
ICS Advisories, OT CVEs, and Your Environment

Sorting through the growing volume of vulnerabilities, patches, advisories, and alerts can be challenging even for larger dedicated teams. For smaller teams with other responsibilities, the task can feel nearly overwhelming.

If you aren’t sure how to get started or otherwise feel a little lost, you’re not alone. ICS and OT defenders are dealing with a steady stream of disclosures from CISA, vendors, CERTs, and independent researchers. In 2025 alone, CISA published 508 ICS advisories, up from 423 in 2024 and 380 in 2023. Across all sources, unique advisories rose from 1,830 in 2024 to 2,207 in 2025. Advisories also continued arriving at a pace of roughly 50 to 60 per month, which puts pressure on teams that are already short on time and staff.

Are There More Vulnerabilities in ICS than Before?

Well, yes and no.

Looking at the number of reported OT CVEs and advisories, there has been an increase year over year. More disclosures are being published by CISA, vendors, international CERTs, independent researchers, and security firms. That includes contributions from mature vendor PSIRTs, community research efforts, and programs such as ZDI. The overall disclosure ecosystem has grown, and the available data has grown with it.

The rising number of CVEs and advisories can also be tied to the growing number of reporting parties and the continued maturity of vendor disclosure programs. Vendors with the highest advisory counts are often among the most security mature. Our report highlights Siemens, Rockwell Automation, and Schneider Electric as examples of organizations with established internal disclosure processes. A higher advisory count can reflect visibility and process maturity rather than a weaker product line.

As government, media, and the public continue to pay close attention to ICS and critical infrastructure, more effort is being dedicated to vulnerability discovery and disclosure. That increased attention reflects the real impact that exploited vulnerabilities can have on critical infrastructure environments. At the same time, official CISA coverage now represents a smaller slice of the overall disclosure picture. CISA ICS advisory coverage dropped from 28.3% in 2024 to 17.5% in 2025, which means a large share of industrial vulnerability disclosures now comes from outside official CISA ICS channels.

So the rising numbers do not give the full story on whether ICS is more secure or less secure. They do show that more people are looking, more organizations are reporting, and more data is available to the OT community than in years past.

Getting a Bird’s Eye View of OT CVEs

Before you can dive deep into protecting your network and systems, you need a clear picture of which devices are actually in your OT environment.

That starts with asset inventory and environment visibility. If you do not know which vendors, products, versions, and protocols exist in your environment, it becomes very difficult to determine whether a CVE is even relevant. Our recent report’s prioritization framework begins with that same idea. Step one is confirming whether the affected product, version, and feature are actually present in your environment before time is spent on deeper analysis.

Once you have an understanding of what you are working with, advisory dashboards and curated data sources can make it easier to filter through the vulnerability landscape without spending hours reading every advisory manually. That kind of visibility matters even more today because official government channels no longer cover the majority of industrial disclosures. Teams need a practical way to connect external advisory data to internal asset context.

Having a bird’s eye view of your OT environment also helps narrow your focus. There is little value in spending time on vulnerabilities tied to products that are not present in your environment. Good visibility makes it easier to focus on the vendors, assets, and systems that actually matter to your organization.

Understanding and Prioritizing Relevant CVEs

Once you have compiled a list of vulnerabilities that might have an impact on your organization, the next step is to determine how to go about addressing them. The key is to prioritize and strategize.

One thing many teams look at first is the severity score associated with each vulnerability. Severity scores are still useful as a common language for discussing theoretical impact. They account for things like attack vector, attack complexity, privileges required, and user interaction. These details can help guide initial triage. In OT environments, though, that score is only one part of the picture. Our ICS CVE Research report explains that CVSS does not account for network architecture, compensating controls, operational consequence, or the realities of deploying patches in live industrial environments.

Recent data reinforces the importance of context. Of the 2,203 vulnerabilities scored High or Critical in the 2024 and 2025 dataset, only 29 appeared in CISA’s Known Exploited Vulnerabilities catalog. That is 1.32%. Our research also found that 98.4% of those High and Critical vulnerabilities were never confirmed as weaponized in the wild. That tells us teams need precision and context when they prioritize CVEs that may affect their environment.

For example, if a CVE can only be exploited in a device that sits behind strong segmentation and tightly controlled communications, that issue may require a different response timeline than a lower scored vulnerability affecting a reachable controller deeper in the OT environment. Reachability matters. The report notes that many common vulnerability classes can be exploited without authentication if an attacker can reach the device, which makes environment context a major part of prioritization.

There are three questions to ask whenever you are addressing a vulnerability:

  • Applicable: Does this apply to my environment?
  • Critical: Is this critical in the context of my environment and systems?
  • Fixable: Is there a permanent fix I can deploy in my environment?

Security efforts should prioritize the vulnerabilities that sit at the intersection of these three categories for the most efficient use of time and resources.
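The inventory check from the previous section and the three questions above fit together as one triage pass: match each advisory against what is deployed, decide whether it matters in context, and check whether a permanent fix exists. The script below is an added example, not code from the report or the original post. The vendors, products, advisory IDs, versions and the scoring policy (CISA KEV membership, unauthenticated network exploitability, reachability from less trusted zones, asset criticality) are all constructed assumptions; a production version would need to follow each vendor's own affected-version format rather than the simple "strictly below" rule used here.

```python
"""Added example: match ICS advisories to an OT asset inventory and sort the
hits into Applicable / Critical / Fixable buckets.  All vendors, products,
advisory IDs and the scoring policy below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    version: str
    criticality: str            # "high" | "medium" | "low" (process impact)
    reachable_untrusted: bool   # can traffic from IT / remote zones reach it?


@dataclass(frozen=True)
class Advisory:
    advisory_id: str            # hypothetical IDs, not real CVEs
    vendor: str
    product: str
    affected_below: str         # every version strictly below this is affected
    fixed_in: Optional[str]     # None = no patch (end-of-life / "forever day")
    cvss: float                 # CVSS base score as published
    network_exploitable: bool   # CVSS AV:N
    auth_required: bool         # CVSS PR is not N
    in_kev: bool                # listed in CISA Known Exploited Vulnerabilities


def parse_version(text: str) -> tuple:
    """'4.2.10' -> (4, 2, 10).  Non-digits are dropped so '3.1b' -> (3, 1)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_applicable(asset: Asset, adv: Advisory) -> bool:
    """Question 1: is the affected vendor / product / version actually deployed?"""
    same_product = (asset.vendor.lower() == adv.vendor.lower()
                    and asset.product.lower() == adv.product.lower())
    return same_product and parse_version(asset.version) < parse_version(adv.affected_below)


def is_critical_in_context(asset: Asset, adv: Advisory) -> bool:
    """Question 2: does it matter here?  Known-exploited issues always count.
    Otherwise the issue only counts if an attacker can reach the device: an
    unauthenticated network bug at any score, or any bug scored High/Critical.
    A 9.8 behind strict segmentation therefore does not land here."""
    if adv.in_kev:
        return True
    if not asset.reachable_untrusted:
        return False
    if adv.network_exploitable and not adv.auth_required:
        return True
    return adv.cvss >= 7.0


def is_fixable(adv: Advisory) -> bool:
    """Question 3: is there a permanent fix to deploy?"""
    return adv.fixed_in is not None


def bucket(applicable: bool, critical: bool, fixable: bool) -> str:
    if not applicable:
        return "ignore"
    if critical and fixable:
        return "patch-now"      # intersection of all three questions
    if critical:
        return "compensate"     # no fix: segmentation, allowlisting, monitoring
    if fixable:
        return "schedule"       # fix exists, low context risk: next maintenance window
    return "track"              # applicable, unfixable, low risk: record it anyway


def triage(inventory, advisories):
    """One row per (asset, advisory) pair that applies, most urgent first."""
    order = {"patch-now": 0, "compensate": 1, "schedule": 2, "track": 3}
    crit_rank = {"high": 0, "medium": 1, "low": 2}
    rows = []
    for asset in inventory:
        for adv in advisories:
            if not is_applicable(asset, adv):
                continue
            b = bucket(True, is_critical_in_context(asset, adv), is_fixable(adv))
            rows.append({"asset": asset.name, "advisory": adv.advisory_id,
                         "bucket": b, "cvss": adv.cvss,
                         "criticality": asset.criticality})
    rows.sort(key=lambda r: (order[r["bucket"]], crit_rank[r["criticality"]], -r["cvss"]))
    return rows


# Constructed sample data: fictional vendors, products and advisory IDs.
INVENTORY = [
    Asset("PLC-Line1", "ExampleCo", "Model-X PLC", "3.1.4", "high", False),
    Asset("HMI-Packaging", "ExampleCo", "View HMI", "2.0.0", "medium", True),
    Asset("RTU-Substation", "OtherCorp", "Grid RTU", "1.9", "high", True),
]
ADVISORIES = [
    Advisory("ADV-2025-001", "ExampleCo", "Model-X PLC", "3.2.0", "3.2.0", 9.8, True, False, False),
    Advisory("ADV-2025-002", "ExampleCo", "View HMI", "2.1.0", None, 6.5, True, False, True),
    Advisory("ADV-2025-003", "OtherCorp", "Grid RTU", "2.0", None, 5.3, True, True, False),
    Advisory("ADV-2025-004", "ExampleCo", "Model-X PLC", "3.0.0", "3.0.0", 8.1, True, False, False),
    Advisory("ADV-2025-005", "OtherCorp", "Grid RTU", "2.0", "2.0", 8.8, True, False, False),
]

if __name__ == "__main__":
    for row in triage(INVENTORY, ADVISORIES):
        print(f'{row["bucket"]:<11} {row["asset"]:<16} {row["advisory"]} (CVSS {row["cvss"]})')
```

With this data the 9.8 on the segmented PLC lands in "schedule", while the 6.5 on the reachable HMI lands in "compensate" because it is in KEV and has no patch; the RTU's 8.8 unauthenticated network bug with a fix available is the only "patch-now", and its 5.3 authenticated, unpatchable bug stays in "track" so it is not lost for compliance and maintenance planning. ADV-2025-004 never appears because the deployed firmware is already above the affected range.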

It is also important to recognize that some reported vulnerabilities may not have a practical fix available. In 2024 and 2025, 70% of advisories included a patch, but 45% recommended hardware or software upgrades as the remediation path. The report also found that 7.5% of advisories were explicitly identified as end-of-life, meaning no patch is forthcoming and replacement is the official recommendation.

For many operators, those realities turn compensating controls into a long-term part of the security program. Network-level protection, communication whitelisting, and protocol validation all become important options when patching is delayed or unavailable.

These “forever day” and end-of-life issues still need to be tracked. They matter for compliance, risk management, maintenance planning, and operational decision-making. They also make it even more important to understand your environment, your asset criticality, and your architecture before assigning urgency based on a score alone.

Additional Resources