CWE-CAPEC ICS/OT special interest group focuses on security weaknesses within these environments
MITRE, in partnership with the U.S. Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER), announced the expansion of the Common Weakness Enumeration/Common Attack Pattern Enumeration and Classification (CWE/CAPEC) program. Operated by the CISA-funded Homeland Security Systems Engineering and Development Institute (HSSEDI), the CWE/CAPEC program announces a new special interest group (SIG) focusing on security weaknesses in industrial control systems (ICS) and operational technology (OT) frameworks.
Greg Shannon and Alec Summers were named as the co-chairs of the CWE-CAPEC ICS/OT SIG, which held its kickoff meeting on Wednesday, May 18.
The initiative offers a forum for researchers and technical representatives from organizations operating in ICS/OT design, manufacturing, and security, according to a GitHub post. The platform provides a meeting place for ICS/OT vulnerability researchers, engineers, security professionals, and companies representing OEMs/system integrators, tools/infrastructure vendors, and asset owners and operators. Managers and other organizational leaders are also welcome, although it is preferred that they are accompanied by technical staff.
The initiative enables interaction, sharing of opinions and expertise, and leveraging each other’s experiences to support continued growth and adoption of CWE as a common language for defining ICS/OT security weaknesses and their associated patterns of attack.
“While IT has an extant body of work related to identifying and classifying security weaknesses, IT and ICS/OT are different, and existing IT classifications are not always useful in describing and managing security weaknesses in ICS/OT systems,” the GitHub post said. “Addressing this gap will help all stakeholders communicate more efficiently and effectively and promote a unity of effort in identifying and mitigating ICS/OT security weaknesses, especially in critical infrastructure,” it added.
Under the direction of Congress, DOE CESER’s Securing Energy Infrastructure Executive Task Force (SEI ETF) stakeholders were tasked to identify new classes of security vulnerabilities in ICS, according to data released by the New Categories of Security Vulnerabilities (NCSV) Technical Project Team (TPT). The team began by analyzing baseline assumptions and capabilities in identifying, classifying, and prioritizing security vulnerabilities in ICS, and reached a consensus on 20 categories of security vulnerabilities in ICS that are distinct from any existing categories identified in IT, it added.
The SEI ETF is a voluntary group of senior leaders representing energy sector asset owners and operators, vendors/manufacturers, standards organizations, research and academic institutions, national laboratories, and government agencies.
“One of the first findings that NCSV TPT produced was that no classification system for security vulnerabilities exists for either IT or OT,” the team said. “Classification as a process involves the orderly and systematic assignment of each entity to one and only one class within a system of mutually exclusive and non-overlapping classes. Upon surveying the landscape of potential classification systems for security vulnerabilities, the TPT concluded that no well-founded classification system exists that meets this standard, such as those used to classify stars or living organisms,” it added.
The TPT identified MITRE’s CWE database as the best platform to integrate and expand the TPT’s work. CWE is a recognized source of software and hardware weakness types that serves as a common language, a measuring stick for security tools, and a baseline for weakness identification, mitigation, and prevention efforts. The TPT engaged MITRE, briefed its work, and gained agreement from MITRE to stand up a SIG, which will examine how to best include the categories in the CWE framework.
“As influenced by collaboration with the SEI ETF, CWE 4.7 is planned to be released with new entries related to improper handling of extreme environmental conditions, missing/incorrect documentation, and reliance on third-party/untrustworthy components,” the GitHub post said. Future versions of CWE will include additional categories based on the work by the SEI ETF, as well as input from the ICS/OT SIG, it added.
“The work done by the Securing Energy Infrastructure Executive Task Force to develop new categories of security vulnerabilities that are focused on ICS—and distinct from existing IT vulnerability categories—has begun to fill an important gap,” Puesh Kumar, director of the DoE’s CESER, told SecurityWeek. “CWE and CAPEC are at the forefront of classifying security weaknesses and common attack patterns within cyber-physical systems. The SIG represents a powerful opportunity to advance the state of the practice in identifying, classifying, and mitigating security weaknesses in both energy and other critical infrastructure sectors,” he added.
There has been an increased focus on ICS systems in recent weeks and months with the goal of securing these critical environments. A legislative bill was introduced in the U.S. House of Representatives this week that seeks to amend the Homeland Security Act of 2002 to authorize the Cybersecurity and Infrastructure Security Agency (CISA) to establish an industrial control systems cybersecurity training initiative and for other purposes.
Earlier, the ICS Cyber Emergency Response Team of the CISA expanded the scope of the Idaho National Laboratory’s Control Environment Laboratory Resource (CELR) research zone. The laboratory environment will now deliver an interactive test site for ICS and OT environments. Last month, the CISA expanded its Joint Cyber Defense Collaborative (JCDC) initiative to include the ICS industry consisting of security vendors, integrators, and distributors.
A complimentary guide to the who`s who in industrial cybersecurity tech & solutions
Free DownloadRelated
