Executive Summary
The industrial control system and operational technology security landscape reached a critical inflection point in 2026. This report analyzes 351,655 CVEs indexed by the BreachSpider platform — the most comprehensive ICS/OT vulnerability dataset available to the commercial market.
CVE Volume: The Acceleration Problem
CVE volume has grown 174% since 2017, with no sign of deceleration. The 2026 trajectory, if sustained, will set a new annual record.
| Year | CVEs Published | YoY Change |
|---|---|---|
| 2017 | 18,112 | — |
| 2020 | 19,213 | +1.6% |
| 2022 | 26,425 | +20.4% |
| 2024 | 40,589 | +31.3% |
| 2025 | 49,575 | +22.1% |
| 2026 (Jan–May) | 26,964 | +34% vs same period 2025 |
ICS/OT Vendor Vulnerability Analysis
The following covers eleven major ICS/OT vendors — the manufacturers whose products operate critical infrastructure globally.
| Vendor | CVEs | Critical | KEV | Avg CVSS | Net-Exploit Critical |
|---|---|---|---|---|---|
| Siemens | 5,283 | 464 | 50 | 6.97 | 462 |
| Rockwell Automation | 681 | 140 | 45 | 7.75 | 137 |
| Mitsubishi Electric | 210 | 56 | 0 | 7.71 | 56 |
| Honeywell | 174 | 48 | 6 | 7.73 | 48 |
| Bosch | 117 | 23 | 0 | 7.64 | 22 |
| Emerson | 91 | 20 | 0 | 7.53 | 20 |
| Omron | 91 | 14 | 0 | 7.45 | 14 |
| Yokogawa | 67 | 20 | 0 | 7.92 | 20 |
Rockwell Automation — Highest KEV Rate of Any ICS Vendor
With 45 KEV entries across 681 total CVEs, Rockwell Automation has a KEV rate of 6.6% — the highest of any major ICS vendor and 14x the global average of 0.46%. 1 in 15 Rockwell vulnerabilities is confirmed actively exploited. Average CVSS 7.75 — highest among all ICS vendors analyzed.
Siemens — Largest Absolute Attack Surface
5,283 CVEs — more than 7x the nearest ICS competitor. 462 of the 464 critical CVEs are network-exploitable. Siemens ranks 14th globally by CVE count, on par with Adobe and Cisco. Any organization running SIMATIC, SINEMA, SCALANCE, or WinCC should treat this as the highest priority remediation workstream.
CISA KEV: The Active Exploitation Crisis
| KEV Age | Count | Percentage |
|---|---|---|
| Published < 1 year ago | 161 | 10.1% |
| Published 1–3 years ago | 356 | 22.2% |
| Published > 3 years ago | 1,084 | 67.7% |
The average actively exploited vulnerability is 2,007 days old at the time of this analysis. The oldest KEV entry dates to 2002 — a 24-year-old vulnerability still being actively exploited in 2026.
Attack Surface: 78% Network-Exploitable
Among all high and critical CVEs (CVSS 7.0+): 132,321 (78.3%) require only network access. 33,304 (19.7%) require local access. Only 76 (0.04%) require physical presence. The assumption that physical perimeters protect OT is demonstrably false against this vulnerability landscape.
Top Weakness Classes in ICS/OT Context
| CWE | Weakness | High/Crit CVEs |
|---|---|---|
| CWE-89 | SQL Injection | 16,623 |
| CWE-787 | Out-of-Bounds Write | 11,403 |
| CWE-119 | Improper Memory Buffer Operations | 10,740 |
| CWE-20 | Improper Input Validation | 6,458 |
| CWE-78 | OS Command Injection | 5,095 |
| CWE-22 | Path Traversal | 5,060 |
Recommendations
Immediate (0–30 days):
- Audit all 1,601 CISA KEV vulnerabilities against your asset inventory — confirmed active exploitation, start here
- Deploy virtual patches (Suricata/Snort) for the 171 KEV entries with no patch — network-level detection is the only compensating control
- Prioritize Rockwell Automation exposure — 6.6% KEV rate, highest CVSS of any ICS vendor
- Identify all network-accessible ICS assets — 78% of critical CVEs require only network access
Short-term (30–90 days):
- Implement continuous vulnerability monitoring — 26,964 new CVEs in 5 months makes manual tracking impossible
- Establish a vulnerability age policy — if CVEs age past 90 days without compensating controls, your program has a structural gap
- Assess Siemens SIMATIC, SCALANCE, SINEMA platforms — 462 network-exploitable critical CVEs
BreachSpider indexes all 351,655 CVEs with SAGE AI enrichment, virtual patches, and NERC-CIP mapping. Get alerted within 15 minutes of a new vulnerability affecting your vendors.
Search Free Now View PricingMethodology
Data sourced from NVD, CISA KEV catalog, Zero Day Initiative, and vendor PSIRT feeds. All CVE data normalized via the BreachSpider CPE pipeline. CVSS scores represent highest available version (v4 > v3.1 > v2). Analysis as of May 25, 2026.
SAGE (Sovereign AI Governance Engine) is a proprietary enrichment system developed by CITED Relevance LLC. USPTO Provisional Patent Application 64/015,948.