Too few vulnerabilities in industrial control systems (ICS) are assigned CVEs because of client non-disclosure agreements. This results in repeatedly discovering the same vulnerabilities for different clients, especially in critical infrastructure. Don C. Weber from IOActive shares his experiences as an ICS security professional and suggests improvements, including following the SANS best practices for ICS security..