The number of industrial control system (ICS) security advisories published in 2025 topped 500 for the first time since records began, with the severity of vulnerabilities also increasing, according to Forescout.
The security vendor revealed the findings in its new report, ICS Cybersecurity in 2026: Vulnerabilities and the Path Forward.
It said there were a total of 2155 CVEs published across 508 ICS advisories last year. That’s an increase from 103 CVEs across 67 advisories in 2011 – when records began.
The average CVSS score of advisories climbed from 6.44 in 2010 to above 8.0 in 2024 and 2025.
According to the report, the most affected asset types last year, in order, were:
- Purdue Level 1 devices: eg, field controllers, RTUs, PLCs and IEDs
- Purdue Level 3 operation systems: eg, MES, PLM, EMS and others
- Purdue Level 2 control systems: eg, DCS, SCADA and BMS
- Industrial network infrastructure like routers and switches
Critical manufacturing and energy were the top two most affected industries, with transportation jumping three places from the previous year to third and healthcare moving up four places to fourth.
A CISA-Shaped Gap in Reporting
More concerning for operators of industrial and operational technology is a growing gap in threat visibility.
CISA/ICS-CERT has been “the authoritative source” about vulnerabilities in this field since the ICS Advisory (ICSA) program was started in 2010, Forescout noted. However, according to the open source ICS advisory project, a growing number of vulnerabilities don’t have an associated ICSA published by CISA.
“On January 10, 2023 CISA announced they would stop publishing updates on advisories affecting Siemens products, and instead, will be redirecting users to Siemens’ ProductCERT for the latest updates,” Forescout explained.
“This shows the need for vulnerability information beyond CISA. Yet, the situation is not restricted to Siemens and not limited to updates only.”
In fact, according to the ICS advisory project, only 22% of vulnerabilities last year had an associated ICSA published by CISA – down from 58% in 2024 and 40% in 2023.
“There were vulnerabilities without an associated ICSA published by 134 vendors in 2025. Clearly, there a fair amount of OT/ICS risk that is not tracked by ICSAs,” said the report.
“Vulnerabilities without an ICSA are no less important than those with a dedicated advisory from CISA. In fact, 61% of vulnerabilities in 2025 without an ICSA had a high or critical severity. And like those vulnerabilities tracked by CISA, these mostly affected the manufacturing and energy sectors.”
A Call to Action
The security vendor called for a combination of “regulatory pressure, industry collaboration, and vendor accountability” to address the challenges of vulnerability management in OT/ICS environments.
“Increased transparency about patch timelines, dedicated resources for vulnerability management, and stronger incentives for rapid response could help accelerate the process across the sector,” it concluded.
“Additionally, fostering a culture of proactive security, rather than reactive fixes, would benefit vendors and asset owners.”
