
RUWAIS LNG PROJECT

Cybersecurity Requirements for Vendors

COMPANY DOCUMENT REF. CONTRACTOR DOC. REF.

RLNG-000-PM-SP-0001 215122C-000-JSM-0001

REVISION: 1

PAGE 1 OF 51

ADNOC GAS

Cybersecurity Requirements for Vendors

COMPANY Contract No.: CON22-146 / 4700022871

JV TJN RUWAIS Contract No.: 215122C

Document Class: Class 2

Document Category (for Class 1): N/A

OPERATING CENTER Contract No.

OPERATING CENTER Doc Ref.

1

0

IFC - Issued for Construction

28-Jan-2025

S. Shawcross A. De-Vandiere,

ICR - Issued for Client Review

13-Aug-2024

S. Duboz

T. Sakamoto, M. Vallivel

S. Deilles, M. Kobayashi, M. Vallivel

S. Deilles K. Fujii

K. Fujii

Rev.

Revision Purpose

Date

Prepared by

Checked by Approved by

The terms of Contract / Agreement No: CON22-146 shall apply for any disclosure of this document to any third party.


Table of Contents

1.0 INTRODUCTION
  1.1 Scope of the Document
    1.1.1 Organizations
    1.1.2 Project Phases
    1.1.3 Type of Systems
    1.1.4 In Scope Equipment
  1.2 Holds List
  1.3 References
    1.3.1 COMPANY Reference documents
    1.3.2 CONTRACTOR Reference documents
    1.3.3 International Standards
    1.3.4 National Standards
  1.4 Definitions and Abbreviations
    1.4.1 Requirements qualifiers
    1.4.2 Project terms
    1.4.3 Common Terms
    1.4.4 Abbreviations
  1.5 Document Governance
    1.5.1 Audience
    1.5.2 Approval
    1.5.3 Maintenance and Enforcement
    1.5.4 Project roles and responsibilities
2.0 System Classification Principles
3.0 Requirements
  3.1 Technical Requirements
    3.1.1 Identification and authentication control (IAC)
    3.1.2 Use control (UC)
    3.1.3 System Integrity (SI)
    3.1.4 Data confidentiality (DC)
    3.1.5 Restricted data flow (RDF)
    3.1.6 Timely response to event (TRE)
    3.1.7 Resource Availability (RA)
    3.1.8 Standalone Systems
    3.1.9 Mobile Devices


  3.2 Organizational Requirements
    3.2.1 Staffing
    3.2.2 Assurance
    3.2.3 Solution Hardening
    3.2.4 Configuration management
    3.2.5 Event management
    3.2.6 Patch Management
    3.2.7 Backup and Restore
    3.2.8 Asset inventory
4.0 Deliverables
  4.1 Design Deliverables
  4.2 Assurance Deliverables
  4.3 Maintenance and Handover Deliverables
5.0 Non-compliance Management Process
  5.1 Non-Compliance Detection
  5.2 Non-Compliance Response
    Foundational Requirements
  5.3 Security Program Requirements
6.0 Appendices
  6.1 Appendix 1 – Preferred Technology Manufacturers
    Hardware
    Software
  6.2 Appendix 2: Plant Reference Architecture


Table of Changes compared to previous revision (for Procedures and Job Specifications only)

Modification description: Incorporation of CPY Comments on revision 0

Remarks / Origin: RLNG-000-PM-SP-0001_0_CRS_Code 2

Paragraphs:
1.1.2 Project Phases
1.1.4 In Scope Equipment
1.2.3 International Standards
1.2.4 National Standards
1.3.3 Common Terms
1.3.4 Abbreviations
2.0 SYSTEM CLASSIFICATION PRINCIPLES
3.0 REQUIREMENTS
3.1 Technical Requirements
3.1.2 Use control (UC)
3.1.3 System Integrity (SI)
3.1.5 Restricted data flow (RDF)
3.1.6 Timely response to event (TRE)
3.1.7 Resource Availability (RA)
3.1.8 Standalone Systems
3.2.2 Assurance
3.2.3 Solution Hardening
3.2.6.2 Firewall Patch Management
4.1 Design Deliverables
6.2 Appendix 2: Plant Reference Architecture


1.0 INTRODUCTION

The ADNOC Ruwais LNG Project is a two-train, near net-zero, electrically driven LNG facility targeting international markets. The feed gas for the project is supplied from the Habshan Gas Processing Plant via a new export gas pipeline. The plant will have two 4.8 MTPA (nominal capacity) electrically driven LNG Trains with associated LNG storage/marine export facilities and utilities.

Figure 1 – Project Context

The ADNOC Ruwais LNG Project foresees the following main components at the facility:

• Onshore LNG Liquefaction facilities for 2 x 4.8 MTPA electrically driven LNG Trains (9.6 MTPA total)
• Common facilities including inlet receiving facilities, LNG storage, BOG handling, flare, refrigerant storage and support buildings.
• Utilities to support the facilities including import power from the national grid.
• Marine facilities for LNG export and bunkering.

1.1 Scope of the Document

The purpose of this document is to define the cybersecurity POLICY applicable to VENDORs that are involved in the PROCESS CONTROL DOMAIN of the PLANT in the context of the PROJECT.

This is to ensure effective controls that preserve the Confidentiality, Integrity and Availability of information and systems included in the PLANT’s PROCESS CONTROL DOMAIN.

This document is intended as a set of rules and practices that control the cybersecurity performance of systems and activities delivered by VENDORs throughout the project lifecycle. It covers VENDOR’s activities from design until final delivery, including testing, maintenance and changes.

VENDOR’s commitment to the POLICY is a mandatory requirement that comes before any other technical and commercial requirement.

1.1.1 Organizations

The POLICY is applicable to all VENDORs that are involved at any time during the PROJECT lifecycle.

Moreover, the POLICY also applies to COMPANY or CONTRACTOR whenever it is involved in direct supplies of material and/or services for the OT DOMAIN LAYER of the PLANT in the context of the PROJECT.


1.1.2 Project Phases

From the VENDOR’s point of view, the PROJECT lifecycle starts at requisitioning, when a proposal for a new solution or for a change is requested, and proceeds through multiple phases until final handover to CONTRACTOR and, in turn, to COMPANY.

Typical project phases, in chronological order, are:

  1. Requisitioning

  2. Procurement

  3. Detailed Design

  4. Development

  5. FAT

  6. IFAT

  7. Installation at SITE

  8. SAT

  9. ISAT

  10. Handover

  11. Maintenance

Table 1 - Typical Project Lifecycle and Project Phases

The POLICY applies to all PROJECT phases mentioned above.

1.1.3 Type of Systems

The POLICY applies to all industrial systems belonging to [ODL] of the PLANT. The scope includes systems from Level 1 up to Level 3.5.

With reference to package types, the scope is specified as follows:

Package Type | In Scope
Category type A | Yes
Category type B | Yes
Category type C | Yes

1.1.4 In Scope Equipment

The specification shall apply to all Operational Technology (OT) systems, which shall include but not be limited to:

• Integrated Control & Safety Systems (ICSS) comprising of Safety Instrumented System (SIS), Fire & Gas (F&G) System; Distributed Control System (DCS) and ICSS subsystems; Instrument Asset Management System; Alarm Management System; Data historian; Workstation; IT Router/Firewall; Network; Printer; office workstation; OT Domain Server; SFTP Server/ Backup; IDS Server; AV/Patch Server; OPC Client; Historian PI Mirror; OT Core Switch; Packaged Vendor; OPC Server; Historian PI Server; PCN Firewall; EWS Server; Safety Controller; Sensor; Actuator; Condition and Machine Monitoring System; Operator Training System.
• Third Party Systems, Packages and interfaces that are stand alone or have interfaces to other OT Systems, including Condition and Machine Monitoring Systems, Operator Training System, etc.
• Any other Industrial Automation & Control System (IACS), related subsystems and IP enabled instruments defined by the project.
• For MODBUS traffic exiting the DCS system, a host firewall will be employed. This means that communication will occur via MODBUS between firewalls.


• Telecommunication systems

The term System shall include:

• The PLCs, controllers and IEDs used for monitoring and controlling;
• The computer-based systems that analyze and store data, such as servers, desktops, workstations and laptops;
• The network devices that interconnect the various computer systems, such as switches, routers and wireless devices;
• The security devices that protect the OT network, such as firewalls and data diodes.

The specification is intended for use for both new projects and amendments to existing installations. The specification shall apply to both offshore and onshore installations.

1.2 Holds List

HOLD | DESCRIPTION
1 |
2 |

1.3 References

1.3.1 COMPANY Reference documents

Ref. ID | Code | Title
DC-01 | AGES-SP-04-013 | OT Cybersecurity Specifications
DC-02 | AGES-SP-12-003 | Wireless Infrastructure and Communication System Specification
DC-03 | AGES-SP-12-004 | Field Telecommunication Network Specification
DC-04 | AGES-SP-12-012 | Telecommunication Transport Network Specification

Table 2 - COMPANY’s Reference Documents


1.3.2 CONTRACTOR Reference documents

Ref. ID | Code | Rev. | Title
DT-01 |  | 0 | Plant Information Security Assurance Plan
DT-02 | RLNG-000-PM-PP-1102 | 1B | Document Identification and Numbering Procedure

Table 3 - CONTRACTOR’s Reference Documents

1.3.3 International Standards

Ref. ID | Code | Rev. | Title
DI-01 | IEC/TS 62443-1-1 |  | Industrial communication networks – Network and systems security. Part 1-1: Terminology, concepts, and models
DI-02 | IEC 62443-2-1 |  | Industrial communication networks – Network and systems security. Part 2-1: Establishing an industrial automation and control system security program
DI-03 | IEC 62443-2-3 |  | Industrial communication networks – Network and systems security. Part 2-3: Patch management in the IACS environment
DI-04 | IEC 62443-2-4 | 1.1 | Security for industrial automation and control systems – Part 2-4: Security program requirements for IACS service providers
DI-05 | IEC/TR 62443-3-1 |  | Industrial communication networks – Network and systems security. Part 3-1: Security technologies for industrial automation and control systems
DI-06 | IEC 62443-3-2 |  | Security for industrial automation and control systems – Part 3-2: Security risk assessment for system design
DI-07 | IEC 62443-3-3 |  | Industrial communication networks – Network and systems security. System security requirements and security levels
DI-08 | IEC 62443-4-2 |  | Security for Industry Automation and Control systems - Part 4-2 Technical security requirements for IACS components
DI-09 | ISA TR84.00.09 |  | Cybersecurity related to the functional safety lifecycle
DI-10 | NIST SP 800-82 | R3 | Guide to Industrial Control System (ICS) Security
DI-11 | NIST FIPS 197 |  | Advanced Encryption Standard

Table 4 – International Standards

1.3.4 National Standards

Ref. ID | Code | Rev. | Title
DI-12 | UAE IAS |  | UAE IAS
DI-13 | UAE NESA |  | National Electronic Security Authority

Table 5 – National Standards


1.4 Definitions and Abbreviations

1.4.1 Requirements qualifiers

May: Indicates a possible course of action.

Shall: Indicates a requirement. Any deviation shall be processed applying the non-compliances process specified in this document.

Should: Indicates a recommendation.

1.4.2 Project terms

COMPANY: Refers to ADNOC, ADNOC Group or an ADNOC Group Company, and includes any agent or consultant authorized to act for, and on behalf of the COMPANY

CONTRACTOR: Refers to the parties that carry out all or part of the design, engineering, procurement, construction, commissioning or management for ADNOC projects. CONTRACTOR includes its approved MANUFACTURER(s), SUPPLIER(s), SUB-SUPPLIER(s), and SUB-CONTRACTOR(s).

IT DOMAIN LAYER: It belongs to the COMPANY information system and encompasses all Information Technology resources, such as systems and networks, that are needed to support the office operations. This layer may interface via secure gateways externally with the Internet and internally with the OT DOMAIN LAYER.

OT SECURITY LAYER: It is an independent layer separating the IT DOMAIN LAYER from the OT DOMAIN LAYER. It provides OT DOMAIN LAYER with maintenance cybersecurity services and secure connectivity between systems in the IT DOMAIN LAYER and the OT DOMAIN LAYER. It offers ways to enhance the protection of the endpoints in OT DOMAIN LAYER, such as anti-malware, patch management, secure files transfer, and ways to ensure remote maintenance is safe.

OT DOMAIN LAYER: It belongs to the COMPANY information system and encompasses all information technology resources, such as systems and networks, that are needed to support the office operations. This layer may interface via secure gateways externally with Internet and internally with the OT DOMAIN LAYER.

POLICY: The ensemble of requirements specified in this document and in any other COMPANY reference, when applicable to VENDOR. In case of conflict of interpretation, COMPANY documents prevail.


PLANT: Ruwais Industrial City, UAE

PROJECT: Ruwais LNG Project

SITE: Ruwais Industrial City, UAE

SUBCONTRACTOR: CONTRACTOR could delegate some activity to SUBCONTRACTOR, keeping the overall responsibility.

SUPPLIER: Synonym of VENDOR.

SYSTEM: The system supplied by the VENDOR in the frame of the PROJECT for the OT DOMAIN LAYER of the PLANT, which this POLICY applies to.

VENDOR: Party that oversees supplying material and/or services whose supply is regulated by a contract signed along with CONTRACTOR or COMPANY directly. Scope of supply of this party might include, but it is not limited to, supplying of software licenses, supplying of hardware, detailed functional design, customization, configuration, services and assistance, installation and testing of the systems.

1.4.3 Common Terms

High-Level Risk Assessment: The HLRA starts with an overarching view of potential impacts on the business, evaluating the consequences of cyber threats on critical organizational assets and functions. This step sets strategic priorities for cybersecurity efforts, by identifying the SL-T for the SYSTEM.

Level 0: With reference to the Purdue Model referenced in the IEC 62443-3-3 standard, the Level 0 (Process Field Instrumentation) encompasses all sensors and actuators. It does not include any PE device. (See 6.2).

Level 1: With reference to the Purdue Model referenced in the IEC 62443-3-3 standard, Level 1 (Process Control) encompasses all process control devices and any other PE device without user interface, which belongs conceptually to the upper Level of the model. (See 6.2).

Level 2: With reference to the Purdue Model referenced in the IEC 62443-3-3 standard, Level 2 (Supervisory Control) encompasses all user interfaces meant for process supervision. This layer includes but is not limited to HMI, operator consoles, and control panels. (See 6.2).

Level 3: With reference to the Purdue Model referenced in the IEC 62443-3-3 standard, the Level 3 (Operation Systems) encompasses all manufacturing services, such as production scheduling, process laboratory management and project historian. (See 6.2).


Level 3.5: With reference to the IEC 62443 standard, Level 3.5 (DMZ) of the Purdue Model encompasses security services designed to protect the OT layer, including anti-virus, patch management, SAN and tape backup solutions, centralized access management, NTP, network monitoring, firewalls, data diode solutions, SIEM, and vulnerability management; no remote access is required. (See 6.2)

Level 4: With reference to the Purdue Model referenced in the IEC 62443 standard, the Level 4 (Office Domain) and layers above encompass all Information Technology resources, such as systems and networks, that are needed to support the office operations.

Low-Level Risk Assessment: Following the HLRA, the LLRA delves into the specific vulnerabilities and threats, assessing the security of individual system components and the potential methods of attack. This detailed analysis supports the development of targeted security measures and controls.

Integrated Control and Safety System: The main process control automation system supplied in the frame of the PROJECT for the PLANT. It is supplied by the ICSS Vendor (also known as Main Automation Contractor) which is commissioned by the CONTRACTOR.

Information Technology: Information Technology (IT) refers to the use of systems, network, and data to manage and process information. IT primarily focuses on data storage, retrieval, transmission, and protection, serving the needs of business operations such as communication, office productivity, and database management.

Main Automation Contractor: The vendor commissioned to supply at least the ICSS.

Maximum Tolerable Downtime: Maximum Tolerable Downtime (MTD) represents the total amount of downtime that can occur without causing significant harm to the organization’s mission.

Operational Technology: Operational Technology (OT) involves the use of hardware and software to monitor and control physical devices and processes. OT is typically used in industrial environments to manage and operate physical equipment, factories, plants, and infrastructure, ensuring direct control and functionality of these physical systems.

Programmable Electronic: It is defined as an item based on computer technology which may be comprised of hardware, software, and of input and/or output units. This term covers micro-electronic devices based on one or more Central Processing Units (CPU) together with associated memories. Examples of process sector PE include:
• Smart sensors and final elements
• Programmable electronic logic solvers including:
  o Programmable controllers.
  o Programmable logic controllers.
  o Loop controllers.


Category type A Package: Package fully integrated into ICSS for Control and Monitoring, no ICSS equipment within SUPPLIER’s cabinets.

Category type B Package: Package fully integrated into ICSS for Control and Monitoring, ICSS nodes in SCPs located in remote IES.

Category type C Package: Complex package with PLC control within SUPPLIER UCPs located in remote IES.

Recovery Point Objective: Recovery Point Objective (RPO) is about data loss tolerance. RPO specifies the maximum targeted period in which data can be lost without severely impacting the recovery of operations.

Recovery Time Objective: Recovery time objective (RTO) is about restoration goals. RTO specifies the planned recovery time for a process or system which should occur before reaching the business process’s maximum tolerable downtime.

Safety Critical Element: Any component, part of a structure, equipment, or computer program, whose failure could cause or significantly contribute to a major accident. Alternatively, its purpose might be to prevent or mitigate the effects of such an accident. Examples of SCE:
• Fire and Gas Detection Systems.
• Emergency Shut-Down Systems.
• Evacuation Measures.

SL 1: Security Level 1. Systems classified SL 1 require protection against casual or coincidental violation.

SL 2: Security Level 2. Systems classified SL 2 require protection against intentional violation using simple means with low resources, generic skills, and low motivation.

SL 3: Security Level 3. Systems classified SL 3 require protection against intentional violation using sophisticated means with moderate resources, industrial system specific skills and moderate motivation.

SL 4: Security Level 4. Systems classified SL 4 require protection against intentional violation using sophisticated means with extended resources, industrial system specific skills and high motivation.

1.4.4 Abbreviations

AAA | Authentication, Authorization and Accounting
ACL | Access Control List
AD | Active Directory
ADOC | Abu Dhabi Operating center - National Petroleum Construction Company
AES | Advanced Encryption Standard
AV | Anti-Virus
AWL | Application Whitelisting
BIOS | Basic Input/Output System


BMR | Bare Metal Recovery
CD | Compact Disk
CCTV | Closed Circuit Television
COMPANY | ABU DHABI NATIONAL OIL COMPANY (ADNOC) P.J.S.C.
CONTRACTOR | TJN Ruwais, Joint Venture of Technip Energies France-Abu Dhabi, JGC Corporation and National Petroleum Construction Company (NPCC)
DC-(NN) | COMPANY document reference
DCOM | Distributed Component Object Model
DCS | Distributed Control System
DI-(NN) | International Standard document reference
DMZ | Demilitarized Zone
DN-(NN) | National Standard document reference
DNP3 | Distributed Network Protocol 3
DNS | Domain Name System
DOS | Denial Of Service
DT-(NN) | CONTRACTOR document reference
EPC | Engineering Procurement Construction
EPO | ePolicy Orchestrator
EWS | Engineering Workstation
FAT | Factory Acceptance Test
FEED | Front End Engineering Design
HIPS | Host Intrusion Prevention System
HLRA | High-Level Risk Assessment
HMI | Human Machine Interface
ICSS | Integrated Control and Safety System
IDS | Intrusion Detection System
IFAT | Integrated Factory Acceptance Test
IP | Internet Protocol
IPS | Intrusion Prevention System
ISAT | Integrated Site Acceptance Test
IT | Information Technology
LLRA | Low-Level Risk Assessment
LNTP | Limited Notice To Proceed
MAC | Main Automation Contractor
MOS | Microsoft Office Specialist
MTD | Maximum Tolerable Downtime
NAS | Network Attached Storage
NIC | Network Interface Card
NTP | Network Time Protocol
OEM | Original Equipment Manufacturer
ODL | OT Domain Layer
OPC | Open Platform Communications


OS | Operating System
OT | Operational Technology
PCN | Process Control Network
PE | Programmable Electronic
PKI | Public Key Infrastructure
PLC | Programmable Logic Controller
POC | Paris Operating Center - Technip Energies
RDP | Remote Desktop Protocol
RPO | Recovery Point Objective
RTO | Recovery Time Objective
SAT | Site Acceptance Test
SAN | Storage Area Network
SCE | Safety Critical Element
SIEM | Security Information and Event Management
SIS | Safety Instrumented System
SL | Security Level
SL-C | Security Level Capability
SL-T | Security Level Target
SNMP | Simple Network Management Protocol
SP | Security Program
SQL | Structured Query Language
SSH | Secure Shell
TCP | Transport Control Protocol
UCP | Unit Control Panel
UDP | User Datagram Protocol
USB | Universal Serial Bus
VLAN | Virtual Local Area Network
VM | Virtual Machine
VPN | Virtual Private Network
WEF | Windows Event Forwarding
WRT | With Reference To
YOC | Yokohama Operating center - JGC Corporation

1.5 Document Governance

1.5.1 Audience

This document is addressed to the following PROJECT’s roles and entities:

Addressed Entities | Purpose
VENDOR | The POLICY shall be shared with every VENDOR’s team member, starting from the very beginning of its involvement in the PROJECT. It shall be considered in every requisitioning process for the PROJECT.


Addressed Entities | Purpose
CONTRACTOR’s Disciplines | Sharing the POLICY within CONTRACTOR organizations involved in the PROJECT is a key action to keep under control the cybersecurity performance delivered by VENDORs and identify the cyber-security risks in advance.
COMPANY | Sharing the POLICY within COMPANY members involved in the PROJECT is a key action to keep under control the cybersecurity performance delivered by VENDORs and identify the cyber-security risks in advance.

Table 6 – POLICY’s Audience

Unless otherwise authorized by CONTRACTOR, the distribution of this document is restricted to COMPANY and authorized VENDORs.

Any authorized access to this document does implies authorization to any documents, data, or information to which this document may refer.

1.5.2 Approval

This PROJECT document requires issuance approval from the Engineering Manager. Moreover, to be effective, it requires formal approval from COMPANY.

1.5.3 Maintenance and Enforcement

The following roles are assigned to address POLICY governance.

Governance Role | CONTRACTOR’s Roles
POLICY Owner | T.EN’s Head of OT-SOC
POLICY Custodian | Information Security Project Manager assigned to the PROJECT
POLICY Enforcement | Information Security Project Manager supported by OT Cybersecurity Engineers assigned to the PROJECT actively enforce the POLICY by means of awareness and induction sessions throughout the PROJECT lifecycle. Other PROJECT stakeholders, such as VENDOR’s members, are authorized to enforce the POLICY to the extent of their involvement.

Table 7 – POLICY’s Governance Roles

1.5.4 Project roles and responsibilities

A list of roles and responsibilities is available in DT-01.


2.0 SYSTEM CLASSIFICATION PRINCIPLES

Every system belonging to ODL shall comply with the minimum set of requirements specified by the international standards listed in (1.3.3). However, further requirements from these standards could be applicable depending on the SL-T identified for each system’s device.

According to this principle, the PROJECT requires an HLRA session to be performed for every system in an initial phase. This session decides the SL-T for each device in a system. However, the VENDOR should know the main principles that decide the system classification, in order to make a preliminary estimation of the SL-T for the SYSTEM with some confidence.

For this purpose, the following table gives an indicative classification of the most typical types of systems belonging to ODL.

The following table is a first-approach indication only and should not be considered final. Security Levels will be adjusted with the High Level Risk Assessment.

System Type | Indicative Minimum SL-T
ICSS / SIS excluded | SL 2
SIS | SL 3
Any system embedding some SCE | SL 3
Monitoring systems | SL 1
Fire & Gas (F&G) System; Distributed Control System (DCS) and ICSS subsystems; Include Instrument Asset Management System; Alarm Management System; Workstation; IT Router/Firewall; Network; Printer; office workstation; OT Domain Server; SFTP Server/ Backup; IDS Server; AV/Patch Server; OPC Client; Historian PI Mirror; OT Core Switch; Packaged Vendor; OPC Server; Historian PI Server; PCN Firewall; EWS Server; Safety Controller; Sensor; Actuator | SL 2

Table 8 - Preliminary system classification by type


3.0 REQUIREMENTS

A secure system, in terms of industrial cybersecurity, is one designed using components that comply with the foundational requirements defined in [DI-06] and configured to comply with the security program requirements specified in [DI-04].

Not all requirements specified are applicable to every system. The applicable requirements depend on the SL-T identified by the High-Level Risk Assessment. The list of applicable requirements per system will be issued in later releases.

Physical security measures, such as housing OT equipment (switches, servers, firewalls) in secure cabinets or dedicated equipment rooms, are essential. Additionally, CCTV surveillance and access control systems should be implemented in sensitive and data processing areas.

The following requirements shall be satisfied by any integration and maintenance VENDOR involved in the PROJECT.

3.1 Technical Requirements

3.1.1 Identification and authentication control (IAC)

Standard Requirements

With reference to [DI-06], the following table specifies the applicability plan as a function of the target security level (SL-T) of the SYSTEM or any of its components.

Req. ID | Topic | Subtopic | SL-T in Scope
SR 1.1 | Human user identification and authentication | Capability to identify and authenticate all human users | 1
SR 1.1 RE 1 | Unique identification and authentication | Capability to identify and authenticate uniquely all human users | 2
SR 1.1 RE 2 | Multifactor authentication for all interfaces | Capability to employ multi-factor authentication for all human users | 3
SR 1.2 | Software process and device identification and authentication | Capability of a system to identify and authenticate all on all interfaces. | 2
SR 1.2 RE 1 | Unique identification and authentication | Capability of a system to uniquely identify and authenticate all on all interfaces. | 3
SR 1.3 | Account management | System shall support account management | 1
SR 1.3 RE 1 | Unified account management | System shall support unified account management | 3

The terms of Contract / Agreement No: CON22-146 shall apply for any disclosure of this document to any third party.

RUWAIS LNG PROJECT

Cybersecurity Requirements for Vendors

COMPANY DOCUMENT REF. CONTRACTOR DOC. REF.

RLNG-000-PM-SP-0001 215122C-000-JSM-0001

REVISION: 1

PAGE 18 OF 51

Req. ID

Topic

Subtopic

SL-T in Scope

SR 1.4

Identifier management

SR 1.5

Authenticator management

The system shall support identity management

Support for initial authenticators, change of default authenticators, periodic authenticator refresh and authenticator protection from unauthorized disclosure

SR 1.5 RE 1

Hardware security for software process identity credentials

Protection of authenticators by hardware measures

SR 1.7

Strength of password-based authentication

SR 1.7 RE 1

Password generation and lifetime restrictions for human users

Enforce configurable password

Prevent reusing a password

SR 1.8

SR 1.9

Public key infrastructure (PKI) certificates

Integrate into a public key infrastructure

Strength of public key authentication

Validate certificates

SR 1.9 RE 1

Hardware security for public key based authentication

Hardware protection mechanism for private keys

SR 1.10

Authenticator feedback

SR 1.11

Unsuccessful login attempts

SR 1.12

System use notification

SR 1.13

Access via untrusted networks

Obscure feedback during authentication process

Enforce a limit of consecutive invalid access attempts, deny access for a specific time period

Display a configurable system message on HMIs

Monitor and control all methods of access via untrusted networks

1.13

SR RE 1

Explicit access request approval

Deny access requests via untrusted networks unless explicitly approved

1

1

3

1

3

2

2

3

1

1

1

1

3

Table 9 - FR 1 - Identification and Authentication Control

Additional Requirements

• SR.01-PS-01 Windows systems shall integrate with an Active Directory / Domain Controller infrastructure centralizing and enforcing policies.


• SR.01-PS-02 Systems shall follow the required configuration of Group policies as per the approved hardening baseline standards.

• SR.01-PS-03 The Active Directory must be implemented in High Availability mode. An automatic failover mechanism should be implemented to ensure that the secondary system takes over as primary in the event of a primary system failure.

• SR.01-PS-04 System Operator account login shall be configured to have minimum privileges based on the role and shall not have any administrative privileges at the Windows level.

• SR.01-PS-05 A comprehensive list of users and groups, including detailed information on each, should be provided. Group Policy should be used to implement all necessary controls and hardening measures for the Windows OS:

o a. Domain/Local Users:
   i. Domain role
   ii. Local role
   iii. Access requirements
   iv. Functional rights requirements

o b. Domain/Local groups:
   i. Domain role
   ii. Membership
   iii. Access requirements
   iv. Functional rights requirements

• SR.01-PS-06 A solution for centralized authentication and enforcement of access policies on network devices (AAA functionality) shall be enforced.

• SR.01-PS-07 Passwords traversing within the OT network shall be encrypted. Any deviations shall be communicated to and approved by the CONTRACTOR.

• SR.01-PS-08 All password files stored in authentication servers shall be encrypted and protected from read and copy access.

• SR.01-PS-09 All system passwords shall be provided to the CONTRACTOR in a secure mechanism agreed by the CONTRACTOR.

• SR.01-PS-10 The VENDOR shall configure access privileges on the OT application based on roles to ensure that only the privileges required for the role are configured.

• SR.01-PS-11 The VENDOR shall document an Access Control Matrix containing roles and privileges (system and application level) including the names of the engineers who are assigned a specific role.

3.1.2 Use control (UC)

Standard Requirements

With reference to [DI-06], the following table specifies the applicability plan as a function of the target security level (SL-T) of the SYSTEM or any of its components.


| Req. ID | Topic | Subtopic | SL-T in Scope |
|---|---|---|---|
| SR 2.1 | Authorization enforcement | Enable authorization on human user interfaces | 1 |
| SR 2.1 RE 1 | Authorization enforcement for all users | Enable authorization on all interfaces | 2 |
| SR 2.1 RE 2 | Permission mapping to roles | Map permissions to roles for all human users | 2 |
| SR 2.1 RE 3 | Supervisor override | Support supervisor manual override | 3 |
| SR 2.2 | Wireless use control | Usage authorization, monitoring and restrictions for wireless connectivity | 1 |
| SR 2.2 RE 1 | Identify and report unauthorized wireless devices | Detect and report unauthorized wireless devices | 3 |
| SR 2.3 | Use control for portable and mobile devices | Enforce usage restrictions for portable and mobile media devices | 1 |
| SR 2.3 RE 1 | Enforcement of security status of portable and mobile devices | Verify that the media device complies with the security requirements of the zone. | 3 |
| SR 2.4 | Mobile code | Enforce restrictions for mobile code technologies (control execution, control mobile code transfer, integrity check) | 1 |
| SR 2.4 RE 1 | Mobile code authenticity check | Check of authenticity | 3 |
| SR 2.5 | Session lock | Initiate session lock | 1 |
| SR 2.6 | Remote session termination | Session termination after configurable time, manually by the user | 2 |
| SR 2.7 | Concurrent session control | Limit the number of concurrent sessions | 3 |
| SR 2.8 | Auditable events | Generate security-relevant audit records | 1 |
| SR 2.8 RE 1 | Centrally managed, system-wide audit trail | Send logs to a central storage. | 3 |
| SR 2.9 | Audit storage capacity | Provide sufficient audit storage capacity | 1 |
| SR 2.9 RE 1 | Warn when audit record storage capacity threshold reached | Issue warning when log capacity is reached | 3 |
| SR 2.10 | Response to audit processing failures | Prevent the loss of essential services and functions while auditing and provide appropriate actions | 1 |
| SR 2.11 | Timestamps | Create timestamps for audit records | 2 |
| SR 2.11 RE 1 | Internal time synchronization | The system shall be able to sync internal clock | 3 |
| SR 2.12 | Non-repudiation | For human user interfaces: log users’ actions | 3 |

Table 10 - FR 2 – Use Control

Additional Requirements

• SR.01-PS-12 A solution for centralized management of all removable media (USB/CD/DVD etc.) within the OT Network shall be developed. It is preferable for this solution to be integrated with the proposed anti-malware solution or the existing anti-malware solution implemented at the respective site.

• SR.01-PS-13 The proposed solution shall provide the following features:

o Centrally enable and disable all removable media such as USB drives, Bluetooth devices, CDs, DVDs etc. on all OT nodes from a central host.

o Integrate with the installed anti-malware solution and console.

o All device control policies and incidents should be managed through a centralised policy management software solution, and all incidents should be forwarded to the SIEM;

o Set role-based access control.

o Support for Microsoft Windows Operating System (OS).

• SR.01-PS-14 The VENDOR must disable all removable media ports, unless otherwise specified by the CONTRACTOR. All data-accessible ports should be secured.

• SR.01-PS-15 USB Ports on firewalls and appliances which cannot be disabled shall be locked using physical USB locks. Physical locks should be used to secure USB ports on firewalls and appliances that cannot be disabled.

• SR.01-PS-16 All anti-virus updates shall be introduced to the system during the period of installation, testing and implementation via a dedicated or secure USB, CD or DVD. Any deviation shall be subject to CONTRACTOR approval. Only OT System OEM approved updates shall be installed.


• SR.01-PS-17 A centrally managed Application Whitelisting (AWL) solution to control unauthorized execution of executables, programs, software and applications shall be implemented. The proposed solution shall be certified and supported by the OT system OEM.

• SR.01-PS-18 The Vendor must demonstrate that the application whitelisting solution will not negatively impact the functionality, safety, or performance of the OT system or any of its integrated systems. ePO should be integrated with SIEM for all logs, similarly for all other servers and network devices.

3.1.3 System Integrity (SI)

Standard Requirements

With reference to [DI-06], the following table specifies the applicability plan as a function of the target security level (SL-T) of the SYSTEM or any of its components.

| Req. ID | Topic | Subtopic | SL-T in Scope |
|---|---|---|---|
| SR 3.1 | Communication integrity | Protect integrity of transmitted information | 1 |
| SR 3.1 RE 1 | Communication authentication | Verify and recognize the information changes during communication. | 3 |
| SR 3.2 | Malicious code protection | Provide protection from malicious code or unauthorized software. Can update the protection | 1 |
| SR 3.2 RE 1 | Malicious code protection on entry and exit points | Provide malicious code protection | 2 |
| SR 3.2 RE 2 | Central management and reporting for malicious code protection | Manage malicious code protection mechanisms | 3 |
| SR 3.3 | Security functionality verification | Support verification of security functions when anomalies are discovered during maintenance | 1 |
| SR 3.3 RE 1 | Automated mechanisms for security functionality verification | Provide automation for management of security verification | 3 |
| SR 3.4 | Software and information integrity | Perform or support integrity checks on software and configuration | 1 |
| SR 3.4 RE 1 | Automated notification about integrity violations | Send notification to some users if there is an integrity violation | 3 |
| SR 3.5 | Input validation | Validate syntax, length and content of any input | 1 |
| SR 3.6 | Deterministic output | Set outputs to a predetermined state if normal operation cannot be maintained | 1 |
| SR 3.7 | Error handling | Identify and handle error conditions in a manner that does not provide exploitable information for the adversaries. | 2 |
| SR 3.8 | Session integrity | Protect the integrity of communications sessions | 2 |
| SR 3.8 RE 1 | Invalidation of session IDs after session termination | The control system shall provide the capability to invalidate session IDs upon user logout or other session termination (including browser sessions). | 2 |
| SR 3.8 RE 2 | Unique session ID generation | The control system shall provide the capability to generate a unique session ID for each session and treat all unexpected session IDs as invalid. | 3 |
| SR 3.9 | Protection of audit information | Protect relevant audit information and tools | 2 |

Table 11 - FR 3 – System Integrity

Additional Requirements

• SR.01-PS-19 VENDOR shall provide controllers and PLCs that are tested and certified for cyber security from reputed certification agencies such as Wurldtech Security Technologies’ Achilles certification, ISA Security Compliance Institute (ISCI) or any equivalent certification agency which shall be reviewed and approved by the CONTRACTOR. The test certificates shall be provided to the CONTRACTOR.

• SR.01-PS-20 VENDOR shall provide information related to the OEM’s process for addressing cyber security in their Software Development Life Cycle (SDLC) process. The VENDOR shall submit the available secure code review and testing certificates.

• SR.01-PS-21 Process for secure software development life cycle of the OT System OEM shall provide assurance for the following application-level controls:

o Inputs to the application / software are validated;

o Validation checks are incorporated into the system to detect any corruption of data while processing;

o Ensure authenticity and integrity in processing of messages/commands within the application;

o Data output from the application system shall be validated to ensure that the processing of stored information is correct;

o Protection against denial of service and robustness to withstand network scans;


o Error messages generated by the ICSS shall provide timely and useful information without revealing potentially harmful information that could be used by adversaries to exploit the system.

• SR.01-PS-22 VENDOR shall provide the CONTRACTOR the OT System OEM’s process for publishing and communicating security vulnerabilities to the CONTRACTOR.

• SR.01-PS-23 VENDOR shall permit CONTRACTOR to conduct security vulnerability scans on the OT system and associated components in scope of the project (which include but are not limited to servers, laptops, PCs, workstations, applications, network switches, routers, databases etc.) during FAT stage. The OT System OEM shall confirm compatibility of conducting VA scans on the OT System.

• SR.01-PS-24 The VENDOR shall be fully responsible for remediation of all identified vulnerabilities.

• SR.01-PS-25 VENDOR shall provide the CONTRACTOR with white papers and best practice documents for remediating any published flaws within its supplied applications, PLCs, controllers and IT components during the period of the contract.

• SR.01-PS-26 VENDOR shall disclose the existence of any known or identified backdoor in the supplied systems.

• SR.01-PS-27 VENDOR shall inform CONTRACTOR of any hard coded credentials within the OT system(s).

• SR.01-PS-28 A centralized anti-malware solution on all applicable nodes supplied as part of the project scope shall be implemented.

• SR.01-PS-29 Anti-malware solution provided shall be approved and certified for use by the OT System OEM.

• SR.01-PS-30 Anti-malware solution provided shall have the capability for centralized administration and deployment of agents & anti-virus signatures.

• SR.01-PS-31 Anti Malware solution shall have the capability to configure password restriction for uninstallation of agents.

• SR.01-PS-32 VENDOR shall verify system performance after installation of anti-malware solution on the OT environment.

• SR.01-PS-33 Virus definition files shall be tested and released for installation by the OT OEM as soon as possible, within a maximum of thirty (30) days after initial release from the anti-malware OEM.

• SR.01-PS-34 Anti Malware Solution shall be designed to support offline update of anti-virus signatures.

• SR.01-PS-35 VENDOR shall provide a documented procedure for installation, configuration, offline update and uninstallation of anti-malware solution.

• SR.01-PS-36 Where the installation of anti-malware software is not technically feasible, a list of all affected computers must be maintained. Additionally, alternative mitigating measures should be implemented to reduce the risk of infection. A deviation/exception request must be submitted to the CONTRACTOR for approval. Anti-malware event logs should be shared with the SIEM.


3.1.4 Data confidentiality (DC)

Standard Requirements

With reference to [DI-06], the following table specifies the applicability plan as a function of the target security level (SL-T) of the SYSTEM or any of its components.

| Req. ID | Topic | Subtopic | SL-T in Scope |
|---|---|---|---|
| SR 4.1 | Information confidentiality | Protect confidentiality of information at rest or in transit for which explicit read authorization is supported | 1 |
| SR 4.1 RE 1 | Protection of confidentiality at rest or in transit via untrusted networks | Protect confidentiality of information at rest and remote access traversing untrusted network | 2 |
| SR 4.2 | Information persistence | Erase all information with explicit read authorization when released from service | 2 |
| SR 4.2 RE 1 | Purging of shared memory resources | Protect against unauthorized information transfer via volatile shared memory resources | 3 |
| SR 4.3 | Use of cryptography | Use cryptographic mechanisms according to international recognized recommendations | 1 |

Table 12 - FR 4 – Data Confidentiality

Additional Requirements

None applicable.


3.1.5 Restricted data flow (RDF)

Standard Requirements

With reference to [DI-06], the following table specifies the applicability plan as a function of the target security level (SL-T) of the SYSTEM or any of its components.

| Req. ID | Topic | Subtopic | SL-T in Scope |
|---|---|---|---|
| SR 5.1 | Network segmentation | Support and provide a segmented network | 1 |
| SR 5.1 RE 1 | Physical network segmentation | Provide a physical network segmentation | 2 |
| SR 5.1 RE 2 | Independence from non-control systems networks | Provide independent network access to control system | 3 |
| SR 5.2 | Zone boundary protection | Monitor and control communications between boundaries zones | 1 |
| SR 5.2 RE 1 | Deny by default, allow by exception | Deny all network traffic by default and allow by exception | 2 |
| SR 5.2 RE 2 | Island mode | Protect against any communication | 3 |
| SR 5.2 RE 3 | Fail close | Protect against any communication when boundary protection mechanisms fail | 3 |
| SR 5.3 | General purpose, person-to-person communication restrictions | Protect from general purpose, person-to-person messages being received from users or systems external to the control system | 1 |
| SR 5.3 RE 1 | Prohibit all general purpose person-to-person communications | Prevent transmission and reception of these messages | 3 |
| SR 5.4 | Application partitioning | Support partitioning for data, applications and services | 1 |

Table 13 - FR 5 – Data Flow

Wireless Dataflow

• SR.01-PS-37 The VENDOR shall configure strong authentication, encryption and access control mechanisms for industrial wireless devices.

• SR.01-PS-38 The highest possible wireless encryption shall be implemented (minimum of 128 bits encryption).


• SR.01-PS-39 The point of interconnection between a wired and wireless network shall be segregated by a firewall.

• SR.01-PS-40 Unused ports provided on wireless instruments shall be disabled.

• SR.01-PS-41 Default passwords on wireless devices shall be changed to complex passwords.

Network Security

• SR.01-PS-42 The OT network shall be zoned thereby partitioning the network and grouping devices with the same functionality to implement a secure zoning and conduit model. The proposed network segmentation, zoning and conduit model shall be certified by the OT System OEM and in compliance to the requirements of ADNOC OT Cyber Security Network Reference Architecture. The VENDOR shall obtain endorsement from the CONTRACTOR prior to finalization of the architecture.

• SR.01-PS-43 Demilitarized zone (Level 3.5) shall be created between Level 3 and Level 4 networks as per ADNOC OT Cyber Security Network Reference Architecture.

• SR.01-PS-44 The OT Engineering workstations shall be segregated in a separate zone and enforce network security barrier between the engineering workstation zone and Human Machine Interface (HMI) zone (applicable to dedicated Engineering Stations). Where HMI and Engineering stations are combined in the same machine separate user accounts and authorization levels must be configured to segregate the access.

• SR.01-PS-45 It is recommended that process control network and safety network do not terminate on the same switch to ensure that two independent networks are maintained.

• SR.01-PS-46 Safety-related communications (SIL 1 and above) that share a network (or bus) with a control network SHALL be separated from the control network by a network security barrier (i.e., gateway, firewall or network device with Access Control Lists (ACLs)) that only permits traffic required for the safety and control systems to inter-operate.

• SR.01-PS-47 As per ADNOC cyber security requirement, data transfer from OT to IT Network must flow through a Physical Unidirectional Gateway / Data Diode between L3.5 and L4. The VENDOR shall ensure that all proposed solutions that are required to transfer data from the OT network to corporate IT network are compatible with the data diode implemented at the respective ADNOC site.

• SR.01-PS-48 Internet Protocol (IP) routing shall be implemented using equipment explicitly designed for this purpose, i.e., router and firewall devices.

• SR.01-PS-49 Network devices (routers, switches, or firewalls) interconnecting different levels and zones must have ACLs configured to restrict access. Access lists should be implemented as part of firewall configurations, restricting access to the port level from source to destination. No subnet-level ACLs are permitted.

• SR.01-PS-50 VLAN 1 shall be disabled. Segmentation and zoning of virtualized infrastructure and networks shall utilize specialized virtual firewalls for inter-virtual machine traffic segmentation. All such configurations shall comply with ADNOC OT Cyber Security Network Reference Architecture.

• SR.01-PS-51 Hypervisor management interfaces shall be isolated into a separate zone which restricts access to authorized protocols and devices.

• SR.01-PS-52 Any loss of communication with or failures in business network shall not impact the safe operations of process/ process equipment.


• SR.01-PS-53 Communication between ICSS and third party sub system networks shall be secured using security controls specific to the communication interface & protocol.
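A pre-submission check for the port-level ACL rule in SR.01-PS-49 and the deny-by-default rule of SR 5.2 RE 1, as an added example that is not part of the specification. The five-column rule format, the finding codes and the addresses are assumptions constructed for the example; a real review would first export the device configuration into this form.

```python
import ipaddress

# Constructed rule set in a hypothetical, vendor-neutral format.
SAMPLE_RULES = """\
# action proto source        destination  port
permit tcp   10.20.3.21      10.20.2.5    44818
permit tcp   10.20.3.0/24    10.20.2.5    502
permit udp   10.20.3.22      any          123
permit tcp   10.20.3.23      10.20.2.6    any
deny   ip    any             any          any
"""


def is_single_host(value):
    """True when value names exactly one address (no 'any', no subnet)."""
    if value == "any":
        return False
    try:
        network = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    return network.num_addresses == 1


def is_single_port(value):
    """True when value is one concrete port number."""
    return value.isdigit() and 1 <= int(value) <= 65535


def lint_acl(text):
    """Return (rule_number, finding_code) pairs for a rule set.

    Rule numbers count non-comment lines from 1; a finding that applies to
    the rule set as a whole is reported with rule number 0.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(line.split())

    findings = []
    for number, fields in enumerate(rules, start=1):
        if len(fields) != 5:
            findings.append((number, "MALFORMED"))
            continue
        action, _proto, source, destination, port = fields
        if action != "permit":
            continue
        # SR.01-PS-49: port-level access from source to destination,
        # no subnet-level entries.
        if not is_single_host(source):
            findings.append((number, "SOURCE_NOT_SINGLE_HOST"))
        if not is_single_host(destination):
            findings.append((number, "DESTINATION_NOT_SINGLE_HOST"))
        if not is_single_port(port):
            findings.append((number, "PORT_NOT_SPECIFIC"))

    # SR 5.2 RE 1: deny by default, allow by exception. Assumption: in this
    # format the default must be written out as the final rule.
    if not rules or rules[-1] != ["deny", "ip", "any", "any", "any"]:
        findings.append((0, "NO_FINAL_DENY_ALL"))
    return findings


if __name__ == "__main__":
    for number, code in lint_acl(SAMPLE_RULES):
        print(f"rule {number}: {code}")
```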

3.1.6 Timely response to event (TRE)

Standard Requirements

With reference to [DI-06], the following table specifies the applicability plan as a function of the target security level (SL-T) of the SYSTEM or any of its components.

| Req. ID | Topic | Subtopic | SL-T in Scope |
|---|---|---|---|
| SR 6.1 | Audit log accessibility | Provide humans or tools read access to audit logs | 1 |
| SR 6.1 RE 1 | Programmatic access to audit logs | Provide programmatic access (API) to audit records | 3 |
| SR 6.2 | Continuous monitoring | Allow for continuous monitoring to detect/report security breaches in a timely manner | 2 |

Table 14 - FR 6 – Timely Response to Event

Additional Requirements

• SR.01-PS-54 A centralized monitoring solution to continuously monitor OT System infrastructure components shall be implemented.

• SR.01-PS-55 The proposed solution must have the following minimum capabilities:

o Ability to monitor wired and wireless networks, physical and virtual servers;

o Discover & map the network including desktops, workstations, servers, firewalls, switches and routers;

o Ability to visualize the complete network map;

o Monitor the availability and performance of routers, switches, and firewalls;

o Network Traffic analysis;

o Configuration Change Management and Policy Compliance;

o Generate hardware and software inventory reports;

o Access Rights Management;

o Identify root causes of failure;

o Alert system and network failures;

o Provide capacity monitoring reports;

o Intuitive web-based dashboards;


o Supports scripting languages like VBScript and PowerShell and supports SQL queries to create database monitors;

o Assign device roles to the identified devices;

o Supports multiple monitors such as active monitors that proactively poll to monitor device states, performance monitors that capture actual performance metrics like CPU, interface status, interface utilization and memory utilization, and passive monitors that collect SNMP traps, Syslog info, and Windows event logs.

• SR.01-PS-56 A workstation console for monitoring the cyber security solutions implemented as per the requirements of this specification shall be implemented.

• SR.01-PS-57 The monitoring console shall be installed with all the software required to troubleshoot, monitor and view diagnostics information of the security solutions that are implemented as per the requirements of this specification.

• SR.01-PS-58 The VENDOR shall support the CONTRACTOR in the installation of SIEM agents on the OT nodes supplied as part of the project. If installation of SIEM agent on the OT node is not supported, the VENDOR shall support to pull the audit logs using WEF to the SIEM servers or propose alternate mechanisms.

• SR.01-PS-59 The VENDOR shall provide support services to send security and audit logs to the SIEM Solution.

• SR.01-PS-60 Scope of SIEM integration shall include:

o Windows OS, Linux, Unix and all other supported Operating Systems used in the project.

o Network devices such as switches, routers etc.;

o Security devices such as firewalls;

o OT application;

o Cyber security solutions in scope of the project;

o Databases (SQL, Oracle etc.).

• SR.01-PS-61 The OT system components shall be capable to generate logs for:

o User login success/failure;

o Operator/administrator activities;

o System events/faults;

o Security events;

o Configuration changes related to the Operating System (OS);

o OT System application events;

o Operator and Engineering level activities at the Windows and application level.

• SR.01-PS-62 Individual audit records generated shall include details but not limited to:

o Timestamp;

o Event ID;

o Status;


o Error codes;

o Service/command/application name;

o User or system account associated with an event;

o Device used (e.g. source and destination IPs, terminal session ID, web browser, etc.);

o Commands entered.

• SR.01-PS-63 OT system should have the ability to send audit logs to an alternate storage system for analysis and retention. The control system should be compatible to send system logs to a syslog server for integration with a SIEM (Security Incident and Event Management solution).

• SR.01-PS-64 The logs shall be forwarded to the SIEM solution using the below collection options:

o Agent Based: Agent to be installed on the machines to collect Logs from OS, File based logs and databases.

o Directly connect using a network protocol such as Syslog – For Network and Security devices and solutions that support syslog forwarding mechanism.

o WEF based – For Agentless collection of Windows logs.

o Streaming protocol: e.g., SNMP, Netflow, IP Flow etc.

• SR.01-PS-65 The VENDOR shall provide the method statement to collect the logs from the OT system to the collector server (using Syslog, WEF, DB collector etc.) based on supported collection mechanism. The Vendor shall also provide MOS for WEF event forwarding source-initiated subscriptions.
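A completeness check for the audit record details listed in SR.01-PS-62, as an added example that is not part of the specification. The key=value line format, the field names, the "-" not-applicable marker and the rule that timestamps carry a UTC offset are assumptions made for the example, and the sample records are constructed.

```python
import shlex
from datetime import datetime

# Hypothetical field names, each mapped to one item listed in SR.01-PS-62.
REQUIRED_FIELDS = {
    "ts": "Timestamp",
    "event_id": "Event ID",
    "status": "Status",
    "error_code": "Error codes",
    "service": "Service/command/application name",
    "account": "User or system account",
    "device": "Device used",
    "command": "Commands entered",
}

# Assumption: "-" means "not applicable" and is accepted only for these.
NOT_APPLICABLE_ALLOWED = {"error_code", "command"}

# Constructed sample records as a collector might receive them.
SAMPLE_LOG = """\
ts=2025-01-28T09:15:02+04:00 event_id=4624 status=success error_code=- service=hmi-login account=op.shift1 device=10.20.2.31 command=-
ts=2025-01-28T09:16:40 event_id=4625 status=failure error_code=0xC000006A service=hmi-login account=op.shift1 device=10.20.2.31 command=-
ts=2025-01-28T09:20:11+04:00 event_id=7001 status=success service=eng-station account=- device=10.20.3.21 command="download logic PLC-07"
"""


def parse_record(line):
    """Split one key=value line into a dict; quoted values may hold spaces."""
    record = {}
    for token in shlex.split(line):
        key, separator, value = token.partition("=")
        if separator:
            record[key] = value
    return record


def check_record(record):
    """Return the list of problems found in one parsed record."""
    problems = []
    for key, label in REQUIRED_FIELDS.items():
        if key not in record:
            problems.append("missing: " + label)
        elif record[key] in ("", "-") and key not in NOT_APPLICABLE_ALLOWED:
            problems.append("empty: " + label)

    # A timestamp without an offset cannot be ordered reliably against
    # records from other nodes once it reaches the central collector.
    stamp = record.get("ts", "")
    if stamp not in ("", "-"):
        try:
            parsed = datetime.fromisoformat(stamp)
        except ValueError:
            problems.append("unparseable: Timestamp")
        else:
            if parsed.tzinfo is None:
                problems.append("no UTC offset: Timestamp")
    return problems


def audit(text):
    """Map line number -> problems, for every record that has any."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        problems = check_record(parse_record(line))
        if problems:
            report[number] = problems
    return report


if __name__ == "__main__":
    for number, problems in audit(SAMPLE_LOG).items():
        print(f"record {number}: {'; '.join(problems)}")
```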

3.1.7 Resource Availability (RA)

Standard Requirements

With reference to [DI-06], the following table specifies the applicability plan as a function of the target security level (SL-T) of the SYSTEM or any of its components.

| Req. ID | Topic | Subtopic | SL-T in Scope |
|---|---|---|---|
| SR 7.1 | Denial of service protection | Maintain essential functions when operating in degraded mode | 1 |
| SR 7.1 RE 1 | Manage communication loads | Mitigate effects of DoS | 2 |
| SR 7.1 RE 2 | Limit DoS effects to other systems or networks | Mitigate effects of DoS to other systems or networks | 3 |
| SR 7.2 | Resource management | Limit the use of resources by security functions to protect from resource exhaustion | 1 |
| SR 7.3 | Control system backup | Participate in system level backup operation without affecting normal operations | 1 |
| SR 7.3 RE 1 | Backup verification | Validate the reliability of the backed-up information | 2 |
| SR 7.3 RE 2 | Backup automation | Automate the backup process at any time. | 3 |
| SR 7.4 | Control system recovery and reconstitution | Recover to a known secure state after disruption or failure | 1 |
| SR 7.5 | Emergency power | Switch to emergency power without affecting the current state | 1 |
| SR 7.6 | Network and security configuration settings | Configuration according to security guidelines. Provision of an interface to the currently deployed configuration | 1 |
| SR 7.6 RE 1 | Machine-readable reporting of current security settings | Provide a machine-readable format for settings | 3 |
| SR 7.7 | Least functionality | Restrict the use of unnecessary functions, ports, protocols and/or services | 1 |
| SR 7.8 | Control system component inventory | Support a control system inventory | 2 |

Table 15 - FR 7 – Resource Availability

Additional Requirements

• SR.01-PS-66 A centralized backup and recovery system shall be implemented to conduct centralized automated backup of user-level and system-level information without affecting normal operations.

• SR.01-PS-67 Three Tier Centralized Backup Topology shall be implemented:

o Each device individually utilizing a dedicated partition;

o The Central Backup Server with centralized reporting capabilities;

o Tape Library for offsite storage.

• SR.01-PS-68 The backup solution should support the capability to verify the reliability of the backup mechanism.

• SR.01-PS-69 The backup and recovery system shall have the capability to restore the OT System node through the saved backups after a disruption or failure.

• SR.01-PS-70 For Virtual Machines (VMs) the backup solution shall have the capability to:


o Take file-level and image-level VM backups;

o Support replication and recovery of VMs to alternate locations;

o Support file level recovery for database VMs;

o Monitor Backup of VMs.

• SR.01-PS-71 The backup and recovery system shall maintain an audit trail of all backups and restore activities.

• SR.01-PS-72 Backup system shall be capable of adjusting the network bandwidth usage and CPU load. The backup process shall not affect the performance of the OT Network.

• SR.01-PS-73 The backup solution VENDOR shall provide a minimum of 10 backup tapes in total for onsite and offsite backup storage.

• SR.01-PS-74 Dedicated backup and recovery server shall be provided for each plant in scope and as per the backup design considering ICSS and third party sub systems.

• SR.01-PS-75 Backup solution shall have bare metal remote restore capability.

• SR.01-PS-76 The solution shall have the capability to integrate with Active Directory.

• SR.01-PS-77 The backup solution shall have centralized software to monitor the status of the backup and restoration activity and to make policy configurations centrally.

• SR.01-PS-78 The backup solution shall support encryption of backup images and files.

• SR.01-PS-79 The solution shall support agents for Windows, Linux applications, virtualized platforms and databases.

• SR.01-PS-80 Backup solution must have the capability of whole disk images and data backup with bare metal restore capability.

• SR.01-PS-81 The backup and restore system shall maintain an audit trail of all backup and restore activities.

• SR.01-PS-82 The Backup Solution shall have the capability to increase the capacity and licenses based on the growing capacity requirements. The Backup Solution shall support online and off-line restoration capabilities & BMR and reports and logs shall be supported. Backup Solution shall support reports and integrate logs with SIEM.

3.1.8 Standalone Systems

• SR.01-PS-83 Centralized Anti-malware server is not mandatory, however host-based antivirus software is required. Standalone AV Virus definition files shall be tested and released for installation by the OT OEM as soon as possible, within a maximum of thirty (30) days after initial release from the anti-malware OEM.

• SR.01-PS-84 Active Directory is not mandatory, appropriate Local Security policy shall be implemented.

• SR.01-PS-85 Microsoft Patch Update – Centralized patch management server is not mandatory for these systems, however manual patching shall be performed as per OT System OEM recommendation.

• SR.01-PS-86 Local security audit logging shall be enabled.


• SR.01-PS-87 Application Whitelisting, HIPS, IDS/IPS solutions are not applicable for standalone systems.

• SR.01-PS-88 All desktops, workstations, laptops, switches, routers and firewalls in scope shall be hardened as per OEM approved Hardening Standard in line with CIS Benchmark.

• SR.01-PS-89 Standalone Backup and Recovery software shall be implemented. All applications, operating system images, data (including databases), user configuration information, and hardware configuration information (as applicable) shall be backed up. Backups for standalone servers shall be stored at a centralized NAS.

• SR.01-PS-90 Time synchronization shall be implemented through a secure time source.

• SR.01-PS-91 Removable Media shall be disabled. Removable media control option through the Anti malware solution shall be implemented where feasible.

• SR.01-PS-92 Strong Password Policy shall be implemented on all nodes. The settings shall be configured as per defined policy.

• SR.01-PS-93 Unique User Accounts shall be created for all administrative level and privileged accounts.

• SR.01-PS-94 System shall be capable of configuring session time out / screen lock based on inactivity. The settings shall be configured as per defined policy.

• SR.01-PS-95 Remote Desktop connection shall be enabled only for authorized users.

• SR.01-PS-96 Wireless connections (if any) shall be risk assessed and approved by the CONTRACTOR.

• SR.01-PS-97 All administrator level passwords must be strong & complex.

• SR.01-PS-98 Default accounts and default passwords shall be changed.

• SR.01-PS-99 Service account passwords or application hard-coded passwords can be changed. The Service account shall be configured as “deny login locally”.

• SR.01-PS-100 Windows Firewall shall be enabled. Asset Inventory of Hardware and Software shall be documented by the VENDOR as per template provided.

3.1.9 Mobile Devices

• SR.01-PS-101 The following security requirements shall be implemented on mobile devices used in Industrial OT Network:

o Implement Anti Malware solution;

o Implement Device Encryption;

o Implement link encryption of wireless and radio connections;

o Implement solution for backup and recovery.

• SR.01-PS-102 Mobile devices used in Industrial OT Network shall have the following capabilities:

o Ability to enforce strong password policy;

o Ability to encrypt the device;

o Ability to enforce strong access control;


o Ability to restrict configuration setting changes to privileged users only;

o Ability to enable audit logging.

3.2 Organizational Requirements

3.2.1 Staffing

Standard Requirements

With reference to [DI-04], the following table specifies the applicability plan as a function of the target security level (SL-T) of the SYSTEM or any of its components.

| Req. ID | Topic | Subtopic | SL-T in Scope |
|---|---|---|---|
| SP.01.01 - BR | Training | Security requirements / IEC 62443-2-4 | SL 1, SL 2, SL 3, SL 4 |
| SP.01.01 - RE(1) | Training | Security requirements / IEC 62443-2-4 | SL 1, SL 2, SL 3, SL 4 |
| SP.01.02 - BR | Training | Security requirements – asset owner | SL 1, SL 2, SL 3, SL 4 |
| SP.01.02 - RE(1) | Training | Security requirements – asset owner | SL 1, SL 2, SL 3, SL 4 |
| SP.01.03 - BR | Training | Sensitive data | SL 1, SL 2, SL 3, SL 4 |
| SP.01.03 - RE(1) | Training | Sensitive data | SL 1, SL 2, SL 3, SL 4 |
| SP.01.04 - BR | Background checks | Service provider | SL 1, SL 2, SL 3, SL 4 |
| SP.01.04 - RE(1) | Background checks | Subcontractor | SL 2, SL 3, SL 4 |
| SP.01.05 - BR | Personnel assignments | Security contact | SL 1, SL 2, SL 3, SL 4 |
| SP.01.06 - BR | Personnel assignments | Security lead | SL 1, SL 2, SL 3, SL 4 |
| SP.01.07 - BR | Personnel assignments | Change | SL 1, SL 2, SL 3, SL 4 |

Table 16 - Staffing


Additional Requirements

• SR.01-PS-103 The VENDOR shall ensure that qualified personnel are allocated at all times during the project.

• SR.01-PS-104 The VENDOR shall utilize a project team structure to achieve continuity and accuracy of implementation. The VENDOR shall submit the resumes of the personnel that will be allocated to the project for CONTRACTOR approval.

• SR.01-PS-105 The VENDOR shall conduct security-related background checks on all personnel before they are assigned to the project.

• SR.01-PS-106 All personnel executing the project with access to the OT System shall sign and agree to abide by COMPANY Acceptable usage and confidentiality agreements and shall follow applicable COMPANY policies, procedures and standards.

• SR.01-PS-107 The Vendor shall provide an intranet site to download all regularly released and tested patches, firmware, and security updates for all solutions implemented. This should also include current details and an inventory of software and hardware, including license and support validity.

3.2.2 Assurance

No requirement applicable.

3.2.3 Solution Hardening

• SR.01-PS-108 ADNOC security practice guidelines need to be followed for all implementations. The VENDOR shall document the security hardening baseline standard as approved by the OT System OEM for all IT infrastructure components and applications, including but not limited to:

o a. Operating System (Windows, Linux etc.)

o b. Network devices such as routers and switches

o c. Security devices such as firewalls

o d. Security Solutions such as Anti-Malware, Backup & Recovery, Network Monitoring, Patch Management etc.

o e. Active Directory / Domain Controller

o f. OT System Application

o g. Wireless Devices

o h. Virtualization Platforms such as VMWare, Hyper-V etc.

• SR.01-PS-109 The proposed hardening standards shall be based on international benchmarks such as Centre for Internet Security (CIS), NSA Security Configuration Guides or DISA STIG which shall be tested and approved by the OT System OEM. Where international benchmarks are not available, OEM recommended security hardening best practices shall be complied with.

• SR.01-PS-110 The VENDOR shall implement the approved hardening standard on all applicable workstations, servers, laptops, network devices, security devices and applications in scope of the project.


• SR.01-PS-111 The VENDOR shall implement (but not limited to) the following settings as part of the hardening service:

o Windows Nodes

a) File shares to meet least privilege requirements;

b) Implement session lock out for all Engineering workstations and servers after a defined period of inactivity as specified by CONTRACTOR;

c) Disable removable media (Floppy, CD/DVD, USB/ Mass Storage ports etc.);

d) Disable non-essential Windows services;

e) Restrict and harden RDP configuration;

f) Secure the Simple Network Management Protocol (SNMP) Service & Traps;

g) Password complexity for Operating System and Application passwords;

h) Password protected screen savers shall be activated and configured on workstations located in remote / unmanned areas after a defined period of inactivity as specified by the CONTRACTOR;

i) Set Account lock out settings;

j) Rename the built in Administrator and generic administrator accounts;

k) Set Audit Log Policy and retention period;

l) Configure login banner;

m) Allow only authorized administrator to access RDP Service;

n) Customized OS login privileges for each role based on least privilege (e.g. operator login should not have access to the operating system root or administrator privileges);

o) Remove and/or disable all software utilities and ports that are not required prior to commissioning.

p) Remove/uninstall functionality that is not required for the intended functional purpose of the system and business purpose, e.g., e-mail, office applications, games, messaging services, unused drivers, USB ports, Bluetooth and Wi-Fi communication etc.

o Network Devices

a) Secret password to protect access to privileged EXEC modes;

b) Encryption of passwords stored within the device (Password Encryption Service);

c) Password with encryption on console access (Encrypted Line Passwords);

d) Enable audit Logging;

e) Enable session time out after a defined period of inactivity;

f) Change default passwords;

g) Set account lock out settings;

h) Security of SNMP;


i) Configure login banner;

j) Disable unnecessary and insecure services;

k) The channel for management access to network devices and firewalls shall be through an encrypted channel such as Secure Shell (SSH) from designated hosts within the OT Network.

l) The most secure and supported encryption algorithm shall be implemented.

o Others

a) Create unique user id for users with engineering privileges at application and system level.

b) Implement strong password authentication for all engineering functions to make configuration changes on the controller.

c) The controller should accept configuration changes only from authorized engineering workstations and nodes.

d) Change default passwords used for system accounts (such as an administrator or root account). Exceptions (if any) must be approved by the CONTRACTOR.

e) Remove or disable default system and application accounts e.g. SUPPLIER “back-door”, “super-user” and “guest” accounts.

f) The “administrator” and built in default administrator level accounts shall not be used by the OT system to run services (if any). A dedicated “service” account shall be created with the minimum privileges necessary for running the service. (E.g. OPC service accounts).

g) OT Application logins with engineering level privileges should be logged out after a defined period of inactivity.

h) The VENDOR shall verify that a user cannot escalate privileges without logging into a higher-privileged role first.

i) Documentation of all user, built-in, local and service accounts on the OT System, network devices, security devices and servers must be provided by the VENDOR.
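The Network Devices items of SR.01-PS-111 can be checked mechanically against a device configuration. The following is an added example, not part of the specification or of any vendor tool: it assumes Cisco IOS-style syntax (the specification names no network OS), and both sample configurations and the function names are constructed for illustration.

```python
import re

# Constructed sample configurations in Cisco IOS-style syntax (assumption: the
# specification names no network OS). Hashes are placeholders, not real values.
WEAK_CONFIG = """\
hostname sw-weak
enable password cisco
snmp-server community public RO
ip http server
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname sw-hard
service password-encryption
enable secret 9 CONSTRUCTED-HASH-PLACEHOLDER
aaa local authentication attempts max-fail 5
logging host 192.0.2.10
no ip http server
snmp-server group OTMON v3 priv
banner login ^C Authorized access only ^C
line con 0
 password 7 CONSTRUCTED-PLACEHOLDER
 login
 exec-timeout 10 0
line vty 0 4
 login local
 exec-timeout 10 0
 transport input ssh
"""


def split_config(text):
    """Return (global commands, {"line ..." header: [sub-commands]})."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if not raw.startswith(" "):            # new top-level command
            current = cmd if cmd.startswith("line ") else None
            if current:
                line_blocks[current] = []
            else:
                global_cmds.append(cmd)
        elif current:                           # indented under a "line" block
            line_blocks[current].append(cmd)
    return global_cmds, line_blocks


def audit(text):
    """Return the SR.01-PS-111 Network Devices items (letters) that fail.

    Items f) default passwords and l) algorithm strength need knowledge the
    configuration text alone does not give, so they are not checked here.
    """
    cmds, lines = split_config(text)
    subs = [s for block in lines.values() for s in block]
    consoles = [b for hdr, b in lines.items() if hdr.startswith("line con")]
    vtys = [b for hdr, b in lines.items() if hdr.startswith("line vty")]

    def has(prefix):
        return any(c.startswith(prefix) for c in cmds)

    checks = {
        "a": has("enable secret") and not has("enable password"),
        "b": has("service password-encryption"),
        # c) every console line demands a login, no line password kept in clear
        "c": (all(any(s.startswith("login") for s in b) for b in consoles)
              and not any(re.fullmatch(r"password (?!\d+ )\S+", s) for s in subs)),
        "d": has("logging "),
        # e) IOS defaults to a 10-minute timeout; only an explicit disable fails
        "e": not any(re.fullmatch(r"no exec-timeout|exec-timeout 0( 0)?", s)
                     for s in subs),
        "g": (has("aaa local authentication attempts max-fail")
              or has("login block-for")),
        # h) flag only the well-known default community names
        "h": not any(re.match(r"snmp-server community (public|private)\b", c)
                     for c in cmds),
        "i": has("banner login"),
        "j": not has("ip http server"),
        # k) management access over SSH only
        "k": all("transport input ssh" in b for b in vtys),
    }
    return sorted(item for item, ok in checks.items() if not ok)


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

The letters returned map back to items a) to k) of the Network Devices list, so a failing letter can be quoted directly in a hardening report.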

• SR.01-PS-112 VENDOR shall configure the controller such that it would accept configuration changes only from authorized workstations.

• SR.01-PS-113 Windows administrator level privileges shall not be provided to operators.

• SR.01-PS-114 Remote Diagnostic and configuration ports (if any) on devices shall be disabled unless requested and approved by CONTRACTOR in writing.

• SR.01-PS-115 Any unused network ports on switches, routers, firewalls, servers and workstations shall be disabled.

• SR.01-PS-116 Temporary user accounts used during commissioning and testing shall be removed at the end of the activity.

• SR.01-PS-117 The VENDOR shall recommend and implement methods to protect against unauthorized changes to the Basic Input/ Output System (BIOS).

• SR.01-PS-118 Where technically feasible the hardening policies and standards shall be enforced from a centralized policy source.


• SR.01-PS-119 The VENDOR shall provide the means to physically secure the Manual Control Override switches and keys.

• SR.01-PS-120 Maintenance Laptops and handheld devices shall be hardened and installed with all applicable security controls mentioned in this specification such as anti-virus, removable media control, patch updates, network monitoring etc.

3.2.4 Configuration management

• SR.01-PS-121 The VENDOR shall configure an alarm to the operator when the operating mode of the controller is changed.

• SR.01-PS-122 A file integrity monitoring solution shall be implemented to track changes to the integrity of the controller / PLC and of critical folders and files, and to raise alarms to the operator.

• SR.01-PS-123 Controller / PLC code shall be secured through a cryptographic mechanism.

• SR.01-PS-124 The VENDOR shall ensure that the installed operating system version is not out of support or not announced by the OEM to be out of support or end of life within 5 years at the time of engineering / design freeze.

• SR.01-PS-125 The latest supported version of all solutions must be considered.

• SR.01-PS-126 The VENDOR shall recommend and provide any critical spares that are needed for the project.

• SR.01-PS-127 The VENDOR shall consider and implement any firmware upgrade needed for the effective implementation of cyber security solutions.

• SR.01-PS-128 All workstations and servers shall support multiple Network Interface Cards (NIC) and network teaming.

• SR.01-PS-129 Infrastructure Redundancy Requirements:

o Redundant servers shall be provided for Active Directory (AD) infrastructure;

o Redundancy shall be provided for all firewalls and switches in the network;

o Servers performing the following functionality shall NOT be clubbed with other systems unless the technical limitation is approved by the COMPANY: Anti-Virus, Patch Management, Log Management and Active Directory.

3.2.5 Event management

• SR.01-PS-130 VENDOR shall provide a communication channel to CONTRACTOR to report security incidents, problems and remediation requests to the OT System OEM and to the CONTRACTOR. This shall include contact details of any existing technical call centre for reporting cyber security incidents.

3.2.6 Patch Management

3.2.6.1 System Patch Management

• SR.01-PS-131 The VENDOR shall supply and implement a centralized patch management solution capable of deployment of Microsoft, Linux, Third party software (such as Adobe, Java, Flash etc.) and virtualized platform related patches.


• SR.01-PS-132 The VENDOR shall deploy patches to the OT nodes in an offline or online mode.

• SR.01-PS-133 The patch management server shall have sufficient capacity and storage space as recommended by the system OEM and considering the growth requirements of at least 5 years.

• SR.01-PS-134 VENDOR shall provide method statement for performing online / offline patch deployment and roll back.

• SR.01-PS-135 VENDOR shall ensure that the operating system and applications are patched to current OEM approved patch level before commissioning.

• SR.01-PS-136 The VENDOR shall provide during the period of the contract, the OT System OEM approved patch qualification list as and when released by the OEM. Access shall be provided on any OEM portal that contains the approved patch list and published vulnerabilities.

• SR.01-PS-137 OT system OEM shall be responsible to test all applicable security patches that are released by the manufacturer of the OS. The OT System OEM and VENDOR shall ensure that there are no adverse effects on operations and safety due to the installation of the patches.

• SR.01-PS-138 Prior to installation of patches VENDOR shall take a complete backup of the OT system.

• SR.01-PS-139 Groups shall be created on the patch management solution to ensure that the approved patches are deployed on a sample set of designated nodes prior to deployment of patches to all nodes.

• SR.01-PS-140 Remote patching and update solutions shall be designed by taking into consideration a data diode at the perimeter of the OT Network and shall align with ADNOC OT Cyber Security Network Reference Architecture.

• SR.01-PS-141 Patch Management solution should have the following reporting capabilities:

o A web-based reporting module.

o Allow administrators to create and save graphical reports (e.g. pie, bar, line charts).

o Allow administrators to create filters to include or exclude certain categories of information from the reports.

o Ability to export reports in various formats such as csv, pdf, MS word etc.

o The solution should have the capability to generate the following reports:

a) Patch compliance status report;

b) Report on list of patches missing on a specific or group of machines;

c) Report on list of machines pending restart after patch installation;

d) Report on patch deployment status of a machine.

• SR.01-PS-142 The patch management solution shall have the capability to integrate with the SIEM solution implemented.

3.2.6.2 Firewall Patch Management

• SR.01-PS-143 Firewalls shall be implemented to comply with the requirements of ADNOC OT Cyber Security Network Reference Architecture.


• SR.01-PS-144 The data sheet, make and model of the firewalls along with the firewall design shall be endorsed by the CONTRACTOR.

• SR.01-PS-145 The proposed firewall shall not cause degradation and latency to the OT network outside the prescribed performance requirements as defined in the project specific specification.

• SR.01-PS-146 The proposed firewalls with IPS capability shall be tested and approved by the OT system OEM.

• SR.01-PS-147 Network communications between two or more zones (Level 2 and above) shall pass through a Firewall.

• SR.01-PS-148 Networks used to connect Level 1 and Level 2 functions shall use physically separate network switches and routers from networks at Level 3.5 and above.

• SR.01-PS-149 All firewalls implemented shall be redundant in high availability mode without any single point of failure.

• SR.01-PS-150 Hardware segregation is required if the vendor solution supports the same for PCN & OT networks. Process control firewalls that understand control system protocols such as Modbus over IP, OPC, DNP3, etc., shall be implemented at the interface points between the Integrated Control and Safety System (ICSS) and any integrated third-party systems. The positioning of process control firewalls, their configuration, and any deviations shall be discussed with the CONTRACTOR prior to finalization.

• SR.01-PS-151 OPC aware industrial firewalls shall be used for OPC connections. Distributed Component Object Model (DCOM) related traffic used for OPC / PI system communication shall be restricted to a single defined port using compatible OPC enforcement solutions and firewalls. VENDOR shall provide detailed information on all communications (including protocols) required through the firewall, whether inbound or outbound, and identify each network device initiating a communication and shall configure the corresponding firewall rules.

• SR.01-PS-152 All rules applied to the firewalls which are not required after commissioning shall be removed prior to handover.

• SR.01-PS-153 A management software for centralized monitoring, configuration and update of all the firewalls of similar brands supplied as part of the project shall be proposed and implemented.

• SR.01-PS-154 The VENDOR shall analyze the current network traffic and propose the firewall model with the required throughput and functionality requirements. Additional 30% spare capacity shall be considered for the firewall throughput.

3.2.7 Backup and Restore

• SR.01-PS-155 VENDOR shall provide a detailed procedure for taking backup and for restoration of OT System components, which shall include but not be limited to:

o Operating system files;

o Applications (including middleware);

o Configuration data;

o Database;


o Network Configurations;

o Log files;

o Active Directory;

o Files, Configuration, folders, database and parameters identified by the OT OEM, required to create a complete backup and to enable restoration of the OT system;

o System Image Backup.

3.2.8 Asset inventory

• SR.01-PS-156 Asset Inventory shall be provided by VENDOR in Excel format and shall contain, but not be limited to, the following fields.

For Infrastructure Assets:

o Asset-ID

o Device Label

o Device Name

o Asset Type (Hardware / Software)

o Asset Category (Server, Switch, Firewall, Workstation, Laptop etc.)

o Device Type (Physical / Virtual)

o Related System Name (DCS/ F&G etc.)

o IP Address

o VLAN

o MAC Address

o Environment (Production / Test / Development)

o OEM Name

o Supplier Name

o Device Make & Model

o Serial Number

o OS Name

o Database Name

o Database Version

o Device Location

o Site Location

o Cabinet Name

o No of Licenses


o License Start Date

o License End Date

o Warranty End Date

o End of Life Date

o End of Support Date

For Controller / PLC Assets:

o Asset ID

o Controller Name

o Controller Description

o Related to Which System (DCS / F&G Third Party System)

o OEM Name

o Location

o Cabinet Name

o Role (Primary / Backup /NA)

• SR.01-PS-157 VENDOR shall be responsible for providing an inventory of all Hardware and Software components in the supplied OT systems in scope.

• SR.01-PS-158 VENDOR shall be responsible for providing the Inventory in the format and template as provided by the COMPANY.

• SR.01-PS-159 A solution for automated passive discovery of hardware and software assets of the OT Network from Level 1 to Level 3.5 shall be implemented. The solution shall also be capable of detecting unauthorized / unapproved devices to the OT Network.

• SR.01-PS-160 VENDOR shall provide a detailed list of devices involved in the supplied architecture. This list should include, but not be limited to, computing devices (e.g., controllers, servers, engineering consoles), network devices (e.g., network switches, network routers), security network devices (e.g., network firewalls), storage devices (e.g., NAS), dongles and installation media along with license keys.

• SR.01-PS-161 For each computing device, the asset inventory must include network configuration and a list of applications installed in it and user credentials.

• SR.01-PS-162 Credentials are sensitive information and cannot be reported in documents but shall be communicated in a secure way to be agreed with the CONTRACTOR.

• SR.01-PS-163 VENDOR is responsible for maintaining this information and keeping CONTRACTOR aligned all along project life cycle upon change.

• SR.01-PS-164 The Asset Inventory format shall comply with the one that will be specified by the CONTRACTOR.

• SR.01-PS-165 VENDOR shall adhere to naming convention defined by CONTRACTOR prior to assigning tag names and host names to any device supplied.
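A pre-submission check of an asset inventory export, as an added example that is not part of the specification: it verifies the infrastructure-asset columns of SR.01-PS-156, flags credential columns that SR.01-PS-162 keeps out of documents, and flags End of Support dates inside the 5-year window of SR.01-PS-124. The CSV export of the Excel sheet, the ISO date format, the sample rows, the design-freeze date and all function names are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
import re
from datetime import date

# Column names copied from the "For Infrastructure Assets" list in SR.01-PS-156.
REQUIRED_FIELDS = [
    "Asset-ID", "Device Label", "Device Name", "Asset Type", "Asset Category",
    "Device Type", "Related System Name", "IP Address", "VLAN", "MAC Address",
    "Environment", "OEM Name", "Supplier Name", "Device Make & Model",
    "Serial Number", "OS Name", "Database Name", "Database Version",
    "Device Location", "Site Location", "Cabinet Name", "No of Licenses",
    "License Start Date", "License End Date", "Warranty End Date",
    "End of Life Date", "End of Support Date",
]
# Value sets the specification gives in parentheses after the field name.
ENUMS = {"Asset Type": {"Hardware", "Software"}, "Device Type": {"Physical", "Virtual"},
         "Environment": {"Production", "Test", "Development"}}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
# Assumption: headers with these words hold credentials (barred by SR.01-PS-162).
CREDENTIAL_RE = re.compile(r"password|passwd|credential|passphrase", re.I)
SUPPORT_WINDOW_YEARS = 5  # SR.01-PS-124


def add_years(d, years):
    """Shift a date by whole years, mapping 29 Feb to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def cell(row, name):
    return (row.get(name) or "").strip()


def check_inventory(csv_text, design_freeze):
    """Return a sorted list of (asset_id, finding) tuples for one CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = reader.fieldnames or []
    findings = [("*", f"missing column: {n}") for n in REQUIRED_FIELDS if n not in headers]
    findings += [("*", f"credential column present: {n}")
                 for n in headers if CREDENTIAL_RE.search(n)]
    seen = {"Asset-ID": {}, "IP Address": {}, "MAC Address": {}}
    cutoff = add_years(design_freeze, SUPPORT_WINDOW_YEARS)
    for row in reader:
        aid = cell(row, "Asset-ID") or "<no id>"
        for field, allowed in ENUMS.items():
            if cell(row, field) not in allowed:
                findings.append((aid, f"{field}: unexpected value {cell(row, field)!r}"))
        ip, mac = cell(row, "IP Address"), cell(row, "MAC Address")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append((aid, f"IP Address: invalid {ip!r}"))
        if not MAC_RE.match(mac):
            findings.append((aid, f"MAC Address: invalid {mac!r}"))
        for field, index in seen.items():       # same ID / IP / MAC on two rows
            key = cell(row, field).lower()
            if key in index:
                findings.append((aid, f"{field}: duplicate of {index[key]}"))
            elif key:
                index[key] = aid
        eos = cell(row, "End of Support Date")
        try:
            if date.fromisoformat(eos) < cutoff:
                findings.append((aid, f"End of Support Date {eos} is before {cutoff}"))
        except ValueError:
            findings.append((aid, f"End of Support Date: not an ISO date {eos!r}"))
    return sorted(findings)


def sample_inventory():
    """Constructed sample export: one clean row and two with deliberate defects."""
    base = dict.fromkeys(REQUIRED_FIELDS, "n/a")
    base.update({"Asset Type": "Hardware", "Device Type": "Physical",
                 "Environment": "Production", "End of Support Date": "2035-12-31"})
    rows = [
        {**base, "Asset-ID": "A-001", "IP Address": "10.10.1.5",
         "MAC Address": "00:11:22:33:44:55"},
        {**base, "Asset-ID": "A-002", "IP Address": "10.10.1.5",
         "MAC Address": "00:11:22:33:44:56", "End of Support Date": "2027-06-30"},
        {**base, "Asset-ID": "A-003", "IP Address": "10.10.1.300",
         "MAC Address": "00:11:22:33:44:57", "Device Type": "Cloud"},
    ]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=REQUIRED_FIELDS + ["Admin Password"])
    writer.writeheader()
    for r in rows:
        writer.writerow({**r, "Admin Password": "REDACTED"})
    return out.getvalue()


if __name__ == "__main__":
    for asset, finding in check_inventory(sample_inventory(), date(2025, 6, 1)):
        print(asset, finding)
```

Findings keyed `*` concern the sheet as a whole (missing or forbidden columns); the others name the Asset-ID of the offending row.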


4.0 DELIVERABLES

VENDOR is requested to supply the following documentation organized by requirements type.

4.1 Design Deliverables

| ID | Title | Description | Required by |
|---|---|---|---|
| CSVD-01 | Cybersecurity Functional Design Specification | It covers all architectural design considerations related to cybersecurity that are supposed not to change after completion, and till handover. This shall include the following information: Overall description of the architecture with no drawings (they go in a dedicated deliverable); Hardening Design (physical and logical protection); Security Event Logging Design; IP Addressing Plan (as received from CONTRACTOR); Wireless Availability Study and Design; Remote Access Design for Maintenance and Diagnostic; Logical Access Design (roles and permissions); Malware Protection Design; Patch Management Design; Backup Design; List of Technical Deviation to the POLICY with related mitigation measures; License shall be valid for at least 3 years after commissioning. | 1 month prior Cyber FAT |


| ID | Title | Description | Required by |
|---|---|---|---|
| CSVD-02 | Architecture Drawings | Logical architecture, hardware diagram and its connectivity diagram with make and model of the devices with native vision file are required. The project format for drawings is AutoCAD and shall include the following views: Low Level Design / Logical Service View (LLD-LSV): block diagram that represents all SYSTEM components with their interactions in terms of TCP/IP protocols; Low Level Design / Logical Network View (LLD-LNV): network diagram that shows all SYSTEM components either virtual or physical connected to their relating VLANs (IP address level); Low Level Design / Physical Network View (LLD-PNV): network diagram that shows all SYSTEM components with their physical connection to network devices (RJ45 port level); Low Level Design / Physical Urbanistic View (LLD-PUV): diagram that shows the cabinets layout and their spatial organization such as location and plot plan. | LLD-LSV: 1 month prior Cyber FAT. LLD-LNV, LLD-PNV and LLD-PUV: 2 months prior Cyber SAT |
| CSVD-03 | Asset Inventory | It shall be based on CONTRACTOR template (Microsoft Excel or Web Form) and include the following information organized in the following tables: Table 01 - List of SYSTEM supplied; Table 02 - List of ASSET (components) by SYSTEM; Table 03 - List of NETWORK by ASSET; Table 04 - List of NETWORK SERVICE used and related justification by ASSET; Table 05 - List of SOFTWARE installed by ASSET; Table 06 - List of SERVICES running by ASSET; Table 07 - List of FIREWALL rules by ASSET; Table 08 - List of COMMUNICATION by ASSET; Table 09 - List of Anti-Virus exception rules by ASSET; Table 10 - List of OS security settings; Table 11 - Files system permission by ASSET, FOLDER; Table 12 - List of Installation Media, dongle, and license key. | 1 month prior Cyber FAT |

 All documents should be updated on change or annually as minimum to ensure they are ready for handover

in their “as built” version.


4.2 Assurance Deliverables

ID: CSVD-04

Title: Cyber FAT Testing Procedure

Description: It describes the testing strategy and the step-by-step procedure to test compliance with the POLICY and consistency with the Cybersecurity Functional Design Specification [CSVD-01].

Required by: 1 month prior Cyber FAT

ID: CSVD-05

Title: Cyber I-FAT Testing Procedure

Description: It describes the testing strategy and the step-by-step procedure to test compliance with the POLICY and consistency with the Cybersecurity Functional Design Specification [CSVD-01] with reference to integration with external systems.

Required by: 1 month prior Cyber I-FAT

ID: CSVD-06

Title: Cyber SAT Testing Procedure

Description: It describes the testing strategy and the step-by-step procedure to test compliance with the POLICY and consistency with the Cybersecurity Functional Design Specification [CSVD-01] within the production / target environment.

Required by: 1 month prior Cyber SAT

ID: CSVD-07

Title: Cyber FAT Test Report

Description: It reports the list of findings / non-compliances identified during the testing session and the remediation strategy and schedule.

Required by: 1 week after Cyber FAT

ID: CSVD-08

Title: Cyber I-FAT Test Report

Description: It reports the list of findings / non-compliances identified during the testing session and the remediation strategy and schedule.

Required by: 1 week after Cyber I-FAT

ID: CSVD-09

Title: Cyber SAT Test Report

Description: It reports the list of findings / non-compliances identified during the testing session and the remediation strategy and schedule.

Required by: 1 week after Cyber SAT

In addition to the documents listed above, CONTRACTOR is responsible for conducting the risk analysis and developing the related report. Despite not being directly responsible, VENDOR is required to contribute to the development of this document as well.


4.3 Maintenance and Handover Deliverables

Maintenance documentation shall be identified with the definition of the relevant roles and responsibilities between parties involved in the PROJECT.

ID: CSVD-10

Title: Anti-virus Policy and Operation Procedure

Description: It shall describe the policy for applying Anti-virus signatures and how to operate the Anti-virus management. It shall include the following as a minimum:

  • Anti-virus updating strategy and policy.

  • how to update the antivirus signature and scanning agents.

  • how to maintain the scanning exception.

  • how to inspect and clear the notification logs (detection operations).

  • how to operate the local software firewall, if applicable.

Required by: 3 months prior to handover

ID: CSVD-11

Title: Patch Management Policy and Operation Procedure

Description: It shall describe the policy for applying security patches and how to operate patch deployment. The patch management policy shall be reviewed annually to address new threats and vulnerabilities. It shall include the following as a minimum:

Required by: 2 months prior to Cyber SAT

ID: CSVD-12

Title: Backup and Restore Policy and Operation Procedure

Description:

  • Instructions on how to make a full back-up of each SII system using at least one of the following methods:

      o Using removable media;

      o Distributed architecture in which each backup system backs-up a subset;

      o Centralized architecture using one back-up system.

  • Instruction on the back-up type of data:

      o Machine Image;

      o Operating System;

      o Archive and historical data;

      o Application program;

      o Any other specific software;

      o Network components configuration and settings (routers, switches, firewalls).

  • Instructions on how to restore the SII or its components to a normal operation.

Required by: 2 months prior to Cyber SAT


ID: CSVD-13

Title: Installation and Procedure

Description: It shall describe how to install the SYSTEM from scratch using the software media or any other required methodology. This would be required in case the backup is unavailable for any reason or is not consistent.

Required by: 1 month prior Handover

ID: CSVD-14

Title: Start-up / Shut Down Procedure

Description: For some systems it is very important to respect a specific sequence when starting up the various components, in order to get a consistent and fully operational system. The same applies to the shut down sequence. This procedure will be used every time it is necessary to shut down the system for power maintenance or shut down testing. This documentation should also specify the possible risk that an abrupt shut down of the SYSTEM could incur.

Required by: 1 month prior to the system being shipped to SITE

ID: CSVD-15

Title: Incident Response Plan

Description: It shall describe the VENDOR organization and the strategy to cope with incidents that could occur in the SYSTEM.

Required by: 1 month prior to the system being shipped to SITE

ID: CSVD-16

Title: Disaster Recovery Plan

Description: It shall describe the strategy to keep the defined RTO and RPO for every SYSTEM component. The effectiveness of the Disaster Recovery Plan shall be tested at least once throughout the PROJECT.

Required by: 3 months prior Handover

5.0 NON-COMPLIANCE MANAGEMENT PROCESS

Management of non-compliances against the POLICY is the responsibility of CONTRACTOR, who collects and processes any detected non-compliance.

5.1 Non-Compliance Detection

Non-compliances against the POLICY relating to design and documentation requirements are usually detected in a structured way, during assurance testing sessions (Cyber FAT, Cyber I-FAT, Cyber SAT), while those relating to maintenance requirements can be detected throughout the PROJECT lifecycle and during the maintenance phase, prior to handover. Non-compliances detected at the design level therefore usually concern incompleteness or inconsistency of documentation, architectural design or improper configuration provided by VENDOR. Non-compliances relating to maintenance practices concern VENDOR behavior: a violation of a cyber hygiene practice, such as improper patch management or a change performed without the proper authorization.

  • A non-compliance can be detected by CONTRACTOR, COMPANY, VENDOR (auto-declaration) or any other VENDOR involved in the PROJECT.

5.2 Non-Compliance Response

Once detected, a non-compliance to the POLICY is addressed depending on the type of requirements, as follows.

Foundational Requirements

The following applies to deviations from the foundational requirements of the POLICY.


  • VENDOR shall propose a change plan to address full compliance.

  • Deviations that cannot be remediated shall follow the technical deviation process. In this case VENDOR shall submit the deviation to CONTRACTOR by means of the Technical Deviation Form.

  • Every Technical Deviation Form shall duly specify the compensation measures and shall be approved by CONTRACTOR and COMPANY prior to implementation.

  • Any modification to the SYSTEM shall follow the PROJECT change management process and be reflected in the “as-built” documentation.

  • Any integration activities are suspended until resolution.

  • In case of a pending deviation that is not resolved, CONTRACTOR could suspend invoice payment, and VENDOR is followed up until resolution.

5.3 Security Program Requirements

The following applies to deviations from the security program requirements of the POLICY.

  • VENDOR shall provide cybersecurity certificates, supplied by third parties, that could justify the deviation.

  • VENDOR is to be submitted to a cybersecurity assessment process to get full compliance with the assurance requirements.

  • Deviations that cannot be justified shall be explicitly addressed by the technical deviation process, to explain why the SYSTEM would not be submitted to the standard assurance process, along with the related mitigation measures.

  • CONTRACTOR creates a dedicated punch / ticket in the completion system and VENDOR is formally asked to address the non-compliance with a dedicated plan.

  • Depending on the severity of the deviation, CONTRACTOR could suspend VENDOR from operations and even apply seizure of material involved in the maintenance activity (e.g., Maintenance Laptop).

  • Deviations that cannot be remediated shall follow the technical deviation process. In this case VENDOR shall submit the deviation to CONTRACTOR by means of the Technical Deviation Form.

  • In case of a pending deviation that is not resolved, CONTRACTOR could suspend invoice payment, and VENDOR is followed up until resolution.


6.0 APPENDICES

6.1 Appendix 1 – Preferred Technology Manufacturers

VENDOR shall comply with the preferred list of technology manufacturers.

Hardware

| ID | Supply Item | Applicable to | Mounting Type | Approved Manufacturer/s |
|---|---|---|---|---|
| HW-01 | Servers | From Level 3.5 below | Rack mounted | HP, DELL |
| HW-02 | Workstations | From Level 3.5 below | Rack mounted | HP, DELL |
| HW-03 | Laptops | From Level 3.5 below | Standard | HP, DELL |
| HW-04 | Laptops | Level 1 / Field | Ruggedized | GETAC |
| HW-05 | Network Switches | From Level 3.5 below | Rack mounted | CISCO, BELDEN, HIRSCHMANN |
| HW-06 | Network Firewall | From Level 2 to Level 3.5 | Rack mounted | CISCO, FORTINET, Palo Alto |
| HW-07 | Network Firewall | From Level 1 to Level 2 | DIN | TOFINO, CISCO |
| HW-08 | Intrusion Detection | From Level 1 to Level 3 | DIN, Rack mounted | Nozomi Networks, Claroty, Dragos, etc. |
| HW-09 | Quarantine Workstation | From Level 2 above | Kiosk | KUB |


Software

| ID | Supply Item | Applicable to | Approved Manufacturer/s | Approved Product/s |
|---|---|---|---|---|
| SW-01 | Operating System | From Level 3 above | Microsoft | Server, Windows 11 and above |
| SW-02 | Operating System | Level 2 | Microsoft | Windows IOT |
| SW-02 | Endpoint Security | Any | Trellix | Trellix ePO |
| SW-03 | Patch Management | Any | Microsoft | Windows Server Update Services (WSUS) |
| SW-04 | Backup Management | Any | Any | Any |
| SW-05 | Network Monitoring | Any | Ipswitch | WhatsUp Gold |


6.2 Appendix 2: Plant Reference Architecture

Figure 1 – PLANT Reference Architecture
