ICS Dependencies (& Architecture): External Digital Systems
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
A feature, API, or function does not perform according to its specification.
One or more system settings or configuration elements can be externally controlled by a user.
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
The implementation of the product is not consistent with the design as described within the relevant documentation.
The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of...
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's right...
The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.
The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, update...
A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client tha...
The product uses default passwords for potentially critical functionality.
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes ...
The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.
The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original deve...
CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Ta...
- Categories of Security Vulnerabilities in ICS. Securing Energy Infrastructure Executive Task Force (SEI ETF).