ICSs are designed for performance and safety, not security. The recent Siemens Programmable Logic Controller (PLC) and VxWorks (real time operating system for ICS field devices) vulnerability disclosures lay bare significant security gaps in ICSs. Moreover, the differences between IT and ICSs led to the conflicting recommendations on the Siemens PLC vulnerability by Microsoft and Siemens. The Siemens and VxWorks vulnerabilities coupled with the Hatch Nuclear Plant cyber incident demonstrate we are still learning what is unique about ICS cyber security.