2021 CWE Most Important Hardware Weaknesses
The 2021 CWE™ Most Important Hardware Weaknesses is the first of its kind and the result of collaboration within the Hardware CWE Special Interest Group (SIG), a community forum for individuals representing organizations within hardware design, manufacturing, research, and security domains, as well as academia and government.
The goals for the 2021 Hardware List are to drive awareness of common hardware weaknesses through CWE, and to prevent hardware security issues at the source by educating designers and programmers on how to eliminate important mistakes early in the product development lifecycle. Security analysts and test engineers can use the list in preparing plans for security testing and evaluation. Hardware consumers could use the list to help them ask for more secure hardware products from their suppliers. Finally, managers and CIOs can use the list as a measuring stick of progress in their efforts to secure their hardware and ascertain where to direct resources to develop security tools or automation processes that mitigate a wide class of vulnerabilities by eliminating the underlying root cause.
MITRE maintains the CWE web site with the support of the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), presenting detailed descriptions of the 2021 Hardware List weaknesses along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 900 programming, design, and architecture weaknesses that can lead to exploitable vulnerabilities. MITRE also publishes the CWE Top-25 Most Dangerous Software Weaknesses on an annual basis.
The 2021 CWE Most Important Hardware Weaknesses
Below is a brief listing of the weaknesses in the 2021 CWE Most Important Hardware Weaknesses, in numerical order by CWE identifier. This is an unranked list.
The initial survey effort to begin the identification of a “Top-N” list for hardware was done by members of the SIG who each chose a prioritized set of 10 weaknesses from the 96 hardware entries in the CWE corpus. This process identified a total of 31 unique entries. The HW CWE team also provided a set of questions for participants to weigh during their thinking, including those applicable to prevalence and detection metrics, mitigation metrics, exploitability metrics, and other miscellaneous metrics. From an initial set of 27 questions, the SIG members identified 9 as particularly significant in their consideration for voting on the list:
When reflecting on the 31 entries identified during the initial survey, the SIG determined that the ideal length for a published “Top-N” list should be approximately ten percent of the total hardware CWE entries – roughly 10. Accordingly, in September 2021 the SIG convened a formal voting session to distill the previously selected 31 entries. Using a card-sorting platform and a Likert-scale approach, each SIG member had the opportunity to transfer the 31 entries into various "buckets" of priority (via drag and drop). There were five buckets:
After the voting, the CWE team and SIG members collectively reviewed the findings and applied a scoring method where the buckets were assigned weights of +2, +1, 0, -1, and -2, respectively. For each CWE entry, these weights were multiplied against the percentage of votes in each bucket, with the percentage expressed as a value between 0 and 1, and the products summed. The highest possible score was 2.0 (with 100% of all votes for “Strongly Support”). The entry with the highest score had a score of 1.42. This resulted in a ranked order of the 31 previously selected hardware CWEs with a clear delineation in score after the highest 12 and the highest 17 entries. The highest 12 entries had scores from 1.03 to 1.42, and the next 5 entries ranged from 0.91 to 0.97. The next highest score was 0.80. These entries became the 2021 CWE Most Important Hardware Weaknesses List and the Hardware Weaknesses on the Cusp (see above and below). While our methodology came up with a ranking for these 12(+5) entries, the HW CWE team and the SIG believe that it is impractical to think of the list as a hierarchical, ordered set in terms of importance. The entries should be thought of as a set of mostly equal hardware weakness concerns based on our methodology.
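The bucket-weighted scoring described above, as an added example that is not part of the CWE page: the five weights are the page's; the entry labels, the vote counts, and the idea of cutting the ranking at the largest score drop are constructed to illustrate the method.

```python
# Added example (not from the CWE page): reproduces the Likert-bucket
# scoring used for the 2021 Hardware List on constructed vote counts.
from fractions import Fraction
from typing import Dict, List, Tuple

# Weights for the five priority buckets, from "Strongly Support" (+2)
# down to the lowest bucket (-2), as stated on the page.
WEIGHTS = (2, 1, 0, -1, -2)


def score(votes: Tuple[int, ...]) -> float:
    """Sum of bucket weight times that bucket's vote share (0..1)."""
    if len(votes) != len(WEIGHTS):
        raise ValueError("expected one vote count per bucket")
    total = sum(votes)
    if total <= 0:
        raise ValueError("no votes cast")
    # Exact arithmetic, converted to float once, so 1.4 is really 1.4.
    return float(sum(Fraction(w * n, total) for w, n in zip(WEIGHTS, votes)))


def rank(entries: Dict[str, Tuple[int, ...]]) -> List[Tuple[str, float]]:
    """Order entries by descending score, as the SIG did for its 31 entries."""
    return sorted(((name, score(v)) for name, v in entries.items()),
                  key=lambda kv: kv[1], reverse=True)


def cut_at_largest_gap(ranked: List[Tuple[str, float]]) -> int:
    """How many top entries sit above the largest score drop (the 'delineation')."""
    if len(ranked) < 2:
        return len(ranked)
    gaps = [ranked[i][1] - ranked[i + 1][1] for i in range(len(ranked) - 1)]
    return gaps.index(max(gaps)) + 1


# Constructed votes from 20 hypothetical SIG members per entry (not real data).
SAMPLE_VOTES = {
    "entry-A": (20, 0, 0, 0, 0),   # unanimous Strongly Support -> 2.0
    "entry-B": (10, 8, 2, 0, 0),   # -> 1.4
    "entry-C": (6, 6, 7, 1, 0),    # -> 0.85
    "entry-D": (2, 4, 8, 4, 2),    # balanced -> 0.0
}

if __name__ == "__main__":
    ranked = rank(SAMPLE_VOTES)
    for name, s in ranked:
        print(f"{name}: {s:.2f}")
    print("entries above the largest gap:", cut_at_largest_gap(ranked))
```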
With these criteria, future versions of the CWE Most Important Hardware Weaknesses will evolve to cover different weaknesses. Our goal is to provide the most useful list possible for the community. Limitations of our methodology are articulated below.
Weaknesses on the Cusp
In a similar way to the CWE Top 25 Most Dangerous Software Weaknesses, the CWE team feels it is important to share these five additional hardware weaknesses that were supported by the Hardware CWE SIG yet ultimately scored just outside of the final 2021 CWE Most Important Hardware Weaknesses list.
Individuals that perform mitigation and risk decision-making using the 2021 CWE Hardware List may want to consider including these additional weaknesses in their analyses. Weaknesses on the Cusp are listed in numerical order by CWE-ID.
Limitations of the Methodology
The methodology used to generate the inaugural CWE Most Important Hardware Weaknesses List is limited somewhat in terms of scientific and statistical rigor. In the absence of more relevant data from which to conduct systematic inquiry, the list was compiled using a modified Delphi method leveraging subjective opinions, albeit from informed content knowledge experts.
The software CWE Top-25 leverages CVE® data within the NIST National Vulnerability Database (NVD) for a data-driven approach that considers weakness type frequency and severity. This is not possible in the hardware domain primarily because there are limited associations of HW CWEs with CVEs due to the HW CWE's infancy. Recently, the CVE program has been working to issue CVE records for hardware vulnerabilities. While post-release hardware vulnerabilities are far less frequent than those of software, as more hardware vulnerability data becomes readily available, the CWE Hardware List methodology will potentially change.
The 2021 CWE Hardware team includes (in alphabetical order by last name): John Butterworth, Steve Christey Coley, Kerry Crouse, Christina Johns, Gananand Kini, Chris Lathrop, Luke Malinowski, and Alec Summers.
Also, tremendous thanks go to the HW CWE SIG membership, which includes at the time of publication (in alphabetical order by first name):
Alric Althoff, Tortuga Logic
... and many others who chose to remain anonymous.