Automated Patch Management Service - Emerson


Service Data Sheet
November 2020

Automated Patch Management Service

- Establish a successful and proactive patch management strategy
- Ensure the availability and business continuity of your DeltaV process control system
- Reduce manual system administrative activity and delays associated with software updates

The Emerson Automated Patch Management Service is a combination of people, technology and best practices designed to automate the routine aspects of manual security software update deployment.

Introduction

Every month there are new Microsoft Windows OS security updates, McAfee Endpoint Security for DeltaV Systems antivirus updates, Symantec Endpoint Protection antivirus updates and DeltaV DCS hotfixes that need to be acted upon. Emerson's Automated Patch Management Service provides an effective solution that addresses the key deployment steps: identification of required Emerson-approved updates, acquisition of update executables, distribution to the appropriate DeltaV DCS nodes, and installation.

Benefits

Establish a successful and proactive patch management strategy: Automated Patch Management Service automates the routine aspects of software update deployment for timely, dependable implementation, while freeing staff to devote more time to the business. For large systems, the savings can add up to hundreds of hours per year. Automated Patch Management Service identifies the appropriate Microsoft Windows security patches, tests them on DeltaV DCS and advises the customer on which DeltaV DCS hardware needs updating with which particular software patches, on an individual system-by-system basis.

It is very common for the most critical security, antivirus and application hotfix updates to go uninstalled for extended periods of time, or not to be installed at all. Often the reasons are limited skilled resources and day-to-day judgment calls about what is more important: addressing an immediate need with a measurable business benefit, or deploying the current batch of system software updates with their unknown and often unquantified effect on system vulnerability.

Ensure the availability and business continuity of your DeltaV system: Emerson provides approved Microsoft Windows security updates as well as antivirus signature file updates on a regular basis. Experience has shown that many of the disruptive events reported to the Emerson Global Service Center could have been avoided had the relevant security update or hotfix been applied in a timely fashion.

Reduce manual system administrative activity and delays associated with software updates: Maintaining security patch management and hotfixes is essential to your system's security and availability. This automated service ensures that critical updates are deployed consistently. By delegating patching to Emerson's Automated Patch Management Service, site resources can focus on delivering quality product and bottom-line results, spending less time evaluating and deploying patches and more time focusing on process management.

[Figure: Emerson's Cybersecurity Management Solutions Process and Services Portfolio.
Cybersecurity Solutions: Automated/Manual Patch Management Services (WSUS & antivirus); Application Whitelisting; Security Information & Event Management (SIEM); DeltaV ACN Network Security Monitor; Backup & Recovery; Smart Firewalls, Smart Switches and Controller Firewalls; DeltaV Upgrade Services; Cybersecurity Remediation Services.
Periodic Audits: annual or semi-annual follow-up audit; reviews adherence to previous assessment results/remediation; reviews real-world cybersecurity changes and suggests any remediation necessary to protect from these changes.
Cybersecurity Assessments: Basic Cybersecurity Assessment & Report; On-site Cybersecurity Assessments & Report; Advanced Cybersecurity Assessment & Report; cybersecurity remediation analysis & recommendations.]

Cybersecurity Management Solutions

Automated Patch Management Service is an integral part of Emerson's Cybersecurity Management Solutions portfolio. A comprehensive cybersecurity solution consists of many different components, each one specific to reducing risks associated with various process control system entities. Emerson's Cybersecurity Management is an integrated approach to finding the best cyber solutions to fit your current process control system and existing plant security policies and procedures.

Cybersecurity Management solutions cover:
- Automated/Manual Patch Management Services (WSUS & antivirus patching)
- Disaster recovery
- Backup and recovery
- System Health Monitoring
- Application Whitelisting
- Network Security Monitor
- Security Information & Event Management (SIEM)
- Smart Firewalls, Smart Switches and Controller Firewalls
- On-site spare parts management
- Security consultation services
- Incident Response Services
- Development Services for IR Plan and Site Policies & Procedures Review

Reduction of the risks associated with the use of these solution components reduces the time spent on controllable issues and allows focus on other important day-to-day issues.

Automated Patch Management Service Architecture

Software service enablers are combined with Emerson's expert consultation and optional on-site commissioning to implement automated deployment capability for Microsoft Windows security updates, Symantec antivirus updates and DeltaV DCS hotfixes.

The software service enablers include:

- Guardian Software Update Delivery Service (GSUDS) Client: an Emerson software application available for systems enrolled in Guardian Support service. It solicits system hotfixes and approval information for Microsoft security updates from Emerson via the Internet. It is typically located on a web-facing Upstream Server.
- Guardian WSUS Interface (GWI): an Emerson software application that periodically loads new DeltaV hotfixes and the latest approval information for Microsoft security updates, and programmatically injects them into WSUS. It is typically located on the Downstream Server.
- Microsoft Windows Server Update Services (WSUS) version 3 or higher: a no-cost add-on to the Microsoft server operating system. At least two instances of WSUS are required: one on an Internet-facing server (Upstream Server) to solicit security updates from Microsoft, and a second on a non-DeltaV DCS server (Downstream Server) on the DeltaV side of the firewall, synchronized so that data moves between them. WSUS provides distribution and deployment capabilities for DeltaV hotfixes and Microsoft security updates respectively, but auditing and reporting only for Microsoft security updates. For DeltaV hotfix reporting refer to Guardian.

For McAfee Endpoint Security for DeltaV Systems:
- McAfee ePolicy Orchestrator Console (McAfee ePO): a software application that solicits antivirus updates either from Emerson or via the Internet, typically located on a server on the L2.5 or L3 network.
- McAfee Agent Handler: an application platform that deploys the antivirus updates obtained by the ePO console to the agents located on the DeltaV ACN nodes.

For Symantec Endpoint Protection Solutions:
- Symantec Live Update Administrator (LUA): a software application that solicits antivirus updates from Symantec via the Internet, typically located on the Upstream Server.
- Symantec Endpoint Protection Manager (SEPM): a software application that deploys antivirus updates obtained by the LUA, located on the Downstream Server.

Service Prerequisites

Automated Patch Management Service prerequisites:
- DeltaV installed in a domain environment, running DeltaV v13.3.1 software or later with Windows Server 2016 and Windows 10.
- System(s) enrolled in Guardian Support Service.
- Annual purchase of the Automated Patch Management Subscription Service for each System ID.
- For McAfee Endpoint Security for DeltaV Systems: licenses to use McAfee ePO, Agent Handler and agent clients (all supplied by Emerson).
- For Symantec Endpoint Protection: a license to use Symantec Live Update Administrator (LUA); a license to use Symantec Endpoint Protection Manager (SEPM) and clients; a support service contract from Symantec is recommended (all are the customer's responsibility to procure).
- A support contract from Microsoft for WSUS is recommended (customer's responsibility to procure).
- An Internet-accessible, server-class computer licensed for Microsoft Server (Upstream Server) to host the applications that require Internet access.
- Customer-managed network infrastructure that allows the Downstream Server to securely access the Upstream Server.
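As an added illustration of the GWI step described above, the following PowerShell applies a per-System-ID approval list to the Downstream Server's WSUS instance through Microsoft's UpdateServices module and then reads back the per-node compliance that the WSUS console reports. This is example code written for this page, not Emerson's GWI; the approval-list format, the KB numbers, the target group name "DeltaV Workstations", the SSL port and running it on the Downstream Server itself are all assumptions.

```powershell
# Added example, not Emerson's GWI code: applies an approval list to the
# Downstream Server's WSUS instance and reads back per-node compliance.
# Assumptions (all hypothetical): runs on the Downstream Server with the
# UpdateServices module (WSUS 3.0 SP2 / Windows Server 2012 or later),
# SSL enabled on port 8531, a target group named "DeltaV Workstations",
# and the constructed approval list below.
Import-Module UpdateServices

# Constructed sample approval list: one KB per line plus the WSUS target
# group that should receive it. A real list would come from Guardian metadata.
$approvalList = @'
KB,TargetGroup
4556813,DeltaV Workstations
4557957,DeltaV Workstations
'@ | ConvertFrom-Csv

function Import-ApprovalList {
    param(
        [Parameter(Mandatory)] $Wsus,   # IUpdateServer from Get-WsusServer
        [Parameter(Mandatory)] $List    # objects with KB and TargetGroup
    )
    # Fetch the unapproved updates once; match on KB number, not title,
    # because titles differ between architectures and languages.
    $candidates = Get-WsusUpdate -UpdateServer $Wsus -Classification All `
                                 -Approval Unapproved -Status Any
    foreach ($entry in $List) {
        $found = @($candidates | Where-Object {
            $_.Update.KnowledgebaseArticles -contains $entry.KB
        })
        if ($found.Count -eq 0) {
            # Not necessarily an error: the update may be superseded, or the
            # Upstream/Downstream synchronization may not have run yet.
            Write-Warning "KB$($entry.KB) not found among unapproved updates on this server"
            continue
        }
        # Approve for install in the named group only; other groups are untouched.
        $found | Approve-WsusUpdate -Action Install -TargetGroupName $entry.TargetGroup
        Write-Output "Approved KB$($entry.KB) ($($found.Count) package(s)) for '$($entry.TargetGroup)'"
    }
}

function Get-NodeComplianceReport {
    param([Parameter(Mandatory)] $Wsus)
    # The same numbers the WSUS console shows per computer, as objects so
    # they can be filtered, exported or forwarded to a SIEM.
    foreach ($node in $Wsus.GetComputerTargets()) {
        $s = $node.GetUpdateInstallationSummary()
        [pscustomobject]@{
            Node          = $node.FullDomainName
            LastReported  = $node.LastReportedStatusTime
            Needed        = $s.NotInstalledCount + $s.DownloadedCount
            Failed        = $s.FailedCount
            PendingReboot = $s.InstalledPendingRebootCount
        }
    }
}

$wsus = Get-WsusServer -Name 'localhost' -UseSsl -PortNumber 8531
Import-ApprovalList -Wsus $wsus -List $approvalList
# A node that has stopped reporting is as important as one with failures:
# a node that never checks in never gets patched.
Get-NodeComplianceReport -Wsus $wsus |
    Sort-Object Failed, Needed -Descending |
    Format-Table -AutoSize
```

Two checks are worth making before relying on a script like this. The Downstream Server must be running WSUS in autonomous mode: a replica server inherits its approvals from the Upstream Server and rejects local ones, so approval injection would silently do nothing. And the report covers only Microsoft updates, which is why the data sheet points to Guardian for DeltaV hotfix reporting.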

[Figure: Reference Architecture for Emerson Automated Patch Management Service utilizing McAfee Endpoint Security for DeltaV Systems software. Legend: AV = antivirus (McAfee Endpoint Security), E = McAfee ePO management console, A = McAfee Agent. Internet access passes through an application firewall (generic FTP). Level 4, Local LAN: Upstream Server running Guardian Software Update Delivery Service (GSUDS), Microsoft WSUS (Parent) and McAfee ePolicy Orchestrator. Level 3, DMZ layer: Emerson Smart Firewall. Level 2.5: Application Station. Level 2, ACN: Pro Plus Station, Operator Station and the Downstream Server running ePO Agent Handler, Guardian WSUS Interface (GWI), Microsoft WSUS (Client) and McAfee Agent Handler; each station carries a McAfee Agent and antivirus.]

[Figure: Reference Architecture for Emerson Automated Patch Management Service utilizing Symantec Endpoint Protection for DeltaV Systems software. Internet; Level 4, Local LAN: Historian Server, Data Server. Level 3, Patch Management Upstream Server: Symantec Antivirus Live Update Administrator (LUA), Microsoft WSUS (Parent), Guardian GSUDS Client. Level 3, DMZ layer. Workstation(s). Level 2, Patch Management Downstream Server: Symantec Endpoint Protection Manager (SEPM), Microsoft WSUS (Client), Guardian WSUS Interface (GWI). Level 2, ACN.]

[Figure: Sample WSUS Control Panel for deployment and audit of security updates.]

Operational Characteristics

Group policy or individual computer settings dictate how often each DeltaV application station and workstation contacts the Downstream Server for new Microsoft security updates, and what action to take when a new update is available. These settings require careful consideration. In a typical service deployment, antivirus updates are scheduled for automatic download and installation (these updates do not require reboots); Microsoft security updates are automatically downloaded according to a schedule, with local computer notification that an update is ready to install; and DeltaV hotfixes are only downloaded and installed upon request.

Automated Patch Management Services

While some customers prefer to design, install and start up their own solutions and simply use the Automated Patch Management subscription service to provide the downloaded metadata, Emerson also offers services to help customers integrate Automated Patch Management Service into their network infrastructure through evaluation, design and implementation services. These services include:

Automated Patch Management Evaluation: Emerson will work with the customer to evaluate their request for services. The evaluation will:
- Define the scope of work to be performed.
- Analyze the desired system architecture and any high-level technical considerations requested.
- Define any testing that may be required to further validate the overall system architecture and configuration desired.
- Provide an Evaluation Report outlining the customer request, considerations, and Emerson's recommendations.

Automated Patch Management Detailed Design: Based on the findings from the Patch Management Evaluation, this optional service will develop a proposed architecture, detailed configuration, and policies to test and verify proper functioning of the proposed Patch Management system. The detailed design phase may include:
- System staging based on the customer's desired system architecture and configuration. This pre-work will determine the best configuration and installation processes to be used on site. Equipment to be used in the plant can be provided by the customer for system staging.
- Detailed consultation regarding the newest features and enhancements contained in the new versions of Guardian Update Delivery Service, Windows Server Update Services, Symantec Endpoint Protection, and the Guardian WSUS Interface.
- An outline of the testing procedure to be performed.
- Complete test reports outlining notable system behavior and any installation and configuration issues found.
- A detailed roadmap indicating any site installation and configuration prerequisites required.
- Testing of any desired system modification identified during the Evaluation phase.

Automated Patch Management Implementation: Based on the findings of the evaluation and detailed design, Emerson will work with the customer to install, configure and implement Patch Management Service. Upon completion, an implementation report will be provided to the customer.

Please contact your Emerson Service Representative for a quote if these services are required at your site.

Automated Patch Management Annual Subscription Service

Automated Patch Management Service requires an add-on subscription service to Guardian. This subscription service enables Guardian to produce metadata specific to the customer's covered DeltaV systems. The metadata, along with the Guardian WSUS Interface software (GWI), will approve Microsoft security updates and import the DeltaV hotfixes required by the DeltaV System IDs configured.

Customers deploying Automated Patch Management Service without the use of Emerson services can purchase Consultation hours if assistance is required.
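The per-computer settings referred to under Operational Characteristics are Windows Update client policy values on each DeltaV node. As an added example written for this page (not Emerson code and not a DeltaV-specific recommendation), the following PowerShell audits those values against the behaviour the data sheet describes for Microsoft security updates (scheduled automatic download, local notification before install, no forced reboot) and corrects any drift. The Downstream Server name dv-wsus-down, the SSL port, the detection interval and the target group name "DeltaV Workstations" are assumptions.

```powershell
# Added example, not Emerson code. Audits and sets the Windows Update client
# policy on one node so that it reports to the Downstream Server over HTTPS,
# auto-downloads Microsoft security updates on a schedule, notifies before
# install, and never reboots a logged-on console on its own.
# Assumptions: server name dv-wsus-down, port 8531 (WSUS SSL default),
# target group "DeltaV Workstations", 22-hour detection interval.
# Run as administrator on the node, or push the same values by Group Policy.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

# Intended policy, keyed as "<registry path>|<value name>".
# HTTPS rather than HTTP matters: the client installs whatever the configured
# server hands it, so the channel to that server must be authenticated.
$Wanted = [ordered]@{
    "$PolicyKey|WUServer"                  = 'https://dv-wsus-down:8531'
    "$PolicyKey|WUStatusServer"            = 'https://dv-wsus-down:8531'
    "$PolicyKey|TargetGroupEnabled"        = 1    # client-side targeting on
    "$PolicyKey|TargetGroup"               = 'DeltaV Workstations'
    "$AuKey|UseWUServer"                   = 1    # intranet server, not Microsoft
    "$AuKey|NoAutoUpdate"                  = 0    # Automatic Updates enabled
    "$AuKey|AUOptions"                     = 3    # auto-download, notify before install
    "$AuKey|DetectionFrequencyEnabled"     = 1
    "$AuKey|DetectionFrequency"            = 22   # hours between checks (1..22)
    "$AuKey|NoAutoRebootWithLoggedOnUsers" = 1    # never reboot a running console
}

function Test-WsusClientPolicy {
    # Returns one object per value that differs from the intended policy.
    # An empty result means the node is compliant.
    foreach ($k in $Wanted.Keys) {
        $path, $name = $k -split '\|'
        $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ("$actual" -ne "$($Wanted[$k])") {
            [pscustomobject]@{ Path = $path; Name = $name; Expected = $Wanted[$k]; Actual = $actual }
        }
    }
}

function Set-WsusClientPolicy {
    foreach ($k in $Wanted.Keys) {
        $path, $name = $k -split '\|'
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $type = if ($Wanted[$k] -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $path -Name $name -Value $Wanted[$k] -PropertyType $type -Force | Out-Null
    }
    # Pick up the new policy and start a detection cycle against the Downstream Server.
    Restart-Service wuauserv
    & "$env:SystemRoot\System32\UsoClient.exe" StartScan   # Windows 10 / Server 2016 and later
}

$drift = @(Test-WsusClientPolicy)
if ($drift.Count -gt 0) {
    $drift | Format-Table -AutoSize
    Set-WsusClientPolicy
} else {
    'WSUS client policy already matches the intended deployment'
}
```

Because these live under HKLM\SOFTWARE\Policies, a domain Group Policy that sets different values will overwrite local edits at the next policy refresh, so in a domain environment the GPO is the place to make the change and this script is best used as a compliance check. No AUOptions value covers DeltaV hotfixes: as the data sheet says, those are downloaded and installed on request rather than by the Automatic Updates client.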

Automated Patch Management Project Support

Automated Patch Management Service is a solution composed of a combination of standard Emerson products and an engineered environment that delivers patches through a customer network to individual machines. Standard Guardian Support provides initial support for any issues or questions regarding the Automated Patch Management solution (including but not limited to WSUS and Symantec SEPM) through Emerson's Global Support Center (GSC). Relatively simple and straightforward questions and issues that are not site/system specific will be fully covered by Guardian Support. Issues and questions that are more complex and more site/system specific will most likely require an additional service contract, either through your local Emerson Service Representative and/or Emerson's Performance Service group.

In systems where an Emerson-supplied McAfee antivirus solution (Endpoint Security for DeltaV Systems) is part of the Automated Patch Management solution, Emerson Guardian Support extends to McAfee support issues as well.

Ordering Information

This subscription service requires that a current DeltaV DCS Guardian Support Contract covering the System IDs at a given plant site be in place. The model number selection is independent of whether the Emerson Endpoint Security for DeltaV Systems or the Symantec Endpoint Protection solution is utilized. Components of these solutions are not included with this subscription service offering.

Description | Model Number
Automated Patch Management Subscription Service: 1-Year Cybersecurity, Automated Patch Management; for Small Systems, less than 5,000 DSTs | VE9117SM
Automated Patch Management Subscription Service: 1-Year Cybersecurity, Automated Patch Management; for Medium Systems, 5,000 DSTs to 19,999 DSTs | VE9117ME
Automated Patch Management Subscription Service: 1-Year Cybersecurity, Automated Patch Management; for Large Systems, 20,000 DSTs or greater | VE9117LG
Automated Patch Management Subscription Service: 1-Year Renewal for Cybersecurity, Automated Patch Management; for Small Systems, less than 5,000 DSTs | VE9117SM-RENEW
Automated Patch Management Subscription Service: 1-Year Renewal for Cybersecurity, Automated Patch Management; for Medium Systems, 5,000 DSTs to 19,999 DSTs | VE9117ME-RENEW
Automated Patch Management Subscription Service: 1-Year Renewal for Cybersecurity, Automated Patch Management; for Large Systems, 20,000 DSTs or greater | VE9117LG-RENEW

This product and/or service is expected to provide an additional layer of protection to your DeltaV system to help avoid certain types of undesired actions. This product and/or service represents only one portion of an overall DeltaV system security solution. Emerson does not warrant that the product and/or service, or the use of the product and/or service, protects the DeltaV system from cyber-attacks, intrusion attempts, unauthorized access, or other malicious activity ("Cyber Attacks"). Emerson shall not be liable for damages, non-performance, or delay caused by Cyber Attack. Users are solely and completely responsible for their control system security, practices and processes, and for the proper configuration and use of the security products.

To learn more, contact your local Emerson sales office or representative, or visit www.emerson.com/cybersecurity

© 2020, Emerson. All rights reserved. The Emerson logo is a trademark and service mark of Emerson Electric Co. All other marks are the property of their respective owners.

Contact Us: www.emerson.com/contactus

The contents of this publication are presented for informational purposes only, and while diligent efforts were made to ensure their accuracy, they are not to be construed as warranties or guarantees, express or implied, regarding the products or services described herein or their use or applicability. All sales are governed by our terms and conditions, which are available on request. We reserve the right to modify or improve the designs or specifications of our products at any time without notice.
