Service Data Sheet
November 2020
Automated Patch Management Service
„ Establish successful and proactive patch
management strategy
„ Ensure the availability and business continuity
of your DeltaV™ process control system
„ Reduce manual system administrative activity
and delays associated with software updates
Introduction
Every month there are new Microsoft® Windows® OS security
updates, McAfee® Endpoint Security for DeltaV Systems
antivirus updates, Symantec™ Endpoint Protection antivirus
updates and DeltaV DCS hotfixes that need to be acted upon.
Emerson’s Automated Patch Management Service provides
an effective solution that address the five deployment steps
— identification of required Emerson-approved updates,
acquisition of update executables, distribution to appropriate
DeltaV DCS nodes, and installation.
It is very common for the most critical security, antivirus and
application hotfix updates to go uninstalled for extended
periods of time, or not be installed at all. Often the reasons are
due to limited skilled resources and day-to-day judgment calls
about what is more important; to either address an immediate
need with a measurable business benefit or deploy the current
batch of system software updates with their unknown and often
un-quantified effect on system vulnerability.
The Emerson Automated Patch Management Service is a
combination of people, technology and best practices designed
to automate the routine aspects of manual security software
update deployment.
Benefits
Establish successful and proactive patch management
strategy: Automated Patch Management Service automates
routine aspects of software update deployment for timely
dependable implementation, while freeing staff to devote
more time to your own business. For large systems, the savings
can add up to hundreds of hours per year. Automated Patch
Management Service identifies the appropriate Microsoft
Windows security patches, tests them on DeltaV DCS and
advises the customer on which DeltaV DCS hardware needs
updating with which particular software patches on an
individual system-by-system basis.
Ensure the availability and business continuity of your
DeltaV system: Emerson provides approved Microsoft
Windows security updates as well as antivirus signature file
updates on a regular basis. Experience has shown many of
the disruptive events reported to the Emerson Global Service
Center could have been avoided, had the relevant security
update or hotfix been applied in a timely fashion.
Automated Patch Management Service November 2020

Reduce manual system administrative activity and delays
associated with software updates: Maintaining security
patch management and hotfixes are essential to your system’s
security and availability.
This automated service ensures that critical updates are
deployed consistently.
By delegating patching to Emerson’s Automated Patch
Management Service, site resources can focus on delivering
quality product and bottom-line results; spending less time
evaluating and deploying patches, and more time focusing on
process management and operations.

ASSESS SOLVE IMPROVE

Cyber Security Periodic

Assessments Solutions Audits

Cybersecurity Assessments Cybersecurity Solutions Periodic Audits

• Basic Cybersecurity Assessment • Automated/Manual Patch Management • Annual or semi-annual follow-up audit
& Report Services (WSUS & antivirus) • Reviews adherence to previous
• On-site Cybersecurity Assessments • Application Whitelisting assessment results/remediation
& Report • Security Information & Event • Reviews cybersecurity real-world
• Advanced Cybersecurity Management (SIEM) changes and suggests any remediation
Assessment & Report • DeltaV ACN Network Security Monitor necessary to protect from these changes
• Cybersecurity remediation • Backup & Recovery
analysis & recommendations • Smart Firewalls, Smart Switches and
Controller Firewalls
•• DeltaV Upgrade Services
•• Cybersecurity Remediation Services

Emerson’s Cybersecurity Management Solutions Process and Services Portfolio.

Cybersecurity Management Solutions „ System Health Monitoring

„ Applications Whitelisting
Automated Patch Management Service is an integral part of
Emerson’s Cybersecurity Management Solutions portfolio. „ Network Security Monitor
A comprehensive cybersecurity solution consists of many
„ Security Information & Event Management (SIEM)
different components; each one specific to reducing risks
associated with various process control system entities. „ System Health Monitoring
Emerson’s Cybersecurity Management is an integrated „ Smart firewalls, Smart Switches and Controller Firewalls
approach to finding the best cyber solutions to fit your
current process control system and existing plant security „ On-site spare parts management
policies and procedures. „ Security consultation services
Cybersecurity Management solutions cover: „ Incident Response Services
„ Automated/Manual Patch Management Services „ Development Services for IR Plan and Site Policies &
(WSUS & antivirus patching) Procedures Review
„ Disaster recovery Reduction of risks associated with the use of these solution
„ Backup and recovery components reduces the time spent on controllable issues
and allows focus on other important day-to-day issues.

www.emerson.com/cybersecurity 2
Automated Patch Management Service November 2020

Automated Patch Management „ For Symantec Endpoint Protection Solutions:

Service Architecture z Symantec Live Update Administrator (LUA) — A software

application that solicits antivirus updates from Symantec
Software service enablers are combined with Emerson’s expert via the Internet, typically located on the Upstream Server.
consultation and optional on-site commissioning to implement
z Symantec Endpoint Protection Manager (SEPM) —
automated deployment capability for Microsoft® Windows®
A software application that deploys antivirus updates
security updates, Symantec™ antivirus updates and DeltaV
obtained by the LUA, located on the Downstream Server.
DCS hotfixes.

The software service enablers include:

„ Guardian Software Update Delivery Service (GSUDS)

Service Prerequisites
Client: an Emerson software application available for systems Automated Patch Management Service prerequisites:
enrolled in Guardian Support service. It solicits system hot
„ DeltaV installed in a domain environment, running
fixes and approval information for Microsoft security updates
DeltaV v13.3.1 software or later with Windows Server 2016
from Emerson via the Internet. It is typically located on a web
and Windows 10.
facing Upstream Server.
„ System(s) enrollment in Guardian Support Service.
„ Guardian WSUS Interface (GWI): An Emerson software
application that periodically loads new DeltaV hotfixes „ Annual purchase of the Automated Patch Management
and the latest approval information for Microsoft security Subscription Service for each system ID.
updates, and programmatically injects them into WSUS.
„ For McAfee Endpoint Security for DeltaV Systems:
It is typically located on the Downstream Server.
z Licenses to use McAfee ePO, Agent Handler and agent
„ Microsoft Windows Server Update Service (WSUS)
clients (all supplied by Emerson).
version 3 or higher: A no-cost add-on to the Microsoft
server operating system. At least two instances of the „ For Symantec Endpoint Protection:
WSUS application are required; one on an internet facing
z License to use Symantec Live Update Administrator (LUA)
server (Upstream Server) to solicit security updates from
(customer’s responsibility to procure).
Microsoft and a second located on a non-DeltaV DCS server
z License to use Symantec Endpoint Protection Manager
(Downstream Server) on the DeltaV side of the firewall,
(SEPM) and clients (customer’s responsibility to procure).
synchronized to move data to and from one another.
z Support service contract from Symantec is recommended
WSUS provides distribution and deployment capabilities for
(customer’s responsibility to procure).
DeltaV Hotfixes and Microsoft security updates respectfully,
but only auditing and reporting for Microsoft security „ Support contract from Microsoft for WSUS is recommended
updates. For DeltaV Hotfix reporting refer to Guardian. (customer’s responsibility to procure).

„ For McAfee Endpoint Security for DeltaV Systems: z An Internet accessible server class computer licensed for
Microsoft Server (Upstream Server) to host applications
z McAfee ePolicy Orchestrator® Console (McAfee ePO™) —
that require Internet access.
A software application that solicits antivirus updates from
z Customer-managed network infrastructure that
either Emerson or via the Internet, typically located on a
allows the Downstream Server to securely access
server located on the L2.5 or L3 network.
the Upstream Server.
z McAfee/Agent Handler - An application platform that
deploys the antivirus updates obtained by the ePO console
to the agents located on the DeltaV ACN nodes.

www.emerson.com/cybersecurity 3
Automated Patch Management Service November 2020

Software

AV – Antivirus: McAfee Endpoint Security

Internet
Generic FTP
Application E – McAfee ePO: Management console
Firewall A – McAfee Agent
Level 4 - Local LAN

Historian Data ePO

Server Server Console Upstream Server
• Guardian Software Update Delivery Service (GSUDS)
• Microsoft WSUS (Parent)
Firewall • McAfee ePolicy Orchestrator
A AV E
Level 3 - DMZ Layer

Emerson
Smart Firewall
Level 2.5

Application Pro Plus Operator

Station Station Station Downstream Server
A AV A AV A AV A AV
ePO Agent • Guardian WSUS Interface (GWI)
Handler • Microsoft WSUS (Client)
• McAfee Agent Handler
Level 2 - ACN

Reference Architecture for Emerson Automated Patch Management Service utilizing McAfee Endpoint Security for
DeltaV Systems software.

Internet

Level 4 - Local LAN

Historian Data
Level 3 - Patch Management Upstream Server
Server Server
• Symantec Antivirus Live Update Administrator (LUA)
• Microsoft WSUS (Parent)
• Guardian GSUDS Client

Level 3 - DMZ Layer

Level 2.5

Operator Application Operator

Workstation Workstation Workstation Level 2 - Patch Management Downstream Server
• Symantec Endpoint Protection Manager (SEPM)
• Microsoft WSUS (Client)
• Guardian WSUS Interface (GWI)

Level 2 - ACN

Reference Architecture for Emerson Automated Patch Management Service utilizing Symantec Endpoint Protectrion
for DeltaV Systems software.

www.emerson.com/cybersecurity 4
Automated Patch Management Service November 2020

Sample WSUS Control Panel for deployment and audit of security updates.

Sample WSUS Control Panel for deployment and audit of security updates.

www.emerson.com/cybersecurity 5
Automated Patch Management Service
Operational Characteristics
Group policy or individual computer settings dictate how often
each DeltaV application station and workstation contacts the
Downstream Server for new Microsoft Security updates,
and what action to take when a new update is available.
These settings require careful consideration. In a typical service
deployment; antivirus updates are scheduled for automatic
download and installation according to a schedule,
however these updates do not require reboots;
Microsoft security updates are automatically downloaded
according to a schedule with local computer notification
that an update is ready to install; and DeltaV hotfixes
are only downloaded and installed upon request.
Automated Patch
Management Services
While some customers prefer to design, install and start-up
their own solutions and simply use the Automated Patch
Management subscription service to provide the downloaded
metadata, Emerson also offers services to help our customers
integrate Automated Patch Management Service into their
network infrastructure through evaluation, design and
implementation services. These services include:
„ Automated Patch Management Evaluation:
Emerson will work with the customer to evaluate
their request for services. The evaluation will:
Define the scope of work to be performed.
z Analyze the system architecture desired and any high level
technical considerations requested.
z Define any testing that may be required to future validate
the overall system architecture and configuration desired.
z Provide an Evaluation Report outline the customer request,
considerations, and Emerson’s recommendations.
„ Automated Patch Management Detailed Design:
Based on the findings from the Patch Management
Evaluation, this optional service will develop a proposed
architecture, detailed configuration, and policies to test
and verify proper functioning of the proposed
Patch Management system.
www.emerson.com/cybersecurity
November 2020
The detailed design phase may include:
z System staging based on the customers desired system
architecture and configuration. This pre-work will
determine the best configuration and installation processes
to be used on site. Equipment to be used in the plant can be
provided by the customer for system staging.
z Detailed consultation regarding the newest features
and enhancements contained in the new versions of
Guardian Update Delivery Service, Windows System Update
Service, Symantec Endpoint Protection,
and the Guardian WSUS Interface.
z An outline of the testing procedure to be performed
z Complete test reports outlining notable system behavior
and installation and configuration issued found.
z A detailed roadmap indicating any site installation and
configuration prerequisites required.
z Testing of any desired system modification identified
during the Evaluation phase.
„ Automated Patch Management Implementation: Based
on the findings of the evaluation and detail design, Emerson
will work with the customer to install, configure and
implement Patch Management Service. Upon completion, a
implementation report will be provided to the customer.
Please contact your Emerson Service Representative for a
quote if these services are required at your site.
Automated Patch Management
Annual Subscription Service
Automated Patch Management Service requires an add-on
subscription service to Guardian. This subscription service
enables Guardian to produce metadata specific to the
customers covered DeltaV systems. The metadata, along with
the Guardian WSUS Interface software (GWI) will approve
Microsoft Security Updates and import DeltaV Hotfixes required
by the DeltaV System ID’s configured.
Customers deploying Automated Patch Management Service
without the use of Emerson services can purchase Consultation
hours if assistance is required.
6
Automated Patch Management Service November 2020

Automated Patch Management Representative and/or Emerson’s Performance Service group.

In systems where an Emerson-supplied McAfee antivirus
Project Support solution (Endpoint Security for DeltaV Systems) is part of the
Automated Patch Management solution, Emerson Guardian
Automated Patch Management Service is a solution composed
Support extends to McAfee support issues as well.
of a combination of standard Emerson products and an
engineered environment that delivers patches through a
customer network to individual machines. Standard Guardian Ordering Information
Support provides initial support for any issues or questions
This subscription service requires a current DeltaV DCS Guardian
regarding the Automated Patch Management solution
Support Contract covering the System IDs at a given plant
(including but not limited to WSUS and Symantec SEPM)
site be in place. The model number selection is independent
through Emerson’s Global Support Center (GSC).
of whether an Emerson Endpoint Security for DeltaV Systems
Relatively simple and straightforward questions and issues that
or the Symantec Endpoint Protection solutions are utilized.
are non-site/system specific will be fully covered by Guardian
Components of these solutions are not included with this
Support. Issues and questions that are more complex and are
subscription service offering.
more site/system specific will most likely require and additional
service contract either through your local Emerson Service

Description Model Number

Automated Patch Management Subscription Service:
1-Year Cybersecurity, Automated Patch Management; VE9117SM
for Small Systems less than 5,000 DSTs
Automated Patch Management Subscription Service:
1-Year Cybersecurity, Automated Patch Management; VE9117ME
for Medium Systems from 5,000 DSTs to 19,999 DSTs
Automated Patch Management Subscription Service:
1-Year Cybersecurity, Automated Patch Management; VE9117LG
for Large Systems 20,000 DSTs or greater
Automated Patch Management Subscription Service:
1-Year Renewal for Cybersecurity, Automated Patch Management; VE9117SM-RENEW
for Small Systems less than 5,000 STs
Automated Patch Management Subscription Service:
1-Year Renewal for Cybersecurity, Automated Patch Management; VE9117ME-RENEW
for Medium Systems from 5,000 DSTs to 19,999 DSTs
Automated Patch Management Subscription Service:
1-Year Renewal for Cybersecurity, Automated Patch Management; VE9117LG-RENEW
for Large Systems 20,000 DSTs or greater

This product and/or service is expected to provide an additional layer of protection to your DeltaV system to help avoid certain types of undesired actions. This product and/or
service represents only one portion of an overall DeltaV system security solution. Emerson does not warrant that the product and/or service or the use of the product and/or service
protects the DeltaV system from cyber-attacks, intrusion attempts, unauthorized access, or other malicious activity (“Cyber Attacks”). Emerson shall not be liable for damages,
non-performance, or delay caused by Cyber Attack. Users are solely and completely responsible for their control system security, practices and processes, and for the proper
configuration and use of the security products.

To learn more, contact your local Emerson sales office or representative, or visit www.emerson.com/cybersecurity.

www.emerson.com/cybersecurity 7
Automated Patch Management Service
Contact Us
www.emerson.com/contactus
November 2020
©2020, Emerson. All rights reserved.
The Emerson logo is a trademark and service mark of Emerson Electric Co.
All other marks are the property of their respective owners.
The contents of this publication are presented for informational purposes only, and while
diligent efforts were made to ensure their accuracy, they are not to be construed as warranties
or guarantees, express or implied, regarding the products or services described herein or their
use or applicability. All sales are governed by our terms and conditions, which are available on
request. We reserve the right to modify or improve the designs or specifications of our products
at any time without notice.