Knowing the meaning of OT terms helps to better secure the OT world from cyberattacks
Which abbreviations and keywords do you need to know to start in OT Security? We do not aim here to give a comprehensive view but instead to give a small survival guide for anyone willing to start in OT Security.
Access Control List (ACL)
A mechanism that implements access control for a system resource by listing which users or processes are permitted to access a system resource.
Active Directory Service (AD)
An Active Directory Service hierarchically stores information about network objects and makes this information available to administrators, users, and applications. Using Active Directory, the network and its object are organized by constructs such as domains, trees, forests, trust relationships, organizational units, and sites. Because Active Directory is based on standard direct access controls, it can interoperate with other directory services and can be accessed by third-party applications that follow these protocols. AD is so widely used in different industries that it has become a de facto standard. (Source: Microsoft)
Anomaly Detection Solutions / Passive Monitoring
In general Anomaly Detection refers to various techniques deployed when analyzing dataflows on a network in order to identify deviations from usual or approved patterns.
Anomaly Detection solutions are also commonly used as seamlessly integrated OT security solutions into production lines and machines. Those appliances usually comprise a series of sensors, installed on the network where production machines are connected, and a dashboard (software with human-readable data). OT Anomaly Detection solutions also offer asset discovery capabilities, thus signaling when new assets or systems are connected to a monitored network or vulnerability management.
Authentication is the process of confirming the correctness of the claimed identity by a user or a device.
Can be achieved by providing different factors:
- the knowledge factor: something known to a user, for example, a password or a PIN
- the ownership factor: something owned by a user, for example, a token
- the inherence factor: something that a user is or does, for example a fingerprint or a retinal scan
For robust authentication, it is recommended to use at least 2 different factors of authentication.
Attack Surface refers to a list of system inputs that an attacker can use to attempt to compromise a system. Hardening techniques can be used to ensure that the exposed attack surface is as little as possible.
Business Continuity Plan (BCP)
A Business Continuity Plan is a plan for emergency response that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation. Any event that could have a negative impact on production operations should be included in a BCP. (Source SANS)
Chief Information Security Officer (CISO)
A Chief Information Security Officer (CISO) controls information security issues in an organization and is responsible for securing anything related to digital information. Additionally, a CISO establishes the cybersecurity strategy of an organization. (Source: Techopedia)
Common Industrial Protocol (CIP)
The Common Industrial Protocol (CIP) is a communication protocol for industrial automation applications. CIP encompasses a comprehensive suite of messages and services for a broad array of industrial automation applications – including control, safety, energy, synchronization & motion, information and network management. CIP allows users to integrate these applications with enterprise-level Ethernet networks and the Internet. (Source: ODVA)
A data diode is a type of network security device that allows data to flow in only one direction. Specifically, a data diode is designed to permit data to pass from a secure network to an insecure network. Data diodes are usually employed in highly sensitive environments such as military or government networks.
Distributed Control System (DCS)
A Distributed Control System (DCS) is a type of control system used in industrial and manufacturing processes that is composed of multiple controllers distributed throughout a system or a plant.
Demilitarized Zone (DMZ)
In computer security, a demilitarized zone (DMZ) is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted, usually larger, network such as the Internet. Demilitarized Zones help to enable a layered security model by providing network segmentation. (Source SANS)
FAT vs. SAT
Factory Acceptance Test (FAT) and Site Acceptance Test (SAT) are two pivotal moments to introduce a new system or piece of equipment to a production environment.
The system’s vendor performs a FAT before shipping it to a customer. The purpose of a FAT is to verify that the equipment or system meets the requirements specified by the customer and desired level of security.
The system’s customer repeats a subset of a FAT after the system installation. The purpose of a SAT is to ensure that the system works as intended in the customer’s environment. (Source: partially SANS)
Group Policy Object (GPO)
A Group Policy Object (GPO) is a virtual collection of policy settings. GPOs allow automatic deployment of Security Policies via Active Directory. (Source: Microsoft)
Hardening is the process of identifying and fixing vulnerabilities in a system.
Highway Addressable Remote Transducer (HART) Protocol
The Highway Addressable Remote Transducer (HART) Protocol is a bi-directional communication protocol that provides data access between intelligent field instruments and host systems. (Source: Field Comm Group)
Hazard and Operability Study (HAZOP)
A Hazard and Operability Study (HAZOP) is a systematic, rigorous, procedural review of the possible hazards in a plan or operation.
A Historian acts as a data store for OT process data. Often it consists of a relational database. It contains events logs and time series. It is usually accessible via a GUI, a web interface, or an API.
Human Machine Interface (HMI)
An HMI presents process data to human operators. HMIs are usually organized as a model diagram of the process.
Industrial Control Systems (ICS) Security
Industrial Control Systems (ICS) Security concerns protecting manufacturing systems from any potential threat.
Generally, a firewall is a system that monitors network traffic, both inbound and outbound based on a set of predetermined rules. More specifically, Industrial Firewalls are designed for monitoring network interfaces between security zones in a segmented environment.
Least Privilege is the principle of allowing users or applications the least amount of permissions necessary to perform their intended function. (Source: SANS)
Local Area Network (LAN)
A local area network (LAN) is a computer network within a small geographical area such as a home, school, computer laboratory, office building, or group of buildings. (Source: techopedia)
Malware is a generic term for several different types of malicious code. (Source: SANS)
Manufacturing Execution System (MES)
A traditional view of a Manufacturing Execution System (MES) is of computerized systems designed to integrate with and extend the capabilities of other systems, e.g., by providing Recipe Management for process control equipment. (Source: GAMP Good Practice Guide: Manufacturing Execution Systems – A Strategic and Program Management Approach)
NIST SP 800
The National Institute of Standards and Technology (NIST) is a US agency that promotes technology and innovation. Among its publication, NIST’s Special Publication (SP) 800 series presents information of interest to the computer security community. The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities. (Source: nist.gov)
Network Time Protocol (NTP)
The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.
Next-Generation Firewalls (NGFWs)
A firewall is a network security system that monitors and controls incoming and outgoing traffic based on a predetermined set of rules. Next-generation firewalls include traditional firewalls with other network device filtering functions, such as an application firewall using in-line deep packet inspection(DPI) or an intrusion prevention system (IPS). Compared to older and more traditional solutions, NGFWs use a more exhaustive inspection style like checking packet payloads and matching signatures for harmful activities (e.g., exploitable attacks and malware).
Operational Technology (OT)
Hardware and software that detects or causes a change through the direct monitoring and or control of industrial equipment, assets process, and events. (Source: Gartner)
Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious software on the victim's infrastructure like ransomware.)
Process Control System (PCS)
A Process Control System (PCS) is employed to monitor a manufacturing line or cell in an industrial environment.
A PCS usually utilizes Programmable Logic Controllers (PLCs) to propagate input and output.
Programmable Logic Controller (PLC)
PLCs are general-purpose computer-based devices that control industrial equipment and processes.
A type of malware that is a form of extortion. It works by encrypting a victim's hard drive denying them access to key files. The victim must then pay a ransom to decrypt the files and gain access to them again. The number of attacks of this kind targeting manufacturing companies has been rapidly increasing in the past years.
A risk, from an OT perspective, is anything that can potentially lead to failure, downtime, and/or disruption of production.
Security Information and Event Management (SIEM)
A Security Information and Event Management is a system that centralizes analysis of security alerts and system logs generated by applications and network hardware. SIEM solutions also provide interfaces for threat hunting, security incidents and forensics for human analysts.
Security Orchestration, Automation and Response (SOAR)
Security Orchestration, Automation and Response refers to a stack of software tools that enables the collection of data about security threats and respond without human intervention.
Security Operation Center (SOC) / Cyber Defense Center (CDC)
A Security Operation Center (SOC), or Cyber Defense Center (CDC), is a centralized team within an organization that continuously monitors security logs, non-compliance vulnerabilities, and security incidents based on a set of defined objectives, to assist in the reduction of risk to systems.
Supervisory Control and Data Acquisition (SCADA)
SCADA is a supervisory system used to control industrial and infrastructure processes. SCADA can be categorized as site SCADA or Regional SCADA depending on the geographical span that they cover. (Source: SANS)
Virtual Private Network(VPN)
A VPN connection refers to the process of establishing a private and secure link or path between one or more local and remote network devices. (Source: techopedia)
Wide Area Network (WAN)
A wide area network (WAN) is a network that exists over a large-scale geographical area, as compared to other network types, such as a local area network (LAN).