Transcription
Service Data SheetOctober 2016Local Patch Management Update Service Establish a successful and proactive patchmanagement strategy Tailor a site-specific patch management service Ensure the availability and business continuityof your DeltaV systemThe Emerson Local Patch Management Update Serviceis a combination of people, technology and security bestpractices designed to ensure the availability of DeltaV DCS,maintain business continuity and reduce your systemadministrative activities.IntroductionBenefitsEvery month there are new Microsoft security updates,Symantec anti-virus updates and DeltaV distributed controlsystem (DCS) system hotfixes that need to be acted upon.Emerson’s Local Patch Management Update Service providesan effective delivery solution that address the five deploymentsteps — identification of required Emerson-approved updates,acquisition of update executables, distribution to appropriateDeltaV DCS nodes, installation and compliance auditing.Establish a successful and proactive patch managementstrategy : Emerson’s Patch Management Update Servicedelivers the routine aspects of software update deploymentfor timely dependable implementation, while freeing plantstaff to devote more time to your own priorities. For largesystems, this time savings can add up to hundreds of hours peryear. The Local Patch Management Update Service identifiesthe appropriate security patches required for DeltaV DCS andschedules updates to the DeltaV DCS hardware in a routinefashion common to your plant’s policies and procedures forsecurity patching.It is very common for the most critical security, anti-virusand application hotfix updates to go uninstalled for extendedperiods of time, or not be installed at all. Often the reasons aredue to limited skilled resources and day-to-day judgment callsabout what is more important; to either address an immediateneed with a measurable business benefit or deploy the currentbatch of system software updates with their unknown and oftenun-quantified effect on system vulnerability.
Local Patch Management Update ServiceOctober 2016Tailor a site-specific patch management service: Securitypatch management and hotfixes are essential to your system’ssecurity and availability. this service can be tailored to yoursite’s work practices and resource-load to ensure these criticalupdates are deployed uritySolutionsPeriodicAuditsCybersecurity Assessments Basic Cybersecurity Assessment& Report Advanced CybersecurityAssessment & Report Cybersecurity remediationanalysis & recommendationsCybersecurity Solutions Automated/Manual Patch ManagementServices (WSUS & antivirus) Application Whitelisting Security Information & EventManagement (SIEM) DeltaV ACN Network Security Monitor Backup & Recovery Smart Firewalls, Smart Switches andController Firewalls DeltaV Upgrade Services Cybersecurity Remediation ServicesPeriodic Audits Annual or semi-annual follow-up audit Reviews adherence to previousassessment results/remediation Reviews cybersecurity real-worldchanges and suggests any remediationnecessary to protect from these changesLocal Patch Management UpdateTiered Services SuiteEmerson offers a multi-tiered approach to the application ofMicrosoft security patching, Symantec antivirus signaturescreen updates and DeltaV DCS hotfix installations. Ensure the availability and business continuity of yourDeltaV system: Emerson tests and approves MicrosoftWindows security updates and antivirus signature files on aregular basis. Experience has shown many of the disruptiveevents reported to the Emerson Global Service Center couldhave been avoided, had the relevant security update or hotfixbeen applied in a timely fashion.Full Manual Service: Utilizing Emerson certified local serviceresources, this service provides a scheduled monthly (orquarterly) visit to your site in order to manually deploy therequired security patches and antivirus signature screenupdates on each DeltaV DCS node requiring these updates.Our service will determine what Emerson-approved patchesare required for which network nodes, deploy those patches,install and commission them as appropriate. A Guardian Support service contract is not needed for this service.Assisted Manual Service: Also utilizing Emerson certifiedlocal service resources, this service level provides a scheduledmonthly (or quarterly) visit to your site in order to deploythe required security patches and antivirus signature screenwww.emerson.com/cybersecurityupdates on each DeltaV DCS node requiring these updates.We will determine what Emerson-approved patches arerequired for which network nodes, deploy those patches,install and commission them as appropriate. A GuardianSupport service contract is not needed for this service.This service can also include the installation of local server(s)for the automatic downloading of the Microsoft (WSUS)monthly patches and/or the downloading of the SymantecLive Update Administrator (LUA) and monthly upkeep ofthese server(s). If hardware is required, this can be addedat the time on initial service and will be quoted as atadditional cost.This service also includes the manual transfer anddownloading of the Emerson-approved Symantec signaturescreen onto each appropriate network node. Retrieval ofthe approved Symantec signature screen would come fromthe on-site Symantec server running the LUA platform. Thecustomer is responsible for the purchase of appropriatelicenses from Symantec; however, the Emerson servicepersonnel will deploy these Symantec signature screens.2
Local Patch Management Update Service Assisted Manual Service for Guardian Support Customers:Also utilizing Emerson certified local service resources, thisservice level provides a scheduled monthly (or quarterly) visitto your site in order to deploy the required security patchesand antivirus signature screen updates on each DeltaV DCSnode requiring these updates. We will determine whatEmerson-approved patches are required for which networknodes, deploy those patches, install and commission them asappropriate. A Guardian Support service contract is neededfor this service. This service deliverable is two-fold: a reviewof the system’s Guardian Dashboard and deployment ofnecessary OS Security, Symantec antivirus patches and/orDeltaV DCS hotfixes.This service also includes the manual transfer anddownloading of the Emerson-approved Symantec signaturescreen onto each appropriate network node. Retrieval ofthe approved Symantec signature screen would come fromthe on-site Symantec server running the LUA platform. Thecustomer is responsible for the purchase of appropriatelicenses from Symantec; however, the Emerson servicepersonnel will deploy these signature screens.This service can also include the installation of local server(s)for the automatic downloading of the Microsoft (WSUS)monthly patches and/or the downloading of the SymantecLive Update Administrator (LUA) and monthly upkeep ofthese server(s).Local Patch Management UpdateServices DescriptionFull Manual Service: This Patch Management Update Service isa scheduled site-based service, delivered by your local Emersonservice representative and includes the following services: Deployment of Appropriate Microsoft Security Updates:{{ Determination of the required “Emerson-approved”Microsoft security patches needed for each device type.{{ Scheduled deployment, installation and commissioningof each identified patch for each node.{{ Emerson will supply required Microsoft patches. Deployment of Appropriate Symantec Antivirus SignatureScreen Updates:{{ Determination of the Emerson-approved Symantecantivirus signature screen needed for each device type.www.emerson.com/cybersecurityOctober 2016{{ Scheduled deployment of the selected Symantec antivirussignature screens for each device.{{ File must be locatable on the customer Symantec server.Assisted Manual Service: This Local Patch ManagementUpdate Service is a scheduled site-based service, delivered byyour local Emerson service representative and includes thefollowing services: Includes services necessary to set-up communicationsbetween the Microsoft WSUS website and the Symantecantivirus website.{{ Separate quotation for required server is also available Deployment of Appropriate Microsoft Security Updates:{{ Determination of the required “Emerson-approved”Microsoft security patches needed for each device type.{{ Scheduled deployment, installation and commissioning ofeach identified patch for each node.{{ Emerson will supply required Microsoft patches. Deployment of Appropriate Symantec Antivirus SignatureScreen Updates:{{ Determination of the Emerson-approved Symantecantivirus signature screen needed for each device type.{{ Scheduled deployment of the selected Symantec antivirussignature screens for each device.{{ File must be locatable on the customer Symantec server.Assisted Manual Service for Guardian Support Customers:This Local Patch Management Update Service is a scheduledsite-based service, delivered by your local Emerson servicerepresentative. Generally, the service is two-fold: a review ofthe system’s Guardian Dashboard status and deployment ofnecessary OS Security, Symantec antivirus patches and/orDeltaV DCS hotfixes installation. The Guardian Support Dashboard Review focuses on severalkey tiles:{{ System Profile - Provides system contentinformation relative to your DeltaV DCS includinglast update information.{{ Knowledge Based Articles (KBA’s) – Provides importantinsight into the update status and requirements of KBAsassociated with your DeltaV DCS.3
Local Patch Management Update Service{{ Microsoft Update Compatibility – Provides importantOctober 2016 A license to use Symantec Endpoint Protection Managerand clients (customer’s responsibility) and installedand operational Symantec LUA connection to theSymantec website. An Internet accessible server class computer licensedfor Microsoft Server 2008 (Upstream Server) to hostapplications that require Internet access.MS security update compatibility information about yourDeltaV system including last update information.{{ Lifecycle Status - Provides important lifecycle informationby node name and Emerson model number for all DeltaVDCS devices. Deployment of Appropriate Security Updates:{{ Determination of the required “Emerson-approved”Microsoft security patches needed for each device type.{{ Scheduled deployment, installation and commissioningAssisted Manual for Guardian Support CustomersLocal Patch Management Update Service prerequisites: Installed and operational Microsoft WSUS connection tothe Microsoft website. Each system ID must be enrolled in Guardian SupportService contract A license to use Symantec Endpoint Protection Managerand clients (customer’s responsibility) and installedand operational Symantec LUA connection to theSymantec website. An Internet accessible server class computer licensed forMicrosoft Server 2008 (Upstream Server) to host applicationsthat require Internet access.of each identified patch.{{ Determination of the required Symantec antivirussignature screens needed for each device type.{{ Scheduled deployment of the “Emerson-approved”Symantec antivirus signature screens for each device.{{ File must be locatable on the customer Symantec server Deployment of Appropriate DeltaV DCS Hotfixes:{{ Determination of the uninstalled DeltaV DCShotfixes needed.{{ Scheduled deployment, installation and commissioningof each identified hotfix.Service PrerequisitesLocal Patch Management UpdateService Architecture Full Manual Local Patch Management UpdateService prerequisites: A license to use Symantec Endpoint Protection Managerand clients (customer’s responsibility) and installedand operational Symantec LUA connection to theSymantec website.An Internet accessible server class computer licensedfor Microsoft Server 2008 (Upstream Server) to hostSymantec application.The software service enablers may include: Microsoft Windows Server Update Service (WSUS) version3 or higher. — A no-cost add-on to the Microsoft serveroperating system installed on a customer suppliedupstream server. Symantec Live Update Administrator (LUA) —a softwareapplication that solicits anti-virus updates from Symantec viathe Internet, typically located on a customer supplied server. Guardian Software Update Delivery Service (GSUDS) Client— an Emerson software application available for systemsenrolled in Guardian Support service. It solicits system hotfixes and approval information for Microsoft security updatesfrom Emerson via the Internet. (Required only for the AssistedManual for Guardian Support Customers option.)Assisted Manual Local Patch Management UpdateService prerequisites: Installed and operational Microsoft WSUS connection to theMicrosoft website.www.emerson.com/cybersecuritySoftware service enablers are combined with Emerson’sexpert consultation and optional on-site deploymentcapability for Microsoft security updates, Symantec anti-virusupdates and DeltaV DCS hotfixes.4
Local Patch Management Update ServiceOctober 2016Full ManualInternetLevel 4 - Local LANHistorianServerDataServerLevel 3 - Patch Management Server Symantec Anti-virus Live Update Administrator (LUA)Level 3 - DMZ LayerReceive Emerson will pre-prepare in advance,determining which files are needed fortransfer to the individual DeltaV devices.Pro PlusWorkstationApplicationWorkstation We will manually transfer the required filesto a CD, portable disk or USB thumb driveand then manually load, install and commissionfiles onto each device to be updated.OperatorWorkstationLevel 2 - ACNManually Distribute, Install and/or Reboot, as appropriateTypical Full Manual Local Patch Management Update Service Deployment Architecture.Assisted ManualInternetLevel 4 - Local LANHistorianServerDataServerLevel 3 - Patch Management Server Symantec Anti-virus Live Update Administrator (LUA) Microsoft WSUS (Parent)Level 3 - DMZ LayerReceive Automate the customer’s downloading processfrom the appropriate external websites in orderto have all the required files located on theircommon server.Pro tation We will prepare in advance, which devicesrequire which file updates, download, deployand commission all devices for the customer.Level 2 - ACNManually Distribute, Install and/or Reboot, as appropriateTypical Assisted Manual Local Patch Management Update Service Deployment Architecture.www.emerson.com/cybersecurity5
Local Patch Management Update ServiceOctober 2016Assisted Manual with GuardianInternetLevel 4 - Local LANHistorianServerDataServerLevel 3 - Patch Management Server Symantec Anti-virus Live Update Administrator (LUA) Microsoft WSUS (Parent) Guardian Support Contract DeltaV KBA with .BAT filesLevel 3 - DMZ LayerReceive Utilize the batch files to deliver the requiredsoftware updates.Pro tation Manually transfer/download the requiredfiles to a CD, portable disk or USB thumbdrive and then manually load, install,and commission files onto each deviceto be updated.Level 2 - ACNManually Distribute, Install and/or Reboot, as appropriateTypical Assisted Manual for Guardian Support Local Patch Management Update Service Deployment Architecture.www.emerson.com/cybersecurity6
Local Patch Management Update ServiceSeptember 2016Ordering InformationThis service requires a current DeltaV DCS Guardian Support Contract covering the System IDs at a given plant site be in place.DescriptionModel NumberLocal Patch Management Update Service –Full Manual SupportPlease Contact Your LocalEmerson Sales OfficeLocal Patch Management Update Service –Assisted Manual SupportPlease Contact Your LocalEmerson Sales OfficeLocal Patch Management Update Service –Assisted Manual Support for Guardian Support CustomersPlease Contact Your LocalEmerson Sales OfficeThis product and/or service is expected to provide an additional layer of protection to your DeltaV system to help avoid certain types of undesired actions. This product and/orservice represents only one portion of an overall DeltaV system security solution. Emerson does not warrant that the product and/or service or the use of the product and/or serviceprotects the DeltaV system from cyber-attacks, intrusion attempts, unauthorized access, or other malicious activity (“Cyber Attacks”). Emerson shall not be liable for damages, nonperformance, or delay caused by Cyber Attack. Users are solely and completely responsible for their control system security, practices and processes, and for the proper configurationand use of the security products.To learn how comprehensive Cybersecurity Management Services address your cybersecurity needs, contact your local Emersonsales office or representative, or visit www.emerson.com/cybersecurity.EmersonNorth America, Latin America:1100 W. Louis Henna Blvd.Round Rock, TX 78681-7430 1 800 833 8314 or 1 512 832 3774Asia Pacific:65 6777 8211Europe, Middle East: 41 41 768 6111www.emerson.com/cybersecurity 2016, Emerson Automation Solutions. All rights reserved.The Emerson logo is a trademark and service mark of Emerson Electric Co. All other marks are theproperty of their respective owners.The contents of this publication are presented for informational purposes only, and while everyeffort has been made to ensure their accuracy, they are not to be construed as warranties orguarantees, express or implied, regarding the products or services described herein or theiruse or applicability. All sales are governed by our terms and conditions, which are available onrequest. We reserve the right to modify or improve the designs or specifications of our productsat any time without notice.
Symantec Live Update Administrator (LUA) —a software application that solicits anti-virus updates from Symantec via the Internet, typically located on a customer supplied server. Guardian Software Update Delivery Service (GSUDS) Client — an Emerson software application av
