Industrial Control Systems Under Siege: The ICS Vulnerability Crisis

Industrial control systems used to live in air-gapped networks, protected by physical isolation. That era is over. In 2025, ICS vulnerabilities hit record highs with over 500 security advisories published for the first time since tracking began, according to Forescout's latest research. The average severity climbed above 8.0 on the CVSS scale. For operators of critical infrastructure, the question isn't if they'll be targeted, but when.

The Numbers Tell the Story

2025 saw 2,155 CVEs published across 508 ICS advisories. Compare that to 2011 when records began: 103 CVEs across 67 advisories. That's a 20x increase in raw vulnerability count. But volume isn't the only problem. The average CVSS score jumped from 6.44 in 2010 to above 8.0 in the past two years. Higher severity, more frequency, broader attack surface.

The most affected asset types break down along the Purdue Model:

  • Level 1 devices: Field controllers, RTUs, PLCs, and IEDs. These are the components that physically control industrial processes.
  • Level 3 operations systems: MES, PLM, EMS. The management layer that coordinates production.
  • Level 2 control systems: DCS, SCADA, BMS. The supervisory layer that monitors and controls industrial operations.
  • Industrial network infrastructure: Routers, switches, firewalls designed for OT environments.

Critical manufacturing and energy topped the list of affected industries. Transportation jumped three places to third. Healthcare moved up four places to fourth. The sectors that underpin modern society are the most exposed.

The CISA Gap

There's a growing visibility problem. CISA's ICS-CERT has been the authoritative source for industrial vulnerability intelligence since 2010. But according to the open source ICS advisory project, only 22% of vulnerabilities in 2025 had an associated ICSA published by CISA. That's down from 58% in 2024 and 40% in 2023.

In January 2023, CISA stopped publishing updates for Siemens products entirely, redirecting users to Siemens' ProductCERT instead. The problem has expanded beyond Siemens. In 2025, 134 vendors had vulnerabilities without associated ICSAs. That's 78% of ICS risk that doesn't show up in CISA's official advisory feed.

Vulnerabilities without ICSAs aren't minor issues. 61% carried high or critical severity ratings. They affected the same industries as CISA-tracked vulnerabilities: manufacturing and energy. The difference is that most organizations rely on CISA as their primary ICS threat intelligence source. If a vulnerability doesn't get an ICSA, it's invisible to many defenders.

Why ICS is Different

Traditional IT security doesn't map to operational technology. IT systems prioritize confidentiality first. OT systems prioritize availability and safety. You can't just patch a running process control system the way you patch a server. Downtime in OT environments means production loss, supply chain disruption, or in worst cases, physical danger.

The convergence of IT and OT has expanded the attack surface without expanding the security posture to match. Legacy systems designed for air-gapped networks now connect to enterprise networks, cloud platforms, and remote access tools. Each connection is a potential entry point.

Adversaries know this. Dragos' 2026 OT Cybersecurity Report notes that threat groups are advancing through the ICS Cyber Kill Chain at different speeds. Some focus on initial access. Others have reached Stage 2, conducting reconnaissance and testing inside OT environments to understand control loops and position for future manipulation of industrial processes.

Poland's energy sector attack in December 2025 compromised industrial control systems directly. Cyble reported 5,967 ransomware attacks globally in 2025, many targeting critical infrastructure. Claroty estimates 12% of OT devices carry known exploitable vulnerabilities. The gap between threat and defense continues to widen.

What Defenders Can Do

Visibility is the foundation. You can't secure what you don't see. Asset discovery in OT environments requires passive monitoring that doesn't interfere with operational processes. Tools built for IT networks often create noise or compatibility issues in OT. Purpose-built OT security platforms can identify devices, map network topology, and track communication patterns without disrupting operations.

Vulnerability management in OT requires a different approach than IT. Patching windows are measured in quarters, not days. Compensating controls matter more. Network segmentation isolates critical systems. Monitoring for anomalous behavior catches what signatures miss. Threat intelligence that understands OT attack patterns helps prioritize which vulnerabilities actually matter in your environment.

The CISA gap means defenders need multiple intelligence sources. Vendor advisories, open source projects like the ICS advisory project, commercial threat intelligence feeds, and sector-specific ISACs all contribute pieces of the puzzle. CybrPulse aggregates and correlates threat data across sources, surfacing what's relevant to your specific industrial environment before it becomes a headline.
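To make the multi-source argument concrete, here is an added example (not CybrPulse or ICS Advisory Project code) that merges advisory records from a CISA ICSA feed, a vendor PSIRT feed and an open-source project, reports how much of the combined picture a CISA-only consumer would see, and lists the high/critical CVEs that consumer would miss. All feeds, CVE ids and the record layout are constructed placeholders, not real advisory data.

```python
"""Correlate ICS vulnerability records from several advisory sources.

Added example for this article, not CybrPulse or ICS Advisory Project code.
All feeds below are constructed sample data with placeholder CVE ids; the
record layout (cve, cvss, vendor) is an assumption, not any real feed format.
"""

# Constructed sample feeds (placeholder ids, not real advisories).
CISA_ICSA = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "vendor": "VendorA"},
]
VENDOR_PSIRT = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "vendor": "VendorA"},
    {"cve": "CVE-0000-0002", "cvss": 8.1, "vendor": "VendorB"},  # no ICSA
]
OPEN_SOURCE_PROJECT = [
    {"cve": "CVE-0000-0002", "cvss": 8.1, "vendor": "VendorB"},
    {"cve": "CVE-0000-0003", "cvss": 5.3, "vendor": "VendorC"},  # no ICSA, medium
    {"cve": "CVE-0000-0004", "cvss": 7.5, "vendor": "VendorD"},  # no ICSA
]
FEEDS = {"cisa": CISA_ICSA, "vendor": VENDOR_PSIRT, "oss": OPEN_SOURCE_PROJECT}


def merge_feeds(feeds):
    """Deduplicate by CVE id and remember which sources reported each one."""
    merged = {}
    for name, records in feeds.items():
        for rec in records:
            entry = merged.setdefault(
                rec["cve"], {"cvss": 0.0, "vendor": rec["vendor"], "sources": set()})
            entry["cvss"] = max(entry["cvss"], rec["cvss"])  # keep highest score seen
            entry["sources"].add(name)
    return merged


def icsa_coverage(merged):
    """Fraction of all known CVEs that CISA published an ICSA for."""
    if not merged:
        return 0.0
    covered = sum(1 for e in merged.values() if "cisa" in e["sources"])
    return covered / len(merged)


def blind_spots(merged, min_cvss=7.0):
    """High/critical CVEs a CISA-only consumer never sees, worst first."""
    gaps = [(cve, e) for cve, e in merged.items()
            if "cisa" not in e["sources"] and e["cvss"] >= min_cvss]
    return [cve for cve, _ in sorted(gaps, key=lambda kv: -kv[1]["cvss"])]


if __name__ == "__main__":
    m = merge_feeds(FEEDS)
    print(f"ICSA coverage: {icsa_coverage(m):.0%}")
    print("Unseen high/critical:", blind_spots(m))
```

Swapping the constructed feeds for real exports is the only change needed to run the same coverage check against your own sources.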

Regulatory pressure is increasing. The SEC's cybersecurity disclosure rules apply to publicly traded companies operating critical infrastructure. European NIS2 requirements mandate specific OT security measures. Cyber insurance underwriters are asking harder questions about ICS security posture. Compliance is table stakes, not a security strategy, but it's driving budget and executive attention toward the problem.

The Path Forward

The ICS vulnerability crisis isn't slowing down. Digital transformation in industrial environments accelerates attack surface expansion. Legacy systems built for 20+ year lifespans connect to networks designed for rapid iteration. The skills gap in OT security continues to widen as experienced engineers retire and new threats emerge faster than training can keep pace.

What's needed is a combination of regulatory pressure, industry collaboration, and vendor accountability. Patch timelines need transparency. Vulnerability disclosure needs standardization across vendors. Asset owners need dedicated resources for OT vulnerability management, not just IT security teams asked to cover one more area.

Proactive security beats reactive fixes. That means threat modeling industrial environments, not just enterprise networks. It means security by design in new OT deployments, not bolted-on solutions for legacy systems. It means treating OT security as a safety issue, not just a compliance checkbox.

The data is clear: ICS vulnerabilities are increasing in volume and severity. Visibility gaps are growing. Adversaries are positioning for impact beyond data theft. The organizations that treat this as a strategic risk, not a technical problem, are the ones that will maintain operational resilience when the next wave of attacks hits.

CybrPulse tracks ICS threats alongside traditional IT vulnerabilities, correlating threat intelligence from CISA, vendor advisories, research disclosures, and active exploitation indicators. When a new ICS advisory drops, we map it to affected assets, prioritize based on exploitability and impact, and surface it before it reaches your environment. Signal over noise, for the systems that keep the lights on.