
Best Practice

SABP-Z-088, 19 December 2016

Performing Offline Update to PAN WSUS Server (Import and Export)
Document Responsibility: Plants Networks Standards Committee

Authors: Hassan S. Al-Yousef, Ahmad M. Al-Saleh

Contents
1 Scope ................................................................ 2
2 Conflicts and Deviations .................................... 2
3 Users ................................................................. 2
4 References ........................................................ 2
5 Definitions and Abbreviations ............................ 2
6 Introduction........................................................ 4
7 Corporate ICS Update Platform ......................... 4
8 Deployment Options .......................................... 4
9 Independent Upstream WSUS .......................... 5
10 Configure Windows Server to Run WSUS......... 5
11 Configuring WSUS to Receive Updates .......... 11
12 Export Updates from the Upstream WSUS ..... 15
13 Import Updates to the PAN WSUS .................. 17
14 E-Cabinet ........................................................ 18
Revision Summary ................................................. 19

Previous Issue: New. Next Planned Update: TBD

Page 1 of 19
Contact: Yousef, Hassan S. (youshs0a) on phone +966-13-8809815

©Saudi Aramco 2016. All rights reserved.
Saudi Aramco: Company General Use


Document Responsibility: Plants Networks Standards Committee, SABP-Z-088
Issue Date: 19 December 2016
Next Update: TBD
Performing Offline Update to PAN WSUS Server (Import and Export)

1 Scope

The purpose of this best practice is to guide Process Automation Network (PAN)
administrators in setting up a secure mechanism to obtain operating system patches
through the corporate platform (E-Cabinet) or individually through an IT-provided
virtual machine. Critical and security updates shall be made available to the
internal Windows Server Update Services (WSUS) server, which can then deploy them
to its domain computers.

2 Conflicts and Deviations

In the event of a conflict between this best practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.

3 Users

The intended users of this document are Process Automation Network (PAN)
administrators in charge of rolling-out security updates and patches to automation
system workstations and servers.

4 References

This best practice is based on the latest edition of the references below, unless otherwise
noted.

- Saudi Aramco References

Saudi Aramco Engineering Procedures

SAEP-98 Removable Media Usage for Process Automation Systems
SAEP-99 Process Automation Networks and Systems Security

5 Definitions and Abbreviations

5.1 Abbreviations
HDD Hard Disk Drive
PAN Process Automation Network (also: Plant Information Network)
PAS Process Automation System
PCN Process Control Network
PCS Process Control System
PN&S Plant Networks and System
USB Universal Serial Bus
WSUS Windows Server Update Services

5.2 Definitions

Hard Disk Drive (HDD): A data storage device used for storing and retrieving
digital information using one or more rigid (“hard”) rapidly rotating disks
(platters) coated with magnetic material.

Process Automation Network (PAN): Sometimes referred to as Plant Information
Network (PIN), a plant-wide network interconnecting Process Control Networks (PCN)
and providing an interface to the WAN. A PAN does not include proprietary process
control networks provided as part of a vendor's standard process control system.

Process Automation Networks (PAN) Administrator: A system administrator who
performs day-to-day maintenance activities on the PAN devices (e.g., administration,
configuration, upgrade, monitoring, etc.). He may also perform additional functions
such as granting, revoking, and tracking access privileges for PCS operating systems
and applications.

Process Automation System (PAS): A network of computer-based or
microprocessor-based electronic equipment whose primary purpose is process
automation. The functions may include process control, safety, data acquisition,
advanced control and optimization, historical archiving, and decision support.

Removable Media (or Removable Media Devices): Computer storage technologies that
are portable (not permanently attached to a computer). Examples include optical
discs, memory cards, floppy disks, USB flash drives, external HDDs, external SSDs,
magnetic tapes, smart phones, tablets, PDAs, etc.

Server: A dedicated un-manned data provider.

Universal Serial Bus (USB): An external serial bus interface standard for
connecting peripheral devices to a computer.

Virtual Machine: A software computer that, like a physical computer, runs an
operating system and applications. The virtual machine consists of a set of
specification and configuration files and is backed by the physical resources of a
host.

Windows Server Update Services (WSUS): A computer program developed by Microsoft
that enables administrators to manage the distribution of updates and hotfixes
released for Microsoft products to computers in a corporate environment.

6 Introduction

The prevalence of open-system architectures in the IT world has led to their wide
adoption in process automation environments. As a result, the vulnerabilities and
exploits found on these platforms, such as Windows operating systems, are now
inherent risks to the security and availability of automation systems. Deploying
security updates and patches on control systems is therefore no longer optional.
These systems need to be patched against known vulnerabilities and exploits in a
timely manner, since these risks become common knowledge once a vulnerability is
made public and its patch released.

Since Saudi Aramco operating facilities are isolated from the corporate network
and the Internet, obtaining and deploying updates in these isolated environments is
a real challenge, especially since the use of removable media is tightly controlled
within the plant. This Best Practice aims to fill the gap by establishing a
mechanism to deliver updates to patch management servers within Saudi Aramco
operating facilities.

7 Corporate ICS Update Platform

The E-Cabinet system within the corporate network offers manual updates for small-
sized installations as well as WSUS-compatible formats. For manual updates, the
platform contains a single ISO image for the security updates that Microsoft releases
each month for all operating systems. The image is a collection of update files that can
be deployed individually on a small number of systems. For large deployments,
however, operating facilities require a Windows Server running the Windows Server
Update Services (WSUS).

For WSUS-compatible updates, users need to download the content of the WSUSContent
folder and its metadata (catalog) from an upstream server. The data are then imported
into the production system using the procedure described in this document.

8 Deployment Options

Depending on the size and complexity of the operating facility in question, operating
facilities may opt to deploy a WSUS server or resort to a manual process. In a manual
process, PAN administrators need to deploy each security or critical update manually on
each and every system within their facility. The number of patches requiring
deployment increases dramatically as the number of nodes increases. In a centralized
solution, the use of WSUS coupled with Active Directory allows administrators to
deploy updates to groups and perform silent installations, and makes update roll-out
faster, simpler and more efficient.

8.1 Manual Updates

The Corporate ICS Update Platform hosts the ISO images of all security updates
that Microsoft has released for its operating systems since January 2006. The
security update files need to be extracted from the ISO image for deployment.
PAN administrators are required to verify, with the vendor, the applicability of
an update before deploying it on an Industrial Control System.

8.2 Centralized Patch Management

A Windows Server machine is required to deploy WSUS in a centrally-managed
environment. WSUS is capable of downloading and installing updates for a
multitude of Microsoft products and languages. By creating groupings and
policies, PAN administrators can custom-tailor the deployment of patches as per
the vendor recommendations. The problem, however, is that the plant WSUS is
connected neither to the Internet nor to the corporate IT network. PAN
administrators can use the corporate ICS Update platform to download the updates
and their catalog (metadata) and import the updates into the plant WSUS.
Alternatively, operating facilities can create a CRM to obtain a virtual machine
on the IT network running a WSUS server. This virtual machine shall be used to
sync with Microsoft. The data can then be transferred to the plant WSUS using
removable media, as per SAEP-98 guidelines.

9 Independent Upstream WSUS

9.1 This deployment guide aims to provide PAN administrators with a step-by-step
guide in setting up the virtual WSUS server that can fetch updates from Microsoft
Update site. This server will be the Upstream server for the PAN WSUS.

9.2 Prerequisites
- Create a CRM to obtain the virtual machine from IT.
- A licensed Windows Server version, preferably 2008 or above.
- Deployment of all security updates and patches on the target server.
- Installation of McAfee VSE 8.8.0 on the target server, as per IT instructions.

10 Configure Windows Server to run WSUS

The setup guide below is based on Windows Server 2012 R2. Other versions of
Windows Server follow similar steps, but some details may differ:

10.1 From the Server Manager dashboard, select Add Roles and Features.

10.2 In the Roles and Features Wizard click Next


10.3 In the Installation Type, select Role-based or feature-based installation,
then click Next.

10.4 Select the destination server and click on Next


10.5 In the Server Roles list, select Windows Server Update Services

10.6 When prompted to Add required features for WSUS, click Add Features


10.7 In the Features List, click on Next

10.8 In the WSUS pane, click on Next


10.9 In the Role Services pane, make sure the WID database and WSUS Services are
selected.

10.10 In the Content Location Selection window, uncheck “Store updates in the
following location” if you intend to store the updates in the default location.
If you have a dedicated drive, or folder, check the option and specify the path to
the desired folder.


10.11 Finally, click Install to begin WSUS installation.
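The wizard steps 10.1 to 10.11 (plus the post-deployment configuration that Section 11 launches from the Server Manager flag) can be reproduced unattended from an elevated PowerShell session. The script below is an added example and is not part of SABP-Z-088; it assumes a dedicated content drive at D:\WSUS (the path chosen in step 10.10) and the default wsusutil.exe location under Program Files. The feature names UpdateServices, UpdateServices-WidDB and UpdateServices-Services are the role services shown in step 10.9.

```powershell
# Added example (not from SABP-Z-088): installs the WSUS role with the
# Windows Internal Database, the equivalent of wizard steps 10.1 to 10.11,
# and runs the post-deployment configuration from Section 11.1.
# Assumption: the dedicated update store is D:\WSUS (step 10.10); change it
# to match the folder chosen there.
#Requires -RunAsAdministrator

$ContentDir = 'D:\WSUS'   # assumed dedicated update store (step 10.10)

# wsusutil postinstall expects the content folder to exist already.
if (-not (Test-Path -Path $ContentDir)) {
    New-Item -Path $ContentDir -ItemType Directory | Out-Null
}

# Role services selected in step 10.9: WSUS Services plus the WID database.
# -IncludeManagementTools adds the WSUS console and the UpdateServices
# PowerShell module used for the configuration in Section 11.
$result = Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services `
    -IncludeManagementTools

if (-not $result.Success) {
    throw "WSUS role installation failed (exit code $($result.ExitCode))"
}

# Post-deployment configuration: create the WID database and bind the
# content directory. This is what the Server Manager flag in 11.1 launches.
$WsusUtil = Join-Path -Path ${env:ProgramFiles} -ChildPath 'Update Services\Tools\wsusutil.exe'
& $WsusUtil postinstall "CONTENT_DIR=$ContentDir"

if ($LASTEXITCODE -ne 0) {
    throw "wsusutil postinstall returned exit code $LASTEXITCODE"
}

# Confirm the role services are installed and the WSUS service is running.
Get-WindowsFeature -Name UpdateServices* | Where-Object Installed |
    Select-Object Name, InstallState
Get-Service -Name WsusService | Select-Object Name, Status
```

Run the script once on the freshly provisioned virtual machine. If a restart is required after the feature installation, Install-WindowsFeature reports it in the RestartNeeded property of the result; reboot and then rerun only the wsusutil postinstall line.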

11 Configuring WSUS to Receive Updates

Once the installation of WSUS concludes, the Server Manager Dashboard will raise a
flag indicating that the Post-Deployment Configuration has not yet been run.

11.1 Click Launch Post Deployment Configuration from the flag dropdown menu


11.2 On the Server manager dashboard, click the WSUS pane on the left-hand side,
right-click on the server and select Windows Server Update Services.
This should launch the WSUS application.

11.3 Expand the server and select Options; the Options page appears.
The categories of interest are:

- Products and Classifications
- Update Files and Languages

11.3.1 Products and Classifications

In the Products tab, select all operating systems currently installed at
your facility; refer to the asset inventory tool used at your facility for
this information.

The Classifications tab lists the types of updates to be installed by
WSUS. PAN administrators shall install, at minimum, the following types:
- Critical Updates
- Security Updates


11.3.2 Update Files and Languages

In the Update Files tab, apply the following configuration:

- Store update files locally on this server.
- Uncheck Download update files to this server only when updates are approved.
- Select Download express installation files.

In the Update Languages tab, select Download updates only in these languages:
- Uncheck any language apart from English.
- Click OK to save.


11.4 Once the configuration on the Options tab has been completed, click the
Synchronizations tab from the server drop-down list.


11.5 Click Synchronize now to begin the synchronization with Microsoft Update.

11.6 Once synchronization concludes, WSUS will automatically download the
updates for all selected operating systems based on the classifications selected
earlier. The status of the downloads can be verified through the WSUS server
main page. This can be accessed by clicking the server name on the left-side
pane of WSUS. In this document, the server is called LAB-DC.
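The Options settings of 11.3.1 and 11.3.2 and the synchronization of 11.4 to 11.6 can also be applied from PowerShell, which makes the upstream server's configuration reviewable and repeatable. The script below is an added example, not code from SABP-Z-088; it uses the UpdateServices module cmdlets (Get-WsusServer, Get-WsusProduct, Set-WsusProduct, Get-WsusClassification, Set-WsusClassification) and the WSUS administration API behind them. The product list in $Products is an assumed sample inventory and must be replaced with the operating systems recorded in the facility's asset inventory tool.

```powershell
# Added example (not from SABP-Z-088): applies the Options settings from
# 11.3.1 and 11.3.2 to the upstream WSUS and starts the first synchronization
# (11.4 to 11.6). Assumptions: the script runs on the WSUS server itself,
# and $Products holds the operating systems from the facility's asset
# inventory (the values below are sample placeholders).
#Requires -RunAsAdministrator
Import-Module UpdateServices

$Products        = @('Windows Server 2012 R2', 'Windows 7')   # assumed inventory
$Classifications = @('Critical Updates', 'Security Updates')  # minimum per 11.3.1

$wsus = Get-WsusServer   # local server, default port

# 11.3.1 Products: enable exactly the operating systems in the inventory.
Get-WsusProduct -UpdateServer $wsus | ForEach-Object {
    if ($Products -contains $_.Product.Title) {
        Set-WsusProduct -Product $_
    } else {
        Set-WsusProduct -Product $_ -Disable
    }
}

# 11.3.1 Classifications: Critical Updates and Security Updates at minimum.
Get-WsusClassification -UpdateServer $wsus | ForEach-Object {
    if ($Classifications -contains $_.Classification.Title) {
        Set-WsusClassification -Classification $_
    } else {
        Set-WsusClassification -Classification $_ -Disable
    }
}

# 11.3.2 Update Files and Languages, via the administration API.
$config = $wsus.GetConfiguration()
$config.HostBinariesOnMicrosoftUpdate = $false   # store update files locally
$config.DownloadUpdateBinariesAsNeeded = $false  # do not wait for approval
$config.DownloadExpressPackages = $true          # express installation files
$config.AllUpdateLanguagesEnabled = $false       # English only, set below
$languages = New-Object System.Collections.Specialized.StringCollection
[void]$languages.Add('en')
$config.SetEnabledUpdateLanguages($languages)
$config.Save()

# 11.5 Synchronize now, then wait until the run finishes.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronization()
while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
    Start-Sleep -Seconds 30
}

# 11.6 Report the outcome; downloads continue in the background afterwards.
$last = $subscription.GetLastSynchronizationInfo()
"Sync result: $($last.Result); started $($last.StartTime); ended $($last.EndTime)"
```

The full product catalog is only available after the first synchronization has completed, so on a brand-new server run the synchronization once, then rerun the product selection to pick up operating systems that were not listed initially.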

12 Export Updates from the upstream WSUS

12.1 Once all the updates are downloaded, the update files and their metadata can be
exported with WSUSUTIL.EXE and a simple copy command.

12.2 To export the metadata, open a command prompt and change to the following
directory:

C:\Program Files\Update Services\Tools


12.3 Type: wsusutil export export.cab export.log

12.4 Once the message “All updates are successfully exported” appears on the
screen, go to the directory C:\Program Files\Update Services\ and copy the
WsusContent folder to the removable media.
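Steps 12.2 to 12.4 as one script, added here as an example and not taken from SABP-Z-088. Beyond the two commands the section describes, it writes a SHA-256 manifest of everything placed on the media so that the PAN side can confirm, before importing, that the catalog and the update binaries were neither corrupted nor altered while the removable media was in transit. Assumptions: the removable media is mounted as E:\ under the SAEP-98 controls, and the upstream WSUS uses the default content path under Program Files.

```powershell
# Added example (not from SABP-Z-088): exports the upstream WSUS catalog
# with wsusutil (12.3), copies WsusContent to removable media (12.4) and
# writes a SHA-256 manifest for verification on the PAN WSUS.
# Assumptions: E:\ is the removable media; WSUS uses the default content path.
#Requires -RunAsAdministrator

$UpdateServices = Join-Path -Path ${env:ProgramFiles} -ChildPath 'Update Services'
$WsusUtil = Join-Path -Path $UpdateServices -ChildPath 'Tools\wsusutil.exe'
$Content  = Join-Path -Path $UpdateServices -ChildPath 'WsusContent'
$Media    = 'E:\wsus-export'   # assumed removable media target

New-Item -Path $Media -ItemType Directory -Force | Out-Null

# 12.3: export the update catalog (metadata) to export.cab with a log file.
& $WsusUtil export (Join-Path $Media 'export.cab') (Join-Path $Media 'export.log')
if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed; see $Media\export.log" }

# 12.4: copy the WsusContent tree. robocopy /E copies subfolders and skips
# files already present on the media with the same size and timestamp,
# so repeated monthly exports to the same media only add new content.
robocopy $Content (Join-Path $Media 'WsusContent') /E /NP /R:3 /W:5 /NFL /NDL
if ($LASTEXITCODE -ge 8) { throw "robocopy reported errors (exit code $LASTEXITCODE)" }

# Integrity manifest: SHA-256 of every exported file, path relative to $Media,
# in the "<hash> *<relative path>" layout used by sha256sum-style tools.
$manifest = Join-Path $Media 'manifest.sha256'
Get-ChildItem -Path $Media -Recurse -File |
    Where-Object { $_.FullName -ne $manifest } |
    ForEach-Object {
        $relative = $_.FullName.Substring($Media.Length).TrimStart('\')
        '{0} *{1}' -f (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash, $relative
    } |
    Set-Content -Path $manifest -Encoding ASCII

"Exported to $Media. Record the hash of manifest.sha256 separately before handing over the media:"
(Get-FileHash -Path $manifest -Algorithm SHA256).Hash
```

The manifest only helps if its own hash travels separately from the media (for example, recorded in the CRM or the removable media log kept under SAEP-98); the final line prints that value so it can be written down at the upstream side and compared on the PAN side.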


13 Import Updates to the PAN WSUS

13.1 Once the folder WsusContent is copied to a removable media device, it can be
imported to the downstream WSUS (PAN).

13.2 Copy the content of the imported WsusContent folder and paste it into the
destination server WsusContent folder. Merge the two folders and delete
duplicates should you have any.

13.3 To import the metadata into the destination server, open a command prompt and
change to the following directory: C:\Program Files\Update Services\Tools

13.4 Type: wsusutil import export.cab import.log

13.5 Once the message “All updates are successfully imported.” appears, the updates
will be visible on the WSUS and can be deployed once approved.
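Steps 13.2 to 13.5 as one script, added here as an example and not taken from SABP-Z-088. It is the counterpart of the export script: it first checks every file on the media against the SHA-256 manifest and refuses to touch the PAN server if anything is missing or altered, then merges WsusContent (13.2) and runs the catalog import (13.4). Assumptions: the media is mounted as E:\ and carries export.cab, the WsusContent folder and manifest.sha256; the PAN WSUS uses the default content path under Program Files.

```powershell
# Added example (not from SABP-Z-088): verifies the manifest produced on the
# upstream side, merges WsusContent into the PAN WSUS (13.2) and imports the
# catalog with wsusutil (13.4).
# Assumptions: E:\ is the removable media; WSUS uses the default content path.
#Requires -RunAsAdministrator

$Media          = 'E:\wsus-export'   # assumed removable media source
$UpdateServices = Join-Path -Path ${env:ProgramFiles} -ChildPath 'Update Services'
$WsusUtil       = Join-Path -Path $UpdateServices -ChildPath 'Tools\wsusutil.exe'
$Content        = Join-Path -Path $UpdateServices -ChildPath 'WsusContent'

# Verify every file against the manifest before anything reaches the PAN server.
$problems = @()
foreach ($line in Get-Content -Path (Join-Path $Media 'manifest.sha256')) {
    $expected, $relative = $line -split ' \*', 2
    $file = Join-Path -Path $Media -ChildPath $relative
    if (-not (Test-Path -Path $file -PathType Leaf)) {
        $problems += "missing: $relative"
    } elseif ((Get-FileHash -Path $file -Algorithm SHA256).Hash -ne $expected) {
        $problems += "hash mismatch: $relative"
    }
}
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Manifest verification failed; do not import from this media."
}

# 13.2: merge the content folders. Files already present on the PAN WSUS
# with identical size and timestamp are skipped, so nothing is duplicated.
robocopy (Join-Path $Media 'WsusContent') $Content /E /NP /R:3 /W:5 /NFL /NDL
if ($LASTEXITCODE -ge 8) { throw "robocopy reported errors (exit code $LASTEXITCODE)" }

# 13.4: import the catalog; the log is written back to the media for the record.
& $WsusUtil import (Join-Path $Media 'export.cab') (Join-Path $Media 'import.log')
if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed; see $Media\import.log" }

# 13.5: the imported updates are now visible in the PAN WSUS and await approval.
Import-Module UpdateServices
$pending = (Get-WsusServer).GetUpdates() | Where-Object { -not $_.IsApproved }
"$($pending.Count) updates now present on the PAN WSUS and awaiting approval"
```

Import the content folder before the catalog, as the section prescribes: wsusutil import registers update metadata that points at files in WsusContent, and clients of an update whose binaries are absent will fail to download it even though it shows as available in the console.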


14 E-Cabinet

14.1 PAN administrators can download zipped files of Windows updates straight
from E-Cabinet. File extensions are normally altered to .dat to bypass the
security restrictions imposed by corporate IT.

14.2 In order to obtain an update, users shall browse to the following directory:

“PROCESS & CONTROL SYSTEMS DEPT/PAN Administrators/Microsoft Security Updates/WSUS Updates”

14.3 Select the appropriate O.S. version for which you require the updates, and click
Export.


14.4 Once the file is downloaded, change its extension to “.zip” in order to extract its
content. In some cases, you may need to use the command prompt to do so, as
follows:

14.5 Once the folder content is extracted, use Section 13 of this best practice to
import the updates into the downstream WSUS server.

Revision Summary
19 December 2016 New Saudi Aramco Best Practice that guides Process Automation Network (PAN)
administrators in setting up a secure mechanism to obtain operating system patches
through the corporate platform (E-Cabinet) or individually through an IT-provided virtual
machine.
