This article is about SAES-T-566 which is about Plant Demilitarized Zone (DMZ) Architecture and download SAES-T-566 PDF for telecommunication and electrical engineers, supervisors and project managers, telecom QCs, telecom QC Supervisors. This is saudi aramco standards of Telecommunication Engineering based on international codes and standards and useful for telecom and electronics engineering knowledge to get job as engineers, QC Supervisors and QC managers, Engineering managers and technicians.
SAES-T-566 PDF Download
SAES-T-566Plant Demilitarized Zone (DMZ) Architecture
The SAES-T-566 standard outlines the minimum mandatory requirements for the design, installation, configuration, and commissioning of the Demilitarized Zone (DMZ) Architecture in Saudi Aramco plants. The purpose of this architecture is to establish an intermediate network between the Saudi Aramco Process Automation Network (PAN) and the Saudi Aramco Corporate Network. The DMZ Architecture serves to enhance security and provide protection for the Saudi Aramco plants’ networks and systems (PN&S).
The specific objectives of implementing the DMZ Architecture include:
- Security Protection: The DMZ Architecture aims to protect the Saudi Aramco plants’ networks and systems from unauthorized access, malicious activities, and potential cyber threats.
- Network Segmentation: It establishes a clear separation between the Process Automation Network (PAN) and the Corporate Network, ensuring that communication between these networks occurs through controlled access points.
- Controlled Access: The DMZ Architecture defines mechanisms for controlling and monitoring access to the Saudi Aramco plants’ networks and systems, enabling authorized entities to interact with the PAN while maintaining security.
- Secure Communication: It facilitates secure communication between the PAN and the Corporate Network by implementing appropriate security measures, such as firewalls, intrusion detection systems, and encryption protocols.
- Policy Enforcement: The DMZ Architecture ensures that the established security policies and guidelines are enforced consistently throughout the Saudi Aramco plants’ networks and systems.
By adhering to the requirements specified in the SAES-T-566 standard, Saudi Aramco aims to establish a robust and secure DMZ Architecture that mitigates risks, safeguards critical infrastructure, and protects sensitive data within their plant networks.
DMZ Architecture Design
The DMZ Architecture design for Saudi Aramco plant facilities includes the following requirements and guidelines:
5.1 Each Saudi Aramco plant facility should implement a DMZ at their network boundaries with the Corporate Network. For plants with multiple scattered Process Automation Networks (PANs) or small consolidated facilities, it is recommended to interface with the Corporate Network via a centralized DMZ network model. Consolidated PANs with centralized DMZ design should be submitted to P&CSD (Projects & Control Systems Department) for review and approval. Conducting a risk assessment, following SAEP-99 and SAEP-707, is recommended prior to DMZ implementation to ensure proper implementation and meet the DMZ’s objectives.
5.2 The DMZ network should comply with the c CSMA/CD (Ethernet) standard.
5.3 DMZ components, including firewalls, switches, and servers, should be installed in the plant operating facility premises as close as practical to the PAN. Suitable locations for installation include the CCR (Central Control Room), Telecommunications/Computer/Rack room(s), in accordance with SAEP-99 requirements.
5.4 Plant systems and applications that need to communicate with the Corporate Network, such as Plant Information (PI), Anti-Virus (AV), Windows Server Update Services (WSUS), and proxy server for Vibration Monitoring System (VMS) and Power System Automation (PSA) remote access, should be hosted in the DMZ. This can be achieved by either relocating the servers or providing replica servers.
5.5 The DMZ network should include the following components:
- Layer 2 switch
- Two firewalls
- Server hardware to host plant applications shared with Corporate users and security management services such as automatic AV update, patch update management, and proxy if applicable. When high availability of critical facilities is required, two redundant firewalls should be considered. The criticality of the facility should be determined by the proponent business case.
5.6 All DMZ components (firewalls, switches, and servers) should be implemented with the latest security updates and patches following vendor recommendations.
5.7 Default passwords for predefined accounts of all DMZ components should be changed immediately after installation or upgrade.
5.8 User ID formats should conform to corporate guidelines as highlighted in Section 11.1.1.3.6 “USER ID CONSTRUCTION” in IPSAG-007.
5.9 All nodes on the DMZ should be assigned static IP addresses.
5.10 The DMZ subnet should have a different IP address and network mask from the corporate and plant subnets. The subnet IP address and network mask should be obtained from Saudi Aramco IT.
5.11 DMZ components should be deployed with the latest vendor-supported security-hardened operating systems. This includes applying patches, disabling USB ports, and disabling unnecessary services/tasks, following SAEP-99 and relevant Saudi Aramco security guidelines.
5.12 Unused physical ports/interfaces of DMZ network equipment should be disabled.
5.13 DMZ components should be fully interoperable with the plant PAN and Corporate Network. It is recommended to align DMZ components with IT purchase agreements and maintenance contracts.
5.14 A sample logical DMZ model is illustrated in Figure 1 (not provided here).
By following these guidelines and requirements, Saudi Aramco aims to establish a secure and well-designed DMZ Architecture to protect their plant networks and systems while enabling controlled communication with the Corporate Network.
Firewalls Filtering, Blocking, and Access Control
The filtering, blocking, and access control guidelines for DMZ firewalls in Saudi Aramco’s architecture are as follows:
6.1 DMZ firewall(s) should be configured to prevent network traffic from directly passing between the Corporate Network and PAN. All traffic from either side should terminate at the DMZ zone.
6.2 Firewall(s) should be configured to deny all access by default unless specifically permitted.
6.3 Firewall(s) filter rules should only allow approved secure services and protocols. Insecure services and clear text protocols like Telnet and FTP should not be used.
6.4 System logging should be enabled for traffic monitoring and intrusion detection on all DMZ components. This helps in tracking and identifying potential security incidents.
6.5 Intrusion Prevention functionalities should be installed on all firewalls. These functionalities help in detecting and preventing unauthorized access attempts and malicious activities.
6.6 The filtering mechanism of the firewall should be based on source/destination IP addresses and TCP/UDP ports, as a minimum. Network equipment, including firewalls and network devices, must be hardened with minimum security configuration baselines. These network devices should be managed by predefined facility support staff through secure ports such as SSH (Secure Shell).
For additional guidelines on firewall configuration and hardware selection, SAER-6123, “Process Automation Networks Firewall Evaluation Criteria,” can provide further guidance. It outlines specific criteria and recommendations for configuring and selecting firewalls in process automation networks.
FAQs about SAES-T-566 PDF Download
Q1: What is SAES-T-566?
A: SAES-T-566 is a Saudi Aramco Engineering Standard that outlines the minimum mandatory requirements for the design, installation, configuration, and commissioning of the Demilitarized Zone (DMZ) Architecture in Saudi Aramco plants.
Q2: What is the purpose of the DMZ Architecture?
A: The purpose of the DMZ Architecture is to establish an intermediate network between the Saudi Aramco Process Automation Network (PAN) and the Saudi Aramco Corporate Network. It enhances security and provides protection for the Saudi Aramco plants’ networks and systems (PN&S).
Q3: What is the recommended network standard for the DMZ?
A: The DMZ network should comply with the IEEE 802.3 CSMA/CD (Ethernet) standard. This standard ensures compatibility and interoperability of the network components.
Q4: Where should the DMZ components be installed?
A: The DMZ components, including firewalls, switches, and servers, should be installed in the plant operating facility premises as close as practical to the PAN. Suitable locations for installation include the CCR (Central Control Room), Telecommunications/Computer/Rack room(s), in accordance with SAEP-99 requirements.
Q5: Are there any specific requirements for the DMZ installation?
A: SAEP-99 requirements provide guidance on the installation of DMZ components, including considerations for physical locations, equipment layout, and facility requirements. It is essential to adhere to these requirements to ensure proper installation and operation of the DMZ Architecture.
Read Also:
SAES-T-556 PDF Download – Circuit Quality and Performance
SAES-T-555 PDF Download – IP Based Closed-Circuit Television (CCTV)
SAES-T-521 PDF Download – Circuit Measuring Techniques
SAES-T-494 PDF Download – Very Small Aperture Terminal (VSAT) Network Design
SAES-T-493 PDF Download – Digital Trunked Radio System
SAES-T-492 PDF Download – VHF/UHF Land-Mobile and Fixed Radio Communication
SAES-T-481 PDF Download – In-Plant Voice Paging System
SAES-T-360 PDF Download – Synchronous Digital Hierarchy Transmission Systems
SAES-T-151 PDF Download – D.C. Power Systems
SAES-T-101 PDF Download – Regulated Vendors List for Communications Equipments and Materials
SAES-T-018 PDF Download – Telecommunications Symbols, Abbreviations and Definitions
SAES-T-000 PDF Download – Telecommunications Standards – Introduction and Indices
Pingback: SAES-T-634 PDF Download - Telecommunications Cable Testing and Acceptance - PDFYAR - Engineering Notes, Documents & Lectures