
Engineering Standard

SAES-Z-010 1 January 2018


Process Automation Networks
Document Responsibility: Plants Networks Standards Committee

Contents
1 Scope ................................................................ 2
2 Conflicts and Deviations ................................... 4
3 References........................................................ 4
4 Definitions ......................................................... 5
5 Process Automation Network Design ................ 8
6 Wiring System ................................................. 12
7 Access Control Management
and Monitoring Design Requirements ............. 12
8 Operating System and
Network Device Hardening ............................. 15
9 Centralized Patch Server ................................ 15
10 Backup and Recovery ..................................... 15
11 System Testing ............................................... 15
12 Documentation ................................................ 16
Revision Summary ................................................. 16

Previous Issue: 29 October 2015 Next Planned Update: 29 October 2018


Revised paragraphs are indicated in the right margin Page 1 of 16
Contact: Usail, Khalid Yousif (usailky) phone +966-13-8800500

©Saudi Aramco 2018. All rights reserved.


Document Responsibility: Plants Networks Standards Committee SAES-Z-010
Issue Date: 1 January 2018
Next Planned Update: 29 October 2018 Process Automation Networks

1 Scope

1.1 This standard establishes the requirements for design, installation, configuration
and commissioning of Process Automation Networks (PANs), which shall
interface with plant DMZ (Demilitarized Zone) to communicate with the Saudi
Aramco corporate network or third party external networks. Process
Automation Network is a plant-wide network interconnecting Process Control
Systems (PCS) that provides an interface to the corporate network through plant
DMZ. A PAN does not include proprietary process control networks provided
as part of a vendor's standard process control system.

Parties involved in the commissioning of PANs are required to comply with this
standard.

1.2 The following requirements are excluded from this standard:

1.2.1 The requirements and guidelines governing the engineering, design
and installation of Process Control Systems are covered in SAES-Z-001.

1.2.2 The requirements and guidelines governing the engineering, design and
installation of Supervisory Control and Data Acquisition (SCADA) is
covered in SAES-Z-004.

1.2.3 The requirements for engineering design, specification, installation,
configuration, commissioning, and maintenance of FOUNDATION™
fieldbus based control systems are covered in SAES-J-904.

1.2.4 The procedural requirements and guidelines governing minimum
mandatory security for Process Control Systems and Networks are
covered in SAEP-99.

1.2.5 The requirements governing the design, installation, configuration,
and commissioning of the Saudi Aramco plant Demilitarized Zone (DMZ)
Architecture, which shall establish an intermediate network between the
Saudi Aramco Process Automation Network (PAN) and the Saudi Aramco
Corporate Network, are covered in SAES-T-566.

1.2.6 Figure 1 illustrates the division of responsibilities between the relevant
standards:

1.3 This entire standard may be attached to and made a part of purchase orders.

Saudi Aramco: Company General Use

Figure 1 - Standards Coordination


2 Conflicts and Deviations

Any conflicts between this document and other applicable Mandatory Saudi Aramco
Engineering Requirements (MSAERs) shall be addressed to the EK&RD Coordinator.

Any deviation from the requirements herein shall follow internal company procedure
SAEP-302.

3 References

The selection of material and equipment and the design, construction, maintenance, and
repair of equipment and facilities covered by this standard shall comply with the latest
edition of the references listed below.

3.1 Saudi Aramco References

Saudi Aramco Engineering Procedures

SAEP-99 Process Automation Networks and Systems Security
SAEP-302 Waiver of a Mandatory Saudi Aramco Engineering
Requirement
SAEP-701 Plant Ethernet Network Test Procedure
SAEP-1630 Preparation of Integration Test Procedure Document
SAEP-1634 Factory Acceptance Test Plan of Process Automation
Systems
SAEP-1638 Site Acceptance Test Plan

Saudi Aramco Engineering Standards

SAES-J-902 Electrical Systems for Instrumentation
SAES-J-904 FOUNDATION™ fieldbus (FF) Systems
SAES-P-103 UPS and DC Systems
SAES-T-566 Plant Demilitarized Zone (DMZ) Architecture
SAES-Z-001 Process Control Systems
SAES-Z-004 Supervisory Control and Data Acquisition (SCADA)
System

Saudi Aramco Materials System Specifications

23-SAMSS-010 Distributed Control Systems
23-SAMSS-020 Supervisory Control and Data Acquisition (SCADA)
Systems
23-SAMSS-030 Remote Terminal Unit
23-SAMSS-050 Terminal Management Systems
23-SAMSS-701 Industrial Ethernet Switch Specifications
23-SAMSS-072 Data Acquisition and Historization System (DAHS)
34-SAMSS-820 Instrument Control Cabinets - Indoor

Saudi Aramco Engineering Report

SAER-6123 Process Automation Networks Firewall Evaluation
Criteria

Saudi Aramco General Instructions

GI-0299.120 Sanitization and Disposal of Saudi Aramco Electronic
Storage Devices and Obsolete/Unneeded Software
GI-0710.002 Classification and Handling of Sensitive Information

Corporate Policy
INT-7 Data Protection and Retention

Saudi Aramco Information Protection Manual (IPM)

IPSAG-007 Computer Accounts Security Standards and Guidelines

3.2 Industry Codes and Standards

Institute of Electrical and Electronics Engineers, Inc.

IEEE 802.3 Carrier Sense Multiple Access with Collision
Detection (CSMA/CD) Access Method and
Physical Layer Specifications

4 Definitions

Backbone: A network configuration that connects various LANs together into an
integrated network. In a plant-wide network, that part of the network whose primary
function is to forward data packets between the other smaller networks.

Demilitarized Zone (DMZ): A network installed as a “neutral zone” between two
networks with different security levels that require exchanging information. The DMZ
network prevents information and network traffic from passing directly between the two
networks; in Saudi Aramco’s case, between the Corporate Network and the PAN.


Firewall: A set of related programs, located at a network gateway server, that protects
the resources of a private network from users of other networks.

Human Machine Interface (HMI): The display, data entry devices and supporting
software that allow a user access to applications.

Interfaces: Software modules for collecting data from data sources or sending data to
other systems. Typical data sources are Distributed Control Systems (DCSs),
Programmable Logic Controllers (PLCs), OPC Servers, lab systems, and process
models. However, the data source could be as simple as a text file.

L3 Switch: A network device that joins multiple computers together at the network
protocol layer of the Open System Interconnection (OSI) model, eliminating the need for
a router. L2 network switches operate at layer two (data link layer) of the OSI model.

Local Area Network (LAN): A private data communications network, used for
transferring data among computers and peripheral devices; a data communications
network consisting of host computers or other equipment interconnected to terminal
devices, such as personal computers, often via twisted pair or coaxial cable.

Logical Separation: The use of different Layer 3 network subnets or software running
on common hardware to separate two or more networks and systems.

Logs: Files or prints of information in chronological order.

OPC: OPC (originated from OLE for Process Control, now referred to as open
connectivity via open standards) is a standard established by the OPC Foundation task
force to allow applications to access process data from the plant floor in a consistent
manner. Vendors of process devices provide OPC servers, whose communications
interfaces comply with the specifications laid out by the task force (the OPC standard),
and any client software that complies with that standard can communicate with any of
those servers without regard to hardware releases or upgrades. The connection between
the client and the OPC server is either through the Microsoft COM interface or through
OLE automation, and the client accesses data from the data cache maintained by the
OPC server or requests that the server read the device directly.

Physical Separation: The use of different hardware to separate two or more networks
and systems.

Plant Historian: A plant-wide data repository which collects, archives, and
disseminates real-time plant information at extremely high speeds. It can be
cost-efficiently scaled to meet the demands of small, medium and large plants equally.
It can read all types of process data, and is the ideal solution to have all key parameters
of all types of manufacturing operations.


Process Automation Network (PAN): A plant-wide network interconnecting Process
Control Systems (PCS) that provides an interface with the plant DMZ to communicate with
the corporate network or third party external networks. A PAN does not include
proprietary process control networks provided as part of a vendor's standard process
control system.

Scan Node: Scan nodes run interfaces. Interfaces get the data from the data sources
and send it to the plant historian servers. Each different data source needs an interface
that can interpret it.

Secured Node: A server or workstation located in a room with controlled physical
access. It is assigned a fixed IP address and the remote desktop service is disabled;
however, the remote desktop client may be enabled. Access to the room must be logged
with information such as name, date, time of entry/exit and type of activity.

Server: A dedicated unmanned data provider.

Virtual Private Network (VPN): A private communications network existing within a
shared or public network platform (i.e., the internet).

Abbreviations:
CCTV Closed Circuit Television
CSMA/CD Carrier Sense Multiple Access/Collision Detection
DAHS Data Acquisition and Historization System
DCS Distributed Control Systems
DHCP Dynamic Host Configuration Protocol
DMZ Demilitarized Zone
DNS Domain Name System
FTP File Transfer Protocol
IP Internet Protocol
LAN Local Area Network
OSI Open Systems Interconnection
PAN Process Automation Network
SCADA Supervisory Control and Data Acquisition
SIEM Security Information and Event Management
SOC Security Operation Center
TCP Transmission Control Protocol


UDP User Datagram Protocol
UPS Uninterruptible Power Supply
VLAN Virtual LAN
VMS Vibration Monitoring System
WiFi Wireless Fidelity

5 Process Automation Network Design

5.1 The PAN shall be based on IEEE 802.3 CSMA/CD (Ethernet) standard.
The backbone shall be based on Layer 3 multi-protocol switches or routers.

5.2 Physical and Logical Separation

5.2.1 The network design shall provide physical and logical separation
between PAN and all other networks such as the Saudi Aramco
Corporate Network using SAES-T-566 Plant Demilitarized Zone (DMZ)
Architecture.

5.2.2 Logical separation such as VLAN or Layer 3 network subnets is
mandatory for subsystems such as CCTV and telephone network
connections in the PAN.

5.2.3 Physical separation utilizing dedicated fiber strands is permitted outside
the plant fence and shall include a service level agreement defining the area of
responsibility for support and maintenance, including agreed response
time.

Commentary Note:

Growth and future expansions shall be considered.

5.3 PAN can be used to integrate auxiliary systems on a single network such as
emergency shutdown systems, compressor control systems, vibration monitoring
systems, etc., for the purpose of centralizing the engineering and maintenance
activities of the plant.

5.4 Network segmentation within the plant shall be implemented by interconnecting
the different systems that communicate with each other through a network firewall.
Segmentation shall be implemented at the autonomous-system level as a minimum.

5.5 PAN shall not be permitted to access the internet.

5.6 All TCP/IP addressing shall be obtained from Saudi Aramco IT Organization.


5.7 All nodes on the PAN shall be assigned static IP addresses.

5.8 Dynamic Host Configuration Protocol (DHCP) shall not be used on the PAN.

5.9 Plant Historian

Historian System Architecture: The architecture consists of three components:
the corporate PI server, the local PI server, and the local PI scan node. The corporate PI
server is located on the corporate network (CN), where it reads and collects data
through PI-to-PI interfaces from one or more DMZ local PI server(s). The DMZ
local PI server reads and collects data from the PI scan node located in the PAN
through the plant-DMZ firewall. The PI scan node is interfaced to the plant
Process Automation Systems to get real-time data, and the server, named Data
Collector, stores the captured process data in a time-series database with
accurate time-stamping and sends it to the local DMZ PI server.
- Corporate Plant Historian Server(s) shall be on the Corporate Network (CN)
and shall be Saudi Aramco standard (IT) server hardware.
- Corporate Plant Historian shall be accessed within the plant using the
Corporate Network.
- The Local PI server and the PI Interface Server, which runs the PI-to-PI
interface, are located on the DMZ.
- PI-to-PI Interface shall transfer data between two PI servers that are
separated by a DMZ and firewalls.
- PI-to-PI interface server should be on the DMZ and shall be Saudi Aramco
standard (IT) server hardware.
- PI scan node server shall be on the Process Automation Network (PAN) and
shall be Saudi Aramco standard (IT) server hardware.
- PI scan node server shall be configured to buffer the maximum amount of
process data in case of disconnection of communication between PAN and
DMZ.
- Network traffic between the local Plant Historian and the scan node shall pass
through the plant DMZ firewall.
- Port TCP 5450 must be enabled at the firewall to open the communication
between the Corporate Plant Historian Server and the Local Plant Historian
Server/PI-to-PI Interface Server located in the DMZ.

- Data sources (PLCs/DCS/SCADA, etc.) shall be interfaced through the industry
standard OPC interface; vendor specific interfaces shall be avoided as much as
possible.
- Use one scan node to install both the OPC Server (provided by the data source
vendor) and the OPC Client (provided by the plant historian vendor). This will
eliminate COM/DCOM issues.

In case of multiple OPC servers, it is recommended to use a single OPC client
(scan node). Multiple scan nodes can also be used for load balancing or in case of
compatibility issues. Tunneller software can be used in this situation to
eliminate COM/DCOM issues.


5.10 See Figure 2 for a sample PAN architecture.

Figure 2 - Sample PAN Architecture


6 Wiring System

6.1 Fiber optic patch panels shall be installed in a cabinet.

6.2 PAN routers and switches shall be installed in a cabinet.

6.3 Fiber optic cable routed to another cabinet shall be run in polyethylene
corrugated loom tubing or flexible conduit at a minimum.

6.4 Corrugated loom tubing or flexible conduit is not required inside cabinets.

6.5 PAN cabling shall conform to the data link requirements in SAES-J-902.

6.6 PAN cabinets shall be designed in accordance with 34-SAMSS-820 without
affecting the accessibility and safety.

6.7 UPS/Battery capability and software implemented to provide for a controlled
shutdown of services in PAN components shall be configured according to
SAES-P-103.

7 Access Control Management and Monitoring Design Requirements

7.1 Access Control

7.1.1 Centralized authentication and account management capabilities shall be
implemented for all PAN components.

7.1.2 User Accounts

7.1.2.1 Each user should be assigned a unique user ID.

7.1.2.2 All GUEST user accounts shall be disabled on the system.

7.1.2.3 Where applicable, all individual user ID formats should
conform to corporate guidelines as highlighted in IPSAG-007,
Section 11.1.1.3.6 “USER ID CONSTRUCTION”.

7.1.3 User Account Passwords

7.1.3.1 Every user ID shall have an individual password.

7.1.3.2 The system shall be configured to require a minimum password
length of eight characters.

7.1.3.3 Passwords shall be transmitted and stored in encrypted format.


7.1.3.4 The system shall be configured to enforce password
uniqueness. A minimum of six unique passwords must be
entered before a password can be re-used.

7.1.3.5 Password Construction

The system shall be configured to enforce password complexity
rules. Easily guessable passwords must be avoided at all times.
As a minimum, a password must contain characters from at
least three of the following four classes:
- Lower case characters a-z
- Upper case characters A-Z
- Digits 0-9
- Punctuation characters, e.g., ! @ # $ % ^ & *, etc.

7.1.4 The system shall be configured to require passwords to be reset for all
user IDs every three months.

7.1.5 The system should issue a password expiration notification to the user at
least 10 days prior to password expiry date.

7.1.6 Passwords shall be masked on the screen while being entered.

7.1.7 In order to change user account passwords, users should always be required
to provide both their old and new passwords.
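As an added illustration (not part of the standard), the following Python encodes the password rules of 7.1.3.2 through 7.1.3.5, 7.1.4 and 7.1.5 as a check a PAN administrator could run before accepting a new password. Reading "three months" as 90 days and keeping the password history as salted PBKDF2 digests are this example's assumptions; the standard itself only requires encrypted storage.

```python
"""Password-rule check modelled on SAES-Z-010 paragraphs 7.1.3.2 to 7.1.3.5,
7.1.4 and 7.1.5.  Added illustration, not text or code from the standard.

  7.1.3.2  minimum length of eight characters
  7.1.3.5  at least three of four classes: lower, upper, digit, punctuation
  7.1.3.4  no match against the previous six passwords
  7.1.4    reset every three months (assumed here to mean 90 days)
  7.1.5    expiry notice at least 10 days before the password expires
"""
import hashlib
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 8
MIN_CLASSES = 3
HISTORY_DEPTH = 6
MAX_AGE_DAYS = 90     # assumption: "every three months" read as 90 days
NOTICE_DAYS = 10
PUNCTUATION = set(string.punctuation)


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in PUNCTUATION:
            classes.add("punct")
    return classes


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest so history entries are never kept in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def check_new_password(candidate, history):
    """Return the list of violated paragraphs; an empty list means acceptable.

    `history` is a list of (salt, digest) tuples, most recent first.
    """
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("7.1.3.2 length")
    if len(character_classes(candidate)) < MIN_CLASSES:
        violations.append("7.1.3.5 complexity")
    if any(hash_password(candidate, salt) == digest
           for salt, digest in history[:HISTORY_DEPTH]):
        violations.append("7.1.3.4 reuse")
    return violations


def record_password(password, history):
    """Prepend the new password's salted digest and keep only the last six."""
    salt = os.urandom(16)
    return [(salt, hash_password(password, salt))] + history[:HISTORY_DEPTH - 1]


def password_expired(last_set, today):
    """7.1.4: True once the password is older than MAX_AGE_DAYS (ISO date strings)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_set)
    return age > timedelta(days=MAX_AGE_DAYS)


def expiry_notice_due(last_set, today):
    """7.1.5: notify the user from NOTICE_DAYS before the expiry date onward."""
    expiry = date.fromisoformat(last_set) + timedelta(days=MAX_AGE_DAYS)
    return date.fromisoformat(today) >= expiry - timedelta(days=NOTICE_DAYS)
```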

7.1.8 PAN router and switch passwords shall be changed prior to commissioning.

7.1.9 PAN routers and switches should monitor and record all failed login
attempts.

7.2 System Access

7.2.1 System login scripts, if any, shall be configured to prevent a user
bypassing them.

7.2.2 Repeated login failures shall be logged with the location, date, time, and
user account used.

7.2.3 At login time, every user should be given information reflecting the last
login time and date, if supported by the system or application. This will
allow unauthorized system usage to be detected.

7.2.4 Systems shall be configured to deny concurrent user sessions.
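As an added example (not from the standard), the following Python reviews a constructed extract of PAN router/switch login records for the record content required by 7.2.2 and for the repeated failed logins that 7.1.9 and 7.2.2 ask to be recorded. The log line format, device names, addresses, accounts and the alert threshold of five failures within ten minutes are assumptions made for the example.

```python
"""Review of PAN device login records against SAES-Z-010 7.1.9 and 7.2.2.

Added example, not part of the standard.  Log format, names, addresses and the
alert threshold are constructed; the standard only requires that failed logins
be recorded with location, date, time and user account.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style export; the last line deliberately lacks the account.
SAMPLE_LOG = """\
2018-01-15T08:02:11 pan-sw-01 LOGIN_FAILED user=opsadmin src=10.20.5.23
2018-01-15T08:02:19 pan-sw-01 LOGIN_FAILED user=opsadmin src=10.20.5.23
2018-01-15T08:02:25 pan-sw-01 LOGIN_FAILED user=opsadmin src=10.20.5.23
2018-01-15T08:02:33 pan-sw-01 LOGIN_FAILED user=opsadmin src=10.20.5.23
2018-01-15T08:02:41 pan-sw-01 LOGIN_FAILED user=opsadmin src=10.20.5.23
2018-01-15T08:03:02 pan-sw-01 LOGIN_OK user=opsadmin src=10.20.5.23
2018-01-15T09:15:00 pan-rtr-02 LOGIN_FAILED user=netops src=10.20.7.4
2018-01-15T10:40:12 pan-rtr-02 LOGIN_FAILED user=netops src=10.20.7.4
2018-01-15T11:01:45 pan-sw-01 LOGIN_FAILED src=10.20.9.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<event>LOGIN_FAILED|LOGIN_OK)"
    r"(?: user=(?P<user>\S+))?(?: src=(?P<src>\S+))?$"
)
THRESHOLD = 5                   # assumption: alert on 5 failures ...
WINDOW = timedelta(minutes=10)  # ... within 10 minutes for one account


def parse(log_text):
    """Split the export into parsed records and lines that do not match the format."""
    records, malformed = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records, malformed


def incomplete_failures(records):
    """7.2.2: every failure must carry location (device), date/time and user account."""
    return [r for r in records
            if r["event"] == "LOGIN_FAILED" and not (r["device"] and r["user"])]


def repeated_failures(records):
    """Sliding-window count of LOGIN_FAILED per (device, user).

    Returns {(device, user): {"count", "first", "last", "success_after"}} for each
    account reaching THRESHOLD failures inside WINDOW; success_after flags a later
    successful login on that account, the case that most needs review.
    """
    windows = defaultdict(deque)
    alerts = {}
    for r in sorted(records, key=lambda x: x["ts"]):
        if r["user"] is None:
            continue  # reported by incomplete_failures(); cannot be attributed
        key = (r["device"], r["user"])
        if r["event"] == "LOGIN_OK":
            if key in alerts:
                alerts[key]["success_after"] = True
            continue
        q = windows[key]
        q.append(r["ts"])
        while r["ts"] - q[0] > WINDOW:  # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            a = alerts.setdefault(key, {"count": 0, "first": q[0],
                                        "last": r["ts"], "success_after": False})
            a["count"] = max(a["count"], len(q))
            a["last"] = r["ts"]
    return alerts
```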



7.3 PAN equipment that contains data storage shall be sanitized before disposal in
compliance with GI-0299.120.

7.4 Monitoring and Review

7.4.1 The PAN shall be configured for the monitoring and recording of:
i. System Events
ii. Security Events (i.e. logon events, privileged activities, user ID, user
type, transaction and log source, etc.)

7.4.2 The PAN shall include a system to proactively monitor Plant Networks
and Systems components in accordance with vendor recommendations:

7.4.2.1 The events below should be captured as applicable:
i. Disk space utilization
ii. CPU usage utilization
iii. Memory utilization
iv. IO rates (i.e., physical and buffer) and device utilization
v. Network utilization and availability (e.g., transaction
rates, error and retry rates)
vi. System Event logs and faults

Running processes (if not all, at least unexpected ones) should
also be captured to detect and/or root-cause any malware.

7.4.2.2 Vendor-approved third party computer hardware monitoring
software or appliance may be used to manage hardware
performance monitoring parameters.

7.4.3 Retention and archival of security audit logs shall be developed in
accordance with Corporate Data Protection and Retention INT-7 policy.
The retention period for audit logs shall be set for 12 months as a
minimum.

7.4.4 The PAN shall facilitate an automated (SIEM) solution that securely
integrates with Saudi Aramco corporate SOC.

7.4.5 Captured information classified as “Sensitive,” as defined in
GI-0710.002, shall be adequately safeguarded.

7.5 Physical Access

7.5.1 The PAN hardware components such as cables, switches, routers, and
modems shall be physically secured to prevent vandalism and electronic
eavesdropping.

7.5.2 Physical access to components shall be restricted to persons authorized
for administrative access.

8 Operating System and Network Device Hardening

8.1 PAN equipment shall be deployed with the vendor's latest supported,
security-hardened operating system.

8.2 The secure configuration baselines shall be thoroughly tested by the vendor.
The vendor shall enable the PAN administrators to support and administrate the
PAN equipment after deployment and commissioning.

8.3 Unused physical ports/interfaces on PAN equipment shall be disabled before
commissioning.

9 Centralized Patch Server

A centralized patch server shall be located on the PAN or DMZ to distribute operating
systems’ security patches, antivirus updates, and vendor application software to stations
located on PAN or DMZ. This centralized server shall be used for stations connected to
the PAN, which are part of other systems such as PCS or emergency shutdown systems.

10 Backup and Recovery

A complete backup of PAN switches, routers, and PAN systems configuration shall be
developed for new installations or upgrades of PAN equipment. This includes:

10.1 All necessary operating system and configuration files

10.2 The backup is tested and verified

10.3 Multiple copies of the backup are made

10.4 One copy shall be stored in a secure onsite location and the other copy shall be
maintained at a secure off-site location

11 System Testing

11.1 Testing shall address all plant components, networking and interfaces to external
systems and to legacy applications/systems. Formal testing shall minimally
comprise Factory Acceptance Test (FAT) per SAEP-1634, Site Acceptance
Tests (SAT) per SAEP-1638, Performance Acceptance Tests (PAT), and
Preparation of Integration Test Procedure Documents per SAEP-1630.

11.2 Comprehensive test plans and test specifications such as SAEP-701, Plant Ethernet
Network Test Procedure, shall be followed for all plant platforms, networking,
applications, integration components, interfaces to external systems and legacy
applications/systems, and any additional technology content of the project.

12 Documentation

Comprehensive documentation shall be provided to ensure that the PAN is installed and
configured in a consistent manner. It shall include detailed layouts of TCP/IP addressing
schemes and all other network protocols used in the system. The documentation shall
also include physical locations of systems components like routers, and switches.
The following shall be made available:

12.1 Standard vendor manuals and catalogs shall be provided on CD-ROM or other
electronic media. Formats should be PDF or HTML.

12.2 Equipment configuration data bases in Microsoft Excel, Access, or Intools.

12.3 Final project specific documents in two signed hard copies plus two sets of
CD-ROM in Microsoft Word.

12.4 A plant network drawing layout showing the PAN logical and physical design
and its interconnection to the Corporate Network.

12.5 A PAN System Architectural Drawing(s) providing a complete and detailed
overall interconnection methodology for all PAN equipment and components.

12.6 All PAN software shall be authentic, supported, and up to date with security
patches, fixes or other revisions. Software licenses, activation keys and, where
available, offline backup media shall be provided as part of the equipment
documentation.

Revision Summary
29 October 2015 Major revision to reflect Audit IS2015-426 observations and addressed Plant Networks
segmentation requirements.
1 January 2018 Editorial revision to modify and/or delete paragraph 7.3.
