Best Practice

SABP-Z-052 3 May 2015


Network Devices Hardening Guide – Cisco Switches
Document Responsibility: Plants Networks Standards Committee

Saudi Aramco DeskTop Standards


Table of Contents

1 Introduction
2 Conflicts with Mandatory Standards
3 References
4 Definitions
5 Unsupported devices
6 Account & passwords Policies
7 Services and applications settings
8 Hardening controls
9 Logs and Auditing

Previous Issue: New
Next Planned Update: 3 May 2020


Page 1 of 16
Primary contact: Ouchn, Nabil J (ouchnnj) on +966-3-8801365

Copyright©Saudi Aramco 2015. All rights reserved.



1 Introduction
1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology for implementing advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrators and technical support staff, for the purpose of prompt risk
mitigation and overall adherence to the company's cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and/or technicians working as Process Automation Network
(PAN) Administrators.
1.2 Scope
This best practice defines the methodology for hardening the configuration
settings of Cisco switches, which may require software or hardware changes to
ensure a "secure configuration" as per the SAEP-99 "Process Automation Networks
and Systems Security" procedure.
Implementation of this best practice shall satisfy the audit requirement for
the BIT recommendations and can be assessed using the "Performing Security
Compliance Assessment Manual".
1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by
the vendor and/or consulting agent for the implementation of security
configurations by the PAN administrator(s), and shall not be considered
"exclusive" in providing "comprehensive" compliance with SAEP-99 or any other
Saudi Aramco Engineering standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) of
their responsibility or duty to confirm and verify the accuracy of any
information presented herein, or of thorough coordination with the respective
control system steering committee chairman and vendor.

2 Conflicts with Mandatory Standards


In the event of a conflict between this Best Practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.
3 References
Specific sections of the following documents are referenced within the body of this
document. Material or equipment supplied under this best practice shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.


Saudi Aramco References

Saudi Aramco Engineering Procedures
SAEP-99      Process Automation Networks and Systems Security
SAEP-302     Instructions for Obtaining a Waiver of a Mandatory Saudi Aramco Engineering Requirement

Saudi Aramco Engineering Standards
SAES-Z-001   Process Control Systems
SAES-Z-010   Process Automation Networks

General Instruction
GI-0710.002  Classification of Sensitive Information

4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
DCS - Distributed Control System
ESD - Emergency Shutdown Systems
IP - Internet Protocol
ISA - The International Society of Automation
PAN - Process Automation Network
PCS - Process Control Systems
PLC - Programmable Logic Controller
PMS - Power Monitoring System
SCADA - Supervisory Control and Data Acquisition
TMS - Terminal Management System
VMS - Vibration Monitoring System
4.2 Terms
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. Wherever there are
assets worth protecting, authentication is needed; it is the first step in
protecting systems and information because it establishes who is requesting access.


Process Automation Systems (PAS): PAS include networks and systems hardware and
software such as the Process Automation Network (PAN), Distributed Control
Systems (DCS), Emergency Shutdown Systems (ESD), Programmable Logic Controllers
(PLC), Supervisory Control and Data Acquisition (SCADA) systems, Terminal
Management Systems (TMS), networked electronic sensing systems, monitoring
systems (such as VMS and PMS), diagnostic systems, and related industrial
automation and control systems. PAS also include associated internal, human,
network, or machine interfaces used to provide control, safety, maintenance,
quality assurance, and other process operations functionalities to continuous,
batch, discrete, and combined processes.
Logs: Files or prints of information in chronological order.
PAN: Process Automation Network, sometimes referred to as Plant Information
Network (PIN), is a plant-wide network (switches, routers, firewalls, computers,
etc.) interconnecting the process control systems and providing an interface to
the corporate network.
PAN Administrator: The Process Automation Network (PAN) Administrator
administers and performs system configuration and monitoring, coordinating with
the Process Control System Administrator if different, as designated by plant
management. The PAN Administrator assumes ownership of the IA&CS (industrial
automation and control systems), including the PAN firewall, and has the function
of granting, revoking, and tracking access privileges and communications of users
on the ICS, including the firewall.
Password: A form of secret authentication data that is used to control access to
a resource. Password authentication determines authenticity by testing whether a
device or user requesting access to a system knows a secret, for example a
personal identification number (PIN) or password. The password authentication
scheme is the simplest and most common mechanism.
Server: A dedicated unmanned data provider.

5 Unsupported devices
Some Cisco switches do not support the CLI (command line interface). They can only be
managed through the web interface (if enabled) or through the Cisco Network Assistant GUI
software, downloadable at no charge from
http://www.cisco.com/c/en/us/products/cloud-systems-management/network-assistant/index.html.
The following products can only be managed through the software or the web interface:
- Cisco Catalyst Express 500
Please report to Nabil OUCHN (ouchnnj) any product you cannot manage through the CLI.


6 Account & passwords Policies

Domain: CISCO    Ref.: CIS-AP-06    BIT: 12.0.a
Target: [ ] Catalyst 26xx series, [ ] Catalyst 28xx series, [ ] Catalyst 29xx series, [ ] Catalyst 35xx series, [ ] Catalyst 36xx series, [ ] Catalyst 37xx series, [ ] Catalyst 39xx series, [ ] Catalyst 45xx series, [ ] Catalyst 65xx series, [ ] RM-100-24TX
Mapping: SAEP-99 5.1.6.1.a-f
Action: Enable secret password to protect access to privileged EXEC mode
State: Final    Version: 1.1    Created on: 12/12/2013
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: The password length and complexity shall respect the SAEP-99 requirements.
Dependencies: CIS-AP-11
Instruction:
1. Enter privileged EXEC mode (you will be prompted for the enable password):
router# enable
2. Enter configuration mode:
router# conf terminal
3. Issue the following command:
(config)# enable secret <ENABLE_SECRET>

<ENABLE_SECRET>: the password that protects access to privileged EXEC mode. "enable secret" stores a one-way hash of the password rather than the password itself, and it takes precedence over any "enable password" that is also configured; the older "enable password" form, which is stored reversibly, should be removed once the secret is set.


Domain: CISCO    Ref.: CIS-AP-07    BIT: 12.0.a
Target: [ ] Catalyst 26xx series, [ ] Catalyst 28xx series, [ ] Catalyst 29xx series, [ ] Catalyst 35xx series, [ ] Catalyst 36xx series, [ ] Catalyst 37xx series, [ ] Catalyst 39xx series, [ ] Catalyst 45xx series, [ ] Catalyst 65xx series, [ ] RM-100-24TX
Mapping: SAEP-99 5.1.6.1.a-f
Action: Enable encryption of passwords in device (Password Encryption Service)
State: Final    Version: 1.0    Created on: 12/12/2013
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: none
Dependencies: none
Instruction:
1. Enter privileged EXEC mode (you will be prompted for the enable password):
router# enable
2. Enter configuration mode:
router# conf terminal
3. Issue the following command:
(config)# service password-encryption

This service applies Cisco type-7 obfuscation to the clear-text passwords already in the configuration (line passwords, "username ... password", "enable password") and to any set later. Type 7 is reversible by anyone who obtains the configuration file, so it only protects against casual reading of the configuration on screen or in backups. It does not change "enable secret" or "username ... secret", which are stored as one-way hashes; those forms remain the correct way to store credentials on the device.


Domain: CISCO    Ref.: CIS-AP-08    BIT: 12.0.a, 12.0.c
Target: [ ] Catalyst 26xx series, [ ] Catalyst 28xx series, [ ] Catalyst 29xx series, [ ] Catalyst 35xx series, [ ] Catalyst 36xx series, [ ] Catalyst 37xx series, [ ] Catalyst 39xx series, [ ] Catalyst 45xx series, [ ] Catalyst 65xx series, [ ] RM-100-24TX
Mapping: SAEP-99 5.1.6.1.a-f
Action: Enable password with encryption on used management lines (Encrypted Line Passwords)
State: Final    Version: 1.0    Created on: 12/12/2013
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: The password length and complexity shall respect the SAEP-99 requirements.
Dependencies: CIS-AP-11
Instruction:
1. Enter privileged EXEC mode (you will be prompted for the enable password):
router# enable
2. Enter configuration mode:
router# conf terminal
3. Configure the console line to restrict unprivileged user access:
(config)# line con <line-number> <ending-line-number>
(config-line)# password <Password>
(config-line)# login
(config-line)# end

<line-number> <ending-line-number>: the line range; on a switch the console is a single line, "line con 0". Repeat the same three commands for the remote (vty) lines, since the action covers every management line in use.
<Password>: the password a user must supply before reaching user EXEC mode on that line. With "login" (rather than "login local") the line password alone grants access and is shared by everyone who uses the line; it is stored as a type-7 string once CIS-AP-07 is applied. Where per-user accounts exist, prefer "login local" as in CIS-AP-09.


Domain: CISCO    Ref.: CIS-AP-09    BIT: 12.0.a, 12.0.c
Target: [ ] Catalyst 26xx series, [ ] Catalyst 28xx series, [ ] Catalyst 29xx series, [ ] Catalyst 35xx series, [ ] Catalyst 36xx series, [ ] Catalyst 37xx series, [ ] Catalyst 39xx series, [ ] Catalyst 45xx series, [ ] Catalyst 65xx series, [ ] RM-100-24TX
Mapping: SAEP-99 5.1.6.1.a-f
Action: Set encryption for local users (Encrypted User Passwords)
State: Final    Version: 1.1    Created on: 12/12/2013
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: The password length and complexity shall respect the SAEP-99 requirements. Different logins and passwords should be issued if more than one administrator manages the device.
Dependencies: CIS-AP-11
Instruction:
1. Enter privileged EXEC mode (you will be prompted for the enable password):
router# enable
2. Enter configuration mode:
router# conf terminal
3. Issue the following command:
(config)# username <LOCAL_USERNAME> secret <LOCAL_PASSWORD>

<LOCAL_USERNAME>: the login for the local administrator.
<LOCAL_PASSWORD>: the password for the local administrator. The "secret" keyword stores a one-way hash of the password. The account is only consulted on lines configured with "login local" (steps 4 and 5 below) or through AAA.

Cisco 2960
1. Enter privileged EXEC mode (you will be prompted for the enable password):
router# enable
2. Enter configuration mode:
router# conf terminal
3. Issue the following command:
(config)# username <LOCAL_USERNAME> privilege <level> password <encryption-type> <LOCAL_PASSWORD>
4. Enter the access mode (console or remote):
(config)# line console 0
or
(config)# line vty 0 15
5. Enable local password checking:
(config-line)# login local

<LOCAL_USERNAME>: the login for the local administrator.
<LOCAL_PASSWORD>: the password for the local administrator.
<level> (optional): set to 1.
<encryption-type>: set to 0 to enter <LOCAL_PASSWORD> in clear text; CIS-AP-07 then rewrites it in the configuration as a type-7 string. Type 7 is only valid when the string that follows is already type-7 encoded (for example a value copied from another configuration); a clear-text password entered with type 7 is rejected by the device. Type 7 is reversible, so use the "secret" form above wherever the software accepts it.
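The "encryption" that CIS-AP-07 turns on and that the "password 7" form in CIS-AP-09 stores is Cisco type 7, and a practitioner should see how little it protects. The following is an added example written for this guide, not Cisco's code: it decodes and encodes type-7 strings using only the publicly documented scheme (a two-digit decimal seed followed by hex bytes, each XORed with a fixed key) and then sweeps a constructed sample configuration for such strings. The sample configuration, including its placeholder "enable secret" hash, is made up for the example; "094F471A1A0A" is the well-known type-7 encoding of "cisco".

```python
"""Type-7 reversal: why 'service password-encryption' (CIS-AP-07) and
'username ... password 7' (CIS-AP-09) only hide a password from a casual
reader. Illustrative code for this guide; not a Cisco tool."""
import re

# Fixed XOR key shared by every Cisco type-7 string (public knowledge).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Recover the clear-text password from a type-7 string."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type-7 string must be a 2-digit seed plus hex byte pairs")
    seed = int(encoded[:2])            # key position where the XOR stream starts
    data = bytes.fromhex(encoded[2:])  # one obfuscated byte per password character
    clear = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data))
    return clear.decode("ascii")


def encode_type7(clear: str, seed: int = 9) -> str:
    """Produce the string the switch would store for a clear-text password.
    The device chooses its own seed; any seed below len(_XLAT) decodes correctly."""
    if not 0 <= seed < len(_XLAT):
        raise ValueError("seed out of range")
    data = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)]
                 for i, c in enumerate(clear.encode("ascii")))
    return f"{seed:02d}{data.hex().upper()}"


# Matches 'password 7 <hex>' in line, username and enable-password statements.
_T7 = re.compile(r"\bpassword\s+7\s+([0-9A-Fa-f]{4,})\b")


def reveal_type7(config: str) -> list:
    """Return [(config line, clear-text password)] for every type-7 string in a
    saved 'show running-config'. This is exactly what an attacker does with a
    leaked config, which makes it a useful self-check before a config is shared."""
    found = []
    for line in config.splitlines():
        m = _T7.search(line)
        if m:
            found.append((line.strip(), decode_type7(m.group(1))))
    return found


# Constructed sample configuration (not from any real device; hash is a placeholder).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$salt$placeholderhash0000000000
username operator password 7 094F471A1A0A
line con 0
 password 7 094F471A1A0A
 login
"""
```

Run reveal_type7(SAMPLE_CONFIG) and both type-7 strings come back as "cisco" while the "enable secret" line is untouched: the hashed forms (CIS-AP-06 and the "secret" variant of CIS-AP-09) are what actually protect the credential, and type 7 should be treated as clear text when deciding who may read configuration backups.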


Domain: CISCO    Ref.: CIS-AP-10    BIT: 12.0.a, 12.0.c
Target: [ ] Catalyst 26xx series, [ ] Catalyst 28xx series, [ ] Catalyst 29xx series, [ ] Catalyst 35xx series, [ ] Catalyst 36xx series, [ ] Catalyst 37xx series, [ ] Catalyst 39xx series, [ ] Catalyst 45xx series, [ ] Catalyst 65xx series, [ ] RM-100-24TX
Mapping: SAEP-99 5.1.6.1.a-f
Action: Set a threshold of failed login attempts
State: Final    Version: 1.1    Created on: 12/12/2013
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: none
Dependencies: none
Instruction:
1. Enter privileged EXEC mode (you will be prompted for the enable password):
router# enable
2. Enter configuration mode:
router# conf terminal
3. Set 5 as the number of invalid logon attempts, as stated by the BIT:
(config)# security authentication failure rate 5 log

When the threshold is exceeded the device generates a syslog message (the "log" keyword) and enforces a 15-second delay before accepting further login attempts, which slows down password guessing without locking out the administrator.

Cisco 2960
Not supported


Domain: CISCO    Ref.: CIS-AP-11    BIT: 12.0.a
Target: [ ] Catalyst 26xx series, [ ] Catalyst 28xx series, [ ] Catalyst 29xx series, [ ] Catalyst 35xx series, [ ] Catalyst 36xx series, [ ] Catalyst 37xx series, [ ] Catalyst 39xx series, [ ] Catalyst 45xx series, [ ] Catalyst 65xx series, [ ] RM-100-24TX
Mapping: SAEP-99 5.1.6.1.a-f
Action: Set minimum password length
State: Final    Version: 1.1    Created on: 12/12/2013
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: none
Dependencies: none
Instruction:
1. Enter privileged EXEC mode (you will be prompted for the enable password):
router# enable
2. Enter configuration mode:
router# conf terminal
3. Set a 6-character minimum password length, as stated by the BIT:
(config)# security passwords min-length 6

We would recommend 8 characters. The minimum is enforced on user, enable and line passwords entered after the command; passwords already in the configuration are not re-checked, so set this control before CIS-AP-06, CIS-AP-08 and CIS-AP-09 (it is their dependency) or change existing passwords afterwards.

Cisco 2960
Not supported
Automated task: yes


Domain: CISCO    Ref.: CIS-AP-12    BIT: 8.6
Target: [ ] Catalyst 26xx series, [ ] Catalyst 28xx series, [ ] Catalyst 29xx series, [ ] Catalyst 35xx series, [ ] Catalyst 36xx series, [ ] Catalyst 37xx series, [ ] Catalyst 39xx series, [ ] Catalyst 45xx series, [ ] Catalyst 65xx series, [ ] RM-100-24TX
Mapping: SAEP-99 5.1.6.1.l
Action: Disable SNMP default Community Strings (private and public)
State: Final    Version: 1.0    Created on: 12/12/2013
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: none
Dependencies: none
Instruction:
1. Enter configuration mode:
router# conf terminal
2. Remove the "private" community:
(config)# no snmp-server community private
3. Remove the "public" community:
(config)# no snmp-server community public

Verify with "show running-config | include snmp-server community" that no default or unused community remains. Any community still needed for monitoring should be a non-default string, read-only, and restricted by an access list to the management station's address; "private" is particularly dangerous because it is conventionally read-write, which allows the configuration to be changed over SNMP.
Automated task: yes


7 Services and applications settings

Domain: CISCO    Ref.: CIS-SA-06    BIT: 8.5
Target: [ ] Catalyst 26xx series, [ ] Catalyst 28xx series, [ ] Catalyst 29xx series, [ ] Catalyst 35xx series, [ ] Catalyst 36xx series, [ ] Catalyst 37xx series, [ ] Catalyst 39xx series, [ ] Catalyst 45xx series, [ ] Catalyst 65xx series, [ ] RM-100-24TX
Mapping: SAEP-99 5.3.c, 5.4.2.m, 5.1.6.1.o
Action: Disable SNMP server
State: Final    Version: 1.0    Created on: 12/12/2013
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: none
Dependencies: none
Instruction:
1. Enter privileged EXEC mode (you will be prompted for the enable password):
router# enable
2. Enter configuration mode:
router# conf terminal
3. Disable the SNMP agent:
(config)# no snmp-server

This removes the SNMP agent and all of its community and host settings, which is the right choice where no management station polls the switch. Where SNMP monitoring is required, keep the agent and apply CIS-AP-12 instead.
Automated task: yes


8 Hardening controls

Domain: CISCO    Ref.: CIS-HC-21    BIT: 8.3
Target: [ ] Catalyst 26xx series, [ ] Catalyst 28xx series, [ ] Catalyst 29xx series, [ ] Catalyst 35xx series, [ ] Catalyst 36xx series, [ ] Catalyst 37xx series, [ ] Catalyst 39xx series, [ ] Catalyst 45xx series, [ ] Catalyst 65xx series, [ ] RM-100-24TX
Mapping: SAEP-99 n/a
Action: Configure the Host Name
State: Final    Version: 1.0    Created on: 12/12/2013
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: A naming convention procedure should exist. The router/switch name should reflect the device type and role.
Dependencies: none
Instruction:
1. Enter privileged EXEC mode (you will be prompted for the enable password):
router# enable
2. Enter configuration mode:
router# conf terminal
3. Issue the following command:
(config)# hostname <device_name>

Proposal
- Geo location: 3 characters referring to the city or plant (URT, ABQ, DHR ...)
- Admin Area: 3 characters indicating whether it is an oil or gas plant
- Device role: 2 or 3 characters indicating the device role
  o PLC, DCS ...
  o WRK stands for workstation
  o SRV stands for server
  o PRT stands for printer
  o FW for firewall, RTR for router, and so on
- Incremental ID: 3 digits
Ex: ABQ-RTR-005 means router number 5 in the Abqaiq plant; we can suppose there are also ABQ-RTR-001, ABQ-RTR-002, ABQ-RTR-003, etc.
Automated task: yes


9 Logs and Auditing

Domain: CISCO    Ref.: CIS-LA-01    BIT: 18.0.a
Target: [ ] Catalyst 26xx series, [ ] Catalyst 28xx series, [ ] Catalyst 29xx series, [ ] Catalyst 35xx series, [ ] Catalyst 36xx series, [ ] Catalyst 37xx series, [ ] Catalyst 39xx series, [ ] Catalyst 45xx series, [ ] Catalyst 65xx series, [ ] RM-100-24TX
Mapping: SAEP-99 5.5.1.d.iv
Action: Enable System Logging
State: Final    Version: 1.0    Created on: 12/12/2013
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: none
Dependencies: none
Instruction:
1. Enter privileged EXEC mode (you will be prompted for the enable password):
router# enable
2. Enter configuration mode:
router# conf terminal
3. Issue the following command:
(config)# logging on

"logging on" is the master switch for system message logging. It is enabled by default and therefore does not appear in the running configuration; it shows up only as "no logging on" when someone has turned it off, which is what an audit should look for. With it enabled, messages go to the console, the internal buffer (sized in CIS-LA-10) and any configured syslog host.
Automated task: yes


Domain: CISCO    Ref.: CIS-LA-02    BIT: 18.0.a
Target: [ ] Catalyst 26xx series, [ ] Catalyst 28xx series, [ ] Catalyst 29xx series, [ ] Catalyst 35xx series, [ ] Catalyst 36xx series, [ ] Catalyst 37xx series, [ ] Catalyst 39xx series, [ ] Catalyst 45xx series, [ ] Catalyst 65xx series, [ ] RM-100-24TX
Mapping: SAEP-99 5.5.1.d.iv
Action: Enable History Logging
State: Final    Version: 1.0    Created on: 12/12/2013
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: none
Dependencies: none
Instruction:
1. Enter privileged EXEC mode (you will be prompted for the enable password):
router# enable
2. Enter configuration mode:
router# conf terminal
3. Set the size of the command history buffer on each management line (the setting is saved in the configuration):
(config)# line vty 0 15
(config-line)# history size 256
(config-line)# end
Repeat for "line con 0".

The EXEC command "terminal history size 256" sets the same buffer for the current session only and is not saved. Note that the history buffer is a per-session aid for recalling commands; it is neither sent to syslog nor retained after logout, so it is not an audit trail. Command accounting for audit purposes requires AAA accounting to a server.
Automated task: yes


Domain: CISCO    Ref.: CIS-LA-10    BIT: 18.0.a
Target: [ ] Catalyst 26xx series, [ ] Catalyst 28xx series, [ ] Catalyst 29xx series, [ ] Catalyst 35xx series, [ ] Catalyst 36xx series, [ ] Catalyst 37xx series, [ ] Catalyst 39xx series, [ ] Catalyst 45xx series, [ ] Catalyst 65xx series, [ ] RM-100-24TX
Mapping: SAEP-99 5.5.1.d.iv
Action: Set maximum size for logs
State: Final    Version: 1.1    Created on: 12/12/2013
RACI Matrix: R C / A I    Priority: HIGH
Pre requisite: none
Dependencies: CIS-LA-01
Instruction:
1. Enter privileged EXEC mode (you will be prompted for the enable password):
router# enable
2. Enter configuration mode:
router# conf terminal
3. Issue the following command:
(config)# logging size 1000

Cisco 2960
1. Enter privileged EXEC mode (you will be prompted for the enable password):
router# enable
2. Enter configuration mode:
router# conf terminal
3. Issue the following command:
(config)# logging buffered 10000

10000 is the size of the logging buffer in bytes, roughly double the default. Do not increase it much further: the buffer is held in the switch's memory and an oversized buffer can affect performance. The buffer is circular and is lost on reload, so it supplements rather than replaces a syslog server.
Automated task: yes
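The scope section says compliance with these controls is assessed by audit, and most of the controls in sections 6 to 9 can be checked offline from a saved "show running-config". The following is an added example written for this guide, not an Aramco or Cisco tool: it parses a running-config text and reports pass/fail for CIS-AP-06 through CIS-AP-12, CIS-SA-06, CIS-HC-21, CIS-LA-01 and CIS-LA-10. The control identifiers are the guide's; the parsing rules, the hostname pattern (three-letter site, optional three-letter admin area, two- or three-letter role, three-digit ID, as read from the CIS-HC-21 proposal), the treatment of "aaa new-model", and both sample configurations are assumptions made for the example. The hash values in the samples are placeholders, not real hashes.

```python
"""Offline compliance check for the section 6 to 9 controls against a saved
'show running-config'. Illustrative code for this guide; control ids are the
guide's, parsing rules and samples are assumptions made for the example."""
import re

# Assumed reading of the CIS-HC-21 proposal: SITE[-AREA]-ROLE-NNN.
HOSTNAME_RE = re.compile(r"^[A-Z]{3}(?:-[A-Z]{3})?-[A-Z]{2,3}-\d{3}$")
DEFAULT_COMMUNITIES = {"public", "private"}


def _first(top, pattern):
    """First global command matching the regex (anchored at line start), or None."""
    for cmd in top:
        m = re.match(pattern, cmd)
        if m:
            return m
    return None


def _line_blocks(lines):
    """Yield (line-name, [sub-commands]) for each 'line con|vty ...' block.
    IOS indents sub-commands by one space; any unindented line ends a block."""
    name, subs = None, []
    for ln in lines:
        if ln.startswith(" ") and name is not None:
            subs.append(ln.strip())
            continue
        if name is not None:
            yield name, subs
            name, subs = None, []
        if ln.startswith("line "):
            name = ln[5:].strip()
    if name is not None:
        yield name, subs


def audit_config(config: str) -> dict:
    """Map each control id to (passed, detail) for one running-config text."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip() and not l.startswith("!")]
    top = [l for l in lines if not l.startswith(" ")]
    res = {}
    # CIS-AP-06: privileged EXEC guarded by a hashed secret, not 'enable password'.
    res["CIS-AP-06"] = (_first(top, r"enable secret ") is not None, "enable secret present")
    # CIS-AP-07: type-7 obfuscation of remaining clear-text passwords is on.
    res["CIS-AP-07"] = (_first(top, r"service password-encryption$") is not None, "service password-encryption")
    # CIS-AP-08: every console/vty line demands a password or local login.
    # Assumption: with 'aaa new-model' the lines are governed by AAA instead.
    bad = []
    if _first(top, r"aaa new-model$") is None:
        for name, subs in _line_blocks(lines):
            if name.split()[0] not in ("con", "vty"):
                continue
            has_pw = any(s.startswith("password ") for s in subs)
            if not ("login local" in subs or ("login" in subs and has_pw)):
                bad.append(name)
    res["CIS-AP-08"] = (not bad, "unprotected lines: " + ", ".join(bad) if bad else "all lines require login")
    # CIS-AP-09: local accounts must use 'secret' (one-way hash), not 'password'.
    weak = [l.split()[1] for l in top if re.match(r"username \S+ .*\bpassword\b", l)]
    res["CIS-AP-09"] = (not weak, "users with reversible passwords: " + ", ".join(weak) if weak else "all users use secret")
    # CIS-AP-10: failed-login threshold of at most 5 attempts.
    m = _first(top, r"security authentication failure rate (\d+)")
    res["CIS-AP-10"] = (m is not None and int(m.group(1)) <= 5, f"threshold {m.group(1)}" if m else "no failure-rate threshold")
    # CIS-AP-11: minimum password length (6 required by the BIT, 8 recommended).
    m = _first(top, r"security passwords min-length (\d+)")
    n = int(m.group(1)) if m else 0
    res["CIS-AP-11"] = (n >= 6, f"min-length {n}" + ("" if n >= 8 else " (8 recommended)"))
    # CIS-AP-12 / CIS-SA-06: no default communities; ideally no SNMP agent at all.
    comms = [l.split()[2] for l in top if l.startswith("snmp-server community ")]
    res["CIS-AP-12"] = (not (set(comms) & DEFAULT_COMMUNITIES), f"communities: {comms}")
    snmp_on = _first(top, r"snmp-server ") is not None
    res["CIS-SA-06"] = (not snmp_on, "SNMP agent " + ("enabled" if snmp_on else "disabled"))
    # CIS-HC-21: hostname follows the naming convention.
    m = _first(top, r"hostname (\S+)")
    res["CIS-HC-21"] = (bool(m and HOSTNAME_RE.match(m.group(1))), m.group(1) if m else "no hostname")
    # CIS-LA-01 / CIS-LA-10: 'logging on' is the default and only appears when
    # negated; the local buffer must be explicitly sized.
    res["CIS-LA-01"] = (_first(top, r"no logging on$") is None, "logging on")
    m = _first(top, r"logging buffered (\d+)")
    res["CIS-LA-10"] = (m is not None, f"buffer {m.group(1)} bytes" if m else "no logging buffered size")
    return res


def failed(config: str) -> list:
    """Ids of the controls that did not pass, in the guide's order."""
    return [cid for cid, (ok, _) in audit_config(config).items() if not ok]


# Constructed samples (not taken from any real device; hashes are placeholders).
NONCOMPLIANT_SAMPLE = """\
hostname Switch
enable password cisco
username admin password 0 admin
snmp-server community public RO
snmp-server community private RW
line con 0
line vty 0 15
 password 7 094F471A1A0A
"""

COMPLIANT_SAMPLE = """\
hostname ABQ-SW-001
service password-encryption
security passwords min-length 8
security authentication failure rate 5 log
enable secret 5 $1$salt$placeholderhash0000000000
username pan-admin secret 5 $1$salt$placeholderhash0000000000
logging buffered 10000
line con 0
 password 7 094F471A1A0A
 login
line vty 0 15
 login local
"""
```

Feed the checker the output of "show running-config" saved from each switch (for example, audit_config(open("ABQ-SW-001.cfg").read())); the noncompliant sample fails everything except CIS-LA-01, which passes only because nothing has negated the default. The checker reads configuration, not behaviour: CIS-LA-02 (a per-line history buffer) and the 2960-specific "Not supported" cases still need to be confirmed on the device itself.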

Revision Summary
3 May 2015 New Saudi Aramco Best Practice.
