← Home

Patch Management in Industrial Automation and Control Systems (IACS)

Patch management is the structured process of identifying, evaluating, testing, approving, deploying and verifying software updates to reduce cybersecurity vulnerabilities while maintaining the safety, reliability and availability of Industrial Automation and Control Systems (IACS).

Unlike traditional IT systems, patching in Operational Technology (OT) cannot simply be automated or applied immediately after release. Every patch has the potential to change system behaviour, impact deterministic control, interrupt production or affect safety functions.

For this reason, ISA/IEC 62443 treats patch management as a formal risk management process rather than simply an IT maintenance activity.

IEC62443 Patch Management
Figure – The ISA/IEC 62443-2-3 patch management lifecycle: Information Gathering, Monitoring & Evaluation, Patch Testing, Patch Deployment, and Verification & Reporting.

Why Patch Management Matters

Industrial control systems often operate continuously for years with minimal downtime.

Many systems contain:

This creates an environment where vulnerabilities can remain exploitable for many years.

Modern cyber attacks frequently target known vulnerabilities that already have vendor patches available. If patches are not applied appropriately, organisations remain vulnerable to attacks that are publicly documented.

Effective patch management reduces:


Patch Management is NOT a Spectator Sport

One of the key messages from ISA/IEC 62443 is that effective patch management is a shared responsibility.

No single organisation can secure an industrial control system alone.

Successful patch management requires cooperation between:

Every stakeholder has an active role throughout the lifecycle.

The ISA training emphasises that coordinated patch management ensures:


Importance of Patch Management

Reduces Known Vulnerabilities

Software vendors continuously discover security flaws. Without patching, these weaknesses remain exposed to attackers.

Protects Against Known Malware

Many cyber attacks do not rely on new techniques. Older malware often continues to infect systems because organisations fail to install patches for vulnerabilities that have existed for many years.

Examples include:

Many industrial incidents occurred because systems remained unpatched long after updates were available.

Maintains Security Throughout the Asset Lifecycle

Industrial assets commonly remain in service for:

During that period hundreds of security vulnerabilities may be discovered. Patch management allows these assets to remain secure without requiring complete replacement.


Challenges of Patch Management in IACS

Unlike IT systems, industrial environments must balance cybersecurity with operational continuity.

Continuous Operation

Many plants operate:

Shutdowns may only occur:

This significantly limits patching opportunities.

Safety Risks

A software update may unintentionally alter:

A poorly tested patch could create greater operational risk than the original vulnerability.

Legacy Systems

Many industrial devices:

Compensating controls may be required instead of patching.

Vendor Certification

Many industrial applications are only supported using specific operating system versions. Installing operating system updates before vendor approval may invalidate support agreements.

Resource Intensive

Industrial patch management requires:

It is significantly more resource intensive than desktop IT patching.

Change Management

Every patch represents a system modification. Therefore every deployment should be managed under the organisation's:

This ensures risks are assessed before implementation.


Patch Management as a Business Imperative

Patch management is not simply an engineering activity. It is an organisational risk management process.

ISA recommends organisations:

Develop the Business Case

Demonstrate:

Educate Decision Makers

Management should understand:

Cybersecurity investment should be based on business risk rather than technical preference.

Treat Patching as Risk Management

Every decision should evaluate:

Risk of NOT patching versus Risk of applying the patch.

Neither option is automatically correct. The objective is selecting the option that produces the lowest overall operational risk.


The Patch Management Lifecycle (ISA/IEC 62443-2-3)

ISA/IEC 62443 defines a structured lifecycle for industrial patch management consisting of five major phases.

1. Information Gathering

Before any patching activity, organisations should understand their environment.

Activities include:

Without an accurate asset inventory, effective patch management is impossible.

2. Monitoring and Evaluation

Continuously monitor for:

Determine:

Conduct a formal risk assessment before making a deployment decision.

3. Patch Testing

Industrial patches should never be installed directly into production.

Testing should include:

File Authenticity

Confirm:

Review Changes

Understand:

Installation Procedure

Develop documented installation instructions.

Qualification and Verification

Confirm:

Removal Procedure

Develop rollback plans before deployment. Every patch should have an exit strategy.

Risk Mitigation

Where patching cannot occur immediately, implement compensating controls such as:

4. Patch Deployment

After approval:

Deployment should occur according to established Management of Change procedures.

5. Verification and Reporting

Following deployment, verify:

Complete:

These five stages form a continuous lifecycle of Information Gathering → Monitoring & Evaluation → Patch Testing → Patch Deployment → Verification & Reporting.


Risk-Based Patch Prioritisation

ISA/IEC 62443 recommends prioritising patches according to organisational risk rather than applying all updates immediately.

Example guidance:

Priority Typical Installation Target
High Within 1 week
Medium Within 3 months
Low Within 2 years or next planned outage
None Do not install

These are reference values only.

Organisations should establish their own patch deployment timelines based upon:

Patch deployment should always align with the organisation's change management process and should generally avoid installation during unplanned outages unless necessary.


Product Supplier Requirements

ISA/IEC 62443 also defines responsibilities for equipment manufacturers and service providers.

Vulnerability Discovery

Suppliers should maintain processes for identifying vulnerabilities through:

Each vulnerability should be analysed for:

Development, Verification and Validation

Suppliers should:

Where immediate patching is not possible, suppliers should recommend compensating controls.

Secure Distribution

Updates should be:

Communication

Suppliers should provide:

Asset owners require this information to make informed risk decisions.


Best Practices for Industrial Patch Management

Successful organisations typically:


Relationship to ISA/IEC 62443

Patch management is a fundamental component of the IACS Security Program and supports the continuous improvement model promoted throughout the ISA/IEC 62443 series.

Relevant standards include:

Standard Purpose
ISA/IEC 62443-2-1 Security Program requirements for IACS asset owners
ISA/IEC 62443-2-3 Patch Management in the IACS Environment
ISA/IEC 62443-2-4 Requirements for IACS service providers
ISA/IEC 62443-3-3 System security requirements that may necessitate ongoing patch management
ISA/IEC 62443-4-1 Secure development lifecycle for product suppliers
ISA/IEC 62443-4-2 Technical security requirements for IACS components

Key Takeaways


Standards Reference

Primary Standards

Related Guidance

AEBOK Standards Reference: Refer to ISA/IEC 62443-2-3 for the formal patch management lifecycle, risk-based prioritisation guidance, and product supplier requirements that underpin industrial patch management in IACS environments.