
Engineering Procedure

SAEP-99 20 April 2008


Process Automation Networks & Systems Security
Communications Standards Committee Members
Ghamdi, Khalid Sulaiman, Chairman
Muammar, Rushdi Husain, Vice Chairman
Shammary, Diab Methqal
Mushcab, Rami Talib
Walaie, Soliman Abdullah
Bamardouf, Lutfi Hussain
Mutairi, Salman Ayedh
Rajeh, Majed Fahad
Abu Alsaud, Zakarya Abdulelah
Daraiseh, Abdelghani A.
Kille, Bradley Clyde
Tamimi, Mohammed Abdulaziz
Qanber, Yousuf Abdul Aziz
Musabeh, Ali Hamza
Harbi, Saad Abdullah
Elwi, Salem Saud
Almadi, Soloman Musa
Gotsis, Stavros D
Kahtani, Waheed Hazza










Saudi Aramco DeskTop Standards

Table of Contents

1 Scope............................................................ 2
2 Conflicts and Deviations............................... 2
3 Referenced Documents................................. 3
4 Instructions.................................................... 3
5 Responsibilities............................................ 14
6 Definitions.................................................... 15
7 Abbreviations............................................... 17


Previous Issue: 28 October 2007 Next Planned Update: 27 October 2012
Revised paragraphs are indicated in the right margin Page 1 of 18
Primary contact: Abu Alsaud, Zakarya Abdulelah on 966-3-8737316

Copyright Saudi Aramco 2008. All rights reserved.
Document Responsibility: Communications SAEP-99
Issue Date: 20 April 2008
Next Planned Update: 27 October 2012 Process Automation Networks & Systems Security


Page 2 of 18
1 Scope
This procedure provides minimum mandatory security requirements for Industrial
Automation & Control Systems (IA&CS) including the networks and plant facilities.
This procedure is retroactive to all Saudi Aramco Plants. The scope of this procedure
includes but is not limited to:
Networks and Systems hardware and software such as Process Automation Network
(PAN), Distributed Control Systems (DCSs), Emergency Shutdown Systems (ESD),
Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition
(SCADA) systems, Terminal Management Systems (TMS), networked electronic
sensing systems, Power Monitoring System (PMS), Vibration Monitoring (VMS)
and other monitoring, diagnostic and related industrial automation and control
systems.
Associated internal, human, network, or machine interfaces used to provide control,
safety, maintenance, quality assurance, and other process operations functionalities
to continuous, batch, discrete, and combined processes.
The security requirements address the following eight security domains:
1) Access Control Systems & Methodology
2) Communications & Networks Security
3) Security Management Practices
4) Applications & Systems Development Security
5) Security Architecture & Models
6) Operations Security & Management
7) Disaster Recovery Planning (DRP)
8) Physical Security.
2 Conflicts and Deviations
2.1 Any conflicts between this Procedure and other applicable Saudi Aramco
Engineering Standards (SAES's), Materials System Specifications (SAMSS's)
Standard Drawings (SASDs), or industry standards, codes, and forms shall be
resolved in writing to the Manager, Process & Control Systems Department of
Saudi Aramco, Dhahran.
2.2 Direct all requests to deviate any mandatory security requirement from this
procedure in writing to the Manager, Process & Control Systems Department
of Saudi Aramco, Dhahran who shall follow internal company procedure
SAEP-302.
3 Referenced Documents
The requirements contained in the following documents apply to the extent specified in
this procedure.
3.1 Saudi Aramco References
Saudi Aramco Engineering Standards
SAES-Z-010 Process Automation Networks Connectivity
Saudi Aramco Engineering Procedure
SAEP-302 Instructions for Obtaining a Waiver of a
Mandatory Saudi Aramco Engineering
Requirement
SAEP-1050 Guideline for Disaster Recovery Plan
Development for Decision Support System
Saudi Aramco Engineering Reports
SAER-6123 Process Automation Networks Firewall
Evaluation Criteria
Saudi Aramco General Instructions
GI-0710.002 Classification of Sensitive Information
GI-0299.120 Sanitization and Disposal of Saudi Aramco
Electronic Storage Devices and
Obsolete/Unneeded Software
Company Policy
INT-7 Data Protection and Retention
3.2 Industry Codes and Standards
The Instrumentation, Systems, and Automation Society
ISA-TR99.00.01-2004 ISA Technical Report: "Security Technologies for
Manufacturing and Control Systems", March
11, 2004
ISA-TR99.00.02-2004 ISA Technical Report: "Integrating Electronic
Security into the Manufacturing and Control
Systems Environment", April 12, 2004
ISA-d99.00.01 ISA Security Standard: "Security for Industrial
Automation and Control Systems Part 1:
Terminology, Concepts and Models", February
2007
4 Instructions
In this procedure, the terms "must", "shall", "should" and "can" are used. When must or
shall is used, the item is a mandatory requirement. When should is used, the item is
strongly recommended but not mandatory. When can is used, compliance may further
enhance the system security but compliance is optional.
This procedure shall be applied to all systems and networks as appropriate by
knowledgeable Process Control Systems personnel. It helps to identify and address a
wide spectrum of vulnerabilities, and to mitigate the risk of undesired intrusions that
could compromise confidential information or cause disruption or failure in the IA&CS.
The following are requirements for plants networks and systems security:
a) Follow and apply "IA&CS vendor" recommendations and requirements for
systems and networks security including Antivirus software and upgrades and
security patches with a prior economic analysis of risk versus cost. "IA&CS
vendor" refers to the vendor or manufacturer of the IA&CS.
b) The user of this procedure must exercise sound professional judgment concerning
its use and applicability under user's particular circumstances. The user must also
consider the applicability of any government regulatory, Saudi Aramco standards,
and safety practices before implementing this procedure.
c) The delegation of any PAN management or operational function to another entity
shall be executed through a Service Level Agreement (SLA).
4.1 Access Control Systems & Methodology
The IA&CS access shall be restricted to plant authorized personnel such as
Operators, Engineers and Maintenance personnel that are authorized to operate
or administer the network and perform system configuration, diagnostics, and
system monitoring.
4.1.1 Authentication and Authorization
Authorization can be as granular as determining access to specific files
in an application or as encompassing an access to a network.
Authentication describes the process of positively identifying potential
network users, hosts, applications, services, and resources using a
combination of identification factors or credentials.
Passwords, if supported by the system or application, shall be the
minimum authentication requirement. The logon/logoff process shall
cause neither system interruptions nor momentary loss of view. For
systems with hardware key authentication, the key must be securely
guarded and logged.
The following are the requirements for the passwords:
a) Passwords shall have appropriate length and entropy
characterization for the security required. In particular, they should
not be found in a dictionary or contain predictable sequences of
numbers or letters.
b) Passwords shall be used with care on operator interface devices
such as control consoles on critical processes. Passwords shall be
guarded to prevent unauthorized access.
c) User Account password shall not be stored electronically in
unprotected files.
d) All vendor-supplied default passwords for predefined accounts
shall be changed immediately after installation or upgrade.
e) In order to change user account passwords, users should always be
required to provide both their old and new passwords, if supported
by the system.
f) The keeper of master passwords or his backup(s) shall always be
available to ensure continuous operations. A password log,
especially for master passwords, shall be maintained separately
from the IA&CS, possibly in a notebook locked in a vault or safe.
g) For user authentication purposes, password use is common and
generally acceptable for users logging directly into a local device
or a computer. Passwords shall always be encrypted when sent
between networks.
h) An automatic message, if supported by the system, should be sent
to users notifying them of the number of days remaining before their
passwords expire.
Individual accounts are mandatory for Supervisors, Engineers and
Administrators, if supported by the system.
4.1.2 User Account Types
a) Application accounts are those associated with applications.
The password for such accounts should always be used in
encrypted/protected and encapsulated form and shall not be coded
into the application in plain text.
b) Operator Accounts are those used by Operators to access the
system and operate the plant. Such Accounts shall have a restricted
user profile so that the operator will not be able to install programs,
change software configuration, or access floppy disk, CD drives, or
any removable media.
Shared operator accounts shall be restricted to those authorized and
documented/tracked regularly.
Individual Operator Accounts are mandatory, if supported by the
system, for un-attended areas such as Process Interface Buildings
(PIBs).
c) GUEST accounts shall be disabled on all systems.
d) Super/Privileged Accounts are those used by System
Administrators and Engineers. The use of Super/Privileged
Accounts shall be limited for system support purposes and system
diagnostics and configuration and only when necessary. These
accounts shall be reviewed every 12 months. Super/Privileged
User Accounts shall be locked when not needed.
e) Operator and Application Accounts shall be excluded from
automatic password change policy; however, the PAN
administrator shall make sure that Application Accounts passwords
are changed manually every 12 months.
4.1.3 User Account Format
The structure of the user account should be [xxxxxxfm], where [xxxxxx]
is the first six characters of the last name, [f] is the first initial of the
first name and [m] is the first initial of the middle name. Numeric and
special characters should be removed from the user account. The Arabic
prefixes Al, Al-, El and El- should be removed from the last name, and "x"
should be used when there is no middle initial. If more than one
employee has the same last name, first initial and middle initial, the
following steps should be followed:
a) Up to 4 characters of last name, first initial and middle initial are
used with an assigned suffix as the last 2 characters.
b) The first suffix will always start with a numeric in the range 0-9,
and the second character of the suffix will be in the ranges A-Z,
0-9.
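As an added illustration (not part of SAEP-99), the following Python code builds account IDs according to the [xxxxxxfm] rule above, including prefix removal, the "x" placeholder for a missing middle initial and the four-character-plus-suffix fallback for duplicates. It assumes lower-case IDs, that the prefix rule is applied literally to the start of the last name, that only the later duplicate (not the first holder) receives the suffixed form, and that suffixes are issued in the order 0A, 0B, ..., 0Z, 00, ..., 09, 1A, ...; none of these details is fixed by the procedure.

```python
import re
import string
from itertools import product

# Prefixes named in 4.1.3; the hyphenated forms are tried first.
ARABIC_PREFIXES = ("al-", "el-", "al", "el")
# Suffix alphabet from 4.1.3(b): first character 0-9, second A-Z or 0-9.
# The issuing order (A-Z before 0-9 for the second character) is an assumption.
SUFFIX_FIRST = string.digits
SUFFIX_SECOND = string.ascii_uppercase + string.digits


def _clean(part: str) -> str:
    """Lower-case and drop numeric and special characters (only a-z survive)."""
    return re.sub(r"[^a-z]", "", part.lower())


def _strip_prefix(last_name: str) -> str:
    """Remove one leading Al, Al-, El or El- prefix from the last name."""
    lowered = last_name.strip().lower()
    for prefix in ARABIC_PREFIXES:
        if lowered.startswith(prefix) and len(lowered) > len(prefix):
            return lowered[len(prefix):]
    return lowered


def _initial(name: str) -> str:
    """First letter of a name, or "x" when there is no usable name (e.g. no middle name)."""
    cleaned = _clean(name)
    return cleaned[0] if cleaned else "x"


def base_account(last_name: str, first_name: str, middle_name: str = "") -> str:
    """[xxxxxxfm]: first six letters of the last name, first initial, middle initial."""
    return _clean(_strip_prefix(last_name))[:6] + _initial(first_name) + _initial(middle_name)


def _suffixes():
    """Two-character collision suffixes in issuing order: 0A, 0B, ..., 0Z, 00, ..., 09, 1A, ..."""
    for first, second in product(SUFFIX_FIRST, SUFFIX_SECOND):
        yield (first + second).lower()


def assign_account(last_name: str, first_name: str, middle_name: str, existing: set) -> str:
    """Return a unique account ID and record it in `existing` (the set of IDs already issued).

    When the plain [xxxxxxfm] form is taken, fall back to the 4.1.3(a)/(b) form:
    up to four letters of the last name, the two initials, then the next free suffix.
    """
    candidate = base_account(last_name, first_name, middle_name)
    if candidate not in existing:
        existing.add(candidate)
        return candidate
    short = _clean(_strip_prefix(last_name))[:4] + _initial(first_name) + _initial(middle_name)
    for suffix in _suffixes():
        candidate = short + suffix
        if candidate not in existing:
            existing.add(candidate)
            return candidate
    raise ValueError(f"no free suffix left for {short}")


if __name__ == "__main__":
    issued = set()
    # Constructed sample employees; the second collides with the first.
    for person in [("Al-Ghamdi", "Khalid", "Sulaiman"), ("Ghamdi", "Khaled", "Saad"),
                   ("Mushcab", "Rami", ""), ("Abu Alsaud", "Zakarya", "Abdulelah")]:
        print(person, "->", assign_account(*person, issued))
```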
4.1.4 System Access
a) System Login scripts, if any, shall be configured to prevent a user
bypassing them.
b) Warning banners on all systems, if supported, shall be enabled.
Every computer will require changes to its system files to ensure
that the banner is displayed whenever the system is turned on or a user
logs on.
c) Repeated login failures shall be logged, if supported by the system,
with the location, date, time and user account used without
indicating whether the failure is caused by the wrong user name or
password. An alert message should be sent to the PAN
administrator in the event of repeated login failures.
d) At login time, every user should be given information reflecting the
last login time and date, if supported by the system.
e) No dial-in is allowed for control purposes. Vendor remote
troubleshooting and testing is the only exception, provided that such
activity is strictly monitored, documented, and on a temporary basis
with the authorization of plant operations/management.
f) Remote access to plant applications from the corporate network or
Internet, for control purposes, is not permitted.
g) PAN Administrator shall assume the responsibility of
adding/removing user's access from the proxy applications servers
for his designated plant applications.
h) Auto-logoff feature, if supported, shall be configured for all
unattended systems excluding operators' consoles.
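An added example (not from the procedure) of the logging behaviour required by 4.1.4(c) and (d): failed attempts are recorded with location, date, time and account but with one generic reason, an alert for the PAN Administrator is raised when failures repeat, and a successful login returns the previous login time. The threshold of three failures within ten minutes, the log line format and the message texts are assumptions; sample times and accounts are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values: SAEP-99 requires alerting on "repeated" failures
# without fixing a count or a time window.
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=10)
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass
class LoginMonitor:
    log: list = field(default_factory=list)      # audit log lines the system keeps
    alerts: list = field(default_factory=list)   # messages for the PAN Administrator
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _last_login: dict = field(default_factory=dict)

    def attempt(self, account: str, location: str, when: datetime, success: bool) -> str:
        """Record one login attempt and return the text shown to the user.

        The failure record and the user-facing message use one generic reason, so
        neither reveals whether the account name or the password was wrong.
        """
        stamp = when.strftime(TIME_FORMAT)
        if success:
            previous = self._last_login.get(account)
            self._last_login[account] = when
            self._failures.pop(account, None)       # a good login closes the failure run
            self.log.append(f"{stamp} LOGIN_OK account={account} location={location}")
            if previous is None:
                return "Welcome. No previous login on record."
            return f"Last login: {previous.strftime(TIME_FORMAT)}"

        self.log.append(f"{stamp} LOGIN_FAILED account={account} location={location}")
        recent = self._failures[account]
        recent.append(when)
        while recent and when - recent[0] > FAILURE_WINDOW:   # keep only the window
            recent.popleft()
        if len(recent) >= FAILURE_THRESHOLD:
            self.alerts.append(
                f"ALERT for PAN Administrator: {len(recent)} failed logins for "
                f"account={account}, latest from location={location} at {stamp}")
            recent.clear()                          # one alert per burst
        return "Login failed."


if __name__ == "__main__":
    monitor = LoginMonitor()
    start = datetime(2008, 4, 20, 8, 0, 0)          # constructed timestamps
    for minute, ok in ((0, False), (1, False), (2, False), (3, True)):
        print(monitor.attempt("ghamdiks", "CR-1", start + timedelta(minutes=minute), ok))
    print("\n".join(monitor.log + monitor.alerts))
```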
4.2 Security Management Practices
4.2.1 Security Policies
In addition to this procedure, the following are applicable Saudi Aramco
documents for plants information security policies:
a) Management Statement of Policy "INT-7"
(URL: http://corpplan/LRPD1/corporat.htm)
b) Classification of Sensitive Information "GI-0710.002",
dated 15 January 2002 (URL: http://gi/html/data/0710_002.pdf).
c) Sanitization and Disposal of Saudi Aramco Electronic Storage
Devices and Obsolete/Unneeded Software "GI-0299.120", dated
December 2005 (URL: http://gi/html/data/0299_120.pdf).
4.2.2 Classification of Information
The plant operations/management is responsible for classifying,
controlling access to, and safeguarding such information as per
GI-0710.002. The classification of information ensures that information
labeled as sensitive is protected according to its classification.
4.2.3 Security Awareness
Security awareness refers to the general, collective awareness of an
organization's personnel of the importance of security and security
controls. Plant management shall ensure that their personnel have an
adequate understanding and awareness of security. This can be done
through:
a) Live/Interactive Presentations: Security awareness presentations on
an annual basis or as needed.
b) Publishing/Distribution: Posters, company newsletter, email,
updates, alerts, etc.
Saudi Aramco departments, such as the IPD/Awareness Group, Industrial
Security, P&CSD, etc., can be contacted for assistance.
4.3 Applications & Systems Development Security
a) The applications vendor default password shall be changed if supported
and it does not affect the operations.
b) If available, applications must log all successful and unsuccessful logon
attempts and time of logons. It must also log sensitive transactions and
sensitive changes as defined by the application owner. The log shall
identify what, when and who made the change.
c) All special access paths, doors and short-cuts used for developing the
application shall be removed prior to moving the application to production.
d) IA&CS shall have all unnecessary services disabled.
4.4 Security Architecture & Models
4.4.1 Communication and Network Security Control
a) Ensure physical and logical separation between Plant Automation
Networks and Corporate Network inside plant fence.
Commentary Note:
The table below provides further details on the minimum
requirements:

Physical Space: Locked Cabinet
Network, In-Plant Connectivity: Dedicated cables for both primary and
backup
Network, Remote Site Connectivity: Fiber optic strands for primary and a
dedicated transmission circuit (i.e., SDH) for backup

b) Monitoring plants applications from the corporate network shall be
allowed via only proxy servers.
c) PAN shall not interface as gateways to non-Saudi Aramco
networks such as Internet.
d) PAN clients shall not be configured to access IT services such as
e-mail, Internet/Intranet, and File and Print Sharing.
e) All nodes on the PAN shall be assigned static IP addresses.
Dynamic Host Configuration Protocol (DHCP) shall not be used
anywhere on the PAN.
4.4.2 Firewalls Filtering, Blocking, and Access Control:
Firewalls shall:
a) Control access and prevent undesirable packets into/out of a
protected network.
b) Enable information logging for traffic monitoring and intrusion
detection.
c) Dedicated firewall hardware shall be used to interface a PAN to the
Corporate Network.
d) The fundamental policy for configuring firewalls in plants
automation networks shall be "DENY UNLESS SPECIFICALLY
PERMITTED".
e) Antivirus and Intrusion Prevention functionalities should be
installed on the PAN interface to the Corporate Network.
f) A patch management policy should be developed and maintained in
order to help identify the latest signature files and upgrades.
g) A procedure should be developed in order to help properly change
the firewall Access Control List (ACL) based on information
collected from the Intrusion Prevention System (IPS).
h) The Firewall is an integral part of the PAN and shall be placed
within the Plants fence.
i) Network traffic through the firewall shall be limited to server-to-
server connections and through selected IP ports. Any Corporate
Network's user requiring access to Plant's Systems shall use Proxy
Servers (See figure 1).
j) A PAN comprising multiple scattered PANs should interface
with the Corporate Network via a centralized firewall. Hence, such
PANs shall be connected together in order to establish one PAN
utilizing the corporate transmission infrastructure (i.e., SDH
dedicated bandwidth/Dark Fiber).
k) Additional detailed network configurations can be found in
SAES-Z-010 "Process Automation Networks Connectivity".
l) Blocking shall be based on allowing specifically enabled
communications between devices (Server-to-Server) on the
Corporate Network and the PAN. The enabled communications
shall be based on source and destination pairs, services, and ports.
Blocking shall be enabled for both inbound and outbound
communications.
SAER-6123, "Process Automation Networks Firewall Evaluation
Criteria" provides additional guidelines for firewall configuration
and hardware selection.
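As an added example (not part of SAEP-99 or SAER-6123), the following Python model applies the 4.4.2 rules: a new connection between the PAN and the Corporate Network is denied unless an explicit server-to-server rule for that direction, source/destination pair, service and port exists, each rule is validated to be host-to-host on a single port, and every decision is logged. The address plan, ports and service names are constructed, and only connection initiations are modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan for the example.
PAN_NET = ip_network("10.10.0.0/16")        # Process Automation Network
CORP_NET = ip_network("10.20.0.0/16")       # Corporate (IT) Network


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" = Corporate -> PAN, "outbound" = PAN -> Corporate
    src: str         # single host only (server-to-server, 4.4.2 i and l)
    dst: str
    proto: str       # "tcp" or "udp"
    port: int        # one selected port
    service: str     # records why this pair is enabled


def direction_of(src: str, dst: str):
    """Classify a flow by which side initiates it; None if it is not PAN<->Corporate."""
    s, d = ip_address(src), ip_address(dst)
    if s in PAN_NET and d in CORP_NET:
        return "outbound"
    if s in CORP_NET and d in PAN_NET:
        return "inbound"
    return None


def validate_rule(rule: Rule) -> None:
    """Reject rules that are not host-to-host on one port in a consistent direction."""
    ip_address(rule.src)   # raises ValueError for a network such as 10.20.0.0/24
    ip_address(rule.dst)
    if rule.proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {rule.proto!r}")
    if not 0 < rule.port < 65536:
        raise ValueError(f"port out of range: {rule.port}")
    if direction_of(rule.src, rule.dst) != rule.direction:
        raise ValueError(f"rule direction {rule.direction!r} does not match its addresses")


# Constructed allow list: the only communications specifically permitted.
ALLOW = [
    Rule("outbound", "10.10.1.10", "10.20.5.20", "tcp", 5450, "plant historian to MIS historian"),
    Rule("inbound", "10.20.5.30", "10.10.1.11", "tcp", 443, "proxy server to application server"),
]
for _rule in ALLOW:
    validate_rule(_rule)


def evaluate(src: str, dst: str, proto: str, port: int, log: list) -> bool:
    """DENY UNLESS SPECIFICALLY PERMITTED for a new connection in either direction.

    Reply packets of a permitted connection are assumed to be handled by
    stateful inspection and are not modelled here.
    """
    direction = direction_of(src, dst)
    for rule in ALLOW:
        if (rule.direction, rule.src, rule.dst, rule.proto, rule.port) == (direction, src, dst, proto, port):
            log.append(f"PERMIT {direction} {src}->{dst} {proto}/{port} ({rule.service})")
            return True
    log.append(f"DENY {direction or 'non-PAN'} {src}->{dst} {proto}/{port}")
    return False


if __name__ == "__main__":
    decisions = []
    evaluate("10.10.1.10", "10.20.5.20", "tcp", 5450, decisions)   # permitted pair
    evaluate("10.20.7.7", "10.10.1.11", "tcp", 443, decisions)     # workstation, not the proxy
    print("\n".join(decisions))
```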

Figure 1: Process Automation Network to Aramco IT Network connectivity.
The PAN (DCS, SCADA, CCTV, VMS attached through splitters) is served by an
active and a hot-standby Backbone Switch, connected to an active and a
hot-standby Firewall; a Scan Node sits on the PAN side, and the Plant
Historian makes a server-to-server connection through the Firewall. On
the Aramco IT Network side are the Proxy Server (under Plant Control, or
IT Control with an SLA) and MIS clients 1 to n.

4.5 Operations Security & Management
4.5.1 Monitoring
All available network and system logs shall be examined and monitored
on both a periodic basis and when abnormal activities may indicate
problems. PAN Administrator shall control and validate the access to
these log files.
Commentary Note:
Recommended monitoring tools:
a) Account logging events to monitor logon attempts (successful and
unsuccessful).
b) Events viewer logs.
c) System events such as system and service startup and shutdown.
d) Firewall logs, configurations and policies.
The PAN Administrators shall perform and maintain regular reviews for
the following:
i) Regular review of all accounts shall be performed to ensure
continued legitimacy for business needs.
ii) Inactive users shall be revoked.
iii) List of users accessing internal devices such as firewalls and
switches.
iv) Firewall penetration test of the plants networks is recommended to
highlight any weaknesses and vulnerabilities.
v) All unused ports in any network devices such as routers and
switches shall be disabled.
vi) IA&CS shall be synchronized with accurate time and date stamps.
4.5.2 Reporting of Computer Security Incidents
The reporting of a computing incident must be done promptly. It is the
responsibility of the proponent plant management, their designated staff,
or the PAN Administrator, to write a memorandum, detailing any
computer irregularity incident to Corporate Security Services/Computer
Security Administration (CSA). In the case of hardware theft, the
incident must be reported to plant management who will report it to
Industrial Security.
If any user or organization suspects a computer security incident
implicating an individual, and where a formal investigation might be
required, they must contact their PAN Administrator. The PAN
Administrator will evaluate the incident and, if warranted, report it to
CSA via "Incident Reporting" on "http://csa.aramco.com.sa".
In urgent situations, the PAN Administrator should report these computer
security incidents to CSA by phone via the numbers for "CSA Head" or
"Computer Security Investigation" listed in the "Contacts" section of the
CSA website. The "Incident Reporting" facility on CSA's website
should then be used to document and confirm the PAN Administrator's
report by phone.
4.6 Disaster Recovery Planning (DRP)
The following are the requirements for Disaster Recovery Planning (DRP) for
Saudi Aramco IA&CS excluding Decision Support Systems (DSS). For further
information of DSS Disaster Recovery Plan, refer to SAEP-1050.
a) The mission and objective of the DRP document is to provide
instructions for restoring plant operation and resuming production with
the fastest possible response time, without impacting safety or the
plant's assets and personnel.
b) A team, within each plant or in a centralized location, shall be
established and well trained to develop, implement, test, use and maintain
the DRP.
c) Key personnel list shall be clearly identified including plant personnel,
support organizations and vendors.
d) The Plant is responsible for developing a DRP that covers all critical
IA&CS installed in the plant whose loss would impact plant
production.
e) The DRP shall define the data backup strategy including the systems to
backup, files to backup, the storage media, the locations of the storage and
the storage rotation.
f) The DRP shall be included as part of the overall plant process disaster
response plan.
g) It is highly recommended to fully automate the data backup operation to
avoid human errors and ensure integrity.
h) A minimum of one copy set of the data backup and recovery shall be
stored and maintained at a secure, off-site location.
i) Critical IA&CS databases shall be backed up to hard drives on a daily
basis. The data required for a complete backup and restore shall be
archived to removable media at least once every six months.
j) Networks and systems configuration files shall be backed up (and can be
recovered) as part of the DRP.
k) Backup and recovery data on removable media shall be stored in locked,
fire-safe cabinets.
l) Access to data backup and recovery shall be restricted to persons with
legitimate company business needs.
m) Testing of the recovery procedure shall be recorded to document the
results and resolve any new issues in the procedure.
n) Testing of the DRP should be done offline in a testing environment
and not on the actual system, if offline systems are available. Testing
of the recovery procedure should be documented.
o) A logbook shall be maintained at each storage location for purposes of
monitoring access to the data. Entries shall be recorded in the logbook
whenever a person removes any media from the designated location. The
logbook shall contain the following:
i) Date & Time of removal;
ii) Name and Badge number of employee responsible for removing the
data;
iii) Purpose of removal;
iv) Specific data which was removed such as number of CD's and
DVD's;
v) Estimated time the data will be removed from the location;
vi) The employee's signature at check-out of data if using hard copy log
book;
vii) Date & Time when data is returned to the location;
viii) The employee's signature when the data is returned to the safe
location if using hard copy log book.
4.7 Physical Security
a) Security perimeters around informational assets should be clearly defined
and carefully monitored on a daily basis for evidence of penetration,
penetration attempt or tampering or for particular patterns of tampering
that could indicate imminent physical attack.
b) Ensure that sensitive documents and other media material that are no
longer needed are destroyed completely.
c) Access to a facility or internal locations such as Control Room (CR) and
Process Interface Building (PIB) by employees, contractors, or any other
visitors shall be authorized by Operations and documented with date and
time of entry and exit. Authorization shall be documented.
d) Isolate delivery and loading areas from any critical systems. These areas
are often likely sources of attack or damage from potentially hazardous
materials.
e) Tag all physical inventories with tamper-resistant labels to prevent
removal of property.
f) Servers and network equipment shall be located in plant controlled
facilities or data center/server/rack room.
g) Unused network ports shall be disabled in equipment located in shared
data closets or equipment racks.
h) Data on servers and workstations sent for disposal should be deleted in
accordance with GI-0299.120 "Sanitization and Disposal of Saudi Aramco
Electronic Storage Devices and Obsolete/Unneeded Software".
5 Responsibilities
5.1 Plants Operations/Management
Plants operations/management and their designated operating staff are
responsible for the implementation of this procedure. We refer to the
Management's designated operating staff as the Process Automation Networks
(PAN) Administrator. Plants operations/management has the responsibility for
monitoring the implementation of this procedure within their plants.
5.2 PAN Administrator
Each plant organization shall have a qualified PAN Administrator to administer
and perform system configuration and monitoring and coordinating with Process
Control System Administrator, if different, as designated by the plant
management. The PAN Administrator shall assume the ownership of the
IA&CS including the PAN Firewall. The PAN Administrator shall have the
function of granting, revoking, and tracking access privileges and
communications of users on IA&CS including the Firewall. It is essential that
the PAN Administrator has:
a) Knowledge or experience in plant's operations, and
b) Networks security certification (or equivalent knowledge and experience).
5.3 Process & Control Systems Department (P&CSD)/Communication & Computer
Networks Unit (CCNU)
P&CSD/CCNU is responsible for maintaining and updating SAEP-99 "Process
Automation Networks & Systems Security" Procedure.
6 Definitions
Access Control: Control access to selected devices, information or both to protect
against unauthorized interrogation of the device or information.
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information.
Authorization: A right or a permission that is granted to a system entity to access a
system resource.
Backup: A reserve copy of data that is stored separately from the original, for use if
the original becomes lost or damaged.
Confidentiality: Assurance that information is not disclosed to unauthorized
individuals, processes, or devices.
Encryption: Cryptographic transformation of data (called "plaintext") into a form
(called "ciphertext") that conceals the data's original meaning to prevent it from being
known or used.
Firewall: An inter-network connection device that restricts data communication traffic
between two connected networks.
Industrial Automation & Control Systems (IA&CS): IA&CS include the following:
Networks and Systems hardware and software such as Process Automation Network
(PAN), Distributed Control Systems (DCSs), Emergency Shutdown Systems (ESD),
Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition
(SCADA) systems, Terminal Management Systems (TMS), networked electronic
sensing systems, and monitoring (such as VMS AND PMS), diagnostic, and related
industrial automation and control systems.
Associated internal, human, network, or machine interfaces used to provide control,
safety, maintenance, quality assurance, and other process operations functionalities
to continuous, batch, discrete, and combined processes.
Integrity: The quality of a system reflecting the logical correctness and reliability of
the operating system, the logical completeness of the hardware and software
implementing the protection mechanisms, and the consistency of the data structures and
occurrence of the stored data.
ISA: Stands for "The Instrumentation, Systems, and Automation Society". ISA is a
leading, global, nonprofit organization that sets standards for automation.
Logs: Files or prints of information in chronological order.
PAN Administrator: Process Automation Networks (PAN) Administrator administers
and performs system configuration and monitoring and coordinating with Process
Control System Administrator, if different, as designated by the plant management.
The PAN Administrator assumes the ownership of the IA&CS including the PAN
Firewall and has the function of granting, revoking, and tracking access privileges and
communications of users on IA&CS including the Firewall.
Password: A form of secret authentication data that is used to control access to a
resource.
Server: A dedicated un-manned data provider.
Service Level of Agreement (SLA): SLA is a contract between the service provider
(e.g., Information Technology) and the proponent (the plant) to document and specify
the service level expected such as response time for problem resolution and technical
staff qualifications requirements.
Security Domain: A domain that establishes the scope of threat analysis for
controllable assets in pre-defined physical or logical perimeter boundaries.
Vulnerability: A flaw or weakness in a system's design, implementation, or operation
and management that could be exploited to violate the system's integrity or security
policy.
For a comprehensive list of security related terms and definitions, please refer to the
ISA Security Standard: "Security for Industrial Automation and Control Systems Part 1:
Terminology, Concepts and Models" ISA-d99.00.01, February 2007.
7 Abbreviations
CCNU - Communication & Computer Networks Unit
DRP - Disaster Recovery Planning
DCS - Distributed Control System
DSS - Decision Support System
ESD - Emergency Shutdown Systems
IP - Internet Protocol
IPS - Intrusion Prevention System
ISA - The Instrumentation, Systems, and Automation Society
IA&CS - Industrial Automation & Control Systems
PAN - Process Automation Network
PLC - Programmable Logic Controller
PMS - Power Monitoring System
P&CSD - Process & Control Systems Department
SAES - Saudi Aramco Engineering Standard
SCADA - Supervisory Control and Data Acquisition
SLA - Service Level of Agreement
TCP/IP - Transmission Control Protocol / Internet Protocol
TMS - Terminal Management System
VMS - Vibration Monitoring System

Revision Summary
28 October 2007 New Saudi Aramco Engineering Procedure.
20 April 2008 Minor revision to clarify the use of individual user accounts and physical and logical network
separation.
