On line Thermal Performance Monitoring System. Annexure B1. IEC IT Compliance & Cyber Security Requirements

Transcription

1 POWER & ENERGY GROUP GENERATION DEVISION MONITOR & DIAGNOSTICS CENTER On line Thermal Performance Monitoring System Annexure B1 IT Compliance & Cyber Security Requirements Approved by: Name / Signature D. Zahor Page 1 out of 8

2 TABLE OF CONTENTS 1.0 Purchaser Hardware and Software Infrastructure Compliance 1.1 General 1.2 Central Hardware, Operating Systems and Databases 1.3 End User Equipment 1.4 Software and Development Tools 1.5 Program Licensing Mechanism 1.6 Communication and Integration 1.7 Method of Information Management 2.0 Cyber Security requirements Page 2 out of 8

3 Purchaser Hardware and Software Infrastructure Compliance General This chapter describes the technological requirements of the system. Compatibility with purchaser's existing infrastructure The proposed equipment configuration, required for operating the system, shall be based on purchaser's existing infrastructure as detailed bellow Compatibility with purchaser's future infrastructure All infrastructure software is sometimes upgraded. The purchaser expects the product to maintain update compatibility with future infrastructure and O.S versions. Technology The system shall be fully available to the end user via a single web application layer. The system shall be enabled for virtual infrastructure of VMWare. In addition, if the system has elastic capacity, it shall have dynamic growth capability in the infrastructural level of the cloud tools. The system need to be with a unified management interface to all parts of the solution that is required. If there is a connection between several modules / processes / components, ensure suitability for a unified management interface. The user interface must be friendly, intuitive and comfortable in all types of end user stations (fixed and mobile computers, tablets, etc.). The solution shall include online help system (Help) that will show at any time professional assistance required by the system customers (User Guide). The API requirements are using web service technology, supporting Microsoft edge (explorer). The interface shall be optimized for different roles. The interface required to be adjusted according to the position profile. For example, the worker / operator will see on his monitor only the screens and information (type of information) relevant to his position. The work of managers and implementers shall be done by the application without requiring the assistance of software developer or the vendor help (formulas and new reports or views). The contractor undertakes to comply with all the requirements, regulations and procedures of the purchaser in the context of information security. The system is required to apply the mechanism of automatic user identification with Active Directory. Central Hardware, Operating Systems and Databases The contractor will define the hardware, operating systems and database requirements for relevant components, such as: Page 3 out of 8

4 Application Server SBC Server (Citrix) WEB Server Database Server (SQL etc.) Operating Systems (windows server 2012, 2016 etc.) Database Type Citrix Software environment compatibility. VMware environment compatibility. The standard platforms in the purchaser are: Application Server INTEL based WINDOWS 2012, 2016 servers. The purchaser intends to upgrade the operating system to last WINDOWS server O.S.. The contractor shall commit to provide continued support for this version in the future. SBC Server (Citrix) The product will support SBC (Software Based Computer) configuration in the following manner: INTEL based WINDOWS 2012 last version 64 bit, or later. Citrix ps4 32 and 64 bit, and Citrix bit, Citrix xenserver, HP Hyper converge servers tech. WEB Server Microsoft Windows servers 2012/2016 RS IIS Database Server MS SQL Server database on INTEL based WINDOWS Databases The standard databases in the purchaser are MS SQL Server 2012 and up. End User Equipment End user equipment used in the proposed system is required to be based on personal computers (physical and Virtual Machine - V.M.): The required operating system is Windows 10 PC computers with an INTEL CPU or VMware based. Software and Development Tools The system will include: Internal development tools facilitating customization of the system in the purchaser without touching the program's core. Data Extraction tools for transferring data to another system. API Application Program Interface. A library collection of functions facilitating built-in functionality which can be performed without the Page 4 out of 8

5 programs user interface. Compatibility with OSI Software API(to PI servers). Importing data to the system in the following formats: EXCEL, ASCII, and XML, PI software tags using API. Program Licensing Mechanism The program's licensing mechanism will facilitate working with the system without necessitating an open internet connection. License Management Communication and Integration Communication The purchaser network is based on L3 switches connected through private fibers using OSPF routing protocol, and Firewalls. Method of Information Management The engineering data (the item, its properties and the diagrams) will be stored in a single database so that there will not be any redundancy of engineering data. All the engineering data (the item, its properties and the diagrams) will be part of the proposed system's database. Cyber Security requirements General Any system designed according to the principles of this document is subject to the consent of the customer and the regulator Israel National Cyber Directorate, The regulator for systems' security. Exceptions shall be approved only by the regulator. Contractor shall reference all sections. Each reference at each section shall include detailed explanation of the offered pertinent solution and an indication "comply/ not comply". A note shall be added at each section if the contractor regards it as irrelevant or any other reason. The contractor shall submit a detailed components diagram (hardware, software and network) for approval by the purchaser. Topology The system shall not be connected directly to critical systems of the organization; such as SCADA/DCS. Out-of-Band dedicated segment shall be set up for the management of the system components. Management linking shall be accomplished via physical or logical network separation from the SCADA/DCS. Files and print sharing inside the network shall be done via a central server only. Page 5 out of 8

6 The system shall be compliant with micro-segmentation systems, such as VMware, NSX Security measures A central mechanism for documenting the system components and their configuration monitoring, shall be applied. Identification Every user and component in the system shall be identified uniquely. The personal identification data or the system identification verification array shall be dedicated to the system only. User identification shall be accomplished by two of the following options: Physical component (Something You Have), Password (Something You Know), Biometrics (Something You Are). Identification data shall be encrypted (static and dynamic). Password characters shall be concealed while being typed. Activity at a system operating station shall require re-identification after 30 minutes of idle period, except on stations with a full time operator in attendance. Access to management functions of a system component shall need reidentification after 10 minutes of idle period. A user account shall be locked after five (5) failed identification attempts. Default accounts shall be deleted, neutralized or renamed to names which conceal their role. Alerts shall be issued on failed identification attempts to these accounts. In Non-interactive identification (no personal user, such as service) alert shall be issued on a component's failed identification attempt (from first attempt). The identification shall be via digital certificate. If the component does not support the use of a certificate, the identification shall be via a long and complex password. Authorization Authorizations in the system shall be granted according to needs only (least privilege), including authorization to accounts used to run services / application interfaces. A mechanism for authorization management according to groups or roles - shall be incorporated. Configuration Control All the components shall be dedicated to be used only in the system. "Backdoors" (such as hard coded passwords) shall be deleted or neutralized. Sensitive data shall be filtered from messages to the user; such as versions, manufacturers' names, error messages containing identification of system components etc. Page 6 out of 8

7 Vendor's critical updates (for software, hardware and virtual components) shall be installed on all system components. Networks linking Maintenance links, when applicable: Remote linking for supplier maintenance or support shall require advance approval by the regulator. Remote linking shall be disconnected during routine operation, and connected only for maintenance/support. The maintenance/support shall be done from a dedicated computer or by dedicated means (DoK) which shall be supplied by the system owner (the customer). During the maintenance period, network access to the maintenance computer shall be blocked; and specifically access from the Internet or from the organization network shall be blocked. Two identification means (two factor) shall be used for remote maintenance/support. At least one identification factor shall be saved solely at the system owner s site; and delivered to the service provider only during required maintenance action. A traffic encryption mechanism shall be implemented. The encryption key shall be at least 256 bits long. A known and approved protocol/algorithm shall be used. The maintenance shall be done from a server which implements server based computing; hardened, monitored and dedicated for maintenance/support. The server shall be located in a different segment of the system network. The maintenance activity shall be recorded and saved for a period of at least six (6) months. The maintenance traffic shall be fully recorded (full packet capture) and saved for a period of at least six (6) months. The server shall contain only the programs which are needed for the maintenance tasks. Access control shall be implemented in order to confine access of the service provider to the systems under its responsibility. Remote linking shall be disconnected after fifteen (15) consecutive minutes of idle period. The maintenance server shall shutdown and reset at the end of the maintenance/support activity. The authorizations of the remote service provider shall not exceed the authorizations granted to him/her on local access. Remote maintenance/support concurrent access to several systems or working environments shall not be allowed. Import of files to the system shall be done on separate channels. The files shall be checked ('sanitized') beforehand on a dedicated server against malicious code. Page 7 out of 8

8 Control, Monitoring and Indication The events and activities, including on the external links, shall be documented/recorded. Each record shall include at least the following information: date, hour, type of event, source address, destination address, user identity, event details. Servers and End-stations The number of stations via which a user can access the system shall be limited, according to the system needs; e.g. via dedicated station, only one access from several possible stations, concurrent access from several stations limited to authorized stations. An alert message shall be defined, which will pop up on the access screen of the user warning against attempts to execute unauthorized actions. The name of the last logged-on user shall be hidden. Any user account for running services (services, processes) shall be limited to log-in only as a service; and only on the server on which it is defined (Non Interactive Login). As a rule, services shall run only under dedicated user account with the appropriate authorizations. In case it is impossible, services may run under a local system account (such as Local Admin). A screen saver shall be used. The screen saver shall be password protected and activated after idle period. Applications Prior to installation the code shall be checked against weaknesses or malicious code which might breach security. The testing shall be done by commercially available cyber security tools. A detailed test report shall be prepared prior to installation on the system. The application shall undergo robustness testing in order to detect vulnerabilities and potential attack routes. Development tools, enablers and capabilities which are not required on the operational system shall be removed. Identifying data shall not be hard coded or reside in the configuration files of the application. Management of users and resources shall be done by central libraries, such as Active Directory. Internal application libraries shall be avoided. Management activities shall be done from dedicated applications or functionality which is accessible only to users with management authorizations and from dedicated stations. If possible, the management interface shall be installed on a separate management server. Error messages shall not reveal details which might assist attackers of the system. Page 8 out of 8