This report is organized in three sections. First, the different sources of ICS vulnerability information are summarized. Then the common ICS vulnerabilities are presented according to categories that describe a general problem observed in multiple ICS security assessments.
These three general categories are grouped by:
- 1. Vulnerabilities inherent in the ICS product.
- 2. Vulnerabilities caused during the installation, configuration, and maintenance of the ICS.
- 3. The lack of adequate protection because of poor network design or configuration.
Nonattributable ICS vulnerabilities are listed with the common vulnerability descriptions to aid in understanding the issues. General recommendations based on empirical knowledge gained through performing ICS security assessments are then grouped by software development recommendations for ICS vendors, ICS network configuration, and maintenance recommendations for ICS owners.