Cybersecurity Suite

HFCS 2101 (January 2021)

Patch Compliance Engine (PCE)

User Guide

CS-HFCSE613en-2101A

Disclaimer

This document contains Honeywell proprietary information. Information contained herein is to be used solely for the purpose submitted, and no part of this document or its contents shall be reproduced, published, or disclosed to a third party without the express permission of Honeywell International Sàrl.

While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied warranties of merchantability and fitness for a purpose and makes no express warranties except as may be stated in its written agreement with and for its customer.

In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The information and specifications in this document are subject to change without notice.

Copyright 2021 - Honeywell International Sàrl

Notices

Trademarks

Experion®, PlantScape®, SafeBrowse®, TotalPlant®, and TDC 3000® are registered trademarks of Honeywell International, Inc.

ControlEdge™ is a trademark of Honeywell International, Inc.

OneWireless™ is a trademark of Honeywell International, Inc.

Other trademarks

Trademarks that appear in this document are used only to the benefit of the trademark owner, with no intention of trademark infringement.

Third-party licenses

This product may contain or be derived from materials, including software, of third parties. The third party materials may be subject to licenses, notices, restrictions and obligations imposed by the licensor.

The licenses, notices, restrictions and obligations, if any, may be found in the materials accompanying the product, in the documents or files accompanying such third party materials, or in a file named third_party_licenses on the media containing the product.

Documentation feedback

You can find the most up-to-date documents on the Honeywell Process Solutions support website at: http://www.honeywellprocess.com/support

If you have comments about Honeywell Process Solutions documentation, send your feedback to: [email protected]

Use this email address to provide feedback, or to report errors and omissions in the documentation. For immediate help with a technical problem, contact your local Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC).

How to report a security vulnerability

For the purpose of submission, a security vulnerability is defined as a software defect or weakness that can be exploited to reduce the operational or security capabilities of the software.

Honeywell investigates all reports of security vulnerabilities affecting Honeywell products and services.

To report a potential security vulnerability against any Honeywell product, please follow the instructions at:

https://honeywell.com/pages/vulnerabilityreporting.aspx

Submit the requested information to Honeywell using one of the following methods:

Send an email to [email protected].

or

Contact your local Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC) listed in the “Support” section of this document.

Support

For support, contact your local Honeywell Process Solutions Customer Contact Center (CCC). To find your local CCC visit the website, https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx.

Training classes

Honeywell holds technical training classes that are taught by process control systems experts. For more information about these classes, contact your Honeywell representative, or see http://www.automationcollege.com.

About this Guide

Scope

This guide provides step-by-step instructions for collecting data on the VSE and for installing and using the Patch Compliance solution.

Intended audience

This guide is intended for the following audience types:

● Honeywell Support personnel, who install and deploy the Patch Compliance Engine Software

● Honeywell or customer Support personnel who collect data in the VSE

● System administrators who use the Patch Compliance Engine Software

Prerequisite skills

For the installation and deployment of the Patch Compliance Engine Software, the guide assumes knowledge of Honeywell Windows Supplemental Product Line.

Related documents

The following list identifies publications that may contain information relevant to the information in this document.

Document Name: Cybersecurity Suite 2003 (March 2020) - VSE User Guide
Document Number: CS-HFCS-601en-2003A

Revision history

Revision B (supported release 2101, January 2021): This software is an upgrade-only release from release 2003.

Revision A (supported release 2009, October 2020): First release.

Contents

1 Security Considerations 10

1.1 Physical security 10

1.2 Secured zone 10

1.3 Limiting access 11

1.3.1 At the VSE level 11

1.3.2 At the directory or file level 11

1.4 Authorization measures 11

2 Terms and Definitions 13

3 Patch Compliance Engine Overview 15

3.1 Patch Compliance Engine architecture 15

3.1.1 Scheduling reports 17

3.1.2 Generating on-demand (instant) reports 18

3.2 Microsoft products supported for Patch Compliance calculation 18

3.3 Entities supported for Patch Compliance calculation 19

4 Requirements 21

4.1 Requirements for data collection 21

4.2 Requirements for the Patch Compliance Engine 21

5 Collecting the Qualification Data at the VSE 22

5.1 Collecting configuration matrix information on Windows machines 23

6 Installing the Patch Compliance solution 24

7 Importing the Qualification Matrix 26

7.1 Statuses of patches 29

Appendices 31

Appendix A: Device Categories for Compliance Calculation 32

List of Figures

Figure 3-1: Patch Compliance Engine architecture 15

Figure 3-2: Scheduled Reports tab 17

Figure 3-3: Generating instant reports 18

Figure 6-1: Pre-Installation Summary page 25

Figure 6-2: Install Complete page 25

Figure 7-1: Qualification matrix Excel file - Summary tab 27

Figure 7-2: Qualification file's Matrix tab 27

Figure 7-3: Uploading the qualification matrix file 28


1 Security Considerations

This chapter outlines the security measures for the Patch Compliance Engine.

1.1 Physical security

Caution: HFCS-Patch Compliance Engine is a mission-critical component.

Take all necessary physical security measures to prevent attacks or disasters.

Ensure that the computer where the product is installed is located in an approved, physically secure location that is accessible only to authorized personnel.

1.2 Secured zone

Patch Compliance Engine contains sensitive information, the loss of which could have severe consequences. Therefore, there is a need to protect the sensitive information and prevent attacks against the product. To do that, the Patch Compliance Engine software, as well as its related extensions, must be installed in an internally secured zone with strict access control lists and appropriate firewall/routing rules.

Ensure that Patch Compliance Engine is installed in a directory that is only accessible to authorized personnel responsible for the product.

In addition, you must take the following precautions:

● Use a next-generation firewall to limit access to the Communication Server to specific IP addresses only (such as the IP address of each VSE), and only through port 443.

● Enable Intrusion/Threat Prevention on this firewall and update the threat signatures at least once a month.

● Ensure that all access to the Communication Server, as well as all other Security Center Components, is protected by this or another, similar firewall.


● Ensure that the Security Center network is only accessible by trusted, authorized personnel and devices.

Caution: If Patch Compliance Engine is installed on one or more servers that are exposed to untrusted networks such as the Internet, protection against denial-of-service (DoS) attacks must be implemented.

1.3 Limiting access

It is highly recommended to follow regulatory, industry, and enterprise standards for limiting access to sensitive information as specified below.

1.3.1 At the VSE level

The user management at the host running the VSE must follow the principles of need to know and least privilege: Only users who absolutely must have access to the computer are granted access, and these users are assigned the minimal set of permissions allowing them to perform their job.

1.3.2 At the directory or file level

Access to directories and files should also be granted in accordance with the principles of need to know and least privilege: Only users who absolutely must have access to the requested directory and file are granted access, and these users are assigned the minimal set of permissions allowing them to perform their jobs.

Use the built-in file access audit logging on the OS to monitor unauthorized changes to sensitive files.

1.4 Authorization measures

You are strongly advised to implement the following security measures:


● Change the default administrative password and delete/disable the default service accounts as soon as new administrative accounts are created.

● Disable any default Administrator/Root user on the computer.

● Disable any default Guest user on the computer.

● Disable any unauthenticated access to the computer via shared directories etc.

● Ensure that the OS is up to date with the latest security patches provided by the OS vendor.


2 Terms and Definitions

Note: The terms and definitions are listed in alphabetical order.

R

Remote Access Bridge (RAB)
A Cybersecurity Suite component installed externally to the Security Center, which enables secure remote access between the Security Center and the VSE.

Remote Access Gateway (RAG)
The Remote Access Gateway is part of the Cybersecurity Suite remote access solution. When initiated, the Remote Access Gateway automatically pulls the connection details from the database. For each request to access a remote site, the Remote Access Gateway establishes a secure connection to the Remote Access Bridge to enable a secure communication tunnel.

S

Security Center (SC)
A Cybersecurity Suite component that is installed at the corporate data center. The Security Center is composed of various software components, which enable it to remotely collect, analyze, view, manage, and store data retrieved from the VSEs. This data refers to the monitored network assets and devices found at the VSE's sites.

site
A remote physical location, such as an industrial plant, which includes one or more network environments and has at least one VSE.

V

Virtual Security Engine (VSE)
The Cybersecurity Suite component that is installed at the remote site, monitors the assets at the site, and provides additional functionalities such as remote access.


3 Patch Compliance Engine Overview

This chapter presents a brief introduction to the Honeywell Forge Cybersecurity - Patch Compliance Engine.

3.1 Patch Compliance Engine architecture

The architecture of the Honeywell Forge Cybersecurity - Patch Compliance Engine is as shown below.

Figure 3-1: Patch Compliance Engine architecture

The Patch Compliance Engine calculation is as follows:

1. The VSE collects data from the assets (computers, servers, and stations) by using the Windows Supplemental Product Line.

2. The collected data is transferred on predefined intervals to the Security Center.

3. The data from the Oracle database is transferred to the Interactive Reports' database (SQL Server) by using ELT.

4. The qualification matrix data is imported from external Excel files.

5. Upon request to generate a Patch Compliance report, the Reports Center activates the Patch Compliance service with the data from the reports database. The Patch Compliance service then processes the data and provides the compliance result, based on the qualification matrix provided by the customer. Reports can be either scheduled or generated instantly (on-demand). For details, see sections Scheduling reports and Generating on-demand (instant) reports.

6. For each asset type, the Patch Compliance Engine takes the following parameters:

■ OS and OS architecture - collected automatically and populated in the device properties in the VSE by the Collect Daily execution profile.

■ The device's vendor and product - provided by the customer in the Device Properties tab in the VSE.

Note: The vendor is the name of the asset's manufacturer, and must be identical to the name specified in the qualification matrix Excel file. For example, do not write Microsoft in the qualification matrix Excel file and MS in the Device Properties tab. The same applies to the product name; for example, Experion vs EBR.

■ A list of the software suites installed on the device

Note: The Experion Server-Station Product Line is used for tagging Windows machines as Experion devices. Reports Center does not use the Patch Compliance service for calculating compliance for Honeywell devices. As a result, there is no need to set the above device properties for Honeywell devices. For details, see appendix Device Categories for Compliance Calculation.

7. For each product, the Patch Compliance Engine performs a compliance calculation.


3.1.1 Scheduling reports

To schedule reports:

1. Go to the Scheduled Reports tab.

2. Select the site ID from the list.

3. Set the requested frequency by selecting either of the following options:

■ Dashboard - to run a daily scheduled job, which generates reports for the last 7 days.

■ Monthly - to generate a report on the 1st of each month, which provides information about the last month.

Figure 3-2: Scheduled Reports tab

4. Enter a password to protect the reports.

After data collection begins, a process for retrieving the data is scheduled to run every day at a predefined hour (usually 3 AM). If the Dashboard (daily) option was selected as the schedule frequency, a report is created automatically after the daily run is complete.

Note: The reports generated before the data collection process runs for the first time are empty.


3.1.2 Generating on-demand (instant) reports

To generate on-demand reports:

1. Go to the Instant Reports tab.

2. Select the site ID from the pane on the left.

3. Select the start and end dates for the reporting period.

4. Optionally, to archive the report in a password-protected ZIP file, enter the ZIP file password.

Figure 3-3: Generating instant reports

5. Click Generate Report.

3.2 Microsoft products supported for Patch Compliance calculation

The Patch Compliance Engine supports compliance calculation for patches for the following types of Microsoft products:

● Windows OS - for all supported OS versions. For details see section Entities supported for Patch Compliance calculation


● .Net Framework

3.3 Entities supported for Patch Compliance calculation

The following Windows operating systems, as well as all their patches and updates, are supported by the Patch Compliance Engine:

● Windows

■ Windows XP Service Pack 1

■ Windows XP Service Pack 2

■ Windows XP Service Pack 3

■ Windows Vista, Service Pack 1

■ Windows Vista, Service Pack 2

■ Windows 7 Service Pack 1

■ Windows 8.1

■ Windows 10 Version 1507

■ Windows 10 Version 1511

■ Windows 10 Version 1607

■ Windows 10 Version 1703

■ Windows 10 Version 1709

■ Windows 10 Version 1803

■ Windows 10 Version 1809

■ Windows 10 Version 1903

■ Windows 10 Version 1909

■ Windows 10 Version 2004

● Windows Server

■ Windows Server 2003 R2

■ Windows Server 2003, Service Pack 1

■ Windows Server 2003, Service Pack 2

■ Windows Server 2008 R2 Service Pack 1

■ Windows Server 2008 Service Pack 2

■ Windows Server 2008 Service Pack 2, Rollup KB4489887

■ Windows Server 2016 Version 1607

■ Windows Server 2016 Version 1709

■ Windows Server 2019 Version 1809


4 Requirements

This chapter specifies the requirements for using the Honeywell Forge Cybersecurity - Patch Compliance Engine, as detailed in the following sections.

4.1 Requirements for data collection

Data collection requires the following:

● VSE version 7.1 and higher versions

● Honeywell Windows Supplemental version 2.20.1 and higher versions (PA)

● Honeywell Server Station (PA) version 2.10.1

● Distribution of the device properties file that enables the collection of the configuration data required for calculating the patch compliance (see chapter Collecting the Qualification Data at the VSE)

4.2 Requirements for the Patch Compliance Engine

Use of the Patch Compliance Engine requires the following:

● The VSE is configured as specified in section Requirements for data collection and is connected to the Security Center for data transfer.

● The Patch Compliance Engine is installed on the same machine as the Reports Center. Installing it on a separate machine is not advised.

● VC2017_redist.x86.exe – Visual C++ 2017 32-bit Redistributable Package


5 Collecting the Qualification Data at the VSE

This chapter provides instructions for collecting the configuration data at the VSE.

To enable the collection of the configuration data:

1. In the Security Center, distribute the device properties zip file to the relevant VSEs by using Software Distribution.

Note: For further information on how to load and distribute the software distribution package from the Security Center, see section Remote Activity Types in the Security Center Getting Started Guide.

2. In the VSE, configure the device properties for each asset profile for which the patch compliance data needs to be calculated.

Note: Only the Vendor and Product properties have to be entered manually. The OS-related properties - the OS, OS Full Build Number, and Architecture - are collected automatically by running the Collect Daily execution profile.

3. Ensure that the Collect Weekly and Collect Monthly collection profiles are activated.

These profiles collect the details of all installed patches in all devices configured in the VSE.

After these requirements are met, you can run the reports as detailed in section Collecting configuration matrix information on Windows machines.


5.1 Collecting configuration matrix information on Windows machines

The following configuration data must be collected on Windows machines:

● OS Information, OS Full Build Number, and Architecture, which are collected by running the execution profile Collect Daily.

● Details of all installed patches in all devices configured in the VSE - collected by running the execution profiles Collect Monthly and Collect Weekly.

When a patch compliance report is being requested, both OS information and Windows updates data are retrieved from the Security Center database, in order to perform the patch compliance calculation.


6 Installing the Patch Compliance solution

Warning: If Patch Compliance Engine version 1.5.1 is installed on the target machine, uninstall it before running the installation described below. After the installation of the Patch Compliance solution has completed successfully, re-install the Patch Compliance Engine from the new installation package provided.

The installation of the Patch Compliance solution is performed by using a wizard.

To run the installation wizard:

1. Download and run the file Install_Patch_Compliance_1.0.X.exe.

Note: While the screenshots in this guide refer to version 1.0.2, the actual version number can be different in the installation package.

2. Use the License Agreement page to accept the terms of the license agreement and click Next.

3. Use the Choose Install Folder page to select whether to leave the default path or browse to select another path.

The Pre-Installation Summary page displays your choices, as shown below.


Figure 6-1: Pre-Installation Summary page

4. Click Install to run the installation wizard. If the installation was successful, the Install Complete page shown below is displayed at the end of the process.

Figure 6-2: Install Complete page


7 Importing the Qualification Matrix

The Patch Compliance Engine process loads a qualification matrix Excel report with the Honeywell third-party qualification matrix for each vendor.

Attention: The instructions below refer to the qualification matrix for all vendors other than Microsoft.

For devices that do not belong to a specific vendor, and for Microsoft devices, fill in the default Microsoft qualification matrix instead. In that matrix the only allowed vendor is Microsoft and the only allowed product name is Default; no division into products applies.

To fill in the qualification matrix file:

1. In the VSE, define for each asset profile the values in the device properties, namely: the vendor and product. For example: Honeywell and Experion.

2. From the public repository (https://bitbucket.org/hce-honeywell/patch-compliance-matrix/src/master/), download a qualification matrix Excel file with no data, which contains the following tabs:

■ Summary - A single tab per workbook, to specify the vendor's name and the published date


Figure 7-1: Qualification matrix Excel file - Summary tab

Note: The vendor name should be identical to the name specified in the VSE for the device in the device properties.

■ Matrix - One or more tabs with the criteria for determining the compliance of the patches

Figure 7-2: Qualification file's Matrix tab

3. Fill-in at least the following mandatory details for each patch:

Note: The product name should be identical to the name specified in the VSE for the device in the device properties.

■ Patch ID

Note: The patch ID string must not exceed 20 characters

■ OS - select the relevant Windows version from the list

■ Architecture - 32-bit, 64-bit, or both

■ Patched Product - The name of the product to which the patch is applied. For each product there can be multiple patched products; for example, .Net framework, Internet Explorer, and OS

■ Release Date

■ Security - Yes, No or Unspecified


4. After the rightmost column, insert another column for the product; for example, Experion R400 or Experion R500.

5. After processing all qualification matrix Excel files, put all files in a dedicated directory whose path is:

:\Program Files\AssetManagement\services\patch-compliance\requests

6. In this directory, open a command prompt and run the relevant batch file, which uploads all newly placed qualification matrix files:

■ UploadQualificationMatrix.cmd - for non-secure connections

■ UploadQualificationMatrixSecure.cmd - for secure connections

Figure 7-3: Uploading the qualification matrix file


Warning: After all files have been uploaded successfully, remove them or move them to another directory so that they are not re-imported the next time you run the batch file. In addition, uninstalling the Patch Compliance service deletes all files in this folder, so back up these files in any case.

The upload process displays all errors and warnings about the contents of the qualification matrix file, as well as information about the upload process itself.

Note: If the severity of the displayed error is Error, the upload process fails. In such a case, first resolve the critical issue shown in the error notification and then repeat the upload process.
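The upload log reports errors and warnings only after the files are placed in the requests directory. The following added example (not Honeywell code, and not the checks the upload batch files actually perform) shows the checks a practitioner can run on the workbook contents beforehand, using only the rules this chapter and the note in section 3.1 state: the Patch ID length limit, the allowed Architecture and Security values, the OS list, and the exact-match requirement between the Summary/Matrix names and the Vendor and Product device properties in the VSE. The `MatrixRow` structure, the severity model, and the sample rows are assumptions; the sample data is constructed, with release dates and all patch IDs other than the rollup named in chapter 3 used as placeholders.

```python
"""Added example: pre-upload checks for a qualification matrix (not Honeywell code)."""
from dataclasses import dataclass, field
from datetime import date

# Allowed values taken from the mandatory-column list in this chapter.
ALLOWED_ARCH = {"32-bit", "64-bit", "both"}
ALLOWED_SECURITY = {"Yes", "No", "Unspecified"}
MAX_PATCH_ID_LEN = 20  # "the patch ID string must not exceed 20 characters"


@dataclass(frozen=True)
class MatrixRow:
    """One row of a Matrix tab (assumed layout); `products` holds the per-product
    columns added after the rightmost mandatory column, e.g. {"Experion R500": "Qualified"}."""
    patch_id: str
    os: str
    architecture: str
    patched_product: str
    release_date: date
    security: str
    products: dict = field(default_factory=dict)


def validate_matrix(vendor, rows, supported_os, device_properties):
    """Return a list of (severity, message) tuples in the style of the upload log.

    `device_properties` is the set of (vendor, product) pairs as typed into the
    VSE Device Properties tab; the workbook names must match them exactly.
    """
    findings = []
    vendors_in_vse = {v for v, _ in device_properties}
    if vendor not in vendors_in_vse:
        findings.append(("Error", f"Summary tab: vendor {vendor!r} matches no VSE device property "
                                  f"(exact match required, e.g. 'Microsoft' vs 'MS')"))
    products_in_vse = {p for v, p in device_properties if v == vendor}

    for i, row in enumerate(rows, start=2):  # assume the header occupies row 1
        if not row.patch_id:
            findings.append(("Error", f"row {i}: Patch ID is mandatory"))
        elif len(row.patch_id) > MAX_PATCH_ID_LEN:
            findings.append(("Error", f"row {i}: Patch ID {row.patch_id!r} exceeds {MAX_PATCH_ID_LEN} characters"))
        if row.os not in supported_os:
            findings.append(("Error", f"row {i}: OS {row.os!r} is not a supported Windows version"))
        if row.architecture not in ALLOWED_ARCH:
            findings.append(("Error", f"row {i}: Architecture {row.architecture!r} must be one of {sorted(ALLOWED_ARCH)}"))
        if not row.patched_product:
            findings.append(("Error", f"row {i}: Patched Product is mandatory"))
        if row.security not in ALLOWED_SECURITY:
            findings.append(("Error", f"row {i}: Security {row.security!r} must be one of {sorted(ALLOWED_SECURITY)}"))
        for product in row.products:
            if product not in products_in_vse:
                findings.append(("Warning", f"row {i}: product column {product!r} matches no device in the VSE "
                                            f"(check for 'Experion' vs 'EBR' style mismatches)"))
    return findings


def upload_allowed(findings):
    """The upload fails if any finding has severity Error."""
    return not any(severity == "Error" for severity, _ in findings)


# Constructed sample input: OS names from the supported-entities list in chapter 3; the first
# patch ID is the rollup named there, the others are placeholders; release dates are placeholders.
SUPPORTED_OS = {"Windows Server 2008 Service Pack 2", "Windows Server 2016 Version 1607",
                "Windows 10 Version 1809"}
VSE_DEVICE_PROPERTIES = {("Honeywell", "Experion R500"), ("Honeywell", "Experion R400")}
SAMPLE_ROWS = [
    MatrixRow("KB4489887", "Windows Server 2008 Service Pack 2", "both", "OS",
              date(2019, 3, 12), "Yes", {"Experion R400": "Qualified"}),
    MatrixRow("KB4489887-SUPERSEDED-BY-NEXT", "Windows Server 2008 Service Pack 2", "both", "OS",
              date(2019, 3, 12), "Yes", {"Experion R400": "Qualified"}),  # ID longer than 20 chars
    MatrixRow("KB-SAMPLE-1", "Windows 10 Version 1809", "x64", "OS",
              date(2020, 5, 12), "Maybe", {"Experion R510": "Qualified"}),  # bad arch, bad Security, unknown product
]

if __name__ == "__main__":
    for severity, message in validate_matrix("Honeywell", SAMPLE_ROWS, SUPPORTED_OS, VSE_DEVICE_PROPERTIES):
        print(f"{severity}: {message}")
```

Run against the constructed rows, the first row passes, the second fails on the Patch ID length, and the third produces two errors and one warning, so the upload would be blocked until the three errors are fixed; the unknown-product warning is the mismatch the note in section 3.1 warns about and is worth fixing as well, since a product column that matches no device contributes nothing to the calculation.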

7.1 Statuses of patches

A patch can have one of the following statuses:

● Qualified - The patch is installed on the machine and meets all criteria defined in the qualification matrix.

● Undefined - The patch is installed but is either not listed in the qualification matrix file or is listed there as undefined. This may pose a problem, as some patches must not be installed.

● Missing patch - The patch is listed in the qualification matrix file but is not installed on the machine.

● Not qualified - A patch is installed on the device but the qualification matrix file indicates that it must not be installed (vendor status = failed).

The report's findings are acted on according to the status of each patch: missing patches should be installed, patches that are not qualified should be removed, and, most importantly, undefined patches should be investigated.
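To make the four statuses concrete, the following added example (not Honeywell code, and not the Patch Compliance service's own implementation) applies them to one device: it keeps only the matrix rows for the device's OS and architecture, as collected by the Collect Daily profile, and classifies the installed patches collected by the Collect Weekly and Collect Monthly profiles. The `MatrixEntry` and `Device` structures, the vendor status values other than "failed", and the rule that only an absent qualified patch counts as missing are assumptions; the sample data is constructed, with placeholder patch IDs.

```python
"""Added example: per-device patch status calculation following section 7.1 (not Honeywell code)."""
from dataclasses import dataclass

QUALIFIED, UNDEFINED, MISSING, NOT_QUALIFIED = "Qualified", "Undefined", "Missing patch", "Not qualified"


@dataclass(frozen=True)
class MatrixEntry:
    """A matrix row reduced to what the status calculation needs. 'failed' is the vendor status
    the page gives for not-qualified patches; 'qualified' and 'undefined' are assumed names."""
    patch_id: str
    os: str
    architecture: str   # "32-bit", "64-bit" or "both"
    vendor_status: str  # "qualified", "failed" or "undefined"


@dataclass(frozen=True)
class Device:
    """OS and architecture as collected by the Collect Daily profile, plus the installed patch IDs."""
    os: str
    architecture: str
    installed: frozenset


def applicable_entries(matrix, device):
    """Only rows for the device's OS and architecture take part in the calculation."""
    return [e for e in matrix
            if e.os == device.os and e.architecture in ("both", device.architecture)]


def patch_statuses(matrix, device):
    """Return {patch_id: status} over the installed patches and the applicable matrix rows."""
    by_id = {e.patch_id: e for e in applicable_entries(matrix, device)}
    statuses = {}
    for pid in device.installed:
        entry = by_id.get(pid)
        if entry is None or entry.vendor_status == "undefined":
            statuses[pid] = UNDEFINED       # installed, but not listed or listed as undefined
        elif entry.vendor_status == "failed":
            statuses[pid] = NOT_QUALIFIED   # installed, but the matrix says it must not be
        else:
            statuses[pid] = QUALIFIED
    for pid, entry in by_id.items():
        # Assumption: only an absent qualified patch counts as missing; an absent 'failed'
        # patch is the desired state and gets no status.
        if pid not in device.installed and entry.vendor_status == "qualified":
            statuses[pid] = MISSING
    return statuses


def recommended_actions(statuses):
    """Map each status to the follow-up the report calls for."""
    actions = {"install": [], "remove": [], "investigate": []}
    for pid, status in sorted(statuses.items()):
        if status == MISSING:
            actions["install"].append(pid)
        elif status == NOT_QUALIFIED:
            actions["remove"].append(pid)
        elif status == UNDEFINED:
            actions["investigate"].append(pid)
    return actions


# Constructed sample input: OS names from the supported-entities list; patch IDs are placeholders.
SAMPLE_MATRIX = [
    MatrixEntry("KB-SAMPLE-A", "Windows Server 2016 Version 1607", "both", "qualified"),
    MatrixEntry("KB-SAMPLE-B", "Windows Server 2016 Version 1607", "64-bit", "failed"),
    MatrixEntry("KB-SAMPLE-C", "Windows Server 2016 Version 1607", "64-bit", "qualified"),
    MatrixEntry("KB-SAMPLE-D", "Windows Server 2016 Version 1607", "64-bit", "undefined"),
    MatrixEntry("KB-SAMPLE-F", "Windows 10 Version 1809", "both", "qualified"),            # other OS: ignored
    MatrixEntry("KB-SAMPLE-G", "Windows Server 2016 Version 1607", "32-bit", "qualified"),  # other arch: ignored
]
SAMPLE_DEVICE = Device("Windows Server 2016 Version 1607", "64-bit",
                       frozenset({"KB-SAMPLE-A", "KB-SAMPLE-B", "KB-SAMPLE-D", "KB-SAMPLE-E"}))

if __name__ == "__main__":
    statuses = patch_statuses(SAMPLE_MATRIX, SAMPLE_DEVICE)
    for pid, status in sorted(statuses.items()):
        print(f"{pid}: {status}")
    print(recommended_actions(statuses))
```

On the constructed device, KB-SAMPLE-A is Qualified, KB-SAMPLE-B is Not qualified (installed although the vendor status is failed), KB-SAMPLE-C is a Missing patch, and KB-SAMPLE-D and KB-SAMPLE-E are Undefined, D because the matrix lists it as undefined and E because it is not listed at all. Rows for another OS or architecture contribute nothing, which is why a wrong OS or Architecture value in the matrix silently removes a patch from the calculation rather than producing an error.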


Appendices

This user guide includes the following appendices:

● Device Categories for Compliance Calculation


Appendix A: Device Categories for Compliance Calculation

The compliance calculation for the device types specified below is performed by the Reports Center, and does not require configuring the qualification matrix for these devices.

● ESVT

● ESV (Process)

● ESV (SCADA)

● ES-C

● ES-CE

● ES-F

● ES-T

● EAS

● eServer

The compliance calculation for the device types specified below is performed by the Patch Compliance engine, and requires configuring the qualification matrix for these devices.

● ACE

● 3rd Party Server

● 3rd Party Workstation

● Windows

Honeywell Process Solutions

1250 W Sam Houston Pkwy S #150, Houston, TX 77042

Honeywell House, Skimped Hill Lane Bracknell, Berkshire, RG12 1EB

Building #1, 555 Huanke Road, Zhangjiang Hi-Tech Park, Pudong New Area, Shanghai, China 201203

www.honeywellprocess.com