OT/ICS Security Interview Questions

The IT security team wants to implement their standard monthly patch cycle on your manufacturing plant's control systems. They propose scheduling automatic Windows updates for Sunday at 2 AM "when no one is working." As the OT security engineer, how do you respond to this proposal and what alternative approach do you recommend?

You're procuring a new PLC system from a vendor. The vendor claims the equipment is "secure by design" but when you ask for specifics, they can't point to any certification. Your procurement team asks what security requirements you should include in the RFP to ensure you're getting properly secured equipment. How do you specify vendor security requirements using industry standards?

Your ICS-CERT contacts you saying they've seen indicators of PIPEDREAM/INCONTROLLER malware targeting industrial environments similar to yours. They share IOCs including file hashes and network indicators. How do you assess your exposure and respond to this threat intelligence?