×
Siemens Industry Online Support
Siemens AG
Entry type: FAQ, Entry ID: 18752994, Entry date: 06/22/2017
(3)
Rate

Which Microsoft Patches ("Security Patches" and "Critical Patches") have been tested for compatibility with SIMATIC WinCC?

  • Entry
  • Associated product(s)
Microsoft regularly rectifies security gaps in its products and makes these fixes available to its customers in the form of official patches.

These updates/patches are usually issued every second Tuesday in the month, on so-called "Patch Tuesday". Microsoft divides up the updates into numerous different classifications:

http://support.microsoft.com/kb/824684/en

However, you only have to install "Security Patches" and "Critical Patches" to ensure that SIMATIC WinCC operation is secure and stable. For this reason, a WinCC test configuration has been set up in order to test the compatibility of the WinCC software with the above-mentioned patch classifications ("Security Patches" and "Critical Patches"). This system always features the very latest of the released versions of WinCC and Microsoft products released for operating these versions of WinCC. Compatibility tests with the latest released versions of WinCC are performed on the test system in pace with the updates published by Microsoft.
We recommend installing all the available updates of both the named classifications to ensure that the system is protected.
Through any additional software installed on your system, it might happen that you have more updates installed than checked by our tests. Of course, nothing can be said about the compatibility of these additional updates. Therefore, we recommend installing all the updates in the separate project-specific test environment prior to rolling out the updates in the productive environment.

Some time ago at various points Microsoft changed the procedure with Windows Updates for Windows 7 and Windows 8.1 and higher. It is no longer the separate updates (KBs) that are delivered, but cumulative roll-up packages, the so-called "Monthly Rollups". Each of these updates includes the updates of the previous month.
Likewise the setting options for the Windows Updates have been changed: by default now you have to install the complete packages and not just specific classifications.
You have to use the Microsoft Windows Server Update Service (WSUS) to install single classifications of your choice.

Recommended procedure for patch management with the WSUS
Go to the Microsoft web pages for detailed instructions for installing and configuring the WSUS.

No.Procedure
1WSUS configuration:
In the "Products and Classifications" dialog you select the "Products" tab and then all the Microsoft products relevant for the plant.
2WSUS configuration:
In the "Products and Classifications" dialog you select the "Classifications" tab and then "Definition Updates", "Security Updates" and "Critical Updates".
 



Fig. 01


3WSUS configuration:
Create the project-specific groups for distribution of the updates in the plant.
4WSUS administration:
Select all the available updates in the "Critical Updates" and "Security Updates" categories and then deselect the non-released patches as in the list above. Release the patches for installation in the groups created.
5Log in on the clients connected to the WSUS using an administrative account (the clients were configured to receive the updates from the WSUS).
6Execute the updates offered.


For more detailed explanations about Microsoft Updates and the WSUS visit the following web pages.

If you wish to continue running your WinCC plant without installing a WSUS, you can do this by disconnecting from the internet. In this case you must nevertheless ensure that the computers receive the necessary updates.

Warning
You might experience the consequences below if you do not use WSUS.

  • There might be an unscheduled shutdown of the WinCC system.
  • There might be unscheduled installation of all the packages provided by Microsoft.

These are reasons why we do not recommend running a continuous production plant without WSUS.

In rare cases it might happen that in our tests an update has a negative influence on our software. This is noted in the following list in the "Test Result" field. Furthermore, we inform you as fast as possible by newsletter of any indications and the resulting remedies.

Description
Excel file updates with negative influence
Registration required security_patches_failed.xls (12.4 KB)

Important note on SQL server 2014 SP2 (KB3171021)
It is not recommended to install the Service Pack with WinCC version V7.4 or lower. Service Pack 2 is released only for WinCC Version V7.4 SP1 and higher.

Notes

  • To find out which Microsoft Patches are installed on the PC, refer to Entry ID: 48844294.
  • These guidelines apply only for WinCC V6.0 SP4 and higher.

Warning
The procedure described above does not apply for new Microsoft Service Packs which still require an explicit release for use. If the patches require a higher version of the Microsoft software, then refer to the "WinCC Install Notes" or Entry ID 64847781, to check whether these higher versions of the software or Service Packs are released for SIMATIC WinCC.

You can find more precise information about Industrial Security in connection with WinCC software in the WinCC Security Concept in Entry ID: 60119725.

Additional Keywords
Windows Update Service, Security Patch

Security information
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions constitute one element of such a concept. For more information about industrial security, please visit
http://www.siemens.com/industrialsecurity.
ProductSupport.EntityResultListTitle
ProductSupport.EntityResultListDescription

ProductSupport.EntityResultListButtonText
Copy URL
mySupport Cockpit
Related links