CWE CATEGORY: ICS Operations (& Maintenance): Gaps in obligations and training
Weaknesses in this category are related to the "Gaps in obligations and training" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "OT ownership and responsibility for identifying and mitigating vulnerabilities are not clearly defined or communicated within an organization, leaving environments unpatched, exploitable, and with a broader attack surface." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Relationships in this category are not authoritative and subject to change. See Maintenance notes.
This category might be subject to CWE Scope Exclusion SCOPE.HUMANPROC (Human/organizational process).
This category was created in CWE 4.7 to facilitate and illuminate discussion about weaknesses in ICS with [REF-1248] as a starting point. After the release of CWE 4.9 in October 2022, this has been under active review by members of the "Boosting CWE" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG). Subgroup members did not find any CWEs to add to this category in CWE 4.11. There may be some gaps with respect to CWE's current scope, which will require consultation with many CWE stakeholders to resolve.