements are included for new
project or upgrade procurement.
