Glossary
Complete reference for terms, abbreviations, protocols, threat terminology, and BreachSpider-specific concepts. Definitions reflect ICS/OT security practice and regulatory requirements.
Core Vulnerability Terms
AV (Attack Vector) -- CVSS field indicating the network context required to exploit a vulnerability. Values: NETWORK, ADJACENT, LOCAL, PHYSICAL.
BCS (BreachSpider Confidence Score) -- BreachSpider's proprietary exploitation priority score. Combines CVSS, EPSS, KEV status, PoC availability, patch status, and ICS/OT relevance into a single 0.0-10.0 score. Proprietary to CITED Relevance LLC.
BSID (BreachSpider ID) -- Unique identifier assigned by BreachSpider to each CVE in the corpus. Format: BS-YYYY-NNNNNN-S where S is severity code. Stable across updates.
CNA (CVE Numbering Authority) -- Organizations authorized to assign CVE IDs. MITRE, major vendors, and large security firms are CNAs.
CRA (CITED Relevance Advisory) -- Advisory numbering system for vulnerability research published by CITED Relevance LLC. Format: CRA-YYYY-NNN.
CVE (Common Vulnerabilities and Exposures) -- The standard identifier for publicly known cybersecurity vulnerabilities. Maintained by MITRE. Format: CVE-YYYY-NNNNN.
CVSS (Common Vulnerability Scoring System) -- Industry standard for assessing vulnerability severity. Version 3.1 is current. Score 0.0-10.0. Critical: 9.0-10.0, High: 7.0-8.9, Medium: 4.0-6.9, Low: 0.1-3.9.
CWE (Common Weakness Enumeration) -- Catalog of software and hardware weakness types maintained by MITRE. Each CWE identifies a class of vulnerability (e.g., CWE-89 is SQL Injection). Used to classify the root cause of a CVE.
EPSS (Exploit Prediction Scoring System) -- Daily probability score (0.0-1.0) estimating the likelihood a CVE will be exploited in the next 30 days. Maintained by FIRST.org. A score of 0.98 places the CVE in the top 2% of all CVEs by exploitation probability.
KEV (Known Exploited Vulnerabilities) -- A catalog of CVEs with confirmed active exploitation in the wild. Launched November 2021. Federal agencies must remediate KEV entries within mandated timeframes. BreachSpider ingests KEV updates every 15 minutes.
NVD (National Vulnerability Database) -- NIST database that enriches CVE data with CVSS scores, CWE classifications, and CPE (affected product) data. Primary data source for BreachSpider's corpus.
BreachSpider Priority Tiers
BreachSpider assigns a remediation priority tier to each finding based on BCS score, KEV status, exploit maturity, and asset criticality.
ACCEPTED RISK -- Finding has been acknowledged with a documented risk acceptance reason. Remains visible in the findings list but excluded from active counts. Must include rationale for the acceptance and be reviewed on a scheduled cadence.
MONITOR -- Medium priority. No active exploitation confirmed; a patch is available but there is no urgency. Review at the next patch cycle and re-evaluate if exploit maturity or KEV status changes.
PATCH NEXT -- High priority. Assigned when CVSS is 7.0+ with a functional exploit, or KEV-listed on a lower-criticality asset. Remediate at the next scheduled maintenance window.
PATCH NOW -- Highest priority. Assigned when a CVE is KEV-listed and affects a confirmed asset, or when CVSS is 9.0+ with a weaponized exploit and the asset is network-reachable. Remediate within 24-72 hours or apply compensating controls with documented risk acceptance.
Exploit Maturity
BreachSpider classifies the public availability and reliability of exploits for each CVE into four tiers.
FUNCTIONAL -- Working exploit code exists that reliably reproduces the vulnerability. Used in penetration testing frameworks. Indicates elevated risk even without confirmed wild exploitation.
NONE -- No public exploit code known. Exploitation requires independent vulnerability research.
POC (Proof of Concept) -- Exploit code exists publicly (GitHub, ExploitDB, Metasploit module) but may be unreliable or require modification. Elevates exploitation probability significantly.
WEAPONIZED -- Exploit is packaged into malware, exploit kits, or ransomware and has been observed in active campaigns. Treat as PATCH NOW regardless of CVSS score.
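The tier rules above and the exploit maturity tiers combine into a small decision procedure. The following is an added illustration written for this glossary, not BreachSpider's own code or its BCS formula; the `Finding` field names, the reading of "confirmed asset" as a HIGH-confidence match on a high-criticality asset, and the treatment of unpatched, unexploited findings as MONITOR are assumptions.

```python
"""Remediation priority tiers, as an added illustration of the glossary rules."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Maturity(Enum):
    """Exploit maturity tiers as defined in the glossary."""
    NONE = 0
    POC = 1
    FUNCTIONAL = 2
    WEAPONIZED = 3


@dataclass
class Finding:
    """One CVE-to-asset match. Field names are assumptions for this example."""
    cve_id: str
    cvss: float
    kev_listed: bool
    maturity: Maturity
    patch_available: bool
    confidence: str            # "HIGH" or "LOW" match confidence
    asset_criticality: str     # "high" | "medium" | "low" (assumed field)
    network_reachable: bool
    accepted_reason: Optional[str] = None


def assign_tier(f: Finding) -> str:
    """Map a finding onto the glossary's remediation priority tiers."""
    # ACCEPTED RISK: acknowledged with a documented rationale. Checked first so
    # an accepted finding never re-enters the active queue.
    if f.accepted_reason and f.accepted_reason.strip():
        return "ACCEPTED RISK"

    # WEAPONIZED exploit: PATCH NOW regardless of CVSS. This also subsumes the
    # "CVSS 9.0+ with weaponized exploit on a network-reachable asset" clause.
    if f.maturity is Maturity.WEAPONIZED:
        return "PATCH NOW"

    if f.kev_listed:
        # KEV-listed and affects a confirmed asset -> PATCH NOW. "Confirmed" is
        # read here (assumption) as HIGH match confidence on a high-criticality asset.
        if f.confidence == "HIGH" and f.asset_criticality == "high":
            return "PATCH NOW"
        # KEV-listed on a lower-criticality (or unconfirmed) asset -> PATCH NEXT.
        return "PATCH NEXT"

    # CVSS 7.0+ with a functional exploit -> PATCH NEXT.
    if f.cvss >= 7.0 and f.maturity is Maturity.FUNCTIONAL:
        return "PATCH NEXT"

    # MONITOR: no confirmed exploitation, patch available, no urgency.
    # Assumption: the glossary defines no tier for "no patch yet, no exploit",
    # so such findings land here as the residual tier.
    return "MONITOR"


def needs_compensating_control(f: Finding) -> bool:
    """PATCH NOW with no patch available must be handled by a compensating
    control with documented risk acceptance (glossary, PATCH NOW entry)."""
    return assign_tier(f) == "PATCH NOW" and not f.patch_available


def active_counts(findings: Iterable[Finding]) -> Counter:
    """Tier counts for a dashboard. ACCEPTED RISK findings stay visible in the
    list but are excluded from active counts, as the glossary states."""
    return Counter(t for t in map(assign_tier, findings) if t != "ACCEPTED RISK")


# Constructed sample findings with placeholder CVE identifiers.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, True,  Maturity.FUNCTIONAL, True,  "HIGH", "high",   True),
    Finding("CVE-0000-0002", 7.5, True,  Maturity.POC,        True,  "LOW",  "low",    True),
    Finding("CVE-0000-0003", 5.3, False, Maturity.WEAPONIZED, False, "HIGH", "medium", False),
    Finding("CVE-0000-0004", 8.1, False, Maturity.FUNCTIONAL, True,  "HIGH", "medium", True),
    Finding("CVE-0000-0005", 6.5, False, Maturity.POC,        True,  "LOW",  "low",    True),
    Finding("CVE-0000-0006", 9.1, True,  Maturity.FUNCTIONAL, True,  "HIGH", "high",   True,
            accepted_reason="Isolated lab PLC, scheduled for decommissioning"),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        flag = " (compensating control required)" if needs_compensating_control(f) else ""
        print(f"{f.cve_id}: {assign_tier(f)}{flag}")
    print(dict(active_counts(SAMPLE_FINDINGS)))
```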
ICS/OT Asset Types
DCS (Distributed Control System) -- Industrial control system for continuous process control in refineries, chemical plants, and power generation. Unlike SCADA, DCS operates within a single facility with tight, deterministic control loops. Common DCS vendors: Honeywell Experion, Emerson DeltaV, Yokogawa CENTUM, ABB 800xA, Siemens PCS 7.
Engineering Workstation -- Windows-based computer used by engineers to program PLCs and HMIs using vendor software (Siemens TIA Portal, Rockwell Studio 5000, Schneider Unity Pro). Engineering workstations are typically connected to both the corporate IT network and the OT network simultaneously, making them the most common initial access vector in ICS attacks. Stuxnet used engineering workstation compromise as its primary propagation method.
Historian -- Industrial database server that records time-series process data from PLCs, DCS, and SCADA systems. Common products include OSIsoft PI (now AVEVA PI) and Wonderware. Historians typically bridge OT and IT networks, making them a high-value pivot point for attackers.
HMI (Human Machine Interface) -- Operator interface for industrial control systems. Displays process status, alarms, and control elements. Runs on Windows in most modern installations. Web-based HMIs are increasingly common and introduce standard web vulnerabilities (XSS, authentication bypass) into OT environments.
ICS (Industrial Control Systems) -- Broad term for systems that monitor and control industrial processes. Includes SCADA, DCS, PLC, HMI, and SIS. Security requirements differ from IT due to real-time constraints, safety implications, and long asset lifecycles.
MTU (Master Terminal Unit) -- The central SCADA component that polls RTUs, processes data, and sends control commands. MTU compromise is equivalent to full SCADA system compromise, enabling an attacker to manipulate or disrupt all downstream field devices.
PLC (Programmable Logic Controller) -- Industrial digital computer used for automation of manufacturing lines, process control, and utility systems. PLCs execute ladder logic or structured text programs and interface directly with sensors and actuators. Common vendors: Siemens, Rockwell Allen-Bradley, Schneider Electric, Mitsubishi.
RTU (Remote Terminal Unit) -- Field device used in SCADA systems to collect data from sensors and transmit to a master station. Common in electric utilities and pipeline monitoring. Distinguished from PLCs by their use in geographically distributed systems with intermittent connectivity.
SIL (Safety Integrity Level) -- IEC 61511 classification for the reliability requirement of a safety function. SIL 1 through SIL 4, where SIL 4 is the highest integrity requirement. Higher SIL ratings require more rigorous engineering and testing. Patching a SIL-rated system requires recertification, which often delays security updates by months.
SIS (Safety Instrumented System) -- Independent control system designed to bring a process to a safe state when predetermined conditions are violated. Governed by IEC 61511. SIS are the last line of defense before catastrophic physical failure. TRITON/TRISIS malware specifically targeted Schneider Electric Triconex SIS in 2017, representing the first known malware designed to disable safety systems.
Industrial Protocols
BACnet (Building Automation and Control Networks) -- ASHRAE/ISO standard protocol for building automation systems (HVAC, lighting, access control). Increasingly relevant to OT security as building systems connect to enterprise networks and can serve as lateral movement paths into industrial zones.
DNP3 (Distributed Network Protocol 3) -- Communication protocol used in SCADA systems, particularly in electric utilities and water treatment. Supports event-driven reporting and time-stamped data. DNP3 Secure Authentication adds challenge-response authentication but is not widely deployed.
EtherNet/IP -- Rockwell Automation and ODVA industrial protocol using Common Industrial Protocol (CIP) over standard Ethernet. Widely used in manufacturing and packaging automation. Operates on TCP port 44818.
HART (Highway Addressable Remote Transducer) -- Communication protocol for field instruments (sensors, transmitters) overlaid on 4-20mA analog signals. Allows digital communication with field devices without replacing wiring. WirelessHART extends the protocol to mesh networking.
Modbus -- Serial communication protocol used in PLCs and SCADA. One of the most common ICS protocols. Original version (Modbus RTU/ASCII) has no authentication, encryption, or integrity checking. Any device on the network can read or write registers. Modbus TCP operates on port 502.
OPC-DA (OPC Data Access) -- Legacy OPC standard based on Microsoft DCOM technology. Predecessor to OPC-UA. Significant security weaknesses due to DCOM architecture, including dynamic port allocation that complicates firewall rules. Should be replaced with OPC-UA where possible.
OPC-UA (Open Platform Communications Unified Architecture) -- Modern ICS communication protocol designed for secure, platform-independent data exchange between systems. Supports encryption, authentication, and authorization. Successor to OPC-DA without DCOM dependency.
PROFINET -- Siemens and Profibus International industrial Ethernet standard for automation. Susceptible to DCP (Discovery and Configuration Protocol) flooding attacks that can cause denial of service on manufacturing networks. Operates at Layer 2, making it difficult to firewall.
S7Comm -- Siemens proprietary protocol used for communication between Siemens S7 PLCs and programming tools (TIA Portal, Step 7). Operates on TCP port 102. Has no authentication in legacy implementations. Stuxnet exploited S7Comm to inject malicious ladder logic into S7-315 and S7-417 PLCs.
S7Comm-Plus -- Enhanced version of S7Comm used in newer Siemens S7-1200 and S7-1500 PLCs. Includes integrity protection but has been subject to authentication bypass vulnerabilities (CVE-2019-13945).
Compliance and Regulatory
BES (Bulk Electric System) -- The interconnected electrical transmission network in North America subject to NERC CIP mandatory reliability standards. BES Cyber Assets are ICS components whose compromise could affect BES reliability within 15 minutes.
Compensating Control -- A security measure implemented in place of a required control when the primary control is not feasible. In OT environments, network segmentation and protocol filtering are common compensating controls when patching is not possible. Must be documented with risk acceptance rationale. BreachSpider tracks compensating controls in the finding acknowledgment workflow.
ESP (Electronic Security Perimeter) -- NERC CIP term for the logical border surrounding a network to which BES Cyber Systems are connected. Access points to the ESP must be documented and controlled under CIP-005.
IACS (Industrial Automation and Control Systems) -- Term used in IEC 62443 to describe systems that control industrial processes. Functionally equivalent to ICS but used specifically in IEC 62443 compliance context.
IEC 62443 -- International standard series for industrial cybersecurity. Covers security for industrial automation and control systems (IACS). Defines security levels (SL 1-4) and maturity requirements for operators, integrators, and component manufacturers.
MFA (Multi-Factor Authentication) -- Authentication requiring two or more verification factors. NERC CIP standard CIP-007 R5 requires multi-factor authentication for interactive remote access to high and medium impact BES Cyber Systems.
NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) -- Mandatory cybersecurity standards for the bulk electric system in North America. Key standards: CIP-005 (Electronic Security Perimeters), CIP-007 (Systems Security Management), CIP-010 (Configuration Management), CIP-011 (Information Protection).
NIST (National Institute of Standards and Technology) -- US agency that maintains cybersecurity frameworks including NIST SP 800-82 (ICS security guide) and NIST CSF (Cybersecurity Framework).
PSP (Physical Security Perimeter) -- NERC CIP term for the physical boundary controlling access to locations containing BES Cyber Systems. Defined under CIP-006. Requires visitor logs, card access, and camera monitoring.
RBAC (Role-Based Access Control) -- Access control model where permissions are assigned to roles rather than individuals. BreachSpider implements RBAC with Admin and Member roles per organization.
SSO (Single Sign-On) -- Authentication method allowing users to access multiple systems with one set of credentials. Common enterprise requirement for security tools. Reduces credential sprawl but creates a single point of failure if the identity provider is compromised.
Threat Intelligence
APT (Advanced Persistent Threat) -- A sophisticated, typically nation-state or nation-state-sponsored threat actor conducting long-term targeted intrusion campaigns. ICS-targeting APTs include SANDWORM (Russia/GRU), XENOTIME (Russia), CHERNOVITE (assessed Russia), and VOLTZITE (assessed China).
C2 (Command and Control) -- Communication channel between an attacker and compromised systems. Also written as C&C. In OT attacks, C2 may use industrial protocols (Modbus, DNP3) to blend with legitimate traffic, complicating network-based detection.
IOA (Indicator of Attack) -- Behavioral evidence of an ongoing attack, focusing on attacker actions rather than artifacts. IOAs are more useful than IOCs for early detection in OT environments where traditional EDR is absent.
IOC (Indicator of Compromise) -- Forensic artifact suggesting a system has been compromised. Examples: malicious IP addresses, file hashes, registry keys. Useful for detection after an incident but less useful for prevention because attackers can change indicators trivially.
Lateral Movement -- Post-compromise technique where an attacker moves from an initial foothold to other systems in the network. In ICS environments, the most common lateral movement path is from the IT network to OT via the historian, DMZ, or engineering workstation.
Living off the Land (LotL) -- Attack technique using legitimate system tools and software (PowerShell, WMI, PsExec) rather than custom malware to evade detection. VOLTZITE is assessed to use LotL techniques extensively in critical infrastructure targeting. Particularly effective in OT where endpoint detection is minimal.
Pivot -- Using a compromised system as a stepping stone to attack other systems. In ICS attacks, the historian or DMZ server is commonly used as the pivot point between IT and OT networks because these systems have network adjacency to both zones.
TTP (Tactics, Techniques, and Procedures) -- Describes how a threat actor operates. Tactics are high-level goals; techniques are the methods used to achieve them; procedures are specific implementations. Documented in the MITRE ATT&CK for ICS framework.
BreachSpider Platform
Asset-to-CVE Matching -- BreachSpider's process of connecting enriched CVE data to assets in your environment. High-confidence matches use product ID and version range data. Low-confidence matches use vendor-only data. Matching runs automatically when assets are added or updated and when new CVEs are ingested.
Board Report -- BreachSpider report format designed for executive and board audiences. Presents security posture in business terms: risk score trends, KEV exposure, remediation velocity, compliance status. Generated from the Reports section. Does not contain raw CVE data.
Confidence Tier -- The reliability level of an asset-to-CVE match. HIGH means product and version were confirmed against the CVE's affected range. LOW means vendor-only match without version confirmation. Confidence tier determines whether a finding is actionable or requires further asset enrichment.
Finding -- A confirmed match between a CVE and an asset in your environment. A finding is more specific than a CVE: it connects a known vulnerability to a specific device in your environment with a confidence tier (HIGH or LOW) and a remediation priority.
IIoT (Industrial Internet of Things) -- Connected sensors, devices, and systems in industrial environments. IIoT devices often run lightweight firmware with limited patching capability and expand the attack surface beyond traditional ICS components.
Magic Link -- BreachSpider's passwordless authentication method. A one-time login link is sent to the user's registered email address. The link expires after 15 minutes. No password is stored or transmitted.
PSIRT (Product Security Incident Response Team) -- Vendor team responsible for receiving vulnerability reports and coordinating patches. Major ICS vendors (Siemens ProductCERT, Schneider PSIRT, Rockwell PSIRT) publish advisories consumed by BreachSpider.
RAG (Retrieval Augmented Generation) -- AI technique where the model retrieves relevant documents before generating a response. BreachSpider's SAGE uses RAG to ground responses in KEV, CSAF, and enrichment data rather than general AI knowledge.
SAGE (Sovereign AI Governance Engine) -- BreachSpider's proprietary AI reasoning engine for ICS/OT vulnerability analysis. USPTO Provisional Patent App. 64/015,948. Outputs are mathematically confidence-traced, not probabilistic.
Strike List -- BreachSpider's prioritized remediation queue, ranked by BCS score within each environment. Surfaces the highest-priority findings across all assets. The Strike List answers the question: "What do I fix first today?"
Vendor-Wide Match -- A low-confidence finding where a CVE is matched to an asset based on vendor name only, without product or version confirmation. Vendor-wide matches indicate the CVE affects products from that vendor but cannot confirm whether your specific device is affected. Reduce vendor-wide matches by adding specific product IDs and version numbers to your assets.
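The Asset-to-CVE Matching, Confidence Tier and Vendor-Wide Match entries describe one matching procedure. The following is an added example written for this glossary, not BreachSpider's own matcher: it assumes dotted numeric version strings, inclusive-start / exclusive-end affected ranges, and that a known product ID or version which positively rules an asset out produces no finding. Vendor and product names in the sample data are constructed placeholders.

```python
"""Asset-to-CVE matching with HIGH/LOW confidence tiers (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    product: Optional[str] = None   # product ID; None means not yet enriched
    version: Optional[str] = None   # firmware/software version; None means unknown


@dataclass(frozen=True)
class AffectedRange:
    vendor: str
    product: str
    version_start: Optional[str] = None  # inclusive lower bound; None = unbounded
    version_end: Optional[str] = None    # exclusive upper bound; None = unbounded


@dataclass(frozen=True)
class CVERecord:
    cve_id: str
    affected: Tuple[AffectedRange, ...]


@dataclass(frozen=True)
class Match:
    cve_id: str
    asset_id: str
    confidence: str   # "HIGH" or "LOW"
    reason: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric versions only ("V2.8.1" -> (2, 8, 1)). Other schemes would
    need a vendor-specific comparator (assumption of this example)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def _pad(t: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    return t + (0,) * (width - len(t))


def version_in_range(version: str, start: Optional[str], end: Optional[str]) -> bool:
    """Inclusive start, exclusive end. Tuples are zero-padded to equal length so
    that "2.9" and "2.9.0" compare equal."""
    v = parse_version(version)
    s = parse_version(start) if start is not None else None
    e = parse_version(end) if end is not None else None
    width = max(len(x) for x in (v, s, e) if x is not None)
    v = _pad(v, width)
    if s is not None and v < _pad(s, width):
        return False
    if e is not None and v >= _pad(e, width):
        return False
    return True


def _norm(s: Optional[str]) -> str:
    return (s or "").strip().lower()


def match_asset(asset: Asset, cve: CVERecord) -> Optional[Match]:
    """Best match of one asset against one CVE, or None.
    HIGH: product ID and version confirmed inside an affected range.
    LOW:  vendor (or vendor + product) matched but version not confirmed."""
    best: Optional[Match] = None
    for rng in cve.affected:
        if _norm(rng.vendor) != _norm(asset.vendor):
            continue
        if asset.product is None:
            # Vendor-wide match: vendor name only, no product or version confirmation.
            best = best or Match(cve.cve_id, asset.asset_id, "LOW",
                                 "vendor-wide match; add product ID and version to confirm")
            continue
        if _norm(rng.product) != _norm(asset.product):
            continue  # known product that this range does not cover
        if asset.version is None:
            best = best or Match(cve.cve_id, asset.asset_id, "LOW",
                                 f"product {asset.product} matched; version unknown")
            continue
        if version_in_range(asset.version, rng.version_start, rng.version_end):
            return Match(cve.cve_id, asset.asset_id, "HIGH",
                         f"{asset.product} {asset.version} within affected range "
                         f"[{rng.version_start}, {rng.version_end})")
        # Version confirmed outside this range: not a finding for this range.
    return best


def match_all(assets: Iterable[Asset], cves: Iterable[CVERecord]) -> List[Match]:
    """Batch matching of every asset against every CVE."""
    cve_list = list(cves)
    return [m for a in assets for c in cve_list if (m := match_asset(a, c)) is not None]


# Constructed sample data with placeholder vendor, product and CVE identifiers.
SAMPLE_ASSETS = [
    Asset("hmi-01", "ExampleVendor", "ExampleHMI", "2.8.1"),   # inside affected range
    Asset("hmi-02", "ExampleVendor"),                         # vendor only known
    Asset("hmi-03", "ExampleVendor", "ExampleHMI", "3.0.0"),   # fixed build
    Asset("sw-02", "OtherVendor", "EdgeSwitch", "1.2"),        # different vendor
]
SAMPLE_CVES = [
    CVERecord("CVE-0000-0001",
              (AffectedRange("ExampleVendor", "ExampleHMI", "2.0", "2.9"),)),
]

if __name__ == "__main__":
    for m in match_all(SAMPLE_ASSETS, SAMPLE_CVES):
        print(f"{m.cve_id} -> {m.asset_id}: {m.confidence} ({m.reason})")
```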
Vulnerability Types and CWE Reference
The top CWEs by frequency in the BreachSpider corpus of 354,000+ CVEs. Each entry describes the weakness class, its ICS/OT relevance where applicable, and typical impact.
CWE-20: Improper Input Validation -- Software does not validate or incorrectly validates input, allowing attackers to craft data that is processed in an unintended way. In ICS environments, improper input validation on protocol parsers (Modbus, DNP3, OPC-UA) can cause PLCs and gateways to crash or execute arbitrary code.
CWE-22: Path Traversal -- Attacker manipulates file path inputs (using ../ sequences or encoded variants) to access files outside the intended directory. On HMIs and web-based SCADA interfaces, path traversal can expose configuration files, credentials, or process data.
CWE-59: Improper Link Resolution Before File Access (Symlink Attack) -- Software follows symbolic links without verifying the target, allowing an attacker to read, write, or delete unintended files. Relevant on engineering workstations and historians running on Linux or Windows where temp directories are shared.
CWE-74: Injection -- Parent class for all injection vulnerabilities where attacker-supplied data is interpreted as code or commands. Encompasses SQL injection, command injection, LDAP injection, and others. The root cause is mixing data and control channels.
CWE-77: Command Injection -- Attacker injects operating system commands through application inputs that are passed to a shell or system call. Similar to CWE-78 but involves commands interpreted by the application rather than the OS shell directly. Common in network appliances and industrial gateways with web management interfaces.
CWE-78: OS Command Injection -- Attacker injects operating system commands through application inputs that are passed to system() or equivalent calls. On HMIs and engineering workstations running Windows, OS command injection typically leads to SYSTEM-level code execution. From there, an attacker can reach connected PLCs via TIA Portal or Studio 5000.
CWE-79: Cross-Site Scripting (XSS) -- Attacker injects malicious scripts into web pages viewed by other users. The injected script runs in the victim's browser with the same privileges as the legitimate page. In OT, XSS on web-based HMIs or SCADA portals can be used to hijack operator sessions or modify displayed process values. The most frequently reported CWE in the BreachSpider corpus (44,000+ CVEs).
CWE-89: SQL Injection -- Attacker inserts SQL commands into application queries through user-controlled input, allowing unauthorized database access, modification, or deletion. In ICS contexts, SQL injection on historian web interfaces or asset management portals can expose process data or enable privilege escalation.
CWE-94: Code Injection -- Attacker injects arbitrary code that is then executed by the application. Distinct from command injection (CWE-78) in that the injected code runs within the application process rather than spawning a shell. Common in scripting environments, template engines, and industrial software that evaluates user-supplied expressions.
CWE-119: Improper Restriction of Operations within Memory Buffer -- Parent class for buffer-related vulnerabilities (overflows, underflows, out-of-bounds access). Software performs operations on a memory buffer without ensuring the operation stays within the buffer boundary. Extremely common in C/C++ firmware running on PLCs, RTUs, and embedded industrial devices.
CWE-120: Buffer Copy without Checking Size (Classic Buffer Overflow) -- Program copies data to a buffer without verifying that the source data fits within the destination buffer. The foundational buffer overflow class. In embedded ICS firmware, this typically leads to device crash or remote code execution.
CWE-121: Stack-Based Buffer Overflow -- Buffer overflow that corrupts data on the program stack, typically overwriting the return address to redirect execution. In ICS context, this typically leads to remote code execution on PLC or HMI firmware. A compromised PLC can manipulate physical processes directly. High severity regardless of CVSS network vector.
CWE-122: Heap-Based Buffer Overflow -- Buffer overflow that corrupts dynamically allocated memory on the heap. Exploitable for arbitrary code execution through heap manipulation techniques. Common in industrial protocol parsers and file format handlers in engineering software.
CWE-125: Out-of-Bounds Read -- Software reads data past the end or before the beginning of an allocated buffer. Can leak sensitive information (memory contents, encryption keys, process data) or cause crashes. Frequently found in protocol parsing code in industrial communication stacks.
CWE-190: Integer Overflow or Wraparound -- Arithmetic operation produces a value that exceeds the maximum for its integer type, wrapping around to a small or negative number. Often leads to undersized buffer allocations followed by buffer overflows. Common in embedded systems with fixed-width integer types.
CWE-200: Exposure of Sensitive Information -- Application reveals data that should be restricted, such as system internals, credentials, or user data. In ICS environments, information disclosure can reveal network topology, firmware versions, or process parameters that aid further attacks.
CWE-264: Permissions, Privileges, and Access Controls -- Broad class covering failures in permission enforcement. Deprecated in favor of more specific CWEs (CWE-284, CWE-862, CWE-863) but still widely referenced in older CVE entries. Indicates the vulnerability involves unauthorized access due to permission mismanagement.
CWE-269: Improper Privilege Management -- Software does not properly assign, modify, track, or check privileges for an actor. Allows users to gain elevated access beyond their intended role. In ICS, this often manifests as operator accounts that can access engineering functions.
CWE-276: Incorrect Default Permissions -- Software sets overly permissive default access rights during installation or resource creation. Common in industrial software installations that run as SYSTEM or root by default and leave configuration files world-readable.
CWE-284: Improper Access Control -- Software does not restrict or incorrectly restricts access to a resource. Parent class for authorization-related vulnerabilities. In ICS, improper access control on web portals or REST APIs can allow unauthorized users to read or modify process configurations.
CWE-287: Improper Authentication -- Software does not prove or insufficiently proves that the user is who they claim to be. Authentication bypass vulnerabilities in industrial software allow unauthenticated access to control systems. Common in web interfaces for HMIs and SCADA systems where default credentials or weak session management persist.
CWE-306: Missing Authentication for Critical Function -- Software does not perform any authentication for functionality that requires a verified identity. The most consequential CWE in ICS/OT. Modbus, DNP3, and many older industrial protocols have no authentication by design. Any device on the network can send control commands. Network segmentation is the primary compensating control.
CWE-310: Cryptographic Issues -- Broad class covering misuse of cryptography: weak algorithms, insufficient key length, improper certificate validation, hardcoded keys. In OT, many legacy protocols transmit data in cleartext, and firmware updates are often unsigned, enabling man-in-the-middle attacks.
CWE-352: Cross-Site Request Forgery (CSRF) -- Web application does not verify that a request was intentionally sent by the authenticated user. An attacker tricks the user's browser into sending a forged request. On web-based HMIs, CSRF can be used to trigger control actions (setpoint changes, valve operations) through a malicious link sent to an operator.
CWE-362: Race Condition -- Software behavior depends on the sequence or timing of events, and the correct ordering is not enforced. Attackers can exploit the timing window between a security check and the use of the checked resource (TOCTOU). Difficult to exploit reliably but can lead to privilege escalation or data corruption.
CWE-399: Resource Management Errors -- Broad class covering failures in managing system resources (memory, file handles, connections). Deprecated in favor of more specific CWEs but still referenced in older entries. Can lead to denial of service through resource exhaustion.
CWE-400: Uncontrolled Resource Consumption (DoS) -- Software does not properly limit resource usage, allowing an attacker to exhaust CPU, memory, disk, or network bandwidth. In IT environments, a DoS is an inconvenience. In OT environments, a DoS on a PLC or safety controller can stop a production line or prevent safety systems from responding. Treat as higher severity than CVSS suggests in OT context.
CWE-401: Memory Leak -- Software does not release allocated memory after use, causing progressive memory consumption until the process or system fails. On resource-constrained ICS devices (PLCs, RTUs), even small memory leaks can cause operational failures over hours or days of continuous runtime.
CWE-416: Use After Free -- Software references memory after it has been freed, leading to corruption, crashes, or code execution. A high-severity class that is a common target for exploitation in browsers, document parsers, and network protocol handlers. In ICS, use-after-free in protocol stacks can enable remote code execution on field devices.
CWE-434: Unrestricted Upload of File with Dangerous Type -- Application allows file uploads without validating file type, enabling attackers to upload executable code (web shells, malware). On SCADA web servers and HMI file exchange interfaces, this can lead to direct code execution on the control system host.
CWE-476: NULL Pointer Dereference -- Software attempts to use a pointer that is NULL, causing a crash. Typically results in denial of service rather than code execution. On safety-critical ICS devices, an unhandled NULL dereference can take a controller offline.
CWE-502: Deserialization of Untrusted Data -- Software deserializes data from an untrusted source without validation, allowing attackers to craft serialized objects that execute arbitrary code upon deserialization. Common in industrial application servers, historians, and OPC-UA implementations. Particularly relevant in Java-based industrial software (e.g., GE iFIX, Inductive Automation Ignition).
CWE-639: Authorization Bypass Through User-Controlled Key (IDOR) -- Software uses a user-supplied key (ID, filename, index) to access a resource without verifying the user's authorization for that specific resource. Commonly known as Insecure Direct Object Reference (IDOR). In multi-tenant platforms, IDOR can expose one organization's data to another.
CWE-732: Incorrect Permission Assignment for Critical Resource -- Software sets permissions on a critical resource (config file, registry key, database) in a way that allows unintended actors to read or modify it. In ICS, overly permissive file permissions on PLC project files or historian databases can allow unauthorized process modifications.
CWE-770: Allocation of Resources Without Limits or Throttling -- Software allocates resources (memory, threads, connections) without imposing limits, allowing an attacker to exhaust system resources. In ICS, connection flooding on Modbus TCP port 502 or EtherNet/IP port 44818 can overwhelm PLCs with limited connection tables.
CWE-787: Out-of-Bounds Write -- Software writes data past the end or before the beginning of an allocated buffer. Can corrupt adjacent memory, crash the process, or enable arbitrary code execution. The third most common CWE in the BreachSpider corpus. Frequently found in firmware for PLCs, network switches, and protocol parsers.
CWE-798: Use of Hard-Coded Credentials -- Software contains embedded usernames, passwords, or cryptographic keys that cannot be changed by the administrator. Extremely common in OT firmware and embedded devices. Vendors ship PLCs, HMIs, and industrial switches with fixed default passwords or maintenance backdoors. Often discovered years after deployment. Cannot be remediated without a firmware update.
CWE-862: Missing Authorization -- Software does not perform an authorization check when an actor attempts to access a resource or perform an action. Distinct from CWE-306 (missing authentication): the user may be authenticated but the application does not verify they have permission for the specific operation. Frequently found in REST APIs and web management interfaces.
CWE-863: Incorrect Authorization -- Software performs an authorization check but does it incorrectly, allowing actors to access resources or perform actions beyond their intended privileges. Examples include flawed role checks, permission inheritance errors, and scope confusion in OAuth implementations.
CWE-918: Server-Side Request Forgery (SSRF) -- Attacker causes the server to make HTTP requests to an attacker-chosen destination, potentially accessing internal services or metadata endpoints. In ICS context, SSRF on an internet-facing component (HMI web interface, remote access portal) can be used to pivot into internal OT networks. CR0019 (SteVe OCPP EV charging infrastructure) is an SSRF example from CITED Relevance LLC research.