
PROJECTS & EQUIPMENT INTEGRATION SECTION
P.O.BOX 9001, ASHDOD 7710001, ISRAEL | ASHDODPORT.CO.IL
1202/10/04

Appendix Z – Cybersecurity Guidelines for E-RTG Cranes


INDEX

1. DEFINITIONS AND ABBREVIATIONS
2. GENERAL
   2.1. Background
   2.2. Introduction
   2.3. Appendix content
3. MILESTONES IN THE CYBER DEFENSE PROJECT
4. GENERAL REQUIREMENTS FOR CYBER PROTECTION
5. SPECIFIC REQUIREMENTS FOR CYBER PROTECTION
   5.1. Programmable controllers and equipment
        5.1.1. Hardening
        5.1.2. Identification
        5.1.3. Additional capabilities
   5.2. Control servers - SCADA, databases, HMI and engineering stations
   5.3. Separation between networks
   5.4. Segmentation
   5.5. Identification
   5.6. Authorizations
   5.7. Access management
   5.8. Wireless networks
   5.9. Connecting mobile devices
   5.10. Hardening
   5.11. Interfaces and communication components (switches, routers, etc.)
   5.12. Firewall in the control network
6. ADDITIONAL REQUIREMENTS
   6.1. Remote connection for maintenance needs outside the port
   6.2. Backups
   6.3. NA
   6.4. Manage changes and updates
   6.5. CDR
   6.6. Additional requirements for cyber components
   6.7. Monitoring and control
   6.8. Physical protection
7. SUPPLY CHAIN
   7.1. Delivery and storing the equipment
   8.1. Documentation
   8.2. Training
9. ATP/SAT AND UTILIZATION TESTS


1. Definitions and abbreviations

1.1. Logical security - all the actions required from the computer and control systems in order to create a protected cyber environment.
1.2. Information security - maintaining the confidentiality, integrity, reliability and availability of information.
1.3. Cyber threat – a natural event or human action with the potential to harm human life, the functioning of systems, the environment or an interest; a combination of intent and capability to attack cyberspace that has not yet been executed.
1.4. Unusual event - an unusual occurrence in the control systems.
1.5. Cyber incident – an occurrence that indicates a possible impairment of the proper operation of a cyber asset, where there is reason to believe it results from deliberate activity in cyberspace.
1.6. Weakness - a vulnerability in a computerized system, component or related procedure that can be exploited.
1.7. Cyber policy - a document describing the cyber protection principles of our organization.
1.8. System mapping - a mapping process carried out to learn and become familiar with the system, its configuration, interfaces, etc.
1.9. Industrial control system – a computer-based system that generates, monitors and controls processes within an industrial production system (ICS, SCADA, DCS, etc.).
1.10. Auxiliary system - a system complementary to the crane function process (not an integral part of the core process).
1.11. Peripheral system - a system that is not part of the crane function process and has no connection to it.
1.12. Critical site - a compound whose damage may affect the functional continuity of the facility.
1.13. Accessibility - the ability of an attacker to infiltrate a cyber asset.
1.14. Malware - malicious software installed on a computer without the user's knowledge that impairs its proper operation.
1.15. Residual risk - the risk that remains after risk control measures have been implemented.
1.16. Risk survey - mapping and assessing the level of risk from cyber threats to the organization arising from its systems and activity.
1.17. Impairment of availability - impairment of the ability to use the organization's systems.
1.18. Breach of confidentiality - disclosure of information that may cause harm by assisting in the planning of a cyber attack.
1.19. Damage to integrity - damage to information by change or deletion.
1.20. Cyber component - software or hardware in the control system whose function is to alert on, filter or prevent hostile / offensive / unwanted cyber activity on the control systems.
1.21. IT management network - the main computer network of the organization, in which information is managed.
1.22. OT operational network - a network that connects components based on industrial control.
1.23. Supply chain - maintenance and service activity of subcontractors who provide services.
1.24. Cyber plan - a main detailed plan describing the concept of protection throughout the life cycle.


Abbreviations:

AC - Application Control
AV - Antivirus
GUI - Graphical User Interface
HA - High Availability
IP - Internet Protocol
IT - Information Technology
LAN - Local Area Network
NAC - Network Access Control
KVM - Keyboard, Video and Mouse
PLC - Programmable Logic Controller
VLAN - Virtual LAN
WLAN - Wireless LAN
HMI - Human Machine Interface
SCADA - Supervisory Control and Data Acquisition
GPO - Group Policy Object
DMZ - Demilitarized Zone
NTP - Network Time Protocol
MAC - Media Access Control
FW - Firewall
DPI - Deep Packet Inspection
IDS - Intrusion Detection System
MFA - Multifactor Authentication
SAT - Site Acceptance Test
VPN - Virtual Private Network
CVE - Common Vulnerabilities and Exposures
UPS - Uninterruptible Power Supply
SIEM - Security Information and Event Management
AD - Active Directory


2. General

2.1. Background

2.1.1. Ashdod Port is preparing to purchase cranes with automation capabilities - remote control and automatic operation.
2.1.2. As part of the purchase, various control systems will be installed.
2.1.3. The control systems and all their components enable the day-to-day operation of the crane and are vulnerable to cyber attacks.
2.1.4. In order to protect the crane infrastructure in cyberspace, cyber protection solutions are required that enable the functional continuity of the crane's operation.

2.2. Introduction

2.2.1. This specification sets out the customer's requirements in the cyber aspects. The supplier must meet all professional and administrative requirements.
2.2.2. The protection requirements in this document are based on protection in layers ("Defense in Depth"), authorization based on "need to know", process separation ("Separation of Duties"), authentication by default, traffic control ("Flow Validation"), and filtering and CDR (content sanitization).
2.2.3. These requirements apply to all subsystems of the distributed systems.
2.2.4. The supplier is responsible for implementing all specification requirements, including issues that require integration with additional contractors, to ensure full compliance with the requirements of this document.

2.3. Appendix content

2.1.5. Defining the required cyber protection envelope and protection components for the crane control systems.
2.1.6. Shipping and storage - supply chain.
2.1.7. Documentation and training.
2.1.8. Performing ATP.


3. Milestones in the cyber defense project

Stages and the relevant project documents for each (under the responsibility of the tender awardee):

1. Initialization
   A. Introduction and review of the project and staff.
   B. Presenting challenges and risks (managerial risks in the realization of cyber protection).
   C. Procedure for maintaining the supply chain from the purchasing stage to delivery.

2. Initial planning
   A. Preliminary network design.
   B. List of components and quantities.
   C. Detailed challenges and risks.

3. Preliminary risk survey
   Conducting an initial risk survey.

4. Detailed plan
   A. Detailed design - detailed design layout of systems and configuration.
   B. Specifications of all components and list of interfaces.
   C. Up-to-date BOM list.
   D. Integration and interfaces with adjacent systems (communication, control, etc.).
   E. Risk management plan.

5. System acceptance test (SAT)

6. Service
   SLA - addressing suspicion of cyber incidents.


4. General requirements for cyber protection

4.1. The crane will be managed as a black box, with the same private IP addresses recurring from crane to crane of the same type.
4.2. The awardee will provide cyber protection coverage while addressing and complying with each of the clauses detailed below, to the customer's satisfaction.
4.3. The overall responsibility for supplying the defined systems and a configuration that meets the requirements and definitions rests with the supplier, also with respect to systems and components not manufactured by him.
4.4. The requirements detailed in this chapter are general requirements and the necessary minimum (baseline). Additional and/or different/specific requirements will be specified later.
4.5. In implementing the cyber protection components, the tools accepted by the customer, which are listed later in the chapter, will be used, or alternatively solutions approved by the customer.
4.6. Where the customer does not specify detailed requirements, the activity must be carried out on the basis of the baseline and in accordance with accepted industry practice and international standards, such as IEC 62443, NIST SP 800-82 and so forth. At each planning stage, the customer's approval must be obtained before implementation.
4.7. At the end of the initial planning phase, a preliminary cyber survey of the system will be conducted by the customer, subject to this document. The survey will indicate weaknesses and recommendations for reducing the risks. The supplier will implement the survey recommendations.
1.1. The supplier will carry out a detailed design of the cyber defense system in accordance with the guidelines in this document, the recommendations of the cyber survey and the clarifications received from the customer (APM) at the work planning stage.
4.8. The awardee supplier will submit a detailed list and technical specifications of the components intended to be implemented at the detailed design stage. In any case, equipment not mentioned in this document requires the customer's approval prior to its implementation.
4.9. All cyber components in the solution will be secured and ruggedized subject to this document.
4.10. Personal computers or equipment of the manufacturer's staff will not be used to configure the components or program the controllers during the installation phase (in the port area). These operations will be performed from a dedicated computer (portable if necessary) provided by the customer for these purposes.
4.11. The awardee supplier will provide systems that are up to date on the project delivery day.
4.12. The awardee supplier will document all actions performed in the system design, installation and configuration process. The information will be arranged per system and handed over to the customer. It will include architecture, policies, addresses, settings and any information required to maintain the system.
4.13. The awardee supplier will be flexible as necessary, with the coordination and consent of both parties, to apply required modifications to the detailed design in order to provide an up-to-date protection solution against cyber attacks. This includes supplying the components with the latest firmware, future protection architecture, future protection equipment, etc.


4.14. The awardee supplier will set up a number of separate logical communication networks for the control systems, depending on the architecture to be determined by the supplier and the customer.
4.15. All equipment connected to Ethernet-based communications will be monitored (as detailed below).
4.16. All control equipment will be able to send logs of a generic and uniform type, collected from the various equipment.
4.17. The control systems will operate with a uniform network time synchronization mechanism (Network Time Protocol) to synchronize the operating system clocks across the networks.
4.18. All systems will be hardened.


5. Specific requirements for cyber protection

5.1. Programmable controllers and equipment (PLC, DDC, RTU, IED, multimeters, speed regulators, etc.)

5.1.1. Hardening
5.1.1.1. Unused ports and services will be blocked and locked (Web, FTP, SSH, ICMP, Telnet).
5.1.1.2. Physical and logical locking of wireless capabilities (Wi-Fi, cellular and Bluetooth) and of physical connections such as USB that are not required in the permanent solution.
5.1.1.3. Prevention of retrieval/insertion of portable memory.
5.1.1.4. The awardee supplier commits to remove or cancel "back doors" such as hard-coded credentials.

5.1.2. Identification
5.1.2.1. All controllers and/or end equipment, including end equipment connected to the control network via dry contacts, will be protected by a username and password that differ from the manufacturer's settings and have a length of at least 8 characters.
5.1.2.2. The password will be complex: letters, numbers and special characters.
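As an added illustration (not part of the appendix or of any vendor tool), the following Python check encodes the credential rules of 5.1.2.1 and 5.1.2.2 for controllers and, going beyond this clause, the 10-character minimum that 5.1.37 sets for control-server applications. The asset classes, the list of manufacturer default credentials and the sample inputs are constructed for the demonstration; a real default list would come from the vendor manuals.

```python
"""Credential policy check for controllers and control-server applications.

Added example, not from the Ashdod Port appendix. Encodes clauses
5.1.2.1/5.1.2.2 (controllers: at least 8 characters; letters, numbers and
special characters; not the manufacturer's setting) and 5.1.37
(control-server applications: at least 10 characters, high complexity).
"""
import string

# Minimum password length per asset class, taken from the appendix clauses.
MIN_LENGTH = {"controller": 8, "application": 10}

# Constructed sample of (username, password) manufacturer defaults that must
# never survive commissioning (5.1.2.1). Illustrative values only.
VENDOR_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("operator", "operator"),
}


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_letters:
            classes.add("letter")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
        else:
            classes.add("other")  # whitespace, non-ASCII: counted separately
    return classes


def check_credential(username, password, asset_class):
    """Return a list of policy violations; an empty list means compliant."""
    if asset_class not in MIN_LENGTH:
        raise ValueError(f"unknown asset class: {asset_class}")
    violations = []
    # Length rule depends on whether this is a controller or an application.
    if len(password) < MIN_LENGTH[asset_class]:
        violations.append(f"length {len(password)} < {MIN_LENGTH[asset_class]}")
    # Complexity rule: all three classes named in 5.1.2.2 must be present.
    missing = {"letter", "digit", "special"} - character_classes(password)
    if missing:
        violations.append("missing " + ", ".join(sorted(missing)))
    # The credential must differ from the manufacturer's setting.
    if (username.lower(), password) in VENDOR_DEFAULTS:
        violations.append("manufacturer default credential")
    # A password that embeds the username is a common weak choice.
    if username.lower() in password.lower():
        violations.append("password contains the username")
    return violations


if __name__ == "__main__":
    for user, pw, cls in [("admin", "admin", "controller"),
                          ("plc1_eng", "Tr4ck!Lane", "controller"),
                          ("scada_app", "Tr4ck!Ln9", "application")]:
        print(cls, user, check_credential(user, pw, cls) or "OK")
```

The check is meant to run at commissioning, when a credential is first set, rather than against stored passwords; the controller audit later in the project would only verify that the manufacturer's default no longer works.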

5.1.3. Additional capabilities
5.1.3.1. Ability to generate logs and transfer them to external systems.
5.1.3.2. Presenting and saving logs; storing logs in the controller for investigation purposes.
5.1.3.3. Setting up dedicated ports for use.
5.1.3.4. Ability to disable unnecessary communication protocols.
5.1.3.5. Work mode support:
   1. Programming mode, which allows changing the logic.
   2. A locked mode, in which the logic cannot be changed.
5.1.3.6. The controllers will comply with the Achilles Level 2 standard.
5.1.3.7. Configuration software files are digitally signed (if not available, a roadmap supporting the requirement must be presented).
5.1.3.8. The control system will set a uniform time on all controllers.

5.2. Control servers - SCADA, databases, HMI and engineering stations

5.1.4. In principle, each server (physical or virtual) will be used for one purpose only.
5.1.5. All control servers can be defined under the control domain and are subject to hardening as defined in the GPO (this issue will be agreed between the awardee supplier and the customer at the planning stage).
5.1.6. Hardening - the servers, applications, operator and engineering stations will undergo hardening of the operating system and application, in full according to best practice and the ordering instructions specified in this document.


5.1.7. Updates (software, hardware and firmware) - all components will be provided with up-to-date operating systems, firmware and hardware approved by the control system vendor. This includes all service packs and security updates.
5.1.8. Antivirus / application control
5.1.8.1. Behavior-based AV or AC will be installed on all servers and endpoints, including operator positions.
5.1.8.2. AV signatures (if any) will be updated once per period, as agreed with the customer.
5.1.8.3. Installation of offline updates will be enabled (see details below).
5.1.8.4. Support for Linux-based operating systems.
5.1.8.5. Transfer of logs/alerts on anomaly detection.
5.1.9. Monitoring - a full audit trail will be set up to record all operations of the operators and the control engineer in the applications and operating systems. See details below.
5.1.10. Backups - the servers will work in an online backup architecture.
5.1.11. Engineering station - will include all the tools and software required to change the application and modify the controllers' logic. Changes will be implemented only from the engineering station. It will be locked after a pre-defined period of time with no modification activity.
5.1.12. Time synchronization - all control systems on all networks will be fed from a uniform time source.
5.1.13. All applications will run at the lowest possible permission level.
5.1.14. Default accounts will be canceled or disabled.
5.1.15. Local firewall – the personal (host) firewall will be enabled on Windows systems.
5.1.16. System interface error messages will not contain information about the nature or cause of the error.
5.1.17. Recent usernames will not be displayed on the logon screens.
5.1.18. Accounts created to run services will be set up only for those services. Interactive login for these accounts will not be enabled.
5.1.19. A screensaver will be activated, if possible, after a set period.
5.1.20. In principle, all workstations on the crane (Windows 10-based) will run in a virtual environment on VMware products and will be able to connect to AD (Active Directory).


5.3. Separation between networks

5.1.21. If there are servers that serve the crane, for example OCR servers, they will be installed in the port network (OT), at port addresses, and will be connected to the crane via NAT.
5.1.22. The awardee supplier will perform logical network separation (Layer 3) according to the task of each network: operation, maintenance, management, video, cyber management.
5.1.23. Cables/harnesses to the various control networks will be in a unique color for each network.

5.4. Segmentation

5.1.24. The awardee supplier is required to implement segmentation in the control networks.
5.1.25. The segments will be defined based on logical purpose, including system role, user types, geographical location, authorization levels and so forth.
5.1.26. No communication between segments will be possible except for the designated need for which they are intended (precise definitions of protocols, ports and services).
5.1.27. The segments will be separated by a firewall, and a rule base will be defined according to the necessary features.
5.1.28. to 5.1.32. NA
5.1.33. A DMZ segment will be defined between the control network and the IT network.
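The following Python model is an added example (not from the appendix, and not a firewall product's configuration language) of what 5.1.26, 5.1.27 and 5.1.33 require from the inter-segment rule base: a default-deny policy with an explicit allowlist of (source segment, destination segment, protocol, port), plus the rule that the IT network reaches the control side only through the DMZ. The segment names, address ranges, rules and sample flow records are all constructed; the check runs them through the policy and lists the flows a firewall built to this clause would have to drop.

```python
"""Default-deny inter-segment policy check.

Added example, not part of the appendix: models clauses 5.1.26/5.1.27 (no
traffic between segments except a defined need, with precise protocol and
port) and 5.1.33 (IT reaches the control network only through a DMZ).
Segment names, address ranges, rules and flow records are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed segment plan (5.1.25: segments by role). Illustrative ranges.
SEGMENTS = {
    "plc":         ip_network("10.10.1.0/24"),
    "hmi":         ip_network("10.10.2.0/24"),
    "engineering": ip_network("10.10.3.0/24"),
    "cyber-mgmt":  ip_network("10.10.9.0/24"),
    "dmz":         ip_network("10.20.0.0/24"),
    "it":          ip_network("192.168.0.0/16"),
}

# Allowlist of defined needs: (src segment, dst segment, protocol, dst port).
# Anything not listed is denied (5.1.26). Intra-segment traffic is not
# policed here; 5.1.27's firewall sits between segments.
ALLOW = {
    ("hmi", "plc", "tcp", 502),              # Modbus/TCP polling from HMI
    ("engineering", "plc", "tcp", 502),      # logic download from engineering station
    ("plc", "cyber-mgmt", "udp", 514),       # syslog to the log collector
    ("hmi", "cyber-mgmt", "udp", 514),
    ("engineering", "cyber-mgmt", "udp", 514),
    ("plc", "cyber-mgmt", "udp", 123),       # NTP (4.17)
    ("hmi", "cyber-mgmt", "udp", 123),
    ("hmi", "dmz", "tcp", 443),              # historian replica pushed into the DMZ
    ("it", "dmz", "tcp", 443),               # IT users read the DMZ replica only
}


def segment_of(addr):
    """Map an address to its segment name, or 'unknown' if outside the plan."""
    a = ip_address(addr)
    for name, net in SEGMENTS.items():
        if a in net:
            return name
    return "unknown"


def evaluate(src, dst, proto, dport):
    """Return (verdict, reason) for one flow under the default-deny policy."""
    s, d = segment_of(src), segment_of(dst)
    if "unknown" in (s, d):
        return "deny", "address outside the segment plan"
    if s == d:
        return "allow", "intra-segment"
    if s == "it" and d != "dmz":
        return "deny", "IT may only reach the DMZ (5.1.33)"
    if (s, d, proto, dport) in ALLOW:
        return "allow", f"{s}->{d} {proto}/{dport} is a defined need"
    return "deny", f"{s}->{d} {proto}/{dport} not in allowlist"


# Constructed flow records, as they might be read from firewall or IDS logs.
FLOWS = [
    ("10.10.2.10", "10.10.1.5", "tcp", 502),    # HMI -> PLC Modbus
    ("192.168.4.7", "10.10.1.5", "tcp", 502),   # IT host straight to a PLC
    ("10.10.3.2", "10.10.1.5", "tcp", 22),      # engineering -> PLC over SSH
    ("192.168.4.7", "10.20.0.10", "tcp", 443),  # IT host -> DMZ replica
    ("10.10.1.5", "10.10.9.1", "udp", 514),     # PLC syslog to collector
]


def violations(flows):
    """List the flows the policy denies, each with its reason."""
    return [(f, reason) for f in flows
            for verdict, reason in [evaluate(*f)] if verdict == "deny"]


if __name__ == "__main__":
    for flow, reason in violations(FLOWS):
        print("DENY", flow, reason)
```

Keeping the allowlist as explicit tuples is deliberate: it is the artifact the detailed design must hand to the customer (4.12), and every entry can be traced to a named operational need.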

5.5. Identification

5.1.34. Each entity on the network (person, machine, application) will have a unique profile defined with a username, a strong password and a physical identification component.
5.1.35. All identification processes of the various systems, including HMI, SCADA and engineering stations, will be performed against a central user database (identification server) dedicated to the control network.
5.1.36. Identification against the central database will be done in encrypted form.
5.1.37. Running applications on the control servers will require identification against the user database, including a password that differs from the factory settings. The password will be at least 10 characters long and of high complexity (letters, numbers and special characters). The password will not be displayed on the screen.
5.1.38. Identification and entry to the engineering station and the HMI stations will require, in addition to a password, a biometric means or smart card managed in accordance with the central user database.
5.1.39. Operators will identify at the beginning of each shift.
5.1.40. Each user will be added to a group with defined authorizations (role based) defined in the central user pool.


5.1.41. Default accounts will be canceled on all systems.
5.1.42. All inactive ports will be disabled.
5.1.43. Identification of computing and communication components will be done through secure protocols (RADIUS, TACACS+) to a central identity database.
5.1.44. Protection of communication input ports, that is, identification at the network layer, will be performed by a NAC system combined with 802.1X, including Port Security, Sticky MAC and MAC filtering.
5.1.45. For highly reliable identification, the awardee supplier will use a PKI, biometric or similar solution.
5.1.46. The customer and the supplier will examine the solution at the architecture formation stage.

5.6. Authorizations

5.1.47. User authorizations will be managed locally in the crane equipment, subject to port procedures in terms of password complexity.
5.1.48. Default users in the system will be eliminated.
5.1.49. The authorizations mechanism will distinguish between viewing, updating, deleting, creating and running.
5.1.50. Granting authorizations will be based on Role Based Access Control (RBAC). Settings will be made by the customer.
5.1.51. Authorizations will be granted on a "minimum required" basis (least privilege).
5.1.52. Granting authorizations to users will be based on group membership and on the "need to know" principle. Administrative privileges and an administrator will be defined only for necessary roles, based on need only and in accordance with the required activity.
5.1.53. Control infrastructure users will be able to run programs and view data according to their personal authorizations only.
5.1.54. The management of "licenses" and eligibility for authorization will be dynamic and constantly updated, so that employees who have left or transferred positions are deleted.
5.1.55. It is required to prevent the use and change of authorizations by unauthorized parties (authorizations at the application level).
5.1.56. Local admin authorizations will be revoked.
5.1.57. Any unauthorized activity will be reported via log, either from the operating system or from the control applications.
5.1.58. Root, Administrator, the Administrators group, the Domain Admins group, the Enterprise Admins group, DB owner and Schema Admins will be disabled on servers.
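Several of the account rules above (5.1.14 and 5.1.41/5.1.48 on default accounts, 5.1.18 on service accounts, 5.1.40/5.1.52 on role groups, 5.1.56/5.1.58 on administrative group membership) can be verified from an exported account inventory before SAT. The Python audit below is an added example, not the appendix's or any product's tool: the inventory records, host names and group names are constructed, and the checks return findings per account rather than printing them, so they can feed the documentation the supplier hands over.

```python
"""Account-hygiene audit for control servers and stations.

Added example, not part of the appendix. Checks an exported account
inventory against clauses 5.1.14/5.1.41/5.1.48 (default accounts
disabled), 5.1.18 (service accounts without interactive logon),
5.1.40/5.1.52 (every enabled user belongs to a role group) and
5.1.56/5.1.58 (no built-in admin group membership on servers).
The inventory below is constructed; in practice it would be exported
from Active Directory, the local SAM or the database engine.
"""

# Built-in / manufacturer accounts that must be disabled (5.1.14, 5.1.41).
DEFAULT_ACCOUNTS = {"administrator", "guest", "root", "admin"}

# Groups named in 5.1.58 (plus local Administrators, 5.1.56), lower-cased.
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins",
                     "schema admins", "db_owner"}

# Constructed inventory: one record per account per host.
INVENTORY = [
    {"host": "scada-01", "name": "Administrator", "enabled": True,
     "groups": ["Administrators"], "kind": "user", "interactive": True},
    {"host": "scada-01", "name": "svc_historian", "enabled": True,
     "groups": ["Historian-Service"], "kind": "service", "interactive": True},
    {"host": "eng-01", "name": "j.doe", "enabled": True,
     "groups": ["Crane-Engineers"], "kind": "user", "interactive": True},
    {"host": "eng-01", "name": "contractor", "enabled": True,
     "groups": [], "kind": "user", "interactive": True},
    {"host": "hmi-01", "name": "Guest", "enabled": False,
     "groups": [], "kind": "user", "interactive": True},
]


def audit_account(acct):
    """Return the list of clause violations for one account record."""
    findings = []
    name = acct["name"].lower()
    groups = {g.lower() for g in acct["groups"]}
    if name in DEFAULT_ACCOUNTS and acct["enabled"]:
        findings.append("default account enabled")
    privileged = groups & PRIVILEGED_GROUPS
    if privileged:
        findings.append("member of " + ", ".join(sorted(privileged)))
    if acct["kind"] == "service" and acct["interactive"]:
        findings.append("service account allows interactive logon")
    # Role groups are whatever is left after removing the privileged ones;
    # an enabled user with none has no RBAC assignment (5.1.40, 5.1.52).
    if acct["kind"] == "user" and acct["enabled"] and not groups - PRIVILEGED_GROUPS:
        findings.append("user not assigned to a role group")
    return findings


def audit_inventory(inventory):
    """Return {(host, account): [findings]} for non-compliant accounts only."""
    report = {}
    for acct in inventory:
        findings = audit_account(acct)
        if findings:
            report[(acct["host"], acct["name"])] = findings
    return report


if __name__ == "__main__":
    for (host, name), findings in audit_inventory(INVENTORY).items():
        print(f"{host}/{name}: " + "; ".join(findings))
```

A disabled default account (the Guest record) produces no finding, which is the end state 5.1.14 asks for; the audit is about enabled accounts and memberships, not about whether the built-in objects exist.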

5.7. Access management

5.1.59. KVM systems shall meet the NIAP PPS 3.0 standard.

5.8. Wireless networks


5.1.60. Wireless technologies (Bluetooth, RF and Wi-Fi) will not be used in the control networks, except for a GPS connection or any other connection approved by the customer.
5.1.61. No cellular communication will be used except with the port's approval and under its responsibility.

5.9. Connecting mobile devices

5.1.62. It is forbidden to connect laptops or storage devices to the port networks. In exceptional cases, connection will be possible subject to CDR and the customer's (APM) approval.
5.1.63. The use of personal computers by the supplier or by subcontractors will not be allowed, even for configuring components and programming the controllers. These operations will be performed from a dedicated computer stand provided for these purposes at the engineering station.
5.1.64. The above requirements apply throughout the life of the project, including the construction and installation phase.

5.10. Hardening

5.1.65. Components that require hardening:
   1. Cyber protection components
   2. Controllers of all kinds
   3. Control systems and operating systems
   4. Databases
   5. Virtualization components
   6. Storage components
   7. Servers
5.1.66. The awardee supplier will apply hardening to the operating systems on the servers and endpoints in all control systems based on Windows, Linux or real-time operating systems, in their latest version and subject to the customer's (APM) approval.
5.1.67. The hardening will be based on the implementation of tools in the network, including GPO.
5.1.68. If required by the customer, the supplier will provide a central security server for hardening management of the endpoints and servers.
5.1.69. The hardening is detailed in Appendix A.

5.11. Interfaces and communication components (switches, routers, etc.)

5.1.70. No internet connection will be made from any point on the control network.
5.1.71. Communication between networks will pass through a firewall and be subject to stateful inspection.


5.1.72. Only authorized traffic (protocols) will be defined in the communication components.
5.1.73. It is forbidden to connect a hub to the communications network.
5.1.74. All switches will be managed.
5.1.75. The component can be identified using a dedicated protocol, including 802.1X.
5.1.76. It will be possible to duplicate the traffic of any port in the switch to a monitoring port (port mirror).
5.1.77. An access control list can be set up.
5.1.78. A MAC address can be set for each port.
5.1.79. Time synchronization can be performed using the NTP protocol.
5.1.80. Switch operation logs can be sent to an external address.
5.1.81. Ability to identify using a dedicated protocol (TACACS, RADIUS).
5.1.82. Local management of the switch will only be done using a dedicated computer.

5.12. Firewall in the control network

5.1.83. At the crane entrance, a firewall will be installed which will perform the NAT and clearly define the connection from the port's OT network to the crane.
5.1.84. The firewall will include an IPS module to protect against vulnerabilities arising from the operating systems of the stations installed in the crane.
5.1.85. Traffic routing between the segments will be performed using a dedicated FW for the control infrastructure.
5.1.86. Threat-based next-generation firewall.
5.1.87. The device will have DPI capabilities.
5.1.88. High-availability firewall configuration (active/active and active/passive).
5.1.89. Support for division into VLAN groups and secure VPN access.
5.1.90. At the network protocol level it will support the protocols defined by the building control and operating systems design (DNP3, Modbus TCP, OPC, PROFINET, ...) or any protocol defined and approved by the customer (APM).
5.1.91. Deviations will be reported via logs to the SIEM system.
5.1.92. Monitoring and restricting the access of software and people through the network by means of rules, at layers L2 and L3.
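Clause 4.1 (every crane of a type reuses the same private address plan) and 5.1.83 (the entrance firewall performs NAT and defines exactly which port-OT connections may enter) only work together if each crane's firewall presents a distinct port-side range and translates it one-to-one onto the shared internal plan. The Python model below is an added example, not the appendix's design or any firewall vendor's configuration: the internal and port-side address ranges, the crane numbering scheme and the inbound rule list are constructed, and the OCR-server rule reflects 5.1.21's statement that such servers sit at port addresses and reach the crane through NAT.

```python
"""Static 1:1 NAT at the crane-entrance firewall.

Added example, not from the appendix. Shows how clause 4.1 (identical
private addressing inside every crane of a type) and 5.1.83 (entrance
firewall performs NAT and defines the permitted port-OT connections)
fit together. Address ranges, crane numbering and rules are constructed.
"""
from ipaddress import ip_address, ip_network

# The same internal /24 is used inside every crane (4.1).
CRANE_INTERNAL = ip_network("172.16.0.0/24")


def port_side_network(crane_id):
    """Port-OT-side /24 that the entrance firewall of crane N presents."""
    if not 1 <= crane_id <= 254:
        raise ValueError("crane id out of range")
    return ip_network(f"10.50.{crane_id}.0/24")


def to_internal(crane_id, port_addr):
    """Translate a port-side address of crane N into the crane-internal host."""
    a = ip_address(port_addr)
    net = port_side_network(crane_id)
    if a not in net:
        raise ValueError(f"{port_addr} is not a port-side address of crane {crane_id}")
    offset = int(a) - int(net.network_address)  # same host octet on both sides
    return str(CRANE_INTERNAL.network_address + offset)


def to_port_side(crane_id, internal_addr):
    """Translate a crane-internal host into the address the port OT sees."""
    a = ip_address(internal_addr)
    if a not in CRANE_INTERNAL:
        raise ValueError(f"{internal_addr} is not a crane-internal address")
    offset = int(a) - int(CRANE_INTERNAL.network_address)
    return str(port_side_network(crane_id).network_address + offset)


# Constructed inbound allowlist: (port-side source network, crane-internal
# destination host, protocol, destination port). Everything else is denied.
INBOUND_RULES = [
    (ip_network("10.40.0.0/24"), "172.16.0.20", "tcp", 502),  # OCR servers -> crane PLC (5.1.21)
    (ip_network("10.60.0.0/24"), "172.16.0.2", "udp", 161),   # port monitoring -> crane switch SNMP
]


def inbound_decision(crane_id, src, port_side_dst, proto, dport):
    """Apply NAT, then the inbound allowlist; return (verdict, internal_dst)."""
    internal = to_internal(crane_id, port_side_dst)
    s = ip_address(src)
    for src_net, host, p, d in INBOUND_RULES:
        if s in src_net and host == internal and p == proto and d == dport:
            return "allow", internal
    return "deny", internal


if __name__ == "__main__":
    # Two cranes, same internal PLC address, distinct port-side addresses.
    for crane in (3, 7):
        print(f"crane {crane}: PLC 172.16.0.20 is reached as", to_port_side(crane, "172.16.0.20"))
    print(inbound_decision(3, "10.40.0.11", "10.50.3.20", "tcp", 502))
    print(inbound_decision(3, "192.168.1.9", "10.50.3.20", "tcp", 502))
```

Because the translation is a fixed offset, the port-side address of any crane host can be derived from the crane number alone, which keeps the rule base identical across cranes of the same type and makes the per-crane firewall configuration reviewable at the detailed design stage.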

6. Additional requirements

6.1. Remote connection for maintenance needs outside the port

6.1.1. Remote connection will be made according to APM procedures.
6.1.2. Connection for operational purposes
6.1.2.1. In the case of a remote operating room, the room will be managed as part of the crane, and optical fibers from the crane will be routed to it. This is mainly for the transfer of protocols that do not pass over IP.
6.1.2.2. Protocols that run over IP can be transferred to the operating room through the firewall by enabling appropriate routing.


6.2. Backups

6.1.3. The backups and logs will be saved using dedicated backup software and in accordance with the architecture to be decided between the supplier and the customer.
6.1.4. NA
6.1.5. It will be possible to perform periodic automatic backups as defined by the customer.
6.1.6. Data history will be maintained for a period defined by the customer.
6.1.7. The backups will include:
   1. Configurations of the control systems and controllers.
   2. Operating systems (images).
   3. Configuration of communication systems.
   4. Applications.
   5. Databases.
   6. Files and other relevant information.

6.3. NA

6.4. Manage changes and updates

6.1.8. Any manufacturer update must go through CDR prior to installation, as set out in the port procedures.
6.1.9. Management system for logic versions and updates
6.1.9.1. The control system will have the ability to automatically back up and manage the logic versions of the controllers and the SCADA application (visual screens and logic settings).
6.1.9.2. The system will detect version changes and alert when a version changes, including the possibility of comparing versions.
6.1.9.3. Managing the history of changes between versions, maintaining them on a central server and presenting them, including what the change was, when it was made and by whom, and where the specific version can be found.
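The behaviour 6.1.9.1 to 6.1.9.3 ask for (back up each logic export, detect and alert on a changed version, keep who/when history and compare versions) can be demonstrated with a small hash-based register. The Python below is an added example, not the appendix's or any SCADA vendor's version-management product: the two controller logic exports, the asset name, the author names and the timestamp are constructed, and a real deployment would persist the register on the central server rather than in memory.

```python
"""Logic-version register for controllers and SCADA configuration.

Added example, not the appendix's or any vendor's tool. Implements the
behaviour of clauses 6.1.9.1-6.1.9.3: every exported logic/config file
is hashed into a register, a re-export that differs from the last known
version raises an alert, and the history records what changed, when and
by whom, with a textual comparison between versions. Inputs are
constructed in-memory files.
"""
import difflib
import hashlib
from datetime import datetime, timezone


class VersionRegister:
    def __init__(self):
        self.history = {}   # asset -> list of version records, oldest first
        self.alerts = []    # human-readable change alerts (6.1.9.2)

    @staticmethod
    def digest(content):
        """SHA-256 of the exported file; identical exports share a digest."""
        return hashlib.sha256(content).hexdigest()

    def record(self, asset, content, author, when=None):
        """Store a new export; return True if it differs from the last version."""
        when = when or datetime.now(timezone.utc)
        versions = self.history.setdefault(asset, [])
        new = self.digest(content)
        if versions and versions[-1]["sha256"] == new:
            return False   # identical re-export (e.g. nightly backup): nothing to record
        entry = {"version": len(versions) + 1, "sha256": new, "author": author,
                 "when": when.isoformat(), "content": content}
        versions.append(entry)
        if len(versions) > 1:   # first export is the baseline, not a change
            self.alerts.append(
                f"{asset}: version {entry['version']} by {author} at {entry['when']}")
        return True

    def compare(self, asset, v_old, v_new):
        """Unified diff between two stored versions (6.1.9.2 comparison)."""
        versions = self.history[asset]
        a = versions[v_old - 1]["content"].decode().splitlines()
        b = versions[v_new - 1]["content"].decode().splitlines()
        return list(difflib.unified_diff(a, b, f"{asset}@v{v_old}",
                                         f"{asset}@v{v_new}", lineterm=""))

    def changed_lines(self, asset, v_old, v_new):
        """Only the added/removed lines, without the diff file headers."""
        return [line for line in self.compare(asset, v_old, v_new)
                if line[:1] in "+-" and not line.startswith(("+++", "---"))]


# Constructed controller logic exports (instruction-list style, illustrative).
BASELINE = b"NETWORK 1\n  LD  I0.0\n  =   Q0.0\nNETWORK 2\n  LD  I0.1\n  =   Q0.1\n"
MODIFIED = b"NETWORK 1\n  LD  I0.0\n  =   Q0.0\nNETWORK 2\n  LDN I0.1\n  =   Q0.1\n"


def demo():
    """Baseline, an unchanged nightly re-export, then an engineer's change."""
    reg = VersionRegister()
    t0 = datetime(2021, 1, 1, 8, 0, tzinfo=timezone.utc)   # constructed timestamp
    reg.record("RTG-03/PLC-main", BASELINE, "commissioning", t0)
    reg.record("RTG-03/PLC-main", BASELINE, "nightly-backup", t0)
    reg.record("RTG-03/PLC-main", MODIFIED, "j.doe", t0)
    return reg


if __name__ == "__main__":
    reg = demo()
    print("\n".join(reg.alerts))
    print("\n".join(reg.changed_lines("RTG-03/PLC-main", 1, 2)))
```

Hashing the whole export rather than trusting the controller's own version counter is what lets the register notice a change made outside the engineering station (5.1.11), which is the case the alert in 6.1.9.2 exists for.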

6.1.10. Patch management
6.1.10.1. A control (server) system will be installed to distribute the updated versions to all managed devices on the network in an orderly and controlled manner (operating systems for servers, communication components, etc.).
6.1.10.2. The above server will have software for scheduling and deploying approved fix versions at the desired times, or for manual deployment to certain groups or devices.
6.1.10.3. Display of detailed results from a single platform, including information on missing fixes, hardware levels, links to a database, version dates, descriptions and more.
6.1.10.4. It will be possible to undo the changes of unstable patches on some devices (rollback / snapshot).
6.1.11. Up-to-date cyber protection systems (FW, AV, etc.)


6.1.11.1. On the crane workstations, and under the manufacturer's responsibility, an antivirus / EDR will be installed that detects anomalous behavior and reports it to the central logging system.

6.1.11.2. This system will be based on unusual-behavior (anomaly) algorithms, without signatures.

6.1.11.3. The cyber systems will have signature management and vulnerability management mechanisms, updated as of the delivery date of the cranes and systems.

6.1.11.4. At the main communication nodes in the crane, TAPs or sensors will be installed by the manufacturer and under its responsibility, allowing connection to the port systems without interruption to crane operation, in order to detect anomalous activity.

6.1.11.5. The winner will write a procedure for distributing updates (hardware and software), to be presented at the detailed design stage, dealing with periodic security issues published by the manufacturers and the professional community.

CDR

6.1.11.6. All information delivered to the port network will be transmitted through a CDR process (a system containing several AV engines).

6.1.11.7. The information will be forwarded to the control network through media dedicated to this purpose.

Additional requirements for cyber components

6.1.12. Each cyber component in the proposed solution will be provided and installed on a separate physical server.

6.1.13. The server specifications to be provided will meet the recommended requirements of the system manufacturer. Automatic backup arrays (at least RAID 5) will be planned. Installation on a virtual server will be performed only with the consent of the customer.

6.1.14. Each cyber component in the proposed solution will be from one of the manufacturers indicated in the BOM, or an equivalent, pending the customer's approval.

Monitoring and Control

6.1.15. Traffic monitoring will be performed for all information passing between the control center and the cranes and within the segments themselves. Monitoring will be performed by the customer (APM)'s IDS systems.

6.1.16. The switches and routers will be able to duplicate the information traffic using Port Mirror or SPAN port settings.

6.1.17. Monitoring will be performed throughout the day (24 hours).

6.1.18. Monitoring system management will be performed from a dedicated segment.

6.1.19. In critical systems, all critical operations will be monitored, including external connections.

6.1.20. In case of a deviation, an alert will be sent to the SIEM systems at the port.


6.1.21. All control systems will send logs in the generic syslog CEF format to the port's SIEM system.

6.1.22. Events will be sent when:

1. Anomalies and offenses are identified.

2. Actions are taken that are contrary to the policy defined in the system.

6.1.23. Among the events to be monitored:

1. Configuration of key control components, changing and saving configuration, attempts to access control systems, changing settings in systems, malware including viruses and worms, and various cyber-attacks.

2. Domain identification mechanism: failed attempts, access from multiple sites simultaneously, detection of attempts to connect an unidentified component, login and login attempts (failed and successful) to applications, system administration operations (user creation, editing and deletion), remote control, and modification of settings and parameters.

3. Attempts to delete and edit log entries, failed attempts to view log entries, and transfer of operations and information to communication or operational interfaces.

6.1.24. Each event will include the following fields:

1. Date and time.

2. Source of the operation (for example IP, domain, host name, MAC).

3. Success or failure of the event.

4. Description of the operation: what was done and the content of the relevant event.
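As an added example (not the guideline's or any vendor's code) of what 6.1.21 to 6.1.24 amount to on the wire: a producer on the crane side builds a CEF:0 line whose extension carries the required fields (receipt time `rt`, source identifiers `src`/`shost`/`smac`/`suser`, `outcome` as success or failure, and `msg` as the description), and a consumer on the SIEM side parses the line back and reports which required fields are missing. The vendor and product names, the signature IDs and the sample events are constructed; the CEF escaping rules (backslash and pipe in the header, backslash and equals sign in the extension) are the standard ones.

```python
"""Added example (not from the guideline or any vendor): build syslog/CEF event
lines carrying the fields required by 6.1.24, and validate received lines on the
SIEM side. Vendor/product names and all sample values are constructed."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

CEF_VERSION = "0"
REQUIRED_EXT = ("rt", "outcome", "msg")          # time, success/failure, description
SOURCE_EXT = ("src", "shost", "smac", "suser")   # at least one source identifier is required


def _esc_header(s: str) -> str:
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s: str) -> str:
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def build_cef(signature_id: str, name: str, severity: int, ext: Dict[str, str],
              vendor: str = "ExampleCraneOEM", product: str = "RTG-SCADA",
              version: str = "1.0") -> str:
    """Return a CEF:0 line; rt defaults to now (ms since epoch) when not supplied."""
    ext = dict(ext)
    ext.setdefault("rt", str(int(datetime.now(timezone.utc).timestamp() * 1000)))
    header = "|".join(_esc_header(x) for x in
                      (vendor, product, version, signature_id, name, str(severity)))
    body = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"CEF:{CEF_VERSION}|{header}|{body}"


_HEADER_SPLIT = re.compile(r"(?<!\\)\|")                       # pipe not preceded by backslash
_EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s\w+=|$)")  # key=value up to next key=


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a CEF line into header fields and extension key/values, undoing escapes."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    keys = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
    header = {k: v.replace("\\|", "|").replace("\\\\", "\\") for k, v in zip(keys, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    ext = {k: v.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")
           for k, v in _EXT_PAIR.findall(parts[7])}
    return header, ext


def validate_event(line: str) -> List[str]:
    """Return the 6.1.24 fields missing from a received line (empty list = compliant)."""
    _, ext = parse_cef(line)
    missing = [k for k in REQUIRED_EXT if not ext.get(k)]
    if not any(ext.get(k) for k in SOURCE_EXT):
        missing.append("source (src/shost/smac/suser)")
    if ext.get("outcome") not in (None, "success", "failure"):
        missing.append("outcome must be success|failure")
    return missing


def demo() -> dict:
    # Constructed sample events from a made-up crane engineering station.
    good = build_cef("1003", "PLC configuration saved", 7, {
        "rt": "1712232000000", "src": "10.20.7.11", "shost": "rtg07-eng",
        "smac": "00:11:22:33:44:55", "suser": "eng.levi", "outcome": "success",
        "msg": "Hoist block saved to rtg07-plc-hoist; param HOIST_MAX_SPEED=1.2",
    })
    bad = build_cef("1001", "Login attempt", 5, {"suser": "operator", "outcome": "failure"})
    return {"good": good, "good_missing": validate_event(good), "bad_missing": validate_event(bad)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `validate_event` at the SIEM collector during SAT is a cheap way to prove 6.1.24 per log source: a line that lacks the description or any source identifier is rejected at intake rather than discovered missing during an incident.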

6.1.25. Log files will be kept for a minimum period determined by the customer.

Physical Protection

6.1.26. The control cabinets will have a built-in door-locking device that requires an external key.

6.1.27. Network equipment (switches and routers) will be located in communication rooms with an alert and detection mechanism for access; the equipment will be installed in communication cabinets and backed up by UPS systems.

6.1.28. The control servers and databases will be located in a communication room with an alert and detection mechanism for access; the equipment will be installed in communication cabinets and backed up by UPS systems.

6.1.29. End equipment will be connected / locked in such a way that it cannot be removed.

Supply Chain

Delivery and storing the equipment

7.1.1. The components of the control systems and the cybersecurity equipment must be stored and supplied in a way that reduces the risk of harm or attack.


7.1.2. The supplier must provide a complete list of all components (name, model, serial number) prior to delivery and supply, and confirm at the time of delivery that the equipment received is correct.

7.1.3. On arrival, APM will make sure that the equipment is packed in cardboard boxes sealed with duct tape. The manufacturer must mark the box and the adhesive tape with its own stamp so that it can be verified that the boxes were not opened during delivery. The supplier must make sure that the boxes have not been opened before the delivery date.

7.1.4. Initial access passwords to the equipment will be provided separately and will not be stored with the equipment.

7.1.5. All equipment is required to be stored in a secured warehouse approved in advance by the security officer. Entrance to the storage room will be accompanied by a member of the security staff and requires the approval of the project manager.

Documentation and Training

Documentation

8.1.1 The awardee supplier will prepare a detailed folder containing documentation and full details regarding all parts of the system, including architectural diagrams of the defense systems (physical, logical, information flows and processes).

8.1.2 List of components in each network and infrastructure and their specifications.

8.1.3 Configuration of the protection components in cyber operating systems.

8.1.4 List of hardening performed.

8.1.5 The awardee supplier will prepare procedures and work instructions for managing the cybersecurity systems, including handling faults or operating the system while a cyber-incident is suspected.

Training

8.1.6 As part of the commissioning, training will be required for the operation of the cyber defense systems.

8.1.7 The training sessions will be recorded and documented to preserve the information.

ATP / SAT and utilization tests

9.1. Delivery of the cranes and all associated systems will be subject to the success of the SAT (Site Acceptance Test) process. Only a successful SAT will make the system be considered complete in terms of cyber protection, and the warranty period will begin.

9.2. The customer (APM) or its legal representative will conduct an audit of compliance with the cyber requirements as part of the transfer of responsibility for all the systems and facilities. The audit will check the protection system configuration and the connectivity between the systems, in accordance with the formulated architecture, both in terms of quality and integrity of execution.

9.3. During the audit, all the documents of the cyber protection system will be presented: architecture, specifications, configuration, etc.

9.4. Gaps in cyber defense agreed by the parties will be presented.


9.5. Limitations of the defense system that the awardee supplier undertook to address and that were not implemented in execution will be presented, both in light of physical limitations of the control equipment / network and of limitations discovered during the project.

9.6. Cyber defense mechanisms will not be a point of failure in terms of performance impact. The awardee supplier will design the solution so that the cyber components do not affect operation and are as imperceptible as possible. The awardee supplier will perform load analysis for equipment and systems for the customer (APM)'s approval.

9.7. The awardee supplier will hand over the system after performance and weakness testing, and will make adjustments to the latest versions of the system, including performing the actions required to prevent the vulnerabilities that have been publicly posted on the various CVE websites.

9.8. The supplier will check that all unnecessary software and development tools have been removed from the various systems.

9.9. The awardee supplier will subcontract an independent external company (from a list of companies) to perform resilience tests for the control systems prior to delivery. A company not on this list will require the approval of the customer. The awardee supplier undertakes to address any deficiencies that may arise in the results of the resilience tests.

9.10. The customer (APM) may simultaneously perform independent resilience tests for the systems; the awardee supplier undertakes to address any deficiencies that arise in the results of the independent resilience tests.


Hardening - General Definitions

1. Defining required services and eliminating other unnecessary services.

2. Block all default accounts, services, and unnecessary ports.

3. Cancellation of users' authorization for unnecessary protocols.

4. Hardening BIOS (setting a login password to prevent changing the boot order, removing or adding components, disabling / adding interfaces, etc.).

5. Disable all wireless communication.

6. Disable the automatic updates.

7. Define a screen lock after a certain period of time has passed.

8. Disable remote connection (where not required).

9. Prohibit sharing of resources or files (where not required).

10. Define static IP addresses only.

11. Each user will be able to connect to only one station at a given time.

12. Disable all unnecessary USB connections.

13. Setting user rights to differ from the default permissions.

14. Disabling the option to remove or install software / hardware.

15. Operator stations - prevent access to computer settings and the performance of unnecessary actions.
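The checklist above is only useful at SAT if each item can be verified against evidence collected from the delivered stations. The following added example, which is not part of the guideline and not any vendor's tooling, encodes the verifiable items of the list as rules and runs them over a host profile; the profile format, the allow-lists of required services and default account names, the 15-minute screen-lock threshold and the sample operator station are all constructed assumptions, and items such as 3, 4, 11, 13 and 15 that need evidence from outside a single host profile are deliberately not modelled.

```python
"""Added example (not part of the guideline): encode the 'Hardening - General
Definitions' checklist as machine-checkable rules and run them over a host
profile. The profile format and the sample workstation are constructed; in
practice the profile would be collected from the real system (service list,
account list, network configuration) during the FAT/SAT audit."""
from typing import Callable, Dict, List, Tuple

Profile = Dict[str, object]

# Assumed allow-lists for an engineering/operator station (assumption, not from the page).
REQUIRED_SERVICES = {"scada-runtime", "edr-agent", "syslog-forwarder"}
DEFAULT_ACCOUNTS = {"administrator", "guest", "admin", "root"}
MAX_SCREEN_LOCK_MINUTES = 15   # assumed threshold; the page only says "certain time period"


def _dhcp_interfaces(p: Profile) -> List[str]:
    return [i["name"] for i in p["interfaces"] if i.get("dhcp")]


# (checklist item number, description, predicate that is True when compliant)
RULES: List[Tuple[int, str, Callable[[Profile], bool]]] = [
    (1, "only required services run",
        lambda p: set(p["services"]) <= REQUIRED_SERVICES),
    (2, "default accounts disabled",
        lambda p: not (set(p["enabled_accounts"]) & DEFAULT_ACCOUNTS)),
    (2, "no unnecessary listening ports",
        lambda p: set(p["listening_ports"]) <= set(p["approved_ports"])),
    (5, "wireless disabled",
        lambda p: not p["wireless_enabled"]),
    (6, "automatic updates disabled (updates come via the patch server)",
        lambda p: not p["auto_update"]),
    (7, "screen lock configured",
        lambda p: 0 < p["screen_lock_minutes"] <= MAX_SCREEN_LOCK_MINUTES),
    (8, "remote connection disabled where not required",
        lambda p: not p["remote_access"] or p["remote_access_required"]),
    (9, "no file/resource sharing where not required",
        lambda p: not p["shares"] or p["sharing_required"]),
    (10, "static IP addresses only",
        lambda p: not _dhcp_interfaces(p)),
    (12, "unnecessary USB storage disabled",
        lambda p: not p["usb_storage_enabled"]),
    (14, "software/hardware install and removal blocked",
        lambda p: not p["user_can_install"]),
]


def audit(profile: Profile) -> List[str]:
    """Return one finding per failed rule, formatted as 'item N: description'."""
    return [f"item {n}: {desc}" for n, desc, ok in RULES if not ok(profile)]


# Constructed sample: an operator station as delivered, before hardening was finished.
SAMPLE_STATION: Profile = {
    "services": ["scada-runtime", "edr-agent", "syslog-forwarder", "print-spooler"],
    "enabled_accounts": ["operator", "guest"],
    "listening_ports": [514, 4840, 3389],
    "approved_ports": [514, 4840],
    "wireless_enabled": False,
    "auto_update": True,
    "screen_lock_minutes": 10,
    "remote_access": True, "remote_access_required": False,
    "shares": [], "sharing_required": False,
    "interfaces": [{"name": "eth0", "dhcp": False}, {"name": "eth1", "dhcp": True}],
    "usb_storage_enabled": False,
    "user_can_install": False,
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_STATION):
        print(finding)
```

Each finding names the checklist item it maps to, so the output can be attached directly to the "List of hardening performed" (8.1.4) and re-run after every patch cycle to confirm that 6.1.10 deployments have not re-enabled a service or a DHCP interface.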


Information required from the supplier regarding system components

Devices and components list: A complete list of devices and applications should be delivered to the owner before the start of commissioning, with the following details:

1. Device type

2. General description of the device

3. Description of the device interaction with the system

4. Manufacturer name

5. Model / version / operating system

6. Service provider / maintenance

7. Is the device under warranty or support contract

8. Is the device's version under manufacturer support

9. Criticality level of the device

10. What is the potential damage (device sabotage)

11. Is the device backed up

12. Physical location

13. Device accessibility level

14. Is there remote support?

15. Is the component physically protected?

16. Update level

17. Does the component produce logs?

18. Are log files activated

19. Whether the component reports to a monitoring system such as SIEM

20. Type of authentication

21. Hardening

22. Type of data traffic protocol

23. Is data traffic monitored

24. Permissions level to the device