Over half of the 415 vulnerabilities found in industrial control systems (ICS) were assigned CVSS v.3.0 base scores over 7 which are designated to security issues of high or critical risk levels, with 20% of vulnerable ICS devices being impacted by critical security issues. The highest number of ICS vulnerabilities were found in engineering software (143), SCADA/HMI components (81), networking devices designed for industrial environments (66), PLCs (47) The internet (26.1%), removable media (8.3%), and email (4.9%) were the main threat vectors for computers part of industrial infrastructure networks.
Source: https://www.bleepingcomputer.com/news/security/20-percent-of-industrial-control-systems-affected-by-critical-vulnerabilities/