← R.CAUDLE · Riverman The OT Stability Doctrine Rev 01 · 2026.05.11

Doctrine · OT firmware · Change management

The OT Stability Doctrine

Why "if it ain't broke, don't fix it" is professional excellence.

In Operational Technology, firmware stability isn't a compromise — it's a core operational requirement. In OT, change is risk. Stability is security.

This isn't laziness or technological ignorance. It is the accumulated wisdom of keeping critical infrastructure running 24/7/365 for decades.

Originated by River Caudle

§ The Numbers

IT cadence vs. OT cadence.

DimensionTraditional ITOT Reality
Patch frequencyMonthly or moreAnnually or less; planned outages only
Firmware updatesQuarterly to annuallyOnly when operationally necessary
Hardware refresh3–5 years15–25 years typical
Downtime toleranceHours to daysZero
Testing methodology"Deploy to dev, then prod"Months of validation before any production change

§ Why OT Firmware Stays Static

Four reasons. None of them are laziness.

1 · Validated configurations are sacred

When a system configuration has been tested, validated, and proven stable in production, changing it requires extraordinary justification. Every firmware update represents weeks-to-months of compatibility testing, risk of new bugs, disruption to proven procedures, and revalidation of all connected systems.

2 · Downtime costs are catastrophic

  • Automotive manufacturing — $22,000 per minute of downtime
  • Oil & gas production — $100,000+ per hour of unplanned outage
  • Pharmaceutical batch loss — millions in destroyed product
  • Utility disruption — public safety and regulatory penalties

3 · Interoperability is complex

OT environments include equipment from dozens of vendors, systems installed across multiple decades, proprietary protocols and interfaces, custom integrations and modifications. A single firmware change can cascade through these interdependencies in unpredictable ways.

4 · "Security" updates can reduce security

New firmware may change communication patterns; updates can break existing security monitoring; changed behaviors may bypass safety systems; untested code is inherently less secure than proven code.

§ The Professional Approach

What proper OT firmware management actually is.

Comprehensive change control

  • Business justification for any update
  • Full impact analysis across all systems
  • Rollback procedures and testing
  • Documentation of all changes and rationales

Lifecycle planning

  • Firmware versions matched to equipment lifecycle
  • Spare parts inventory includes matching firmware
  • Knowledge retention for legacy versions
  • Vendor support agreements for extended lifecycles

Risk-based decision making

  • Updates only when risk of not updating exceeds risk of change
  • Operational requirements always supersede IT policies
  • Production stability is the primary metric
  • Safety implications override all other considerations

§ Common IT Misconceptions

What IT keeps getting wrong about OT.

The myth

  • "Old firmware is insecure"
  • "Regular updates prevent problems"
  • "Vendors stop supporting old versions"
  • "New features justify updates"

The reality

  • Tested, proven firmware with known behaviors is often more secure than new code with unknown vulnerabilities
  • In OT, updates often create problems. The most stable system is one that hasn't changed
  • OT vendors understand lifecycle requirements. Many support versions for 15+ years
  • If the system meets operational requirements, new features are unnecessary risks

§ Case Study

The real cost of forced updates.

A major automotive manufacturer had a stable controls network running for eight years without issues. IT policies mandated quarterly firmware updates.

  • Year 1 — three production outages, $2.4M in downtime
  • Year 2 — compatibility issues forced hardware replacement, $8M cost
  • Year 3 — return to OT-managed firmware policy
  • Years 4–10 — zero firmware-related outages

The lesson. The "cost" of running old firmware was $0. The cost of updating it was $10.4M.

§ Implementation Guidelines

For operators, vendors, and IT/OT teams.

For OT operators

  1. Document current firmware versions and why they were chosen
  2. Establish clear criteria for when updates are justified
  3. Maintain vendor relationships that respect stability requirements
  4. Train IT partners on OT operational requirements
  5. Create and enforce firmware management policies

For technology vendors

  1. Design products for 15+ year lifecycles
  2. Never force updates through artificial means
  3. Maintain compatibility with ancient protocols
  4. Price support realistically for long lifecycles
  5. Respect that stability is a feature customers pay for

For IT/OT convergence

  1. Establish separate policies for IT and OT systems
  2. Recognize that OT stability requirements aren't negotiable
  3. Design security controls that don't require frequent changes
  4. Accept that OT and IT have different, valid approaches
  5. Focus on outcomes (uptime, safety) not compliance checkboxes

§ Key Takeaways

Five takeaways.

  1. Stability IS security in OT environments.
  2. Firmware updates must be justified by operational need, not vendor schedules.
  3. Professional OT management means knowing when NOT to change things.
  4. Vendors must support old versions as a core business requirement.
  5. IT and OT require different approaches — both are valid in their domains.

"In IT, you update to prevent problems. In OT, updates often ARE the problem. Understanding this difference is the beginning of OT wisdom."

The OT Stability Doctrine · originated by River Caudle Used under the Riverman Fair License v2.0

The OT Stability Doctrine · River Caudle · MMXXVI