Cyber security | 20 November 2025

OT Patch Management: How to Secure Systems You Can’t Patch

Published by Suzanne Campbell

Many OT teams are still running systems that can’t be patched, and attackers know it. If you’re working with legacy assets, it’s critical to know how to secure them without relying on updates.

Everyone talks about OT patch management, but what happens when you can’t? In industrial environments, it’s not always as simple as applying an update and moving on. Many legacy systems are still in use because they work, they’re too expensive to replace, or they’re tied into processes that can’t be taken offline without major disruption. Some devices weren’t designed with patching in mind, and in other cases, updates need vendor approval or come with the risk of system failure.

The result is that a lot of organisations are left with ageing, vulnerable assets that can’t be patched, even when the risks are known. And while IT teams can temporarily mitigate issues with updates or endpoint tools, OT environments don’t always have that flexibility.

So if patching isn’t an option, what does security look like instead? In many environments, OT patch management becomes less about updates and more about managing risk in other ways.

Why OT patch management often isn’t realistic

In theory, applying patches should reduce risk and keep systems secure. In OT environments, the reality is very different. Updates are often delayed, restricted or avoided altogether for several reasons:

1. Legacy equipment still in use

Many industrial control systems were never designed with patching in mind. Some are decades old, run on outdated operating systems, or aren’t supported by the original vendor anymore. Even identifying what can be patched is a challenge.

2. Downtime isn’t an option

Unlike IT, OT systems often run 24/7. Stopping production to apply an update can lead to financial loss, service disruption or safety concerns. Even a short outage might not be acceptable.

3. Vendor dependencies and certification issues

In a lot of cases, you can’t apply a patch without the vendor approving or providing it. Some vendors only test patches occasionally, and others require engineering visits or revalidation before anything can be changed.

4. Safety and regulatory constraints

Any change to a live control system can affect compliance, quality or operational safety. Patching might introduce new unknowns, especially in highly regulated sectors like energy or oil and gas.

5. Remote or hard-to-reach assets

Some OT devices sit across different sites, offshore platforms or remote facilities. Applying patches to every device isn’t always practical.

These factors mean that many organisations operate with unpatched systems for years. That doesn’t remove the risk; it just shifts the focus onto what else can be done.

The risks of relying on unpatched systems

These challenges show how difficult OT patch management becomes when vulnerabilities can’t be fixed directly. When OT assets can’t be patched, the vulnerabilities remain in place and can be exploited for years. That creates several risks organisations can’t ignore:

1. Open doors for attackers

Unpatched systems are often the easiest entry point for ransomware, malware or targeted attacks. Once inside, attackers can move across networks, disrupt processes or access critical data.

2. Increased impact of zero-day threats

If a vulnerability becomes public and there’s no available patch, systems stay exposed with no direct fix. That leaves organisations dependent on compensating controls.

3. Business and operational disruption

A compromised PLC, SCADA server or engineering workstation can bring production to a halt. In sectors like manufacturing, energy and utilities, even a short interruption has serious consequences.

4. Compliance and regulatory pressure

Regulators increasingly expect organisations to show how risks are being managed, even when patching isn’t possible. Lack of visibility or control over ageing assets becomes a security and audit issue.

5. Third-party and supply chain exposure

If a vulnerability sits in a legacy system managed by a vendor, there’s limited control, but the organisation still carries the risk.

Leaving systems unpatched isn’t a passive decision. It creates an ongoing security gap that needs to be actively managed in other ways.

What organisations can do when patching isn’t possible

When OT patch management isn’t possible, compensating controls become essential. If updates can’t be applied, the focus has to shift from fixing vulnerabilities to limiting their impact. That means putting the right controls, processes and backups in place to reduce risk and improve resilience.

Here are some of the most effective steps:

1. Track versions and configuration changes

Without visibility of what’s running where, it’s impossible to manage vulnerabilities. Keeping accurate records of software versions, firmware and configuration changes helps teams understand their exposure and respond faster.

2. Maintain secure backups and recovery options

If a legacy asset becomes compromised or fails, the ability to quickly restore the previous configuration is essential. Controlled, up-to-date backups reduce downtime and avoid guesswork.

3. Monitor and document changes to critical systems

When multiple engineers or vendors access OT assets, small changes can introduce new weaknesses. A structured change management process helps prevent unauthorised updates and supports accountability.

4. Control who has access (and what they can change)

Limiting access to critical systems reduces the chance of accidental or malicious activity. Role-based access, authentication and audit trails help protect systems that can’t be patched.

5. Use compensating controls and segmentation

If a vulnerability can’t be fixed, it can still be contained. Network segregation, firewalls, monitoring and stricter access policies make it harder for attackers to move laterally.
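The segmentation point above is easier to act on when the allowed paths between zones are written down and every observed flow is checked against them. The following Python script is an added example, not code from this article or from Asset Guardian: it models three zones (enterprise, OT DMZ, control) with a small set of approved conduits and evaluates constructed flow records against them, so that an enterprise host reaching a PLC directly, a DMZ host using a service that was never approved, or an address that belongs to no known zone each produces a finding. Zone names, address ranges, ports and the flow records are all assumptions made for the example.

```python
"""Zone-and-conduit check over flow records for a segmented OT network.

Added example, not Asset Guardian code. Zone names, address ranges, approved
ports and the flow records are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone model: enterprise traffic must stop in the DMZ, and only
# DMZ systems may reach the control zone.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.0.20.0/24"),
    "control": ipaddress.ip_network("10.0.10.0/24"),
}

# Approved conduits as (source zone, destination zone, destination port).
# Anything not listed here is treated as a finding.
APPROVED_CONDUITS: Set[Tuple[str, str, int]] = {
    ("enterprise", "ot_dmz", 443),   # users reach the DMZ historian mirror
    ("ot_dmz", "control", 502),      # DMZ collector polls PLCs over Modbus/TCP
    ("control", "control", 502),     # PLC-to-PLC exchange inside the zone
}


def zone_of(ip_text: str) -> Optional[str]:
    """Return the zone an address belongs to, or None if it is unassigned."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate_flow(record: str) -> Optional[dict]:
    """Check one 'timestamp src dst dport proto' record against the conduit
    policy. Returns a finding dict, or None when the flow is approved."""
    ts, src, dst, dport, proto = record.split()
    port = int(dport)
    s_zone, d_zone = zone_of(src), zone_of(dst)
    base = {"time": ts, "src": src, "dst": dst, "port": port, "proto": proto}
    if s_zone is None or d_zone is None:
        # An address outside every zone is itself a finding: either the
        # asset inventory or the zone model is incomplete.
        return {**base, "issue": "unknown_zone"}
    if (s_zone, d_zone, port) in APPROVED_CONDUITS:
        return None
    issue = "unapproved_conduit" if s_zone != d_zone else "unapproved_service"
    return {**base, "from": s_zone, "to": d_zone, "issue": issue}


def evaluate_flows(records: List[str]) -> List[dict]:
    """Evaluate a batch of records, skipping blank lines."""
    findings = []
    for rec in records:
        if rec.strip():
            finding = evaluate_flow(rec)
            if finding:
                findings.append(finding)
    return findings


# Constructed flow records, as a firewall or flow collector might export them.
SAMPLE_FLOWS = [
    "2025-11-20T08:00:01Z 10.1.5.23 10.0.20.10 443 TCP",    # approved conduit
    "2025-11-20T08:00:05Z 10.0.20.10 10.0.10.5 502 TCP",    # approved conduit
    "2025-11-20T08:01:10Z 10.1.5.23 10.0.10.5 502 TCP",     # enterprise host straight to a PLC
    "2025-11-20T08:02:00Z 10.0.20.10 10.0.10.5 22 TCP",     # DMZ to PLC on an unapproved port
    "2025-11-20T08:03:30Z 10.0.10.7 10.0.10.5 80 TCP",      # same zone, service not approved
    "2025-11-20T08:04:00Z 192.168.99.4 10.0.10.5 502 TCP",  # source not in any zone
]


def demo_findings() -> List[dict]:
    """Run the policy over the constructed records."""
    return evaluate_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    for f in demo_findings():
        print(f["time"], f["src"], "->", f["dst"], f["port"], f["issue"])
```

Run on the constructed records it reports four findings and stays silent on the two approved flows. The same structure works with real exports once the zone table and conduit set reflect the site's own design; the unknown_zone finding is deliberately kept, because an address that belongs to no documented zone usually points at an asset that is missing from the inventory.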

6. Keep documentation centralised and up to date

Legacy environments are often complex, with limited vendor support. Accurate documentation helps teams troubleshoot faster, assess risk and plan improvements.

These measures don’t replace patching, but they make unpatched systems safer to run, and much easier to recover if something goes wrong.
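Steps 1 to 3 above (tracking versions, keeping verified backups, and detecting undocumented changes) share one mechanism: record an approved baseline for each asset and compare what is actually running against it. The Python script below is an added example, not code from this article or from Asset Guardian. It keeps a small inventory with firmware version and vendor support date, fingerprints each approved configuration, and reports configuration drift, missing exports, lapsed or unknown vendor support, and backups whose hash no longer matches. Asset names, versions, dates and configuration text are constructed for the example; the fingerprint normalises line endings and trailing whitespace so that a re-export of an unchanged configuration is not mistaken for a change.

```python
"""Version inventory, configuration-drift and backup-integrity check for
assets that cannot be patched.

Added example, not Asset Guardian code. Asset names, firmware versions,
support dates and configuration text are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    asset_id: str                    # constructed device name
    site: str
    firmware: str                    # version as recorded in the inventory
    supported_until: Optional[date]  # vendor end of support; None if unknown
    baseline_sha256: str             # fingerprint of the approved configuration


def config_fingerprint(config_text: str) -> str:
    """Hash a configuration export after normalising line endings and
    trailing whitespace, so a re-export of an unchanged configuration is
    not reported as drift."""
    lines = [ln.rstrip() for ln in config_text.replace("\r\n", "\n").split("\n")]
    canonical = "\n".join(lines).strip() + "\n"
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def register_baseline(asset_id: str, site: str, firmware: str,
                      supported_until: Optional[date], approved_config: str) -> Asset:
    """Record an asset together with the fingerprint of its approved configuration."""
    return Asset(asset_id, site, firmware, supported_until,
                 config_fingerprint(approved_config))


def assess(assets: List[Asset], live_configs: Dict[str, str], today: date) -> List[dict]:
    """Compare live configuration exports with the approved baselines and
    flag assets whose vendor support is unknown or has ended."""
    findings = []
    for a in assets:
        live = live_configs.get(a.asset_id)
        if live is None:
            findings.append({"asset": a.asset_id, "issue": "no_live_config"})
        elif config_fingerprint(live) != a.baseline_sha256:
            findings.append({"asset": a.asset_id, "issue": "config_drift"})
        if a.supported_until is None:
            findings.append({"asset": a.asset_id, "issue": "support_unknown"})
        elif a.supported_until < today:
            findings.append({"asset": a.asset_id, "issue": "vendor_support_ended"})
    return findings


def verify_backup(backup_bytes: bytes, expected_sha256: str) -> bool:
    """A backup is only worth keeping if it still matches the hash recorded
    when it was taken."""
    return hashlib.sha256(backup_bytes).hexdigest() == expected_sha256


# --- Constructed sample data ---
APPROVED_PLC_CFG = "ip=10.0.10.5\nmask=255.255.255.0\nremote_programming=off\n"
APPROVED_HMI_CFG = "ip=10.0.10.20\nhistorian=10.0.20.3\n"

INVENTORY = [
    register_baseline("plc-line1", "Plant A", "FW 2.3.1", date(2019, 6, 30), APPROVED_PLC_CFG),
    register_baseline("hmi-line1", "Plant A", "HMI 5.0", date(2027, 1, 1), APPROVED_HMI_CFG),
    register_baseline("rtu-remote7", "Offshore 7", "RTU 1.8", None, "ip=10.0.30.9\n"),
]

# Later exports: the PLC now permits remote programming (a real change, plus
# CRLF line endings), the HMI export differs only in trailing whitespace, and
# no export was obtained from the remote RTU at all.
LIVE_EXPORTS = {
    "plc-line1": "ip=10.0.10.5\r\nmask=255.255.255.0\r\nremote_programming=on\r\n",
    "hmi-line1": "ip=10.0.10.20\nhistorian=10.0.20.3   \n",
}

ASSESSMENT_DATE = date(2025, 11, 20)
SAMPLE_BACKUP = b"<constructed PLC project archive>"
SAMPLE_BACKUP_SHA256 = hashlib.sha256(SAMPLE_BACKUP).hexdigest()


def demo_findings() -> List[dict]:
    """Assess the constructed inventory against the constructed exports."""
    return assess(INVENTORY, LIVE_EXPORTS, ASSESSMENT_DATE)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f['asset']}: {f['issue']}")
    print("backup intact:", verify_backup(SAMPLE_BACKUP, SAMPLE_BACKUP_SHA256))
```

On the sample data the PLC is reported twice (its configuration drifted and its vendor support ended in 2019), the remote RTU is reported for a missing export and an unknown support date, and the HMI produces nothing because only whitespace changed. In practice the baselines would be updated only through the change process in step 3, so every drift finding is either an approved change that was not recorded or a change nobody approved.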

Building resilience beyond patching

If patching isn’t an option, organisations need a parallel strategy that reduces the risk of attack and speeds up recovery. This is a critical part of OT patch management for ageing or unsupported systems. That means treating unpatched systems as part of an active risk plan, not a forgotten problem.

  • Plan for failure, not perfection - Instead of assuming systems will stay secure, teams should plan for how they’ll respond if a vulnerability is exploited. This reduces downtime and stops incidents escalating.
  • Test recovery processes - Backups and configuration files are only useful if they work when needed. Regular testing helps prove that systems can be restored quickly and accurately.
  • Hold vendors accountable - If a system relies on third-party support, there should be clarity over who is responsible for updates, documentation and emergency fixes.
  • Manage lifecycle and obsolescence - Ageing assets can’t run forever. Mapping out replacement timelines and identifying high-risk systems early helps avoid sudden failures and unsupported environments.
  • Strengthen visibility across sites and teams - Industrial networks often span multiple locations, contractors and suppliers. Centralising oversight of configurations, access and changes helps catch issues before they turn into incidents.

Resilience doesn’t mean eliminating every vulnerability; it means being prepared to respond, restore and recover when you can’t remove the risk entirely.

Making Unpatchable Systems Safer to Run

Patching will always be part of good security practice, but in OT environments, it isn’t always realistic. Legacy systems, vendor restrictions, safety risks and operational uptime all get in the way. That doesn’t mean the risk disappears; it just has to be managed differently.

When patching isn’t an option, the focus shifts to visibility, control and recovery. Being able to track configurations, monitor changes, restrict access and restore systems quickly makes a significant difference when vulnerabilities can’t be fixed directly. It also helps organisations demonstrate accountability to regulators, insurers and stakeholders.

The goal isn’t to remove every gap, but to make unpatched systems safer to run and easier to recover. Those with the right processes and tools in place are far better prepared to deal with the risks that come with ageing OT assets.

If patching isn’t possible, the right controls still are: see how Asset Guardian helps protect ageing OT systems.

Ready to get started? Discover Asset Guardian