Which of the following is a common attack vector?

Software bugs are indeed a common attack vector because they represent vulnerabilities in software applications or systems that can be exploited by attackers. Vulnerabilities are often unintended flaws or mistakes in the code that can lead to unauthorized access, data breaches, or system malfunctions. Attackers can take advantage of these bugs to execute a variety of malicious activities, such as injecting harmful code, escalating privileges, or bypassing security controls. Therefore, identifying and addressing software bugs is a critical part of maintaining a secure environment in accordance with best practices outlined in cybersecurity frameworks like ISA/IEC 62443.

The other options represent good security practices or controls rather than attack vectors. Strong authentication procedures help prevent unauthorized access, external compliance audits ensure adherence to security standards, and physical security measures protect against physical threats to facilities and equipment. While these measures are essential for a robust security posture, they do not serve as attack vectors themselves.