What is one reason why IACS systems are highly vulnerable to attack?

ISA/IEC 62443 highlights that many IACS environments operate with long lifecycles and strict availability requirements, which often results in delayed or infrequent patching.

Step 1: Legacy systems and uptime constraints

IACS components may run for decades without replacement. Applying patches can introduce operational and safety risks, so updates are often postponed.

Step 2: Accumulated vulnerabilities

Unpatched systems accumulate known vulnerabilities that attackers can exploit using publicly available tools.

Step 3: Why other options are incorrect

IACS systems are no longer isolated. They do require patches, and they rarely run the latest updates.

Therefore, unpatched software is a major vulnerability factor.