Contents
1 Scope ................................................................ 2
2 Conflicts and Deviations .................................... 2
3 Users ................................................................. 2
4 References ........................................................ 2
5 Definitions and Abbreviations ............................ 2
6 Introduction........................................................ 4
7 Corporate ICS Update Platform ......................... 4
8 Deployment Options .......................................... 4
9 Independent Upstream WSUS .......................... 5
10 Configure Windows Server to Run WSUS......... 5
11 Configuring WSUS to Receive Updates .......... 11
12 Export Updates from the Upstream WSUS ..... 15
13 Import Updates to the PAN WSUS .................. 17
14 E-Cabinet ........................................................ 18
Revision Summary ................................................. 19
1 Scope
The purpose of this best practice is to guide Process Automation Network (PAN)
administrators in setting up a secure mechanism to obtain operating system patches
through the corporate platform (E-Cabinet) or individually through an IT-provided
virtual machine. The critical and security updates shall be made available to the
internal Windows Server Update Services (WSUS) server, which can then deploy them to
its domain computers.
2 Conflicts and Deviations
In the event of a conflict between this best practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.
3 Users
The intended users of this document are Process Automation Network (PAN)
administrators in charge of rolling-out security updates and patches to automation
system workstations and servers.
4 References
This best practice is based on the latest edition of the references below, unless otherwise
noted.
5 Definitions and Abbreviations
5.1 Abbreviations
HDD Hard Disk Drive
PAN Process Automation Network (also: Plant Information Network)
PAS Process Automation System
PCN Process Control Network
5.2 Definitions
Hard Disk Drive (HDD): A data storage device used for storing and retrieving
digital information using one or more rigid (“hard”) rapidly rotating disks
(platters) coated with magnetic material.
Universal Serial Bus (USB): An external serial bus interface standard for
connecting peripheral devices to a computer.
6 Introduction
The prevalence of open-system architectures in the IT world has led to their wide
adoption in process automation environments. As a result, the vulnerabilities and
exploits found on these platforms, such as Windows operating systems, are now inherent
risks to automation system security and availability. Deploying security updates and
patches on control systems is therefore no longer optional. These systems need to be
patched against known vulnerabilities and exploits in a timely manner, since once a
vulnerability is made public and its patch released, the risk becomes common
knowledge.
Since Saudi Aramco operating facilities are isolated from the corporate network
and the Internet, obtaining and deploying updates in isolated environments is a real
challenge, especially since the use of removable media is tightly controlled within the
plant. This Best Practice aims to fill this gap by establishing a mechanism to deliver
updates to patch management servers within Saudi Aramco operating facilities.
The E-Cabinet system within the corporate network offers manual updates for small-
sized installations as well as WSUS-compatible formats. For manual updates, the
platform contains a single ISO image for the security updates that Microsoft releases
each month for all operating systems. The image is a collection of update files that can
be deployed individually on a small number of systems. For large deployments,
however, operating facilities require a Windows Server running the Windows Server
Update Services (WSUS).
8 Deployment Options
Depending on the size and complexity of the operating facility in question, operating
facilities may opt to deploy a WSUS server or resort to a manual process. In a manual
process, PAN administrators need to deploy each security or critical update manually on
each and every system within their facility. The number of patches requiring
deployment increases dramatically as the number of nodes increases. In a centralized
solution, the use of WSUS coupled with Active Directory allows administrators to
deploy updates to groups and perform silent installations, and makes update roll-out
faster, simpler and more efficient.
Saudi Aramco: Company General Use
Page 4 of 19
Document Responsibility: Plants Networks Standards Committee SABP-Z-088
Issue Date: 19 December 2016
Next Update: TBD
Performing Offline Update to PAN WSUS Server (Import and Export)
7 Corporate ICS Update Platform
The Corporate ICS Update Platform hosts ISO images of all security updates that
Microsoft has released for its operating systems since January 2006. The security
update files need to be extracted from the ISO image for deployment. PAN
administrators are required to verify, with the vendor, the applicability of an update
before deploying it on an Industrial Control System.
9 Independent Upstream WSUS
9.1 This deployment guide aims to provide PAN administrators with a step-by-step
guide to setting up the virtual WSUS server that can fetch updates from the Microsoft
Update site. This server will be the upstream server for the PAN WSUS.
9.2 Prerequisites
Create a CRM to obtain the virtual machine from IT.
A licensed Windows Server version, preferably 2008 or above.
Deployment of all security updates and patches on the target server.
Installation of McAfeeVSE 880 on the target server, as per IT instructions.
10 Configure Windows Server to Run WSUS
The setup guide below is based on Windows Server 2012 R2. Other versions of
Windows Server will have similar steps, but some aspects may differ:
10.1 From the Server Manager dashboard, select Add Roles and Features.
10.5 In the Server Roles list, select Windows Server Update Services.
10.6 When prompted to add the required features for WSUS, click Add Features.
10.9 In the Role Services pane, make sure the WID Database and WSUS Services are
selected.
10.10 In the Content Location Selection window, uncheck "Store updates in the
following location" if you intend to store the updates in the default location.
If you have a dedicated drive or folder, check the option and specify the path to
the desired folder.
11 Configuring WSUS to Receive Updates
Once the installation of WSUS concludes, the Server Manager Dashboard will flag that
the Post-Deployment Configuration has not yet been performed.
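The following is an added example, not part of this best practice, showing the PowerShell equivalent of the Server Manager steps in section 10 and the post-deployment configuration that the dashboard flag launches. It assumes the WSUS content is stored on a dedicated drive at D:\WSUS (the choice made in step 10.10) and the default WSUS installation path; both are assumptions, and the role-service names and the wsusutil postinstall syntax are those documented by Microsoft for WSUS on Windows Server 2012 R2.

```powershell
# Added example (not from SABP-Z-088): unattended equivalent of section 10 and step 11.1.
# Run from an elevated PowerShell session on the server that will host WSUS.
$ContentDir = 'D:\WSUS'   # assumed dedicated update store (section 10.10)

# Role services matching step 10.9: WID database and WSUS Services.
# -IncludeManagementTools also installs the WSUS console used in section 11.
$result = Install-WindowsFeature -Name UpdateServices-WidDB, UpdateServices-Services -IncludeManagementTools
if (-not $result.Success) { throw 'WSUS role installation failed' }

# Post-deployment configuration (step 11.1): point WSUS at the content directory.
New-Item -ItemType Directory -Path $ContentDir -Force | Out-Null
& 'C:\Program Files\Update Services\Tools\wsusutil.exe' postinstall "CONTENT_DIR=$ContentDir"

# Verification: the role services are installed and the WSUS service is running.
Get-WindowsFeature -Name 'UpdateServices*' | Where-Object Installed | Select-Object Name, InstallState
Get-Service -Name WsusService | Select-Object Name, Status
```

If the default location from step 10.10 is wanted instead, omit CONTENT_DIR from the postinstall call; wsusutil then prompts for nothing and uses its default path. The verification lines are what to check before proceeding to the console configuration in 11.2.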
11.1 Click Launch Post Deployment Configuration from the flag dropdown menu
11.2 On the Server manager dashboard, click the WSUS pane on the left-hand side,
right-click on the server and select Windows Server Update Services.
This should launch the WSUS application.
11.3 Expand the server and select Options; the Options page appears.
The categories of interest are:
11.4 Once the configuration on the Options tab has been completed, click the
Synchronizations tab from the server drop-down list.
11.5 Click Synchronize now to begin the synchronization with the Microsoft Update site.
12 Export Updates from the Upstream WSUS
12.1 Once all the updates are downloaded, the update files and their metadata can be
exported with WSUSUTIL.EXE and a simple copy command.
12.2 In order to export the metadata, open cmd and move to the following location:
12.4 Once the message "All updates are successfully exported" is received on the
screen, proceed to the directory C:\Program Files\Update Services\
and copy the WsusContent folder onto the removable media.
13 Import Updates to the PAN WSUS
13.1 Once the folder WsusContent is copied to a removable media device, it can be
imported into the downstream WSUS (PAN).
13.2 Copy the content of the imported WsusContent folder and paste it into the
destination server's WsusContent folder. Merge the two folders and delete any
duplicates.
13.3 In order to import the metadata into the destination server, open cmd and browse
to the following location: C:\Program Files\Update Services\Tools.
13.5 Once the message "All updates are successfully imported." appears, the updates
will be visible in the WSUS console and can be deployed once approved.
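The export in section 12 and the import in section 13 are two halves of one transfer across removable media, so the following added example (not part of this best practice) scripts both halves and adds the check a PAN administrator would want between them: a SHA-256 manifest written on the upstream side and verified on the PAN side before anything touches the downstream server. It assumes the default WSUS installation path, removable media mounted as E:\ and an export file named export.xml.gz; the wsusutil export/import syntax is the one Microsoft documents, and treating a non-zero wsusutil exit code as failure is an assumption.

```powershell
# Added example (not from SABP-Z-088): scripted export (section 12), media integrity
# manifest, and guarded import (section 13). Run elevated on the respective server.
$WsusRoot   = 'C:\Program Files\Update Services'         # default WSUS path
$WsusUtil   = Join-Path $WsusRoot 'Tools\wsusutil.exe'
$ContentDir = Join-Path $WsusRoot 'WsusContent'
$Media      = 'E:\WsusTransfer'                          # assumed removable-media path
$Manifest   = Join-Path $Media 'manifest.sha256'

function Export-WsusOffline {
    # Upstream (Internet-facing) WSUS, after synchronization has completed.
    New-Item -ItemType Directory -Path $Media -Force | Out-Null

    # Metadata export (step 12.2).
    & $WsusUtil export (Join-Path $Media 'export.xml.gz') (Join-Path $Media 'export.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed with code $LASTEXITCODE" }

    # Binary update content (step 12.4). /E keeps the folder layout; /R and /W
    # stop robocopy from retrying forever on a bad sector of the media.
    robocopy $ContentDir (Join-Path $Media 'WsusContent') /E /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported a failure (code $LASTEXITCODE)" }

    # SHA-256 of every file on the media, so the PAN side can detect corruption or
    # tampering in transit before importing anything.
    Get-ChildItem -Path $Media -Recurse -File |
        Where-Object { $_.FullName -ne $Manifest } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $rel  = $_.FullName.Substring($Media.Length + 1)
            "$hash  $rel"
        } | Set-Content -Path $Manifest -Encoding ASCII
}

function Test-WsusMediaManifest {
    # $true only if every file in the manifest is present on the media and unchanged.
    $ok = $true
    foreach ($line in Get-Content -Path $Manifest) {
        $expected, $rel = $line -split '  ', 2
        $path = Join-Path $Media $rel
        if (-not (Test-Path -Path $path)) { Write-Warning "missing: $rel"; $ok = $false; continue }
        $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($actual -ne $expected) { Write-Warning "hash mismatch: $rel"; $ok = $false }
    }
    return $ok
}

function Import-WsusOffline {
    # Downstream PAN WSUS. Refuse to modify the server if the media fails its manifest.
    if (-not (Test-WsusMediaManifest)) { throw 'media failed integrity check; import aborted' }

    # Merge content (step 13.2). /XO skips files the server already has at the same or
    # newer timestamp, so nothing is duplicated and existing files are not overwritten
    # with older copies.
    robocopy (Join-Path $Media 'WsusContent') $ContentDir /E /XO /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported a failure (code $LASTEXITCODE)" }

    # Metadata import (step 13.3); look for "All updates are successfully imported."
    & $WsusUtil import (Join-Path $Media 'export.xml.gz') (Join-Path $Media 'import.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed with code $LASTEXITCODE" }
}
```

Call Export-WsusOffline on the upstream server and Import-WsusOffline on the PAN server. The manifest is the only thing added beyond the document's own steps: a failed hash check means the media, not the WSUS servers, is the problem, and the transfer should be repeated rather than the import forced.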
14 E-Cabinet
14.1 PAN administrators can download zipped files of Windows updates straight
from E-Cabinet. File extensions are normally altered to .dat to bypass the
security restrictions imposed by corporate IT.
14.2 In order to obtain an update, users shall browse to the following directory:
14.3 Select the appropriate O.S. version to which you require the updates, and click
Export.
14.4 Once the file is downloaded, change its extension to “.zip” in order to extract its
content. In some cases, you may need to use command prompt to do so, as
follows:
14.5 Once the folder content is extracted, use Section 13 of this best practice to
import the updates into the downstream WSUS server.
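Step 14.4 renames a downloaded .dat file back to .zip before extracting it. The following added example (not part of this best practice) performs that rename only after confirming the file actually begins with the ZIP local-file-header signature, so a mislabelled or corrupted download is rejected rather than extracted. The file and folder paths are assumptions; the extraction uses the .NET ZipFile class, which is available on Windows Server 2012 R2 without needing PowerShell 5.

```powershell
# Added example (not from SABP-Z-088): validated rename and extraction for step 14.4.
function Test-ZipSignature {
    param([string]$Path)
    # Every ZIP archive starts with the bytes 50 4B 03 04 ("PK\x03\x04").
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 4
        $n = $fs.Read($buf, 0, 4)
    } finally {
        $fs.Close()
    }
    return ($n -eq 4 -and $buf[0] -eq 0x50 -and $buf[1] -eq 0x4B -and
            $buf[2] -eq 0x03 -and $buf[3] -eq 0x04)
}

function Expand-ECabinetPackage {
    param([string]$DatFile, [string]$Destination)
    if (-not (Test-ZipSignature -Path $DatFile)) {
        throw "$DatFile does not carry a ZIP signature; not renaming or extracting it"
    }
    # Rename .dat back to .zip (step 14.4).
    $zip = [System.IO.Path]::ChangeExtension($DatFile, '.zip')
    Rename-Item -Path $DatFile -NewName (Split-Path -Path $zip -Leaf)

    # Extract with .NET so the script does not depend on Expand-Archive (PowerShell 5+).
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    [System.IO.Compression.ZipFile]::ExtractToDirectory($zip, $Destination)

    # List what was extracted; these files feed the section 13 import.
    Get-ChildItem -Path $Destination -Recurse -File | Select-Object FullName, Length
}

# Assumed paths for the downloaded package and its extraction folder.
Expand-ECabinetPackage -DatFile 'C:\ECabinet\updates.dat' -Destination 'C:\ECabinet\extract'
```

ExtractToDirectory refuses to overwrite existing files, so point each download at a fresh destination folder; the listing at the end is what to hand to the section 13 procedure.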
Revision Summary
19 December 2016 New Saudi Aramco Best Practice that guides Process Automation Network (PAN)
administrators in setting up a secure mechanism to obtain operating system patches
through the corporate platform (E-Cabinet) or individually through an IT-provided virtual
machine.