Weaknesses Addressed by ISA/IEC 62443 Requirements

A view in the Common Weakness Enumeration published by The MITRE Corporation.


Views in the Common Weakness Enumeration (CWE) represent one perspective with which to consider a set of weaknesses.

This view (slice) covers weaknesses that are addressed by following requirements in the ISA/IEC 62443 series of standards for industrial automation and control systems (IACS). Members of the CWE ICS/OT SIG analyzed a set of CWEs and mapped them to specific requirements covered by ISA/IEC 62443. These mappings are recorded in Taxonomy_Mapping elements.


Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be ...

Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Dependency on Vulnerable Third-Party Component

The product has a dependency on a third-party component that contains one or more known vulnerabilities.

Execution with Unnecessary Privileges

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of ot...

Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer ...

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the pro...

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize...

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Improper Restriction of Power Consumption

The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the am...

Improper Validation of Integrity Check Value

The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been ...

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Improper Write Handling in Limited-write Non-Volatile Memories

The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories.

Inclusion of Undocumented Features or Chicken Bits

The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows ...

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations

The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.

Insufficient Psychological Acceptability

The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by acc...

Insufficient Technical Documentation

The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of...

Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the o...

Logging of Excessive Data

The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

Missing Reference to Active Allocated Resource

The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.

Missing Support for Integrity Check

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Plaintext Storage of a Password

Storing a password in plaintext may result in a system compromise.

Reliance on a Single Factor in a Security Decision

A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make...

Reliance on Insufficiently Trustworthy Component

The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, update...

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, ev...

Use After Free

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to exter...

Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

Use of Weak Credentials

The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.

Violation of Secure Design Principles

The product violates well-established principles for secure design.

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.