Patch management is the structured process of identifying, evaluating, testing, approving, deploying and verifying software updates to reduce cybersecurity vulnerabilities while maintaining the safety, reliability and availability of Industrial Automation and Control Systems (IACS).
Unlike traditional IT systems, patching in Operational Technology (OT) cannot simply be automated or applied immediately after release. Every patch has the potential to change system behaviour, impact deterministic control, interrupt production or affect safety functions.
For this reason, ISA/IEC 62443 treats patch management as a formal risk management process rather than simply an IT maintenance activity.
Industrial control systems often operate continuously for years with minimal downtime.
Many systems contain:
This creates an environment where vulnerabilities can remain exploitable for many years.
Modern cyber attacks frequently target known vulnerabilities that already have vendor patches available. If patches are not applied appropriately, organisations remain vulnerable to attacks that are publicly documented.
Effective patch management reduces:
One of the key messages from ISA/IEC 62443 is that effective patch management is a shared responsibility.
No single organisation can secure an industrial control system alone.
Successful patch management requires cooperation between:
Every stakeholder has an active role throughout the lifecycle.
The ISA training emphasises that coordinated patch management ensures:
Software vendors continuously discover security flaws. Without patching, these weaknesses remain exposed to attackers.
Many cyber attacks do not rely on new techniques. Older malware often continues to infect systems because organisations fail to install patches for vulnerabilities that have existed for many years.
Examples include:
Many industrial incidents occurred because systems remained unpatched long after updates were available.
Industrial assets commonly remain in service for:
During that period hundreds of security vulnerabilities may be discovered. Patch management allows these assets to remain secure without requiring complete replacement.
Unlike IT systems, industrial environments must balance cybersecurity with operational continuity.
Many plants operate:
Shutdowns may only occur:
This significantly limits patching opportunities.
A software update may unintentionally alter:
A poorly tested patch could create greater operational risk than the original vulnerability.
Many industrial devices:
Compensating controls may be required instead of patching.
Many industrial applications are only supported using specific operating system versions. Installing operating system updates before vendor approval may invalidate support agreements.
Industrial patch management requires:
It is significantly more resource intensive than desktop IT patching.
Every patch represents a system modification. Therefore every deployment should be managed under the organisation's:
This ensures risks are assessed before implementation.
Patch management is not simply an engineering activity. It is an organisational risk management process.
ISA recommends organisations:
Demonstrate:
Management should understand:
Cybersecurity investment should be based on business risk rather than technical preference.
Every decision should evaluate:
Risk of NOT patching versus Risk of applying the patch.
Neither option is automatically correct. The objective is selecting the option that produces the lowest overall operational risk.
ISA/IEC 62443 defines a structured lifecycle for industrial patch management consisting of five major phases.
Before any patching activity, organisations should understand their environment.
Activities include:
Without an accurate asset inventory, effective patch management is impossible.
Continuously monitor for:
Determine:
Conduct a formal risk assessment before making a deployment decision.
Industrial patches should never be installed directly into production.
Testing should include:
Confirm:
Understand:
Develop documented installation instructions.
Confirm:
Develop rollback plans before deployment. Every patch should have an exit strategy.
Where patching cannot occur immediately, implement compensating controls such as:
After approval:
Deployment should occur according to established Management of Change procedures.
Following deployment, verify:
Complete:
These five stages form a continuous lifecycle of Information Gathering → Monitoring & Evaluation → Patch Testing → Patch Deployment → Verification & Reporting.
ISA/IEC 62443 recommends prioritising patches according to organisational risk rather than applying all updates immediately.
Example guidance:
| Priority | Typical Installation Target |
|---|---|
| High | Within 1 week |
| Medium | Within 3 months |
| Low | Within 2 years or next planned outage |
| None | Do not install |
These are reference values only.
Organisations should establish their own patch deployment timelines based upon:
Patch deployment should always align with the organisation's change management process and should generally avoid installation during unplanned outages unless necessary.
ISA/IEC 62443 also defines responsibilities for equipment manufacturers and service providers.
Suppliers should maintain processes for identifying vulnerabilities through:
Each vulnerability should be analysed for:
Suppliers should:
Where immediate patching is not possible, suppliers should recommend compensating controls.
Updates should be:
Suppliers should provide:
Asset owners require this information to make informed risk decisions.
Successful organisations typically:
Patch management is a fundamental component of the IACS Security Program and supports the continuous improvement model promoted throughout the ISA/IEC 62443 series.
Relevant standards include:
| Standard | Purpose |
|---|---|
| ISA/IEC 62443-2-1 | Security Program requirements for IACS asset owners |
| ISA/IEC 62443-2-3 | Patch Management in the IACS Environment |
| ISA/IEC 62443-2-4 | Requirements for IACS service providers |
| ISA/IEC 62443-3-3 | System security requirements that may necessitate ongoing patch management |
| ISA/IEC 62443-4-1 | Secure development lifecycle for product suppliers |
| ISA/IEC 62443-4-2 | Technical security requirements for IACS components |
Primary Standards
Related Guidance