
Best Practice

SABP-Z-051 3 May 2015


Network Devices Hardening Guide – Allied Telesis Switches
Document Responsibility: Plants Networks Standards Committee

Saudi Aramco DeskTop Standards


Table of Contents

1 Introduction ........................................ 2
2 Conflicts with Mandatory Standards .................. 2
3 References ......................................... 2
4 Definitions ........................................ 3
5 Account & passwords Policies ....................... 5
6 Services and applications settings ................ 12
7 Hardening controls ................................ 13
8 Logs and Auditing ................................. 14

Previous Issue: New
Next Planned Update: 3 May 2020


Page 1 of 17
Primary contact: Ouchn, Nabil J (ouchnnj) on +966-3-8801365

Copyright©Saudi Aramco 2015. All rights reserved.


Document Responsibility: Plants Networks Standards Committee
Issue Date: 3 May 2015
Next Planned Update: 3 May 2020
SABP-Z-051 Network Devices Hardening Guide – Allied Telesis Switches

1 Introduction
1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology to implement advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff for the purpose of prompt risk
mitigation and overall adherence to company’s cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and / or technicians working as Process Automation Network
(PAN) Administrators.
1.2 Scope
This best practice defines the methodology to harden the configuration
settings of Allied Telesis switches, which may require software / hardware
changes to ensure a "secure configuration" as per SAEP-99 "Process Automation
Networks and Systems Security" procedure.
The implementation of this best practice shall satisfy the audit requirement for
the BIT recommendations and can be assessed using the "Performing Security
Compliance Assessment Manual".
1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by
vendor and / or consulting agent for the implementation of security
configurations by the PAN administrator(s), and shall not be considered
“exclusive” to provide “comprehensive” compliance to SAEP-99 or any other
Saudi Aramco Engineering’s standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) from
their responsibility or duties to confirm and verify the accuracy of any
information presented herein and the thorough coordination with respective
control system steering committee chairman and vendor.

2 Conflicts with Mandatory Standards


In the event of a conflict between this Best Practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.
3 References
Specific sections of the following documents are referenced within the body of this
document. Material or equipment supplied under this best practice shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.


Saudi Aramco References

Saudi Aramco Engineering Procedures
SAEP-99 Process Automation Networks and Systems Security
SAEP-302 Instructions for Obtaining a Waiver of a Mandatory Saudi Aramco Engineering Requirement

Saudi Aramco Engineering Standards
SAES-Z-001 Process Control Systems
SAES-Z-010 Process Automation Networks

General Instruction
GI-0710.002 Classification of Sensitive Information

4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
DCS - Distributed Control System
ESD - Emergency Shutdown Systems
IP - Internet Protocol
ISA - The International Society of Automation
PCS - Process Control Systems
PAN - Process Automation Network
PMS - Power Monitoring System
SCADA - Supervisory Control and Data Acquisition
TMS - Terminal Management System
VMS - Vibration Monitoring System
4.2 Abbreviations
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. Wherever there are
assets worth protecting, authentication is required. The initial step in
protecting systems and information is authentication, which identifies who is
requesting access.


Process Automation Systems (PAS): PAS include networks and systems
hardware and software such as Process Automation Network (PAN), Distributed
Control Systems (DCSs), Emergency Shutdown Systems (ESD), Programmable
Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA)
systems, Terminal Management Systems (TMS), networked electronic sensing
systems, monitoring systems (such as VMS and PMS), diagnostic systems, and related
industrial automation and control systems. PAS also include associated internal,
human, network, or machine interfaces used to provide control, safety,
maintenance, quality assurance, and other process operations functionalities to
continuous, batch, discrete, and combined processes.
Logs: Files or prints of information in chronological order.
PAN: Process Automation Network, sometimes referred to as Plant
Information Network (PIN), is a plant-wide network (switches, routers,
firewalls, computers, etc.) interconnecting the process control systems and providing
an interface to the corporate network.
PAN Administrator: The Process Automation Network (PAN) Administrator
administers and performs system configuration and monitoring, and coordinates
with the Process Control System Administrator, if different, as designated by the
plant management. The PAN Administrator assumes the ownership of the IA&CS
including the PAN Firewall and has the function of granting, revoking, and
tracking access privileges and communications of users on ICS including the
Firewall.
Password: A form of secret authentication data that is used to control access to
a resource. Password authentication establishes the authenticity of a device or a
user requesting access to a system by testing a secret such as a personal
identification number (PIN) or password. The password authentication scheme is
the simplest and most common mechanism.
Server: A dedicated un-manned data provider.


5 Account & passwords Policies

Domain: ALLIED T.    Ref: ATS-AP-01    BIT: 12.0.a
Target: [ ] 8000 Family  [ ] 8500 Family  [x] 8600 Family
Mapping: SAEP-99 5.1.6.1.a-f
Action: Set minimum password length
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: The password length and complexity shall respect the SAEP-99 requirements
Dependencies:
Instruction:
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> set use minpwdlen=8
Automated task: yes

Domain: ALLIED T.    Ref: ATS-AP-02    BIT: 12.0.a
Target: [ ] 8000 Family  [ ] 8500 Family  [x] 8600 Family
Mapping: SAEP-99 5.1.6.1.a-f
Action: Set password expiration (password aging) for super user (manager)
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> set use pwdlifetime=60
The password remains valid for 60 days.
Automated task: yes


Domain: ALLIED T.    Ref: ATS-AP-03    BIT: 12.0.a
Target: [ ] 8000 Family  [ ] 8500 Family  [x] 8600 Family
Mapping: SAEP-99 5.1.6.1.a-f
Action: Set maximum number of old passwords to retain in the password history
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> set use pwdhistory=3
Password history is set to 3.
Automated task: yes

Domain: ALLIED T.    Ref: ATS-AP-04    BIT: 12.0.a
Target: [ ] 8000 Family  [ ] 8500 Family  [x] 8600 Family
Mapping: SAEP-99 5.1.6.1.a-f
Action: Set a threshold of failed login attempts
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> set use loginfail=5
Account lockout threshold is set to 5 invalid logon attempts.
Automated task: yes


Domain: ALLIED T.    Ref: ATS-AP-05    BIT: 12.0.a
Target: [ ] 8000 Family  [ ] 8500 Family  [x] 8600 Family
Mapping: SAEP-99 5.1.6.1.a-f
Action: Set length of time a user account remains locked out of the switch before the account is automatically unlocked
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> set use lockoutpd=86400
Account lockout duration is set to 1440 minutes (86400 seconds).
Default value is 600 sec.
Automated task: yes

Domain: ALLIED T.    Ref: ATS-AP-06    BIT: 12.0.a
Target: [ ] 8000 Family  [ ] 8500 Family  [x] 8600 Family
Mapping: SAEP-99 5.1.6.1.a-f
Action: Set a threshold of failed login attempts for the manager account
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> set use manpwdfail=5
The manager account is very sensitive. It locks out after 5 unsuccessful attempts.
Automated task: yes


Domain: ALLIED T.    Ref: ATS-AP-07    BIT: 12.0.a
Target: [ ] 8000 Family  [ ] 8500 Family  [x] 8600 Family
Mapping: SAEP-99 5.1.6.1.a-f
Action: Set minimum number of character categories in the password (complexity)
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> set use pwdmincat=4
The password character categories are:
- Cat 1: uppercase letters (A–Z)
- Cat 2: lowercase letters (a–z)
- Cat 3: digits (0–9)
- Cat 4: special symbols (any printable character not covered by one of the other categories)
Setting the minimum to 4 requires characters from all four categories, which makes the password complex as required by SAEP-99.
Automated task: yes
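The controls ATS-AP-01, ATS-AP-03 and ATS-AP-07 above are enforced by the switch itself once set. The following helper, added here as an example and not part of SABP-Z-051 or of any Allied Telesis software, lets a PAN administrator pre-check a candidate password against the same rules before issuing it: minimum length 8, all four character categories as the guide defines them, and rejection of any of the last 3 passwords. The salted-hash history record is this example's own assumption about how a local history could be kept and does not describe how the switch stores its history.

```python
"""Pre-check a candidate password against the guide's switch password policy.

Added example: not part of SABP-Z-051 and not Allied Telesis code.  The switch
enforces minpwdlen, pwdmincat and pwdhistory itself; this helper tests a
candidate before it is set.  Category definitions follow ATS-AP-07; the
history record (salted PBKDF2 hashes) is an assumption for a local tool, not
device behaviour.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8      # set use minpwdlen=8   (ATS-AP-01)
MIN_CATEGORIES = 4  # set use pwdmincat=4   (ATS-AP-07)
HISTORY_DEPTH = 3   # set use pwdhistory=3  (ATS-AP-03)


def categories(password):
    """Return the set of character categories (Cat 1..4) present in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("uppercase")
        elif ch in string.ascii_lowercase:
            found.add("lowercase")
        elif ch in string.digits:
            found.add("digit")
        elif ch.isprintable():
            # Cat 4 per the guide: any printable character not in the other categories
            found.add("special")
    return found


def check_password(password):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below minpwdlen {MIN_LENGTH}")
    found = categories(password)
    if len(found) < MIN_CATEGORIES:
        missing = sorted({"uppercase", "lowercase", "digit", "special"} - found)
        problems.append(f"only {len(found)} of {MIN_CATEGORIES} categories; missing {missing}")
    return problems


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def remember(history, password):
    """Append a salted hash of the password, keeping only the last HISTORY_DEPTH."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))
    del history[:-HISTORY_DEPTH]


def reused(history, password):
    """True if the password matches any of the retained previous passwords."""
    return any(hmac.compare_digest(_digest(password, salt), d) for salt, d in history)


if __name__ == "__main__":
    for candidate in ("Ab1!", "abcdefgh1!", "Str0ng!Pass"):
        print(candidate, "->", check_password(candidate) or "compliant")
```

A candidate that passes `check_password` and is not `reused` against the local history satisfies the three controls as the guide states them; the switch still applies its own checks when the password is actually set.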


Domain: ALLIED T.    Ref: ATS-AP-08    BIT: 12.0.a
Target: [X] 8000 Family  [ ] 8500 Family  [ ] 8600 Family
Mapping: SAEP-99 5.1.6.1.a-f
Action: Set password on console
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following commands:
   (config)-> line console
   (config)-> password Secret_Password
Secret_Password stands for the actual console password, which should comply with SAEP-99.
Automated task: yes


Domain: ALLIED T.    Ref: ATS-AP-09    BIT: 8.6
Target: [x] 8000 Family  [x] 8500 Family  [x] 8600 Family
Mapping: SAEP-99 5.1.6.1.l
Action: Disable SNMP default community strings (private and public)
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: SNMP enabled and authorized. Otherwise skip this control and disable SNMP (ATS-SA-041).
Dependencies:
Instruction:
8000 Series
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following commands:
   (config)-> no snmp-server community public
   (config)-> no snmp-server community private
3. If SNMP is used, the following command replaces the public community with a new string:
   (config)-> snmp-server community=New_String access=read

8500/8600 Series
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following commands:
   (config)-> disable snmp community=public
   (config)-> destroy snmp community=private
3. If SNMP is used, the following command replaces the public community with a new string:
   (config)-> set snmp community=New_String access=read

New_String is the new community enabled with read access privileges. The
community string should comply with SAEP-99.
Automated task: yes


Domain: ALLIED T.    Ref: ATS-AP-10    BIT: 8.6
Target: [X] 8000 Family  [X] 8500 Family  [X] 8600 Family
Mapping: SAEP-99 5.1.6.1.l
Action: Change default credentials for the operator and manager accounts
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: The password length and complexity shall respect the SAEP-99 requirements
Dependencies:
Instruction:
8000 Series
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following commands:
   (config)-> username operator password New_Password level 1
   (config)-> username manager password New_Password level 15

8500 Series
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following commands:
   (config)-> username operator password New_Password level 1
   (config)-> set password manager
   (config)-> set password operator
   You will be prompted to enter the new password.

8600 Series
1. Connect to the switch using administrative privilege (manager) (prompt: (config)->)
2. When authenticated and connected, issue the following commands:
   (config)-> username operator password New_Password level 1
   (config)-> set user=manager password=New_Password
   OR
   (config)-> set password
   You will be prompted to enter the new password.

The new passwords should meet the SAEP-99 requirements.

Warning:
The default password for the operator account is operator.
The default password for the manager account is friend.
Automated task: yes


6 Services and applications settings

Domain: ALLIED T.    Ref: ATS-SA-041    BIT: 8.5
Target: [x] 8000 Family  [x] 8500 Family  [x] 8600 Family
Mapping: SAEP-99 5.3.c, 5.4.2.m, 5.1.6.1.o
Action: Disable SNMP Server
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
8000 Series
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> no snmp-server

8500/8600 Series
1. Connect to the switch using administrative privilege (manager) (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> disable snmp
Automated task: yes
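Every control in sections 5 and 6 is marked "Automated task: yes", and the 8600-family commands are all of the form the guide shows (set use ..., disable/destroy snmp community=..., disable snmp, enable log). The script below is an added example, not part of SABP-Z-051 and not an Allied Telesis tool: it audits a saved configuration script against the thresholds of ATS-AP-01 to ATS-AP-07 and the SNMP controls ATS-AP-09 / ATS-SA-041, and also checks the hostname (ATS-HC-04) and logging (ATS-LA-01) controls from sections 7 and 8 so that one run covers the whole 8600 checklist. It assumes the configuration was saved as plain text whose lines are those same commands; both sample scripts are constructed for illustration, not captured from a real switch.

```python
"""Audit a saved 8600-family configuration script against the guide's controls.

Added example: not part of SABP-Z-051 and not an Allied Telesis tool.  Assumes
the configuration is available as a text script made of the commands the guide
issues.  HARDENED and DEFAULTS below are constructed samples.
"""
import re

# Thresholds from ATS-AP-01 .. ATS-AP-07: (parameter, comparison, limit, control)
USER_POLICY = [
    ("minpwdlen",   ">=", 8,     "ATS-AP-01"),
    ("pwdlifetime", "<=", 60,    "ATS-AP-02"),
    ("pwdhistory",  ">=", 3,     "ATS-AP-03"),
    ("loginfail",   "<=", 5,     "ATS-AP-04"),
    ("lockoutpd",   ">=", 86400, "ATS-AP-05"),
    ("manpwdfail",  "<=", 5,     "ATS-AP-06"),
    ("pwdmincat",   ">=", 4,     "ATS-AP-07"),
]


def parse_config(text):
    """Split the script into numeric 'set use[r]' parameters and all other lines."""
    user, other = {}, []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        # 'set use' is the guide's abbreviation of 'set user'; the prefix test accepts both.
        if line.startswith("set use"):
            for m in re.finditer(r"(\w+)=(\d+)\b", line):
                user[m.group(1)] = int(m.group(2))
        else:
            other.append(line)
    return user, other


def within(op, value, limit):
    return value >= limit if op == ">=" else value <= limit


def audit(text):
    """Return a list of findings; an empty list means every checked control is met."""
    user, lines = parse_config(text)
    findings = []
    for key, op, limit, ctrl in USER_POLICY:
        value = user.get(key)
        # pwdlifetime=0 is treated as 'not set' (this script's assumption, not from the guide)
        if value is None or (key == "pwdlifetime" and value == 0):
            findings.append(f"{ctrl}: {key} not set")
        elif not within(op, value, limit):
            findings.append(f"{ctrl}: {key}={value} violates {op} {limit}")
    # ATS-SA-041 ('disable snmp') makes the community check moot; otherwise the
    # default strings may only appear in disable/destroy commands (ATS-AP-09).
    if "disable snmp" not in lines:
        for line in lines:
            m = re.search(r"snmp community=(public|private)\b", line)
            if m and not line.startswith(("disable", "destroy")):
                findings.append(f"ATS-AP-09: default community '{m.group(1)}' still configured")
    if "enable log" not in lines:
        findings.append("ATS-LA-01: logging not enabled")
    if not any(re.match(r'set system name="?\S', line) for line in lines):
        findings.append("ATS-HC-04: hostname not set")
    return findings


# Constructed sample: a switch hardened exactly as the guide instructs.
HARDENED = """
set system name="ABQ-OIL-SW-001"
set use minpwdlen=8
set use pwdlifetime=60
set use pwdhistory=3
set use loginfail=5
set use lockoutpd=86400
set use manpwdfail=5
set use pwdmincat=4
disable snmp community=public
destroy snmp community=private
set snmp community=PlantReadOnly access=read
enable log
create log output
"""

# Constructed sample: a switch still close to factory defaults.
DEFAULTS = """
set use minpwdlen=6
set use lockoutpd=600
set snmp community=public access=read
enable snmp
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("defaults", DEFAULTS)):
        found = audit(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Each finding carries the guide's control reference, so the output maps directly onto the assessment checklist; a missing parameter is reported separately from a parameter set below the guide's threshold, since the two call for different remediation commands.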


7 Hardening controls

Domain: ALLIED T.    Ref: ATS-HC-04    BIT: 8.3
Target: [x] 8000 Family  [x] 8500 Family  [x] 8600 Family
Mapping: SAEP-99
Action: Set the device hostname
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: A naming convention procedure should exist. The router/switch name should reflect the device type and role.
Dependencies:
Instruction:
8000 Series
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> hostname New_Switch_Name

8500/8600 Series
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> set system name="New_Switch_Name"

Proposal
- Geo location: 3 characters referring to City or Plant (URT, ABQ, DHR ...)
- Admin Area: 3 characters referring to whether it is an Oil or Gas plant
- Device role: 2 or 3 characters indicating the device role
  o PLC, DCS ...
  o WRK stands for workstation
  o SRV stands for server
  o PRT stands for printer
  o FW for Firewall, RT for Router, SW for Switch and so on
- Incremental ID: 3 digits
Ex: ABQ-WKS-005 means Workstation 5 in Abqaiq plant
Automated task: yes


8 Logs and Auditing

Domain: ALLIED T.    Ref: ATS-LA-01    BIT: 18.0.a
Target: [x] 8000 Family  [ ] 8500 Family  [x] 8600 Family
Mapping: SAEP-99 5.5.1.d.iv
Action: Enable console logging
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
8000 Series
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> logging console critical,errors,alerts
The available levels are:
- emergencies
- alerts
- critical
- errors
- warnings
- notices
- informational
- debugging

8600 Series
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> enable log
Automated task: yes


Domain: ALLIED T.    Ref: ATS-LA-02    BIT: 18.0.a
Target: [x] 8000 Family  [ ] 8500 Family  [ ] 8600 Family
Mapping: SAEP-99 5.5.1.d.iv
Action: Set the buffer size for messages stored in the history table
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> logging buffered size 400
Automated task: yes

Domain: ALLIED T.    Ref: ATS-LA-03    BIT: 18.0.a
Target: [x] 8000 Family  [ ] 8500 Family  [ ] 8600 Family
Mapping: SAEP-99 5.5.1.d.iv
Action: Enable file system logging of actions
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following commands:
   (config)-> file-system logging copy
   (config)-> file-system logging delete-rename
This enables file system logging of copy, delete and rename actions.
Automated task: Yes


Domain: ALLIED T.    Ref: ATS-LA-04    BIT: 18.0.a
Target: [ ] 8000 Family  [x] 8500 Family  [x] 8600 Family
Mapping: SAEP-99 5.5.1.d.iv
Action: Enable logs to be stored in RAM
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> create log output
Automated task: Yes


Domain: ALLIED T.    Ref: ATS-LA-05    BIT: 18.0.a
Target: [ ] 8000 Family  [x] 8500 Family  [ ] 8600 Family
Mapping: SAEP-99 5.5.1.d.iv
Action: Save logs to a file
State: Final    Version: 1.0    Created on: January 2014
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite:
Dependencies:
Instruction:
1. Connect to the switch using administrative privilege (prompt: (config)->)
2. When authenticated and connected, issue the following command:
   (config)-> save log filename=SwitchFile.log severity=i,e,w overwrite
The severity levels are:
- Errors (e)
- Warning (w)
- Informational (i)
- Debug
Automated task: Yes

Revision Summary
3 May 2015 New Saudi Aramco Best Practice.
