Patch Management for OT Clients with ondeso SR and WSUS

The process control department of a group in the chemical and pharmaceutical industry had the goal of optimizing the patch management process for its OT clients within the SIMATIC PCS 7 process control system. Previously, this was done using WSUS and self-developed scripts. However, WSUS could not automatically start or stop the PCS7 runtime, which is critical for smooth operations. The company decided to combine ondeso SR and WSUS. ondeso SR provided a much clearer and user-friendly console.

As an official Product Partner for SIMATIC Automation Systems, it also had manufacturer approval from Siemens, which meant that projects could be started and stopped automatically via the SIMATIC Management Console using a jointly developed, official interface. Furthermore, with ondeso SR, the overall process could be almost completely automated. WSUS, on the other hand, enabled a faster installation of the patch.

The implementation of the project started in a plant with 300 OT clients. Within three months, our ondeso consultants from the Professional Services team, in cooperation with the process control engineers, were able to successfully automate the patch process and patch all OT clients. The formerly time-consuming patch process is now clearly structured, sources of errors have been eliminated through automated processes, and the overall duration has been significantly reduced.

The entire process was carried out via an API connection from ondeso SR to the SIMATIC Management Console and the import of the XML file provided by Siemens to describe compatible Microsoft updates.

The patches were downloaded via WSUS and by matching them against the whitelist, only the authorized patches were installed. Patches could be deployed selectively by group or production line, while the secure and automatic start and stop of PCS 7 projects brought real relief to the team. Redundant server pairs could also be patched automatically.

„In addition to the increase in efficiency of around 93 %, our customer also easily complies with manufacturer specifications thanks to the automated application of Siemens release lists,“ says Andreas Decker, OT consultant at ondeso. In addition, clear reports ensure traceability.

„Info about the scanning, distribution and installation duration of patches can now be viewed and evaluated retrospectively over up to two patch processes,“ says Decker. The combination of ondeso SR and WSUS frees the chemical and pharmaceutical group from time-consuming manual patch processes and protects the OT clients from vulnerabilities and cyber attacks.

Sounds Interesting?

Here you can download a summary of this Success Story as a PDF file.