
A new report from Forescout reveals a record number of industrial control system (ICS) vulnerabilities and growing blind spots that could leave critical infrastructure exposed.
The report draws on more than 15 years of ICS advisory data and finds that from March 2010 to January 31, 2026, CISA/ICS-CERT published 3,637 ICS advisories about 12,174 vulnerabilities affecting 2,783 products from 689 vendors.
Vulnerabilities are also becoming more severe. The average CVSS score of advisories has been trending upwards (see below). Back in 2010, the average was 6.44, classified as medium severity. In 2024, the average crossed 8.0 for the first time and it remained there in 2025. The number of attacks on OT and critical infrastructure continues to grow too.
In terms of addressing the threat, the OT/ICS sector is increasingly turning to regular update cycles, echoing Microsoft’s Patch Tuesday. Even if patching in OT isn’t as easy as in IT, having mature security response programs at vendors and a regular cadence of available patches can help asset owners plan their risk assessment and mitigation activities. Several vendors now directly publish cybersecurity advisories for their own products — decreasing the exclusive reliance on the CISA/NVD ecosystem.
The forthcoming EU Cyber Resilience Act (CRA) is making an impact too, encouraging vendors to take a more proactive approach to establishing coordinated disclosure processes and releasing patches. The EU is not the only authority driving change through regulation. For example, Mitsubishi addressed a vulnerability last September due to requirements under Chinese cybersecurity laws.
The authors conclude, “Addressing the challenge of vulnerability management in OT/ICS requires a combination of regulatory pressure, industry collaboration, and vendor accountability. Increased transparency about patch timelines, dedicated resources for vulnerability management, and stronger incentives for rapid response could help accelerate the process across the sector. Additionally, fostering a culture of proactive security, rather than reactive fixes, would benefit vendors and asset owners.”
You can read more about the findings on the Forescout blog.
Image credit: Branex/Dreamstime.com
