The Scale is Frightening

Vulnerabilities are Ubiquitous
- There are thousands of vendors with tens of thousands of products, each of which can have design flaws and vulnerabilities.
- Many products use underlying resources (such as Linux, Windows, an RTOS, SQL, FTP, HTTP), each of which has its own set of vulnerabilities.

Vulnerabilities are Known to the Public, and Hence to Attackers
- Vendors often identify them when they issue revision notices for new versions.
- Agencies, universities, corporations and individuals research and monitor them.
- On the dark web, hackers exchange and sell information.

Vulnerabilities are Unlikely to be Resolved
Because software / firmware updates are almost certainly not going to be installed (even if they are available):
- The vulnerability needs to be identified, which may require precise version and product information about the installed devices.
- The solution needs to be identified. A risk assessment is required: could the update affect normal operation because the product feature set has changed and it no longer operates exactly the same way?
- The firmware needs to be updated.
- By the time the vulnerabilities have been identified, the 'project' that installed the equipment has been completed and the engineers have left site, leaving a complex task to janitorial or facilities staff who are not specialists.
- The manufacturer may not be able to resolve the issue, may not be willing to, and may not even be in business any more.

By Way of Example
The US Department of Homeland Security monitors the important issue of the vulnerability of various industrial control systems. They maintain lists with details, and in providing information on how to resolve an issue they 1) highlight how much pain would be involved in visiting potentially 100,000s of devices to update them, and 2) provide additional information on how to attack the vulnerability. The list is far from complete and OEM reporting is not mandatory.
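The identification step above (matching precise product and version information from an installed base against published advisories, including the case where no fix exists) as an added example; this is not code from the original page, and the advisory entries, inventory records and status names are constructed for illustration.

```python
# Added example (constructed data): triage a device inventory against
# vendor advisories to find what needs patching and what cannot be fixed.

def parse_version(v):
    """Turn '2.3.10' into (2, 3, 10) so versions compare numerically,
    not as strings (where '1.10' would sort before '1.9')."""
    return tuple(int(part) for part in v.split("."))

def version_in_range(version, first_affected, first_fixed):
    """True if version is in [first_affected, first_fixed).
    first_fixed None means the vendor has not issued a fix."""
    ver = parse_version(version)
    if ver < parse_version(first_affected):
        return False
    return first_fixed is None or ver < parse_version(first_fixed)

# Constructed advisories (vendor, product and versions are hypothetical).
ADVISORIES = [
    {"vendor": "ExampleCo", "product": "PLC-100",
     "first_affected": "1.0.0", "first_fixed": "1.4.2"},
    {"vendor": "ExampleCo", "product": "HMI-7",
     "first_affected": "3.0.0", "first_fixed": None},
]

# Constructed inventory as facilities staff might keep it; one record has
# no recorded version, which is the common real-world gap.
INVENTORY = [
    {"id": "plc-lobby", "vendor": "ExampleCo", "product": "PLC-100", "version": "1.2.9"},
    {"id": "plc-roof", "vendor": "ExampleCo", "product": "PLC-100", "version": "1.4.2"},
    {"id": "hmi-boiler", "vendor": "ExampleCo", "product": "HMI-7", "version": "3.1.0"},
    {"id": "plc-dock", "vendor": "ExampleCo", "product": "PLC-100", "version": None},
]

def triage(inventory, advisories):
    """Return {device_id: status}; status is 'patch_available', 'no_fix'
    (affected, vendor has no fix) or 'unknown_version' (product matches an
    advisory but the version must be collected before deciding).
    Devices that match no advisory, or run a fixed version, are omitted."""
    result = {}
    for dev in inventory:
        for adv in advisories:
            if (dev["vendor"], dev["product"]) != (adv["vendor"], adv["product"]):
                continue
            if dev["version"] is None:
                result[dev["id"]] = "unknown_version"
            elif version_in_range(dev["version"], adv["first_affected"], adv["first_fixed"]):
                result[dev["id"]] = "no_fix" if adv["first_fixed"] is None else "patch_available"
    return result

if __name__ == "__main__":
    for dev_id, status in triage(INVENTORY, ADVISORIES).items():
        print(dev_id, status)
```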