The applicability of CISA’s Known Exploited Vulnerabilities Catalog (KEVC) to operational technology (OT) environments—particularly where patching is infeasible—remains unassessed, leaving critical infrastructure operators without validated mitigation guidance. Method: We conduct a systematic empirical study integrating vulnerability feature analysis, exploit feasibility assessment, and vendor-provided mitigation categorization, grounded in industrial control system security practices. Contribution/Results: We find that only 13% of KEVC entries include OT-applicable, non-patch-based mitigations—a previously undocumented gap. To address this, we propose and empirically validate a method for automatically generating technical workarounds from vulnerability characteristics (e.g., attack vectors, impacted components, configuration dependencies). Our approach demonstrates initial efficacy in producing actionable, OT-contextualized mitigations. This work establishes the first rigorous evaluation of KEVC’s OT relevance and delivers a practical, automation-ready framework for generating deployable vulnerability mitigations in patch-constrained critical infrastructure environments.

We examine the state of publicly available information about known exploitable vulnerabilities applicable to operational technology (OT) environments. Specifically, we analyze the Known Exploitable Vulnerabilities Catalog (KEVC) maintained by the US Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to assess whether currently available data is sufficient for effective and reliable remediation in OT settings. Our team analyzed all KEVC entries through July 2025 to determine the extent to which OT environments can rely on existing remediation recommendations. We found that although most entries in the KEVC could affect OT environments, only 13% include vendor workarounds or mitigations as alternatives to patching. This paper also examines the feasibility of developing such alternatives based on vulnerability and exploit characteristics, and we present early evidence of success with this approach.