A pair of recent Kaspersky Lab reports found that approximately ninety-one percent of public-facing ICS systems are remotely exploitable:

According to a review of publicly accessible ICS hosts, a staggering 91.1 percent likely belong to large organizations and have vulnerabilities that can be exploited remotely; 3.3 percent of the hosts contain remotely exploitable vulnerabilities that are considered critical.

One report, “Industrial Control Systems Vulnerabilities Statistics,” carried out by the company’s Security Services team, takes a comprehensive look at industrial control system security throughout the 2015 calendar year, breaking down all 189 ICS vulnerabilities dug up in 2015. While it may seem like there’s been an influx of ICS bugs over the last 12 months, the figure is actually more or less in line with statistics from the last few years and comes in just three bugs fewer than the all-time high of 192 discovered in 2012.

The number, 189 vulnerabilities, does mark a tenfold increase from 2010, however, when only 19 vulnerabilities were identified.

In my experience, this is not out of the ordinary, although the Operational Technology community is warming up to the idea that they need cyber security controls to prevent bad things from happening. There are just too many successful ICS cyber attacks for the older, less savvy OT people to continue to keep their heads in the sand.