Patching security vulnerabilities in industrial control systems (ICS) is useless in most cases and actively harmful in others. The answer boils down to threat modeling.
Securing industrial control systems
Attacking legacy ICS infrastructure is expensive and time-consuming, limiting threat actors to nation-states and organized crime.
Worsening attacks on ICS
In the beginning, there was Stuxnet. The US-Israeli malware took out the targeted Iranian centrifuges, but collateral damage put the sabotage-ware front and center in the news as the world’s first known nation-state attacks against industrial control systems. Other nations have since followed suit.
Getting better threat intel
Private industry has better threat intel than the intelligence community. The focus on intrusion analysis has led the private sector to be able to produce intelligence reports that rival and, in many cases, far exceed similar reporting in classified government settings. Simply stated, the best place to collect data relevant to cyber threats is in the networks of the targeted companies.