DeltaV Whitepaper

January 2013 – Page 1 DeltaV System Software update Deployment

DeltaV™ System Software Update

Deployment
This brief whitepaper provides a handy index to Emerson documents related to deployment of software updates,
along with summary information about software update delivery and deployment services available from
Emerson.

Timely deployment of security updates and software patches contributes to secure and reliable operations.

www.DeltaV.com
DeltaV Whitepaper
January 2013 – Page 2 DeltaV System Software update Deployment

Table of Contents

Index of documents related to Software Update Deployment ............................................. 3

Software Update Types ........................................................................................................... 5

Software Update Deployment Methods ................................................................................. 6

Guardian and the Guardian Software Update Delivery Service ........................................... 6

Patch Management Service .................................................................................................... 7

Deployment Status Reporting ................................................................................................ 7

Figures

Figure 1 - KBAs Related to Software Update Deployment ..................................................................... 3

Figure 2 - Guidelines Related to Software Update Deployment ............................................................. 4

Figure 3 - Whitepapers Related to Software Update Deployment .......................................................... 4

Figure 4 - Software Update Types, Sources and Direction ..................................................................... 6

DeltaV Whitepaper
January 2013 – Page 3 DeltaV System Software update Deployment
Index of documents related to Software Update Deployment
The following Knowledge Base Articles (KBAs) are relevant to the general topic of software update deployment.
KBAs are highly technical documents, intended for use by qualified individuals, issued and supported by the
Emerson Technical Support organization.

KBAs are available via an access-controlled Internet support website for DeltaV™ systems subscribed to either
FOUNDATION Support or Guardian Support Service. Individual KBAs can be furnished for non-subscribed systems
via request to the local Emerson service department. Always ensure you have the latest revision of a particular
KBA before implementing, since these can be revised on a regular basis.

Document Title Synopsis

AP-0400-0004 Recommended Antivirus This document provides a compatibility chart, specifying the
and Installation Procedure approved Symantec™ anti-virus product for each DeltaV /
for DeltaV Workstations OS version. Known issues are identified.
AP-0800-0025 Symantec Endpoint This document provides instructions for installing
Protection 11.0 Installation Symantec’s Endpoint Protection Version11 anti-virus
Procedure on DeltaV product. The procedure is limited in scope to an
Workstations unmanaged mode of deployment.
AP-0900-0040 Using a Batch File to Aid This document provides instruction for creating a BAT
the Installation of Microsoft batch file to manually install multiple Microsoft security
Security Updates updates in a single workstation. Essentially an optimized
unmanaged mode of deployment for Microsoft security
updates.
AK-1000-0124 Application Notes for This document provides information regarding the
Patch Management implementation of a managed mode deployment of
Deployment Microsoft security updates, Symantec antivirus definition
files, and DeltaV software updates via the Emerson Patch
Management Service.
This managed mode solution utilizes Microsoft’s Windows
Server Update Services (WSUS), Symantec’s Endpoint
Protection Manager (SEPM), Symantec’s Live Update
Administrator (LUA), and Emerson’s Guardian WSUS
Interface (GWI) software, approved for use with DeltaV
version 9.3.1 and up.
AP-0900-0030 Procedure and Tips for This document provides advice for setting up a secure
Submitting the DeltaV internet path for the DeltaV system registration utility to
System Registration File automatically deliver an encrypted xml file to Emerson, to
via the Internet maintain fresh system content and version information in
Guardian.
AK-1100-0006 Microsoft 2011 Released This document lists the approval status of Microsoft
and others for Security Updates for Use security updates issued during the year for supported
prior years on DeltaV Systems versions of DeltaV. It also lists the KBA numbers for
previous years.

Figure 1 - KBAs Related to Software Update Deployment

DeltaV Whitepaper
January 2013 – Page 4 DeltaV System Software update Deployment
The following guideline documents are relevant to software update deployment. Guideline papers are issued to
provide information concerning the practices that should be used for installation and deployment of updates in a
DeltaV system that is to be supported by Emerson Process Management. It is important that these guidelines be
followed in order for Emerson Process Management to provide technical support for your DeltaV system. Failure
to follow these guidelines may compromise our ability to provide timely and complete technical support for your
DeltaV digital automation system.

Document Title Synopsis

P_MS_Patch_Mgt.doc Microsoft Security Bulletin This guideline relates to the testing and
Administration on DeltaV deployment of operating system updates,
Systems security bulletins and new operating system
service packs.
P_Anti_Virus_on_DeltaV.doc Anti-Virus Scanning in This guideline elates to the testing, support
DeltaV Systems and deployment of anti-virus scanning
software.

Figure 2 - Guidelines Related to Software Update Deployment

The following whitepaper documents are relevant to software update deployment or cyber security. Whitepapers
provide general guidance and background information. Whitepapers are available on the DeltaV internet website:
http://www2.emersonprocess.com/en-US/brands/deltav/documentation/Pages/whitepapers.aspx .

Document Title Synopsis

WP_DeltaVSystemSecurity.doc DeltaV System This whitepaper outline the system philosophy,
Cyber-Security guidelines and rules for providing cyber-security
policy to the DeltaV system.
WP_BestPrac_CyberSec.doc Best Practices for This whitepaper is supplementary and
Cyber-Security complimentary to the whitepaper “DeltaV System
Cyber-Security”. It addresses keeping a DeltaV
system secure from hacker attacks, viruses,
worms and other malware and security threats.
CS_DeltaV_Security_Manual.doc Cyber-Security for This document is a guide for process engineers,
DeltaV Digital information technology personnel, operations
Automation managers and other plant personnel responsible
Systems for developing and maintaining the cyber-security
of DeltaV digital automation systems.

Figure 3 - Whitepapers Related to Software Update Deployment

DeltaV Whitepaper
January 2013 – Page 5 DeltaV System Software update Deployment
Software Update Types
System software updates come in a variety of types with different sources:

Update Type Description and Source Rollout Directions

DeltaV Hotfixes Hotfixes are made available at Emerson’s discretion to Users are encouraged to
address issues in a specific build of DeltaV system install hotfixes proactively for
software. Hotfixes can either be issue-specific or maximum system
supplied in a ‘bundle’ of multiple hotfixes. Each hotfix robustness.
has a corresponding KBA that explains the issue. Install them per individual
KBAs and hotfix executables are obtained from the KBA instructions.
access-restricted Emerson support websites.
Microsoft Security updates are issued by Microsoft to address Only install security updates
Security cyber-security issues. Typically they are issued in a that have been approved for
Updates monthly batch, however especially critical updates can use by Emerson, at the
be issued at any time. Emerson determines which earliest opportunity following
security updates are necessary for supported DeltaV / approval.
OS version combinations and tests them for Special instructions if any are
compatibility. provided in the KBA listing of
Approved updates can be downloaded from the approved updates.
access-restricted Emerson support websites, or from It is recommended to stagger
the Microsoft Knowledgebase website. the installation, updating a
small number of computers
ahead of the majority.
Refer to the Guideline
Microsoft Security Bulletin
Administration on DeltaV
Systems for more
information.
Microsoft Microsoft issues updates for reasons other than cyber Never install Microsoft OS or
Operating security. In general, Microsoft non-security updates are application non-security
System and not approved for use with the DeltaV system, other updates unless specifically
Application than to address a DeltaV software issue. An example directed by a KBA.
Updates exception is the Microsoft OS update to accommodate Follow KBA instructions for
the 2007 change in US daylight savings time. installation.
Microsoft non-security updates are approved for use by
way of an issue-specific KBA.
Symantec Anti- Symantec frequently issues updates to their Customer may elect to install
Virus Updates virus/worm pattern files, sometimes with multiple anti-virus updates as
updates the same day. These updates can also include received in real-time from
minor updates to the anti-virus engine (application) Symantec or only apply the
itself to adapt to the latest cyber threats. The updates ones that Emerson has
are cumulative, meaning that each update checked each month.
encompasses all of the latest anti-virus patterns and It is recommended to stagger
minor engine updates. the installation, updating a
These updates have historically had no impact to small number of computers
DeltaV system compatibility and are considered ahead of the majority.
acceptable for use as received from Symantec. Refer to the Guideline Anti-
Concurrent with the monthly compatibility check of Virus Scanning in DeltaV
Microsoft Security updates, Emerson checks the latest Systems for more
available Symantec virus definition file for DeltaV information.
compatibility.
DeltaV Whitepaper
January 2013 – Page 6 DeltaV System Software update Deployment
Symantec Anti- New releases of Symantec Anti-Virus scanning Only use approved versions
Virus products are tested for DeltaV compatibility by of Symantec anti-virus
Application Emerson, with new approved versions documented via products, identified in KBA
Updates (AKA KBA. AP-0400-0004.
Virus Engine Install them per KBA AP-
Updates) 0400-0004.
Refer to the Guideline Anti-
Virus Scanning in DeltaV
Systems for more
information.
DDL/EDDL Updated Device and Extended Device Definition Install as needed.
Update Language Files are issued by the device manufacturer. For best results only install
Conceptually similar to a PC printer driver, they provide updates that have been
the DeltaV system with essential details for properly compatibility tested by
interfacing with the device. Device manufacturers Emerson.
supply the updates. Emerson tests many but not all Install them per instructions
DDL/EDDL updates for compatibility. in DeltaV Books on Line.

Figure 4 - Software Update Types, Sources and Direction

Software Update Deployment Methods

In general there are two software deployment methods, Managed and Unmanaged.

In a Managed Mode a ‘Management Server’ is employed to automatically transfer needed software updates to
individual workstations. Once the updates are received by the workstation, they are either automatically installed
or alternately saved to wait for a user-directed install command which might be given at the client workstation or
remotely from the Management Server.

In an Unmanaged Mode, software updates are installed at each individual workstation, manually invoked by an
individual physically present at the workstation. Simply stated, it is the manual method. However, it is often the
best method for DeltaV systems with a small number of workstations.

The unmanaged mode is the default recommended method for deploying software updates to a DeltaV system
and is the only choice for DeltaV system set up as a workgroup (vs. a domain).

Guardian and the Guardian Software Update Delivery Service

DeltaV customers are encouraged to subscribe to Guardian Support, a service from Emerson that provides
technical support, DeltaV system software updates including hotfixes, and access to a restricted support website
that presents technical information tailored to each individual DeltaV system installation.

One of Guardian’s features is a software update delivery service that transmits software update files and
accompanying installation instructions (KBAs), for unmanaged mode deployment, on demand or according to a
schedule, targeted to the particular customer system.

For more information reference:

 The Emerson Guardian Support Service Datasheet: http://www2.emersonprocess.com/en-

US/brands/sureservice/availabilityservices/guardiansupportservice/Pages/GuardianSupportService.aspx
DeltaV Whitepaper
January 2013 – Page 7 DeltaV System Software update Deployment

Patch Management Service

In 2009 Emerson introduced a DeltaV Patch Management Service, to assist customers with the design,
deployment and support of a managed mode delivery solution for Microsoft security updates and Symantec anti-
virus pattern files for DeltaV V9.3 or higher systems. The solution integrates the capabilities of Microsoft’s
Windows Server Update Service (WSUS), Symantec’s End Point Protection Manager and Emerson’s Guardian
Software Update Delivery Service.

When enrolled in Patch Management Service, the Guardian software update delivery service transmits a file
containing the latest list of approved and disapproved Microsoft security updates for a specific DeltaV system, in a
format that is compatible with WSUS. The file is updated and transmitted whenever Emerson completes the
compatibility testing of a security update relevant to the DeltaV system. With the help of a WSUS API interface
provided with the Patch Management Service, WSUS approval/disapproval transactions are automated, such that
security update deployment can be automatically initiated in a managed mode triggered by the Emerson
completion of compatibility testing.

For more information reference these documents:

 The Emerson Patch Management Service Datasheet: http://www2.emersonprocess.com/en-

US/brands/sureservice/availabilityservices/PatchManagementServices/Pages/PatchManagementServices.aspx

 The KBA AK-1000-0124 Application Notes for Patch Management Deployment

Deployment Status Reporting

To support unmanaged mode deployment, the Guardian website provides an automated comparison of installed
vs. approved security updates, based on timely submissions of a DeltaV system registration files. Complete
details are described in the Guardian Users Manual available on the Guardian Website. If not on Guardian
Support, the customer should regularly compare installed updates to the KBA listing of approved updates.

Deployment status reporting is automated in a managed mode deployment. Methods for comparing approved vs.
installed updates are covered in detail as part of the Patch Management Service.
DeltaV Whitepaper
January 2013 – Page 8 DeltaV System Software update Deployment

This page intentionally left blank.

To locate a sales office near you, visit our website at: For large power, water, and wastewater applications
www.EmersonProcess.com/DeltaV contact Power and Water Solutions at:
Or call us at: www.EmersonProcess-powerwater.com
Asia Pacific: 65.6777.8211 Or call us at:
Europe, Middle East: 41.41.768.6111 Asia Pacific: 65.6777.8211
North America, Latin America: +1 800.833.8314 or Europe, Middle East, Africa: 48.22.630.2443
+1 512.832.3774 North America, Latin America: +1 412.963.4000

© Emerson Process Management 2013. All rights reserved. For Emerson Process Management trademarks and service marks, go to:
http://www.emersonprocess.com/home/news/resources/marks.pdf.

The contents of this publication are presented for informational purposes only, and while every effort has been made to ensure their accuracy, they are not to be
construed as warrantees or guarantees, express or implied, regarding the products or services described herein or their use or applicability. All sales are governed
by our terms and conditions, which are available on request. We reserve the right to modify or improve the design or specification of such products at any time
without notice.

www.DeltaV.com