Many organizations are still concerned that patching operational technology (OT) systems can lead to equipment downtime and operational disruptions, and consequently they do not conduct regular patching, according to cyber-physical security firm TXOne Networks.
The data comes from TXOne’s 2024 Annual OT/ICS Cybersecurity Report, which is based on a survey of 150 C-level executives in North America, Europe, the Middle East and Asia.
The survey found that 85% of organizations don’t conduct regular patching. A majority install patches quarterly or less often, which leaves them exposed to attacks for extended periods of time.
This is despite a vast majority experiencing cybersecurity incidents affecting their OT environments in the past year, and 37% of OT security incidents involving exploitation of software vulnerabilities.
When asked about the main challenges to regular OT patching, the most commonly cited reason was the lack of personnel or expertise (48%), followed by concerns about operational disruptions or downtime (47%), and the lack of vendor support or patch testing (43%). In fact, 41% of organizations delay patching until vendor support is available.
Security patches potentially causing significant disruption has long been a concern for industrial organizations, and while cybersecurity firms and vendors have come a long way in helping customers secure their systems, they often still face hesitation.
Save the date: 2025 ICS Cyber Security Conference – October 27-30, Atlanta
Nearly 60% of respondents apply patches during planned downtime or maintenance windows to reduce the risk of operational disruptions, but TXOne pointed out that this can be challenging in organizations with high-efficiency demands.
Many respondents said they test patches in a controlled environment before live deployment (55%), and some rely on phased deployment of patches (44%).
Patches are mainly prioritized based on the criticality of the impacted system (in 61% of cases), followed by patch availability for specific assets (52%), and risk exposure and vulnerability criticality (49%).
Vulnerabilities are prioritized in 55% of cases based on their CVSS score (which can be misleading for ICS) and inclusion in known exploited vulnerability (KEV) databases. Many organizations also rely on Exploit Prediction Scoring System tools (49%) and Time-to-Exploit estimates tools (47%).
Just over half of organizations rely on enhanced monitoring and intrusion detection when patches are not available, and 46% use compensating controls such as network segmentation and system hardening to mitigate the impact of vulnerabilities.
In order to overcome patching-related challenges, TXOne recommends adopting more flexible and collaborative patch management strategies, integrating automation tools, and using virtual patching.
Additional information on OT security threats and trends is available in the full 2024 Annual OT/ICS Cybersecurity Report.
Related: ICS/OT Security Budgets Increasing, but Critical Areas Underfunded: Report
Related: Nine Threat Groups Active in OT Operations in 2024: Dragos