The likelihood of cyber-attacks against information systems and related production control systems has increased. In order to lower the risk of cyber-attacks, OS makers release timely security updates. However, the amount of time that is available for applying patches is limited on production control systems and the possibility of side effects is a concern. Therefore, we focused on the patch application cycle and the period of pretest, and proposed optimal OS measures for production control systems. We presented the method for quantifying the risk of cyber-attacks on production control systems due to security patches not being applied and for expressing the risk as a monetary amount. This method was also proposed for deriving the patch application cycle, the number of applications, and the optimum test duration. We concluded that this method help to understand the patch management and related security measure and to protect production control systems from cyber-attacks.
