Best Practice

SABP-Z-087 9 October 2016


Implementing Secure Shell (SSH) File Transfer
Protocol (SFTP) on Process Automation Systems
Document Responsibility: Plant Networks Standards Committee

Table of Contents
1 Scope ........................................................................ 2
2 Conflicts and Deviations ............................................ 2
3 Users ......................................................................... 2
4 References ................................................................ 2
5 Definitions and Abbreviations .................................... 2
5.1 DEFINITIONS ........................................................... 2
5.2 ABBREVIATIONS ...................................................... 4
6 Introduction ............................................................... 4
7 Secure File Transfer Protocol (SFTP) ....................... 4
7.1 OPENSSH SERVER .................................................. 4
7.2 SFTP CLIENT ........................................................ 18
Revision Summary......................................................... 29

Previous Issue: New
Next Planned Update: TBD

Contact: Yousef, Hassan S. (youshs0a) on phone +966-13-8809815 Page 1 of 29

©Saudi Aramco 2016. All rights reserved.


1 Scope

The purpose of this best practice is to guide Process Automation Network (PAN)
administrators in setting up a secure mechanism to transfer files between the PAN and
the Peripherals Gateway Zone (PGZ) as per the recommendations set forth in SAER-7534,
"Implementing Zero-USB Architecture on Process Automation Networks".
Adopting this transfer method eliminates the need to use removable media on live
production systems and therefore removes the cyber security threats that removable
media introduce to those systems.

2 Conflicts and Deviations

In the event of a conflict between this best practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.

3 Users

The intended users of this document are Process Automation Network (PAN)
administrators in charge of implementing security controls pertaining to removable
media devices usage inside the plant.

4 References

The following references were used in this document:

Saudi Aramco References

Saudi Aramco Engineering Procedures

SAEP-98 Removable Media Usage for Process Automation Systems
SAEP-99 Process Automation Networks and Systems Security

Saudi Aramco Engineering Report

SAER-7534 Implementing Zero-USB Architecture on Process Automation Networks

5 Definitions and Abbreviations

5.1 Definitions

OpenSSH (also known as OpenBSD Secure Shell): A suite of security-related
network utilities based on the Secure Shell (SSH) protocol. It protects network
communications by encrypting all traffic, supports multiple authentication
methods, and provides secure tunneling capabilities.

Process Automation Network (PAN): Sometimes referred to as Plant Information
Network (PIN), a plant-wide network interconnecting Process Control Networks
(PCN) and providing an interface to the WAN. A PAN does not include proprietary
process control networks provided as part of a vendor's standard process control
system.

Process Automation Network (PAN) Administrator: A system administrator who
performs day-to-day maintenance activities on the PAN devices (e.g.,
administration, configuration, upgrade, monitoring, etc.) and who may also
perform additional functions such as granting, revoking, and tracking access
privileges for PCS operating systems and applications.

Process Automation System (PAS): A network of computer-based or
microprocessor-based electronic equipment whose primary purpose is process
automation. The functions may include process control, safety, data acquisition,
advanced control and optimization, historical archiving, and decision support.

Peripherals Gateway Station (PGS): A workstation that resides on the PGZ for the
sole purpose of providing an outlet to transfer data to/from production systems.

Peripherals Gateway Zone (PGZ): A standalone zone on the plant-managed firewall.
It is used to host a station used for data exchange purposes.

PuTTYgen: A free utility, part of the PuTTY suite, used to generate SSH key
pairs (RSA, DSA, ECDSA, and Ed25519) and to convert between key formats.

Removable Media (or removable media devices): Computer storage technologies
that are portable (not permanently attached to a computer). Examples include
optical discs, memory cards, floppy disks, USB flash drives, external HDDs,
external SSDs, magnetic tapes, smart phones, tablets, PDAs, etc.

Secure File Transfer Protocol (SFTP), or SSH File Transfer Protocol: A file
access and transfer protocol that runs as a subsystem inside an SSH session, so
that authentication, encryption, and integrity protection are all provided by
SSH. Despite the similar name, it is a separate protocol from FTP and does not
carry FTP commands over SSH.

Server: A dedicated un-manned data provider.

Windows Secure Copy (WinSCP): A free and open-source SFTP, FTP, WebDAV and SCP
client for Microsoft Windows.

Workstation: A computer intended for individual use that is faster and more
capable than a personal computer. It is intended for business or professional
use.


5.2 Abbreviations
OpenSSH OpenBSD Secure Shell
PAN Process Automation Network (also: Plant Information Network)
PAS Process Automation System
PCN Process Control Network
PCS Process Control System
PGS Peripherals Gateway Station
PGZ Peripherals Gateway Zone
SFTP Secure File Transfer Protocol, or SSH File Transfer Protocol
WinSCP Windows Secure Copy
USB Universal Serial Bus

6 Introduction

The use of on-demand SFTP sessions from the PAN/Protected Zone to the Peripherals
Gateway Station (PGS) adds another defense layer against potential malware spread
into the production environment.

7 Secure File Transfer Protocol (SFTP)

SFTP follows a client-server architecture: only the client initiates the session
to the server, after which data can be transferred in both directions over that
single connection. For the proposed setup this means the plant firewall only
needs to permit connections from the client side (PAN/Protected Zone) toward
the server side (PGZ), never the reverse.

This document details the use of OpenSSH server, WinSCP client, and PuTTYgen to
create an SFTP model to transfer plant data across the plant firewall.

7.1 OpenSSH Server

OpenSSH server can run on a multitude of platforms such as Windows-based,
Linux-based, or Unix-based platforms. Due to the prevalence of Windows-based
platforms in Process Automation environments, this best practice addresses how
to install OpenSSH on Windows Server 2012. Although OpenSSH can run on a
standard workstation, it is recommended, as a general practice, to install a
data provider on an un-manned machine, i.e., a server platform.


The OpenSSH suite consists of the following tools:

• Remote operations are performed through ssh, scp, and sftp.
• Key management through ssh-add, ssh-keysign, ssh-keyscan, and ssh-keygen.
• The service side consists of sshd and sftp-server. ssh-agent is the client-side
  authentication agent that holds unlocked private keys for ssh and sftp; it is
  not part of the server.

Prerequisites:
• Install and run a Windows Server version on a physical machine, or a virtual
one.
• Download the appropriate OpenSSH version (32-bit or 64-bit).
• Copy the installation file (*.zip) into a directory in the SFTP server.

Configuration Steps:
1. Change the default Computer Name to a meaningful name such as
SFTPSERVER and join the domain, if a Domain Controller exists at your
facility, by selecting the “Domain” radio button on the “Member of” option
of the screen and type the Domain Name of your facility.

Note: In case a Domain Controller isn’t present at your facility, simply type the
Workgroup name used at your site.


2. Click OK and reboot the machine:

3. Change the IPv4 address to a static IP address and disable IPv6 through
Network Connections -> right-click the Ethernet connection -> Properties.


4. Uncheck Internet Protocol Version 6 (TCP/IPv6).

5. Click Internet Protocol Version 4 (TCP/IPv4) -> Properties.


6. Configure a static IP address as per your network architecture:

Note: The above IP address shown here is for illustrational purposes only.
It has been configured on a non-production environment at an isolated lab.


Notice the new computer name, workgroup, and static IP address of the server:


7. Unzip the content of the openSSH.zip file into the openssh directory of the
C-Drive “C:\openssh\”. If the directory “openssh” isn’t present, create it.


8. The contents of the zipped folder shall reside in the "C:\openssh\"
subdirectory:

9. Launch PowerShell as an Administrator and navigate to the desired directory,
i.e., "C:\openssh\":

a. Type "./ssh-keygen.exe -A" and press Enter.
b. Type "New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound
-Action Allow -DisplayName SSH" and press Enter.


Notes:

The last line of the output should state "The operation completed successfully".

* The use of the default SSH port (22/TCP) isn't advised. Use a different port in
the high range so that the service is not found by tools that only probe
well-known ports. To do so, refer to the "sshd_config" file detailed in steps 11
and 12 of this document: look for the line with the port number, change it,
remove the pound sign "#", save and close. A non-default port is an obscurity
measure only; a full port scan still finds the service. Whatever port is chosen,
the firewall rule from step 9b must be changed to match it and should be
restricted to the address of the PGS client rather than left open to any source.

10. Reboot the machine, document the reason for restart in the Comment
section of the prompt:


11. Browse to the directory "C:\openssh\" and locate the file "sshd_config" ->
right-click the file -> Open with -> Notepad.

12. On the "Subsystem sftp" line, change the location of the sftp server from
"/usr/libexec/sftp-server" to "C:\openssh\sftp-server.exe" (or wherever it is
stored in your configuration) -> save the file and close.


13. Return to PowerShell, navigate to the "C:\openssh\" subdirectory and type
in the following command: "./sshd.exe Install"

Note: The last line of the output should state "Service installed successfully".

14. Once the service installs successfully, from the Server Manager window ->
Tools -> Services:


15. Look for the "SSHD" service -> Properties:

16. Change the Startup type to Automatic and click Start -> Apply -> OK.


17. Create a new user in the "Users" group, or a restricted profile. This account
will be used by the SFTP client to connect to the server. The details shown
below are for a server that is not part of a domain:

18. Go to Server Manager -> Computer Management.

19. Expand System Tools -> Local Users and Groups -> Users -> New User...


20. Use the screenshot below as an example in setting up the new user:

21. Make sure the newly created user is NOT an Administrator or Power
User:


22. Launch PowerShell as an Administrator and navigate to the "C:\openssh\"
subdirectory.

23. Type the following command:

"./ssh-keygen.exe -l -f ./ssh_host_rsa_key -E md5"

24. Note the MD5 fingerprint of the server's RSA host key. It is compared against
the fingerprint WinSCP presents on the first connection to verify the server's
identity, so record it through a channel other than the SFTP connection itself
(e.g., in the change record), since the point of the check is that the client
cannot trust what the network shows it. If your WinSCP version displays a
SHA-256 fingerprint instead, run the same command with "-E sha256" and compare
that value.
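The server-side procedure above (steps 7 to 24) collapsed into one script, as an added example that is not part of SABP-Z-087 and not code from the OpenSSH or WinSCP projects. It applies the two points the notes make but the click-through steps do not: the firewall rule is created for the chosen non-default port and restricted to the PGS client, and the account is checked against the privileged groups before the fingerprints are printed. The install path C:\openssh, port 2222, account name "sftpuser" and PGS address 10.10.20.5 are assumptions; ADSI is used for the account because New-LocalUser is not available on Windows Server 2012.

```powershell
# Added example, not part of SABP-Z-087: section 7.1 steps 7 to 24 as one script.
# Assumed values (not in the original): install path C:\openssh, port 2222,
# account "sftpuser", PGS client address 10.10.20.5. Adjust to your site.
# Run from an elevated PowerShell on the SFTP server after the OpenSSH zip
# has been extracted into C:\openssh (step 7).

$OpenSshDir = 'C:\openssh'
$Port       = 2222            # assumed non-default port (see the note after step 9)
$SftpUser   = 'sftpuser'      # assumed name of the restricted SFTP account
$PgsAddress = '10.10.20.5'    # assumed address of the PGS client in the PGZ

Set-Location $OpenSshDir

# Step 9a: generate any missing host keys in the install directory.
& .\ssh-keygen.exe -A

# Step 9b, tightened: allow only the chosen port, and only from the PGS.
Get-NetFirewallRule -DisplayName 'SFTP from PGS' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'SFTP from PGS' -Direction Inbound -Protocol TCP `
    -LocalPort $Port -RemoteAddress $PgsAddress -Action Allow | Out-Null

# Steps 11 and 12 plus the port note: rewrite the two relevant sshd_config lines.
$cfgPath = Join-Path $OpenSshDir 'sshd_config'
$cfg = Get-Content $cfgPath
$cfg = $cfg -replace '^\s*#?\s*Port\s+\d+.*$', "Port $Port"
$cfg = $cfg -replace '^\s*Subsystem\s+sftp\s+.*$', "Subsystem sftp $OpenSshDir\sftp-server.exe"
Set-Content -Path $cfgPath -Value $cfg -Encoding ASCII
Select-String -Path $cfgPath -Pattern '^(Port|Subsystem)\s' | ForEach-Object { $_.Line }

# Steps 13 to 16: register the service and start it automatically.
& .\sshd.exe install
Set-Service -Name SSHD -StartupType Automatic
Start-Service -Name SSHD

# Steps 17 to 20: create the restricted local account through ADSI
# (New-LocalUser does not exist on Windows Server 2012). The password is
# read interactively so it is never stored in the script.
$secure = Read-Host -Prompt "Password for $SftpUser" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$user = $computer.Create('User', $SftpUser)
$user.SetPassword($plain)
$user.SetInfo()
$plain = $null
$usersGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"
try { $usersGroup.Add("WinNT://$env:COMPUTERNAME/$SftpUser,user") } catch { }  # already a member

# Step 21: fail loudly if the account ended up in a privileged group.
foreach ($g in 'Administrators', 'Power Users') {
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$g,group"
    $members = @($grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    if ($members -contains $SftpUser) { throw "$SftpUser must not be a member of $g" }
}

# Steps 22 to 24: print the host key fingerprints to record for the client check.
Write-Host 'Record these fingerprints out of band and compare them in WinSCP:'
& .\ssh-keygen.exe -l -f .\ssh_host_rsa_key.pub -E md5
& .\ssh-keygen.exe -l -f .\ssh_host_rsa_key.pub -E sha256
```

The account's profile directory does not exist until the account logs in for the first time; that first login is where the ".ssh\authorized_keys" file of section 7.2 (steps 10 to 13) is then placed. The script prints both the MD5 and the SHA-256 fingerprint because different WinSCP versions display one or the other in the host key prompt.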

7.2 SFTP Client

The SFTP client resides, depending on the architecture, on the PAN or the
Protected Zone. It initiates the secure session from the Inside interface of the
router (the most trusted zone) to an Outside interface such as the Peripherals
Gateway Zone, so the firewall policy only has to allow the session in that
direction. This section details how to configure WinSCP to act as the SFTP
client. Its main function, for the proposed setup, is file transfer between a
local computer (SFTP client) and a remote computer (SFTP server).

Prerequisites
1. Install and run a Windows operating system on a physical machine, or a
virtual one. Windows 7 or a later version is strongly recommended.
2. Download the WinSCP client software.
3. Download puTTY Key Generator.
4. Copy the installation files into a directory on the SFTP client.

Configuration Steps
1. Startup the SFTP client machine and boot into Windows.


2. Run the installation file of WinSCP and select Typical Installation:

3. Select the appropriate interface style of the application


4. Click Finish to complete the installation.

5. Launch PuTTYgen and click Generate:

6. Move the mouse cursor in a random pattern over the blank area; PuTTYgen
gathers the entropy for the key from the cursor movement. Leave the key type at
RSA and use a length of at least 2048 bits. The generated public key looks like:

7. Select ALL of the text in the "Public key for pasting into OpenSSH
authorized_keys file" box and copy it to the clipboard.

8. Type a passphrase in the "Key passphrase" field and confirm your entry in
the field below it.

9. Save the private key by clicking the "Save private key" button. Select an
appropriate name for the key and click Save.

Commentary Note:

The key passphrase protects the confidentiality of the private key at rest: the
saved .ppk file is encrypted with it, so a copy of the file alone is useless
without the passphrase. The passphrase is only ever used locally to unlock the
key; it is never sent to the server. Keep the private key file on the SFTP
client only; only the public key is copied to the server.


10. On the SFTP server, a subdirectory named ".ssh" shall be created in the home
directory of the account created in section 7.1, step 17 (by default
C:\Users\<username>). Log in to the server as that user so that the profile
exists, open a command prompt in the home directory, and create the directory
by typing "md .ssh":


11. Browse to the .ssh directory and create a new text file named exactly
"authorized_keys" (underscore, no ".txt" extension; show file extensions in
Explorer, or create it from the command prompt with "type nul > authorized_keys"
to be sure) and open it for editing:

12. Paste the public key generated through PuTTYgen into the authorized_keys
file. Make sure the entire key is pasted on a single line, in the form
"ssh-rsa AAAA... comment":


13. Save the file and close it.

14. Launch WinSCP and fill in the following parameters:

a. File protocol: SFTP
b. Host name: SFTPSERVER
c. Port number: 22*
d. User name: the account created for SFTP in section 7.1, step 17

* Don't use the default SSH port; use the port configured during OpenSSH server
configuration.


15. Attempt to connect to the SFTP server through password authentication to
ensure connectivity is established. WinSCP prompts to confirm the identity of
an unknown server and shows the fingerprint of its RSA host key:

16. Verify that the MD5 fingerprint of the RSA key matches the one recorded on
the server in section 7.1, step 24. If it does not match, do not accept the key;
the client may be talking to the wrong machine.

17. Type the corresponding password for the account username provided during
login:


18. The connection is established once the directories of both local and remote
machines are displayed:

19. Once password authentication succeeds, key authentication shall be verified.

20. Disconnect the session to return to the login screen.

21. On the WinSCP login screen, click Advanced.

22. Under SSH -> Authentication, select the private key (.ppk file) previously
saved and leave all other options at their default settings:

23. Click OK to close and return to the login screen.

24. For added convenience, save the session details for ease of reach:


25. Click the Login button and a passphrase prompt will appear:

Commentary Note:

The password you're prompted to provide isn't the Windows account password. It
is the passphrase used to protect the private key when it was generated and
saved.

26. Type the passphrase and click OK.

Commentary Note:

In some configurations the message "Server refused public-key signature despite
accepting key!" may appear, followed by a prompt for a password. This means the
server found the key in authorized_keys but rejected the signature made with it,
and WinSCP fell back to password authentication. The session still opens if the
Windows account password is entered, but it is then authenticated by the
password, not the key. Before relying on key authentication, check that the
authorized_keys file has the exact name, sits in the correct home directory,
and contains the complete public key on one line.


27. The connection is established once the directories of both local and remote
machines are shown, as in step 18 of this section. Once key authentication is
confirmed to work, set "PasswordAuthentication no" in sshd_config on the server
and restart the SSHD service, so that the account can no longer be reached with
a password alone.
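The WinSCP session configured by hand in steps 14 to 27, driven from PowerShell through the WinSCP .NET assembly, as an added example that is not part of SABP-Z-087 and not code from the WinSCP project. The point it demonstrates is the host key check of steps 15 and 16 done by the machine instead of by eye: the fingerprint recorded on the server is pinned in the session options, and a server presenting any other key is refused rather than accepted with a prompt. The assembly location, port 2222, account "sftpuser", key path C:\keys\sftpuser.ppk, the transfer directories and the placeholder fingerprint are all assumptions; WinSCPnet.dll comes from the separate WinSCP automation package.

```powershell
# Added example, not part of SABP-Z-087: section 7.2 steps 14 to 27 as a script
# using the WinSCP .NET assembly (WinSCPnet.dll from the WinSCP automation
# package, assumed to be installed next to WinSCP.exe).
# Assumed values (not in the original): server SFTPSERVER on port 2222, account
# "sftpuser", PuTTYgen private key C:\keys\sftpuser.ppk, local transfer folders
# under C:\transfer, remote folders /outbound and /inbound.

Add-Type -Path 'C:\Program Files (x86)\WinSCP\WinSCPnet.dll'

# Read the key passphrase interactively; it is used only to unlock the .ppk
# locally and is never sent to the server (see the commentary after step 9).
$passphrase = Read-Host -Prompt 'Private key passphrase' -AsSecureString
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($passphrase)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$options = New-Object WinSCP.SessionOptions -Property @{
    Protocol             = [WinSCP.Protocol]::Sftp
    HostName             = 'SFTPSERVER'
    PortNumber           = 2222                      # assumed non-default port
    UserName             = 'sftpuser'                # assumed account name
    SshPrivateKeyPath    = 'C:\keys\sftpuser.ppk'    # assumed key path
    PrivateKeyPassphrase = $plain
    # Placeholder: replace with the MD5 fingerprint printed by ssh-keygen on the
    # server (section 7.1 step 24). A mismatch makes Open() throw instead of
    # presenting a prompt that a hurried operator might click through.
    SshHostKeyFingerprint = 'ssh-rsa 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx'
}
$plain = $null

$session = New-Object WinSCP.Session
try {
    $session.Open($options)

    # Transfer in both directions over the one client-initiated connection:
    # outbound files to the PGS, inbound vendor files from it.
    # Check() throws on the first transfer that failed.
    $up = $session.PutFiles('C:\transfer\outbound\*', '/outbound/')
    $up.Check()
    $down = $session.GetFiles('/inbound/*', 'C:\transfer\inbound\')
    $down.Check()

    foreach ($t in @($up.Transfers) + @($down.Transfers)) {
        Write-Host ("Transferred {0} -> {1}" -f $t.FileName, $t.Destination)
    }
}
finally {
    $session.Dispose()
}
```

WinSCP accepts the fingerprint in either the MD5 form shown ("ssh-rsa 2048 xx:xx:...") or the SHA-256 form its newer versions display; use whichever ssh-keygen printed with the matching "-E" option. Because the fingerprint is pinned in the script, a rebuilt server with a new host key is detected as a failed Open() rather than silently accepted, which is the behaviour wanted on a link that exists to keep untrusted data out of the PAN.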

Revision Summary
9 October 2016 New Saudi Aramco Best Practice that provides guidelines to Process Automation Network
(PAN) administrators in setting up a secure mechanism to transfer files between the PAN and
Peripherals Gateway Zone (PGZ) as per the recommendations set forth in SAER-7534 titled
“Implementing Zero-USB Architecture on Process Automation Networks”.
