Which Microsoft Updates have been tested for compatibility with SIMATIC PCS 7?
Notes on Microsoft Updates 2018-01 (Meltdown and Spectre)
In January 2018, Microsoft has released updates for the Windows operating systems to close the vulnerabilities, which are grouped under the name Meltdown and Specter. As announced by Microsoft, after installing the updates on some systems, performance limitations have been identified. These will be further investigated on our test facilities.
For compatibility reasons, we recommend that you do not currently import the security updates marked with a "FailedProduct" entry on the affected systems.
For further information see Entry ID 109754953.
The latest updates are usually issued every second Tuesday of the month. Microsoft groups the updates into numerous different classifications:
To ensure that SIMATIC PCS 7 is secure you have to install updates with the patch classifications "Security Updates", "Critical Updates", "Update Rollups", "Updates" and "Definition Updates".
For this reason, a PCS 7 test configuration has been set up in order to test the compatibility of the updates with the PCS 7 software. This system always features the very latest of the supported versions of PCS 7 and Microsoft products released for operating these versions of PCS 7. Keeping pace with the updates published by Microsoft, compatibility tests are performed regularly on the test system.
The attached table in xls format provides precise information about the Microsoft updates that are tested for compatibility. As far as possible, this is updated within three weeks after publication of the latest updates of the designated classification. It reflects the Microsoft products installed in the PCS 7 test configuration. Therefore, a discrepancy between this list and the products installed in the project cannot be excluded. If a system requires more updates than contained in the published list, these updates are requested according to the additional installed products/software components. In this case, it is up to the user to install these updates.
We recommend installing all the available updates of the named classifications to ensure that the system is protected.
However, we cannot say anything about the compatibility of updates that we have not tested. Therefore, we recommend installing all the updates in the separate project-specific test environment prior to rolling out the updates in the productive environment.
|Excel file in compliance with IEC 62443-2-3||security_patches_iec.xls (1,6 MB)|
|Packed XML and model files in compliance with IEC 62443-2-3|| ecurity_patches_iec.zip (157,0 KB)|
Only the current patches are listed. These are cumulative and contain all previous updates.
In rare cases it might happen that in our tests an update has a negative influence on our software. This is noted in the "Comment" field in the list above. Furthermore, we inform you as fast as possible by newsletter of any indications and the resulting remedies.
Recommended procedure for patch management with the Microsoft Windows Server Update Service (WSUS)
These instructions assume that you have a WSUS installed for your PCS 7 plant. The WSUS version to be installed depends on the latest operating system used in the plant. It is always recommended to use the latest available WSUS version. How to proceed with the WSUS is described in Entry ID: 38621083.
- WSUS configuration
In the "Products and Classifications" dialog you select the "Products" tab and then all the Microsoft products relevant for the plant.
In the "Products and Classifications" dialog you select the "Classifications" tab and then "Definition Updates", "Security Updates", "Update Rollups", "Updates" and "Critical Updates".
- WSUS configuration
Create the project-specific groups for distribution of the updates in the plant.
- Download the "Security_Patches_iec.xls" Excel table above onto your computer.
Open the table and set the filter to "-" in the "PassedProduct" column"PassedProduct".
- Check the "Comments" column to see whether these updates have been replaced.
- WSUS administration
Select all the available updates and not yet approved updates in the categories above and then deselect only the non-released patches as in the Excel table above.Enable the patches for installation in the groups created.
- Log in on the clients connected to the WSUS using an administrative account. Check whether updates for the client are available (the clients have been configured to receive updates from the WSUS).
- Make sure that the PCS 7 Runtime has ended. Install all the available updates. Restart the computer and check whether more updates are offered for installation.
More information about the MS Patch Management and the WSUS Configuration is available at the following links:
- PCS 7 Compendium Part F - Industrial Security V9.0
- SIMATIC Process Control System PCS 7 Patch Management and Security Updates
Further explanations about Microsoft Updates and the WSUS are available on the following Microsoft pages:
- Microsoft Security Bulletins (English)
- Microsoft WSUS (English)
- To find out which Microsoft Patches are installed on the PC, refer to Entry ID: 48844294.
- These guidelines apply for the version PCS 7 V7.0 SP3 and higher.
The procedure described above does not apply for new Microsoft Service Packs which still require an explicit release for use. If the patches require a higher version of the Microsoft software, then refer to the "PCS 7 readme" file or Entry ID 64847781, to check whether these higher versions of the software or Service Packs are released for SIMATIC PCS 7.
Windows Update Service, Security Patch