Patching SCADA and PLC vulnerabilities
The time vendors need to fix a vulnerability, test the patch and release it
is very long: a publicly disclosed 0-day may stay unpatched for several months.
The situation is similar for vulnerabilities reported directly to the vendor
(coordinated disclosure).
PDF: Securing ICS Applications When Vendors Refuse Or Are Slow To Produce a Security Patch
Sometimes there is not even a patch: the vendor only releases a
"recommendation" to limit the usage of, and the network access to,
the vulnerable component!
Sometimes customers do not apply the patches at all, either because they
are not aware of the issue or because they want to avoid downtime and the
risk of problems after patching... if it works, why take the risk?