OT Vulnerability Management: Which Risks Actually Matter?

ID: 340df637-c733-5619-b301-5fd09fe8d975

STIX ID: report--340df637-c733-5619-b301-5fd09fe8d975

Feed Name: Dragos Blog

Threat Score
70/100

Date Published: 2026-04-21

Date Updated: 2026-04-27

The Dragos 2026 OT/ICS Year in Review argues that industrial vulnerability management must prioritize exposures tied to observed adversary activity and to high-leverage systems, rather than CVSS severity alone. According to the report, only a small fraction of CVEs require immediate action (3% rated "NOW"), and only about 4% are observed exploited in the wild, yet those exploited vulnerabilities account for a disproportionate share of operational risk. Public advisories and CVSS scores are often incomplete or inaccurate (15% carry an incorrect CVSS score; 25% lack guidance), and risk concentrates where vulnerabilities are reachable and affect systems that provide visibility or control: engineering workstations, SCADA and control servers, virtualization infrastructure, and remote access.