OT Security Glossary
Comprehensive reference guide for Operational Technology security terminology, designed for cybersecurity professionals, engineers, and industry specialists.
ADC (Analog to Digital Converter)
An electronic device that converts continuous analog signals (such as voltage or current from sensors) into discrete digital values that can be processed by digital control systems. In OT environments, ADCs are critical components in PLCs and other control systems for interfacing with analog field devices like temperature sensors, pressure transmitters, and flow meters.
AIC Triad
A fundamental information security model standing for Availability, Integrity, and Confidentiality. In OT environments, this triad is often prioritized differently than in IT systems, with Availability typically being the highest priority, followed by Integrity, and then Confidentiality, reflecting the critical nature of continuous industrial operations.
Access Control
Security measures that determine who can access specific resources, systems, or areas within an industrial environment. In OT contexts, access control encompasses both physical access to control rooms and equipment, as well as logical access to control systems, ensuring only authorized personnel can view or modify critical operational parameters.
Active Directory
Microsoft's directory service that provides authentication and authorization services for Windows-based networks. In industrial environments, Active Directory integration allows centralized management of user accounts and permissions across both IT and OT domains, though implementation requires careful consideration of OT network segmentation and security requirements.
Actuator
A mechanical or electrical device that converts control signals into physical action, such as opening valves, moving dampers, or starting motors. Actuators are the "muscle" of industrial control systems, executing commands from controllers to manipulate physical processes and maintain desired operational parameters.
Advanced Metering Infrastructure (AMI)
An integrated system of smart meters, communication networks, and data management systems that enables two-way communication between utilities and customers. AMI provides real-time consumption data, remote meter reading capabilities, and supports demand response programs, representing a critical component of smart grid implementations.
Advanced Persistent Threat (APT)
A sophisticated, long-term cyberattack campaign where adversaries gain unauthorized access to networks and remain undetected for extended periods. APT groups typically target critical infrastructure and industrial systems, using advanced techniques to maintain persistence while gathering intelligence or positioning for disruptive attacks on operational technology.
Air Gap
A network security measure that physically isolates critical systems from unsecured networks, including the internet. In OT environments, air gaps provide strong protection against remote cyberattacks, though they can be bridged through removable media, wireless communications, or supply chain compromises, requiring additional security controls.
Alarm Management
The systematic approach to designing, implementing, and maintaining alarm systems in industrial processes to ensure operators receive actionable information about abnormal conditions. Effective alarm management reduces alarm flooding, improves operator response times, and enhances overall plant safety and reliability through prioritization and rationalization of alarm systems.
Alarm Server
A centralized system component that collects, processes, and distributes alarm information from various control systems and field devices. The alarm server provides alarm logging, historical analysis, and notification capabilities, serving as a critical component for maintaining situational awareness and regulatory compliance in industrial operations.
Anomaly Detection
The practice of identifying patterns, events, or behaviors that deviate from established baselines in industrial systems. In OT cybersecurity, anomaly detection systems monitor network traffic, device behavior, and process parameters to identify potential security threats, equipment malfunctions, or operational inefficiencies that require investigation.
Application Whitelisting
A security approach that only allows pre-approved applications to execute on industrial control systems. This proactive security measure prevents unauthorized software, including malware, from running on critical OT assets, significantly reducing the attack surface and maintaining system integrity in industrial environments.
Asset Inventory
A comprehensive catalog of all hardware, software, and network components within an industrial environment, including their configurations, relationships, and security characteristics. Accurate asset inventory is fundamental to OT cybersecurity, enabling risk assessment, vulnerability management, and incident response planning.
Asset Owner
The organization or individual responsible for industrial assets and their associated risks, including cybersecurity risks. Asset owners are accountable for implementing appropriate security measures, maintaining operational continuity, and ensuring compliance with applicable regulations and standards throughout the asset lifecycle.
Attack Surface
The total sum of vulnerabilities and entry points that adversaries can potentially exploit to gain unauthorized access to industrial systems. The OT attack surface includes network interfaces, protocols, applications, physical access points, and human factors, requiring comprehensive security measures across all vectors.
Attack Vector
The specific path or method that adversaries use to gain unauthorized access to industrial systems or networks. Common OT attack vectors include compromised remote access, malicious USB devices, phishing attacks targeting industrial personnel, and exploitation of unpatched vulnerabilities in control system components.
Authentication
The process of verifying the identity of users, devices, or systems before granting access to industrial control systems. Strong authentication mechanisms, including multi-factor authentication, are essential for protecting OT environments from unauthorized access and ensuring accountability for system modifications.
Authorization
The process of determining what actions authenticated users or systems are permitted to perform within industrial environments. Authorization controls ensure that personnel can only access and modify systems and data necessary for their roles, implementing the principle of least privilege in OT security architectures.
Auto/Manual Station
A control interface that allows operators to switch between automatic control (where the control system manages the process) and manual control (where operators directly control equipment). These stations are critical for operational flexibility and emergency response, providing operators with direct override capabilities during abnormal conditions.
Automation Controller
A programmable device that manages industrial processes by receiving inputs from sensors, executing control logic, and sending outputs to actuators. Modern automation controllers integrate multiple functions including safety systems, motion control, and communication interfaces, serving as the central intelligence for industrial automation applications.
Availability
The assurance that industrial systems and data are accessible and usable when needed by authorized personnel. In OT environments, availability is typically the highest priority security objective, as system downtime can result in production losses, safety risks, and environmental hazards that far exceed the impact of data breaches.
APT33
An Iranian threat actor known to target energy sector and ICS environments, focusing on espionage and disruption.
Allanite
A threat group associated with Russian interests, targeting U.S. and U.K. electric utilities through credential harvesting and lateral movement.
BACnet
Building Automation and Control Networks protocol, an ANSI/ASHRAE standard for building automation and control systems. BACnet enables interoperability between different manufacturers' building control devices, supporting applications including HVAC, lighting, fire safety, and security systems through standardized communication methods.
Backup Controller
A redundant control system that automatically takes over operations when the primary controller fails or requires maintenance. Backup controllers are essential for maintaining high availability in critical industrial processes, providing seamless failover capabilities to prevent production disruptions and ensure continuous operation.
Baseline Configuration
A documented set of specifications for industrial control systems that represents a secure, stable operational state. Baseline configurations serve as reference points for change management, security monitoring, and system recovery, enabling organizations to detect unauthorized modifications and maintain system integrity.
Basic Process Control System (BPCS)
The primary control system responsible for normal operation of an industrial process, managing variables such as temperature, pressure, flow, and level. BPCS differs from Safety Instrumented Systems (SIS) in that it focuses on operational efficiency rather than safety protection, though both systems may interact during normal operations.
Bastion Host
A hardened computer system that serves as a secure gateway between different network security zones, particularly between corporate networks and industrial control systems. Bastion hosts provide controlled access for maintenance and monitoring activities while maintaining network segmentation and security boundaries.
Blacklisting
A security approach that blocks known malicious applications, network addresses, or activities while allowing all other traffic by default. In OT environments, blacklisting is generally less effective than whitelisting due to the difficulty of maintaining comprehensive threat intelligence and the potential for zero-day attacks.
Boolean Logic
A form of algebra where all values are either true or false, extensively used in industrial control programming. Boolean logic operations (AND, OR, NOT) form the foundation of PLC ladder logic programming and digital control systems, enabling complex decision-making processes in automated industrial applications.
Buffer Overflow
A cybersecurity vulnerability that occurs when a program writes more data to a buffer than it can hold, potentially overwriting adjacent memory locations and allowing attackers to execute malicious code. Buffer overflow attacks can compromise industrial control systems by exploiting poorly programmed applications or protocols.
Bus Network
A network topology where all devices share a common communication medium, such as a single cable or communication channel. Bus networks are common in industrial applications using protocols like Modbus RTU and DeviceNet, providing simple connectivity but requiring careful consideration of network termination and collision handling.
Bypass Switch
A manual switching device that allows operators to bypass automatic control systems and operate equipment directly. Bypass switches are critical safety and operational features that enable manual operation during maintenance, testing, or emergency conditions when automatic systems are unavailable or unreliable.
CHERNOVITE
A sophisticated threat group identified by Dragos as the developer of the PIPEDREAM malware toolkit, representing the most advanced cross-industry ICS/OT attack capability discovered to date. CHERNOVITE demonstrates extensive knowledge of industrial protocols and has developed capabilities to disrupt, degrade, and potentially destroy physical processes across multiple industrial sectors.
CIA Triad
The fundamental information security model consisting of Confidentiality, Integrity, and Availability. In OT environments, this triad is often reprioritized as AIC (Availability, Integrity, Confidentiality) to reflect the critical importance of maintaining continuous operations in industrial systems, where downtime can have severe safety and economic consequences.
CISA
The Cybersecurity and Infrastructure Security Agency, a federal agency within the U.S. Department of Homeland Security responsible for protecting critical infrastructure from cyber threats. CISA provides guidance, resources, and incident response support specifically for industrial control systems and critical infrastructure sectors.
Centralized Logging
The practice of collecting and storing log data from multiple industrial systems in a single, centralized location for analysis and monitoring. Centralized logging enables comprehensive security monitoring, compliance reporting, and forensic analysis across distributed OT environments while maintaining data integrity and availability.
Change Management
A systematic approach to controlling modifications to industrial control systems, including hardware, software, and configuration changes. Effective change management processes in OT environments include impact assessment, testing procedures, rollback capabilities, and documentation requirements to maintain system security and operational integrity.
Command and Control (C2)
In cybersecurity contexts, the communication channel between compromised systems and attacker-controlled infrastructure. C2 mechanisms enable adversaries to remotely control malware, exfiltrate data, and coordinate multi-stage attacks against industrial systems, making C2 detection and blocking critical for OT security.
Common Industrial Protocol (CIP)
An industrial communication protocol that provides a unified framework for industrial automation applications. CIP is implemented over various network technologies including EtherNet/IP, DeviceNet, and ControlNet, enabling interoperability between different automation devices and systems in industrial environments.
Communication Protocol
A set of rules and standards that define how data is transmitted between devices in industrial networks. Industrial communication protocols like Modbus, DNP3, and OPC UA enable interoperability between different manufacturers' equipment while providing varying levels of security, reliability, and functionality.
Conduits (IEC 62443)
Logical groupings of communication channels that connect different security zones in industrial control systems according to IEC 62443 standards. Conduits provide controlled pathways for data exchange between zones while maintaining security boundaries and enabling monitoring and access control mechanisms.
Configuration Drift
The gradual deviation of industrial control system configurations from their documented baseline states over time. Configuration drift can occur through unauthorized changes, software updates, or environmental factors, potentially introducing security vulnerabilities or operational issues that require regular monitoring and remediation.
Control Center
A centralized facility where operators monitor and control industrial processes, typically containing human-machine interfaces, alarm systems, and communication equipment. Control centers serve as the nerve center for industrial operations, providing situational awareness and control capabilities for distributed industrial assets.
Control Loop
A feedback mechanism in industrial control systems where sensors measure process variables, controllers compare these measurements to setpoints, and actuators adjust the process to maintain desired conditions. Control loops are fundamental building blocks of automated industrial processes, enabling precise and stable operation.
Controller (PLC, PAC, RTU)
Programmable devices that serve as the brain of industrial control systems, executing control logic and interfacing with field devices. Controllers include Programmable Logic Controllers (PLCs), Programmable Automation Controllers (PACs), and Remote Terminal Units (RTUs), each optimized for specific industrial applications and environments.
CrashOverride/Industroyer
A sophisticated malware framework specifically designed to attack power grid infrastructure, first identified in the 2016 Ukraine power grid attack. CrashOverride demonstrates advanced understanding of industrial protocols and can directly manipulate electrical substation equipment, representing a significant escalation in ICS-targeted malware capabilities.
Critical Infrastructure
Essential systems and assets whose incapacitation would have a debilitating impact on national security, economic security, public health, or safety. Critical infrastructure sectors include energy, water, transportation, communications, and manufacturing, all of which rely heavily on industrial control systems requiring specialized cybersecurity protection.
Cyber-Physical System (CPS)
Integrated systems that combine computational elements with physical processes, where embedded computers and networks monitor and control physical operations with feedback loops. CPS represents the convergence of IT and OT technologies, creating new capabilities but also new security challenges requiring comprehensive protection strategies.
Cybersecurity Framework (CSF)
Structured approaches for managing cybersecurity risks, with the NIST Cybersecurity Framework being widely adopted in industrial sectors. The framework provides a common language for cybersecurity activities, organizing them into five core functions: Identify, Protect, Detect, Respond, and Recover, applicable to both IT and OT environments.
CEA Guidelines
Cybersecurity guidelines issued by India's Central Electricity Authority (CEA) focused on critical infrastructure and power sector cybersecurity requirements.
CRA (Cyber Resilience Act)
A European regulation aimed at ensuring hardware and software products are designed with secure-by-default principles throughout their lifecycle.
DCS (Distributed Control System)
A control system architecture where control functions are distributed across multiple autonomous controllers connected by high-speed communication networks. DCS systems are typically used in continuous process industries like chemical plants and refineries, providing centralized monitoring with distributed control capabilities for improved reliability and performance.
DMZ (Demilitarized Zone)
A network security architecture that creates a buffer zone between trusted internal networks and untrusted external networks. In OT environments, DMZs often separate corporate IT networks from industrial control networks, hosting shared services like historians and application servers while maintaining security boundaries.
DNP3
Distributed Network Protocol version 3, an open standard communication protocol used primarily in the electric utility industry for communication between control centers and remote substations. DNP3 provides robust communication over various media types and offers an optional secure authentication extension for protecting critical infrastructure communications.
DNS in OT
Domain Name System services adapted for operational technology environments, providing name resolution for industrial devices and systems. OT DNS implementations require special consideration for security, availability, and network segmentation, often utilizing private DNS zones and redundant configurations to support critical industrial operations.
Data Diode
A hardware-based security device that allows data to flow in only one direction, providing a physically enforced unidirectional pathway for data transfer. Data diodes are used in high-security industrial environments to enable monitoring and data collection from OT networks while preventing reverse data flow or remote access into the protected network.
Defense-in-Depth
A comprehensive security strategy that implements multiple layers of protection throughout industrial control systems, assuming that no single security measure is perfect. Defense-in-depth in OT environments includes network segmentation, access controls, monitoring systems, and physical security measures working together to protect critical assets.
Denial of Service (DoS)
An attack that attempts to make industrial systems or networks unavailable by overwhelming them with traffic or exploiting vulnerabilities to cause system crashes. DoS attacks against OT systems can disrupt critical industrial processes, making availability protection a primary concern in industrial cybersecurity programs.
Deterministic Networking
Network communication that provides guaranteed delivery times and bounded latency for time-critical industrial applications. Deterministic networking is essential for real-time control systems, motion control, and safety applications where precise timing requirements must be met to ensure proper operation and safety.
Device Hardening
The process of securing industrial control devices by removing unnecessary services, applying security patches, configuring strong authentication, and implementing other security measures. Device hardening reduces the attack surface of individual OT components and strengthens the overall security posture of industrial systems.
Digital Twin
A virtual representation of physical industrial assets, processes, or systems that is updated in real-time with data from sensors and other sources. Digital twins enable advanced analytics, predictive maintenance, and cybersecurity applications by providing detailed models of industrial operations for simulation and analysis.
Dragos
A leading industrial cybersecurity company specializing in protecting operational technology environments. Dragos provides threat intelligence, security monitoring, and incident response services specifically designed for industrial control systems, contributing significant research on ICS-focused threat actors and attack techniques.
Dual-Homed Host
A computer system with network connections to two different networks, often used to bridge between corporate IT and industrial OT networks. Dual-homed hosts require careful security configuration to prevent unauthorized network bridging while enabling necessary communication between network segments.
Eavesdropping
The unauthorized interception of communications or data transmissions in industrial networks. Eavesdropping attacks can reveal sensitive operational information, control commands, or credentials, making encrypted communication and network monitoring essential components of OT security strategies.
Edge Device
Computing devices located at the boundary between operational technology networks and external systems, often providing data processing, protocol translation, or security functions. Edge devices enable Industrial Internet of Things (IIoT) applications while serving as critical security enforcement points in OT architectures.
Electrum
A threat group associated with the CrashOverride/Industroyer malware that targeted Ukrainian power infrastructure. Electrum demonstrates sophisticated understanding of power grid operations and industrial protocols, representing state-sponsored capabilities specifically designed to disrupt electrical power systems.
Encryption
The process of converting data into a secure format that can only be read with the appropriate decryption key. In OT environments, encryption protects sensitive operational data and communications, though implementation must consider performance requirements and compatibility with legacy industrial systems.
Endpoint Detection & Response (EDR)
Cybersecurity technology that continuously monitors endpoints for suspicious activities and provides automated response capabilities. EDR solutions adapted for OT environments must balance security monitoring with operational requirements, often focusing on asset discovery, behavioral analysis, and network monitoring rather than traditional endpoint agents.
Engineering Workstation
Specialized computers used by engineers to configure, program, and maintain industrial control systems. Engineering workstations are high-value targets for attackers as they often have privileged access to control systems and may store sensitive configuration files, requiring enhanced security protection and monitoring.
EtherNet/IP
An industrial Ethernet protocol that implements the Common Industrial Protocol (CIP) over standard Ethernet networks. EtherNet/IP is widely used in manufacturing automation, providing real-time communication capabilities and integration with enterprise systems while supporting deterministic control applications.
Event Correlation
The process of analyzing multiple security events and operational data sources to identify patterns, relationships, and potential threats in industrial environments. Event correlation helps security teams distinguish between normal operational variations and genuine security incidents requiring response.
Event Logger / Historian
Systems that collect, store, and manage historical data from industrial processes and control systems. Historians provide valuable information for process optimization, regulatory compliance, and security analysis, serving as critical repositories of operational intelligence and forensic evidence.
Exploit
Code or techniques that take advantage of vulnerabilities in industrial control systems to gain unauthorized access or cause unintended behavior. Exploits targeting OT systems can lead to process disruption, safety hazards, or equipment damage, making vulnerability management critical for industrial cybersecurity.
Factory Acceptance Test (FAT)
A comprehensive testing process conducted at the manufacturer's facility to verify that industrial control systems meet specified requirements before shipment to the installation site. FAT includes functional testing, performance verification, and security validation to ensure systems are ready for deployment.
Fail-Safe
A design principle where industrial systems automatically return to a safe state when malfunctions or abnormal conditions occur. Fail-safe mechanisms are fundamental to industrial safety systems, ensuring that equipment failures or cyberattacks cannot create hazardous conditions that endanger personnel or the environment.
Field Device
Instruments and equipment located in the industrial process area that measure process variables or control physical operations. Field devices include sensors, transmitters, actuators, and analyzers that interface directly with industrial processes, representing the physical layer of control system architectures.
Firewall
Network security devices that monitor and control traffic between different network segments based on predetermined security rules. Industrial firewalls are specifically designed for OT environments, supporting industrial protocols and providing deep packet inspection capabilities while maintaining the low latency required for real-time control.
Firmware
Low-level software stored in non-volatile memory that provides basic operational instructions for industrial control devices. Firmware security is critical in OT environments as compromised firmware can provide persistent access to attackers and is often difficult to detect and remediate using traditional security tools.
Forensics
The scientific investigation and analysis of digital evidence from industrial control systems following security incidents or operational anomalies. OT forensics requires specialized knowledge of industrial protocols, control system behaviors, and process operations to effectively investigate and respond to cyber incidents.
Functional Safety
The achievement of safety through systems that correctly execute safety functions, based on standards like IEC 61508 and IEC 61511. Functional safety systems in industrial environments must be designed to handle both random failures and systematic failures, including those potentially caused by cybersecurity threats.
Fuzz Testing
A software testing technique that provides invalid, unexpected, or random data inputs to industrial control system software to identify vulnerabilities and stability issues. Fuzz testing is particularly important for OT security as it can reveal protocol implementation flaws and buffer overflow vulnerabilities.
GOOSE
Generic Object Oriented Substation Event messages defined in the IEC 61850 standard for electrical substation automation. GOOSE messages provide fast peer-to-peer communication between intelligent electronic devices (IEDs) in substations, enabling rapid protection and control responses with sub-millisecond delivery times.
Gateway
Devices that provide protocol translation, data aggregation, and communication bridging between different industrial networks and systems. Gateways enable interoperability between legacy systems and modern networks while serving as important security chokepoints for monitoring and controlling inter-system communications.
Governance (OT Security Governance)
The framework of policies, procedures, and organizational structures that guide cybersecurity decision-making in industrial environments. OT security governance addresses unique operational requirements, safety considerations, and regulatory compliance needs that differ from traditional IT governance models.
Governance Risk Compliance (GRC)
An integrated approach to managing governance, risk, and compliance activities across industrial organizations. GRC frameworks for OT environments address operational risks, safety regulations, cybersecurity requirements, and business continuity needs through coordinated management processes.
Granular Access Control
Fine-grained authorization mechanisms that control access to specific industrial control system functions, data, or operations based on user roles, time restrictions, and operational conditions. Granular access control enables precise security implementation while maintaining operational flexibility and safety requirements.
Grey Zone
Network segments that contain systems requiring communication with both trusted internal networks and less trusted external networks. Grey zones in industrial architectures often host shared services, remote access systems, or data exchange platforms that require careful security design and monitoring.
Grounding
Electrical safety practices that provide safe paths for electrical current and protect against electrical hazards in industrial installations. Proper grounding is essential for both electrical safety and electromagnetic compatibility, affecting the reliability and security of industrial control and communication systems.
HART
Highway Addressable Remote Transducer protocol, a hybrid analog and digital communication protocol widely used in process automation for communication with field instruments. HART enables digital communication over traditional 4-20mA analog loops, providing device diagnostics and configuration capabilities.
HART Protocol
A bi-directional digital communication protocol that operates simultaneously with 4-20mA analog signals, enabling enhanced communication with field instruments. HART protocol supports device configuration, calibration, and diagnostics while maintaining backward compatibility with existing analog systems.
HMI (Human-Machine Interface)
Software and hardware systems that enable human operators to interact with industrial control systems, displaying process information and accepting operator commands. HMIs serve as the primary interface between human operators and automated industrial processes, requiring careful design for usability, safety, and security.
Hard Real-Time System
Control systems where missing deadlines for critical tasks can result in system failure or catastrophic consequences. Hard real-time systems in industrial applications require deterministic response times and cannot tolerate delays, making them particularly sensitive to cybersecurity measures that might introduce latency.
Hardening
The process of securing industrial control systems by reducing their attack surface through configuration changes, security updates, and removal of unnecessary services. System hardening in OT environments must balance security improvements with operational requirements and system availability.
Hashing
Cryptographic functions that map input of any size to a fixed-length digest, so that any change to the input produces a different digest that is infeasible to forge. In industrial cybersecurity, hashes such as SHA-256 underpin file and firmware integrity checking, message authentication codes, and digital signatures, giving assurance that PLC project files, HMI configurations, and control commands have not been modified. Password storage also relies on hashing, but a plain fast hash is not adequate for it: passwords must be salted and hashed with a deliberately slow construction such as PBKDF2, bcrypt, or Argon2, and digests should be compared with a constant-time comparison.
High Availability
System design approaches that ensure industrial control systems remain operational and accessible even during component failures or maintenance activities. High availability in OT environments typically involves redundancy, failover mechanisms, and fault-tolerant architectures to minimize downtime.
Historian
Specialized database systems designed to collect, store, and manage time-series data from industrial processes and control systems. Historians provide long-term data storage, trend analysis, and reporting capabilities essential for process optimization, regulatory compliance, and security monitoring.
Honeypot
Decoy systems designed to attract and detect unauthorized access attempts in industrial networks. OT honeypots simulate industrial control devices or processes to identify attack techniques, gather threat intelligence, and provide early warning of potential security breaches.
ICS (Industrial Control System)
Integrated hardware and software systems that monitor and control industrial processes, including SCADA systems, DCS systems, and PLC-based systems. ICS encompasses the entire spectrum of automation technology used in critical infrastructure and manufacturing environments.
IDS (Intrusion Detection System)
Security monitoring systems specifically designed to detect unauthorized access attempts, policy violations, and malicious activities in industrial networks. OT-focused IDS solutions understand industrial protocols and can distinguish between normal operational activities and potential security threats.
IEC 62443
The international standard for industrial automation and control systems security, providing a comprehensive framework for securing industrial environments throughout their lifecycle. IEC 62443 defines security levels, zone and conduit models, and systematic approaches to industrial cybersecurity implementation.
IP Whitelisting
A network security approach (also called IP allowlisting) that only permits communication from pre-approved IP addresses, blocking all others by default. It fits OT environments well because communication patterns there are typically well-defined and stable, so a firewall or host rule can enumerate exactly which HMIs and engineering stations may reach a controller. A source address is not an authenticated identity, however: it can be spoofed on a shared segment, and a compromised host on the allowlist inherits its privileges. IP allowlisting is therefore a defence-in-depth control to pair with segmentation, authentication, and monitoring, not a substitute for them.
IT/OT Convergence
The increasing integration and interconnection of Information Technology (IT) and Operational Technology (OT) systems within industrial organizations. Convergence enables new capabilities but also introduces cybersecurity challenges requiring unified security strategies that address both domains.
Incident Response
Structured approaches to handling cybersecurity incidents in industrial environments, including preparation, detection, containment, eradication, and recovery activities. OT incident response requires specialized knowledge of industrial processes and coordination between IT security teams and operational personnel.
Indicators of Compromise (IoCs)
Observable evidence of security breaches or malicious activities in industrial control systems, including unusual network traffic, unauthorized file modifications, or abnormal process behaviors. IoCs help security teams identify, investigate, and respond to potential cyber threats in OT environments.
Input/Output (I/O)
The interface points where industrial control systems receive data from sensors (inputs) and send commands to actuators (outputs). I/O modules are critical components that connect digital control systems to physical processes, requiring proper configuration and security to ensure reliable operation.
Insider Threat
Security risks posed by individuals with authorized access to industrial systems who may intentionally or unintentionally cause harm through malicious actions, negligence, or social engineering exploitation. Insider threats require behavioral monitoring and access controls tailored to operational environments.
Integrity
The assurance that industrial control system data and operations have not been modified in an unauthorized manner. Data integrity and system integrity are critical for maintaining safe and reliable industrial operations, requiring protection against both accidental corruption and malicious manipulation.
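The Hashing and Integrity entries above describe digests as the basis for file integrity checking and password storage. The following is an added example, not code from the glossary: it builds a SHA-256 baseline manifest of a hypothetical set of controller project files, reports any file that was modified, removed, or added since the baseline, and shows a salted PBKDF2 password check alongside it. File names, contents, and passwords are constructed for illustration.

```python
"""File-integrity baseline and salted password verification with hashlib.
Added example, not from the glossary; the files and passwords are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline: one SHA-256 digest per file (e.g. PLC project files, HMI screens)."""
    return {name: sha256_hex(content) for name, content in sorted(files.items())}


def verify_manifest(manifest: Dict[str, str], files: Dict[str, bytes]) -> List[str]:
    """Compare the current file set against the baseline.
    Returns a sorted list of findings; an empty list means an exact match."""
    findings = []
    for name, expected in manifest.items():
        if name not in files:
            findings.append(f"MISSING {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), expected):
            findings.append(f"MODIFIED {name}")
    for name in files:
        if name not in manifest:
            findings.append(f"UNEXPECTED {name}")
    return sorted(findings)


# A fast hash such as plain SHA-256 is the wrong tool for passwords: it can be
# brute-forced at billions of guesses per second.  PBKDF2-HMAC-SHA256 with a
# per-user salt and a high iteration count (OWASP's 2023 figure) is the stdlib option.
PBKDF2_ROUNDS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


# Constructed sample: a tiny "project directory" as it looked when the baseline was taken.
SAMPLE_FILES = {"main.acd": b"rung 1: XIC START OTE MOTOR", "hmi.xml": b"<screen name='overview'/>"}

if __name__ == "__main__":
    baseline = build_manifest(SAMPLE_FILES)
    tampered = dict(SAMPLE_FILES)
    tampered["main.acd"] += b"\nrung 2: OTE BYPASS_SIS"   # an unauthorised rung
    print(verify_manifest(baseline, SAMPLE_FILES))        # []
    print(verify_manifest(baseline, tampered))            # ['MODIFIED main.acd']
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))   # True
```

The manifest itself must be stored where the monitored host cannot rewrite it (an offline copy or a read-only location), otherwise an attacker who alters a project file can regenerate the baseline to match.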
IED (Intelligent Electronic Device)
Smart devices used in substations capable of executing logic, communication, and protection functions in power systems.
ISO/SAE 21434
A global standard for cybersecurity risk management of road vehicles throughout the lifecycle including development, production, and decommissioning.
JSON-RPC
A lightweight remote procedure call protocol that uses JSON for data encoding, sometimes employed in modern industrial control and monitoring applications for web-based interfaces and API communications. JSON-RPC provides simple request-response communication suitable for certain OT integration scenarios.
Jitter
Variations in the timing of periodic signals or network communications that can affect the performance of time-sensitive industrial control systems. Network jitter must be minimized in real-time control applications to ensure precise timing and reliable operation of synchronized processes.
Jump Host
Intermediate systems that provide secure, controlled access to industrial networks from external locations. Jump hosts serve as security chokepoints where remote access activities can be monitored, logged, and controlled while maintaining network segmentation between corporate and operational networks.
Just-In-Time Access
A security approach that provides temporary, time-limited access to industrial systems only when needed for specific tasks. Just-in-time access reduces the window of exposure for privileged accounts and ensures that access permissions are reviewed and approved for each session.
Kernel-Level Protection
Security mechanisms that operate at the operating system kernel level to protect industrial control systems from advanced threats and rootkits. Kernel-level protection provides deep system visibility and control but requires careful implementation to avoid impacting real-time performance requirements.
Key Management System (KMS)
Centralized systems for generating, distributing, storing, and managing cryptographic keys used to secure industrial communications and data. KMS solutions for OT environments must support industrial protocols and provide high availability while maintaining strong security controls.
Kill Chain
A framework describing the stages of cyberattacks, with the ICS Cyber Kill Chain specifically designed for industrial environments. The ICS kill chain helps security professionals understand attack progression and implement defensive measures at each stage to prevent or detect threats.
Kill Chain (ICS Cyber Kill Chain)
A specialized attack framework published by SANS in 2015 (authored by Michael Assante and Robert M. Lee) that describes how adversaries target and compromise industrial control systems in two stages: Stage 1 (intrusion into the ICS network, mirroring a conventional intrusion kill chain) and Stage 2 (developing, testing, and delivering a capability that produces a disruptive or destructive effect on the physical process).
Knowledge Base
Repositories of information about industrial systems, security threats, operational procedures, and troubleshooting guidance. Knowledge bases support security operations, incident response, and maintenance activities by providing centralized access to critical operational and security information.
Knowledge Base (ICS Threat Knowledge Base)
Specialized information repositories containing threat intelligence, attack patterns, and defensive strategies specific to industrial control systems. These knowledge bases help security teams understand the unique threat landscape facing OT environments and implement appropriate countermeasures.
Ladder Logic
A programming language used to develop software for programmable logic controllers (PLCs) that resembles ladder diagrams used in electrical control circuits. Ladder logic provides an intuitive programming method for industrial control applications, using contacts, coils, and function blocks to implement control strategies.
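To make the Ladder Logic entry above concrete, here is an added example (not code from the glossary, and not any vendor's syntax) of a minimal rung evaluator driven by a PLC-style scan cycle. It encodes the classic motor start/stop seal-in rung and an alarm rung, runs several scans, and shows that a coil solved earlier in a scan is visible to later rungs in the same scan. Tag names and the rung encoding are my own shorthand.

```python
"""Tiny ladder-logic interpreter with a PLC scan cycle.
Added example, not from the glossary; tags, rungs and input sequences are constructed."""
from typing import Dict, List, Tuple

Contact = Tuple[str, bool]            # (tag, normally_open): True = XIC, False = XIO
Logic = List[List[List[Contact]]]     # series blocks -> parallel paths -> contacts in series
Rung = Tuple[Logic, str]              # (logic, output coil tag)


def contact_passes(image: Dict[str, bool], tag: str, normally_open: bool) -> bool:
    """XIC passes power when the bit is 1, XIO when it is 0.
    An unknown tag reads as 0, so an XIO on a missing STOP input would pass power;
    this is why real designs wire STOP as a normally-closed button examined with XIC."""
    bit = image.get(tag, False)
    return bit if normally_open else not bit


def evaluate_rung(logic: Logic, image: Dict[str, bool]) -> bool:
    """Series blocks are ANDed; inside a block, any parallel path carries power (OR)."""
    for block in logic:
        if not any(all(contact_passes(image, tag, no) for tag, no in path) for path in block):
            return False
    return True


def scan(rungs: List[Rung], inputs: Dict[str, bool], outputs: Dict[str, bool]) -> Dict[str, bool]:
    """One scan: copy inputs into the image table, solve rungs top to bottom,
    then return the output image.  Coils solved earlier are seen by later rungs."""
    image = {**outputs, **inputs}
    new_outputs = dict(outputs)
    for logic, coil in rungs:
        state = evaluate_rung(logic, image)
        image[coil] = state
        new_outputs[coil] = state
    return new_outputs


RUNGS: List[Rung] = [
    # Rung 1: MOTOR = (START OR MOTOR) AND NOT STOP  -- the seal-in holds the motor on
    ([[[("START", True)], [("MOTOR", True)]],
      [[("STOP", False)]]], "MOTOR"),
    # Rung 2: ALARM = MOTOR AND HIGH_TEMP  -- uses MOTOR as just solved in rung 1
    ([[[("MOTOR", True), ("HIGH_TEMP", True)]]], "ALARM"),
]


def simulate(rungs: List[Rung], input_sequence: List[Dict[str, bool]]) -> List[Dict[str, bool]]:
    """Run one scan per input snapshot and return the output image after each scan."""
    outputs = {coil: False for _, coil in rungs}
    history = []
    for inputs in input_sequence:
        outputs = scan(rungs, inputs, outputs)
        history.append(dict(outputs))
    return history


# Constructed input snapshots: press START, release it, temperature rises, press STOP.
SEQUENCE = [
    {"START": True,  "STOP": False, "HIGH_TEMP": False},
    {"START": False, "STOP": False, "HIGH_TEMP": False},
    {"START": False, "STOP": False, "HIGH_TEMP": True},
    {"START": False, "STOP": True,  "HIGH_TEMP": False},
]

if __name__ == "__main__":
    for n, state in enumerate(simulate(RUNGS, SEQUENCE), 1):
        print(f"scan {n}: {state}")
```

The program logic is the asset an attacker modifies to change physical behaviour (Stuxnet altered controller code this way), so the project file that holds these rungs belongs under the integrity baselining described in the Hashing entry.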
Lateral Movement
Techniques used by attackers to progressively move through a network after gaining initial access, potentially reaching critical OT systems from compromised IT systems. Lateral movement in industrial environments poses significant risks as attackers can progress from business networks to control systems.
Least Privilege
A security principle that restricts access rights to only those resources absolutely required to perform authorized activities, minimizing potential impact of compromised accounts. Implementing least privilege in OT environments requires careful balance between security restrictions and operational flexibility.
Levels (Purdue Model)
Hierarchical layers in industrial environments ranging from physical process equipment (Level 0) to enterprise business systems (Level 5), providing a framework for network segmentation and security architecture design. The Purdue Model helps organizations understand data flows and implement appropriate security controls at each level.
Local Control Panel
A human-machine interface located near equipment it controls, allowing operators to monitor and control industrial processes directly from the field. Local control panels provide manual override capabilities and emergency control functions when centralized control systems are unavailable.
Log Aggregation
The process of collecting and centralizing log data from multiple sources across an OT environment for more effective security monitoring and incident detection. Log aggregation enables comprehensive visibility across distributed industrial systems while maintaining data integrity and supporting forensic analysis.
Logic Solver
A specialized controller that executes safety-critical functions in a Safety Instrumented System (SIS) with high reliability and fault tolerance. Logic solvers are designed to meet specific Safety Integrity Level (SIL) requirements and provide independent protection layers in industrial safety systems.
Lazarus Group
A North Korean state-sponsored group involved in financially and politically motivated attacks, including operations affecting industrial sectors.
MITRE ATT&CK for ICS
A specialized framework that categorizes adversary tactics and techniques specifically targeting industrial control systems, complementing the MITRE ATT&CK Enterprise matrix. The ICS matrix is organized into 12 tactics (from Initial Access through Impact, including ICS-specific ones such as Inhibit Response Function and Impair Process Control) with roughly 80 techniques; the exact technique count changes with each ATT&CK release. The framework helps security professionals map observed behaviour, assess detection coverage, and defend against ICS-specific attacks.
MTTD
Mean Time to Detection, a metric measuring the average time between when a security incident occurs and when it is first detected by monitoring systems or personnel. Reducing MTTD in OT environments is critical for minimizing the potential impact of cyberattacks on industrial operations.
MTTR
Mean Time to Recovery, a metric measuring the average time required to restore industrial systems to normal operation following an incident or failure. MTTR is a key availability metric in OT environments where extended downtime can have severe operational and safety consequences.
Malware
Malicious software specifically designed to compromise, disrupt, or damage industrial control systems. Notable OT malware includes Stuxnet, TRISIS/TRITON, CrashOverride, and PIPEDREAM, demonstrating increasingly sophisticated capabilities to manipulate physical industrial processes.
Man-in-the-Middle (MitM)
An attack where adversaries position themselves between communicating industrial devices to intercept, modify, or inject malicious data into control communications. MitM attacks can compromise the integrity of control commands and sensor data, potentially leading to process disruption or safety hazards.
Modbus
A communication protocol developed by Modicon in 1979 for use with programmable logic controllers, now widely adopted across industrial automation. Modbus is an open standard that runs over serial links (Modbus RTU and ASCII) and over Ethernet (Modbus/TCP, conventionally on port 502). The original protocol has no authentication, integrity, or encryption: any host that can reach a device can read and write its coils and registers. A Modbus/TCP Security specification that wraps the protocol in TLS (port 802) was published in 2018, but most deployed devices still speak plain Modbus, so access control must come from network segmentation and monitoring.
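The Modbus entry above, together with the IDS and IP Whitelisting entries, describes a protocol with no authentication whose traffic a monitoring system must inspect to tell routine polling from state-changing writes. The following added example (not code from the glossary or from any Modbus implementation) decodes Modbus/TCP request frames and flags write requests from hosts that are not on a hypothetical allowlist of engineering stations. The captured traffic, IP addresses, and allowlist are constructed for illustration.

```python
"""Decode Modbus/TCP frames and flag writes from hosts that are not approved writers.
Added example, not from the glossary; frames, addresses and the allow-list are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

# Public function codes that change controller state (Modbus Application Protocol V1.1b3).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes            # PDU payload after the function code

    @property
    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS


def build_request(tid: int, unit: int, pdu: bytes) -> bytes:
    """MBAP header: transaction id, protocol id (0), length of unit id + PDU, unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the function code that follows it.
    Note what is absent: no authentication and no integrity field anywhere in the frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def describe(req: ModbusRequest) -> str:
    """Human-readable summary; decodes the address/value of the two single-item writes."""
    name = WRITE_FUNCTIONS.get(req.function, f"function {req.function}")
    if req.function in (5, 6) and len(req.data) == 4:
        addr, value = struct.unpack(">HH", req.data)
        return f"{name} addr=0x{addr:04x} value=0x{value:04x}"
    return name


def scan_capture(capture: List[Tuple[str, bytes]], allowed_writers: Set[str]) -> List[str]:
    """One alert per write request whose source is not an approved writer,
    plus one per frame that does not parse (fuzzing or a broken client)."""
    alerts = []
    for src, frame in capture:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"MALFORMED from {src}: {exc}")
            continue
        if req.is_write and src not in allowed_writers:
            alerts.append(f"WRITE from unapproved host {src} to unit {req.unit_id}: {describe(req)}")
    return alerts


# Constructed sample traffic (hypothetical addresses): an HMI polling registers,
# the engineering station writing a setpoint, and an unknown host forcing a coil.
ALLOWED_WRITERS = {"10.10.1.20"}                      # engineering workstation
CAPTURE = [
    ("10.10.1.30", build_request(1, 1, struct.pack(">BHH", 3, 0x0000, 10))),      # read 10 regs
    ("10.10.1.20", build_request(2, 1, struct.pack(">BHH", 6, 0x0010, 750))),     # setpoint write
    ("10.10.1.99", build_request(3, 1, struct.pack(">BHH", 5, 0x0003, 0xFF00))),  # coil ON
]

if __name__ == "__main__":
    for line in scan_capture(CAPTURE, ALLOWED_WRITERS):
        print(line)
```

Source IP is the only "identity" available in plain Modbus, so this check is only as strong as the segmentation around the allowlisted hosts; a spoofed packet or a compromised engineering station passes it. That is the reason a monitoring-only allowlist must sit beside a baseline of which registers each host normally touches, not in place of one.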
Monitoring
Continuous observation and analysis of industrial control systems, network traffic, and operational parameters to detect anomalies, security threats, and performance issues. Effective OT monitoring requires understanding of both cybersecurity threats and normal operational behaviors.
Multi-Factor Authentication (MFA)
Authentication methods that require multiple verification factors (something you know, have, or are) to access industrial control systems. MFA significantly enhances security for remote access and privileged accounts in OT environments, though implementation must consider operational workflows.
MITRE D3FEND
A knowledge base from MITRE that maps defensive cybersecurity techniques to known attack behaviors, complementing MITRE ATT&CK and aiding blue team strategies.
NAT
Network Address Translation, a networking technique that modifies IP address information in packet headers while in transit. NAT can provide some security benefits in OT networks by hiding internal device addresses, though it may complicate security monitoring and forensic analysis.
NERC CIP
North American Electric Reliability Corporation Critical Infrastructure Protection standards that establish cybersecurity requirements for electric utility operators. NERC CIP standards mandate specific security controls for bulk electric system assets, including access controls, monitoring, and incident response capabilities.
NIS2 Directive
The European Union's directive on measures for a high common level of cybersecurity across the Union, establishing cybersecurity requirements for essential and important entities including critical infrastructure operators. NIS2 expands coverage and strengthens security requirements compared to the original NIS directive.
NIST Cybersecurity Framework (CSF)
A voluntary framework developed by the National Institute of Standards and Technology that provides guidance for managing cybersecurity risks across critical infrastructure sectors. Version 1.1 organizes cybersecurity activities into five core functions (Identify, Protect, Detect, Respond, Recover); CSF 2.0, released in 2024, adds a sixth, Govern. The functions apply to both IT and OT environments.
NIST SP 800-82
A NIST special publication providing guidance for securing industrial control systems, addressing their specific performance, reliability, and safety requirements. Revision 3 (2023) was retitled "Guide to Operational Technology (OT) Security" to reflect its broader scope. NIST SP 800-82 offers practical recommendations for protecting ICS and OT environments while maintaining operational effectiveness.
Network Access Control (NAC)
Security solutions that control access to industrial networks by authenticating and authorizing devices before allowing network connectivity. NAC systems for OT environments must support industrial protocols and device types while providing visibility into network-connected assets.
Network Segmentation
The practice of dividing industrial networks into separate segments or zones to limit the potential impact of security breaches and control access between different areas. Network segmentation is a fundamental security control in OT architectures, often implemented using VLANs, firewalls, and physical separation.
Non-Repudiation
The assurance that users cannot deny performing specific actions in industrial control systems, typically achieved through digital signatures and audit logging. Non-repudiation is important for regulatory compliance and forensic analysis in critical infrastructure environments.
OPC UA
OPC Unified Architecture, a platform-independent communication protocol that integrates all functionality of OPC Classic specifications into one extensible framework. OPC UA provides secure, reliable communication for industrial automation with built-in security features including encryption, authentication, and authorization.
OSI Model
The Open Systems Interconnection model, a conceptual framework that standardizes communication functions into seven layers. Understanding the OSI model helps industrial network designers and security professionals implement appropriate security controls at different protocol layers.
OT (Operational Technology)
Hardware and software that detects or causes changes through direct monitoring and control of industrial equipment, assets, processes, and events. OT encompasses the technology that interfaces with the physical world in industrial environments, distinguishing it from traditional IT systems.
OT Security Monitoring
Specialized monitoring approaches designed for operational technology environments that understand industrial protocols, process behaviors, and operational requirements. OT security monitoring provides visibility into potential threats while minimizing impact on critical industrial operations.
OTA (Over-The-Air) Updates
Remote software and firmware update mechanisms for industrial devices and systems. OTA updates can improve security and functionality but require careful implementation to maintain system integrity and avoid disrupting critical operations during update processes.
One-Way Communication
Communication architectures, typically implemented with hardware data diodes or unidirectional gateways, that allow data to flow in only one direction, often used to export historian or monitoring data from OT networks. Because no packet can travel back toward the operational network, one-way communication provides a strong security boundary while still enabling monitoring and data collection from operational systems.
Operator Station
Workstations where human operators monitor and control industrial processes through human-machine interfaces. Operator stations are critical components that require robust security measures as they provide direct access to control system functions and operational data.
Orchestration
Automated coordination of multiple systems, processes, or security tools to achieve complex operational or security objectives. Security orchestration in OT environments can automate incident response, vulnerability management, and compliance monitoring while respecting operational constraints.
Overcurrent Protection
Electrical protection systems that detect excessive current flow and automatically disconnect circuits to prevent equipment damage or fire hazards. Overcurrent protection is essential for electrical safety in industrial installations and affects the reliability of control and communication systems.
Overload/Denial-of-Service
Conditions where industrial systems become unavailable due to excessive demand, resource exhaustion, or malicious attacks designed to overwhelm system capacity. Protection against overload conditions is critical for maintaining availability in industrial control systems.
PIPEDREAM (Incontroller)
A sophisticated malware toolkit, attributed by Dragos to the CHERNOVITE threat group and disclosed in 2022 before any known deployment, that represents the first cross-industry disruptive/destructive ICS/OT capability. PIPEDREAM contains modules for interacting with specific PLC families, OPC UA servers, and CODESYS-based controllers, demonstrating extensive knowledge of industrial protocols; Dragos assessed that it could affect tens of thousands of industrial devices across multiple sectors.
Patch Management
Systematic processes for identifying, testing, and applying security updates to industrial control systems while minimizing operational disruption. OT patch management requires careful coordination with operations teams and often involves extended testing periods to ensure system stability.
Penetration Testing
Authorized simulated cyberattacks against industrial control systems to identify vulnerabilities and assess security effectiveness. OT penetration testing requires specialized knowledge of industrial protocols and careful planning to avoid disrupting critical operations.
Perimeter Security
Security controls implemented at network boundaries to protect industrial systems from external threats. Perimeter security in OT environments includes firewalls, intrusion detection systems, and network access controls specifically designed for industrial protocols and requirements.
Physical Security
Security measures that protect industrial facilities, equipment, and personnel from physical threats and unauthorized access. Physical security is particularly important in OT environments where direct access to control systems or process equipment can bypass network security controls.
Policy (Security Policy)
Formal documentation that establishes security requirements, procedures, and responsibilities for industrial control systems. OT security policies must address unique operational requirements, safety considerations, and regulatory compliance needs specific to industrial environments.
Privilege Escalation
Attack techniques that enable adversaries to gain higher-level permissions than initially obtained, potentially reaching administrative or engineering-level access to industrial control systems. Preventing privilege escalation requires proper access controls and system hardening.
Process Historian
Specialized database systems that collect and store time-series data from industrial processes for analysis, optimization, and regulatory compliance. Process historians provide valuable operational intelligence but require security protection as they contain sensitive process information.
Profinet
An industrial Ethernet standard for collecting data from and controlling equipment in industrial systems. PROFINET provides real-time communication over standard Ethernet hardware, with isochronous (IRT) variants for tightly synchronized motion control, and supports a wide range of device types in factory automation applications.
Protocol Gateway
Devices that translate between different industrial communication protocols, enabling interoperability between systems from different manufacturers or technology generations. Protocol gateways serve as critical translation points but also represent potential security vulnerabilities requiring proper configuration and monitoring.
Purdue Model
A hierarchical model for industrial control system architecture that defines levels from field devices (Level 0) to enterprise systems (Level 5). The Purdue Model provides a framework for network segmentation, security zone definition, and data flow control in industrial environments.
PLC (Programmable Logic Controller)
A ruggedized digital computer used to control industrial processes. A PLC runs a continuous scan cycle (read inputs, execute the control program, write outputs), is programmed in IEC 61131-3 languages such as ladder logic, and is typically configured from an engineering workstation, which makes that workstation and the PLC's program download path high-value targets.
QoS
Quality of Service mechanisms that prioritize network traffic to ensure critical industrial communications receive adequate bandwidth and low latency. QoS is essential in industrial networks where real-time control traffic must take precedence over non-critical communications.
Quantum Computing Impact
The potential future impact of quantum computing on industrial cybersecurity, particularly regarding the ability to break current cryptographic algorithms. Organizations must plan for quantum-resistant cryptography to protect long-term sensitive industrial data and communications.
Quarantine Zone
Network segments designed to isolate potentially compromised or suspicious industrial devices while maintaining limited monitoring and analysis capabilities. Quarantine zones enable security teams to investigate threats without allowing them to spread to critical operational systems.
Query Injection
Attack techniques that manipulate database queries or command interfaces in industrial systems to gain unauthorized access or extract sensitive information. Query injection attacks can compromise historian databases, configuration systems, or human-machine interfaces.
Quick Response Test (QRT)
Rapid testing procedures used to verify the functionality and security of industrial control systems, particularly safety instrumented systems. QRT enables fast validation of system integrity following changes or potential security incidents.
RBAC
Role-Based Access Control, a security approach that assigns permissions based on user roles within the organization rather than individual user identities. RBAC simplifies access management in industrial environments by grouping permissions according to job functions and operational responsibilities.
RTU (Remote Terminal Unit)
Microprocessor-controlled electronic devices that interface objects in the physical world to distributed control systems or SCADA systems by transmitting telemetry data and receiving supervisory control commands. RTUs are commonly used in geographically distributed infrastructure like pipelines and power grids.
Ransomware
Malicious software that encrypts industrial control system data or locks operators out of critical systems, demanding payment for restoration. Ransomware attacks against OT systems can halt production and create safety hazards, making backup and recovery capabilities essential.
Real-Time Operating System (RTOS)
Operating systems designed to handle time-critical applications with deterministic response times, commonly used in industrial control systems. RTOS provides predictable performance for safety-critical and time-sensitive control applications but requires specialized security considerations.
Redundancy
The duplication of critical components or functions in industrial systems to provide backup capabilities and improve reliability. Redundancy enhances both availability and safety in OT environments, though it requires careful design to avoid common-mode failures including cybersecurity threats.
Remote Access
Capabilities that allow authorized personnel to access industrial control systems from external locations for maintenance, monitoring, or emergency response. Remote access requires strong security controls including multi-factor authentication, encrypted communications, and session monitoring.
Replay Attack
Cyberattacks where adversaries capture valid industrial control communications and retransmit them later to cause unauthorized actions or system responses. Because many industrial protocols carry no freshness information, a recorded "open valve" command remains valid indefinitely. Protection requires that each message be bound to something the receiver can check for freshness (a monotonic sequence number, a timestamp, or a challenge nonce) and authenticated with a MAC or signature so the freshness field itself cannot be edited.
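The Replay Attack entry above calls for messages that are both authenticated and fresh. The following added example (not code from the glossary, and not any real protocol's format) shows one way to achieve that with HMAC-SHA256 over a monotonic sequence number, and demonstrates that a replayed message, a message with an edited sequence number, and a message under the wrong key are all rejected. The key, command strings, and wire format are hypothetical.

```python
"""Authenticated commands with a monotonic sequence number to defeat replay.
Added example, not from the glossary; key, commands and wire format are constructed."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

KEY = b"\x01" * 32      # hypothetical pre-shared key; in practice provisioned per device
TAG_LEN = 32            # HMAC-SHA256 output size


def sign_command(key: bytes, seq: int, command: bytes) -> bytes:
    """Wire format: 8-byte big-endian sequence number || command || HMAC-SHA256 tag.
    The sequence number is inside the MAC input, so it cannot be edited undetected."""
    body = struct.pack(">Q", seq) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


def mac_only_accept(key: bytes, message: bytes) -> bool:
    """The incomplete design: verifies the MAC but ignores freshness, so any
    previously valid message is accepted again.  Shown only for contrast."""
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())


class CommandReceiver:
    """Accepts a message only if the MAC verifies and the sequence number is
    strictly greater than the last accepted one."""

    def __init__(self, key: bytes, last_seq: int = -1):
        self.key = key
        self.last_seq = last_seq   # must be persisted across restarts, see note below

    def accept(self, message: bytes) -> Tuple[bool, str, Optional[bytes]]:
        if len(message) < 8 + TAG_LEN:
            return False, "too short", None
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # check MAC before trusting any field
            return False, "bad MAC", None
        seq = struct.unpack(">Q", body[:8])[0]
        if seq <= self.last_seq:
            return False, f"replay: seq {seq} <= last accepted {self.last_seq}", None
        self.last_seq = seq
        return True, "ok", body[8:]


if __name__ == "__main__":
    rx = CommandReceiver(KEY)
    msg = sign_command(KEY, 1, b"OPEN_VALVE_7")        # constructed command
    print(rx.accept(msg))                               # accepted
    print(rx.accept(msg))                               # rejected: replay
    print(mac_only_accept(KEY, msg))                    # True: MAC alone does not stop replay
```

Two caveats a practitioner would raise: the receiver's last accepted sequence number must survive a reboot (otherwise a power cycle reopens every recorded message), and a sender that restarts must resume from a persisted counter or re-key, since reusing a number is indistinguishable from a replay.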
Risk Assessment
Systematic evaluation of cybersecurity and operational risks facing industrial control systems, considering threat likelihood, vulnerability presence, and potential impact. OT risk assessments must address unique factors including safety consequences, operational dependencies, and regulatory requirements.
Rogue Device
Unauthorized or malicious devices connected to industrial networks that can disrupt operations, steal data, or provide adversaries with network access. Rogue device detection requires comprehensive network monitoring and asset management capabilities tailored to OT environments.
SAML
Security Assertion Markup Language, an XML-based standard for exchanging authentication and authorization data between identity providers and service providers. SAML enables single sign-on capabilities for industrial applications while maintaining centralized identity management.
SCADA
Supervisory Control and Data Acquisition systems that provide high-level supervision and control of industrial processes through computer networks and human-machine interfaces. SCADA systems are widely used in critical infrastructure sectors including utilities, oil and gas, and manufacturing.
SIEM
Security Information and Event Management systems that collect, analyze, and correlate security events from multiple sources to identify potential threats. SIEM solutions for OT environments must understand industrial protocols and operational patterns to effectively distinguish threats from normal operations.
SL (Security Level)
Security Level classifications defined in IEC 62443 that specify graduated security capabilities from SL-1 (protection against casual misuse) to SL-4 (protection against sophisticated attacks with substantial resources). Security levels help organizations implement appropriate protection measures based on threat profiles.
Safety Instrumented System (SIS)
Independent protection systems designed to bring industrial processes to a safe state when hazardous conditions are detected. SIS systems are critical safety barriers that must maintain high reliability and availability, making them high-value targets for sophisticated adversaries like XENOTIME.
Secure Boot
Security mechanisms that ensure industrial control devices boot only with authenticated and trusted software, preventing malware from loading during system startup. Secure boot provides fundamental protection against firmware-level attacks and persistent malware in OT environments.
Secure Update Mechanism
Processes and technologies that ensure software and firmware updates for industrial systems are authentic, untampered, and applied securely. Secure update mechanisms protect against supply chain attacks and ensure that security patches can be applied safely to operational systems.
Security by Design
An approach that integrates cybersecurity considerations into industrial system design from the earliest stages rather than adding security as an afterthought. Security by design ensures that security controls are built into the fundamental architecture and operation of industrial systems.
Social Engineering
Attack techniques that manipulate human psychology to gain unauthorized access to industrial systems or sensitive information. Social engineering attacks targeting OT personnel can bypass technical security controls, making security awareness training critical for industrial organizations.
Stuxnet
The first known malware specifically designed to attack industrial control systems, discovered in 2010 and targeting Iranian nuclear facilities. Stuxnet demonstrated sophisticated knowledge of industrial processes and represented a watershed moment in understanding cyber-physical attack capabilities.
Supply Chain Risk
Security risks introduced through the complex supply chains that provide hardware, software, and services for industrial control systems. Supply chain risks can include compromised components, malicious software, or vulnerable third-party services that provide access to critical systems.
Supply Chain Security
Security measures designed to protect industrial control systems from threats introduced through supply chain partners, vendors, and service providers. Supply chain security includes vendor assessment, secure procurement processes, and verification of component integrity.
Safety PLC
A specialized PLC used in safety-critical applications such as Safety Instrumented Systems (SIS). Safety PLCs are certified under IEC 61508 for use at a stated Safety Integrity Level (SIL) and are applied in the process industries according to IEC 61511; they use redundant, self-diagnosing hardware so that internal faults drive outputs to a safe state.
Sandworm
A Russian threat group behind BlackEnergy and Industroyer attacks, known for targeting Ukraine's power grid and OT environments.
TCP/IP Stack
The foundational networking protocols used for communication in modern industrial Ethernet networks, providing reliable data transmission and addressing capabilities. The TCP/IP stack enables integration between OT and IT systems but also introduces traditional network security vulnerabilities.
TRISIS/Triton
Sophisticated malware specifically designed to target Schneider Electric Triconex safety instrumented systems, first discovered in 2017. TRISIS represents a significant escalation in ICS malware as it specifically targets safety systems, potentially creating life-threatening conditions.
TTPs
Tactics, Techniques, and Procedures used by adversaries to compromise industrial control systems. Understanding TTPs helps security teams recognize attack patterns, implement appropriate defenses, and develop threat intelligence specific to OT environments.
Tamper Detection
Security mechanisms that detect unauthorized physical or logical modifications to industrial control devices or systems. Tamper detection provides alerts when devices have been accessed, modified, or potentially compromised by adversaries.
Threat Intelligence
Information about current and emerging cybersecurity threats specifically relevant to industrial control systems and operational technology. OT threat intelligence helps organizations understand adversary capabilities, tactics, and targets to improve defensive strategies.
Threat Modeling
Systematic approaches to identifying, analyzing, and prioritizing potential security threats to industrial control systems based on system architecture and operational requirements. Threat modeling helps organizations focus security resources on the most significant risks.
Time-Sensitive Networking (TSN)
IEEE standards that enable deterministic communication over standard Ethernet networks, supporting time-critical industrial applications. TSN provides guaranteed latency and reliability for real-time control while enabling convergence of IT and OT networks.
Tokenization
Security technique that replaces sensitive data with non-sensitive placeholder tokens, reducing the risk of data exposure in industrial systems. Tokenization can protect sensitive operational data while maintaining system functionality.
Triaging
The process of prioritizing security incidents, alerts, or vulnerabilities based on their severity, impact, and urgency in industrial environments. Effective triaging ensures that the most critical threats to operational systems receive immediate attention.
TwinCAT
Beckhoff's automation software that transforms standard PCs into powerful control systems, combining PLC and motion control functionality. TwinCAT represents the convergence of IT and OT technologies but requires careful security consideration due to its PC-based architecture.
TSA Pipeline Security Guidelines
Guidance issued by the U.S. Transportation Security Administration outlining cybersecurity measures for pipeline operators, including risk assessment and incident response requirements.
UPS
Uninterruptible Power Supply systems that provide backup electrical power to industrial control systems during utility power interruptions. UPS systems are critical for maintaining availability and preventing data loss in industrial environments, but also represent potential attack vectors if networked.
USB Control
Security measures that govern the use of USB devices and ports in industrial control environments to prevent malware introduction and data exfiltration. USB control is essential as removable media represents a common attack vector for air-gapped systems.
Unidirectional Gateway
Hardware devices that allow data to flow in only one direction, providing secure data replication from operational networks to monitoring or business systems. Unidirectional gateways enable data sharing while maintaining strong security boundaries.
Update Management
Processes for securely applying software and firmware updates to industrial control systems while minimizing operational disruption and maintaining system integrity. Update management must balance security improvements with operational stability requirements.
User Access Control (Least Privilege)
Implementation of least privilege principles specifically for user access to industrial control systems, ensuring personnel can access only the systems and functions necessary for their roles. This reduces the potential impact of compromised accounts.
User Behavior Analytics (UBA)
Security analytics that establish baseline patterns of user behavior and detect anomalous activities that may indicate security threats or policy violations. UBA can identify insider threats and compromised accounts in industrial environments.
VLAN
Virtual Local Area Network technology that segments network traffic at the data link layer, commonly used for network segmentation in industrial environments. VLANs provide logical separation between different types of industrial traffic while using shared physical infrastructure.
VPN
Virtual Private Network technology that provides secure remote access to industrial control systems over public networks. VPNs enable remote maintenance and monitoring while encrypting communications and authenticating users.
Vendor Access Management
Processes and controls for managing third-party vendor access to industrial control systems for maintenance, support, or integration activities. Vendor access management reduces supply chain risks while enabling necessary business relationships.
Version Control
Systems that track and manage changes to industrial control system software, configurations, and documentation. Version control enables rollback capabilities, change tracking, and configuration management essential for OT security and reliability.
Virtual Patching
Security technique that provides protection against vulnerabilities without modifying the vulnerable systems, often using network-based controls or application-layer filtering. Virtual patching enables protection of legacy industrial systems that cannot be easily updated.
Visibility
The ability to discover, monitor, and analyze industrial control system assets, communications, and activities. Comprehensive visibility is fundamental to OT security, enabling threat detection, asset management, and compliance monitoring.
VOLTZITE
A sophisticated threat group identified by Dragos that overlaps with Volt Typhoon, targeting critical infrastructure including electricity, telecommunications, and emergency services. VOLTZITE employs living-off-the-land techniques and focuses on long-term persistence for potential disruptive operations.
Vulnerability Assessment
Systematic evaluation of security weaknesses in industrial control systems, including software vulnerabilities, configuration issues, and architectural flaws. Vulnerability assessments help organizations prioritize security improvements and remediation efforts.
Watering Hole Attack
Cyberattacks that compromise websites frequently visited by target organizations or personnel to deliver malware or steal credentials. Watering hole attacks can target industrial sector-specific websites to compromise OT engineers and operators.
Whitelisting
Security approach that only allows pre-approved applications, devices, or communications while blocking everything else by default. Whitelisting is particularly effective in OT environments where operational patterns are typically stable and well-defined.
Windows Domain Integration
Integration of industrial control systems with Windows Active Directory domains for centralized authentication and authorization. Domain integration can simplify user management but requires careful security design to prevent lateral movement between IT and OT networks.
Wireless Sensor Network
Networks of spatially distributed autonomous sensors that cooperatively monitor physical or environmental conditions in industrial settings. Wireless sensor networks enable flexible monitoring but require robust security measures to prevent unauthorized access.
WirelessHART
A wireless mesh networking technology that extends the HART protocol to provide wireless communication capabilities for industrial instrumentation. WirelessHART enables flexible sensor deployment while maintaining the reliability and security needed for industrial applications.
Work Instruction
Detailed procedures that guide personnel in performing specific tasks related to industrial control systems, including security procedures, maintenance activities, and emergency response actions. Work instructions ensure consistent and secure operational practices.
Workstation Lockdown
Security hardening techniques applied to industrial workstations to reduce attack surface and prevent unauthorized software execution. Workstation lockdown includes application whitelisting, service minimization, and access controls tailored to operational requirements.
XENOTIME
The most dangerous known threat group targeting industrial control systems, responsible for the TRISIS/TRITON malware that specifically targets safety instrumented systems. XENOTIME represents state-sponsored capabilities designed to cause physical damage and potentially loss of life.
XIoT
Extended Internet of Things, referring to the expanded ecosystem of connected devices that includes traditional IoT devices plus operational technology and industrial control systems. XIoT represents the convergence of IT, OT, and IoT technologies.
XML Injection
Attack technique that exploits XML processing vulnerabilities in industrial applications to gain unauthorized access or execute malicious code. XML injection can affect web-based HMI systems, configuration tools, and integration interfaces.
XOR-based Encryption
Simple encryption technique using the exclusive OR (XOR) operation, sometimes found in legacy industrial protocols or applications. While computationally efficient, XOR-based encryption provides limited security and should be replaced with stronger cryptographic methods.
YAML Configuration Files
Human-readable data serialization format commonly used for configuration files in modern industrial automation and cybersecurity tools. YAML files require proper access controls and validation to prevent configuration tampering.
YARA Rules
Pattern matching rules used to identify and classify malware and other threats based on file characteristics. YARA rules can be adapted for OT environments to detect industrial-specific malware and threats targeting control systems.
Yield Optimization
Process improvement techniques that maximize production efficiency and quality in industrial operations. Yield optimization systems can be targets for cyberattacks aimed at disrupting production or stealing proprietary process information.
Yokogawa (Vendor Reference)
A major industrial automation vendor providing distributed control systems, safety instrumented systems, and other OT solutions. Like other major vendors, Yokogawa systems require proper security configuration and monitoring to protect against cyber threats.
Zero Trust Architecture
Security framework that requires verification of every user and device before granting access to industrial systems, assuming no inherent trust based on network location. Zero trust principles can enhance OT security but require careful implementation to maintain operational requirements.
Zero-Day Exploit
Attacks that exploit previously unknown vulnerabilities in industrial control systems before patches or defenses are available. Zero-day exploits represent significant risks to OT environments, requiring defense-in-depth strategies and behavioral monitoring.
Zigbee Protocol
Low-power wireless communication protocol used for industrial sensor networks and building automation applications. Zigbee networks require proper security configuration and monitoring to prevent unauthorized access and ensure reliable operation.
Zone-Based Segmentation
Network security architecture that groups industrial assets into zones based on security requirements and operational functions, controlling communication between zones. Zone-based segmentation is a fundamental principle of IEC 62443 and industrial network security.
Zones (Security Zones)
Logical or physical groupings of industrial assets with similar security requirements, risk profiles, and operational functions according to IEC 62443 standards. Security zones enable structured security implementation and risk management in complex industrial environments.