IEC 62443-2-3 Patch Management in the IACS Environment
ISA/IEC TR 62443-2-3 gives guidance for building a patch management programme in an
Industrial Automation and Control System (IACS) environment. It sits in the series under
Policies & Procedures and is aimed at anyone designing or running IACS patch
processes — typically asset owners working with product suppliers and service providers.
Patch management here is the structured cycle of finding, evaluating, testing,
approving, deploying and verifying software updates so known vulnerabilities shrink — without
sacrificing safety, reliability or availability.
Teaching note: Content below paraphrases ISA training material on IACS patch
management (aligned to TR 62443-2-3, including Annex B / Annex C themes) for learning. Always
refer to the published technical report for normative or project wording.
Figure – The ISA/IEC 62443-2-3 patch management lifecycle: Information Gathering, Monitoring
& Evaluation, Patch Testing, Patch Deployment, and Verification & Reporting.
Learning objectives
Explain how IACS patching counters malware and known-vulnerability exploitation.
Identify asset-owner responsibilities across the patch lifecycle.
Identify product-supplier and service-provider expectations for vulnerability handling, updates and communication.
Why IACS patching is hard — and still essential
Plants often run continuous processes with infrequent outages, long equipment life, vendor-certified
software stacks and safety-related systems. That leaves years of known weaknesses exposed if
updates never land. Attackers weaponise newly published vulnerabilities quickly, and older
malware still succeeds on unpatched hosts.
At the same time every patch is a change. Changes can affect safety, reliability,
certification and performance. Deployment therefore belongs inside change and configuration
management — not as an ad-hoc IT push.
Patching is resource-heavy: skilled people, representative test beds, careful documentation and
scarce maintenance windows. Coordinated effort keeps systems secure and functional.
Patch management is not a spectator sport
No single party can secure an industrial system alone. Effective IACS patching is a
shared responsibility — asset owners, integrators, maintainers and product
suppliers (plus the service providers and IT/OT teams that support them) all have active roles.
Coordination is what makes patches tested properly, downtime limited, and the plant both secure
and operable.
A business imperative (risk management, not only tech)
Reference: Themes from ISA-TR62443-2-3, Annex B
Build the business case — operational, financial and cybersecurity benefits of a managed patch programme.
Educate decision makers — executives and IT/OT leaders need to see why patching reduces exposure and protects integrity.
Treat patching as risk management — part of the organisation’s broader risk strategy, not a standalone technical chore.
Weigh risks versus benefits — structured assessment of whether security/reliability gains outweigh operational risk, cost and downtime.
Asset owner requirements — the five lifecycle stages
Reference: ISA-TR62443-2-3, Figure B.1 (as taught in patch-management training)
Asset-owner work spans five continuous stages. Under Information Gathering, owners also
assess the existing environment, categorise and classify assets,
maintain inventory, manage supplier relationships and understand
supportability.
Stage
Typical activities
1. Information gathering
Assess the live environment; inventory assets; classify criticality; map suppliers and supportability.
2. Monitoring & evaluation
Monitor and identify patches; decide applicability; run risk assessment; make the install / defer / reject decision.
3. Patch testing
Confirm file authenticity; review change content; define install and removal procedures; qualify and verify behaviour; plan risk mitigation / compensating controls.
4. Patch deployment
Notify stakeholders; prepare systems; schedule windows; deploy via change control.
5. Verification & reporting
Verify success and side-effects; complete training and documentation.
Teaching point: Industrial patches should not go straight into production. Testing
covers authenticity, impact review, install/rollback procedures and qualification that control,
comms, HMI and safety behaviour remain acceptable. Where install must wait, compensate
(segmentation, tighter filtering, monitoring, reduced attack surface).
Once the IACS vendor has approved a patch, organisations often use a risk-based
target window. The table is a reference pattern for building plant-specific guidelines — not a
universal SLA.
Priority
Example target after vendor approval
High
Within 1 week
Medium (default)
Within 3 months
Low
Within 2 years or the next available outage
None
Never install
Align deployment with internal change management — approval cycles can lengthen real calendars.
Prefer planned windows. Applying patches during an unplanned outage can add risk when the plant is already degraded.
Product supplier / service provider requirements
Reference: ISA-TR62443-2-3, Annex C themes
The product supplier should have a policy covering patch management for its own
product and vulnerabilities in software the product depends on.
Defined frequency for discovery / identification work.
Analysis of exposure, end-user impact, root cause and change complexity.
Development, verification and validation
Create and validate a mitigation for each relevant vulnerability.
Provide compensating controls asset owners can use to shrink the attack surface when updates are slow or impractical.
Distribution of cybersecurity updates
Make updates available over a secure channel within a reasonable timeframe.
Point to patch sources for third-party software embedded in the product.
Account for enterprise update mechanisms (for example WSUS) and evolving OS vendor release patterns (traditional “Patch Tuesday” plus out-of-band releases).
Communication and outreach
Make the patch management policy available to the asset owner.
Address asset-owner communications in supplier patch documentation.
Provide timely technical assistance and clear paths to report suspected attacks or vulnerabilities.
Communicate lifecycle / support status to asset owners and system integrators.
Relationship within the 62443 series
Document
How it connects
TR 62443-2-3
Primary guidance for IACS patch management programmes.