{"id":4552,"date":"2026-02-19T14:36:38","date_gmt":"2026-02-19T14:36:38","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/02\/19\/industrial-control-system-vulnerabilities-hit-record-highs\/"},"modified":"2026-02-19T14:36:38","modified_gmt":"2026-02-19T14:36:38","slug":"industrial-control-system-vulnerabilities-hit-record-highs","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/02\/19\/industrial-control-system-vulnerabilities-hit-record-highs\/","title":{"rendered":"Industrial Control System Vulnerabilities Hit Record Highs"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>The number of industrial control system (ICS) security advisories published in 2025\u00a0topped 500 for the first time since records began, with the severity of vulnerabilities also increasing, according to Forescout.<\/p>\n<p>The security vendor revealed the findings in its new report, <em>ICS Cybersecurity in 2026: Vulnerabilities and the Path Forward.<\/em><\/p>\n<p>It said there were a total of 2155 CVEs published across 508 ICS advisories last year. That\u2019s an increase\u00a0from 103 CVEs across 67 advisories in 2011 \u2013 when records began.<\/p>\n<p>The average CVSS score of advisories climbed from 6.44 in 2010 to above 8.0 in 2024 and 2025.<\/p>\n<p><em>Read more on ICS threats: CISA Issues Advisories on Critical ICS Vulnerabilities Across Multiple Sectors.<\/em><\/p>\n<p>According to the report, the most affected asset types last year, in order, were:<\/p>\n<ul>\n<li>Purdue Level 1 devices: eg, field controllers, RTUs, PLCs and IEDs<\/li>\n<li>Purdue Level 3 operation systems: eg, MES, PLM, EMS and others<\/li>\n<li>Purdue Level 2 control systems: eg, DCS, SCADA and BMS<\/li>\n<li>Industrial network infrastructure like routers and switches<\/li>\n<\/ul>\n<p>Critical manufacturing and energy were the top two most affected industries, with transportation jumping three places from the previous year to third and healthcare moving up four places to fourth.<\/p>\n<h2><strong>A CISA-Shaped Gap in Reporting<\/strong><\/h2>\n<p>More concerning for operators of industrial and operational technology is a growing gap in threat visibility.<\/p>\n<p>CISA\/ICS-CERT has been \u201cthe authoritative source\u201d about vulnerabilities in this field since the ICS Advisory (ICSA) program was started in 2010, Forescout noted. However, according to the open source ICS advisory project, a growing number of vulnerabilities don\u2019t have an associated ICSA published by CISA.<\/p>\n<p>\u201cOn January 10, 2023 CISA announced they would stop publishing updates on advisories affecting Siemens products, and instead, will be redirecting users to Siemens\u2019 ProductCERT for the latest updates,\u201d Forescout explained.<\/p>\n<p>\u201cThis shows the need for vulnerability information beyond CISA. Yet, the situation is not restricted to Siemens and not limited to updates only.\u201d<\/p>\n<p>In fact, according to the ICS advisory project, only 22% of vulnerabilities last year had an associated ICSA published by CISA \u2013 down from 58% in 2024 and 40% in 2023.<\/p>\n<p>\u201cThere were vulnerabilities without an associated ICSA published by 134 vendors in 2025. Clearly, there a fair amount of OT\/ICS risk that is not tracked by ICSAs,\u201d said the report.<\/p>\n<p>\u201cVulnerabilities without an ICSA are no less important than those with a dedicated advisory from CISA. In fact, 61% of vulnerabilities in 2025 without an ICSA had a high or critical severity. And like those vulnerabilities tracked by CISA, these mostly affected the manufacturing and energy sectors.\u201d<\/p>\n<h2><strong>A Call to Action<\/strong><\/h2>\n<p>The security vendor called for a combination of \u201cregulatory pressure, industry collaboration, and vendor accountability\u201d to address the challenges of vulnerability management in OT\/ICS environments.<\/p>\n<p>\u201cIncreased transparency about patch timelines, dedicated resources for vulnerability management, and stronger incentives for rapid response could help accelerate the process across the sector,\u201d it concluded.<\/p>\n<p>\u201cAdditionally, fostering a culture of proactive security, rather than reactive fixes, would benefit vendors and asset owners.&#8221;<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>The number of industrial control system (ICS) security advisories published in 2025\u00a0topped 500 for the first time since records began, with the severity of vulnerabilities also increasing, according to Forescout. The security vendor revealed the findings in its new report, ICS Cybersecurity in 2026: Vulnerabilities and the Path Forward. It said there were a total<\/p>\n","protected":false},"author":2,"featured_media":4553,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4552","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4552-31f21ad6-c451-429d-b22a-60085c6a058f.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4552-31f21ad6-c451-429d-b22a-60085c6a058f-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4552-31f21ad6-c451-429d-b22a-60085c6a058f.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4552-31f21ad6-c451-429d-b22a-60085c6a058f.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4552-31f21ad6-c451-429d-b22a-60085c6a058f.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4552-31f21ad6-c451-429d-b22a-60085c6a058f.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4552-31f21ad6-c451-429d-b22a-60085c6a058f.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4552-31f21ad6-c451-429d-b22a-60085c6a058f.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4552-31f21ad6-c451-429d-b22a-60085c6a058f.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4552-31f21ad6-c451-429d-b22a-60085c6a058f.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4552-31f21ad6-c451-429d-b22a-60085c6a058f-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4552","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4552"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4552\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4553"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4552"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4552"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}