
Imagine if every time you were sick, all your doctor did was tell you to take some medicine.

That's it. No prescription, no details on what to take, when to take it, where to get it, if you can even take it, just, "take medicine." That'd be completely useless information.

This is essentially what the industrial control vulnerability advisories have been like over the last year, according to a new report by Dragos. The cybersecurity company focuses on critical infrastructure, which includes everything from power plants to factories to water supplies.

Government officials are increasingly concerned about the cybersecurity of critical infrastructure. Past attacks have shown that attackers can get access to power grids and factories, with Russian hackers causing a blackout in Ukraine in 2016. During 2017, Dragos looked at 163 vulnerability advisories, most of which offered no real solutions.

More than 60 percent of vulnerability warnings said critical infrastructure could get hijacked, while 71 percent of reported vulnerabilities in 2017 could disrupt a person's ability to monitor systems, according to the report.

In these warnings, up to 72 percent of the advisories told IT teams only to patch their systems. Except "patch your system" means nothing for 64 percent of critical infrastructure, according to the report.

That's because those systems were insecure to begin with, so a security patch would be like putting a band-aid on a broken leg. Advising to patch systems is great advice for the average person, who only needs to update their phones or their laptops. It's different for factories, which are running nonstop for 24 hours a day, Reid Wightman, Dragos' senior vulnerability analyst, said.

While you can afford to have your phone off for 10 minutes while it applies the security patch, factories and power plants don't have that luxury. There are usually only one or two opportunities a year for critical infrastructure to be able to shut down and get updates, Wightman said.

That means even if they are able to get the update, by the time it's installed, it could be too late. The advisories have also urged factories to "use secure networks," but the Dragos report noted that this advice isn't helpful either, as it doesn't specify which network exploits to watch for or how to apply it usefully.

These gaps in security advisories don't mean there's going to be a cyberattack causing a blackout the next day, but they certainly don't help prevent one, either. Critical infrastructure operators are getting warnings without any proper measures to fix the problems, and that leaves opportunities open for attackers.

"[Operators] can take the advisory and think, 'oh, we can't really do anything about it,'" Wightman said. "They're vulnerable, with no ability to mitigate these risks."

Wightman recommends that advisories give out alternative options to lower risks if critical infrastructure operators can't patch immediately.