Exploits have also been released for these vulnerabilities, all of which have been patched.
The TIA Portal flaw allowed an attacker to remotely force a malicious firmware update and execute code, modify user permissions or change application proxy settings.
Tenable's Joseph Bingham said in a blog post that these vulnerabilities in what were top-tier software systems indicated a lack of security standards in modern SCADA software.
While two flaws found in Fuji Electric's TELLUS and V-Server were rated medium, Tenable found six vulnerabilities in Schneider Electric's Indusoft Web Studio all of which were rated critical and exploitable remotely.
Five flaws were found in Schneider's Modicum Quantum PLC, two of which were rated critical, and three critical vulnerabilities were also discovered in Rockwell Automation RS Linx, all of which were susceptible to remote attack.
Bingham also outlined the way an attack could be staged on a nuclear plant, pointing out that Stuxnet virus, a joint US-Israeli effort to sabotage Iran's nuclear weapons program, needed only three new vulnerabilities to spread through an isolated network and damage centrifuges.
"Vulnerabilities are easy to find in ICS software and hardware and come with a heavy cost to systems that rely on the stability and security of these solutions," he said.
"Mitigation efforts and barriers to malicious actors can always be overcome with enough time or money."
And, he added, "All critical infrastructure is vulnerable under the right circumstances. If your organisation utilises hard or soft targets with operational technology, take the necessary precautions and keep vendors accountable for security flaws."