PROJECTS & EQUIPMENT INTEGRATION SECTION
P.O.BOX 9001, ASHDOD 7710001, ISRAEL | ASHDODPORT.CO.IL 1/21
1202/10/04
Appendix Z - Cybersecurity Guidelines for E-RTG Cranes
INDEX
1. DEFINITIONS AND ABBREVIATIONS
2. GENERAL
2.1. Background
2.2. Introduction
2.3. Appendix content
3. MILESTONES IN THE CYBER DEFENSE PROJECT
4. GENERAL REQUIREMENTS FOR CYBER PROTECTION
5. SPECIFIC REQUIREMENTS FOR CYBER PROTECTION
5.1. Programmable controllers and equipment
5.1.1. Hardening
5.1.2. Identification
5.1.3. Additional capabilities
5.2. Control servers - SCADA, databases, HMI and engineering stations
5.3. Separation between networks
5.4. Segmentation
5.5. Identification
5.6. Authorizations
5.7. Access management
5.8. Wireless networks
5.9. Connecting mobile devices
5.10. Hardening
5.11. Interfaces and communication components (switches, routers, etc.)
5.12. Firewall in the control network
6. ADDITIONAL REQUIREMENTS
6.1. Remote connection for maintenance needs outside the port
6.2. Backups
6.3. NA
6.4. Manage changes and updates
6.5. CDR
6.6. Additional requirements for cyber components
6.7. Monitoring and control
6.8. Physical protection
7. SUPPLY CHAIN
7.1. Delivery and storing the equipment
8.1. Documentation
8.2. Training
9. ATP / SAT AND UTILIZATION TESTS
1. Definitions and abbreviations
1.1. Logical Security - All the actions required from the computer and control systems in order to create a protected cyber environment.
1.2. Information Security - Maintaining the confidentiality, integrity, reliability and availability of information.
1.3. Cyber threat - A natural event or human action that has the potential to harm human life, the functioning of systems, the environment or an interest; a combination of intentions and capabilities to attack cyberspace that has not yet been executed.
1.4. Unusual event - An unusual occurrence in the control systems.
1.5. Cyber incident - An occurrence that indicates a possible impairment in the proper operation of a cyber asset, where there is reason to believe that it results from deliberate activity in cyberspace.
1.6. Weakness - A vulnerability in a computerized system, component or related procedure that can be exploited.
1.7. Cyber policy - A document describing the cyber protection principles of our organization.
1.8. System mapping - A mapping process carried out in order to learn and become familiar with the system, its configuration, interfaces, etc.
1.9. Industrial Control System - A computer-based system that generates, monitors and controls processes within an industrial production system (ICS, SCADA, DCS, etc.).
1.10. Auxiliary system - A complementary system to the crane functions process (not an integral part of the core process).
1.11. Peripheral system - A system that is not part of the crane functions process and has no connection to it.
1.12. Critical site - A compound whose damage may affect the functional continuity of the facility.
1.13. Accessibility - The ability of an attacker to infiltrate a cyber asset.
1.14. Malware - Malicious software installed on a computer without the user's knowledge, which impairs its proper operation.
1.15. Residual risk - The risk that remains after risk control measures have been implemented.
1.16. Risk survey - Mapping and assessing the level of risk of cyber threats to the organization resulting from its systems and activity.
1.17. Impairment of availability - Impairment of the ability to use the organization's systems.
1.18. Breach of confidentiality - Disclosure of information that may cause harm by assisting in the planning of a cyber-attack.
1.19. Damage to integrity - Damage to information by change or deletion.
1.20. Cyber component - Software or hardware in the control system whose function is to alert on, filter or prevent hostile / offensive / unwanted cyber activity on the control systems.
1.21. IT management network - The main computer network of the organization, in which the information is managed.
1.22. OT operational network - A network that connects components based on industrial control.
1.23. Supply chain - The maintenance and service activity of subcontractors who provide services.
1.24. Cyber plan - A main detailed plan describing the concept of protection throughout the life cycle.
Abbreviations:
AP - Application Control
AV - Antivirus
GUI - Graphical User Interface
HA - High Availability
IP - Internet Protocol
IT - Information Technology
LAN - Local Area Network
NAC - Network Access Control
KVM - Keyboard, Video and Mouse
PLC - Programmable Logic Controller
VLAN - Virtual LAN
WLAN - Wireless LAN
HMI - Human Machine Interface
SCADA - Supervisory Control and Data Acquisition
GPO - Group Policy (Object)
DMZ - Demilitarized Zone
NTP - Network Time Protocol
MAC - Media Access Control
FW - Firewall
DPI - Deep Packet Inspection
IDS - Intrusion Detection System
MFA - Multifactor Authentication
SAT - Site Acceptance Test
VPN - Virtual Private Network
CVE - Common Vulnerabilities and Exposures
UPS - Uninterruptible Power Supply
SIEM - Security Information and Event Management
AD - Active Directory
2. General
2.1. Background
2.1.1. Ashdod Port is prepared to purchase cranes with automation capabilities - remote
control and automatic operation.
2.1.2. As part of the purchase, various control systems will be installed.
2.1.3. The control systems, and all their components, enable the day-to-day operation of the crane and are vulnerable to cyber-attacks.
2.1.4. In order to protect the infrastructure of the crane in cyberspace, cyber protection solutions are required that enable the functional continuity of the crane's operation.
2.2. Introduction
2.2.1 This specification combines the customer's requirements in the cyber aspects. The supplier must meet all professional and administrative requirements.
2.2.2 The protection requirements in this document are based on protection in layers ("Defense in Depth"), authorization based on "need to know", process separation ("Separation of Duties"), authentication by default, traffic control ("Flow Validation"), and filtering and CDR ("Content Sanitation").
2.2.3 These requirements apply to all subsystems of the distributed systems.
2.2.4 The supplier is responsible for implementing all specification requirements, including issues that require integration with additional contractors, to ensure full compliance with the requirements of this document.
2.3. Appendix content
2.1.5. Defining the required cyber protection envelope and protection components for the crane control systems.
2.1.6. Shipping and storage - supply chain.
2.1.7. Documentation and training.
2.1.8. Performing ATP.
3. Milestones in the Cyber Defense Project
Relevant project documents (under the responsibility of the tender awardee), by stage:

Stage 1 - Initialization:
A. Introduction and review of the project and staff.
B. Presenting challenges and risks (managerial risks in the realization of cyber protection).
C. Procedure for maintaining the supply chain from the purchasing stage to delivery.

Stage 2 - Initial planning:
A. Preliminary network design.
B. List of components and quantities.
C. Detailed challenges and risks.

Stage 3 - Preliminary risk survey:
Conducting an initial risk survey.

Stage 4 - Detailed plan:
A. Detailed design - detailed design layout of systems and configuration.
B. Specifications of all components and list of interfaces.
C. Up-to-date BOM list.
D. Integration and interfaces with adjacent systems (communication, control, etc.).
E. Risk management plan.

Stage 5 - SAT:
System acceptance test.

Stage 6 - Service:
SLA - addressing suspicion of cyber incidents.
4. General requirements for cyber protection
4.1. The crane will be managed as a black box, with the same private IP addresses recurring from crane to crane of the same type.
4.2. The awardee will provide a cyber protection coverage while addressing and complying with
each of the clauses as detailed below to the customer's satisfaction.
4.3. The overall responsibility for the supply of the defined systems and configuration meeting the
requirements and definitions is the responsibility of the supplier also with respect to systems
and components that are not manufactured by him.
4.4. The requirements detailed in this chapter are general requirements and the necessary minimum
- Base Line. Additional and / or different / specific requirements will be specified later.
4.5. In the implementation of the cyber protection components, the tools accepted by the customer,
which are listed later in the chapter, will be used or alternatively, solutions that will be
approved by the customer.
4.6. In cases where the customer does not ask for detailed requirements, it is required to carry out
the activity on the basis of the baseline and in accordance with what is accepted in industry and
international standards, such as IEC 62443, NIST SP 800-82 and so forth. At each stage of the
planning stages, the customer's approval must be obtained before it is implemented.
4.7. At the end of the initial planning phase, a preliminary cyber survey of the system will be
conducted by the customer, subject to this document. The survey will indicate weaknesses and
recommendations for reducing the risks. The supplier will implement the survey
recommendations.
1.1. The supplier will carry out a detailed design of the cyber defense system in accordance with
the guidelines contained in this document, the recommendations of the cyber survey and with
clarifications received from the customer (APM) at the work planning stage.
4.8. The awardee supplier will submit, at the detailed design stage, a detailed list and technical specifications of the components that are intended to be implemented. In any case, equipment that is not mentioned in this document requires the approval of the customer prior to its implementation.
4.9. All cyber components in the solution will be secured and ruggedized subject to this document.
4.10. A personal computer / equipment of the manufacturer's staff will not be used for the purpose of
configuring the components and programming the controllers during the installation phase (in
the port area). These operations will be performed from a dedicated computer (portable if
necessary) that will be provided by the customer for these purposes.
4.11. The awardee supplier will provide systems that are up to date as of the delivery day of the project.
4.12. The awardee supplier will document all the actions performed in the system design, installation
and configuration process. The information will be arranged according to a system and will be
handed over to the customer. The information will include architecture, policies, addresses,
settings and any information required to perform system maintenance.
4.13. The awardee supplier will be flexible as necessary, with coordination and consent of both
parties, to apply required modifications in the detailed design in order to provide an up-to-date
protection solution against cyber-attacks. The aforesaid including the supply of the components
with the latest firmware, future protection architecture, future protection equipment, etc.
4.14. The awardee supplier will implement a number of separate logical communication networks for the control systems, depending on the architecture to be determined by the supplier and the customer.
4.15. All equipment connected to Ethernet-based communications will be monitored (as detailed below).
4.16. All control equipment will have the ability to send logs of a generic and uniform type, to be collected from the various equipment.
4.17. The control systems will operate in accordance with a uniform network time synchronization
mechanism “Network Time Protocol” - to synchronize the operating system clocks in
networks.
4.18. All systems will be hardened.
5. Specific requirements for cyber protection
5.1. Programmable controllers and equipment (PLC, DDC, RTU, IED, multimeters, speed regulators, etc.)
5.1.1. Hardening
5.1.1.1. Unused ports will be blocked and locked (Web, FTP, SSH, ICMP, Telnet).
5.1.1.2. Physical and logical locking of wireless capabilities (Wi-Fi, cellular and Bluetooth) and of physical connections such as USB that are not required in the permanent solution.
5.1.1.3. Prevention of retrieval / insertion of portable memory.
5.1.1.4. The awardee supplier commits to removing or cancelling "back doors" such as hard-coded credentials.
5.1.2. Identification
5.1.2.1. All controllers and / or end equipment, including end equipment connected to the control network via dry contacts, will be protected by a username and password that differ from the manufacturer's settings and have a length of at least 8 characters.
5.1.2.2. The password will be complex, composed of letters, numbers and special characters.
5.1.3. Additional capabilities
5.1.3.1. Ability to generate logs and transfer logs to external systems.
5.1.3.2. Presenting and saving logs, storing logs in the controller for research purposes.
5.1.3.3. Setting up dedicated ports for use.
5.1.3.4. Ability to disable unnecessary communication protocols.
5.1.3.5. Work mode support:
1 - Programming mode, which allows changing the logic.
2 - A mode in which the logic cannot be changed.
5.1.3.6. The controllers will comply with the Achilles Level 2 standard.
5.1.3.7. Configuration software files are digitally signed (if not available, a roadmap supporting the requirement must be presented).
5.1.3.8. The control system will set a uniform time for all controllers.
5.2. Control servers - SCADA, databases, HMI and engineering stations
5.1.4. In principle, each server (physical or virtual) will be used for one purpose only.
5.1.5. All control servers can be defined under the Control Domain and are subject to
hardening as defined in the GPO (this issue will be agreed between the awardee supplier
and the customer at the planning stage)
5.1.6. Hardening - The servers, applications, operator and engineering stations will undergo hardening of the operating system and application, in full according to best practice and the ordering party's instructions specified in this document.
5.1.7. Updates (software, hardware and firmware) - All components will be provided with up-to-date operating systems, firmware and hardware approved by the control system vendor. This includes all service packs and security updates.
5.1.8. Antivirus / Application Control
5.1.8.1. Behavior-based AV or AC will be installed on all servers and endpoints including
operator positions.
5.1.8.2. Updating of AV signatures (if any) will be done once per period as agreed by the
customer.
5.1.8.3. Installation of Offline updates will be enabled (see details below).
5.1.8.4. Support for Linux-based operating systems.
5.1.8.5. Transfer logs / alerts on anomalies detection.
5.1.9. Monitoring - A full audit trail will be set up to record all operations of the operators and
control engineer in the applications and operating systems. See detail below.
5.1.10. Backups - The servers will work in an on-line backup architecture.
5.1.11. Engineering station - will include all the tools and software required to change the application and modify the controllers' logic. Changes will be implemented only from the engineering station. It will be locked after a pre-defined period of time with no modification activity.
5.1.12. Time synchronization - All control systems will be fed from a uniform time system to
all networks.
5.1.13. All applications will run at the lowest possible permission level.
5.1.14. Default accounts - will be canceled or disabled.
5.1.15. Local firewall - It is required that a personal (host) firewall be enabled on Windows systems.
5.1.16. System interface error messages will not contain information about the nature or cause of
the error.
5.1.17. Recent usernames will not be displayed on the identification screens.
5.1.18. Accounts generated to run services will only be set up for those services. Dynamic
Interactive Login will not be enabled.
5.1.19. A screensaver will be activated, if possible, after a certain period.
5.1.20. In principle, all workstations (Windows 10 based) on the crane will run in a virtual environment over VMware products and will have the ability to connect to AD (Active Directory).
5.3. Separation between networks
5.1.21. If there are servers that serve the crane, for example OCR servers, the servers will be
installed in the port network (OT), at port addresses and will be connected to the crane by
performing NAT.
5.1.22. The awardee supplier will perform logical network separation (Layer 3) according to each network's task: operation, maintenance, management, video, cyber management.
5.1.23. Cables /harnesses to the various control networks will be in a unique color to each
network.
5.4. Segmentation
5.1.24. The awardee supplier is required to implement segmentation in the control networks.
5.1.25. The segments will be defined based on logical purpose including system role, user types,
geographical location, authorization levels and so forth.
5.1.26. No communication between segments will be possible except for a designated need for
which they are intended (precise definitions of protocols, ports and services).
5.1.27. The segments will be separated by a firewall, and a rule base will be defined according to the necessary features.
5.1.28. - 5.1.32. NA
5.1.33. A DMZ segment will be defined between the control network and the IT network.
5.5. Identification
5.1.34. Each entity on the network (person, machine, application) will have a unique profile
defined with a username, a strong password and a physical identification component.
5.1.35. All identification processes of the various systems, including HMI, SCADA and
engineering stations will be performed against a central user database (identification server)
dedicated to the control network.
5.1.36. Identification against the central database will be done in an encrypted manner.
5.1.37. Running applications on the control servers will require identification with the user
database, including a password that will be different from the factory settings. The
password has a length of at least 10 characters and a high level of complexity (letters,
numbers, and unique characters). The password will not be displayed on the screen.
5.1.38. Identification and entry to the engineering station and the HMI stations will require on
top of a password a biometric means or smart card managed in accordance with the central
user database.
5.1.39. Operators will identify themselves at the beginning of each shift.
5.1.40. Each user will be added to a group with defined authorizations (based on their role -Role
Based) defined in the central user pool.
5.1.41. Default accounts will be canceled on systems.
5.1.42. All inactive ports will be disabled.
5.1.43. Identification of computing and communication components will be done through the use of secure protocols (RADIUS, TACACS+) against a central identity database.
5.1.44. Protection of communication input ports, that is, identification at the network layer, will be performed by a NAC system combined with 802.1X, including Port Security, Sticky MAC and MAC filtering.
5.1.45. For highly reliable identification, the awardee supplier will use a PKI, biometric, etc.
solution.
5.1.46. The customer and the supplier will examine the solution at the architecture formation
stage.
5.6. Authorizations
5.1.47. User Authorizations will be locally managed in the crane equipment, subject to port
procedures in terms of password complexity.
5.1.48. Default users in the system will be eliminated.
5.1.49. The Authorizations mechanism will distinguish between viewing, updating and deleting,
creating and running.
5.1.50. Granting Authorizations will be based on Role Based Access Control (RBAC). Settings
will be made by the customer.
5.1.51. Authorizations will be granted on a "minimum required" basis - Least Privilege.
5.1.52. Granting Authorizations to users will be based on belonging to groups and on the
principle of "need to know". Administrative privileges and an administrator will be defined
only for necessary roles based on need only and in accordance with the required activity.
5.1.53. Control infrastructure users will be able to run programs and view the data according to
their personal Authorizations only.
5.1.54. The management of the “licenses” and eligibility for authorization will be dynamic and
constantly updated so that employees who have left or transferred positions will be deleted.
5.1.55. It is required to ensure the prevention of use and change of authorizations by unauthorized parties (authorizations at the application level).
5.1.56. Local Admin Authorizations will be revoked.
5.1.57. Any unauthorized activity will be reported via Log either from the operating system or
from the control applications.
5.1.58. Root, Administrator, Administrator group, Domain admin group, Enterprise admin group, DB owner and Schema admin will be disabled on servers.
5.7. Access management
5.1.59. KVM systems shall meet NIAP PPS 3.0 standard.
5.8. Wireless networks
5.1.60. Wireless technologies will not be used in the control networks (Bluetooth, RF, and Wi-
Fi) except for a GPS connection or any other connection approved by the customer.
5.1.61. No cellular communication will be used except with the port's approval and
responsibility.
5.9. Connecting mobile devices
5.1.62. It is forbidden to connect laptops or storage devices to the port networks. In exceptional cases, connection will be possible subject to CDR and the customer (APM)'s approval.
5.1.63. The use of personal computers, whether by the supplier or by subcontractors, will not be allowed, even for configuring components and programming the controllers. These operations will be performed from a dedicated computer stand provided for these purposes at the engineering station.
5.1.64. The above requirements apply throughout the life of the project including the
construction and installation phase.
5.10. Hardening
5.1.65. Components that require hardening:
1. Cyber protection components
2. Controllers of all kinds
3. Control systems and operating systems
4. Databases
5. Virtualization components
6. Storage components
7. Servers
5.1.66. The awardee supplier will apply hardening to the operating systems on the servers and endpoints in all control systems based on Windows, Linux or real-time operating systems, in their latest version and subject to the customer (APM)'s approval.
5.1.67. The hardening will be based on the implementation of tools in the network including
GPO.
5.1.68. If required by the customer, the supplier will provide a central security server for
hardening management at the end points and servers.
5.1.69. The hardening is detailed in Appendix A.
5.11. Interfaces and communication components (switches, routers, etc.)
5.1.70. No internet connection will be made from any point on the control network.
5.1.71. Communication between networks will be done through a firewall and after a Stateful
Inspection.
5.1.72. Only authorized traffic (protocols) will be defined in the communication components.
5.1.73. It is forbidden to connect a HUB to the communications network.
5.1.74. All switches will be managed.
5.1.75. The component can be identified using a dedicated protocol, including 802.1X.
5.1.76. It will be possible to duplicate the traffic of all the ports in the switch (port mirroring).
5.1.77. An Access Control List (ACL) can be configured.
5.1.78. A MAC address can be set for each port.
5.1.79. Time synchronization can be performed using the NTP protocol.
5.1.80. Logs of switch operations can be sent to an external address.
5.1.81. Ability to identify using a dedicated protocol (TACACS, RADIUS).
5.1.82. Local management of the switch will only be done using a dedicated computer.
5.12. Firewall in the control network
5.1.83. At the crane entrance, a firewall will be installed which will perform the NAT and clearly define the connection from the port's OT network to the crane.
5.1.84. The firewall will include an IPS module to protect against vulnerabilities arising from the operating systems of the stations installed in it.
5.1.85. Traffic routing between the segments will be performed using a dedicated FW for the control infrastructure.
5.1.86. The firewall will be a threat-based next-generation firewall.
5.1.87. The device will have DPI capabilities.
5.1.88. High availability firewall configuration (active / active and active / passive).
5.1.89. Support for division into VLAN groups and secure VPN access.
5.1.90. At the network protocol level it will support the protocols defined by the control and operating systems design (DNP3, Modbus TCP, OPC, PROFINET, ...) or any protocol defined and approved by the customer (APM).
5.1.91. Deviations will be reported using logs to the SIEM system.
5.1.92. Monitoring and restricting the access of software and people through the network by means of rules, at layers L2 and L3.
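The following is an added example (not part of this appendix and not any vendor's product) that models the inter-segment rule base called for in 5.1.26-5.1.27 and in 5.1.90-5.1.92: an explicit allow list of (source segment, destination segment, protocol, port, designated need), with everything else denied, a lint that rejects imprecise rules, and an audit that returns the denied flows that 5.1.91 says must reach the SIEM. The segment names, address ranges, hosts and flows are constructed for illustration; the real rule base is agreed between supplier and customer at the design stage.

```python
# Added example, not part of the Ashdod Port appendix or any vendor product:
# a model of the segment-to-segment rule base required by 5.1.26/5.1.27 and
# 5.1.90/5.1.92. Segment names, address ranges and the allowed flows are
# constructed for illustration; the real rule base is agreed at design time.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segment plan (example addresses, not the port's).
SEGMENTS = {
    "hmi":  ip_network("10.10.1.0/24"),   # operator stations
    "plc":  ip_network("10.10.2.0/24"),   # controllers
    "eng":  ip_network("10.10.3.0/24"),   # engineering station
    "mgmt": ip_network("10.10.9.0/24"),   # log collector / cyber management
}

# Registered ports of the industrial protocols the appendix names.
PORTS = {"modbus-tcp": 502, "dnp3": 20000, "opc-ua": 4840, "syslog": 514}

@dataclass(frozen=True)
class Rule:
    src: str      # source segment name
    dst: str      # destination segment name
    proto: str    # "tcp" or "udp"
    port: int     # destination port; 0 would mean "any", which the lint rejects
    purpose: str  # the "designated need" that justifies the flow

# Explicit allow list; any inter-segment flow not listed here is denied.
RULES = [
    Rule("hmi",  "plc",  "tcp", PORTS["modbus-tcp"], "operator polling"),
    Rule("eng",  "plc",  "tcp", PORTS["modbus-tcp"], "logic download from engineering station"),
    Rule("plc",  "mgmt", "udp", PORTS["syslog"],     "controller logs to collector"),
]

def segment_of(ip):
    """Name of the segment an address belongs to, or None if unknown."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def evaluate(src_ip, dst_ip, proto, port, rules=RULES):
    """Decide one flow under the default-deny policy; returns (decision, reason)."""
    s, d = segment_of(src_ip), segment_of(dst_ip)
    if s is None or d is None:
        return "deny", "unknown segment"
    if s == d:
        # Assumption: intra-segment traffic is outside this rule base.
        return "allow", "intra-segment"
    for r in rules:
        if (r.src, r.dst, r.proto, r.port) == (s, d, proto, port):
            return "allow", r.purpose
    return "deny", "no designated need"

def lint_rules(rules):
    """Return rules that are not precise (unknown segment, any port, no stated purpose)."""
    problems = []
    for r in rules:
        precise = (r.src in SEGMENTS and r.dst in SEGMENTS
                   and r.proto in ("tcp", "udp") and 0 < r.port < 65536)
        if not precise or not r.purpose.strip():
            problems.append(r)
    return problems

def audit(flows, rules=RULES):
    """Evaluate (src, dst, proto, dport) records; return the denied ones for SIEM reporting."""
    return [(f, reason) for f in flows
            for decision, reason in [evaluate(*f, rules=rules)] if decision == "deny"]

if __name__ == "__main__":
    sample_flows = [  # constructed flow records
        ("10.10.1.5", "10.10.2.7", "tcp", 502),   # HMI polling a PLC: allowed
        ("10.10.9.1", "10.10.2.7", "tcp", 502),   # management segment to PLC: not listed
        ("10.10.1.5", "10.10.2.7", "tcp", 22),    # SSH from HMI to PLC: not listed
    ]
    for flow, reason in audit(sample_flows):
        print("DENY", flow, reason)
```

Every allowed flow carries its purpose, so the review the clause asks for ("precise definitions of protocols, ports and services") can be done on the rule list itself, and a rule without a stated need or with a wildcard fails the lint before it is deployed.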
6. Additional requirements
6.1. Remote connection for maintenance needs outside the port
6.1.1. Remote connection will be made according to APM procedures.
6.1.2. Connection for operational purposes
6.1.2.1. In the case of a remote operating room, the room will be managed as part of the
crane and optical fibers from the crane will be routed to it. This is mainly for the
transfer of protocols that do not pass over IP.
6.1.2.2. Protocols that go over IP can be transferred to the operating room through the firewall by enabling appropriate routing.
6.2. Backups
6.1.3. The backups and logs will be saved using dedicated backup software and in accordance
with the architecture to be decided between the supplier and the customer.
6.1.4. NA
6.1.5. It will be possible to perform periodic automatic backups as defined by the customer.
6.1.6. Data history will be maintained for a period as defined by the customer.
6.1.7. The backups will include:
1. Configurations of the control systems and controllers.
2. Operating systems (Images).
3. Configuration of communication systems.
4. Applications.
5. Databases.
6. Files and other relevant information.
6.3. NA
6.4. Manage changes and updates
6.1.8. Any manufacturer update requires CDR prior to installation, as set out in the port procedures.
6.1.9. Management system for logic version and updates
6.1.9.1. The control system will have the ability to automatically back up and manage the
logic versions of controllers and the SCADA application (visual screens and logical
settings).
6.1.9.2. The system will detect version changes and alert when changing versions,
including the possibility of comparing versions.
6.1.9.3. Managing the history of changes between versions, maintaining them on a central server and presenting them, including what the change was, when it was made and by whom, and where the specific version can be found.
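As an added example (not from this appendix and not a vendor's version-management product), the following minimal tracker shows the mechanics behind 6.1.9.1-6.1.9.3: each project file is fingerprinted with SHA-256, a check-in records what changed, when, by whom and where the version is stored, and a drift check alerts when the logic currently on a controller no longer matches the last approved version. The project files, user names and server paths are constructed in memory for the example; a real deployment would read the files exported from the engineering station and keep the history on the central server.

```python
# Added example, not from the appendix or any vendor tool: a minimal logic
# version tracker illustrating clauses 6.1.9.1-6.1.9.3. Project files, users
# and storage locations below are constructed for the example.
import hashlib
import json
from datetime import datetime, timezone

def fingerprint(files):
    """Map each project file (path -> bytes) to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}

def compare(old, new):
    """Classify the differences between two fingerprints (6.1.9.2)."""
    return {
        "added":   sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "changed": sorted(p for p in new if p in old and old[p] != new[p]),
    }

class VersionHistory:
    """Central record of what changed, when, by whom and where it is stored (6.1.9.3)."""

    def __init__(self):
        self.baseline = {}   # fingerprint of the last approved version
        self.entries = []    # one entry per version

    def check_in(self, files, who, location, when=None):
        """Record a new version if anything changed; return the entry or None."""
        new = fingerprint(files)
        delta = compare(self.baseline, new)
        if not any(delta.values()):
            return None                      # identical to the baseline: no new version
        entry = {
            "version": len(self.entries) + 1,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "who": who,
            "where": location,               # where this version can be found
            "delta": delta,
            # digest of the whole fingerprint, so the version can be verified later
            "digest": hashlib.sha256(json.dumps(new, sort_keys=True).encode()).hexdigest(),
        }
        self.entries.append(entry)
        self.baseline = new
        return entry

    def detect_drift(self, files):
        """Alert when the logic read back from a controller differs from the approved baseline."""
        delta = compare(self.baseline, fingerprint(files))
        return delta if any(delta.values()) else None

if __name__ == "__main__":
    # Constructed project files for one crane (not real controller code).
    v1 = {"crane07/main.awl": b"NETWORK 1\nA I0.0\n= Q0.0\n", "crane07/hmi.xml": b"<screens/>"}
    history = VersionHistory()
    print(history.check_in(v1, who="eng.levi", location="ver-server:/crane07/v1"))
    v2 = dict(v1, **{"crane07/main.awl": b"NETWORK 1\nA I0.1\n= Q0.0\n"})
    print(history.check_in(v2, who="eng.cohen", location="ver-server:/crane07/v2"))
    print(history.detect_drift({"crane07/main.awl": b"tampered"}))
```

The drift check is what turns the archive into a detection control: comparing the logic read back from the controllers against the baseline on a schedule surfaces an unrecorded change, whether from an unauthorized download or from a mistake, as a "changed" or "removed" entry that can be raised as an alert.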
6.1.10. Patch Management
6.1.10.1. A control (server) system will be installed to distribute the updated versions of all
managed devices on the network in an orderly and controlled manner (operating
systems for servers, communication components, etc.).
6.1.10.2. The above server will have software for scheduling and deploying approved repair versions at desired times, or for manual deployment to certain groups or devices.
6.1.10.3. Display detailed results from a single platform that includes information on
missing fixes, hardware levels, links to a database, version dates, descriptions and
more.
6.1.10.4. It will be possible to undo changes to unstable patches on some devices (Roll Back / Snapshot).
6.1.11. Up-to-date cyber protection systems (FW, AV, etc.)
6.1.11.1. On the crane workstations and under the manufacturer's responsibility, an antivirus / EDR will be installed to detect anomalous behavior and report it to the central logging system.
6.1.11.2. This system will be based on unusual behavior algorithms and without signatures.
6.1.11.3. The cyber systems will have signature management and vulnerability
management mechanisms updated to the delivery date of the cranes and systems.
6.1.11.4. At the main communication nodes in the crane, TAPs or sensors will be installed
by the manufacturer, under his responsibility, which will allow connection to the
port systems without interrupting crane operation, in order to detect anomalous
activity.
6.1.11.5. The winner will write a procedure for distributing updates (hardware and
software), to be presented at the detailed design stage, that addresses security issues
periodically published by the manufacturers and the professional community.
CDR
6.1.11.6. All information delivered to the port network will be transmitted through a CDR
process (a system containing several AV engines).
6.1.11.7. The information will be forwarded to the control network through media dedicated
to this purpose.
Additional requirements for cyber components
6.1.12. Each cyber component in the proposed solution will be provided and installed on a
separate physical server.
6.1.13. The server specifications to be provided will meet the recommended requirements of the
systems manufacturer. Automatic backup arrays (at least RAID 5) will be planned.
Installation on a virtual server will be performed only with the consent of the customer.
6.1.14. Each cyber component in the proposed solution will be from one of the manufacturers
indicated in the BOM, or an equivalent pending customer approval.
Monitoring and Control
6.1.15. Traffic monitoring will be performed for all information passing between the control
center and the cranes and within the segments themselves. Monitoring will be performed by
the customer (APM)'s IDS systems.
6.1.16. The switches and routers will be able to mirror network traffic using Port
Mirror or SPAN port settings.
6.1.17. Monitoring will be performed throughout the day (24 hours).
6.1.18. Monitoring system management will be performed from a dedicated segment.
6.1.19. In critical systems, all critical operations will be monitored including external
connections.
6.1.20. In case of a deviation, an alert will be sent to the SIEM systems at the port.
6.1.21. All control systems will send logs in a generic syslog CEF format to the port's SIEM
system.
6.1.22. Events will be sent when:
1. Anomalies and offenses are identified.
2. Actions contrary to the policy defined in the system are performed.
6.1.23. Among the events to be monitored:
1. Configuration of key control components, configuration changes and saves, attempts to
access control systems, changes to system settings, malware including viruses,
worms and various cyber-attacks.
2. Domain identification mechanism: failed attempts, access from multiple sites
simultaneously, detection of attempts to connect an unidentified component, logins,
login attempts (failed and successful) to applications, system administration
operations (user creation, editing and deletion), remote control, modification of settings
and parameters.
3. Attempts to delete and edit log entries, failed attempts to view log entries, transfer of
operations and information to communication or operational interfaces.
6.1.24. Each event will include the following fields:
1. Date and time.
2. Source of the operation (for example IP, domain, host name, MAC).
3. Success or failure of the event.
4. Description of the operation - what was done and the content of the relevant event.
6.1.25. Log files will be kept for at least a retention period determined by the customer.
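The requirements above fix the transport (syslog, CEF format), the event classes to report, the mandatory fields of each event and the conditions under which the port's SIEM is alerted. The following is an added example, not part of this specification or of any vendor's product, showing what a compliant event looks like end to end: a builder that emits CEF:0 lines with correct escaping, a parser that the SIEM side can use, a validator for the mandatory fields of 6.1.24, and two SIEM-side rules for the deviations of 6.1.22 (repeated failed logins from one source; any log-tampering or malware event). The vendor and product strings and the event class identifiers are constructed placeholders; a real deployment would use the crane manufacturer's own values.

```python
"""Build, parse and validate CEF-over-syslog events for the monitored event
classes of 6.1.22-6.1.24, plus two SIEM-side rules. Added example, not part
of the specification; vendor/product strings and the event class IDs are
constructed placeholders."""
import re
from collections import Counter
from datetime import datetime

# Constructed mapping of the monitored categories (6.1.23) to CEF
# signature IDs: id -> (event name, severity 0-10).
EVENT_CLASSES = {
    "CONFIG_CHANGE": ("Control configuration changed", 6),
    "AUTH_FAIL": ("Failed login attempt", 5),
    "AUTH_OK": ("Successful login", 2),
    "ADMIN_USER": ("User created, edited or deleted", 6),
    "REMOTE_CTRL": ("Remote control session", 5),
    "LOG_TAMPER": ("Log entry deleted or edited", 9),
    "MALWARE": ("Malware detected", 10),
}
# Extension keys carrying the mandatory fields of 6.1.24:
# time, source of the operation, success/failure, description.
REQUIRED_EXT = ("rt", "src", "outcome", "msg")
VENDOR, PRODUCT, DEV_VERSION = "ExampleVendor", "CraneController", "1.0"  # placeholders
RT_FORMAT = "%b %d %Y %H:%M:%S"


def _esc_header(v):
    return v.replace("\\", "\\\\").replace("|", "\\|")   # header escapes \ and |


def _esc_ext(v):
    v = v.replace("\\", "\\\\").replace("=", "\\=")      # extension escapes \ and =
    return v.replace("\r", " ").replace("\n", " ")       # keep one syslog line


def build_cef(event_class, when, src, outcome, msg, **extra):
    """Return one CEF:0 line for an event of a known class."""
    name, severity = EVENT_CLASSES[event_class]
    header = "|".join(_esc_header(x) for x in
                      ("CEF:0", VENDOR, PRODUCT, DEV_VERSION, event_class, name, str(severity)))
    ext = {"rt": when.strftime(RT_FORMAT), "src": src, "outcome": outcome, "msg": msg, **extra}
    return header + "|" + " ".join(f"{k}={_esc_ext(str(v))}" for k, v in ext.items())


def _split_header(line):
    """Split the seven header fields on unescaped '|'; return (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):          # escaped character
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, line[i:]


# key=value pairs; a value runs until the next " key=" or end of line.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Parse a CEF line into a dict; raise ValueError on a malformed header."""
    fields, ext = _split_header(line.strip())
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 line")
    rec = dict(zip(("version", "vendor", "product", "dev_version",
                    "event_class", "name", "severity"), fields))
    rec["severity"] = int(rec["severity"])
    rec["ext"] = {k: re.sub(r"\\(.)", r"\1", v) for k, v in _EXT_RE.findall(ext)}
    return rec


def validate(rec):
    """Return the list of 6.1.24 violations for a parsed record (empty = ok)."""
    problems = []
    if rec["event_class"] not in EVENT_CLASSES:
        problems.append(f"unknown event class {rec['event_class']}")
    if not 0 <= rec["severity"] <= 10:
        problems.append("severity out of range")
    problems += [f"missing field {k}" for k in REQUIRED_EXT if not rec["ext"].get(k)]
    if rec["ext"].get("outcome", "failure") not in ("success", "failure"):
        problems.append("outcome must be success or failure")
    try:
        datetime.strptime(rec["ext"].get("rt", ""), RT_FORMAT)
    except ValueError:
        problems.append("rt is not a parseable timestamp")
    return problems


def triage(records, fail_threshold=3):
    """SIEM-side rules for the deviations of 6.1.22: repeated failed logins
    from one source, and any log tampering or malware event."""
    alerts = []
    fails = Counter(r["ext"].get("src") for r in records if r["event_class"] == "AUTH_FAIL")
    alerts += [f"{n} failed logins from {src}" for src, n in fails.items() if n >= fail_threshold]
    alerts += [f"{r['event_class']} from {r['ext'].get('src')}: {r['ext'].get('msg')}"
               for r in records if r["event_class"] in ("LOG_TAMPER", "MALWARE")]
    return alerts
```

The escaping rules are the part most often got wrong in practice: a pipe inside a header field and an equals sign inside an extension value must be escaped or the SIEM mis-parses the event, which is why the parser here walks the header character by character instead of splitting on every `|`. The `validate` step is what an acceptance test (section 9) would run over a captured sample of the crane's log stream.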
Physical Protection
6.1.26. The control cabinets will have a built-in door-locking device that requires an external
key.
6.1.27. Network equipment (switches and routers) will be located in communication rooms with
an alert and detection mechanism for access; the equipment will be installed in
communication cabinets and backed up by UPS systems.
6.1.28. The control servers and databases will be located in a communication room with an alert
and detection mechanism for access; the equipment will be installed in
communication cabinets and backed up by UPS systems.
6.1.29. End equipment will be connected / locked in a way that it cannot be removed.
Supply Chain - Delivery and Storing the Equipment
7.1.1. The components of the control systems and cyber security equipment must be stored and
supplied in a way that reduces the risk of damage or attack.
7.1.2. The supplier must provide a complete list of all components (name, model, serial
number) prior to delivery and supply and confirm that the equipment received is correct at
the time of delivery.
7.1.3. On arrival, APM will make sure that the equipment is packed in cardboard boxes sealed
with duct tape. The manufacturer must mark the box and the adhesive tape with his own
stamp to make sure that the boxes were not opened during delivery. The supplier must
make sure that the boxes have not been opened until the delivery date.
7.1.4. Initial access passwords to the equipment will be provided separately and will not be
stored with the equipment.
7.1.5. All equipment is required to be stored in a secured warehouse which has been approved
in advance by the security officer. Entrance to the storage room will be accompanied by a
member of the security staff and with the approval of the project manager.
Documentation and Training
Documentation
8.1.1 The awardee supplier will prepare a detailed folder containing documentation and full
details regarding all parts of the system including architectural diagrams of the defense
systems (physical, logical, information flows and processes).
8.1.2 List of components in each network and infrastructure and their specifications.
8.1.3 Configuration of the protection components in cyber operating systems.
8.1.4 List of hardening performed.
8.1.5 The awardee supplier will prepare procedures and work instructions for managing the
cybersecurity systems including handling faults or operating the system while a cyber-
incident is suspected.
Training
8.1.6 As part of the commissioning, training will be required for the operation of cyber defense
systems.
8.1.7 The training sessions will be recorded and documented to preserve the information.
ATP / SAT and Utilization Tests
9.1. Delivery of the cranes and all associated systems will be subject to the success of the SAT (Site
Acceptance Test) process. Only a successful SAT will cause the system to be considered complete in
terms of cyber protection, and the warranty period will begin.
9.2. The customer (APM) or his legal representative will conduct an audit of compliance with the cyber
requirements as part of the process of transferring responsibility for all the systems and facilities. The
audit will check the protection system configuration and the connectivity between the systems, in
accordance with the formulated architecture, both in terms of quality and integrity of execution.
9.3. During the audit, all the various documents of the cyber protection system will be presented -
architecture, specifications, configuration, etc.
9.4. Gaps in cyber defense agreed by the parties will be presented.
9.5. Limitations of the defense system that the awardee supplier undertook to implement but that were
not implemented in execution will be presented, whether due to physical limitations of the control
equipment / network or to limitations discovered during the project.
9.6. Cyber defense mechanisms will not be a point of failure in terms of performance impact. The
awardee supplier will design the solution so that the cyber components do not affect operation and are as
imperceptible as possible. The awardee supplier will perform load analysis for equipment and
systems for the customer (APM)'s approval.
9.7. The awardee supplier will hand over the system after performance and weakness testing, and will
update it to the latest versions of the system, including performing the actions required
to mitigate the vulnerabilities that have been publicly posted on the various CVE websites.
9.8. The supplier will check that all unnecessary software and development tools have been removed
from the various systems.
9.9. The awardee supplier will subcontract an independent external company (from a company
list) to perform resilience tests for the control systems prior to delivery. A company not from
this list will require the approval of the customer. The awardee supplier undertakes to address
any deficiencies that may arise in the results of the resilience tests.
9.10. The customer (APM) may simultaneously perform independent resilience tests for systems, the
awardee supplier undertakes to address any deficiencies that will arise in the results of the
independent resilience tests.
Hardening - General Definitions
1. Defining required services and eliminating other unnecessary services.
2. Block all default accounts, services, and unnecessary ports.
3. Revoking user authorization for unnecessary protocols.
4. Hardening BIOS (setting a login password to prevent change of booting order, removing or adding
components, disabling / adding interfaces, etc.).
5. Disable all wireless communication.
6. Disable the automatic updates.
7. Define screen lock after certain time period has passed.
8. Disable remote connection (where not required).
9. Prohibit sharing of resources or files (where not required).
10. Define static IP addresses only.
11. Each user will be able to connect to only one station at a given time.
12. Disable all unnecessary USB connections.
13. Setting user rights to differ from the default permissions.
14. Disabling the option to remove or install software / hardware.
15. Operator stations - preventing access to computer settings or the performance of unnecessary actions.
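Most of the items in this list can be checked mechanically by comparing what a station actually exposes against an approved baseline of what it needs. The following added example (not from this specification, and not a supplier's tool) shows that baseline-versus-actual pattern for items 1, 2 and 5 to 12 over a constructed configuration snapshot of an operator station; the snapshot layout, the baseline values and the sample host are all assumptions chosen for illustration, and the collector that would produce such a snapshot from a real host is out of scope here.

```python
"""Audit a workstation configuration snapshot against the hardening list
above (items 1, 2, 5-12). Added example, not from the specification; the
snapshot layout, the baseline and the sample host are constructed."""

# Constructed baseline for an operator station: required services and
# ports are allowed, everything else found on the host is a finding.
BASELINE = {
    "required_services": {"plc-gateway", "hmi-runtime", "syslog-forwarder"},
    "allowed_ports": {502, 44818},          # Modbus/TCP, EtherNet/IP (assumed)
    "default_accounts": {"guest", "admin", "administrator", "operator"},
    "max_lock_minutes": 10,
    "remote_access_required": False,
    "file_sharing_required": False,
}

# Constructed snapshot, as a collector script might report it.
SAMPLE_HOST = {
    "services": ["plc-gateway", "hmi-runtime", "syslog-forwarder", "print-spooler"],
    "listening_ports": [502, 44818, 3389],
    "accounts": [{"name": "guest", "enabled": True},
                 {"name": "crane-op", "enabled": True}],
    "interfaces": [{"name": "eth0", "type": "wired", "enabled": True, "dhcp": True},
                   {"name": "wlan0", "type": "wireless", "enabled": True, "dhcp": False}],
    "auto_update": True,
    "screen_lock_minutes": 5,
    "remote_access": False,
    "file_sharing": False,
    "sessions_per_user": 1,
    "usb_storage_enabled": False,
}


def audit_host(host, baseline=BASELINE):
    """Return a sorted list of (hardening item number, message) findings."""
    f = []
    extra = set(host["services"]) - baseline["required_services"]
    if extra:
        f.append((1, f"unnecessary services running: {sorted(extra)}"))
    defaults = sorted(a["name"] for a in host["accounts"]
                      if a["enabled"] and a["name"].lower() in baseline["default_accounts"])
    if defaults:
        f.append((2, f"default accounts still enabled: {defaults}"))
    ports = set(host["listening_ports"]) - baseline["allowed_ports"]
    if ports:
        f.append((2, f"unnecessary listening ports: {sorted(ports)}"))
    wifi = [i["name"] for i in host["interfaces"] if i["type"] == "wireless" and i["enabled"]]
    if wifi:
        f.append((5, f"wireless interfaces enabled: {wifi}"))
    if host["auto_update"]:
        f.append((6, "automatic updates enabled; updates must come from the patch server"))
    lock = host["screen_lock_minutes"]
    if lock is None or lock > baseline["max_lock_minutes"]:
        f.append((7, f"screen lock missing or too long ({lock} min)"))
    if host["remote_access"] and not baseline["remote_access_required"]:
        f.append((8, "remote connection enabled where not required"))
    if host["file_sharing"] and not baseline["file_sharing_required"]:
        f.append((9, "file/resource sharing enabled where not required"))
    dhcp = [i["name"] for i in host["interfaces"] if i["enabled"] and i["dhcp"]]
    if dhcp:
        f.append((10, f"interfaces using DHCP instead of static addressing: {dhcp}"))
    if host["sessions_per_user"] != 1:
        f.append((11, f"users may hold {host['sessions_per_user']} concurrent sessions"))
    if host["usb_storage_enabled"]:
        f.append((12, "USB storage enabled"))
    return sorted(f)


if __name__ == "__main__":
    for item, msg in audit_host(SAMPLE_HOST):
        print(f"item {item:2d}: {msg}")
```

The point of keeping the baseline separate from the checks is that "unnecessary" (items 1 and 2) is only meaningful relative to the documented list of required services and ports for that station type; the same audit function can then be run with a different baseline for engineering stations or servers, and the finding list doubles as the "list of hardening performed" required under 8.1.4 once it comes back empty.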
Information required from the supplier regarding system components
Devices and components list: A complete list of devices and applications should be delivered to the owner before the start of commissioning, with the following details:
1. Device type
2. General description of the device
3. Description of the device's interaction with the system
4. Manufacturer name
5. Model / version / operating system
6. Service provider / maintenance
7. Is the device under a warranty or support contract?
8. Is the device's version under manufacturer support?
9. Criticality level of the device
10. What is the potential damage (device sabotage)?
11. Is the device backed up?
12. Physical location
13. Device accessibility level
14. Is there remote support?
15. Is the component physically protected?
16. Update level
17. Does the component produce logs?
18. Are log files activated?
19. Whether the component reports to a monitoring system such as SIEM
20. Type of authentication
21. Hardening
22. Type of data traffic protocol
23. Is data traffic monitored?
24. Permission level to the device