The following is a list that gives some insight into platform vulnerabilities:

• OS and vendor software patches may not be developed until after security vulnerabilities are found
• OS and application security patches are not maintained
• OS and application security patches are implemented without exhaustive testing
• Critical configurations are not stored or backed up
• Inadequate authentication and authorization, inadequate testing of security changes
• Inadequate physical protection (location, unauthorized access) for critical systems
• Insecure remote access on ICS components
• Lack of redundancy for critical components