We do not apply security patches. It is not necessary, since our industrial network is completely isolated; we rely on the ‘air gap’ to protect our systems, and anyway most manufacturers do not publish security updates. On the other hand, sometimes a software upgrade also involves a hardware change, so budgetary constraints do not permit such updates.
Well, it depends on the manufacturer, the device and the technician responsible for the update. We do not actually have it documented, but we use different methods, such as direct download of patches from the manufacturer’s website (which does not publish a signed hash of the file for verification after download, or, when it does, we do not check it anyway). Sometimes, to save time, we even download the patches from home, where bandwidth is higher than in the office. We copy them onto our USB drive and connect it to the industrial systems network, which is completely isolated from the IT network. You know, the famous ‘air gap’. Other times, it is a partner or the manufacturer who comes with their own USB drive or laptop and connects it directly to our industrial network to apply updates or perform some other maintenance task.
In our organization we have documented and secure processes for carrying out updates of all our industrial systems. We have different systems to be informed whenever a new vulnerability is discovered that could affect our systems. A comparative analysis of the risks of upgrading versus leaving the systems unpatched is performed, so the risk owner can set the criteria used for deciding whether to patch and within what time frame it should be done. Once we have decided that a patch should be applied, we obtain it from a secure source, verifying its integrity and authenticity; we deploy it in our test environments to verify that the update will not compromise the functionality or security of the systems; and only after this, and under our strict control and supervision, is the update deployed in production within the time limit set by the risk owner.
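The integrity and authenticity check described in the last answer (and skipped in the second one) is the step a practitioner would want to see spelled out. The following is an added example, not code from the original page: it assumes a hypothetical manifest format in which the vendor publishes the SHA-256 of the patch together with an Ed25519 signature over that hash, and a vendor public key that was pinned on the isolated network out of band. The Manifest type, publishManifest, VerifyPatch and Scenario are names chosen for the example, and the patch payload is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest stands in for what a vendor would publish alongside a patch:
// the SHA-256 of the file and an Ed25519 signature over that hash.
// (Hypothetical format chosen for this example; real vendors use
// PGP-signed checksum files, CMS/Authenticode, etc.)
type Manifest struct {
	SHA256    string // lowercase hex digest of the patch file
	Signature []byte // Ed25519 signature over the hex string
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("downloaded file does not match the signed hash")
)

// publishManifest is the vendor side: hash the patch and sign the hash.
func publishManifest(vendorPriv ed25519.PrivateKey, patch []byte) Manifest {
	sum := sha256.Sum256(patch)
	hexSum := hex.EncodeToString(sum[:])
	return Manifest{SHA256: hexSum, Signature: ed25519.Sign(vendorPriv, []byte(hexSum))}
}

// VerifyPatch is the check that belongs on the isolated network before a patch
// is deployed. vendorPub must have been pinned out of band (vendor documentation,
// a previous trusted install), never fetched together with the patch: a manifest
// whose key arrives on the same USB stick proves nothing.
func VerifyPatch(vendorPub ed25519.PublicKey, patch []byte, m Manifest) error {
	// Authenticity: was this manifest signed by the key we trust?
	if !ed25519.Verify(vendorPub, []byte(m.SHA256), m.Signature) {
		return ErrBadSignature
	}
	// Integrity: does the file we are about to install match the hash the vendor signed?
	sum := sha256.Sum256(patch)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(m.SHA256)) != 1 {
		return ErrHashMismatch
	}
	return nil
}

// Scenario runs three cases and returns the verification result of each:
// a genuine patch, a patch altered between download and the USB stick, and a
// patch re-signed by someone who is not the vendor. All inputs are constructed.
func Scenario() (genuine, tampered, forged error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	patch := []byte("PLC-firmware-v2.3.1 (constructed sample payload)")
	m := publishManifest(vendorPriv, patch)

	// 1. Untouched file with the vendor's own manifest.
	genuine = VerifyPatch(vendorPub, patch, m)

	// 2. Same manifest, but one byte of the file was changed in transit.
	altered := append([]byte{}, patch...)
	altered[len(altered)-1] ^= 0x01
	tampered = VerifyPatch(vendorPub, altered, m)

	// 3. Attacker ships a self-consistent file plus manifest signed with their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged = VerifyPatch(vendorPub, altered, publishManifest(attackerPriv, altered))
	return
}

func main() {
	genuine, tampered, forged := Scenario()
	fmt.Println("genuine :", genuine)
	fmt.Println("tampered:", tampered)
	fmt.Println("forged  :", forged)
}
```

The order of the two checks matters: the signature is verified first so that a hash in an unsigned or forged manifest is never trusted, and the comparison of the hash uses the pinned key's manifest rather than anything that travelled with the file. Checking only the hash, as the second answer implies, catches accidental corruption but not a file and checksum that were both replaced on the download path.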