Weaknesses Addressed by ISA/IEC 62443 Requirements
A view in the Common Weakness Enumeration published by The MITRE Corporation.
Objective
Views in the Common Weakness Enumeration (CWE) represent one perspective with which to consider a set of weaknesses.
This view (slice) covers weaknesses that are addressed by following requirements in the ISA/IEC 62443 series of standards for industrial automation and control systems (IACS). Members of the CWE ICS/OT SIG analyzed a set of CWEs and mapped them to specific requirements covered by ISA/IEC 62443. These mappings are recorded in Taxonomy_Mapping elements.
Weaknesses
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be ...
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of ot...
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer ...
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day-to-day operation of the pro...
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize...
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the am...
The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been ...
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories.
The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows ...
During installation, installed file permissions are set to allow anyone to modify those files.
The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.
The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by acc...
The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of...
The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the o...
The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
The product does not encrypt sensitive or critical information before storage or transmission.
The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.
The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
The product does not properly verify that the source of data or communication is valid.
The product writes data past the end, or before the beginning, of the intended buffer.
Storing a password in plaintext may result in a system compromise.
A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make...
The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, update...
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, ev...
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
The product uses a broken or risky cryptographic algorithm or protocol.
The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to exter...
The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.
The product violates well-established principles for secure design.