OT Cybersecurity Glossary

This glossary of terms was compiled for the benefit of newcomers and experts alike, aiming to clarify terms commonly used within the context of OT (Operational Technology) environments.

 


A

Advanced Encryption Standard (AES)
AES is a symmetric-key block cipher, standardized by NIST in 2001 (FIPS 197), that encrypts 128-bit blocks under a 128-, 192- or 256-bit key; the same key is used for encryption and decryption. It is the default choice for protecting data at rest and in transit in commercial, governmental and industrial systems. AES on its own provides confidentiality only: a mode such as AES-GCM, which adds an authentication tag, is needed to also detect tampering, and the key must be protected and distributed securely, since anyone holding it can decrypt.

Access Control List (ACL)
An access control mechanism that identifies the system entities (users, processes, etc.) that are permitted to access a system resource (files, data, etc.).

Actuator
The component of a device or machine that converts energy into mechanical force, similar to how a muscle in a body converts energy into the movement of a leg or arm.

Advanced Persistent Threats (APT)
An attack that uses sophisticated hacking techniques to not only access a network but also to remain hidden in that network for a long period of time without being detected.

Allowlist
Sometimes called a whitelist, this is a list of entities (e.g., files, applications, hosts, or processes) that are known to be benign and therefore allowed to execute or communicate within an organization and/or information system; anything not on the list is denied by default.

Asset
Anything used by a company to achieve its goals, encompassing equipment, spare parts, tools, vehicles, and buildings.

Asset Lifecycle
The asset lifecycle is typically broken down into four stages:

  • Onboarding: The stage where the asset is assessed rigorously prior to delivery. Once verified as secure, it can be introduced onto the shopfloor.
  • Staging: The stage where the asset’s security configurations are customized by factory operators to minimize vulnerabilities.
  • Production: The stage where the asset is incorporated into the production line after a meticulous auditing of the connections between factory networks and cloud platforms.
  • Maintenance: The stage where the asset is in operation and undergoing regular upkeep procedures so it can remain aligned with the factory environment and security protocols as they evolve.

Attack
An attack is an attempt to gain unauthorized access to system services, resources, or information, or to compromise the integrity, availability, or confidentiality of the system.

Attack Surface
All the potential points in a system where an attacker can gain unauthorized access or initiate malicious behaviors.

Antivirus
Technology and software products that can detect malicious code, prevent systems from being infected, and remove any malicious code.

Authentication
The process of verifying that a user, process, or device is who or what it claims to be, typically performed before granting entry to a system or access to resources within it. Authentication confirms the identity that was asserted during identification; it does not by itself decide what the entity may do (see Authorization).

Authorization
Typically given in conjunction with authentication, authorization determines the access rights of a system entity attempting to access a system. This process ascertains what access rights an entity has once its identity has been successfully verified.

B

Backdoor
A means of entry that bypasses normal authentication to reach protected data or a computer system. Some are left in place by developers or vendors for troubleshooting (hard-coded credentials, undocumented service accounts); attackers also install their own backdoors after a compromise so they can return without repeating the original intrusion. Either kind should be treated as a vulnerability and removed.

Behavioral Analytics (BA)
A technique that leverages analytics, artificial intelligence (AI), big data, and machine learning (ML) to detect malicious activity based on anomalous behavior.

Botnet
A botnet is an ‘army’ of compromised computers or devices under an attacker’s remote control. Operators use botnets to distribute malware and spam, or to flood a target with traffic in a distributed denial-of-service (DDoS) attack; poorly secured IoT and IIoT devices are frequent recruits.

Buffer Overflow
When more input is written into a buffer (a fixed-size data holding area) than it can hold, the excess overwrites adjacent memory, such as other variables, pointers or a function’s return address. Adversaries use this condition to crash a system (a denial of service) or to redirect execution to code of their choosing and take control of it. It is a memory-safety defect typical of software written in C and C++, which includes much PLC, RTU and HMI firmware, and is mitigated by bounds checking, compiler protections and memory-safe languages.

C

CIA Triad
The foundational cybersecurity principles of confidentiality, integrity, and availability. In IT, confidentiality is key, while in OT, availability takes precedence.

Cloud Computing
An alternative to using local computer systems to store, manage, and process data, cloud computing uses remote servers in the datacenter of a cloud provider instead.

Common Industrial Protocol (CIP)
A suite of messages and services for the control, safety, synchronization, configuration and information needs of industrial automation devices, maintained by ODVA (originally the Open DeviceNet Vendors Association). CIP is carried over EtherNet/IP, DeviceNet and ControlNet. Like most industrial protocols it was not designed with authentication or encryption; the CIP Security extensions add them, but many deployments rely on network segmentation instead.

Common Vulnerabilities and Exposures (CVEs)
A catalog of publicly disclosed vulnerabilities in which each entry receives a unique identifier (CVE-YYYY-NNNN) so that vendors, researchers and tools can refer to the same issue unambiguously. The CVE program is run by the MITRE Corporation and sponsored by CISA within the U.S. Department of Homeland Security. A CVE record identifies a vulnerability; it does not by itself indicate that the vulnerability is being exploited (see the KEV Catalog) or how severe it is.

Computer Numerical Control (CNC)
The automated control of machine tools (their control, movement and precision) via the preprogrammed computer software that is built into the tools.

Confidentiality
Controlling information access to keep data secure or private.

Control
The part of the ICS responsible for overseeing and managing physical processes, incorporating all control servers, field devices, actuators, sensors and the communication systems that provide support.

Control Center
The control center includes a control server and communication routers, with additional components like the Human Machine Interface (HMI), engineering workstations and the data historian all linked via a Local Area Network (LAN). It gathers and logs information from field sites, displays it on the HMI, and can trigger actions based on detected events. The control center also manages centralized alarms, trend analysis, and reporting.

Control Loop
A system that uses sensors to measure, a controller to make decisions, and actuators to enact said decisions. Take a thermostat for example; it senses the temperatures, decides if it needs to heat up or cool down, and then adjusts accordingly.

Control Server
The control server, essential in an Industrial Control System (ICS) network, runs the supervisory control software that communicates with lower-tier control devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). In the context of Supervisory Control and Data Acquisition (SCADA) systems this server is frequently referred to as a SCADA server, Master Terminal Unit (MTU), or supervisory controller. Because it can issue commands to every controller it manages, it is a high-value target and should be reachable only from the control zone.

Controller
A program or device that automatically regulates a controlled variable.

Critical Infrastructure
The assets, networks, and systems that underpin the function of civilians’ daily lives. Any threat to a critical infrastructure sector could have severe national security, economic, and public health or safety consequences.

Cyber Espionage
The theft of data, information, or intellectual property from and through computer systems.

Cyberattack
Another term for attack.

Cyber-Physical Systems (CPS)
Modern digital systems that integrate computing, communication, and physical processes, enabling digital commands to directly impact the physical world.

Cyber-Physical Systems Detection and Response (CPSDR)
TXOne Networks’ approach to security that combines agent-based behavioral analysis and device fingerprinting to detect changes in operational baselines and curtail unexpected system changes before they can affect the organization’s operations.

Cybersecurity Framework (CSF)
Released by the NIST (National Institute of Standards and Technology), this serves as an outline for cybersecurity best practices for businesses and is a voluntary guidance. It encompasses 6 areas: Identify, Protect, Detect, Respond, Recover and Govern.

Cybersecurity & Infrastructure Security Agency (CISA)
A component of the US Department of Homeland Security dedicated to the protection of cybersecurity and infrastructure across all levels of government and throughout all the US states.

D

Database
A storage place for information which typically contains data from entire organizations, such as process details, personnel information, recipes, and financial records.

Data exfiltration
The theft or unauthorized movement of data from personal or corporate devices.

Decryption
Reverting encrypted messages back into their original form (plaintext).

Deep Packet Inspection (DPI)
A method of identifying threats by examining the payload of network packets rather than only their headers (addresses, ports). For OT traffic this means decoding the industrial protocol itself, so that a rule can distinguish, for example, a read of PLC data from a command that changes the controller’s program or operating mode.

Defense-in-Depth
A strategy that combines people, technology, and operations capabilities to prevent reliance on any single point for security. This layered approach to cybersecurity controls assumes that threats can come from multiple sources, reducing the risk of a single vulnerability compromising the entire system’s security.

Demilitarized Zone
A logical segment within the network perimeter, strategically placed between internal and external networks to enforce the Information Assurance policy of the internal network during external data exchanges. It allows limited access to external, untrusted sources for publishable information while safeguarding internal networks from external attacks.

Denial of Service
Blocking authorized entities from accessing a system resource or delaying system operations and functions.

Digitalization
Adopting digital technologies to transform an organization into a digital business that provides new revenue and value-producing opportunities.

Distributed Control System (DCS)
As opposed to a centrally located control system, the control of a process in a DCS is achieved through multiple interconnected units or components that work in tandem, each with its own level of intelligence or control capability. This distributed approach allows for more flexibility, scalability, and redundancy in the control system and also means that the rest of the system can continue to operate independently or with minimal disruption should one part of the system fail.

Domain
A logical grouping of devices and system resources within an environment or context. Users are given access rights to those resources according to a security policy, security model, or security architecture that applies to everyone within the domain.

Domain Name System (DNS)
The method through which domain names are translated into Internet Protocol (IP) addresses so they can be easily located.

E

Encryption
The transformation of data through cryptography from plaintext into ciphertext in order to hide the data’s original meaning and thus prevent it from being known or used.

End-of-Life (EoL)
The final stage of an asset or product, meaning it is no longer of use to the organization or operations and will no longer be maintained.

Endpoint
Physical devices, such as laptops, which are connected to a computer network and thus able to exchange information with said networks.

Endpoint Detection and Response (EDR)
A security tool that continuously monitors devices used by end-users. It gives security teams a clear view of what’s happening on these devices and helps detect various types of threats, including known, unknown, and advanced threats. Additionally, it has capabilities to respond to these threats effectively. Notably, it operates off behavior-centric analysis rather than signature-centric analysis.

Engineering Workstation (EWS)
A computer used for developing and supporting process control applications. Process control applications monitor and manage industrial processes such as temperature, pressure, and chemical composition to ensure efficiency, safety, and reliability.

Exploit
A piece of code or a program that takes advantage of a specific vulnerability in an application or system to produce an effect the designers did not intend, such as running arbitrary code, gaining elevated privileges or crashing the target. Exploits are used by attackers and, under authorization, by penetration testers.

Extensible Markup Language (XML)
A set of rules that allows data to be organized using simple, easy-to-understand tags. These tags, which are like labels or markers enclosed in angle brackets (<>), help define, send, check, and parse data between different programs and organizations. This structure ensures that data is well-organized and can be easily read and interpreted by both humans and computer systems.

F

Fab
Short for ‘fabrication’, this term is shorthand used in manufacturing industries to refer to semiconductor production facilities and is synonymous with semiconductor fabrication plants.

Failover
The process of automatically switching to an alternative computer, network, system or resource when a primary one fails, with the goal of minimizing or preventing negative impacts on users and ensuring operational continuity.

File Transfer Protocol (FTP)
A standard network protocol for transferring files between hosts, used by businesses, individuals and websites to upload and download files. FTP sends credentials and file contents in cleartext, so anyone able to observe the traffic can read both; where it survives on legacy OT equipment it should be confined to a segmented network, and SFTP or FTPS used wherever the equipment supports them.

Firewall
Firewalls are devices that manage data flow between interconnected networks. They can either be software on a standard computer or a dedicated hardware appliance. By forwarding or dropping packets based on predefined rules, firewalls help create secure zones within a network and regulate open ports to protect against unauthorized access.

H

Hacker
An individual capable of compromising or controlling digital devices and networks via unauthorized access to an account or network. There are 3 types of hackers:

  • Black hat hackers: Those who discover vulnerabilities in computer systems and software for the purpose of exploiting them for personal gain (financial or reputational) or with other malicious intent.
  • White hat hackers: Those who use their technical skills, with the owner’s authorization, to test network security, thereby revealing the vulnerabilities of a system and giving organizations the chance to address them.
  • Grey hat hackers: Those who act without authorization, and so violate standards and principles, but differ from black hat hackers in that their purpose is the common good, not causing harm or personal gain.

Hardening
The process of reducing a system’s attack surface: removing or disabling unneeded software, services, accounts and ports, applying secure configuration settings, restricting privileges and keeping the system patched. Hardening guides exist for most operating systems and many OT products; vendor-supplied defaults are rarely hardened.

Human Machine Interface (HMI)
The hardware or software that enables a person to interact with a device, system, or machine, such as touchscreens and keyboards. Operators and engineers can use these for monitoring and configuration purposes.

I

Identification
The step in which a user, process, or device asserts an identity, for example by presenting a username or certificate. Identification only makes the claim; verifying that the claim is genuine is authentication.

Incident
An event that potentially harms, or actually harms, the confidentiality, integrity, or availability of an information system or its data, or that violates security policies and procedures.

Incident Response
The contingency plan or strategy that an organization establishes in the event of a cyberattack.

Industrial Control System
An ICS provides digital or physical ways for humans to interface with machinery to monitor, regulate, and control its behavior in automated industrial processes. This term includes various types of control systems, such as Supervisory Control and Data Acquisition (SCADA) systems, and configurations like Programmable Logic Controllers (PLC).

Industrial Internet of Things (IIoT)
The extension of the Internet of Things (IoT) to industrial sectors and applications, the IIoT is integral to the rapid transformation and optimization of cyber-physical systems and production processes. Real-time data from sensors inform the “decisions” of industrial devices and infrastructures while machines are enabled to take on and automate tasks that were out of their reach in previous industrial revolutions. The same connectivity exposes devices that were designed for isolated networks, so each IIoT link needs to be inventoried and segmented.

Input/Output (I/O)
The way data is transferred or communicated from an information system (like a computer) to another computer system or human operator in the outside world.

Integrity
Integrity refers to keeping information intact by safeguarding it from unauthorized changes or destruction, and by ensuring its authentication and non-repudiation.

Internet Protocol (IP)
A set of rules that governs the communication and exchange of data over the Internet by organizing data into packets, ensuring both sender and receiver follow the same protocols for data transmission.

Information Technology (IT)
The use of computers, networks, storage and other physical devices to create, secure, store, process and exchange electronic data.

Internet of Things (IoT)
The Internet of Things refers to when physical devices are connected to the Internet. These “smart” devices are capable of gathering and sharing data from their surroundings with other devices and networks. The analysis and processing of this data enables these devices to function with little to no human interaction, improving the levels of automation as IoT continues to evolve.

Intrusion Detection System (IDS)
A network device or security service that monitors network traffic or system events for signatures of known threats and for anomalous behavior, and raises real-time or near-real-time alerts about unauthorized attempts to access system resources. An IDS observes and reports but does not block, which makes passive, out-of-band deployment (for example from a switch mirror port) the usual choice in OT networks, where an inline device that drops legitimate control traffic could interrupt the process.

Intrusion Prevention System (IPS)
A system designed to identify and ideally halt intrusive activities before they can reach their intended targets.

International Organization for Standardization (ISO)
Established in 1947 as an independent, non-governmental entity, ISO gathers international expertise to establish best practices. Its mission encompasses addressing issues ranging from climate change to artificial intelligence, with a focus on enhancing the quality of life worldwide.

K

Known Exploited Vulnerabilities (KEV) Catalog
Published and maintained by the Cybersecurity & Infrastructure Security Agency (CISA), this catalog is a list of vulnerabilities that have been successfully exploited in the wild. This compilation was created to help organizations stay informed on threat activity and help them manage their own vulnerabilities.

L

Lateral Movement
A technique used by attackers to expand their access within a network after gaining initial unauthorized entry. This allows them to reach valuable assets and maintain persistence in the network.

Legacy System
Outdated software, hardware, or technology that remains in use due to user familiarity, high replacement costs, or its integral role in the organization’s operations.

Local Area Network (LAN)
A group of computers and devices located within a limited geographical area, connected by a communication link that allows interaction among all devices on the network.

M

Malware
Software or firmware designed to perform unauthorized processes, such as stealing data or causing damage, which compromises the confidentiality, integrity, or availability of information systems. While often used for financial gain, malware can also be deployed by state-sponsored hackers.

Malware Signature
In cybersecurity, a malware signature is a clear indicator or pattern, like a footprint, linked to a malicious attack directed at a computer network or system. This pattern can be observed as a specific byte sequence within files or network transmissions.

Man-in-the-Middle Attacks
A form of cyberattack in which the attacker positions themselves between two communicating parties, relaying traffic so that each believes it is talking directly to the other, in order to read, steal or alter the data in transit. Industrial protocols that lack authentication and encryption are particularly exposed, since a man-in-the-middle can also change commands and sensor values.

Mean Time to Recovery (MTTR)
An average of how long it takes to repair a system or asset from the time when failure occurs to when it is operational again.

Micro-Segmentation
The practice of dividing a network into segments so that precise security controls can be applied to each individual segment or zone. This isolation allows more exact control in determining whether two endpoints should access each other, and enables policies based on the principle of least privilege to reduce the risk of lateral movement and data breaches.
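The zone-and-rule model described under Firewall, Demilitarized Zone and Micro-Segmentation can be reduced to a small packet filter. The following is an added example, not code from the original glossary or from any vendor; the zone addresses, hosts and rule base are constructed for illustration, and it evaluates only the packet that opens a connection (a real firewall is stateful and tracks return traffic as well).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed example zones and addresses (hypothetical, not from the page).
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),      # IT network
    "dmz":        ip_network("10.1.0.0/24"),      # IT/OT DMZ: jump host, replicated historian
    "control":    ip_network("192.168.10.0/24"),  # HMIs, engineering workstations
    "field":      ip_network("192.168.20.0/24"),  # PLCs, RTUs
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "allow" or "deny"

# Ordered rule base: first match wins; anything unmatched falls through to the
# implicit default deny. Ports: 443 HTTPS, 3389 RDP, 44818 EtherNet/IP (CIP over TCP).
RULES: List[Rule] = [
    Rule("enterprise", "dmz",     "tcp", 443,   "allow"),  # browse the replicated historian
    Rule("dmz",        "control", "tcp", 3389,  "allow"),  # RDP into OT only from the jump host
    Rule("enterprise", "control", "tcp", 3389,  "deny"),   # no direct IT -> OT remote access
    Rule("control",    "field",   "tcp", 44818, "allow"),  # HMI/EWS -> PLC over CIP
]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"   # an unknown zone never matches a rule, so it is denied

def evaluate(pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); (deny, None) is the default deny."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for i, r in enumerate(RULES):
        if (r.src_zone, r.dst_zone, r.proto) != (src_zone, dst_zone, pkt.proto):
            continue
        if r.dst_port is None or r.dst_port == pkt.dst_port:
            return r.action, i
    return "deny", None

def filter_packets(packets: List[Packet]):
    """Evaluate each packet and return a decision log of (packet, action, rule index)."""
    return [(p, *evaluate(p)) for p in packets]

if __name__ == "__main__":
    # Constructed sample traffic.
    for entry in filter_packets([
        Packet("10.0.5.7", "10.1.0.10", "tcp", 443),          # IT user -> DMZ historian
        Packet("10.0.5.7", "192.168.10.5", "tcp", 3389),      # IT user -> HMI directly
        Packet("192.168.10.5", "192.168.20.21", "tcp", 44818),  # HMI -> PLC
        Packet("10.0.5.7", "192.168.20.21", "tcp", 44818),    # IT user -> PLC (no path)
    ]):
        print(entry)
    # Packets that no rule allows, such as SSH from an HMI to a PLC, are dropped by
    # the default deny; that is what confines lateral movement to the zone it started in.
```

The point to carry into real deployments is the default deny at the end of `evaluate`: every permitted flow between zones is written down explicitly, which also gives the SIEM a list of what normal inter-zone traffic looks like.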

Mitigation
The use of security policies and processes to moderate and lessen the impact of a cyberattack. Mitigation encompasses threat prevention, threat detection and identification and threat remediation.

MITRE ATT&CK
A valuable, continuously updated knowledge base that catalogs cybercriminal behavior, covering each phase of the cyberattack lifecycle. Universally accessible, it aids security teams in modeling, detecting, preventing, and mitigating threats. Though MITRE itself is a name rather than an acronym, ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge. The framework helps simulate cyberattacks, create effective security policies, and enhance security technologies. It organizes tactics and techniques into matrices for enterprise, mobile, and ICS environments, providing a common language for threat prevention and collaboration among security professionals.

Multi-Factor Authentication (MFA)
A method of verifying user identity in which the user must present two or more independent factors, drawn from something they know (a password), something they have (a hardware token or authenticator app), and something they are (a biometric), before gaining access to a resource or system. Two passwords are not MFA; the factors must be of different kinds.
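The sequence Identification, Authentication, Authorization and Access Control List, together with the two-factor login described under Multi-Factor Authentication, can be shown end to end in a few dozen lines. This is an added example, not code from the glossary or any product: the user records, the ACL and the fixed salt are constructed for the demonstration, and the one-time-code seed is the reference secret from RFC 6238 so the codes can be checked against the RFC's test vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Set

# --- Constructed sample data (hypothetical; not from any real system) ---
TOTP_SECRET = b"12345678901234567890"   # RFC 6238 reference seed, shared by both demo users
_SALT = b"fixed-demo-salt"              # constructed; real systems use os.urandom(16) per user

def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256; slow on purpose so brute force is expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

USERS = {
    "operator1": {"pw": hash_password("correct horse", _SALT), "totp": TOTP_SECRET},
    "engineer1": {"pw": hash_password("battery staple", _SALT), "totp": TOTP_SECRET},
}

# Access Control List: resource -> entity -> permitted actions. Anything absent is denied.
ACL: Dict[str, Dict[str, Set[str]]] = {
    "plc-line1": {"operator1": {"read"}, "engineer1": {"read", "write_program"}},
    "historian": {"operator1": {"read"}},
}

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1 over the 30-second counter)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def authenticate(user: str, password: str, code: str, now: int) -> bool:
    """Factor 1: password hash. Factor 2: one-time code. Both must pass."""
    rec = USERS.get(user)
    if rec is None:
        hash_password(password, _SALT)   # same work for unknown users: no username oracle via timing
        return False
    pw_ok = hmac.compare_digest(rec["pw"], hash_password(password, _SALT))
    # Accept the current 30-second step and one step either side to tolerate clock drift.
    totp_ok = any(hmac.compare_digest(totp(rec["totp"], now + d * 30), code) for d in (-1, 0, 1))
    return pw_ok and totp_ok

def authorize(user: str, resource: str, action: str) -> bool:
    """ACL lookup with deny by default: an authenticated identity still needs an entry."""
    return action in ACL.get(resource, {}).get(user, set())

def access(user: str, password: str, code: str, resource: str, action: str, now=None) -> str:
    now = int(time.time()) if now is None else now
    if not authenticate(user, password, code, now):
        return "denied: authentication failed"
    if not authorize(user, resource, action):
        return "denied: not authorized"
    return "granted"

if __name__ == "__main__":
    t = int(time.time())
    print(access("operator1", "correct horse", totp(TOTP_SECRET, t), "plc-line1", "read"))
    print(access("operator1", "correct horse", totp(TOTP_SECRET, t), "plc-line1", "write_program"))
```

Two details matter in practice: comparisons use `hmac.compare_digest` so a wrong password or code takes the same time as a right one, and authorization is checked only after authentication succeeds, so the ACL never has to reason about unverified identities.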

N

National Institute of Standards and Technology (NIST)
Founded in 1901, and now part of the U.S. Department of Commerce, the NIST develops cybersecurity best practices, guidelines and standards, contributing primarily to areas like cryptography, emerging technologies, risk management and identity and access management.

O

One-Day Vulnerabilities
Known vulnerabilities with patches or mitigations available that have not been applied yet. The term ‘one day’ signifies the duration between vulnerability disclosure and system patching. Since this period often lasts longer than a day, these vulnerabilities are sometimes known as ‘n-day’ vulnerabilities.

On-Prem (On-Premises)
Private datacenters or server rooms housed and maintained within a company’s own facilities, as opposed to infrastructure rented from a cloud provider.

Operating System
A system that controls the execution of computer programs and manages resources, input/output, and data. It provides essential commands for applications to run.

Operational Technology (OT)
Commonly utilized in industries such as manufacturing, mining, oil and gas, utilities, and transportation, OT includes systems like Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controllers (PLCs), and Computer Numerical Control (CNC). Unlike IT which focuses on informational activities and data protection, OT is concerned with production output, machinery maintenance, and worker safety, impacting the physical world through the operation of industrial equipment.

Original Design Manufacturer (ODM)
A business that transforms the initial specifications provided by another company or individual into the actual product design according to those specifications.

Original Equipment Manufacturer (OEM)
A business that manufactures products for other companies to sell under their own brands. An example would be an OEM making computers that Dell or Lenovo market as their own.

OT Security
Operational Technology (OT) security involves securing the foundational systems that drive industrial operations, like manufacturing plants and utility grids. These systems demand uninterrupted operation, posing challenges for implementing updates and handling malware incidents efficiently. OT security strategies aim to maintain the reliability of these systems, understand their specialized communication protocols and defend against targeted attacks aimed at exploiting weaknesses in their infrastructure.

OT Zero Trust
A cybersecurity strategy that prioritizes continuous validation of security status, rejecting implicit trust. It emphasizes comprehensive visibility into assets, applications, and user activities and regards all operational assets and activities as untrusted until proven trustworthy. The four cornerstones of OT Zero Trust are:

  • Inspect: Scan all inbound devices brought on site and scan assets before onboarding to prevent supply chain attacks.
  • Lock Down: Trust lists secure endpoints and networks alike by specifying what is allowed and blocking everything else.
  • Segment: Network segmentation groups vulnerable assets into operations-friendly safe zones, preventing attackers from moving and malware from spreading.
  • Reinforce: Shield assets at a network level to secure vulnerabilities in legacy and other unpatched assets without interrupting their work.

P

Packet
A small piece of a larger message. When data is transmitted through a digital network, it gets divided into packets that the computer or device receiving the packets recombines.

Payload
The data transmission’s information, like the cargo in a supply truck. This is often the component of malware that actually carries out the malicious action.

Penetration Testing
An authorized, simulated attack in which a security professional attempts to break into a computer system or network, using the same methods an actual threat actor would, to identify exploitable vulnerabilities before an adversary does. In OT environments testing is normally carried out against test or spare equipment, or passively, because active exploitation can disrupt a running process.

Phishing
A social engineering attack that obtains personal information via email or websites while in the guise of a legitimate organization.

Port
A hardware interface for transmitting data to and from a computing device. Personal computers feature various types of ports, including internal ones for disk drives, monitors, and keyboards, and external ones for modems, printers, mice, and other peripherals. In TCP/IP and UDP networks, “port” refers to an endpoint for a logical connection.

Port Scanning
Employing software to remotely ascertain the accessibility of ports on a system, namely, to see if the system permits connections through those ports.
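A minimal TCP connect scanner, added here as an example (not code from the glossary), shows what "ascertaining the accessibility of ports" amounts to and where the OT caveat sits. The target is constructed: the demo opens listening sockets on the local loopback interface and scans them, so it runs offline without touching any real device.

```python
import socket
import time
from typing import List

def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Full TCP connect probe: True if the target completes the three-way handshake."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def scan(host: str, ports: List[int], delay_s: float = 0.0) -> List[int]:
    """Sequential scan with an optional pause between probes.

    Against OT equipment keep it sequential and slow: PLC and RTU network stacks
    have been known to hang or reboot under fast or malformed scans, so scan a
    test unit first, during a maintenance window, with the process owner's agreement.
    """
    found = []
    for port in ports:
        if probe(host, port):
            found.append(port)
        time.sleep(delay_s)
    return found

def start_listeners(count: int) -> List[socket.socket]:
    """Constructed target: `count` listening sockets on loopback at ephemeral ports."""
    socks = []
    for _ in range(count):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))
        s.listen(5)   # the kernel completes handshakes up to the backlog; no accept loop needed
        socks.append(s)
    return socks

def demo() -> bool:
    """Scan two open loopback ports plus one just-released port; True if the result is exact."""
    listeners = start_listeners(2)
    try:
        expected = sorted(s.getsockname()[1] for s in listeners)
        tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]
        tmp.close()   # bound then released, so this port is closed when scanned
        targets = sorted(expected + [closed_port])
        return scan("127.0.0.1", targets, delay_s=0.05) == expected
    finally:
        for s in listeners:
            s.close()

if __name__ == "__main__":
    print("scan result matches listeners:", demo())
```

A connect scan completes the handshake, which is the noisiest but most reliable method and the one least likely to confuse a fragile device with half-open connections; even so, on a production OT network the preferred source of port information is a passive inventory built from mirrored traffic.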

Principle of Least Privilege (PoLP)
Under this information security principle, each user, process, service or device is granted only the access required to perform its function, and no more. It applies as much to service accounts, PLC connections and firewall rules as to human users, and complements zero trust, which adds continuous verification of the identity and state of whatever is requesting access.

Privilege Escalation Attack
An attack where the attacker exploits a vulnerability to gain entry to a system and gain higher levels of access that are normally restricted.

Programmable Logic Controller (PLC)
The Programmable Logic Controller (PLC) serves as the brain of industrial setups, processing input from sensors, executing programmed operations, and issuing commands to control devices. Originally designed for basic logic tasks with electrical components, PLCs now handle intricate processes and play a vital role in systems such as SCADA and DCS, extensively employed across industries for machine and process control.

Protocol
A set of rules governing communication between systems, each designed for particular needs like efficiency, reliability, real-time operations, or facilitating communication between legacy and modern systems via IP/Ethernet.

R

Ransomware
Malware that extorts its victims by locking their files through encryption until a ransom is paid to unlock and restore access to the data.

Real-Time
In real-time computing, tasks are carried out in tandem with the related physical process, enabling immediate use of the results to influence the ongoing process.

Remote Desktop Protocol (RDP)
The most commonly used protocol for remote, interactive use of a Windows computer: a user sees and controls the desktop without being physically present in the same location. Internet-exposed RDP with weak or reused credentials is one of the most common entry points for ransomware operators, so it should be reachable only through a VPN or jump host, protected by MFA, and monitored.

Remote Terminal Units (RTUs)
RTUs monitor and control field devices like actuators, sensors and valves, and are commonly installed in a remote location as part of a large system. They are the interface between Supervisory Control and Data Acquisition (SCADA) and physical processes.

Risk
Risk is about understanding how using an information system could impact what an organization does, what it owns, or its stakeholders, based on the possible harm from a threat and how probable it is for that harm to come to pass.

Risk Assessment
The process of systematically identifying risks and gauging the potential consequences of those risks.

S

Safety Instrumented System (SIS)
A protective mechanism using sensors, logic, and controls to stop operations if safety thresholds are breached. Also referred to as Emergency Shutdown System (ESS), Safety Interlock System (SIS), or Safety Shutdown System (SSD).
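The Control Loop entry's thermostat and the SIS entry above describe two separate loops acting on the same actuator. The simulation below, an added example rather than code from the glossary or any vendor, puts them together: a toy heated vessel (constructed physics), a PLC-style hysteresis controller, and an independent trip function that latches the heater off above a high-high limit. Driving the setpoint far above the limit, as a compromised HMI might, shows the SIS bounding the physical outcome regardless of what the controller asks for.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass
class Vessel:
    """Constructed toy model of a heated vessel; one step is one controller scan."""
    temp_c: float = 20.0
    heater_on: bool = False

    def step(self) -> None:
        if self.heater_on:
            self.temp_c += 2.0                         # heating
        else:
            self.temp_c = max(20.0, self.temp_c - 0.5)  # cooling toward ambient

@dataclass
class HysteresisController:
    """The PLC's control logic: on below setpoint minus band, off above setpoint plus band."""
    setpoint_c: float
    band_c: float = 1.0
    heater_cmd: bool = False

    def update(self, measured_c: float) -> bool:
        if measured_c < self.setpoint_c - self.band_c:
            self.heater_cmd = True
        elif measured_c > self.setpoint_c + self.band_c:
            self.heater_cmd = False
        return self.heater_cmd

@dataclass
class SafetyInstrumentedSystem:
    """Independent trip logic: once the limit is reached, the trip latches until a manual reset."""
    trip_limit_c: float
    tripped: bool = False

    def evaluate(self, measured_c: float) -> bool:
        if measured_c >= self.trip_limit_c:
            self.tripped = True
        return self.tripped

def run(setpoint_c: float, scans: int, trip_limit_c: float = 95.0) -> Tuple[float, bool]:
    """Run the loop for `scans` steps; return (highest temperature seen, whether the SIS tripped)."""
    vessel = Vessel()
    plc = HysteresisController(setpoint_c)
    sis = SafetyInstrumentedSystem(trip_limit_c)
    max_temp = vessel.temp_c
    for _ in range(scans):
        measured = vessel.temp_c                  # sensor read; here both systems share one sensor
        tripped = sis.evaluate(measured)          # safety layer evaluates first
        cmd = plc.update(measured)                # controller decides
        vessel.heater_on = cmd and not tripped    # SIS has the final say over the actuator
        vessel.step()                             # physics responds
        max_temp = max(max_temp, vessel.temp_c)
    return max_temp, sis.tripped

if __name__ == "__main__":
    print("normal setpoint 60:", run(60.0, 300))    # settles near 60, no trip
    print("hostile setpoint 150:", run(150.0, 300))  # SIS trips at 95 and holds the heater off
```

The simplification to watch is the shared sensor: a real SIS has its own sensors and wiring precisely so that a spoofed or failed measurement on the control side cannot blind the safety side as well, and a design review of a cyber-physical system should ask whether that independence actually holds on the network.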

Security Assertion Markup Language (SAML)
The primary role of SAML in online security is that it enables you to access multiple web applications using one set of login credentials. It works by passing authentication information in a particular format between two parties, usually an Identity Provider (IdP) and a web application.

Secure Sockets Layer (SSL)
An Internet security protocol, developed by Netscape, that encrypts data during transmission and authenticates the parties through a handshake, providing privacy, authentication and integrity. All versions of SSL are deprecated because of known weaknesses; its successor, Transport Layer Security (TLS), serves the same purpose, and the name ‘SSL’ survives mainly in product names and in the phrase ‘SSL certificate’.

Security Information and Event Management (SIEM)
SIEM (Security Information and Event Management) is a network monitoring technology that collects log data and conducts network inspections to detect threats. It’s a cybersecurity strategy that leverages alerts and security logs from monitoring tools, analyzed using SIEM technology, to guide security practices and response strategies.

Small-to-Medium Businesses (SMB)
Typically, small businesses are characterized as those with employees numbering between 1 and 100, while medium-sized businesses would number between 100-999 employees.

Supervisory Control and Data Acquisition (SCADA)
A SCADA system consists of three main components: sensors and motors (equipment), Programmable Logic Controllers (PLCs) or Remote Terminal Units (RTUs), and Human Machine Interfaces (HMIs). The PLCs and RTUs act as intermediaries, collecting data from the equipment and sending it to the HMIs. HMIs then display this data in a user-friendly format for operators to analyze and react to. These systems allow operators to manage and control equipment over long distances and are widely used in industrial plants, across most verticals.

T

Tactics, Techniques and Procedures (TTP)
A term used by cybersecurity experts to describe a threat actor’s behavior, processes and strategies when launching a cyberattack. The analysis is broken down into three levels:

  • Tactics: The motivation behind the attack, and the overall approach, i.e., what the threat actor intends to gain.
  • Techniques: The methods used by the threat actor to achieve their goals.
  • Procedures: The step-by-step details of the attack, including all the tools and methods used. This helps analysts create profiles to identify the responsible threat actor or threat group.

TCP/IP
The basic language or set of rules used to communicate on the Internet.

Threat
Any situation or event that can exploit a vulnerability, accidentally or intentionally, and damage, destroy or obtain an asset in an organization.

Threat Event
An incident that could lead to harmful consequences or a negative impact.

Threat Intelligence
Information derived from evidence-based analysis of cyberattacks, organized and studied by cybersecurity professionals. This data encompasses the methods used in attacks, indicators of ongoing attacks, and the potential impacts various attack types can have on businesses.

V

Virtual Private Network (VPN)
A method that ensures secure communication over a public network by encrypting the data exchanged between two connected networks. This encryption of all information at the Internet Protocol level is achieved through “tunneling”.

Virtual Patching
A security measure against threats targeting known and unknown vulnerabilities. This defense strategy involves setting up multiple layers of security policies and rules to block exploits from reaching vulnerable network routes. An ideal virtual patching solution should encompass various capabilities, such as monitoring and blocking malicious activities in vital traffic, preventing intrusions, safeguarding web-facing applications, and flexible deployment in physical, virtual, or cloud setups.

Virus
Software that copies itself into other programs, typically with harmful intent. It spreads by integrating into existing software and becomes active when the infected program runs.

Vulnerability
A weakness, or a gap, in an organization’s hardware, software, or procedures that a threat could exploit. Publicly known vulnerabilities are catalogued as CVEs, and the subset known to have been exploited in the wild is listed in CISA’s KEV catalog; unknown (zero-day) vulnerabilities exist alongside them and can likewise be exploited.

W

Watering Hole Attack
A form of cyberattack where the attacker infects websites that the target user commonly visits, so that the victim could be infected with malware.

Whitelist
Sometimes called an allowlist, this is a list of entities (e.g. files, applications, hosts or processes) that are known to be benign and thus allowed to execute within an organization and/or information system.
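The Allowlist/Whitelist entries, the Lock Down cornerstone of OT Zero Trust ("specifying what is allowed and blocking everything else") and the Malware Signature entry describe two opposite detection models. The block below is an added example, not code from the glossary or from TXOne or any product: the "executables" are short constructed byte strings, the signature is an arbitrary pattern chosen for the demonstration, and nothing in it is real malware.

```python
import hashlib
from typing import Dict, Optional

# Constructed sample content standing in for executables on an HMI.
KNOWN_GOOD: Dict[str, bytes] = {
    "hmi_runtime.exe": b"MZ\x90\x00 hmi runtime build 1.4 (constructed)",
    "plc_loader.dll":  b"MZ\x90\x00 plc loader build 2.0 (constructed)",
}
# Signature-centric detection: a byte pattern per known family (constructed pattern).
SIGNATURES: Dict[str, bytes] = {"Demo.Dropper.A": b"DEMO-DROPPER-PATTERN"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The trust list is built during staging from the verified golden image and then
# locked: only these exact hashes may execute on the asset.
ALLOWLIST = {sha256(content) for content in KNOWN_GOOD.values()}

def signature_match(data: bytes) -> Optional[str]:
    """Return the family name if a known pattern appears in the file, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def allowlisted(data: bytes) -> bool:
    """Hash-based allowlisting: unknown or modified files are not on the list."""
    return sha256(data) in ALLOWLIST

def execution_decision(data: bytes) -> dict:
    """Both checks run, but the allowlist is authoritative: deny unless explicitly trusted."""
    sig = signature_match(data)
    allowed = allowlisted(data)
    return {"signature": sig, "allowlisted": allowed, "execute": allowed and sig is None}

# Constructed test subjects covering the cases that separate the two models.
SAMPLES: Dict[str, bytes] = {
    "known_good":    KNOWN_GOOD["hmi_runtime.exe"],
    "known_malware": b"MZ\x90\x00 DEMO-DROPPER-PATTERN payload",
    "novel_malware": b"MZ\x90\x00 repacked dropper, pattern removed",
    "tampered_good": KNOWN_GOOD["hmi_runtime.exe"] + b"\x00patched",
}

def report() -> Dict[str, dict]:
    return {name: execution_decision(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, decision in report().items():
        print(f"{name:14s} -> {decision}")
```

The novel and tampered samples are the instructive rows: the signature scan sees nothing wrong with either, while the allowlist blocks both without knowing anything about them. The cost is the flip side of the same property, since every legitimate update must be re-approved into the list during staging before it will run.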

Worm
An independent program that can self-replicate and spread its complete version to other networked devices, sometimes resulting in the harmful consumption of computer resources.

Z

Zero Day
The term for a vulnerability that is unknown to the vendor and defenders, who have therefore had ‘zero days’ to prepare a fix. A zero-day exploit is an attack that uses such a vulnerability before a patch exists; once the vulnerability is disclosed and a patch becomes available it turns into a one-day (n-day) vulnerability for any system that has not yet applied the patch.

Zero Trust
Built on the concept of “never trust, always verify”, this cybersecurity principle emphasizes the most stringent authentication and verification protocols possible to protect organizations’ data and systems. Operating under the zero trust concept, every single person, asset, application and network is presumed a threat until they can be proven trustworthy.