The CWE Top 25 and ICS Coding

The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2021 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. At first blush, this list may seem more relevant to the IT/business applications side of your utility – and you aren’t wrong. This annual list represents the top, easy to find, exploitable weaknesses that enable threat actors to compromise a system, steal data, or prevent an application from working. The CWE Top 25 is updated each year to enumerate the most common and current security weaknesses. By reviewing this list, developers, programmers, testers, security researchers, educators, and users can gain appreciation and understanding for some of the substandard coding practices that plague our applications and systems.

However, don’t overlook the CWE list when assessing ICS coding practices. As a matter of fact, the newly released Top 20 Secure PLC Coding Practices was partially inspired by and maps to/references CWEs at least twenty times. Vivek Ponnada, one of the co-organizers of the PLC Top 20 project, shares more on the relevance of PLC coding and CWEs and how the reference is perfect for what the PLC Top 20 list is trying to achieve. Review the newly released 2021 CWE Top 25 at MITRE.