CWE Industrial Control System and Operational Technology Special Interest Group (established in May 2022)
Next Meeting: CWE ICS/OT SIG Fall Workshop on November 14, 2023 from 1-4PM ET. This workshop is intended for SIG members that have participated in previous subgroup efforts to map CWE to the ISA/IEC 62443 set of standards. We will make a concerted effort to complete the remaining milestones associated with that previous effort.
Co-Chair: Matthew Luallen Co-Chair: Alec Summers
In partnership with the U.S. Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER), the CWE program – operated by the CISA-funded Homeland Security Systems Engineering and Development Institute (HSSEDI) – has formed a new special interest group focusing on security weaknesses in industrial control systems (ICS) and operational technology (OT): the CWE ICS/OT SIG. The kickoff was held on Wednesday, May 18, 2022.
The CWE ICS/OT SIG offers a forum for researchers and technical representatives from organizations operating in ICS/OT design, manufacturing, and security to interact, share opinions and expertise, and leverage each other’s experiences in supporting continued growth and adoption of CWE as a common language for defining ICS/OT security weaknesses and their associated patterns of attack.
While IT has an extant body of work related to identifying and classifying security weaknesses, IT and ICS/OT are different, and existing IT classifications are not always useful in describing and managing security weaknesses in ICS/OT systems. Addressing this gap will help all stakeholders communicate more efficiently and effectively and promote a unity of effort in identifying and mitigating ICS/OT security weaknesses, especially in critical infrastructure.
ICS/OT vulnerability researchers, engineers, security professionals, and companies representing OEMs/system integrators, tools/infrastructure vendors, and asset owners and operators. Managers and other organizational leaders are also welcome, although it is preferred that they are accompanied by technical staff.
Under the direction of Congress, DOE CESER’s Securing Energy Infrastructure Executive Task Force (SEI ETF) – a voluntary group of senior leaders representing energy sector asset owners and operators, venders/manufacturers, standards organization, research and academic institutions, National Laboratories, and government agencies – identified 20 new categories of security vulnerabilities for ICS that are distinct from any category of vulnerability or weakness identified in information technology (IT).
As influenced by collaboration with the SEI ETF, CWE 4.7 was released with the following new or updated CWE entries:
- CWE-1384: Improper Handling of Physical or Environmental Conditions
- CWE-1059: Insufficient Technical Documentation
- CWE-1357: Reliance on Insufficiently Trustworthy Component
Future versions of CWE will include additional categories based on the work by the SEI ETF, as well as input from the ICS/OT SIG.
This sub-working group engages stakeholders in boosting CWE content for ICS/OT, including expanding content when applicable by adding new entries or enhancing existing entries. The effort identifies gaps in the current [ICS/OT CWE view] (https://cwe.mitre.org/data/definitions/1358.html) and analyzes the scope and nature of those gaps. The effort also adds appropriate weaknesses to categories without any weaknesses, where supported by CWE’s established scope. The group also contributes to public discussions of potential changes to CWE’s scope that may benefit the ICS/OT community. Boosting may include the identification of sub-domains of weaknesses.
- Launched October 12, 2022
This sub-working group produces a documented association of the CWE list of software and hardware weakness types to the current ISA/IEC 62443 cybersecurity standards in ICS/OT. If there are no restrictions imposed by ISA or other parties, then CWE will capture these associations using “Taxonomy Mappings” elements within the relevant CWE weaknesses. The group also contributes to public discussions of potential changes to CWE’s scope that may benefit the ICS/OT community.
- Launched October 11, 2022
Sign-up for the ICS/OT CWE SIG mailing listserv to receive updates and meeting notifications: cwe@mitre.org
Please reach out to co-chairs Alec Summers (asummers@mitre.org) or Matthew Luallen (matthew.luallen@cymanii.org) with any questions.