Industrial devices are less likely to be patched due to expensive downtime, and threat actors have taken notice.