Security Experts:

Connect with us

Hi, what are you looking for?



Counting ICS Vulnerabilities: Examining Variations in Numbers Reported by Security Firms

Reports published by various industrial cybersecurity companies provide different numbers on ICS vulnerabilities — here’s why.

ICS vulnerability count

Reports published in the past couple of months by various industrial cybersecurity companies provide different numbers when it comes to the vulnerabilities discovered in industrial control system (ICS) products in 2022. SecurityWeek has analyzed the methodologies used by these companies in an effort to understand the discrepancies in numbers and trends.

Some companies have reported seeing an increase in the number of ICS vulnerabilities, while others claim there has been a drop. However, looking at their methodologies helps clear up any confusion and shows that the contradictory trends result from the use of different sources and different methods of counting security holes.

SecurityWeek’s analysis of the various reports shows that the number of ICS vulnerabilities has continued to grow, which is not surprising considering that security researchers are increasingly interested in this field and vendors are also stepping up their game and finding more flaws. But let’s take a look at why some headlines might suggest differently.

In its recent ICS/OT Cybersecurity Year in Review report, industrial cybersecurity firm Dragos reported seeing 2,170 CVEs in 2022, which represents a 27% increase compared to the previous year. 

Dragos has reported the highest number of ICS vulnerabilities, which is explained by the fact that the company is tracking more sources than any other vendor. Its sources include advisories from the Cybersecurity and Infrastructure Security Agency (CISA), Germany’s [email protected] and Japan’s JP-CERT, as well as advisories from individual vendors and raw data from NIST. The company’s own researchers have also discovered vulnerabilities, which are included in the count. 

“We include many individual vendors and research organizations. Several of these vendors do not coordinate with the main government-run CERTs, so we end up with CVEs that are not covered in other lists,” explained Reid Wightman, vulnerability analyst at Dragos.

Learn More at SecurityWeek’s ICS Cyber Security Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
ICS Cybersecurity Conference
October 23-26, 2023 | Atlanta

While other ICS/OT security firms may not use as many data sources, they still reported seeing an increase in the number of vulnerabilities.

SynSaber, which only counts vulnerabilities from CISA’s ICS advisories, cataloged 1,342 vulnerabilities in 2022, compared to 1,191 in 2021 — excluding ICS medical vulnerabilities covered by CISA advisories. 

Claroty recently reported that XIoT vulnerabilities were trending down in the past three quarters, with 819 issues disclosed in H2 2021, 747 in H1 2022, and 688 in H2 2022. However, these numbers include not just ICS/OT vulnerabilities, but also some medical, IT and IoT issues, as well as flaws affecting multiple types of products. 

When it comes to ICS/OT vulnerabilities alone, Claroty cataloged a total of 940 in 2022, up from 826 in 2021. 

Claroty told SecurityWeek that its Team82 unit has developed an automated collection and analysis tool that ingests vulnerability data from trusted open sources, including the National Vulnerability Database (NVD), CISA, [email protected], MITRE, and industrial automation vendors Schneider Electric and Siemens.  

“We chose to only look at these publicly available sources in order to understand the market with an eagle-eye perspective. We wanted to look only at publicly disclosed vulnerabilities in relevant security advisories that usually reflect the vendor’s perspective on new vulnerabilities,” explained Claroty Team82 researcher Bar Ofner. 

IBM recently reported that for the first time in two years, the number of ICS vulnerabilities has decreased, from 715 in 2021 to 457 in 2022. The numbers are far lower compared to what other vendors have reported.

However, IBM told SecurityWeek that the number actually represents the number of ICS advisories published by CISA, not individual security holes. Since many advisories describe more than one vulnerability, the actual number of ICS flaws is much higher. 

Nozomi Networks’ recent OT/IoT Security Report, which provides an ICS vulnerability analysis based on CISA advisories, also shows a decrease. The company has cataloged 778 ICS vulnerabilities in 2022, down from 1,188 in 2021. 

Nozomi told SecurityWeek that it made some changes to its methodology in the second half of 2022. Based on SecurityWeek’s observations, it’s possible that the company has started counting advisories rather than individual vulnerabilities described in each advisory, which would explain the significant drop. 

The difference in the number of vulnerabilities reported by each of these companies can also come from the way vulnerabilities are counted. Some may decide to count every flaw mentioned in a CISA advisory, while others may not include issues that impact third-party components and are not specific to the ICS/OT product. 

Related: Cyber Insights 2023 | ICS and Operational Technology 

Related: ICS Vulnerabilities Chained for Deep Lateral Movement and Physical Damage 

Related: Siemens Drives Rise in ICS Vulnerabilities Discovered in 2022

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


Siemens and Schneider Electric address nearly 100 vulnerabilities across several of their products with their February 2023 Patch Tuesday advisories.


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).