Where current and emerging technology trends meet.
TecTrends | Information Sources, Inc.
Article

Title: Uncovering Cyber Flaws

Author: Byres, Eric; Franz, Matthew
Article Type: Product Analysis
Source: InTech, v53 n1 p20(5)
Publication Date: Jan 2006
ISSN: 0192-303X
Illustrations: Charts
URL of Publication: http://www.isa.org

The article discusses the work and tools required to find security and safety vulnerabilities in processes and to break a negative chain of events. A vulnerability is a flaw or weak spot in a system's design, implementation, operation, or management that can be exploited. In software, such flaws allow hackers, viruses, and worms to proliferate apace. However, flaws are also widely found in computer hardware, including industrial controllers. Many vulnerabilities in the industrial world result from security glitches instead of software bugs or omissions, and companies should classify flaws according to how or where they enter a product's life cycle, whether at the product design, implementation, configuration, or other stage. It is now possible for malware to change or delete a human-machine interface (HMI) application, OPC server, or data historian. Vulnerabilities have to be dealt with in just about all microprocessor-based systems; not all are exploitable, but research shows that about 8% of bugs can be exploited. Technical weaknesses can generally be classified as inherent protocol, product design, implementation, or misconfiguration vulnerabilities. For instance, most wireless systems are insecure at deployment because users do not know how to configure them properly. Vendors are often blamed for vulnerabilities, but end users, consultants, integrators, vendors, and standards bodies all have a part. Standards bodies therefore have to begin to define security as part of any standard, including defining appropriate security features in new or revised protocol specifications (based on formal threat analysis) and defining appropriate external countermeasures when robust security features are not available in the older specifications. The article provides a list of flaw-finding tools that includes, among others, binary analysis, threat modeling, and application and device profiling.

Special Features: Charts

Products:
Vulnerability Scanners

Copyright 2004-2008 Information Sources Inc.
 

