Webinar: Bridging IT–OT Gaps: OT-Led Data Transformation in Action

Register Now
Get In Touch
Get In Touch

Measuring What Matters in ICS Patch Management

In the world of industrial Cyber Security, patching isn’t just about applying updates; it’s about proving control, reducing risk, and maintaining stability. Yet, many OT teams either struggle to define what success looks like or adopt IT-style metrics that simply don’t translate to operational realities.

This article explores a more relevant approach to measuring patching success in ICS and OT environments; one that emphasizes alignment, outcomes, and confidence over speed or volume.

Why IT Metrics Miss the Mark in OT

Metrics like “average time to patch” or “number of patches applied” might make sense in IT environments, but in OT, they can be misleading or even counterproductive.

Patch timelines in OT are influenced by vendor approvals, strict change windows, and the need for thorough validation. What matters more than speed is doing it right, safely, and in alignment with operational constraints.

Similarly, tracking how many assets were patched misses the point if your highest-risk systems remain untouched or if a rushed deployment causes instability.

A More Meaningful Approach to Measurement

Instead of focusing on generic numbers, OT teams benefit more from qualitative indicators that align with operational goals and provide insight into systemic improvement.

Key Questions to Guide Patching Measurement

  • Are we reaching the systems that matter most?
  • Are patches being applied successfully and verified?
  • Are we staying within maintenance and change windows?
  • Are operational teams confident in the patching process?
  • Is risk demonstrably decreasing over time?

Signs of a Healthy ICS Patching Program

Based on Dexcent’s work in high-stakes OT environments, here are several high-value performance signals to look for:

1. Coverage Confidence

How well are patching efforts reaching the intended systems? Instead of counting endpoints, assess the proportion of high-value, risk-prone assets being addressed in each cycle.

2. Technical Stability

Are patches being applied without triggering rollbacks or post-deployment issues? A strong program minimizes disruption while increasing trust in each patch cycle.

3. Planning Predictability

Are patch cycles completed within the planned timeframes? Consistent execution is a key marker of maturity and cross-functional coordination.

4. Post-Patch Validation

How quickly and reliably can systems be returned to a verified operational state? Fast doesn’t matter…what matters is clarity and assurance.

5. Risk Visibility

Can your team show that vulnerabilities are being reduced over time? Even without hard numbers, the ability to track and communicate risk reduction builds credibility and supports compliance.

Dexcent Case Study Snapshots

Bringing Stability to SCADA Patching Operations
A Canadian pipeline operator was struggling to complete patching within designated windows due to competing priorities and complex vendor approval processes. Dexcent implemented a multi-phase cycle that aligned with the operator’s SCADA architecture and vendor certification timelines. Over time, patching became a predictable process, freeing internal teams to focus on operational support while improving audit-readiness.

Delivering Scalable OT Patching Across a North American Pipeline Network
Facing strict regulatory timelines and a massive, distributed asset base, a pipeline operator needed a repeatable, scalable approach to patching. Dexcent worked alongside infrastructure and resiliency teams to establish playbooks, embed validation steps, and coordinate with vendors. The result was a high-confidence program capable of sustaining quarterly cycles across thousands of assets.

Read the full case studies at https://www.dexcent.com/case-studies 

Building a Culture of Continuous Improvement

Rather than obsessing over speed or volume, successful organizations use measurement as a feedback loop to improve coordination, increase control, and demonstrate resilience.

Here’s how to get started:

  • Start Small: Focus on one or two key indicators like success consistency or cycle completion.
  • Focus on Relevance: Measure what reflects operational realities and supports compliance or safety.
  • Communicate Progress: Use visual dashboards or cycle summaries to share performance insights across teams.
  • Use Feedback to Improve: Let performance insights inform planning, team coordination, and vendor engagement.

Final Thought

In ICS environments, patching is as much about confidence as it is about compliance. You don’t need dozens of metrics; you need the right ones, rooted in your systems, people, and regulatory environment.

Dexcent’s ICS Patching-as-a-Service integrates performance tracking into every engagement, helping OT teams not only do the work but prove it’s being done well.

Download the eBook: ICS Patching-as-a-Service – Transforming Risk into Operational Resilience

Andrew Capper

Vice President of Industrial Digital Transformation

Linkedin Envelope
Read Bio

Andrew Capper is Vice President of Industrial Digital Transformation at Dexcent, helping industrial organizations improve data-driven decision-making by optimizing the data journey, reuniting siloed information, and delivering a trustworthy version of the truth.

With more than 25 years of experience, he is known as a results-driven leader who delivers on commitments and tackles complex information management challenges with a practical, human-centric approach. His work spans digital transformation strategy and roadmaps, governance, digital maturity assessments, and performance measurement through clear KPIs and metrics. Andrew is a NAIT graduate with training in Instrumentation Engineering Technology and Security Systems, and he brings a strong focus on safer, more effective operations from data producers through to data consumers

Nader Asgharinia

MP, P.Eng.

Vice President of Enterprise SCADA & Advanced Applications.

Linkedin Envelope
Read Bio

Nader Asgharinia, PMP, P.Eng., is Vice President of Enterprise SCADA & Advanced Applications at Dexcent, leading the delivery of complex, mission-critical solutions with a clear focus on client experience and operational excellence. With more than 30 years in business execution and over 25 years managing multi-million-dollar programs for mission-critical and SCADA systems, he brings a pragmatic, delivery-at-scale approach to every engagement. Nader is recognized for building high-performing teams, driving disciplined portfolio execution, and delivering measurable business outcomes, including significant growth in program portfolios and team capacity over time. He holds a B.Sc.(Hons.) in Electrical and Electronics Engineering from the University of Newcastle-Upon-Type in the UK, a B.Sc. in Computer Science from the University of Calgary, completed Georgetown University’s Director’s Program, is a Professional Engineer in Alberta, and a Project Management Professional.

Gerrit Nel

CISSP, CISM – Vice President of OT Infrastructure and Cyber Security Services

Linkedin Envelope
Read Bio

Tobias (Gerrit) Nel, CISSP, CISM, is Vice President of OT Infrastructure and Cyber Security Services at Dexcent, leading the development and delivery of practical services and solutions that integrate, complement, or replace OT infrastructure and protect OT assets from cyber threats. He is known for building resilient security frameworks, governance processes, and integrated solutions that reduce risk and support compliance across diverse industries. Gerrit has over 40 years of relevant IT/OT experience and has built and delivered highly skilled and high-performance delivery teams. His strengths include Cyber Security roadmaps, security architecture, incident response, and alignment to standards such as IEC 62443, NIST, and NERC CIP. Furthermore, he has deep foundational technical experience in Networking and OT infrastructure systems architectures that he leverages in building and leading successful delivery teams. Gerrit holds a B.Sc. in Computer Science from the University of Johannesburg and brings deep cross-sector experience supporting clients in oil and gas, mining, chemical, healthcare, financial, and government environments.

Jaydeep Deshpande

P.Eng. – President

Linkedin Envelope
Read Bio

Jaydeep Deshpande, P.Eng., is a seasoned and decisive executive with over 25 years of experience driving operational excellence, profitability, and market growth in national and multinational organizations. As President, he is recognized for his strategic leadership, disciplined execution, and ability to lead organizations through change. Jaydeep is passionate about developing people, building strong leadership teams, and fostering a positive, performance-driven culture. His expertise spans strategic planning, business diversification, financial management, and organizational transformation, with a consistent focus on delivering growth-oriented, profitable results. He holds a Bachelor of Chemical Engineering from the University of Alberta, is a Prosci Certified Change Practitioner and Project Management Professional (PMP), and has completed the CMA Accelerated Accounting Program, bringing deep financial and strategic insight to executive decision-making.

Karim Amarshi

Chairman of the Board

Linkedin Envelope
Read Bio

Karim Amarshi is Chair of Dexcent’s Board of Directors, providing governance leadership and strategic oversight to support the company’s long-term strategy and executive team. With nearly 40 years as an entrepreneur and owner-operator, he is recognized for building high-performance organizations and forging strategic alliances across Information Technology, government, health care, education, and energy. He is the former co-owner and Chief Executive Officer of one of Canada’s leading enterprise Information Technology solution providers, where he led the organization through three successful mergers and helped scale long-term client and vendor partnerships. Karim remains active across a diverse business portfolio, serving as a founding principal, officer, and advisor to organizations spanning Information Technology, hospitality, manufacturing, retail, and real estate in Canada and internationally.

Yasmin Jivraj

FCIPS, I.S.P. | Board Member

Linkedin Envelope
Read Bio

Yasmin Jivraj, FCIPS, I.S.P., is a Board Member at Dexcent, providing executive guidance and strategic oversight to support corporate management and long-term business direction. Over a 35-year career, she has held senior leadership roles across private, public, and non-profit organizations, with a track record of building operating foundations and driving profitable growth. Following a 15-year tenure as a co-owner and President of one of Canada’s leading strategic Information Technology solution providers, she expanded her governance leadership through active board service in post-secondary education and community-focused organizations. She is recognized for decisive, purpose-led leadership, clear communication, and deep expertise in technology, business models, and methodologies that help enterprise organizations advance digital transformation.

Nadir Jivraj

CEO, Board Member

Linkedin Envelope
Read Bio

As Chief Executive Officer, Nadir is accountable for providing overall leadership and Dexcent’s Industrial operational performance. Nadir has been involved as an executive sponsor with Oil & Gas and Mining companies for over 35 years, and through the years has developed a strong working relationship with the Executive leadership team of many Fortune 500 companies.

Nadir is known for recognizing value and superior investment opportunities in the technology services sector. His pursuit of highly prospective technology companies around the world has resulted in numerous company start-ups. Prior to starting Dexcent, Nadir had led companies through highly profitable business transactions, including the merger of Atlas Systems Group with CompCanada (later renamed Acrodex) in 2000 and later as Chairman of the Board of Axcend Pvt – an engineering solutions provider – based in Bangalore, India from 2004 – 2014. Acrodex and Axcend were sold in 2015