Patching
Applying software updates to fix known vulnerabilities. Standard practice in IT environments but frequently impractical in IoT, OT, and IoMT due to vendor restrictions, uptime requirements, and unsupported devices.
What is Patching?
Patching is the application of software updates provided by vendors to fix known security vulnerabilities, functional bugs, and performance issues. In IT environments, patching is the primary vulnerability remediation mechanism: automated patch management pipelines can push updates to thousands of endpoints within days of vendor release. For managed IT infrastructure, consistent, timely patching is the single most impactful vulnerability management activity.
In IoT, OT, and IoMT environments, the same process is rarely possible. Medical device firmware updates must come from the manufacturer as validated update packages (the manufacturer, not the hospital, is responsible for verifying the change under FDA quality system requirements), and availability after a vulnerability disclosure typically lags by 6–18 months. Industrial control systems may require vendor certification that a firmware update won't affect process stability, adding months to the patching cycle. Devices running operating systems that no longer receive vendor patches cannot be patched at all, regardless of vulnerability severity, and many device vendors prohibit the owner from applying OS-level patches themselves because doing so invalidates the device's certification or support.
The implication is that patching must be supplemented with compensating controls for the majority of the connected device estate in regulated environments. Vulnerability management programs that measure success by "patch rate" are measuring the wrong metric for IoT and OT — the relevant metric is risk reduction, which may be achieved through segmentation, access control, and monitoring even when patching is impossible. A patched IT asset and an isolated, monitored IoT device with compensating controls may represent equivalent actual risk.
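The triage described above, as an added example that is not ORDR's code or from the original page: each asset is routed to a patch path or a compensating-control path, and the program's "patch rate" is computed next to a risk-reduction figure so the gap between the two metrics is visible. The inventory, device names, CVSS values and the per-control effectiveness weights are constructed assumptions for illustration only.

```python
"""Triage of vulnerable assets into a patch path or a compensating-control path,
with two program metrics computed side by side: raw patch rate and risk reduction.
Added example; not ORDR code. Inventory and control weights are constructed."""
from dataclasses import dataclass, field

# Assumed fraction of exposure each compensating control removes. These are
# illustrative weights for the example, not measured effectiveness data.
CONTROL_WEIGHTS = {
    "segmentation": 0.6,        # device reachable only from an allowed VLAN/zone
    "access_restriction": 0.3,  # allow-list of peer hosts and ports
    "monitoring": 0.2,          # does not block, but shortens attacker dwell time
}


@dataclass
class Asset:
    name: str
    category: str            # "IT", "IoT", "OT" or "IoMT"
    cvss: float              # base score of the worst open vulnerability
    patch_available: bool    # vendor has released a fix
    vendor_supported: bool   # device/OS still receives vendor patches
    downtime_allowed: bool   # device may be taken offline to apply an update
    controls: list = field(default_factory=list)  # compensating controls in place


def remediation_path(a: Asset) -> str:
    """'patch' only when a fix exists, the vendor still supports the device and
    an update window exists; otherwise the asset goes down the compensating path."""
    if a.patch_available and a.vendor_supported and a.downtime_allowed:
        return "patch"
    return "compensate"


def residual_risk(a: Asset) -> float:
    """Exposure (0..1) left after remediation. A patched asset is taken as 0;
    an unpatched one keeps cvss/10 scaled down by the controls in place."""
    if remediation_path(a) == "patch":
        return 0.0
    remaining = 1.0
    for control in a.controls:
        remaining *= 1.0 - CONTROL_WEIGHTS.get(control, 0.0)  # unknown control: no credit
    return round(a.cvss / 10.0 * remaining, 3)


def plan(assets):
    """One (name, path, action, residual) row per asset, flagging the ones that
    are unpatchable and have no controls assigned."""
    rows = []
    for a in assets:
        path = remediation_path(a)
        if path == "patch":
            action = "open ITSM patch ticket"
        elif a.controls:
            action = "apply compensating controls: " + ", ".join(a.controls)
        else:
            action = "UNMITIGATED: unpatchable and no compensating controls assigned"
        rows.append((a.name, path, action, residual_risk(a)))
    return rows


def metrics(assets):
    """Patch rate counts only assets on the patch path; risk reduction credits
    compensating controls as well."""
    patched = sum(1 for a in assets if remediation_path(a) == "patch")
    initial = sum(a.cvss / 10.0 for a in assets)
    residual = sum(residual_risk(a) for a in assets)
    return {
        "patch_rate": round(patched / len(assets), 2),
        "risk_reduction": round(1.0 - residual / initial, 2),
    }


# Constructed inventory for the example (hypothetical device names and scores).
INVENTORY = [
    Asset("file-server-01", "IT", 9.8, True, True, True),
    Asset("infusion-pump-07", "IoMT", 9.8, False, True, False,
          ["segmentation", "access_restriction", "monitoring"]),
    Asset("plc-line-3", "OT", 7.5, True, True, False,   # fix exists, no outage window
          ["segmentation", "monitoring"]),
    Asset("badge-reader-12", "IoT", 6.5, False, False, True),  # EOL, nothing applied yet
]

if __name__ == "__main__":
    for name, path, action, residual in plan(INVENTORY):
        print(f"{name:18} {path:10} residual={residual:<6} {action}")
    print(metrics(INVENTORY))
```

With this inventory only one asset in four can be patched, so the patch rate is 25%, while the risk-reduction figure is roughly two thirds once the segmented and monitored devices are credited. The badge reader is the case a patch-rate dashboard hides: end-of-life, no fix, and no controls assigned, which the plan surfaces as UNMITIGATED rather than folding into an average. The PLC shows the other common case: a vendor fix exists but cannot be applied without an outage window, so it is routed to controls rather than counted as "patchable".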
Key Facts
- Microsoft Patch Tuesday releases average 80–100 patches per month for Windows environments
- Mean time to patch critical vulnerabilities across enterprises is 16–60 days, while public exploitation of some newly disclosed vulnerabilities begins within hours of disclosure
- Over 70% of IoT and OT devices cannot be patched on standard IT timelines
- Compensating controls reduce exploitability risk by 60–80% for devices that cannot be patched
How ORDR Addresses Patching
ORDR identifies which devices in the environment have patchable vulnerabilities versus those where patches are unavailable or impractical. For patchable assets, ORDR integrates with ITSM platforms to create prioritized patch tickets. For unpatchable assets, ORDR recommends and automates compensating controls — segmentation, enhanced monitoring, access restriction — that reduce risk without requiring a device update.