Industrial Control System Vulnerabilities Reach All-Time High

Summary

– A record 508 ICS security advisories were published in 2025, covering 2,155 CVEs, a major increase from 67 advisories in 2011.
– The average severity (CVSS score) of these vulnerabilities has risen significantly, climbing above 8.0 in 2024 and 2025.
– The most affected systems were field controllers and PLCs, with critical manufacturing and energy being the top impacted industries.
– A growing visibility gap exists, as only 22% of 2025’s vulnerabilities had an associated CISA advisory, down from 58% in 2024.
– The report calls for regulatory pressure, industry collaboration, and vendor accountability to improve proactive vulnerability management.

The landscape of industrial cybersecurity faces unprecedented challenges, with the volume and severity of discovered vulnerabilities reaching new heights. A recent analysis reveals that the number of industrial control system (ICS) security advisories published in 2025 surpassed 500 for the first time on record. This surge represents a dramatic escalation from the early days of tracking, highlighting a critical trend for sectors like manufacturing and energy that rely on these operational technologies.

Detailed findings show a total of 2,155 Common Vulnerabilities and Exposures (CVEs) spread across those 508 advisories last year. To put this in perspective, the figure marks a massive increase from just 103 CVEs across 67 advisories back in 2011. Equally concerning is the rising severity of these flaws. The average Common Vulnerability Scoring System (CVSS) score for advisories has climbed steadily, moving from 6.44 in 2010 to consistently above 8.0 in the past two years, indicating a greater proportion of high-risk threats.

The devices and systems most frequently impacted follow a clear pattern. The primary targets were Purdue Level 1 devices, which include essential field equipment like programmable logic controllers (PLCs) and remote terminal units (RTUs). These were followed by operational systems at Level 3, such as manufacturing execution systems (MES), and control systems at Level 2, including supervisory control and data acquisition (SCADA) platforms. Industrial network infrastructure, like routers and switches, also featured prominently. From an industry perspective, critical manufacturing and energy remained the top two most affected sectors. Notably, transportation jumped three places to rank third, while healthcare moved up four spots to fourth, signaling expanding risk across vital infrastructure.

Compounding the problem of sheer volume is a growing gap in centralized threat visibility. For over a decade, the Cybersecurity and Infrastructure Security Agency’s (CISA) ICS Advisory program served as the authoritative source for vulnerability information in this space. However, its coverage appears to be narrowing. A pivotal change occurred when CISA announced it would stop publishing updates on advisories for Siemens products, directing users instead to the vendor’s own portal. This shift points to a broader issue where a growing number of vulnerabilities lack an associated CISA advisory.

Current data underscores this worrying divergence. According to open-source tracking, only 22% of vulnerabilities identified last year had a corresponding ICS advisory (ICSA) published by CISA. This is a sharp decline from 58% in 2024 and 40% in 2023. In 2025 alone, vulnerabilities without a CISA advisory were linked to 134 different vendors. These unreported flaws are far from trivial; 61% of vulnerabilities without an ICSA in 2025 were rated as high or critical severity, predominantly affecting the same manufacturing and energy sectors tracked by official channels.

Addressing these converging challenges requires a coordinated effort. Experts advocate for a multi-faceted approach combining regulatory pressure, deeper industry collaboration, and greater vendor accountability. Key recommendations include increased transparency regarding patch timelines from manufacturers and the dedication of more resources to proactive vulnerability management. Cultivating a security mindset focused on prevention rather than reaction is essential for both technology providers and the asset owners who operate these critical systems. The path forward depends on building stronger incentives for rapid response and fostering a culture where security is integral to operational resilience.

(Source: InfoSecurity Magazine)
