← Home

IEC 62443-2-3 Patch Management in the IACS Environment

ISA/IEC TR 62443-2-3 gives guidance for building a patch management programme in an Industrial Automation and Control System (IACS) environment. It sits in the series under Policies & Procedures and is aimed at anyone designing or running IACS patch processes — typically asset owners working with product suppliers and service providers.

Patch management here is the structured cycle of finding, evaluating, testing, approving, deploying and verifying software updates so known vulnerabilities shrink — without sacrificing safety, reliability or availability.

Teaching note: Content below paraphrases ISA training material on IACS patch management (aligned to TR 62443-2-3, including Annex B / Annex C themes) for learning. Always refer to the published technical report for normative or project wording.

Reference: ISA/IEC TR 62443-2-3 — Patch management in the IACS environment
Related: IEC 62443-2-1 Security Program (2024) | IEC 62443-2-1 CSMS (2010) | IEC 62443-4-1 Product Security Lifecycle

IEC 62443-2-3 Patch Management lifecycle
Figure – The ISA/IEC 62443-2-3 patch management lifecycle: Information Gathering, Monitoring & Evaluation, Patch Testing, Patch Deployment, and Verification & Reporting.

Learning objectives


Why IACS patching is hard — and still essential

Plants often run continuous processes with infrequent outages, long equipment life, vendor-certified software stacks and safety-related systems. That leaves years of known weaknesses exposed if updates never land. Attackers weaponise newly published vulnerabilities quickly, and older malware still succeeds on unpatched hosts.

At the same time every patch is a change. Changes can affect safety, reliability, certification and performance. Deployment therefore belongs inside change and configuration management — not as an ad-hoc IT push.

Patching is resource-heavy: skilled people, representative test beds, careful documentation and scarce maintenance windows. Coordinated effort keeps systems secure and functional.


Patch management is not a spectator sport

No single party can secure an industrial system alone. Effective IACS patching is a shared responsibility — asset owners, integrators, maintainers and product suppliers (plus the service providers and IT/OT teams that support them) all have active roles.

Coordination is what makes patches tested properly, downtime limited, and the plant both secure and operable.


A business imperative (risk management, not only tech)

Reference: Themes from ISA-TR62443-2-3, Annex B


Asset owner requirements — the five lifecycle stages

Reference: ISA-TR62443-2-3, Figure B.1 (as taught in patch-management training)

Asset-owner work spans five continuous stages. Under Information Gathering, owners also assess the existing environment, categorise and classify assets, maintain inventory, manage supplier relationships and understand supportability.

Stage Typical activities
1. Information gathering Assess the live environment; inventory assets; classify criticality; map suppliers and supportability.
2. Monitoring & evaluation Monitor and identify patches; decide applicability; run risk assessment; make the install / defer / reject decision.
3. Patch testing Confirm file authenticity; review change content; define install and removal procedures; qualify and verify behaviour; plan risk mitigation / compensating controls.
4. Patch deployment Notify stakeholders; prepare systems; schedule windows; deploy via change control.
5. Verification & reporting Verify success and side-effects; complete training and documentation.
Teaching point: Industrial patches should not go straight into production. Testing covers authenticity, impact review, install/rollback procedures and qualification that control, comms, HMI and safety behaviour remain acceptable. Where install must wait, compensate (segmentation, tighter filtering, monitoring, reduced attack surface).

Installation timeframes after vendor approval

Reference: ISA-TR62443-2-3, Figure B.5 (reference guidance)

Once the IACS vendor has approved a patch, organisations often use a risk-based target window. The table is a reference pattern for building plant-specific guidelines — not a universal SLA.

Priority Example target after vendor approval
High Within 1 week
Medium (default) Within 3 months
Low Within 2 years or the next available outage
None Never install

Product supplier / service provider requirements

Reference: ISA-TR62443-2-3, Annex C themes

The product supplier should have a policy covering patch management for its own product and vulnerabilities in software the product depends on.

Discovery of vulnerabilities

Development, verification and validation

Distribution of cybersecurity updates

Communication and outreach


Relationship within the 62443 series

Document How it connects
TR 62443-2-3 Primary guidance for IACS patch management programmes.
62443-2-1 Asset-owner Security Program — patching supports ongoing SP / CSMS discipline.
62443-2-4 Service-provider security programme requirements for integration and maintenance work.
62443-4-1 / 4-2 Secure development and component capabilities that make quality updates possible.
62443-3-3 System requirements that often assume sustained vulnerability handling in operation.

Key takeaways


Standards reference