
Engineering Procedure

SAEP-99 20 April 2008


Process Automation Networks & Systems Security
Communications Standards Committee Members
Ghamdi, Khalid Sulaiman, Chairman
Muammar, Rushdi Husain, Vice Chairman
Shammary, Diab Methqal
Mushcab, Rami Talib
Walaie, Soliman Abdullah
Bamardouf, Lutfi Hussain
Mutairi, Salman Ayedh
Rajeh, Majed Fahad
Abu Alsaud, Zakarya Abdulelah
Daraiseh, Abdelghani A.
Kille, Bradley Clyde
Tamimi, Mohammed Abdulaziz
Qanber, Yousuf Abdul Aziz
Musabeh, Ali Hamza
Harbi, Saad Abdullah
Elwi, Salem Saud
Almadi, Soloman Musa
Gotsis, Stavros D
Kahtani, Waheed Hazza

Saudi Aramco Desk Top Standards


Table of Contents

1 Scope............................................................ 2
2 Conflicts and Deviations............................... 2
3 Referenced Documents................................. 3
4 Instructions.................................................... 3
5 Responsibilities............................................ 14
6 Definitions.................................................... 15
7 Abbreviations............................................... 17

Previous Issue: 28 October 2007 Next Planned Update: 27 October 2012


Revised paragraphs are indicated in the right margin Page 1 of 18
Primary contact: Abu Alsaud, Zakarya Abdulelah on 966-3-8737316

Copyright©Saudi Aramco 2008. All rights reserved.


Document Responsibility: Communications SAEP-99
Issue Date: 20 April 2008
Next Planned Update: 27 October 2012 Process Automation Networks & Systems Security

1 Scope

This procedure provides minimum mandatory security requirements for Industrial
Automation & Control Systems (IA&CS) including the networks and plant facilities.
This procedure is retroactive to all Saudi Aramco Plants. The scope of this procedure
includes but is not limited to:

• Networks and Systems hardware and software such as Process Automation Network
(PAN), Distributed Control Systems (DCSs), Emergency Shutdown Systems (ESD),
Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition
(SCADA) systems, Terminal Management Systems (TMS), networked electronic
sensing systems, Power Monitoring System (PMS), Vibration Monitoring (VMS)
and other monitoring, diagnostic and related industrial automation and control
systems.

• Associated internal, human, network, or machine interfaces used to provide control,
safety, maintenance, quality assurance, and other process operations functionalities
to continuous, batch, discrete, and combined processes.

The security requirements address the following eight security domains:

1) Access Control Systems & Methodology
2) Communications & Networks Security
3) Security Management Practices
4) Applications & Systems Development Security
5) Security Architecture & Models
6) Operations Security & Management
7) Disaster Recovery Planning (DRP)
8) Physical Security.

2 Conflicts and Deviations

2.1 Any conflicts between this Procedure and other applicable Saudi Aramco
Engineering Standards (SAES's), Materials System Specifications (SAMSS's)
Standard Drawings (SASDs), or industry standards, codes, and forms shall be
resolved in writing to the Manager, Process & Control Systems Department of
Saudi Aramco, Dhahran.

2.2 Direct all requests to deviate from any mandatory security requirement of this
procedure, in writing, to the Manager, Process & Control Systems Department
of Saudi Aramco, Dhahran, who shall follow internal company procedure
SAEP-302.


3 Referenced Documents

The requirements contained in the following documents apply to the extent specified in
this procedure.

3.1 Saudi Aramco References

Saudi Aramco Engineering Standards

SAES-Z-010 Process Automation Networks Connectivity

Saudi Aramco Engineering Procedures

SAEP-302 Instructions for Obtaining a Waiver of a Mandatory Saudi Aramco
Engineering Requirement
SAEP-1050 Guideline for Disaster Recovery Plan Development for Decision
Support System

Saudi Aramco Engineering Reports

SAER-6123 Process Automation Networks Firewall Evaluation Criteria

Saudi Aramco General Instructions

GI-0710.002 Classification of Sensitive Information
GI-0299.120 Sanitization and Disposal of Saudi Aramco Electronic Storage
Devices and Obsolete/Unneeded Software

Company Policy

INT-7 Data Protection and Retention

3.2 Industry Codes and Standards

The Instrumentation, Systems, and Automation Society

ISA-TR99.00.01-2004 ISA Technical Report: "Security Technologies for
Manufacturing and Control Systems", March 11, 2004
ISA-TR99.00.02-2004 ISA Technical Report: "Integrating Electronic Security into
the Manufacturing and Control Systems Environment", April 12, 2004
ISA-d99.00.01 ISA Security Standard: "Security for Industrial Automation and
Control Systems Part 1: Terminology, Concepts and Models", February 2007

4 Instructions

In this procedure, the terms "must", "shall", "should" and "can" are used. When must or
shall is used, the item is a mandatory requirement. When should is used, the item is
strongly recommended but not mandatory. When can is used, compliance may further
enhance the system security but compliance is optional.

This procedure shall be applied to all systems and networks as appropriate by
knowledgeable Process Control Systems personnel. It helps to identify and address a
wide spectrum of vulnerabilities, and to mitigate the risk of undesired intrusions that
could compromise confidential information or cause disruption or failure in the IA&CS.

The following are requirements for plants networks and systems security:

a) Follow and apply "IA&CS vendor" recommendations and requirements for
systems and networks security, including antivirus software, upgrades and
security patches, with a prior economic analysis of risk versus cost. "IA&CS
vendor" refers to the vendor or manufacturer of the IA&CS.

b) The user of this procedure must exercise sound professional judgment concerning
its use and applicability under user's particular circumstances. The user must also
consider the applicability of any government regulatory, Saudi Aramco standards,
and safety practices before implementing this procedure.

c) The delegation of any PAN management or operational function to another entity
shall be executed through a Service Level Agreement (SLA).

4.1 Access Control Systems & Methodology

IA&CS access shall be restricted to plant authorized personnel such as
Operators, Engineers and Maintenance personnel that are authorized to operate
or administer the network and perform system configuration, diagnostics, and
system monitoring.

4.1.1 Authentication and Authorization

Authorization can be as granular as determining access to specific files
in an application or as encompassing as access to a network.
Authentication describes the process of positively identifying potential
network users, hosts, applications, services, and resources using a
combination of identification factors or credentials.


Passwords, if supported by the system or application, shall be the
minimum authentication requirement. The logon/logoff process shall
cause neither system interruptions nor momentary loss of view. For
systems with hardware key authentication, the key must be securely
guarded and logged.

The following are the requirements for the passwords:

a) Passwords shall have appropriate length and entropy
characterization for the security required. In particular, they should
not be found in a dictionary or contain predictable sequences of
numbers or letters.

b) Passwords shall be used with care on operator interface devices
such as control consoles on critical processes. Passwords shall be
guarded to prevent unauthorized access.

c) User account passwords shall not be stored electronically in
unprotected files.

d) All vendor-supplied default passwords for predefined accounts
shall be changed immediately after installation or upgrade.

e) In order to change user account passwords, users should always be
required to provide both their old and new passwords, if supported
by the system.

f) The keeper of master passwords or his backup(s) shall always be
available to ensure continuous operations. A password log,
especially for master passwords, shall be maintained separately
from the IA&CS, possibly in a notebook locked in a vault or safe.

g) For user authentication purposes, password use is common and
generally acceptable for users logging directly into a local device
or a computer. Passwords shall always be encrypted when sent
between networks.

h) An automatic message, if supported by the system, should be sent
to users notifying them of the number of days remaining before their
passwords expire.

Individual accounts are mandatory for Supervisors, Engineers and
Administrators, if supported by the system.


4.1.2 User Account Types

a) Application accounts are those associated with applications.
The password for such accounts should always be used in
encrypted/protected and encapsulated form and shall not be coded
into the application in plain text.

b) Operator Accounts are those used by Operators to access the
system and operate the plant. Such accounts shall have a restricted
user profile so that the operator will not be able to install programs,
change software configuration, or access floppy disk, CD drives, or
any removable media.

Shared operator accounts shall be restricted to those authorized and
documented/tracked regularly.

Individual Operator Accounts are mandatory, if supported by the
system, for unattended areas such as Process Interface Buildings
(PIBs).

c) GUEST accounts shall be disabled on all systems.

d) Super/Privileged Accounts are those used by System
Administrators and Engineers. The use of Super/Privileged
Accounts shall be limited to system support purposes, system
diagnostics and configuration, and only when necessary. These
accounts shall be reviewed every 12 months. Super/Privileged
User Accounts shall be locked when not needed.

e) Operator and Application Accounts shall be excluded from the
automatic password change policy; however, the PAN
Administrator shall make sure that Application Account passwords
are changed manually every 12 months.

4.1.3 User Account Format

The structure of the user account should be [xxxxxxfm] where [xxxxxx]
is the first six characters of the last name, [f] is the first initial of the
first name and [m] is the first initial of the middle name. Numeric and
special characters should be removed from the user account. Arabic
prefixes Al, Al-, El and El- should be removed from the last name, and "x"
should be used when there is no middle initial. If more than one
employee has the same last name, first initial and middle initial, the
following steps should be followed:


a) Up to 4 characters of the last name, first initial and middle initial are
used with an assigned suffix as the last 2 characters.

b) The first suffix will always start with a numeric in the range 0-9,
and the second character of the suffix will be in the ranges A-Z,
0-9.
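The naming rule above is mechanical enough to implement. The following Python is an added example, not part of the procedure, that derives the [xxxxxxfm] account ID and falls back to the suffix form on a collision. Two details are assumptions, since the page fixes the character ranges but not these points: IDs are emitted in lowercase and compared case-insensitively, and collision suffixes are tried in the order 0a..0z, 00..09, 1a.. and so on. All names in the sample are constructed.

```python
import re
import string

# Suffix alphabets from 4.1.3 b): first character 0-9, second A-Z or 0-9
# (assumption: lowercase form, tried letters first then digits).
SUFFIX_FIRST = string.digits
SUFFIX_SECOND = string.ascii_lowercase + string.digits
# Arabic prefixes Al, Al-, El, El- (with or without a following space/hyphen)
# are removed only when something follows them.
PREFIX_RE = re.compile(r"^(al|el)[- ]?(?=\S)", re.IGNORECASE)


def _letters(text):
    """Keep letters only: numeric and special characters are removed."""
    return re.sub(r"[^a-z]", "", (text or "").lower())


def _name_parts(last, first, middle):
    """Return (cleaned last name, first initial, middle initial or 'x')."""
    last = _letters(PREFIX_RE.sub("", last.strip()))
    f = _letters(first)[:1]
    m = _letters(middle)[:1] or "x"
    if not last or not f:
        raise ValueError("last name and first name are required")
    return last, f, m


def base_account(last, first, middle=None):
    """[xxxxxxfm]: first six letters of the last name + first + middle initial."""
    last, f, m = _name_parts(last, first, middle)
    return last[:6] + f + m


def assign_account(last, first, middle, taken):
    """Assign an ID that is unique within `taken` (a set of existing IDs).

    On a collision apply 4.1.3 a) and b): up to four letters of the last
    name, both initials, then a two-character suffix starting with a digit.
    """
    base = base_account(last, first, middle)
    if base not in taken:
        taken.add(base)
        return base
    last, f, m = _name_parts(last, first, middle)
    stem = last[:4] + f + m
    for d in SUFFIX_FIRST:
        for c in SUFFIX_SECOND:
            candidate = stem + d + c
            if candidate not in taken:
                taken.add(candidate)
                return candidate
    raise RuntimeError("suffix space exhausted for " + stem)


if __name__ == "__main__":
    existing = set()
    # Constructed sample names; the three Harbi entries collide on purpose.
    for name in [("Al-Harbi", "Ahmed", "Saleh"), ("Harbi", "Abdullah", "Saad"),
                 ("Harbi", "Ali", "Saeed"), ("Qahtani", "Waleed", None),
                 ("El Shammary", "Diab", "M.")]:
        print(name, "->", assign_account(*name, existing))
```

The collision branch shortens the last name to four characters before appending the suffix, so a colliding "harbias" becomes "harbas0a", then "harbas0b", and so on; the set passed as `taken` is the registry of IDs already issued.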

4.1.4 System Access

a) System login scripts, if any, shall be configured to prevent a user
from bypassing them.

b) Warning banners on all systems, if supported, shall be enabled.
Every computer will require changes to its system files to ensure
that the banner is displayed whenever the system is turned on or a user
logs on.

c) Repeated login failures shall be logged, if supported by the system,
with the location, date, time and user account used, without
indicating whether the failure is caused by the wrong user name or
password. An alert message should be sent to the PAN
Administrator in the event of repeated login failures.

d) At login time, every user should be given information reflecting the
last login time and date, if supported by the system.

e) No dial-in is allowed for control purposes. Vendor remote
troubleshooting and testing is the only exception, provided that such
activity is strictly monitored, documented, and conducted on a
temporary basis with the authorization of plant operations/
management.

f) Remote access to plant applications from the corporate network or
Internet, for control purposes, is not permitted.

g) The PAN Administrator shall assume the responsibility of
adding/removing users' access on the proxy application servers
for his designated plant applications.

h) The auto-logoff feature, if supported, shall be configured for all
unattended systems excluding operators' consoles.
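Items c) and d) above describe what a login front-end must record and what it must not reveal. The Python below is an added example, not code from the procedure or from any IA&CS vendor, showing a login handler that logs location, date, time and account on every failure while returning the same message whether the account or the password was wrong, alerts the PAN Administrator when failures repeat, and shows the user their previous login time on success. The alert threshold and window are assumptions; the credential store and all accounts are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_credential(password, salt=None):
    """Salted PBKDF2 entry for a constructed credential store (no plain text)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _verify(credential, password):
    salt, digest = credential
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest, candidate)


# One message for both causes, so a failure never says which part was wrong.
FAILURE_MESSAGE = "Login failed: invalid account name or password"
_DUMMY = make_credential("dummy", b"0000000000000000")


class LoginMonitor:
    """Login front-end implementing 4.1.4 c) and d)."""

    def __init__(self, credentials, threshold=3, window=timedelta(minutes=10)):
        self.credentials = credentials      # account -> (salt, digest)
        self.threshold = threshold          # assumption: failures before an alert
        self.window = window                # assumption: period failures are counted over
        self.log = []                       # audit entries: event, account, location, time
        self.alerts = []                    # messages destined for the PAN Administrator
        self.last_login = {}                # account -> datetime of last successful login
        self._recent = defaultdict(deque)   # account -> timestamps of recent failures

    def login(self, account, password, location, when):
        """Return (success, message shown to the user)."""
        credential = self.credentials.get(account)
        if credential is None:
            _verify(_DUMMY, password)       # same work for unknown accounts (timing)
        elif _verify(credential, password):
            previous = self.last_login.get(account)
            self.last_login[account] = when
            self._recent.pop(account, None)
            self.log.append({"event": "LOGIN_OK", "account": account,
                             "location": location, "time": when.isoformat()})
            # 4.1.4 d): show the user the last login date and time
            shown = previous.isoformat() if previous else "none on record"
            return True, "Welcome. Last login: " + shown
        # 4.1.4 c): log location, date, time and account, but not the cause
        self.log.append({"event": "LOGIN_FAIL", "account": account,
                         "location": location, "time": when.isoformat()})
        recent = self._recent[account]
        recent.append(when)
        while recent and when - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.alerts.append("ALERT to PAN Administrator: %d failed logins for '%s' "
                               "from %s within %s" % (len(recent), account, location, self.window))
        return False, FAILURE_MESSAGE


if __name__ == "__main__":
    store = {"harbias": make_credential("correct horse")}   # constructed account
    monitor = LoginMonitor(store)
    t = datetime(2008, 4, 20, 8, 0)
    for i, pw in enumerate(["wrong", "wrong", "wrong", "correct horse"]):
        print(monitor.login("harbias", pw, "CR-1 console", t + timedelta(minutes=i)))
    print(monitor.alerts)
```

The log entry for a failure carries exactly the four fields the procedure names; the cause is deliberately absent so that neither the log nor the user-facing message distinguishes an unknown account from a wrong password.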


4.2 Security Management Practices

4.2.1 Security Policies

In addition to this procedure, the following are applicable Saudi Aramco
documents for plant information security policies:

a) Management Statement of Policy "INT-7"
(URL: http://corpplan/LRPD1/corporat.htm)

b) Classification of Sensitive Information "GI-0710.002",
dated 15 January 2002 (URL: http://gi/html/data/0710_002.pdf).

c) Sanitization and Disposal of Saudi Aramco Electronic Storage
Devices and Obsolete/Unneeded Software "GI-0299.120", dated
December 2005 (URL: http://gi/html/data/0299_120.pdf).

4.2.2 Classification of Information

Plant operations/management is responsible for classifying,
controlling access to, and safeguarding such information as per
GI-0710.002. The classification of information ensures that information
labeled as sensitive is protected according to its classification.

4.2.3 Security Awareness

Security awareness refers to the general, collective awareness of an
organization's personnel of the importance of security and security
controls. Plant management shall ensure that their personnel have an
adequate understanding and awareness of security. This can be done
through:

a) Live/Interactive Presentations: Security awareness presentations on
an annual basis or as needed.

b) Publishing/Distribution: Posters, company newsletter,
email, updates, alerts, etc.

Saudi Aramco departments, such as the IPD/Awareness Group, Industrial
Security, P&CSD, etc., can be contacted for assistance.

4.3 Applications & Systems Development Security

a) The application vendor default password shall be changed where this is
supported and does not affect operations.


b) If available, applications must log all successful and unsuccessful logon
attempts and the time of logons. They must also log sensitive transactions and
sensitive changes as defined by the application owner. The log shall
identify what was changed, when, and who made the change.

c) All special access paths, doors and short-cuts used for developing the
application shall be removed prior to moving the application to production.

d) IA&CS shall have all unnecessary services disabled.


4.4 Security Architecture & Models

4.4.1 Communication and Network Security Control

a) Ensure physical and logical separation between Plant Automation
Networks and the Corporate Network inside the plant fence.

Commentary Note:

The table below provides further details on the minimum requirements:

Physical Space    Network
                  In-Plant Connectivity            Remote Site Connectivity
Locked Cabinet    Dedicated cables for both        Fiber optic strands for primary
                  primary and backup               and dedicated transmission
                                                   circuit (i.e., SDH) for backup

b) Monitoring of plant applications from the corporate network shall be
allowed only via proxy servers.

c) The PAN shall not interface as a gateway to non-Saudi Aramco
networks such as the Internet.

d) PAN clients shall not be configured to access IT services such as
e-mail, Internet/Intranet, and File and Print Sharing.

e) All nodes on the PAN shall be assigned static IP addresses.
Dynamic Host Configuration Protocol (DHCP) shall not be used
anywhere on the PAN.


4.4.2 Firewalls Filtering, Blocking, and Access Control:

Firewalls shall:

a) Control access and prevent undesirable packets into or out of a
protected network.

b) Enable information logging for traffic monitoring and intrusion
detection.

c) Dedicated firewall hardware shall be used to interface a PAN to the
Corporate Network.

d) The fundamental policy for configuring firewalls in plant
automation networks shall be "DENY UNLESS SPECIFICALLY
PERMITTED".

e) Antivirus and Intrusion Prevention functionalities should be
installed on the PAN interface to the Corporate Network.

f) A patch management policy should be developed and maintained in
order to help identify the latest signature files and upgrades.

g) A procedure should be developed in order to properly change
the firewall Access Control List (ACL) based on information
collected from the Intrusion Prevention System (IPS).


h) The Firewall is an integral part of the PAN and shall be placed
within the Plants fence.

i) Network traffic through the firewall shall be limited to server-to-
server connections and through selected IP ports. Any Corporate
Network user requiring access to Plant Systems shall use Proxy
Servers (See Figure 1).

j) A PAN comprising multiple scattered PANs should interface
with the Corporate Network via a centralized firewall. Hence, such
PANs shall be connected together in order to establish one PAN
utilizing the corporate transmission infrastructure (i.e., SDH
dedicated bandwidth/Dark Fiber).

k) Additional detailed network configurations can be found in
SAES-Z-010 "Process Automation Networks Connectivity".


l) Blocking shall be based on allowing specifically enabled
communications between devices (Server-to-Server) on the
Corporate Network and the PAN. The enabled communications
shall be based on source and destination pairs, services, and ports.
Blocking shall be enabled for both inbound and outbound
communications.

SAER-6123, "Process Automation Networks Firewall Evaluation
Criteria" provides additional guidelines for firewall configuration
and hardware selection.
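Items d), i) and l) together define the firewall policy: default deny, server-to-server pairs only, explicit protocol and port, evaluated in both directions. The Python below is an added example, not the procedure's own text nor any firewall product's configuration, that models such a rule set and checks it the way an auditor would, rejecting any rule whose source or destination is a whole network rather than a single server. Addresses come from the documentation ranges 192.0.2.0/24 (standing in for the Corporate Network) and 198.51.100.0/24 (standing in for the PAN); the hosts and ports are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound": Corporate Network -> PAN; "outbound": PAN -> Corporate Network
    src: str         # source host in CIDR notation (a pair rule uses /32)
    dst: str         # destination host in CIDR notation
    proto: str       # "tcp" or "udp"
    port: int        # destination port


DIRECTIONS = ("inbound", "outbound")


def lint_rules(rules):
    """Flag rules broader than the source/destination pairs 4.4.2 l) requires."""
    findings = []
    for r in rules:
        if r.direction not in DIRECTIONS:
            findings.append((r, "direction must be inbound or outbound"))
        if ip_network(r.src).num_addresses != 1:
            findings.append((r, "source is a network, not a single server"))
        if ip_network(r.dst).num_addresses != 1:
            findings.append((r, "destination is a network, not a single server"))
        if r.proto not in ("tcp", "udp"):
            findings.append((r, "protocol must be tcp or udp"))
    return findings


class PanFirewallPolicy:
    """DENY UNLESS SPECIFICALLY PERMITTED, applied to both directions (4.4.2 d, l)."""

    def __init__(self, rules):
        problems = lint_rules(rules)
        if problems:
            raise ValueError("rule set rejected: %s" % problems)
        self._rules = [(r, ip_network(r.src), ip_network(r.dst)) for r in rules]
        self.denied = []   # logged denials for traffic monitoring (4.4.2 b)

    def decide(self, direction, src, dst, proto, port):
        """Return ("PERMIT", rule) for an explicitly enabled flow, else ("DENY", None)."""
        s, d = ip_address(src), ip_address(dst)
        for rule, snet, dnet in self._rules:
            if (rule.direction == direction and rule.proto == proto
                    and rule.port == port and s in snet and d in dnet):
                return "PERMIT", rule
        self.denied.append((direction, src, dst, proto, port))
        return "DENY", None


# Constructed rule set: the plant proxy server may open one TCP port on the
# historian, and the historian may initiate one connection back to the proxy.
PROXY, HISTORIAN = "192.0.2.10", "198.51.100.20"
RULES = [
    Rule("inbound", PROXY + "/32", HISTORIAN + "/32", "tcp", 1433),
    Rule("outbound", HISTORIAN + "/32", PROXY + "/32", "tcp", 8443),
]

if __name__ == "__main__":
    policy = PanFirewallPolicy(RULES)
    # A corporate workstation (192.0.2.44) trying to reach a DCS node directly
    # matches nothing and is denied; only the proxy-to-historian pair passes.
    for flow in [("inbound", PROXY, HISTORIAN, "tcp", 1433),
                 ("inbound", "192.0.2.44", "198.51.100.30", "tcp", 1433),
                 ("inbound", PROXY, HISTORIAN, "tcp", 22),
                 ("outbound", "198.51.100.99", PROXY, "tcp", 8443)]:
        print(flow, "->", policy.decide(*flow)[0])
    print("denied:", policy.denied)
```

Because `lint_rules` runs in the constructor, a rule such as `Rule("inbound", "192.0.2.0/24", "198.51.100.0/24", "tcp", 1433)` is refused before it can widen the policy; the `denied` list is the raw material for the traffic monitoring that 4.4.2 b) and 4.5.1 call for.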

Figure 1: Process Automation Network connectivity. The figure shows the Aramco IT
Network connected through redundant Firewalls (Active and Hot Standby, under Plant
Control or IT Control with SLA) to redundant PAN Backbone Switches (Active and Hot
Standby). The Plant Proxy Server, MIS servers 1..n and Historian Server communicate
server-to-server through the Firewall. Splitters feed the Scan Node, DCS, SCADA, CCTV
and VMS on the Process Automation Network.


4.5 Operations Security & Management

4.5.1 Monitoring

All available network and system logs shall be examined and monitored
on both a periodic basis and when abnormal activities may indicate
problems. PAN Administrator shall control and validate the access to
these log files.

Commentary Note:

Recommended monitoring tools:

a) Account logging events to monitor logon attempts (successful and
unsuccessful).

b) Events viewer logs.

c) System events such as system and service startup and shutdown.

d) Firewall logs, configurations and policies.

The PAN Administrators shall perform and maintain regular reviews for
the following:

i) A regular review of all accounts shall be performed to ensure their
continued legitimacy for business needs.

ii) Inactive users shall be revoked.

iii) The list of users accessing internal devices such as firewalls and
switches.

iv) A firewall penetration test of the plant networks is recommended to
highlight any weaknesses and vulnerabilities.

v) All unused ports in any network devices such as routers and
switches shall be disabled.

vi) IA&CS clocks are synchronized so that date and time stamps are accurate.
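Items i) and ii) of the review above, together with the account rules in 4.1.2 c), d) and e), can be checked from an account inventory. The Python below is an added example, not part of the procedure, that produces the findings list a PAN Administrator would work through: inactive users to revoke, an enabled GUEST account, privileged accounts past their 12-month review or left enabled while not needed, and application accounts whose password has not been changed manually within 12 months. The 90-day inactivity threshold is an assumption (the procedure gives no number); the account records are constructed.

```python
from datetime import date, timedelta

INACTIVE_AFTER = timedelta(days=90)    # assumption: the procedure does not fix a number of days
REVIEW_EVERY = timedelta(days=365)     # 4.1.2 d): privileged accounts reviewed every 12 months
PASSWORD_EVERY = timedelta(days=365)   # 4.1.2 e): application passwords changed every 12 months


def _overdue(last, every, today):
    """True when an event never happened or happened more than `every` ago."""
    return last is None or today - last > every


def review_accounts(accounts, today):
    """Return (account, finding) pairs for the PAN Administrator's periodic review.

    Each account is a dict with keys: account, kind (operator, engineer,
    privileged, application, guest), and optional enabled, last_login,
    last_review, last_password_change, needed_now.
    """
    findings = []
    for a in accounts:
        name, kind = a["account"], a["kind"]
        enabled = a.get("enabled", True)
        if kind == "guest":
            if enabled:
                findings.append((name, "GUEST account enabled: disable it (4.1.2 c)"))
            continue
        if kind == "application":
            if _overdue(a.get("last_password_change"), PASSWORD_EVERY, today):
                findings.append((name, "application password older than 12 months: "
                                       "change it manually (4.1.2 e)"))
            continue   # application accounts do not log in interactively
        if kind == "privileged":
            if _overdue(a.get("last_review"), REVIEW_EVERY, today):
                findings.append((name, "privileged account not reviewed in 12 months (4.1.2 d)"))
            if enabled and not a.get("needed_now", False):
                findings.append((name, "privileged account enabled while not needed: lock it (4.1.2 d)"))
        if enabled and _overdue(a.get("last_login"), INACTIVE_AFTER, today):
            findings.append((name, "inactive user: revoke (4.5.1 ii)"))
    return findings


# Constructed inventory as the review might see it on the issue date of this procedure.
TODAY = date(2008, 4, 20)
ACCOUNTS = [
    {"account": "harbias", "kind": "operator", "last_login": date(2008, 4, 19)},
    {"account": "qahtanwx", "kind": "engineer", "last_login": date(2007, 12, 1)},
    {"account": "guest", "kind": "guest", "enabled": True},
    {"account": "svc_historian", "kind": "application",
     "last_password_change": date(2007, 3, 1)},
    {"account": "padmin", "kind": "privileged", "last_login": date(2008, 4, 1),
     "last_review": date(2007, 2, 1), "needed_now": False},
]

if __name__ == "__main__":
    for account, finding in review_accounts(ACCOUNTS, TODAY):
        print("%-14s %s" % (account, finding))
```

Running it over the constructed inventory yields no finding for the active operator and one or more for each of the other four accounts; the function returns the list rather than printing it so the output can feed a ticketing or review record.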

4.5.2 Reporting of Computer Security Incidents

The reporting of a computing incident must be done promptly. It is the
responsibility of the proponent plant management, their designated staff,
or the PAN Administrator, to write a memorandum detailing any
computer irregularity incident to Corporate Security Services/Computer
Security Administration (CSA). In the case of hardware theft, the
incident must be reported to plant management, who will report it to
Industrial Security.

If any user or organization suspects a computer security incident
implicating an individual, and where a formal investigation might be
required, they must contact their PAN Administrator. The PAN
Administrator will evaluate the incident and, if warranted, report it to
CSA via "Incident Reporting" on "http://csa.aramco.com.sa".

In urgent situations, the PAN Administrator should report these computer
security incidents to CSA by phone via the numbers for "CSA Head" or
"Computer Security Investigation" listed in the "Contacts" section of the
CSA website. The "Incident Reporting" facility on CSA's website
should be used to document and confirm the PAN Administrator's report
by phone.

4.6 Disaster Recovery Planning (DRP)

The following are the requirements for Disaster Recovery Planning (DRP) for
Saudi Aramco IA&CS excluding Decision Support Systems (DSS). For further
information of DSS Disaster Recovery Plan, refer to SAEP-1050.

a) The mission and objective of the DRP document is to provide
instructions for restoring plant operation and resuming production with a
fast response time, without impacting safety or the investment in plant
assets and personnel.

b) A team, within each plant or in a centralized location, shall be
established and well trained to develop, implement, test, use and maintain
the DRP.

c) A key personnel list shall be clearly identified, including plant personnel,
support organizations and vendors.

d) The Plant is responsible for developing a DRP that covers all critical
IA&CS installed in the plant whose loss would impact plant production.

e) The DRP shall define the data backup strategy including the systems to
backup, files to backup, the storage media, the locations of the storage and
the storage rotation.

f) The DRP shall be included as part of the overall plant process disaster
response plan.


g) It is highly recommended to fully automate the data backup operation to
avoid human errors and ensure integrity.

h) A minimum of one copy set of the data backup and recovery shall be
stored and maintained at a secure, off-site location.

i) Critical IA&CS databases shall be backed up to hard drives on a daily basis.
The data required for complete backup and restore shall be archived to
removable media at least once every six months.

j) Networks and systems configuration files shall be backed up (and can be
recovered) as part of the DRP.

k) Backup and recovery data on removable media shall be stored in locked,
fire-safe cabinets.

l) Access to data backup and recovery shall be restricted to persons with
legitimate company business needs.

m) Testing of the recovery procedure shall be recorded to document the
results and resolve any new issues in the procedure.

n) The testing of the DRP plan should be done off line in a testing
environment and not on the actual system if the off line systems are
available. Testing the recovery procedure should be documented.

o) A logbook shall be maintained at each storage location for purposes of
monitoring access to the data. Entries shall be recorded in the logbook
whenever a person removes any media from the designated location. The
logbook shall contain the following:

i) Date & Time of removal;

ii) Name and Badge number of employee responsible for removing the
data;

iii) Purpose of removal;

iv) Specific data which was removed such as number of CD's and
DVD's;

v) Estimated time the data will be removed from the location;

vi) The employee's signature at check-out of data if using hard copy log
book;

vii) Date & Time when data is returned to the location;


viii) The employee's signature when the data is returned to the safe
location if using hard copy log book.
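Requirements h), i) and j) of the DRP section fix a backup cadence (daily database backups, a removable-media archive at least every six months, an off-site copy, and configuration files in scope) that can be verified from a backup journal. The Python below is an added example, not part of the procedure, that reads such a journal and reports per system which of those requirements is currently unmet. The journal format and all entries are constructed; the six-month limit is taken as 183 days.

```python
from datetime import date, timedelta

DAILY_DB_MAX_AGE = timedelta(days=1)     # 4.6 i): critical databases backed up daily
ARCHIVE_MAX_AGE = timedelta(days=183)    # 4.6 i): removable-media archive at least every six months


def _latest(events, kind):
    """Date of the most recent event of the given kind, or None."""
    dates = [e["date"] for e in events if e["kind"] == kind]
    return max(dates) if dates else None


def check_backup_status(journal, today):
    """Return (system, finding) pairs for systems whose backups do not meet 4.6 h), i), j).

    Each journal entry is a dict: system, kind ("db_daily", "removable_archive"
    or "config"), location ("onsite" or "offsite"), date.
    """
    by_system = {}
    for entry in journal:
        by_system.setdefault(entry["system"], []).append(entry)
    findings = []
    for system, events in sorted(by_system.items()):
        db = _latest(events, "db_daily")
        if db is None or today - db > DAILY_DB_MAX_AGE:
            findings.append((system, "daily database backup missing or older than one day (4.6 i)"))
        archive = _latest(events, "removable_archive")
        if archive is None or today - archive > ARCHIVE_MAX_AGE:
            findings.append((system, "removable-media archive missing or older than six months (4.6 i)"))
        if not any(e["kind"] == "removable_archive" and e["location"] == "offsite" for e in events):
            findings.append((system, "no backup copy set held at a secure off-site location (4.6 h)"))
        if _latest(events, "config") is None:
            findings.append((system, "network/system configuration files never backed up (4.6 j)"))
    return findings


# Constructed journal: DCS-1 is compliant, SCADA-1 misses every requirement.
TODAY = date(2008, 4, 20)
JOURNAL = [
    {"system": "DCS-1", "kind": "db_daily", "location": "onsite", "date": date(2008, 4, 19)},
    {"system": "DCS-1", "kind": "removable_archive", "location": "offsite", "date": date(2007, 12, 10)},
    {"system": "DCS-1", "kind": "config", "location": "onsite", "date": date(2008, 4, 1)},
    {"system": "SCADA-1", "kind": "db_daily", "location": "onsite", "date": date(2008, 4, 15)},
    {"system": "SCADA-1", "kind": "removable_archive", "location": "onsite", "date": date(2007, 9, 1)},
]

if __name__ == "__main__":
    for system, finding in check_backup_status(JOURNAL, TODAY):
        print("%-8s %s" % (system, finding))
```

The check is deliberately per system, because the DRP must cover each critical IA&CS individually (requirement d); a plant-wide "some backup exists" test would hide a system that has silently dropped out of the schedule.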

4.7 Physical Security

a) Security perimeters around informational assets should be clearly defined
and carefully monitored on a daily basis for evidence of penetration,
penetration attempt or tampering, or for particular patterns of tampering
that could indicate imminent physical attack.

b) Ensure that sensitive documents and other media material that are no
longer needed are destroyed completely.

c) Access to a facility or internal locations such as the Control Room (CR) and
Process Interface Building (PIB) by employees, contractors, or any other
visitors shall be authorized by Operations and documented with date and
time of entry and exit. Authorization shall be documented.

d) Isolate delivery and loading areas from any critical systems. These areas
are often likely sources of attack or damage from potentially hazardous
materials.

e) Tag all physical inventories with tamper-resistant labels to prevent
removal of property.

f) Servers and network equipment shall be located in plant-controlled
facilities or a data center/server/rack room.

g) Unused network ports shall be disabled in equipment located in shared
data closets or equipment racks.

h) Data on servers and workstations sent for disposal should be deleted in
accordance with GI-0299.120 "Sanitization and Disposal of Saudi Aramco
Electronic Storage Devices and Obsolete/Unneeded Software".

5 Responsibilities

5.1 Plants Operations/Management

Plant operations/management and their designated operating staff are
responsible for the implementation of this procedure. We refer to the
Management's designated operating staff as the Process Automation Networks
(PAN) Administrator. Plant operations/management has the responsibility for
monitoring the implementation of this procedure within their plants.


5.2 PAN Administrator

Each plant organization shall have a qualified PAN Administrator to administer
and perform system configuration and monitoring, coordinating with the Process
Control System Administrator, if different, as designated by the plant
management. The PAN Administrator shall assume ownership of the
IA&CS including the PAN Firewall. The PAN Administrator shall have the
function of granting, revoking, and tracking access privileges and
communications of users on the IA&CS including the Firewall. It is essential that
the PAN Administrator has:

a) Knowledge or experience in plant's operations, and

b) Networks security certification (or equivalent knowledge and experience).

5.3 Process & Control Systems Department (P&CSD)/Communication & Computer
Networks Unit (CCNU)

P&CSD/CCNU is responsible for maintaining and updating SAEP-99 "Process
Automation Networks & Systems Security" Procedure.

6 Definitions

Access Control: Control of access to selected devices, information or both to protect
against unauthorized interrogation of the device or information.

Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information.

Authorization: A right or a permission that is granted to a system entity to access a
system resource.

Backup: A reserve copy of data that is stored separately from the original, for use if
the original becomes lost or damaged.

Confidentiality: Assurance that information is not disclosed to unauthorized
individuals, processes, or devices.

Encryption: Cryptographic transformation of data (called "plaintext") into a form
(called "ciphertext") that conceals the data's original meaning to prevent it from being
known or used.

Firewall: An inter-network connection device that restricts data communication traffic
between two connected networks.


Industrial Automation & Control Systems (IA&CS): IA&CS include the following:

• Networks and Systems hardware and software such as Process Automation Network
(PAN), Distributed Control Systems (DCSs), Emergency Shutdown Systems (ESD),
Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition
(SCADA) systems, Terminal Management Systems (TMS), networked electronic
sensing systems, and monitoring (such as VMS and PMS), diagnostic, and related
industrial automation and control systems.

• Associated internal, human, network, or machine interfaces used to provide control,
safety, maintenance, quality assurance, and other process operations functionalities
to continuous, batch, discrete, and combined processes.

Integrity: The quality of a system reflecting the logical correctness and reliability of
the operating system, the logical completeness of the hardware and software
implementing the protection mechanisms, and the consistency of the data structures and
occurrence of the stored data.

ISA: Stands for "The Instrumentation, Systems, and Automation Society". ISA is a
leading, global, nonprofit organization that sets standards for automation.

Logs: Files or prints of information in chronological order.

PAN Administrator: The Process Automation Networks (PAN) Administrator administers
and performs system configuration and monitoring, coordinating with the Process
Control System Administrator, if different, as designated by the plant management.
The PAN Administrator assumes ownership of the IA&CS including the PAN
Firewall and has the function of granting, revoking, and tracking access privileges and
communications of users on the IA&CS including the Firewall.

Password: A form of secret authentication data that is used to control access to a
resource.

Server: A dedicated un-manned data provider.

Service Level of Agreement (SLA): SLA is a contract between the service provider
(e.g., Information Technology) and the proponent (the plant) to document and specify
the service level expected such as response time for problem resolution and technical
staff qualifications requirements.

Security Domain: A domain that establishes the scope of threat analysis for
controllable assets within pre-defined physical or logical perimeter boundaries.

Vulnerability: A flaw or weakness in a system's design, implementation, or operation
and management that could be exploited to violate the system's integrity or security
policy.


For a comprehensive list of security related terms and definitions, please refer to the
ISA Security Standard: "Security for Industrial Automation and Control Systems Part 1:
Terminology, Concepts and Models" ISA-d99.00.01, February 2007.

7 Abbreviations

CCNU - Communication & Computer Networks Unit

DRP - Disaster Recovery Planning

DCS - Distributed Control System

DSS - Decision Support System

ESD - Emergency Shutdown Systems

IP - Internet Protocol

IPS - Intrusion Prevention System

ISA - The Instrumentation, Systems, and Automation Society

IA&CS - Industrial Automation & Control Systems

PAN - Process Automation Network

PLC - Programmable Logic Controller

PMS - Power Monitoring System

P&CSD - Process & Control Systems Department

SAES - Saudi Aramco Engineering Standard

SCADA - Supervisory Control and Data Acquisition

SLA - Service Level of Agreement

TCP/IP - Transmission Control Protocol / Internet Protocol

TMS - Terminal Management System

VMS - Vibration Monitoring System

Revision Summary
28 October 2007 New Saudi Aramco Engineering Procedure.
20 April 2008 Minor revision to clarify the use of individual user accounts and physical and logical network
separation.

