London – In today’s industrial organisations, patching process control system software to remove security vulnerabilities is a regular, ongoing activity fraught with risk.
Installing a patch can cause significant issues, such as a software regression – a bug that causes a feature to stop functioning as intended.
At the same time, there is a potential for the system to become compromised if a patch has not been applied.
The decision whether to patch is governed by the tradeoff between the risk of installing a bad patch and the risk of a penetration, which pits two equally important issues against one another.
Patching a critical system may “break it”, but failing to do so could leave it exposed to a security vulnerability.
In addition to the security risk tradeoff, there is a more pragmatic tradeoff in the use of resources to complete the patching process.
Whether it is mostly automated or done manually, patching takes up a certain amount of your valuable resources’ time, which must be factored into the overall decision on how often to patch.