Share this post
The Numbers Have Changed
The numbers around OT patch management have changed faster than most industrial organizations have responded. In 2025, CISA published 508 ICS advisories covering more than 2,100 vulnerabilities, the highest volume ever recorded and the first time the agency has exceeded 500 in a single year. More than 80% were rated as either high or critical severity. And according to ENISA's Threat Landscape 2025, which analyzed nearly 4,900 incidents, OT-targeted threats now represent 18.2% of all identified threat categories. The same report notes that critical vulnerabilities are being weaponized within days of disclosure.
This is not a stable situation being managed. It is a threat environment that has materially changed while the industrial sector's patch posture has not.
The Workaround That Became the Strategy
When OT teams can't patch quickly (and most struggle to), the standard response has been compensating controls: enhanced monitoring, network segmentation, virtual patching, intrusion detection. These measures exist specifically to reduce the blast radius of unaddressed vulnerabilities. They are, by design, a substitute for patching.
The security industry has been largely comfortable with this trade-off. The logic is sound in isolation: OT systems are complex, change control is strict, vendor support for patches is inconsistent, and a failed update on a production line is a worse outcome than a delayed one. Virtual patching in particular, that is, deploying a temporary barrier at the network layer without touching the underlying software, has become a standard recommendation precisely because it avoids the operational risk of direct remediation.
The problem is not that compensating controls are wrong. They are a reasonable response to a structural constraint. The problem is that the structural constraint has been accepted as permanent rather than addressed.
According to TXOne Networks' 2024 OT/ICS Cybersecurity Survey of 150 global C-level executives, 85% of organizations do not conduct regular patching in their OT environments. Most apply patches quarterly or less. In the oil and gas sector, 10% have stopped patching altogether.
The compensating control strategy was developed for an environment where a known vulnerability might sit in the wild for months before active exploitation. That environment no longer exists in the same way. Rapid7's 2026 Global Threat Landscape Report documents mean time-to-exploit dropping to 28.5 days. At 61 days the previous year, this dramatic acceleration is driven by AI-assisted exploit development and a maturing cybercrime ecosystem that moves from disclosure to weaponization faster than most organizations can respond.
Verizon's Data Breach Investigations Report, the benchmark IT security teams use to measure themselves, puts the median time to patch at 32 days. That is already four days behind the exploitation window. OT organizations that patch quarterly are not behind by four days, but by months, every cycle.
The compensating controls have not kept pace. The threat environment has.
Why OT Teams Can't Just Patch Faster
The reflex response is to ask why OT organizations don't simply improve their patch cadence. But that misreads the root cause.
Patching an OT device is not a routine operation. In most industrial environments, each patch event involves vendor coordination to verify compatibility, a maintenance window negotiated around production schedules, manual device-level validation, and no automated rollback path if something goes wrong. A failed patch that disrupts a production line or sensor integration is not a helpdesk ticket. It is an operational incident with real consequences, making extreme caution in OT rational.
The result is that patching is not a workflow as much as a project. Every device, every site, every update cycle is managed individually because the infrastructure does not exist to treat the fleet as a single addressable object. There is no centralized view of what software version is running where. There is no mechanism to deploy and verify a patch across hundreds of devices from a single interface. There is no atomic rollback. The management plane was never built for it.
This is not organizational reluctance. It is an architectural gap. Faster patching is not possible the way most OT estates are managed. Not because the teams lack commitment, but because the tooling does not support it at scale.
Compensating controls filled the space that management infrastructure was never built to occupy. They are not a security strategy. They are the residue of an architectural problem that has not been solved.
What Solving It Actually Requires
The organizations that have closed the gap have not done so by running harder patch programs or adding more monitoring layers. They have changed the underlying architecture.
A management plane designed for OT fleet operations, rather than one adapted from IT tooling, does several things that compensating controls cannot: it maintains a live, queryable inventory of software versions across the estate; it deploys and verifies updates fleet-wide from a single interface rather than device by device; it provides rollback as a standard operation rather than an emergency procedure; and it generates audit-ready evidence of patch status as a byproduct of normal operations rather than a pre-audit assembly exercise.
These capabilities change the economics of patching in a way that compensating controls do not. When rollback is automated and verified, the risk calculation shifts. When deployment is fleet-wide rather than per-device, the cost drops. When version state is live rather than assembled from spreadsheets and commissioning records, CVE response is a matter of querying existing data rather than manually cross-referencing an inventory that may be months out of date.
Portainer's industrial edge management platform is built for this architectural model: outbound-only agent connectivity, fleet-level deployment and rollback, and a self-hosted control plane that operates in air-gapped environments without cloud dependency. For legacy OT devices that cannot run containers natively, a gateway pattern provides a path into centralized management without requiring hardware replacement.
The regulatory context adds urgency to this timeline. NIS2 audits are underway across EU member states. The EU Cyber Resilience Act's reporting obligations take effect in September 2026. IEC 62443 is already embedded as a procurement requirement across much of the industrial supply chain. These frameworks do not ask whether organizations have compensating controls. They ask whether organizations can demonstrate patch coverage across their estate and produce evidence of it on demand.
Compensating controls do not produce that evidence. A management plane built for fleet operations does.
The Covered Organization
Patch management as a project (planned, expensive, infrequent) cannot keep pace with the current threat environment. The organizations that are genuinely covered, operationally and from a compliance standpoint, are not the ones running the most sophisticated workarounds. They are the ones who built the infrastructure to make patching a continuous, documented, reversible operation rather than a quarterly project.
The compensating controls were never the answer. They were what organizations built while waiting for the architecture to catch up.
For most OT estates, that wait has gone on long enough.
.png)