Security teams trained to focus on physical safety are prone to downplay (or outright miss) growing digital-age risks. Patching of mission-critical systems can t just be switched off to apply security updates so patching can take weeks if not years. Critical infrastructure systems are interconnected by design, making it difficult to isolate effects of a service disruption or system update. Some of the most dangerous cyber-threats take advantage of known vulnerabilities in known vulnerabilities, such as WannaCry.
Source: https://threatpost.com/secure-critical-infrastructure-when-patching-isnt-possible/149987/