SCADA Systems

In a nutshell, SCADA systems are industrial control systems (ICS) that specifically provide supervisory-level control over machinery and/or industrial processes that span a wide geographical area (such as energy distribution plants). SCADA systems contain Supervisory Computers as well as many other devices, chief of which are Programmable Logic Controllers (PLCs) and Remote Transmission Units (RTUs). Both PLCs and RTUs participate in the local management of more specific sub-processes. PLCs have sensors and actuators that receive commands from and send information to other components of the SCADA system. PLCs, RTUs, and other sensors connected to SCADA systems collect data that help plant supervisors make critical decisions based on real-time information. Supervisors need only look at the Human Machine Interfaces (HMIs), where the different functions and data elements of SCADA systems are presented for human review and control. As can be surmised from their functions, SCADA systems are versatile and can be found in all kinds of industrial settings and infrastructures.

Looking into the vulnerabilities that made up the count from each year gives a general idea of where weaknesses can be found when it comes to SCADA systems. In 2015, vulnerabilities were found in Schneider Electric’s ProClima software, which is designed to help in the thermal management of an environment. By tricking a target user into opening a malicious file or visiting a malicious URL, threat actors can execute arbitrary code on the system. 2016 saw a spike in discovered vulnerabilities, most of which came from the vendor Advantech. Its WebAccess SCADA software had 109 discovered vulnerabilities during this year. One example is the inadequate validation found in one of its components, which could lead to threat actors executing arbitrary code. The slight decrease in 2017 was followed by a jump in 2018. A large portion of this count was from WebAccess and Wecon’s LeviStudioU, an HMI software. Delta Industrial Automation and Omron were also among the vendors that had newly discovered vulnerabilities in 2018. For the former, most of the vulnerabilities were from DOPSoft, while for the latter it was CX-Supervisor. Both are HMI software packages. In 2019, many of the same vendors had vulnerabilities reported in their SCADA software. As in the previous year, WebAccess and LeviStudioU recorded the most vulnerabilities. The two are followed by Delta Industrial Automation, with its CNCSoft ScreenEditor software accounting for most of its new vulnerabilities.

Even within the limits of the data set, the varied source and nature of these discoveries seem to imply that a wide range of vulnerabilities still exists across the vendors in the market. It should be noted that SCADA system vulnerabilities still frequently include unsophisticated bugs like stack and buffer overflows, as well as information disclosure and others. These vulnerabilities allow attackers to execute arbitrary code (RCE), perform denial of service (DoS), or steal information.

Rooting out where vulnerabilities can exist in SCADA systems can help integrators understand how and where to apply mitigations to prevent exploitation and neutralize attacks. Unfortunately, SCADA systems oversee a large number of devices, sensors, and software, which equates to a wider attack surface. HMIs display data from various sensors and machines connected to a SCADA system to help users make decisions that they can also implement using the same interface. Because of their capabilities and role in SCADA systems, HMIs can be an ideal target for potential threat actors aiming to gain control over processes or steal critical information.
