After understanding the threat landscape facing industrial organizations, the next question is more practical: which vulnerabilities actually put operations at risk?
According to Dragos analysis across 2025, just 3 percent of vulnerabilities were categorized as NOW, requiring immediate action, while 71 percent were better addressed through planned mitigation, and 27 percent offered limited practical risk reduction even if remediated. At the same time, the data shows that the signals defenders rely on are often incomplete or misleading. A staggering 15 percent of CVEs carried incorrect CVSS scores, and 25 percent of advisories included no patch or mitigation guidance at all, forcing organizations to make prioritization decisions without sufficient context. This creates a fundamental disconnect during OT vulnerability management. Organizations are asked to respond to a large and growing volume of vulnerabilities, while the information used to prioritize them is often inconsistent, incomplete, or detached from how industrial environments actually operate.
The Dragos 2026 OT/ICS Cybersecurity Year in Review, drawing on insights from across the Dragos Intelligence Fabric, including threat intelligence, incident response, vulnerability research, and real-world assessments, shows a consistent pattern. Industrial organizations face a high volume of vulnerabilities, but only a small fraction meaningfully contributes to operational risk. The challenge is not identifying vulnerabilities. It is determining which ones actually matter, based on how adversaries operate and how industrial environments are structured. When viewed through that lens, vulnerability prioritization becomes less about volume and more about assets, access, and operational impact.
The first question we need to ask is not about severity; it is whether the vulnerability is being used. The Year in Review shows that only a small percentage of vulnerabilities, approximately 4 percent, are observed to be actively exploited in the wild. However, those vulnerabilities account for a disproportionate share of real-world risk. Adversaries consistently rely on a limited and repeatable set of vulnerabilities, often reusing known techniques rather than constantly adopting new ones. This behavior reflects efficiency, not limitation. Once a technique is proven to work across environments, it continues to be used.
This has two important implications. First, many high-severity vulnerabilities will never be relevant to a given organization's environment. Second, vulnerabilities that are actively exploited, even if they appear less critical on paper, should be treated as immediate priorities. When a vulnerability is tied to observed adversary activity, its importance is no longer theoretical. It represents a proven pathway that has already been used to gain access, establish persistence, or move closer to operational systems.
This is where vulnerability prioritization must begin: not with what could be exploited, but with what is already being used against environments like yours.
A vulnerability only matters if it is reachable. The Year in Review shows that vulnerabilities exist across both core OT environments and the broader set of systems that support industrial operations. While 73 percent of advisories apply to assets deep within ICS environments, a meaningful portion (22 percent) applies to systems at the enterprise boundary, the same systems adversaries consistently use to gain initial access.
These include:
- Remote access infrastructure
- Identity and authentication systems
- Internet-facing edge devices
- Operational support platforms, including engineering tools and data systems
These systems are often treated as separate from OT, but in practice they are tightly connected to it. They enable visibility into operations, coordination across environments, and access to systems that influence production or control processes.
This is where exposure becomes the defining factor. A vulnerability affecting an isolated system may present little practical risk. The same vulnerability on an externally accessible system connected to operational workflows can become a direct entry point. Across observed incidents, adversaries do not typically begin with core control systems. They begin in these connected, accessible layers, and then move inward. If defenders lack visibility into these pathways, adversaries can operate within these layers - gaining access, establishing persistence, and positioning themselves for further movement - without being detected. Prioritization, in this context, is not about whether a system is vulnerable. It is about whether it is exposed along the pathways adversaries already use to reach operational assets.
Adversaries do not need to directly manipulate control devices to disrupt operations. Instead, they target systems that allow them to observe, manage, or influence multiple assets at once. The Year in Review highlights that only a small subset of vulnerabilities affects systems that influence visibility and control over operations. Specifically:
- 27 percent of vulnerabilities could impact both view and control
- A negligible percentage affect control alone
- Very few affect visibility alone
This reflects a key characteristic of industrial environments: impact is often indirect. Across incident response engagements, these high-leverage systems consistently include:
- Engineering workstations used to configure and manage industrial assets
- SCADA and control servers that provide centralized visibility
- Virtualization platforms that host multiple operational systems
- Remote access gateways that connect users to industrial environments
Compromising these systems provides scale and allows adversaries to move beyond a single device and interact with broader portions of the environment. This is where many vulnerability prioritization efforts fall short. Risk is not defined by the vulnerability alone, but by what the compromised system allows an adversary to do next.
Dragos Intelligence Fabric insights reinforce that adversaries frequently operate within intermediate layers - the systems that connect enterprise and operational environments - before ever interacting directly with control systems.
Most attacks impacting industrial organizations follow a progression. Adversaries gain initial access, expand their foothold, and then move toward systems that influence operations. Certain vulnerabilities accelerate this process by enabling:
- Credential access and privilege escalation
- Lateral movement across IT and OT boundaries
- Expansion into systems that influence physical processes
Vulnerabilities that do not directly affect industrial devices can significantly increase risk if they shorten the path from initial access to operational disruption. This is particularly important in environments where visibility is limited across these connected systems. Without a clear understanding of how systems interact, it’s possible to overlook vulnerabilities that do not appear critical in isolation but play a key role in enabling adversary movement.
The challenge in OT vulnerability management is understanding which vulnerabilities actually matter. In practice, this means prioritizing vulnerabilities that enable movement between environments, expand access across systems, and reduce the effort required to reach operational assets.
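The four questions the preceding sections raise (is it exploited, is the asset reachable, does it affect view and control, does it shorten the path to operations) can be written down as a triage procedure and compared against a plain CVSS sort. The example below is added here and is not Dragos code or the Year in Review's methodology; the bucket rules, the zone names, and the sample advisories are all constructed assumptions that encode the article's criteria so the resulting order can be inspected. It also handles the two data-quality problems the article notes (advisories with no usable score and advisories with no mitigation guidance) by flagging them for manual review rather than silently ranking them last.

```python
"""Triage sample OT advisories into NOW / NEXT / NEVER and compare with a CVSS-only sort.

Added worked example, not code from Dragos or the Year in Review. The decision
rules are an assumption that encodes the article's criteria (exploitation,
reachability, view+control leverage, path-shortening); tune them to your own
environment. All advisory records below are constructed, not real CVEs.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumed zone labels: where the affected asset sits between the internet and the process.
ENTERPRISE_BOUNDARY = "enterprise_boundary"  # remote access, identity, edge devices
INTERMEDIATE = "intermediate"                # EWS, SCADA servers, hypervisors, jump hosts
CORE_OT = "core_ot"                          # controllers and field devices
ISOLATED = "isolated"                        # no route from any connected layer


@dataclass
class Advisory:
    ident: str
    cvss: Optional[float]           # None models an advisory with no usable score
    zone: str
    exploited_in_wild: bool = False
    affects_view: bool = False
    affects_control: bool = False
    enables_movement: bool = False  # credential access, privilege escalation, IT/OT pivot
    has_mitigation: bool = True     # False models an advisory with no patch or guidance


def triage(a: Advisory) -> tuple[str, str]:
    """Return (bucket, reason); bucket is 'NOW', 'NEXT' or 'NEVER'. Rules are assumptions."""
    reachable = a.zone != ISOLATED
    high_leverage = a.affects_view and a.affects_control
    if not reachable:
        return "NEVER", "no pathway from any connected layer"
    if a.exploited_in_wild:
        return "NOW", "observed exploitation on a reachable asset"
    if a.zone in (ENTERPRISE_BOUNDARY, INTERMEDIATE) and a.enables_movement:
        return "NOW", "shortens the path from initial access to operations"
    if high_leverage or a.enables_movement:
        return "NEXT", "affects view and control, or expands access; plan mitigation"
    return "NEVER", "limited practical risk reduction if remediated"


def needs_manual_review(a: Advisory) -> bool:
    """Flag records the article calls out as incomplete: no score or no mitigation guidance."""
    return a.cvss is None or not a.has_mitigation


_BUCKET_ORDER = {"NOW": 0, "NEXT": 1, "NEVER": 2}


def prioritize(advisories: list[Advisory]) -> list[Advisory]:
    """Order by triage bucket first; CVSS only breaks ties, and unknown scores sort last."""
    return sorted(advisories, key=lambda a: (_BUCKET_ORDER[triage(a)[0]], -(a.cvss or 0.0)))


def cvss_only(advisories: list[Advisory]) -> list[Advisory]:
    """The ordering a severity-only process would produce, for comparison."""
    return sorted(advisories, key=lambda a: -(a.cvss or 0.0))


# Constructed sample data (hypothetical identifiers, not real advisories).
SAMPLE_ADVISORIES = [
    Advisory("ADV-1", 9.8, CORE_OT, affects_view=True, affects_control=True),
    Advisory("ADV-2", 6.5, ENTERPRISE_BOUNDARY, exploited_in_wild=True),
    Advisory("ADV-3", 7.2, INTERMEDIATE, enables_movement=True),
    Advisory("ADV-4", 9.1, ISOLATED, affects_control=True),
    Advisory("ADV-5", None, CORE_OT, affects_view=True, has_mitigation=False),
]

if __name__ == "__main__":
    print("CVSS-only order :", [a.ident for a in cvss_only(SAMPLE_ADVISORIES)])
    print("Triage order    :", [a.ident for a in prioritize(SAMPLE_ADVISORIES)])
    for a in prioritize(SAMPLE_ADVISORIES):
        bucket, reason = triage(a)
        flag = " [needs review: incomplete advisory data]" if needs_manual_review(a) else ""
        print(f"{a.ident:6} {bucket:5} cvss={a.cvss!s:4} {reason}{flag}")
```

Run as a script, the two orderings differ at the top: the CVSS-only list leads with the 9.8 controller vulnerability and the 9.1 on an isolated asset, while the triage order puts the exploited remote-access flaw and the movement-enabling engineering-workstation flaw first, which is the shift from severity to assets, access and impact the article describes. ADV-5 is carried with an explicit review flag because its advisory lacks both a usable score and mitigation guidance, so it should not be treated as resolved simply because it sorted last.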
The 2026 Dragos OT/ICS Cybersecurity Year in Review shows that while only a small fraction of vulnerabilities require immediate action, public scoring and advisory data are often incomplete or inaccurate, leading to misaligned priorities. Risk is concentrated in vulnerabilities that are exploited, accessible, and tied to high-leverage systems. Cyber threat intelligence is most effective when it connects these elements - adversary behavior, asset context, and operational impact - into a single view. That is the role of the Dragos Intelligence Fabric: bringing together telemetry, threat intelligence, vulnerability research, and incident response insights to help defenders move from awareness to action. Organizations that succeed will not be those that attempt to remediate everything. They will be those that consistently focus on the vulnerabilities that enable adversaries to reach and impact the systems that influence physical operations.
For a deeper look at the data, threat activity, and defensive priorities shaping industrial cybersecurity, download the Year In Review report today.