This graph highlights weaknesses in Industrial Control Systems (ICS) that were identified by the SEI ETF and not addressed by previous CWE versions. It is intended to aid hardware designers, product vendors, assessment tool providers, and academic researchers.
The entries in this graph represent CWEs that are linked to the Security Vulnerabilities Categories specific to Industrial Control Systems (ICS). These categories were identified by the Securing Energy Infrastructure Executive Task Force (SEI ETF) and published in March 2022. While CWE focused mainly on vulnerabilities in enterprise IT software in the past, the weaknesses and categories highlighted in this graph pertain specifically to issues affecting ICS that CWE did not previously address. The weaknesses identified in this graph are based on recommendations from the "Nearest IT Neighbor" approach and other suggestions provided by the CWE team. These associations may change in future CWE versions.
The diagram illustrates the hierarchical relationships between weaknesses at different levels of abstraction. At the highest level, weaknesses are grouped under categories and pillars. Categories are not technically weaknesses themselves; they are CWE entries used to group similar weaknesses. Pillars are highly abstract descriptions of weaknesses. Beneath these top-level entries, weaknesses exist at varying levels of abstraction. Classes remain abstract and are generally independent of particular languages or technologies. Base-level weaknesses describe more specific types of weakness. Variants are weaknesses described in meticulous detail, typically limited to specific languages or technologies. A chain is a series of weaknesses that must be reachable in sequence to exploit a vulnerability. A composite, by contrast, is a collection of weaknesses that must all be present at the same time to exploit a vulnerability.