The vulnerability pipeline feeding ICS attackers is structurally optimized for breaking infrastructure, not stealing from it. In 2025, pure destruction vulnerabilities in ICS products outnumbered pure theft vulnerabilities 5:1.
That ratio matters because most organizations still price OT risk using the same models they built for IT: data breach probability, record counts, notification costs, regulatory fines. Those models assume the attacker wants your data. The ICS exploit pipeline says the attacker wants your availability.
At a Glance
- ICS vulnerabilities are structurally biased toward enabling physical disruption over data theft, at a 5:1 ratio in 2025 disclosures.
- 73.5% of ICS vendor CVEs carry High Availability or Integrity impact, versus 58.4% with High Confidentiality.
- The destruction bias widened sharply after 2019 and has exceeded 2:1 in six of the last seven years.
- State actors do not exploit ICS vulnerabilities for destruction directly. They exploit access-enabling flaws to reach control loops, then use legitimate protocol commands as weapons.
- Access-enabling vulnerabilities in the OT attack surface grew 6x between 2021-2022 and 2023-2024 in CISA's KEV catalog.
- Risk quantification frameworks calibrated for data breach systematically underprice OT exposure because they were never designed to model physical-consequence scenarios.
- Ransomware groups and state actors are converging on the same ICS devices through the same vulnerability pipeline simultaneously.
The Default Model Is Wrong
Walk into any board-level risk discussion about OT/ICS exposure and the framing is familiar. Potential data breach. Regulatory exposure. Notification liability. These are confidentiality metrics, borrowed wholesale from IT risk quantification. They made sense when the primary OT threat was an opportunistic ransomware gang encrypting a flat network and hoping someone paid.
That framing no longer matches the threat. Six distinct wiper campaigns hit ICS/OT environments in 2024-2025, more than any comparable period on record. Nation-state and hacktivist attacks with physical consequences doubled year-over-year according to the Waterfall/ICS STRIVE 2026 report. Volt Typhoon maintained five-year persistence inside U.S. energy, water, and transportation infrastructure with zero interest in exfiltrating data. The intent spectrum shifted from "pay me" to "break this when geopolitics demands it."
What the Vulnerability Data Shows
We analyzed 464 ICS vendor CVEs from the NVD (Siemens, Schneider Electric, and PLC-related products) by their CVSS v3.1 impact vectors. Each vulnerability scores Confidentiality, Integrity, and Availability impact independently. A vulnerability with High Availability but not High Confidentiality enables destruction without enabling theft. One with High Confidentiality but not High Availability enables espionage without enabling disruption.
The split is decisive. 73.5% of ICS CVEs carry High Availability or High Integrity impact, making them destruction-capable. Only 58.4% carry High Confidentiality. Among pure-category vulnerabilities (those scoring High in only one impact dimension), the gap widens sharply: 25.6% are pure destruction versus 10.6% pure theft. The remaining 63.8% are dual-use, scoring High across multiple categories. Even in that dual-use bucket, availability impact appears more frequently than confidentiality.
What this means operationally: for every ICS vulnerability that exclusively enables espionage, the pipeline delivers 2.4 that exclusively enable disruption. An attacker building a toolkit from publicly disclosed ICS flaws ends up with a destruction-heavy arsenal regardless of their original intent.
The temporal trend matters. From 2016-2018, the destruction:theft ratio hovered near parity (1.2:1 to 1.4:1). In 2019, the ratio spiked when zero pure-theft ICS CVEs appeared in the dataset. Since then, it has exceeded 2:1 in six of seven years. In 2023 it hit 6:1. In 2025, 5:1. The single exception was 2024 at 1.3:1, on a sample of just 17 CVEs. The structural bias is clear even if individual years fluctuate with small sample sizes.
77.8% of these vulnerabilities are network-exploitable. No physical access required. The destruction surface is remotely reachable.
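The impact-vector classification described above, together with the per-year destruction:theft ratio and the network-exploitable share, as an added Python example (not the article's own analysis code). It parses CVSS v3.1 vector strings, buckets each CVE as pure-destruction (High Availability or Integrity without High Confidentiality), pure-theft (High Confidentiality without High A or I) or dual-use, and handles the zero-pure-theft year the 2019 figure illustrates. The sample records, the vector-validation regex and the extra "no-high-impact" bucket are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records shaped like NVD output: (cve_id, year, CVSS v3.1
# vector). The IDs and vectors are made up for illustration, not real CVEs.
SAMPLE = [
    ("CVE-0000-0001", 2019, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
    ("CVE-0000-0002", 2019, "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"),
    ("CVE-0000-0003", 2019, "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-0000-0004", 2025, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),
    ("CVE-0000-0005", 2025, "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
    ("CVE-0000-0006", 2025, "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"),
]

VECTOR_RE = re.compile(r"^CVSS:3\.[01]/(?:[A-Z]+:[A-Z]/?)+$")

def parse_vector(vector: str) -> dict:
    """Split a CVSS v3.x vector string into {metric: value}; reject malformed input."""
    if not VECTOR_RE.match(vector):
        raise ValueError(f"not a CVSS v3.x vector: {vector}")
    return dict(part.split(":") for part in vector.split("/")[1:])

def classify(vector: str) -> str:
    """Bucket one CVE: destruction-capable = High A or High I; theft-capable = High C."""
    m = parse_vector(vector)
    destruction = m["A"] == "H" or m["I"] == "H"
    theft = m["C"] == "H"
    if destruction and theft:
        return "dual-use"
    if destruction:
        return "pure-destruction"
    if theft:
        return "pure-theft"
    return "no-high-impact"  # assumed extra bucket for Low/None-only impacts

def summarize(records) -> dict:
    """Per-year bucket counts with the destruction:theft ratio (inf when a year has
    no pure-theft CVEs, as in the 2019 case), plus the network-exploitable share."""
    by_year = defaultdict(Counter)
    network = 0
    for _cve_id, year, vec in records:
        by_year[year][classify(vec)] += 1
        network += parse_vector(vec)["AV"] == "N"  # AV:N = reachable over the network
    years = {}
    for year, counts in sorted(by_year.items()):
        theft = counts["pure-theft"]
        ratio = counts["pure-destruction"] / theft if theft else float("inf")
        years[year] = {"counts": dict(counts), "destruction_theft_ratio": ratio}
    return {"by_year": years,
            "network_exploitable_pct": round(100 * network / len(records), 1)}
```

Pointing `SAMPLE` at real NVD records (the `cvssMetricV31.cvssData.vectorString` field) reproduces the article's ratio table; a year whose ratio comes back as `inf` is the 2019 situation, not a bug.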
The Mechanism: Keys, Not Bombs
State actors targeting ICS do not need buffer overflow exploits to destroy equipment. ELECTRUM (the GRU-linked group Mandiant tracks as Sandworm) used living-off-the-land scripts against a Ukrainian substation in October 2022, leveraging native MicroSCADA functionality rather than introducing custom malware. They sent a valid SCIL command to trip circuit breakers. KAMACITE spent 2025 scanning U.S. HMIs, variable frequency drives, and metering modules to identify what operational conditions would trigger process shutdowns. The destruction in each case came from legitimate protocol commands, not from exploitation of a vulnerability in the target device itself.
The vulnerability is the door. The weapon is already installed on the PLC.
What they need is access. Authentication bypass. Credential theft. Session hijacking. The vulnerabilities that get them from the corporate network to the control loop. In CISA's KEV catalog, access-enabling CWEs (improper authentication, missing authorization, hardcoded credentials) grew from 3.4% of OT-surface additions in 2021-2022 to 22.2% in 2023-2024. A 6x increase in weaponized door-openers.
The pattern: the vulnerability pipeline supplies the keys. The destruction is protocol-native. An attacker who can authenticate to a PLC can issue a shutdown command. That command is not an exploit. It is the system working as designed, for an operator who was never supposed to be there.
What This Means for Risk Registers
If your OT risk model quantifies exposure through confidentiality impact, you are measuring the wrong thing by a factor of five. The scenario is not "attacker exfiltrates 100,000 records from a historian server." The scenario is "attacker authenticates to a safety controller and disables high-pressure interlock during peak load."
The first scenario maps to breach notification costs: $150 per record, regulatory fine, reputational hit. Unpleasant but bounded. The second maps to equipment destruction, environmental release, production shutdown measured in weeks, potential safety incidents with unbounded liability. These are categorically different loss magnitudes.
Board metrics that report "potential records exposed" for OT environments are measuring one dimension of a three-dimensional problem. Only 10.6% of ICS CVEs exclusively enable data theft. Another 41.6% have no High Confidentiality impact at all. The majority of the ICS vulnerability surface has a destruction component that a data-breach calculator will never price.
The mismatch runs deeper than metrics. Risk quantification frameworks like FAIR model loss in terms of data records and response costs. Those inputs produce outputs calibrated for theft. Apply them to an OT environment where the primary threat is physical disruption and the model generates comfortably low numbers, because the model was never designed to price a turbine overspeed event or a chlorine dosing failure at a water plant.
Risk registers need three changes. Weight ICS vulnerabilities by availability and integrity impact, not confidentiality. Model loss scenarios around physical consequence: production days lost, equipment replacement cost, safety incident probability. Benchmark against the actual exploitation pipeline, which CISA's KEV catalog now shows is overwhelmingly focused on access-enabling and destruction-enabling flaws rather than data exfiltration.
What Comes Next
Waterfall Security expects ransomware to resume 30-60% annual growth in 2026-2027 after a temporary lull caused by law enforcement disruption and ecosystem churn. Those ransomware operators will hit the same PLCs and HMIs where state actors have already pre-positioned. 119 ransomware groups targeted industrial organizations in 2025, up 49% from 80 groups the prior year. That number is growing into an environment where KAMACITE and VOLTZITE already mapped the control loops.
Both destruction-motivated and extortion-motivated adversaries will target the same devices, through the same vulnerability pipeline, at record volumes simultaneously. The organizations that priced OT risk for data breach are running the wrong playbook for both threats.
Sources
- CISA Known Exploited Vulnerabilities Catalog (1,623 entries, queried 2026-06-19)
- NVD API 2.0 (464 ICS vendor CVEs analyzed for CVSS v3.1 impact vectors)
- Forescout: ICS Cybersecurity in 2026 - Vulnerabilities and Path Forward
- CISA Advisory: PRC State-Sponsored Actors Compromise U.S. Critical Infrastructure