Saes T 566 PDF
1 Scope
2 Conflicts and Deviations
3 References
4 Definitions
5 DMZ Architecture Design
6 Firewalls Filtering, Blocking, and Access Control
7 Cabling Distribution Design
8 DMZ Applications and Services
9 Backup and Recovery
10 System Testing
11 Documentation
1 Scope
This standard defines the minimum mandatory requirements governing the design,
installation, configuration, and commissioning of Saudi Aramco plant Demilitarized
Zone (DMZ) Architecture, which shall establish an intermediate network between the
Saudi Aramco Process Automation Network (PAN) and Saudi Aramco Corporate
Network to provide security protection for the Saudi Aramco plants networks and
systems (PN&S).
2 Conflicts and Deviations
2.1 Any conflicts between this standard and other applicable Saudi Aramco
Materials System Specifications (SAMSSs), Engineering Standards (SAESs),
Engineering Procedures (SAEPs), Standard Drawings (SASDs), or other
Mandatory Saudi Aramco Engineering Requirements (MSAERs) shall be
resolved in writing by the Company or Buyer Representative through the
Chairman, Communications Standards Committee, Process & Control Systems
Department, Dhahran.
2.2 Direct all requests to deviate from this standard in writing to the Company or
Buyer Representative, who shall follow internal company procedure SAEP-302
and forward such requests to the Manager, Process & Control Systems
Department of Saudi Aramco, Dhahran.
3 References
SAES-T-566: Plants Demilitarized Zone (DMZ) Architecture
Document Responsibility: Plants Networks Standards Committee
Issue Date: 26 October 2015
Next Planned Update: 17 March 2018
4 Definitions
L2 Switch: A network device that joins multiple computers together at layer two (Data
Link Layer) of the Open System Interconnection (OSI) model.
Local Area Network (LAN): A private data communications network, used for
transferring data among computers and peripheral devices; a data communications
network consisting of host computers or other equipment interconnected to terminal
devices.
PI-to-PI Interface: Software that transfers data from one PI server (the source
server) to another PI server (the receiving server) via TCP/IP.
Abbreviations:
AV Anti-Virus
CCR Central Control Room
CMS Condition Monitoring System
DCS Distributed Control Systems
DMZ Demilitarized Zone
PAN Process Automation Network
PMS Power Monitoring System
PSA Power System Automation
SCADA Supervisory Control and Data Acquisition
SDH Synchronous Digital Hierarchy
SSH Secure Shell Protocol
VMS Vibration Monitoring System
5 DMZ Architecture Design
5.1 Each Saudi Aramco plant facility shall implement a DMZ at their network
boundaries with Corporate Network.
Commentary Notes:
5.2 DMZ network shall comply with IEEE 802.3 CSMA/CD (Ethernet) standard.
5.3 DMZ components shall be installed in the plant operating facility premises as
close as practical to the PAN in locations such as CCR, Telecommunications/
Computer/ Rack room(s), in accordance with SAEP-99 requirements.
5.4 All Plant Systems and applications that are required to communicate with the
Corporate Network (such as Plant Information (PI)) shall be hosted in the DMZ
either by relocation or provision of a replica server.
5.6 All DMZ components (i.e., firewall, switches and servers) shall be implemented
with the latest security updates and patches per vendor recommendations.
5.7 All default passwords for predefined accounts of all DMZ components shall be
changed immediately after installation or upgrade.
5.10 The DMZ subnet shall be different from corporate and plant subnets. Subnet IP
address and network mask shall be obtained from Saudi Aramco IT.
5.11 DMZ components shall be deployed with the latest vendor supported security
hardened operating system (i.e., apply patches, disable USB port, disable
unnecessary services/tasks) in accordance with SAEP-99 and relevant Saudi
Aramco security guidelines.
5.13 DMZ components shall be fully interoperable with plant PAN and Corporate
Network. It is recommended to align DMZ components with IT purchase
agreements and maintenance contracts.
[Figure: network diagram. Labelled elements: Corporate office workstation, Corporate PI data historian server, Corporate patch management server, Corporate Anti-virus Server, DMZ local PI, DMZ patch management.]
5.15 Each Saudi Aramco production plant facility shall implement the hardware-
based isolation device with unidirectional network communication from
Industrial Control Systems (ICS) network to Business network.
5.16 Each Saudi Aramco Bulk Plant and OSPAS shall implement the hardware-based
isolation device with bidirectional network communication from Industrial
Control Systems (ICS) network to Business network.
5.17 The hardware-based isolation device for plant facility shall be installed inside
the DMZ and before IT firewall.
6 Firewalls Filtering, Blocking, and Access Control
6.1 DMZ firewall(s) shall be configured to prevent network traffic from passing
directly between the Corporate Network and PAN. All traffic from either side
shall terminate at the DMZ zone.
6.2 Firewall(s) shall be configured to deny all access unless specifically permitted.
6.3 Firewall(s) filter rules shall allow only approved secure services and protocols.
Insecure services and clear text protocols such as Telnet and FTP shall not be used.
6.4 Enable Security logging for traffic monitoring and intrusion detection for all
DMZ components.
6.7 Network equipment including firewalls and network devices shall be managed
by predefined facility support staff through secure ports such as SSH.
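One way to check a firewall rule set against clauses 6.1 to 6.3, as an added example that is not part of the standard. The rule format, the zone names CORP/DMZ/PAN, the explicit final deny-all requirement, and the sample rules are assumptions constructed for illustration; each permit rule is judged on its own, with no shadowing analysis.

```python
# Added example: audit a zone-based rule list against clauses 6.1-6.3.
# Rule format, zone names and sample rules are assumptions, not from the standard.
from dataclasses import dataclass

ZONES = {"CORP", "DMZ", "PAN"}
CLEARTEXT = {21: "FTP", 23: "Telnet"}      # services named in clause 6.3

@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    src: str       # "CORP", "DMZ", "PAN" or "any"
    dst: str
    port: object   # TCP port number or "any"

DENY_ALL = Rule("deny", "any", "any", "any")

def expand(zone):
    return ZONES if zone == "any" else {zone}

def audit(rules):
    """Return (rule_number, clause, message) findings; an empty list means compliant."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r.action != "permit":
            continue
        # 6.1: no permit may join CORP and PAN directly, in either direction.
        if any({s, d} == {"CORP", "PAN"} for s in expand(r.src) for d in expand(r.dst)):
            findings.append((n, "6.1", f"{r.src}->{r.dst} bypasses the DMZ"))
        # 6.3: cleartext services must not be reachable through any permit.
        bad = [name for port, name in CLEARTEXT.items() if r.port in ("any", port)]
        if bad:
            findings.append((n, "6.3", "permits " + "/".join(bad)))
    # 6.2: this sketch requires an explicit deny-all as the final rule
    # (an assumption; some firewalls apply an implicit default deny).
    if not rules or rules[-1] != DENY_ALL:
        findings.append((len(rules), "6.2", "no final deny-all rule"))
    return findings

# Constructed sample rule sets.
WEAK = [Rule("permit", "CORP", "DMZ", 443),
        Rule("permit", "CORP", "PAN", 3389),   # direct Corporate-to-PAN path
        Rule("permit", "DMZ", "PAN", 23),      # Telnet
        Rule("permit", "PAN", "DMZ", 5450)]
HARDENED = [Rule("permit", "CORP", "DMZ", 443),
            Rule("permit", "PAN", "DMZ", 5450),
            Rule("permit", "DMZ", "PAN", 22),  # SSH in place of Telnet
            DENY_ALL]

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```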
7 Cabling Distribution Design
Premises distribution methods for cables and cabinets shall comply with SAES-T-916,
“Communications Building Cable.”
8 DMZ Applications and Services
The DMZ shall host applications and services including, but not limited to, the following:
Patch management servers (such as Windows security patch updates and anti-virus
data files) shall be located in the DMZ.
Commentary Note:
For small facilities where the number of workstations/servers is fewer than five,
manual updates can be performed periodically in accordance with the Saudi Aramco IT
antivirus manual and relevant vendor recommendations. A formal internal
procedure shall be developed by the proponent.
9 Backup and Recovery
A complete configuration backup of DMZ switches and systems shall be developed for
new installations or upgrades of DMZ equipment per SAES-Z-010 and SAEP-1050
requirements and guidelines.
10 System Testing
11 Documentation
11.1 Standard vendor manuals and catalogs shall be provided in CD-ROM or other
11.3 Final project specific documents in two signed hard copies plus two (2) sets of
CD-ROM in Microsoft Word.
11.4 A DMZ network drawing layout showing the DMZ logical and physical design
and its interconnection to the Corporate Network.
11.5 For all plant applications that need to traverse plant firewalls, the vendors shall
provide the plant administration with an application flow diagram that shows
inter-path connections and traffic characteristics. These diagrams are required to
support the following objectives:
● Expedite mission-critical troubleshooting.
● Ensure security by verifying that only the required traffic flow is allowed.
Revision Summary
17 March 2013: New Saudi Aramco Engineering Standard.
15 May 2014: Minor revision to align technical requirements with the current technology and BIT recommendations.
30 June 2014: Minor revision to update the primary contact, edit the definition of “Hardware-based isolation device” in section 4, and edit sections 5.15, 5.16 & 5.17 to reflect the mandate for the Hardware-based isolation device requirements.
8 January 2015: Editorial revision to transfer this engineering document from Communications Standards Committee to be under the newly established Plants Networks Standards Committee.
26 October 2015: Minor revision to update the plants firewall intrusion prevention functionality requirements.