API St 1164-2009 pdf free download

API St 1164-2009 pdf free download.Pipeline SCADA Security.
3.7 Operating System and Application Updates Due to system complexities, operating systems and application software are not inherently secure. In addition, the constant evolution of the computing and networking environment continually reveals new vulnerabilities. To address this issue, vendors publish hot fixes, service packs, and application updates. It is often necessary to apply software hot fixes and updates to maintain system stability and security, but the risk of applying patches and updates to real- time systems should always be weighed against the risk posed by the present vulnerabilities. Operational and SCADA security concerns require that certain precautions be taken when applying software modifications: — install only SCADA vendor approved software; — any update should be certified by the SCADA vendor before being applied to the SCADA system; — updates should be analyzed for applicability in your environment; — if possible, documented installation procedures for updates should be obtained from the SCADA vendor; — updates should never be applied directly from the internet; — an offline test environment should be utilized to test updates before being applied to a production environment; — applicable functionality testing should be performed before modified system builds are moved into production environments; — once system modifications are complete, a security compliance checklist should be reviewed to ensure the SCADA system still complies with the operator’s security policies. For the purpose of this document, operators who develop and maintain SCADA systems in-house are considered a SCADA vendor. These procedures should be performed in accordance with the operator’s change management plan.
3.8 Application and Software Restrictions SCADA networks are designed primarily to support proprietary control systems using efficient protocols with low bandwidth requirements and limited tolerance for transmission delays. Since these networks are dispersed over wide geographical areas, with historically expensive wide area network (WAN) connections, they have often been designed with minimal bandwidth specifications. For this reason, the addition to the SCADA network of any additional protocols, applications, or communicating software packages should be approached with great care to preserve the unimpaired availability of the SCADA system. No additional protocols, applications, or software should be added to the SCADA networks that are not essential to pipeline operations or for the maintenance of the SCADA network infrastructure. Commercial business software and information services such as internet access should not be made available on the SCADA network. System event or alarm notifications using email type applications shall be outbound only with proper security applied. No software or application should be added to the SCADA network that could create unmonitored liability for copyright infringement or legally-defined offensive content. Any new protocol, application, or software proposed to be added to the SCADA network should be run in a test-bed or development environment to evaluate the potential for impairing the performance of the SCADA system, particularly with regard to bandwidth requirements, since modern servers and software packages can easily consume WAN capacity at the expense of critical SCADA traffic. 4 Physical Security Operators of critical transportation infrastructure shall take measures and controls to deny unauthorized persons access to control facilities. Some of the measures for good control room physical security are outlined under the following sections. For further information, please refer to API’s Security Guidelines for the Petroleum Industry.
The operator shall develop and maintain a security policy and associated procedures that require all personnel with access to the SCADA facilities to undergo periodic security reviews. The operator shall develop and maintain a security plan for operator-controlled utilities that supply the control center operation. These utilities include, but are not limited to, power distribution systems, uninterruptible power supplies (UPS), and power generation equipment. The operator shall develop and maintain a security plan for all operator-controlled SCADA network infrastructures. The operator should secure the access to all network and computing ports and deactivate any unused ports. The operator shall perform a risk assessment of all operator-controlled facilities where SCADA equipment resides and shall develop a process for controlling access to that equipment. The operator should consider installing intruder detection into unmanned sites such as valve sites, pump station, metering facilities, etc. Unauthorized personnel shall be escorted by authorized personnel when accessing SCADA facilities.