Industrial Control System Vulnerabilities Hit Record Highs
Industrial Control System Vulnerabilities Hit Record Highs
https://www.infosecurity-magazine.com/news/industrial-control-system-vulns/
Publish Date: 2026-02-19 08:00:00
Source Domain: www.infosecurity-magazine.com
The number of industrial control system (ICS) security advisories published in 2025 topped 500 for the first time since records began, with the severity of vulnerabilities also increasing, according to Forescout.
The security vendor revealed the findings in its new report, ICS Cybersecurity in 2026: Vulnerabilities and the Path Forward.
It said there were a total of 2155 CVEs published across 508 ICS advisories last year. That’s an increase from 103 CVEs across 67 advisories in 2011 – when records began.
The average CVSS score of advisories climbed from 6.44 in 2010 to above 8.0 in 2024 and 2025.
Read more on ICS threats: CISA Issues Advisories on Critical ICS Vulnerabilities Across Multiple Sectors.
According to the report, the most affected asset types last year, in order, were:
- Purdue Level 1 devices: eg, field controllers, RTUs, PLCs and IEDs
- Purdue Level 3 operation systems: eg, MES, PLM, EMS and others
- Purdue Level 2 control systems: eg, DCS, SCADA and BMS
- Industrial network infrastructure like routers and switches
Critical manufacturing and energy were the top two most affected industries, with transportation jumping three places from the previous year to third and healthcare moving up four places to fourth.
A CISA-Shaped Gap in Reporting
More concerning for operators of industrial and operational technology is a growing gap in threat visibility.
CISA/ICS-CERT has been “the authoritative source” about vulnerabilities in this field since the ICS Advisory (ICSA) program was started in 2010, Forescout noted. However, according to the open source ICS advisory project, a growing number of vulnerabilities don’t have an associated ICSA published by CISA.
“On January 10, 2023 CISA announced they would stop publishing updates on advisories affecting Siemens products, and instead, will be redirecting users to Siemens’ ProductCERT for the latest updates,” Forescout explained.
“This shows the need for vulnerability information…
