Section 12 Cybersecurity

The SEC-12 Cybersecurity directive outlines the minimum cybersecurity requirements for security systems and Industrial Automation & Control Systems (IA&CS) in industrial facilities in Saudi Arabia. It mandates the implementation of Cybersecurity Management, risk assessment, training, access controls, incident response, and data protection measures. This directive supersedes previous versions and aims to enhance the security posture of industrial facilities against cyber threats.

SEC-12

Cybersecurity
Version 2.0

Security Directives
for Industrial Facilities

2017

KINGDOM OF SAUDI ARABIA


MINISTRY OF INTERIOR
HIGH COMMISSION FOR INDUSTRIAL SECURITY

RESTRICTED
All Rights reserved to HCIS. Copying or distribution prohibited without written permission from HCIS
Kingdom of Saudi Arabia
Ministry of Interior
High Commission for Industrial Security
Secretariat General
SEC-12 Cybersecurity


Version History

Item  Description     Issue Date
1     Original Issue  12 Jumada II, 1431 A.H. (26 May, 2010)
2     Version 2.0*    5 Rajab, 1438 (2 April, 2017)
* This directive was previously titled Information Protection

This Security Directive supersedes all previous Security Directives issued by the High
Commission for Industrial Security (HCIS), Ministry of Interior.


Table of Contents

1 PURPOSE ........................................................................ 7
2 SCOPE .......................................................................... 7
3 ACRONYMS & DEFINITIONS ......................................................... 7
4 REFERENCES ..................................................................... 7
5 GENERAL REQUIREMENTS ........................................................... 8
5.1. CYBERSECURITY MANAGEMENT .................................................... 8
5.2. RISK ASSESSMENT & MANAGEMENT ................................................ 8
5.3. CYBER SECURITY TRAINING & AWARENESS ......................................... 9
5.4. NETWORK SECURITY BOUNDARIES, EXTERNAL CONNECTIONS & REMOTE ACCESS ........... 9
5.5. ACCESS & SYSTEM SECURITY MANAGEMENT ........................................ 10
5.6. CYBERSECURITY INCIDENT RESPONSE ............................................ 12
5.7. BACKUP & RECOVERY .......................................................... 13
5.8. CONFIGURATION CHANGE MANAGEMENT ............................................ 13
5.9. DATA PROTECTION PROGRAM .................................................... 13
5.10. MEDIA DISPOSAL & SANITIZATION ............................................. 13
5.11. PHYSICAL PROTECTION OF IA&CS ASSETS ....................................... 13
6 APPLICATION OF REQUIREMENTS ................................................... 14
7 PROOF OF COMPLIANCE ........................................................... 14


1 Purpose
This document specifies the minimum cybersecurity requirements for security systems
and Industrial Automation & Control Systems (IA&CS), including their communication and
networking infrastructure, deployed at industrial facilities and interconnected remote
facilities.

2 Scope
This directive provides the minimum requirements for companies and establishments to
maintain the cyber security of deployed security systems and IA&CS.

3 Acronyms & Definitions

CSM     Cybersecurity Management
FO      Facility Operator: the owner, operator or lessee of a facility
HCIS    High Commission for Industrial Security
IA&CS   Industrial Automation & Control System
ISA     International Society of Automation
Shall   Indicates a mandatory requirement
Should  Indicates an advisory recommendation

4 References
This directive utilizes the latest edition of the references listed below.

ISA/IEC-62443   Industrial Automation & Control Systems (IACS) Security Standards
ISO 27001       Information Security Management
NIST SP 800-30  Risk Management Guide for IT Systems
NIST SP 800-34  Contingency Planning Guide for Federal Information Systems
SEC-01          General Requirements for Security Directives
SEC-08          Security Communications & Data Networks
SEC-14          Security Project Management at Industrial Facilities


5 General Requirements
The following requirements contain the mandatory procedural and technical methods the
FO shall implement in order to protect the cybersecurity of security systems and IA&CS
Assets.

5.1. Cybersecurity Management

The FO shall set clear and measurable policies and procedures to protect security
systems and IA&CS Assets through the implementation of Cybersecurity Management
(CSM). The CSM shall be designed to protect security systems and IA&CS assets from
all threats, whether internal or external, deliberate or accidental.

The CSM shall be reviewed, and updated where needed, every 12 calendar months or
immediately following recovery from a cybersecurity incident. Changes to the CSM
shall be reviewed by facility executive management, who shall certify its
compliance with facility cybersecurity requirements.

The CSM shall formally assign accountability and responsibility for cybersecurity to
a designated organization.

The CSM shall cover all items in this document. Changes to the CSM shall be
summarized and sent to HCIS.

5.2. Risk Assessment & Management

5.2.1. The FO shall conduct and document a cyber-risk assessment that includes
identification of critical IA&CS assets.

5.2.2. The FO shall address all identified risks with the appropriate treatment.
Penetration testing shall be utilized as part of the risk identification process.

5.2.3. The cyber-risk assessment shall be conducted utilizing a prevailing industry
methodology such as, but not limited to, the following:

5.2.3.1. NIST 800-30
5.2.3.2. ISO 27000 series
5.2.3.3. ISA 62443

The FO shall identify the methodology used for the assessment.

5.2.4. A cyber-risk assessment shall be conducted either when a major change
occurs to facility IA&CS or security systems or every 12 months.


5.2.5. The results of the cyber-risk assessment shall be summarized and sent to
HCIS whenever the assessment is changed and shall be validated by an
external audit conducted every 12 months.

5.3. Cyber Security Training & Awareness

The FO shall provide cyber security training & awareness for personnel with access
and shall not exceed 24 months between refreshers.

The FO shall ensure that personnel acknowledgment of security policies is formally
documented for initial access authorization and renewed in each 24-month period
or after major security policy changes.

5.4. Network Security Boundaries, External Connections & Remote Access

Network design and layout constraints for security systems are defined in SEC-08.

5.4.1. Network Security Boundaries

The FO shall establish, define and document one or more Network Security
Boundaries to protect IA&CS assets that are connected to a network.

The Network Security Boundary shall segregate IA&CS assets from external
network connections (i.e., Business/Enterprise, third parties, the Internet,
etc.) by implementing and identifying one or more access control points that
restrict the flow of network traffic between the Network Security Boundary
and external network connections.

At a minimum, these access control points shall limit inbound and outbound
network traffic to only required logical protocols, ports and services, with
all other traffic denied by default.

5.4.2. Information Sharing with External Connections


Where critical IA&CS Assets reside within a Network Security Boundary, the
FO shall implement an intermediate security zone, such as, but not limited
to, a DMZ to secure traffic to external systems.


5.4.3. Network Security Boundary Monitoring


The FO shall implement security event logging and monitoring at all access
control points between the Network Security Boundary and external
connections.
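The access control point described in 5.4.1 and the event logging required in 5.4.3 can be illustrated together with a small default-deny evaluator. The following is an added example, not HCIS text or any vendor's product: flows are matched against a documented allowlist of direction, protocol, port and source/destination networks, anything unmatched is denied, and every decision is written as a security event. The addresses, the two "required" services and the log format are constructed assumptions; a real boundary would enforce this in a firewall or data diode, with the same log shipped to the central store required in 5.5.5.

```python
"""Default-deny check for a Network Security Boundary access control point,
with a security event written for every decision (SEC-12 5.4.1 and 5.4.3).

Added example, not HCIS text. Addresses, services and the log format are
constructed assumptions.
"""
import ipaddress
import logging
from dataclasses import dataclass

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("boundary-acp")


@dataclass(frozen=True)
class Flow:
    direction: str  # "inbound" (external -> IA&CS) or "outbound" (IA&CS -> external)
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src_net: str
    dst_net: str
    dport: int
    service: str    # the documented reason this flow is required


# Constructed allowlist: the only flows the (hypothetical) facility documented
# as required. 10.10.0.0/24 stands for the IA&CS zone, 192.0.2.0/24 for the DMZ.
ALLOWLIST = (
    Rule("outbound", "tcp", "10.10.0.0/24", "192.0.2.10/32", 5432, "historian replication to DMZ"),
    Rule("inbound", "udp", "192.0.2.5/32", "10.10.0.0/24", 123, "NTP from DMZ time server"),
)


def evaluate(flow: Flow, rules=ALLOWLIST) -> tuple[str, str]:
    """Return ("allow", service) for the first matching rule, else ("deny", "default-deny")."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for rule in rules:
        if (
            rule.direction == flow.direction
            and rule.proto == flow.proto
            and rule.dport == flow.dport
            and src in ipaddress.ip_network(rule.src_net)
            and dst in ipaddress.ip_network(rule.dst_net)
        ):
            return "allow", rule.service
    # Nothing matched: traffic that is not explicitly required is denied.
    return "deny", "default-deny"


def check_and_log(flow: Flow) -> str:
    """Evaluate one flow and emit a security event for it (5.4.3); returns the verdict."""
    verdict, reason = evaluate(flow)
    log.info(
        "acp verdict=%s reason=%r dir=%s proto=%s src=%s dst=%s dport=%d",
        verdict, reason, flow.direction, flow.proto, flow.src, flow.dst, flow.dport,
    )
    return verdict


def denied_flows(flows) -> list[Flow]:
    """Run a batch through the access control point and return the flows that were denied."""
    return [f for f in flows if check_and_log(f) == "deny"]


if __name__ == "__main__":
    # Constructed sample traffic seen at the boundary.
    sample = [
        Flow("outbound", "tcp", "10.10.0.7", "192.0.2.10", 5432),  # required historian export
        Flow("inbound", "udp", "192.0.2.5", "10.10.0.7", 123),     # required NTP
        Flow("inbound", "tcp", "192.0.2.5", "10.10.0.7", 3389),    # not required: denied
        Flow("inbound", "udp", "198.51.100.9", "10.10.0.7", 123),  # NTP from a non-listed host: denied
    ]
    print(f"{len(denied_flows(sample))} of {len(sample)} flows denied")
```

Note that the last sample flow is denied even though the port is an allowed one: the rule binds the service to the specific documented source, so a host that is not on the list gets no access by merely speaking the right protocol. Logging the allowed flows as well as the denied ones is what makes the 5.4.3 record useful during an incident review.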

5.4.4. Remote Access to Network Security Boundaries

The FO shall ensure that remote access, where implemented, to the network
security boundaries uses a documented and secured procedure that
incorporates the following attributes:

5.4.4.1. Strong encryption
5.4.4.2. Event monitoring
5.4.4.3. Access controls including multi-factor authentication

5.4.5. Security Controls for Public Networks

In cases where sensitive data related to the facility or IA&CS Assets traverses
public networks, the FO shall ensure that such data is protected with strong
encryption whilst in transit. The FO shall conduct a risk analysis to determine the
optimal protection strategy.

5.5. Access & System Security Management

5.5.1. Access Management


The FO shall document and implement a process to authorize, based on
need, physical and electronic access to IA&CS Assets and security systems.
This access shall be reviewed every 12 months.

Access shall be immediately revoked when no longer needed.

Where shared accounts are required, due to IA&CS constraints or operational
considerations, for access to IA&CS assets, physical, technical or procedural
safeguards shall be implemented by the FO.

Subject to IA&CS Asset capabilities and vendor support, the FO shall implement
technical methods to enforce a limit on the number of successive unsuccessful
authentication attempts.


5.5.2. Default Accounts


Subject to IA&CS Asset capabilities and vendor support, the FO shall disable
unnecessary default accounts on IA&CS Assets and all security systems
including default operating system level accounts.

Where default accounts are necessary, the FO shall change default passwords,
subject to IA&CS Asset and security system capabilities and vendor support.

5.5.3. Passwords
Where password authentication for access to security systems and IA&CS is
in use, the FO shall enforce, either through technical or procedural methods,
the following password parameters:

5.5.3.1. A minimum password length that is at least twelve characters, or
the maximum length supported by the IA&CS asset if less than 12 characters.
5.5.3.2. A minimum password complexity that includes three or more
character types (uppercase alphabetic, lowercase alphabetic, numeric,
non-alphanumeric), or the maximum complexity supported by the IA&CS Asset.
5.5.3.3. Passwords shall automatically expire every 6 months maximum.

5.5.4. Threat Protection and Prevention


Subject to IA&CS Asset and security system capabilities and vendor support,
all IA&CS Assets and security systems shall have the latest malware
protection and prevention software installed, active and maintained.

The FO shall implement methods to proactively detect and counter emerging threats.

5.5.5. Security Event Logging and Alerting


The FO shall, subject to IA&CS Asset capabilities and vendor support, enable
continuous security event logging on all IA&CS Assets. This data shall be
stored in a central location as well as the local site.


5.5.6. Security Patch Management


The FO shall document and implement a process to manage security patches
for security systems and IA&CS Assets.

Subject to IA&CS Asset capabilities and vendor support, the FO shall install
the most recent security patches for IA&CS Asset and security system
operating systems, firmware and software applications.

Security patches shall be installed within 4 weeks of becoming available from
the vendor.

5.5.7. IA&CS Asset Hardening Procedures


The FO shall document and implement security hardening procedures for all
IA&CS Assets and security systems, based on industry standards and vendor
guidelines, subject to IA&CS Asset and security system capabilities and
vendor support.

5.5.8. Disable Unnecessary Services


The FO shall disable all unnecessary features, services and associated logical
network protocols and ports (e.g., scripts, applications, network services,
etc.) on all IA&CS Assets and security systems, subject to IA&CS Asset
capabilities and vendor support.

All security system and IA&CS workstations shall have all USB ports, CD
readers and other ports to connect external devices disabled. Users shall not
be permitted to install any additional software or updates.

Email services shall block any attachment that has macros or scripts.

5.5.9. Asset Management


The FO shall document and review its inventory of IA&CS Assets to ensure
completeness and correctness, at least once every 12 calendar months.

The FO shall ensure that any discrepancies are resolved and/or reported.

5.6. Cybersecurity Incident Response

The FO shall document and implement one or more Cybersecurity Incident response
plan(s) in accordance with industry standards, such as, but not limited to, NIST SP
800-34, and FO contingency plans.


This plan shall be tested every 12 months. The results of the annual test shall be
summarized and sent to HCIS.

5.7. Backup & Recovery

Back-up copies of data and software shall be taken and tested regularly in
accordance with the company backup policy. Backups shall be encrypted and stored
in a secured physically separate location.

FO shall have a disaster recovery plan that is periodically tested.

5.8. Configuration Change Management

All software and hardware changes to security systems and IA&CS assets shall be
documented and managed through a change management process. Significant
changes shall be tested to ensure they do not compromise IA&CS security controls.

5.9. Data Protection Program

The FO shall ensure that its Data Protection Program clearly assigns ownership and
responsibility, along with classification and protection, of all applicable
information regarding IA&CS and security systems.

5.10. Media Disposal & Sanitization

The FO shall implement and document operational procedures to ensure that
electronic storage media associated with IA&CS assets or security systems are
properly sanitized or destroyed prior to disposal or reuse outside of the IA&CS.

FO shall refer to related guidelines such as NIST SP 800-88 regarding media disposal
and sanitization.

5.11. Physical Protection of IA&CS Assets

While this directive generally addresses the online access to IA&CS assets, the FO is
also responsible for securing the physical asset as well. IA&CS assets shall be
installed in secured areas or cabinets that limit access to the devices.


6 Application of Requirements
This section lists how the requirements of this security directive apply to facilities
based on their FSC.

Facility Security Classification (FSC)

REQUIREMENT                          FSC 1   FSC 2   FSC 3   FSC 4   FSC 5
All Requirements                     (apply to every FSC class, 1 through 5)

7 Proof of Compliance
The FO shall provide HCIS with a Proof of Compliance (PoC), as part of the Stage 3
workflow, to explain and demonstrate how the FO is complying with specific
requirements in this directive. This will augment the Stage 3 submission, which covers
all items. The Stage 3 submission content and format are specified in SEC-14
section 6.3.

This PoC shall be submitted when available but prior to project commissioning.

This PoC shall provide details for each of the requirements listed below.

In all cases the responses shall be specific in nature and include adequate technical
details to demonstrate compliance to HCIS:

SEC-12 Reference              Requirement                                            FO Response
1. 5.0 General Requirements   FO shall provide relevant documents to validate
                              compliance with section 5. Documents shall summarize
                              each aspect of compliance with section 5.

Ministry of Interior
High Commission for Industrial Security
Riyadh
Kingdom of Saudi Arabia