October 27, 2025
Patching devices in power grids is especially challenging because updates often require system shutdowns—windows of opportunity that are hard to schedule in a continuously operating network. Operators must coordinate with grid control authorities to obtain approval, and even then may only patch segments in stages to avoid disrupting supply. As a result, multiple firmware versions often coexist in one facility, complicating consistency and management of security measures.
Another major obstacle lies in the complexity and risk of firmware updates in OT devices. Each component has dozens or hundreds of configuration parameters, meaning changes that seem benign can trigger unforeseen failures. Testing must bridge simulated environments and live systems, which demands time and specialized resources. On top of that, manually collecting, analyzing, and matching security advisories to specific field assets is labor-intensive, expensive, and often error-prone—making holistic vulnerability management in critical infrastructures a substantial technical and operational burden.
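The matching step described above, automated over a small inventory, as an added example that is not part of the original article. The asset names, models, advisory IDs and the "fixed in" advisory format are constructed placeholders, and a simple dotted numeric firmware version scheme is assumed.

```python
from collections import defaultdict

# Constructed sample data; asset names, models and advisory IDs are placeholders.
INVENTORY = [
    {"asset": "relay-01", "vendor": "ExampleCo", "model": "PR-100", "firmware": "2.4.1", "segment": "substation-A"},
    {"asset": "relay-02", "vendor": "ExampleCo", "model": "PR-100", "firmware": "2.6.0", "segment": "substation-A"},
    {"asset": "relay-07", "vendor": "ExampleCo", "model": "PR-100", "firmware": "2.10.0", "segment": "substation-B"},
    {"asset": "rtu-03", "vendor": "ExampleCo", "model": "RT-20", "firmware": "1.9", "segment": "substation-B"},
    {"asset": "rtu-04", "vendor": "ExampleCo", "model": "RT-20", "firmware": "unknown", "segment": "substation-B"},
]
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "vendor": "ExampleCo", "model": "PR-100", "fixed_in": "2.6.0"},
    {"id": "ADV-EXAMPLE-002", "vendor": "ExampleCo", "model": "RT-20", "fixed_in": "1.10"},
]

def parse_version(text):
    """Return a tuple of ints so 1.10 sorts after 1.9, or None if not numeric."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None

def match_advisories(inventory, advisories):
    """Group affected assets by grid segment; unparseable versions go to review."""
    affected, review = defaultdict(list), []
    for adv in advisories:
        fixed = parse_version(adv["fixed_in"])
        for dev in inventory:
            if (dev["vendor"], dev["model"]) != (adv["vendor"], adv["model"]):
                continue
            current = parse_version(dev["firmware"])
            if current is None:
                # Never treat an unknown version as "not affected".
                review.append((dev["asset"], adv["id"]))
            elif current < fixed:
                affected[dev["segment"]].append((dev["asset"], adv["id"], dev["firmware"]))
    return dict(affected), review

if __name__ == "__main__":
    affected, review = match_advisories(INVENTORY, ADVISORIES)
    for segment, hits in sorted(affected.items()):
        print(segment, hits)
    print("manual review:", review)
```

Grouping by segment mirrors the staged patching the article describes, and the review list keeps devices with unreadable firmware strings visible instead of silently dropping them.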