Work related to describing and classifying security weaknesses in information technology (IT) through efforts such as Common Weakness Enumeration (CWE™)/Common Attack Pattern Enumerations and Classifications (CAPEC™) has been a major focus of the community for some time. However, a similar requirement for industrial control systems (ICS)/operational technology (OT) has been identified but not yet received similar attention — that is, until now.
Earlier this year, representatives from the ICS/OT and CWE/CAPEC communities joined together to create a special interest group (SIG) to address the need for describing and managing security weaknesses in ICS/OT systems.
Introducing the “CWE-CAPEC ICS/OT SIG”
Formed in April 2022 by a partnership between the U.S. Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) and the CWE/CAPEC Program (operated by the CISA-funded Homeland Security Systems Engineering and Development Institute (HSSEDI)), the CWE-CAPEC ICS/OT SIG is a forum for researchers and technical representatives from organizations operating in ICS/OT design, manufacturing, and security to interact, share opinions and expertise, and leverage each other’s experiences in supporting continued growth and adoption of CWE as a common language for defining ICS/OT security weaknesses and their associated patterns of attack.
The CWE-CAPEC ICS/OT SIG helps all stakeholders communicate more efficiently and effectively and promote a unity of effort in identifying and mitigating ICS/OT security weaknesses, especially in critical infrastructure. Participants include ICS/OT vulnerability researchers, engineers, security professionals, and companies representing OEMs/system integrators, tools/infrastructure vendors, and asset owners and operators.
Properly identifying a problem is the first step in addressing it. The CWE-CAPEC ICS/OT SIG has determined that while IT has an extant body of work related to identify and classifying security weaknesses, IT and ICS/OT are different, and existing IT classifications are not always useful in describing and managing security weaknesses in ICS/OT systems. Therefore, addressing this gap will help all stakeholders communicate more efficiently and effectively and promote a unity of effort in identifying and mitigating ICS/OT security weaknesses, especially in critical infrastructure.
Towards that end, the CWE-CAPEC ICS/OT SIG has stood-up two sub-working groups to focus on areas of special interest as a first step towards helping set the groundwork for enhancing CWE’s ICS/OT content:
- “Boosting CWE Content” Sub-Working Group — This sub-working group will engage stakeholders in boosting CWE content for ICS/OT, including expanding content when applicable by adding new entries or enhancing existing entries. The effort will identify gaps in the current ICS/OT CWE View and analyze the scope and nature of those gaps. The effort will also add appropriate weaknesses to categories without any weaknesses, where supported by CWE’s established scope. The group will also contribute to public discussions of potential changes to CWE’s scope that may benefit the ICS/OT community. Boosting may include the identification of sub-domains of weaknesses.
- “Mapping CWE to ISA/IEC 62443” Sub-Working Group — The goal of this sub-working group is to have a documented association of the CWE list of software and hardware weakness types to the current ISA/IEC 62443 cybersecurity standards in ICS/OT. If there are no restrictions imposed by ISA or other parties, then CWE will capture these associations using “Taxonomy Mappings” elements within the relevant CWE weaknesses. The group will also contribute to public discussions of potential changes to CWE’s scope that may benefit the ICS/OT community.
We are at the beginning stages of this effort, and while the CWE-CAPEC ICS/OT SIG has made early progress, this is a long-term effort that will benefit significantly from ongoing community participation. To learn how you can participate, visit https://github.com/CWE-CAPEC/ICS-OT_SIG.