ICS Supply Chain: Poorly Documented or Undocumented Features

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Weaknesses

Active Debug Code

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

Hidden Functionality

The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious t...

Inclusion of Undocumented Features or Chicken Bits

The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.

Insufficient Technical Documentation

The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of...

Concepts

Weaknesses in SEI ETF Categories of Security Vulnerabilities in ICS

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Ta...

See Also

  1. Categories of Security Vulnerabilities in ICS

    Securing Energy Infrastructure Executive Task Force (SEI ETF)


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.