Report: Suboptimal OT patching practices prevail

Eighty-five percent of organizations have not regularly patched operational technology systems, with most only applying remediations quarterly at most, even though more than a third of OT cybersecurity incidents stemmed from software flaw abuse, according to SecurityWeek.

Inadequate personnel or expertise, operational disruption concerns, and lacking vendor support or patch testing were cited by surveyed C-level executives in North America, Europe, the Middle East, and Asia as the primary hindrances to regular OT patching, a report from TXOne Networks showed.

Operational interruption worries have prompted almost 60% to implement patches during scheduled downtimes, which TXOne noted could be difficult for high-efficiency entities.

Additional findings revealed that patch prioritization was mainly based on the importance of affected systems, fix availability, and flaw criticality, while severity scores, Exploit Prediction Scoring System, and Time-to-Exploit estimates have been leveraged to categorize vulnerabilities.

Meanwhile, enhanced monitoring and threat detection systems were only leveraged by over 50% of organizations in the absence of software fixes, noted researchers, who recommended the adoption of virtual patching, automation tools, and collaborative patch management to better defend OT systems.