CWE VIEW: Weaknesses in SEI ETF Categories of Security Vulnerabilities in ICS
CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses at varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base-level weaknesses present a more specific type of weakness. A variant is a weakness described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability, while a composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.
1358 - Weaknesses in SEI ETF Categories of Security Vulnerabilities in ICS
Paths below are given relative to view 1358; the text in parentheses is the entry's CWE name, and entries marked [super category] or [category] are grouping entries rather than weaknesses. Each super category and category corresponds to the same-named category of the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Category members combine the report's "Nearest IT Neighbor" recommendations with suggestions by the CWE team, and these relationships are likely to change in future CWE versions. Categories shown without children had no members at the time of this view.

1359 (ICS Communications) [super category]
1359 > 1364 (ICS Communications: Zone Boundary Failures) [category]
1359 > 1364 > 669 (Incorrect Resource Transfer Between Spheres): The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
1359 > 1364 > 754 (Improper Check for Unusual or Exceptional Conditions): The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day-to-day operation of the software.
1359 > 1364 > 668 (Exposure of Resource to Wrong Sphere): The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1359 > 1365 (ICS Communications: Unreliability) [category]
1359 > 1365 > 1384 (Improper Handling of Extreme Physical Environment Conditions): The product does not properly detect and handle extreme conditions in the product's physical environment, such as temperature, radiation, humidity, power, or other physical phenomena.
1359 > 1366 (ICS Communications: Frail Security in Protocols) [category]
1359 > 1366 > 327 (Use of a Broken or Risky Cryptographic Algorithm): The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
1359 > 1366 > 358 (Improperly Implemented Security Check for Standard): The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.

1360 (ICS Dependencies (& Architecture)) [super category]
1360 > 1367 (ICS Dependencies (& Architecture): External Physical Systems) [category]
1360 > 1367 > 1357 (Reliance on Uncontrolled Component): The product's design or architecture is built from multiple separate components, but one or more components are not under complete control of the developer, such as a third-party software library or a physical component that is built by an original equipment manufacturer (OEM).
1360 > 1367 > 1338 (Improper Protections Against Hardware Overheating): A hardware device is missing or has inadequate protection features to prevent overheating.
1360 > 1368 (ICS Dependencies (& Architecture): External Digital Systems) [category]
1360 > 1368 > 610 (Externally Controlled Reference to a Resource in Another Sphere): The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
1360 > 1368 > 1357 (Reliance on Uncontrolled Component): same entry as 1360 > 1367 > 1357.

1361 (ICS Supply Chain) [super category]
1361 > 1369 (ICS Supply Chain: IT/OT Convergence/Expansion) [category]
1361 > 1369 > 636 (Not Failing Securely ('Failing Open')): When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. Alternate term: Failing Open.
1361 > 1370 (ICS Supply Chain: Common Mode Frailties) [category]
1361 > 1370 > 329 (Generation of Predictable IV with CBC Mode): The product generates and uses a predictable initialization vector (IV) with Cipher Block Chaining (CBC) mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.
1361 > 1370 > 1357 (Reliance on Uncontrolled Component): same entry as 1360 > 1367 > 1357.
1361 > 1371 (ICS Supply Chain: Poorly Documented or Undocumented Features) [category]
1361 > 1371 > 912 (Hidden Functionality): The software contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the software's users or administrators.
1361 > 1371 > 1059 (Insufficient Technical Documentation): The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.
1361 > 1371 > 1242 (Inclusion of Undocumented Features or Chicken Bits): The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.
1361 > 1372 (ICS Supply Chain: OT Counterfeit and Malicious Corruption) [category]
1361 > 1372 > 1278 (Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques): Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy.
1361 > 1372 > 1198 (Privilege Separation and Access Control Issues) [category]: Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.
1361 > 1372 > 1231 (Improper Prevention of Lock Bit Modification): The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set.
1361 > 1372 > 1233 (Security-Sensitive Hardware Controls with Missing Lock Bit Protection): The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration.

1362 (ICS Engineering (Constructions/Deployment)) [super category]
1362 > 1373 (ICS Engineering (Construction/Deployment): Trust Model Problems) [category]
1362 > 1373 > 269 (Improper Privilege Management): The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
1362 > 1373 > 807 (Reliance on Untrusted Inputs in a Security Decision): The application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
1362 > 1373 > 349 (Acceptance of Extraneous Untrusted Data With Trusted Data): The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
1362 > 1374 (ICS Engineering (Construction/Deployment): Maker Breaker Blindness) [category; no members listed]
1362 > 1375 (ICS Engineering (Construction/Deployment): Gaps in Details/Data) [category; no members listed]
1362 > 1376 (ICS Engineering (Construction/Deployment): Security Gaps in Commissioning) [category]
1362 > 1376 > 276 (Incorrect Default Permissions): During installation, installed file permissions are set to allow anyone to modify those files.
1362 > 1376 > 362 (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')): The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
1362 > 1377 (ICS Engineering (Construction/Deployment): Inherent Predictability in Design) [category]
1362 > 1377 > 1278 (Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques): same entry as 1361 > 1372 > 1278.

1363 (ICS Operations (& Maintenance)) [super category]
1363 > 1378 (ICS Operations (& Maintenance): Gaps in obligations and training) [category; no members listed]
1363 > 1379 (ICS Operations (& Maintenance): Human factors in ICS environments) [category]
1363 > 1379 > 655 (Insufficient Psychological Acceptability): The software has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.
1363 > 1379 > 451 (User Interface (UI) Misrepresentation of Critical Information): The user interface (UI) does not properly represent critical information to the user, allowing the information, or its source, to be obscured or spoofed. This is often a component in phishing attacks.
1363 > 1380 (ICS Operations (& Maintenance): Post-analysis changes) [category; no members listed]
1363 > 1381 (ICS Operations (& Maintenance): Exploitable Standard Operational Procedures) [category; no members listed]
1363 > 1382 (ICS Operations (& Maintenance): Emerging Energy Technologies) [category]
1363 > 1382 > 406 (Insufficient Control of Network Message Volume (Network Amplification)): The software does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the software to transmit more traffic than should be allowed for that actor.
1363 > 1382 > 285 (Improper Authorization): The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. Alternate term: AuthZ.
1363 > 1382 > 295 (Improper Certificate Validation): The software does not validate, or incorrectly validates, a certificate.
1363 > 1382 > 20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
1363 > 1382 > 601 (URL Redirection to Untrusted Site ('Open Redirect')): A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. This simplifies phishing attacks. Alternate terms: Open Redirect, Cross-site Redirect, Cross-domain Redirect.
1363 > 1382 > 346 (Origin Validation Error): The software does not properly verify that the source of data or communication is valid.
1363 > 1382 > 296 (Improper Following of a Certificate's Chain of Trust): The software does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
1363 > 1383 (ICS Operations (& Maintenance): Compliance/Conformance with Regulatory Requirements) [category]
1363 > 1383 > 710 (Improper Adherence to Coding Standards): The software does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

Maintenance note: This view was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS. It is under active development. In future versions, new weaknesses will be added based on input from the CWE-CAPEC ICS/OT Special Interest Group (SIG). However, there may be some issues that are outside of the current scope of CWE, which will require consultation with many CWE stakeholders to resolve.
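Category 1370 (Common Mode Frailties) places CWE-329 in this view, and 1366 (Frail Security in Protocols) places CWE-327 beside it; a constant IV compiled into a firmware image is a textbook common-mode frailty because every fielded unit shares it. The following is an added example written for this page, not code from the CWE corpus or the SEI ETF report, showing what a predictable CBC IV gives away to a passive observer on the control network. The 64-bit Feistel "cipher", the command strings, the device roles and the message layout are all constructed for the example; the cipher is a stand-in built on HMAC-SHA256 so that the script runs with the standard library only, and the IV behaviour it demonstrates is identical with AES-CBC.

```python
# Added example (not from the CWE page or the SEI ETF report): why a constant
# IV makes CBC mode leak plaintext structure (CWE-329). The 64-bit Feistel
# "cipher" below is a constructed stand-in built on HMAC-SHA256 so the script
# runs offline with the standard library; it is not a real cipher and must not
# be used for anything but this demonstration. The mode logic, and the IV
# mistake, are the same with AES-CBC. All message contents are made up.
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

BLOCK = 8      # toy block size in bytes: two 4-byte Feistel halves
ROUNDS = 8

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    """Feistel round function: keyed PRF truncated to one half-block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):      # undo the rounds in reverse
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def _pad(data: bytes) -> bytes:              # PKCS#7 padding
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: C[i] = E(P[i] xor C[i-1]), with C[-1] = IV."""
    prev, out = iv, b""
    padded = _pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    return _unpad(out)

FIXED_IV = bytes(BLOCK)   # CWE-329: the same IV for every message

def encrypt_fixed_iv(key: bytes, msg: bytes) -> bytes:
    """Vulnerable: with a constant IV, two messages sharing their first BLOCK
    bytes of plaintext share their first ciphertext block under the same key,
    so an observer can recognise a repeated command without the key."""
    return FIXED_IV + cbc_encrypt(key, FIXED_IV, msg)

def encrypt_random_iv(key: bytes, msg: bytes) -> bytes:
    """Corrected: a fresh unpredictable IV per message, sent in the clear."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, msg)

def decrypt(key: bytes, wire: bytes) -> bytes:
    return cbc_decrypt(key, wire[:BLOCK], wire[BLOCK:])

def attacker_lookup(wire: bytes, dictionary: Dict[bytes, str]) -> Optional[str]:
    """Passive attacker without the key: matches the first ciphertext block of
    a capture against first blocks of earlier captures whose meaning was
    learned out of band (e.g. a breaker visibly opened after that message)."""
    return dictionary.get(wire[BLOCK:2 * BLOCK])

def demo(encrypt: Callable[[bytes, bytes], bytes]) -> Optional[str]:
    key = os.urandom(16)                          # never seen by the attacker
    # Constructed sample traffic from an HMI to a controller.
    known = encrypt(key, b"OPEN_BRK 07 ack")      # attacker learned this one
    dictionary = {known[BLOCK:2 * BLOCK]: "OPEN_BRK"}
    later = encrypt(key, b"OPEN_BRK 07 now")      # same 8-byte command prefix
    return attacker_lookup(later, dictionary)

if __name__ == "__main__":
    print("fixed IV :", demo(encrypt_fixed_iv))   # OPEN_BRK
    print("random IV:", demo(encrypt_random_iv))  # None
```

Run it and the fixed-IV variant identifies the second command from its first ciphertext block alone, while the random-IV variant yields nothing; with a dictionary of every command the protocol can carry, the fixed-IV stream is effectively a codebook. Two caveats a practitioner should keep in mind: a random IV fixes CWE-329 but CBC still offers no integrity, so a real protocol needs an AEAD mode (AES-GCM) or encrypt-then-MAC; and the Feistel construction here is only a demonstration vehicle, not a cipher to deploy.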
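Categories 1373 (Trust Model Problems, with CWE-807 and CWE-269) and 1382 (with CWE-346 and CWE-285) describe the same engineering mistake from two sides: a security decision that keys off a field the peer supplies, with no check of where the message actually came from. The following added example, written for this page and not taken from the CWE corpus or the SEI ETF report, shows a command handler for a constructed controller write protocol in both forms. The device identifiers, per-device keys, command names, the `device|seq|command|args|tag` layout and the role table are all assumptions made for the example.

```python
# Added example (not from the CWE page or the SEI ETF report): a command
# handler for a constructed controller write protocol, first trusting a
# caller-supplied role (CWE-807, CWE-346, CWE-285), then corrected so that
# origin is verified before any decision and the role is looked up on the
# server side for the authenticated sender. Device IDs, keys, commands and
# the message layout are all assumptions made for this example.
import hashlib
import hmac
from typing import Dict

# Assumed per-device secrets provisioned at commissioning (constructed values).
DEVICE_KEYS: Dict[str, bytes] = {
    "hmi-01": b"\x11" * 32,
    "eng-ws-02": b"\x22" * 32,
}
# Trust model kept on the server: a role is a property of the authenticated
# sender, never a field the sender fills in.
ROLES = {"hmi-01": "operator", "eng-ws-02": "engineer"}
ALLOWED = {
    "operator": {"READ", "SETPOINT"},
    "engineer": {"READ", "SETPOINT", "DOWNLOAD_LOGIC"},
}

def handle_insecure(msg: bytes) -> bool:
    """Vulnerable: 'sender|role|command|args' with no authentication.
    Sender and role are both attacker-controlled (CWE-807 via CWE-346),
    so any host on the control network can claim the engineer role."""
    _sender, role, command, _args = msg.decode().split("|", 3)
    return command in ALLOWED.get(role, set())

def sign(device_id: str, seq: int, command: str, args: str) -> bytes:
    """Client side: 'device|seq|command|args|tag', tag = HMAC-SHA256 over
    everything before it, keyed with the device's provisioned secret."""
    body = "|".join([device_id, str(seq), command, args]).encode()
    tag = hmac.new(DEVICE_KEYS[device_id], body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()

def handle_secure(msg: bytes, last_seq: Dict[str, int]) -> bool:
    """Corrected: parse strictly, verify origin, reject replays, then
    authorize using the server-side role of the verified sender."""
    body, _, tag = msg.rpartition(b"|")
    try:
        device_id, seq_s, command, _args = body.decode().split("|", 3)
        seq = int(seq_s)
    except ValueError:
        return False                     # malformed message
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False                     # unknown origin
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return False                     # forged or tampered (CWE-346)
    if seq <= last_seq.get(device_id, -1):
        return False                     # replayed
    last_seq[device_id] = seq
    return command in ALLOWED.get(ROLES.get(device_id, ""), set())

def scenario() -> Dict[str, bool]:
    """Constructed traffic: a legitimate operator setpoint, a forged privilege
    claim, a tampered copy of the legitimate message, a replay, and an
    authenticated but unauthorized command. Every value is True when the
    handlers behave as described."""
    seqs: Dict[str, int] = {}
    legit = sign("hmi-01", 1, "SETPOINT", "addr=40001,value=100")
    forged = b"hmi-01|engineer|DOWNLOAD_LOGIC|image=evil.bin"
    tampered = legit.replace(b"value=100", b"value=999")
    return {
        "insecure_accepts_forged_role": handle_insecure(forged),
        "secure_rejects_forged_role": not handle_secure(forged, seqs),
        "secure_accepts_legit": handle_secure(legit, seqs),
        "secure_rejects_replay": not handle_secure(legit, seqs),
        "secure_rejects_tampered": not handle_secure(tampered, seqs),
        "operator_cannot_download_logic": not handle_secure(
            sign("hmi-01", 2, "DOWNLOAD_LOGIC", "image=x.bin"), seqs),
    }

if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:32s} {ok}")
```

The order of checks in `handle_secure` is the point: nothing in the message influences a decision until its origin has been verified, and the privilege that is then consulted lives on the server, so a compromised HMI can at most do what an operator may do. In a real deployment the sequence counter must survive reboots (or be replaced by a server-issued nonce) and symmetric keys let the server forge messages too, so per-device signatures are preferable where non-repudiation matters.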
Use of the Common Weakness Enumeration (CWE) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2022, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.