Common OT Acronyms
0-9
1G
First Generation (cellular technology)
3DES
Triple Data Encryption Standard - Enhanced encryption algorithm using three iterations of DES
3GPP
3rd Generation Partnership Project - Standards organization for cellular technology development
5G
Fifth Generation (cellular network technology)
802.11
IEEE Wi-Fi Standard
A
A/D
Analog-to-Digital
ABB
Asea Brown Boveri - Industrial automation and power technology company
AC
Alternating Current (also refers to the 802.11ac Wi-Fi standard)
ACK
Acknowledgment - Frame type confirming successful packet receipt
AES
Advanced Encryption Standard - Symmetric encryption algorithm available in 128-bit and 256-bit versions
AESO
Alberta Electric System Operator - The organization responsible for electrical grid operations in Alberta, Canada
AMI
Automatic Metering Infrastructure - Bi-directional smart meter communication system
AMR
Automatic Meter Reading - One-way smart meter communication system
AP
Access Point
API
Application Programming Interface
APT
Advanced Persistent Threat - Long-term, sophisticated cyber campaigns typically associated with nation-state actors
ARP
Address Resolution Protocol - Maps IP addresses to MAC addresses
ASN
Autonomous System Number - Unique identifier for internet routing systems
ASP
Application Service Provider
ATT
American Telephone and Telegraph
ATT&CK
Adversarial Tactics, Techniques, and Common Knowledge - MITRE's framework for understanding adversary behavior
AX
Refers to the 802.11ax (Wi-Fi 6) wireless standard
B
BACnet
Building Automation and Control Network
BAS
Building Automation System - Control system for building HVAC, lighting, and security
BCP
Business Continuity Plan - Formal procedures for maintaining operations during disruptions
BCV
Basic Control Vehicle (Yokogawa)
BE
Refers to the 802.11be (Wi-Fi 7) wireless standard
C
CCTV
Closed-Circuit Television - Video surveillance systems
CDM
Code Division Multiplexing
CDM/CDMA
Code Division Multiple Access - Multiple access technique using spread spectrum technology
CDMA
Code Division Multiple Access - Cellular access technology using spread spectrum techniques
CEO
Chief Executive Officer - Top executive of an organization
CFATS
Chemical Facility Anti-Terrorism Standards - Regulations governing chemical industry cybersecurity requirements
CFO
Chief Financial Officer - Senior executive responsible for financial operations
CIA
Confidentiality, Integrity, Availability - The three pillars of cybersecurity, with OT prioritizing availability and integrity over confidentiality
CIDR
Classless Inter-Domain Routing - Method for IP address allocation and routing
CIO
Chief Information Officer - The executive responsible for an organization's information technology strategy and operations
CIP
Critical Infrastructure Protection - Standards and regulations designed to protect essential infrastructure systems
CISA
Cybersecurity and Infrastructure Security Agency - U.S. federal agency providing cybersecurity guidance and threat intelligence for critical infrastructure
CISO
Chief Information Security Officer - The executive responsible for an organization's information security program and strategy
COM
Component Object Model
CPU
Central Processing Unit
CSO
Chief Security Officer - The executive responsible for an organization's overall security program, including both physical and information security
CTS
Clear to Send - Collision avoidance frame type
CVE
Common Vulnerabilities and Exposures
CVSS
Common Vulnerability Scoring System - A standardized method for rating the severity of security vulnerabilities, typically using a 1-10 scale
D
D/A
Digital-to-Analog
DC
Direct Current
DCOM
Distributed Component Object Model
DCS
Distributed Control System - A control system architecture used in industrial processes where control elements are distributed throughout the system
DEF CON
Defensive Computing Conference - Annual hacker convention
DES
Data Encryption Standard - Symmetric encryption algorithm (predecessor to 3DES and AES)
DHCP
Dynamic Host Configuration Protocol - Network service for automatic IP address assignment
DHS
Department of Homeland Security - Federal agency responsible for critical infrastructure protection
DIN
Deutsches Institut für Normung - German standards organization (DIN rail mounting)
DMS
Distribution Management System - SCADA for electrical power distribution
DMZ
Demilitarized Zone - A network segment that sits between internal networks and external networks, providing controlled access between different security zones
DNP
Distributed Network Protocol
DNP3
Distributed Network Protocol - Communication protocol used in SCADA systems
DNS
Domain Name System - Internet system that translates domain names to IP addresses
DSSS
Direct Sequence Spread Spectrum - Continuous frequency spreading technique
E
EAP-TLS
Extensible Authentication Protocol-Transport Layer Security - Certificate-based authentication
EDGE
Enhanced Data Rates for GSM Evolution - Improved data transmission technology for GSM networks
EDR
Endpoint Detection and Response - Security monitoring software for individual devices
EEPROM
Electrically Erasable Programmable Read-Only Memory
EMS
Energy Management System - Software applications used by electric utilities to monitor, control, and optimize the performance of generation and transmission systems
ENISA
European Union Agency for Cybersecurity - EU critical infrastructure authority
EPA
Environmental Protection Agency - U.S. federal agency responsible for environmental protection and regulation enforcement
EPC
Engineering, Procurement, and Construction - Project delivery method for industrial facilities
ERP
Enterprise Resource Planning - Integrated business management software
eSIM
Embedded Subscriber Identity Module - Programmable SIM card technology
ESIX
A variant of the Unix operating system
ETL
Extract, Transform, Load
F
FAA
Federal Aviation Administration - US aviation regulatory body
FAT
Factory Acceptance Test - Testing conducted at vendor facilities to verify system functionality before delivery
FBD
Function Block Diagrams
FCC
Federal Communications Commission - U.S. federal agency regulating radio communications
FDA
Food and Drug Administration - US pharmaceutical and medical device regulatory body
FERC
Federal Energy Regulatory Commission - Federal agency regulating interstate energy markets
FFD
Full Function Device
FHSS
Frequency Hopping Spread Spectrum - Alternative spread spectrum technique not chosen for Wi-Fi
FTP
File Transfer Protocol - Network protocol for transferring files between systems
G
GHz
Gigahertz
GIS
Geographic Information System
GM
General Motors
GNU
GNU's Not Unix (recursive acronym for open-source software)
GOOSE
Generic Object Oriented Substation Events
GPO
Group Policy Object - Windows Active Directory mechanism for centralized configuration management
GPRS
General Packet Radio Service - Packet-switched data service for GSM networks
GPS
Global Positioning System - Satellite navigation system also used for precision timing in industrial applications
GRC
Governance, Risk, and Compliance - Integrated approach to managing organizational governance, risk management, and regulatory compliance
GSM
Global System for Mobile Communication - Digital cellular technology standard
GUI
Graphical User Interface - Visual interface for software applications
H
HA
High Availability - System design for maximum uptime
HART
Highway Addressable Remote Transducer - Industrial communication protocol for smart devices
HDMI
High-Definition Multimedia Interface
HMI
Human Machine Interface - Control system component that provides operator interaction with industrial processes
HTTP
Hypertext Transfer Protocol
HTTP/HTTPS
Hypertext Transfer Protocol (Secure) - Web communication protocols
HTTPS
Hypertext Transfer Protocol Secure
HUMINT
Human Intelligence - Intelligence gathered from human sources
HVAC
Heating, Ventilation, and Air Conditioning - Building climate control systems
I
I/O
Input/Output - Interface between control systems and field devices
IC
Industrial Control - Referring to systems that control industrial processes and equipment
ICCP
Inter-Control Center Communication Protocol
ICMP
Internet Control Message Protocol - Network protocol used for diagnostic and error reporting, often involved in ping sweep activities
ICS
Industrial Control Systems - Computer-based systems that monitor and control industrial processes and infrastructure
IDS
Intrusion Detection System - Security technology for monitoring and alerting on suspicious network activity
IDU
Indoor Unit - Indoor component of a VSAT system
IEC
International Electrotechnical Commission - International standards organization
IEC 62443
International Electrotechnical Commission standard 62443 - A series of standards for industrial automation and control systems security
IED
Intelligent Electronic Device
IEEE
Institute of Electrical and Electronics Engineers - Technical professional organization and standards body
IOC
Indicators of Compromise - Forensic evidence of potential intrusion or malicious activity on systems or networks
IoC
Indicator of Compromise
IoT
Internet of Things - Network of connected smart devices
IOT
Internet of Things
IP
Internet Protocol - Fundamental networking protocol for data transmission
IPSec
Internet Protocol Security - Network protocol suite for secure communications
ISA
International Society of Automation - Professional organization that develops industrial automation standards
ISA 100.11A
International Society of Automation standard 100.11A - A wireless networking standard for industrial automation applications
ISM
Industrial, Scientific, and Medical - Unlicensed frequency band designation
ISO
International Organization for Standardization - International standards body
ISP
Internet Service Provider - Company providing internet connectivity services
IT
Information Technology - Computing systems that primarily handle data and information, with different security requirements than OT systems
L
LIMS
Laboratory Information Management System - Software for managing laboratory operations and data
LoRa
Long Range - Wireless communication standard for industrial applications
LoRaWAN
Long Range Wide Area Network - IoT communication protocol
LTE
Long Term Evolution - Fourth generation cellular technology (4G)
M
M&A
Mergers and Acquisitions - Business transactions involving consolidation of companies or assets
MAC
Media Access Control - Unique identifier assigned to network interface controllers
MES
Manufacturing Execution System - Middleware between business and plant floor
MFA
Multi-Factor Authentication - Security process requiring multiple verification methods
MHz
Megahertz (frequency unit)
MITRE
Originally an acronym for Massachusetts Institute of Technology Research and Engineering, now used as the organization name
MITRE ATT&CK
Framework documenting adversary tactics, techniques, and procedures based on real-world observations of cyberattacks
MMI
Man-Machine Interface
MMS
Manufacturing Message Specification
MPLS
Multi-Protocol Label Switching - Label-based routing technique
MSSP
Managed Security Service Provider - A company that provides outsourced monitoring and management of security devices and systems
MSTP
Master-Slave/Token-Passing
MTU
Maximum Transmission Unit - Largest packet size that can be transmitted on a network
N
NASA
National Aeronautics and Space Administration
NDA
Non-Disclosure Agreement
NERC
North American Electric Reliability Corporation - The organization responsible for electrical grid reliability standards in North America
NERC CIP
North American Electric Reliability Corporation Critical Infrastructure Protection - Cybersecurity standards for the bulk electric system
NIST
National Institute of Standards and Technology - US standards and technology agency
NMAP
Network Mapper - A network discovery and security auditing tool
NT
New Technology (Windows NT)
NTP
Network Time Protocol - Networking protocol for clock synchronization between computer systems over networks
O
ODU
Outdoor Unit - Outdoor component of a VSAT system, including dish and transceiver
ODVA
Open DeviceNet Vendors Association - Organization managing Ethernet/IP standards
OEM
Original Equipment Manufacturer - Companies that manufacture components or systems that are used in other companies' products
OLE
Object Linking and Embedding
OPC
Open Platform Communications - Set of standards for industrial communication between automation devices and systems
OSHA
Occupational Safety and Health Administration - Federal agency regulating workplace safety
OSI
Open Systems Interconnection - Seven-layer networking model
OSINT
Open Source Intelligence - Information gathering from publicly available sources for reconnaissance purposes
OT
Operational Technology - Computing systems that monitor and control physical processes, which face unique security challenges due to their design and operational requirements
P
PCAP
Packet Capture - File format for storing network traffic data
PCAP-NG
Packet Capture Next Generation - Enhanced packet capture file format
PCI
Peripheral Component Interconnect
PCII
Protected Critical Infrastructure Information - Sensitive information about critical infrastructure
PI
Process Information - A data historian system commonly used in industrial environments (referring to the OSIsoft PI System)
PLC
Programmable Logic Controller - An industrial computer control system that continuously monitors the state of input devices and makes decisions based on a custom program
POP
Post Office Protocol
POTS
Plain Old Telephone Service
PP&E
Personal Protective Equipment - Safety equipment required in industrial environments
PPE
Personal Protective Equipment - Safety gear
PSI
Pounds per Square Inch
PTO
Paid Time Off - Employee leave benefits
Q
QNX
A real-time operating system
R
RADIUS
Remote Authentication Dial-In User Service - Centralized authentication system
RAT
Remote Access Trojan - Malware providing unauthorized remote access and control of compromised systems
RC4
Rivest Cipher 4 - Stream cipher used in WEP (now obsolete)
RDP
Remote Desktop Protocol - A proprietary protocol developed by Microsoft for remote access to Windows-based systems
RF
Radio Frequency - Electromagnetic waves used for wireless communication, often referring to industrial wireless systems operating at 900 MHz
RFC
Request for Comments
RFD
Reduced Function Device
RFP
Request for Proposal - Document organizations use to solicit bids from potential vendors for projects or services
RITA
Real Intelligence Threat Analytics - Network traffic analysis tool for security
RJ45
Registered Jack 45 - Standard connector for Ethernet network cables
RS-232
Recommended Standard 232 (serial communication interface)
RSPAN
Remote Switch Port Analyzer - Remote network traffic monitoring feature
RTOS
Real-Time Operating System
RTS
Request to Send - Collision avoidance frame type
RTU
Remote Terminal Unit - A microprocessor-controlled electronic device that interfaces objects in the physical world to a distributed control system
S
SAM
Security Account Manager - Windows database storing user account and password information
SAN
Storage Area Network
SAP
Systems, Applications & Products in Data Processing - Enterprise resource planning software
SAT
Site Acceptance Test - Testing conducted at customer facilities to verify system functionality in the operational environment
SCADA
Supervisory Control and Data Acquisition - Control system architecture comprising computers, networked data communications, and graphical user interfaces
SDR
Software Defined Radio
SFC
Sequential Function Charts
SIEM
Security Information and Event Management - Platform for security event correlation and analysis
SIGINT
Signals Intelligence - Intelligence gathered from electronic signals
SIM
Security Information Management - Systems used for collecting, analyzing, and reporting security-related data
SIP
Standards for Interconnection of Plants - NERC reliability standards addressing cybersecurity for bulk electric system cyber assets
SIS
Safety Instrumented System - A system designed to bring industrial processes to a safe state when predetermined conditions are violated
SMB
Server Message Block - Network communication protocol used for providing shared access to files and other services
SMS
Short Message Service
SMTP
Simple Mail Transfer Protocol
SNMP
Simple Network Management Protocol
SOC
Security Operations Center - A centralized facility where security professionals monitor, detect, analyze, and respond to cybersecurity incidents
SPAN
Switch Port Analyzer - Network switch feature for traffic monitoring
SQL
Structured Query Language - Programming language designed for managing and querying relational databases
SSH
Secure Shell - Encrypted network protocol for secure remote system administration
SSID
Service Set Identifier - Network name identifier for wireless networks
SSL
Secure Sockets Layer
ST
Structured Text
T
TCP
Transmission Control Protocol - Reliable internet communication protocol
TCP/IP
Transmission Control Protocol/Internet Protocol - Fundamental communication protocols of the internet and many networks
TCP/UDP
Transmission Control Protocol/User Datagram Protocol - Core internet transport protocols
TLS
Transport Layer Security
TSA
Transportation Security Administration - U.S. federal agency responsible for transportation security, including cybersecurity guidelines for critical transportation infrastructure
TTP
Tactics, Techniques, and Procedures - Behavioral patterns describing how threat actors plan, execute, and sustain attacks
U
UA
Unified Architecture
UDP
User Datagram Protocol - Fast but unreliable internet communication protocol
USB
Universal Serial Bus - Standard for connecting peripheral devices to computers, often used as an attack vector in isolated systems
V
VLAN
Virtual Local Area Network - Method of creating independent logical networks within a physical network infrastructure
VNC
Virtual Network Computing - Remote desktop access protocol
VoIP
Voice over Internet Protocol
VPN
Virtual Private Network - A technology that creates secure connections over public networks
VSAT
Very Small Aperture Terminal - Small antenna satellite communication system
VSD
Variable Speed Drive - Electronic devices used to control the speed and torque of electric motors in industrial applications
W
WAN
Wide Area Network
WEP
Wired Equivalent Privacy - An older, less secure wireless security protocol that has been largely superseded by WPA/WPA2
Wi-Fi
Wireless Fidelity - Wireless local area network technology
WiMAX
Worldwide Interoperability for Microwave Access - Broadband wireless communication standard
WLAN
Wireless Local Area Network
WPA
Wi-Fi Protected Access - Intermediate Wi-Fi security standard
WPA/WPA2/WPA3
Wi-Fi Protected Access - Progressive generations of wireless security protocols, with WPA3 being the most current and secure
WPA2
Wi-Fi Protected Access 2 - Modern Wi-Fi security standard based on 802.11i
WPA3
Wi-Fi Protected Access 3 - Current wireless security protocol standard
WPS
Wi-Fi Protected Setup - Wireless network setup protocol
WRT
Wireless RouTer - Networking device with customizable firmware capabilities
X
XM
(Satellite radio service name, not an acronym)
XML
Extensible Markup Language - Format for storing and transporting structured data
XOR
Exclusive OR (logical operation)
Common Terms and Definitions
0-9
3DES (Triple Data Encryption Standard)
An encryption algorithm that applies the DES cipher three times to each data block, commonly offered by VSAT providers for secure data transmission.
3DES Tunnels
Triple Data Encryption Standard tunneling protocol providing encrypted communication channels for securing data transmission over VSAT and cellular networks.
4 to 20 milliamps
A standard analog signal range used in industrial instrumentation, where 4 milliamps represents the low end of the measurement range and 20 milliamps represents the high end. The use of 4 milliamps rather than 0 provides a "live zero" to distinguish between low readings and system failures.
4-20 milliamp
Standard analog signal range used in industrial instrumentation, where 4 mA represents the minimum value and 20 mA represents the maximum value.
802.11a
Wi-Fi standard operating on the 5.6 GHz frequency band providing 54 Mbps data rates, representing an early high-frequency Wi-Fi implementation.
802.11b
Wi-Fi standard operating on the 2.4 GHz frequency band with initially lower data rates than 802.11a, becoming widely adopted due to better range characteristics.
802.11g
Wi-Fi standard providing backward compatibility with 802.11b while achieving 54 Mbps data rates on the 2.4 GHz band.
802.11i
IEEE security standard introduced in June 2004 that formed the foundation for WPA2, implementing AES 256-bit encryption and RADIUS server integration.
802.11n
Wi-Fi standard providing significantly higher data rates than previous generations through improved antenna and signal processing technologies.
802.15.4
An IEEE standard defining the physical layer and media access control for low-rate wireless personal area networks. This standard serves as the foundation for the Zigbee, WirelessHART, and ISA-100 protocols, making it crucial for industrial wireless communications.
A
A/D Conversion (Analog-to-Digital)
The process of converting continuous analog signals into discrete digital values that controllers can process and store in memory.
Access Point
Central wireless network device that allows Wi-Fi devices to connect to a wired network, contrasted with device-to-device connectivity.
Access Point (AP)
A wireless networking device that allows Wi-Fi devices to connect to a wired network, acting as a bridge between wireless and wired infrastructure.
Access Protocols
Established procedures for authenticating and authorizing access to OT systems, including credential management and sharing restrictions.
ACK Frames
Acknowledgment frames sent by receiving devices to confirm successful receipt of data packets in Wi-Fi communications.
Active Network Tap
A powered network monitoring device that guarantees complete traffic capture without signal degradation, providing reliable monitoring capabilities for critical network segments.
Active Scanning
Testing methods that actively probe systems and may potentially disrupt operations, inappropriate for live OT environments.
Active Taps
Powered network tap devices that guarantee complete traffic capture with no signal degradation or communication loss.
Active Testing
Testing methodologies that involve generating new network traffic, writing data to system storage, installing software on target systems, or otherwise changing the state of the systems being tested. Active testing provides comprehensive security assessment but carries a higher risk of operational disruption.
Active Testing Techniques
Security testing methods that involve sending test traffic, attempting to exploit vulnerabilities, or otherwise interacting with systems in ways that could potentially cause disruption. These techniques are standard in IT penetration testing but inappropriate for most ICS assessments.
Actuator
A device that takes physical action in a process based on commands from a controller, such as opening a valve, starting a pump, or adjusting motor speed. Actuators are the mechanism by which control systems affect the physical world.
Advanced Persistent Threat (APT)
A sophisticated, long-term cyber attack campaign typically conducted by nation-state actors or advanced criminal groups, characterized by extended dwell time, advanced techniques, and specific strategic objectives.
AES (Advanced Encryption Standard)
An encryption algorithm commonly available in 128-bit and 256-bit implementations, used to secure wireless communications by encrypting data transmitted over spread spectrum systems.
AES Encryption
Advanced Encryption Standard using symmetric key encryption, available in 128-bit and 256-bit key lengths for securing wireless communications.
AESO CIP
Alberta Electric System Operator Critical Infrastructure Protection - A regional adaptation of the NERC CIP standards for the Alberta electrical system.
Air Gap
A network security measure that involves physical isolation of systems from unsecured networks, including the Internet. True air-gapping is nearly impossible in practice due to maintenance and operational requirements.
Aircrack-ng
A suite of tools for auditing wireless networks, capable of monitoring, attacking, testing, and cracking wireless network security.
AMI (Advanced Metering Infrastructure)
Two-way communication systems that enable utilities to remotely read meter data and manage customer services, forming the foundation of smart grid operations.
AMI (Automatic Metering Infrastructure)
An upgraded smart grid technology that enables bi-directional communication between utility companies and smart meters at customer locations, allowing remote meter reading, rate changes, and service disconnection/reconnection.
AMR (Automatic Meter Reading)
An earlier generation of smart metering technology that enabled one-way communication from customer meters to utility companies, typically collected by trucks with receivers driving through neighborhoods or via telephone/power line carriers.
Analog Input
A continuous variable measurement from a sensor that changes over time, such as temperature, pressure, flow rate, or level. These inputs provide precise numerical values rather than simple on/off states.
Analog Output
A variable control command from a controller to an actuator specifying a particular percentage, level, or position, such as commanding a valve to 75% open. This allows for fine-grained control of processes.
Application Service Provider (ASP)
A cloud-based service model where SCADA and other industrial applications are hosted remotely and accessed through communication links rather than being installed on-site.
ARP (Address Resolution Protocol)
A network protocol that maps IP addresses to MAC addresses, creating tables that can be passively read to identify connected devices without generating disruptive traffic.
ARP Scanner
Network tool that passively reads Address Resolution Protocol tables to identify active devices without directly interrogating systems.
ASN (Autonomous System Number)
A unique number assigned to autonomous systems on the internet, used to identify network ownership and routing information.
Asset Operator
The organization responsible for running and maintaining an industrial facility on a day-to-day basis. The operator may be the same entity as the asset owner or may be a contracted company.
Asset Owner
The organization that owns an industrial facility and bears ultimate responsibility for its operation, maintenance, and regulatory compliance. The owner may contract operations to another company.
Association Request/Response Frames
Frame types used during Wi-Fi connection establishment to negotiate connection parameters between client devices and access points.
Assumed Breach Scenario
The most common approach to control system penetration testing, where testers are provided with initial IT network access to simulate the post-compromise state following a successful phishing attack or similar initial intrusion.
Assurance
A security discipline focused on ensuring that security controls are effective and that security standards or internal policies are properly implemented organization-wide. Assurance requires mature governance systems and established policies and standards.
ATT&CK Framework
A knowledge base of adversary tactics and techniques based on real-world observations, developed by MITRE Corporation to help organizations understand and defend against cyber threats.
Attack Surface
The collection of systems, ports, applications, and services that an organization exposes to potential attackers, particularly those accessible from the internet or other external networks.
Attack Vector
Any pathway or method that attackers can use to compromise systems, including software installations, network connections, and device interfaces.
Auto-run
A Windows feature that automatically executes programs or scripts when removable media is inserted, historically exploited by malware but now typically disabled for security reasons.
Automation
The process of rendering a physical system automatic, self-moving, and self-controlling to minimize or eliminate human intervention. Automation requires inputs (sensors), control logic (controllers), and outputs (actuators) working in a continuous loop.
Availability
In the context of security, ensuring systems and data are accessible when needed. In OT environments, availability is the top priority because process disruptions can have safety and operational consequences.
Availability Requirements
The need for OT systems to maintain extremely high uptime, often 99.99999% availability, which translates to only minutes of allowable downtime per year.
B
24 terms ▼Backdoor
▼A method of bypassing normal authentication or security mechanisms to gain unauthorized access to a system, used by attackers to maintain persistent access to compromised systems.
Backplane
▼A flat electronic circuit board containing slots for various functional modules in a PLC, similar to expansion slots in a computer but designed for industrial applications.
BACnet (Building Automation and Control Network)
▼Specialized communication protocol designed for building automation systems, HVAC control, and utility management with support for multiple communication media and device profiles.
Bad USB
▼A category of USB-based attacks that exploit the trust model between USB devices and host systems, typically involving HID device impersonation to execute malicious commands.
Badge Sharing
▼The practice of using one person's access credentials to allow another person entry to secure areas, creating security vulnerabilities and accountability problems.
Baggage Handling System
▼Highly automated airport systems that sort, store, and route luggage using conveyor belts, tracking systems, and integration with flight scheduling to ensure bags reach the correct aircraft.
BAS (Building Automation System)
▼An industrial control system that integrates and manages building functions including HVAC, lighting, fire suppression, security systems, and building access control. BAS typically uses protocols like BACnet or LonWorks.
BAS (Building Automation Systems)
▼Control systems that automate all aspects of large buildings including heating, cooling, emergency lighting, security, and fire suppression systems.
Baud Rate
▼The speed of data transmission in serial communication, measured in bits per second, with common rates including 9600, 19200, and 38400 baud.
Beacon
▼In wireless networking, periodic broadcast frames sent by access points to announce their presence and network parameters; attackers monitor beacons to identify target networks for cloning.
Beacon Frames
▼Periodic broadcast frames sent by access points containing network information including SSID, security settings, and connection parameters.
Bidirectional Communication
▼Two-way satellite communication allowing both sending and receiving data, contrast to receive-only broadcast systems.
Black Box Testing
▼Penetration testing approach where testers enter environments with no prior knowledge about target systems, most closely simulating real-world external attacks but carrying higher risks in control system environments.
Blue Team
▼The team responsible for defending the environment during red team exercises. The blue team typically doesn't know the specific timing, methods, or targets of the red team's attacks, creating a realistic testing environment.
Bluetooth
▼Short-range wireless technology designed as a replacement for RS-232 serial cables, available in Enhanced Data Rate and Low Energy variants.
Branch Office Backup
▼Use of VSAT as secondary communication link when primary connections (MPLS, POTS) fail or become unavailable.
Breach Data
▼Information stolen from compromised systems and databases, often including usernames, passwords, and personal information that becomes available through various sources.
Bridge
▼A device that connects two different types of networks, such as converting Zigbee communications to Wi-Fi or Ethernet.
Brownfield Installation
▼The integration of new technology into existing industrial systems that are already deployed and operational in the field.
Building Automation System
▼Integrated systems that control and monitor building services such as lighting, heating, ventilation, air conditioning, fire safety, and security systems.
Bump Key
▼A specially cut key that can open many locks of the same type through impact and turning techniques, commonly used in physical security assessments and by criminals.
Burden of Proof
▼The responsibility of penetration testing teams to document every step of their process through screenshots, logs, and detailed descriptions. This documentation provides defending teams with clear remediation roadmaps and prevents unsubstantiated security claims.
Bus Network
▼A communication system that allows multiple instruments to share a common communication trunk, reducing wiring requirements and enabling enhanced device capabilities.
Business Analysis
▼The systematic examination of an organization's operations, revenue sources, competitive advantages, and strategic vulnerabilities to understand why it might be targeted by adversaries and which systems are most critical to protect.
C
35 terms ▼Capacitor
▼An electronic component that stores electrical energy; in Kill USB devices, capacitors accumulate and amplify USB port power to destructive levels.
Cellular Modem
▼A device that uses cellular network infrastructure to provide wireless communication capabilities, increasingly being embedded directly into industrial equipment such as PLCs and RTUs.
Center Channel
▼Primary frequency used by direct sequence spread spectrum systems, such as channels 1, 6, or 11 in Wi-Fi networks.
Channel Encoder
▼Device or software component that applies spreading codes to input data before transmission, enabling spread spectrum communication by distributing signal energy across multiple frequencies.
CIA Triad
▼The foundational information security model consisting of Confidentiality, Integrity, and Availability. In OT security, this triad is inverted, with availability and integrity prioritized over confidentiality.
CIDR Notation
▼A method for describing IP address ranges using a slash followed by a number (e.g., /24) to indicate the subnet mask.
Client-Server
▼Communication model where only designated client devices can initiate transactions, with servers responding to client requests but not initiating communication independently.
Coast Guard Site
▼Critical infrastructure facilities subject to specific federal reporting requirements when security breaches occur, requiring notification to multiple agencies within strict timeframes.
Coax Cable
▼Coaxial cable used in VSAT installations to carry RF signals between outdoor and indoor units with low signal loss.
Coaxial Cable
▼High-fidelity transmission cables used in VSAT systems to connect outdoor and indoor units with minimal signal loss.
Command and Control (C2)
▼Infrastructure used by attackers to communicate with compromised systems, issue commands, and exfiltrate data; typically involves encrypted channels to evade detection.
Communication Protocols
▼Standardized rules and conventions that define how data is transmitted and received over networks, ensuring devices and systems can understand each other effectively.
Compensating Controls
▼Security measures that provide alternative protection when standard security controls cannot be implemented, such as physical security for shared credentials.
Compliance Violation
▼An action or failure to act that violates regulatory requirements, potentially resulting in fines, reputational damage, or other consequences.
Component Twin
▼The most basic type of digital twin that models a single component such as an engine, transmission, or sensor to understand its fundamental operation and test concepts.
Conduit
▼In the context of the Purdue Model, a controlled communication pathway between security zones that manages and restricts information flow according to security policies.
Configuration Analysis
▼The process of examining exported device settings and operational parameters to identify security misconfigurations, weak authentication, and inadequate access controls.
Connection Establishment
▼Multi-stage process by which Wi-Fi devices authenticate and establish communication with access points or other devices.
Control Systems Network
▼The operational technology (OT) network containing industrial control systems, PLCs, HMIs, and other devices that monitor and control physical processes.
Controller
▼The decision-making component of an automation system that receives inputs, processes them according to programmed logic, and sends commands to outputs. Examples include PLCs and DCS controllers.
Convergence
▼The increasing integration of physical and digital worlds, which has created new capabilities for OT systems but also increased their vulnerability to cyber attacks.
COTS (Commercial-Off-The-Shelf)
▼Technology products that are ready-made and available for purchase, rather than custom-developed solutions.
Credential Separation
▼The practice of using different usernames and passwords for IT and OT systems to prevent lateral movement between environments.
Credential Stuffing
▼An attack method where stolen username/password combinations are tested against multiple systems to gain unauthorized access.
Critical Cyber Asset
▼In NERC CIP terminology, any device with a routable interface that requires specific physical security protections including "six walls of protection" and access monitoring.
Critical Infrastructure
▼Systems and assets whose disruption would have significant impact on national security, economic security, public health, or safety. Examples include energy, water, transportation, and healthcare sectors.
Crown Jewels
▼The most critical assets in an OT environment, typically the control system devices at IEC 62443 levels 3, 2, 1, and 0 that directly control industrial processes.
CVSS (Common Vulnerability Scoring System)
▼A standardized method for ranking vulnerabilities typically using 1-through-10 scales, helping organizations prioritize remediation efforts to address the greatest amount of risk in the shortest amount of time.
CVSS Score
▼Common Vulnerability Scoring System score ranging from 0 to 10 that indicates the severity of a vulnerability. Scores between 9 and 10 are considered critical.
Cyber Attack
▼Deliberate, malicious action taken by a threat actor to compromise, disrupt, or damage computer systems, networks, or data through various techniques and tools.
Cyber Attack Sophistication
▼The ability of cyber attacks to make subtle changes that go unnoticed for weeks or months, rather than causing immediate obvious failures.
Cyber Breach
▼Successful penetration or compromise of security defenses resulting in unauthorized access to systems, data, or networks by threat actors.
Cyber Event
▼Any occurrence in cyberspace that may have an impact on organizational operations, ranging from benign network activity to serious security incidents.
Cyber Incident
▼Cyber event with actual or potentially adverse effects on organizational systems, operations, or assets requiring response and investigation.
Cyber Kill Chain
▼A model describing the stages of a cyber attack, from initial reconnaissance through objective achievement, used for threat analysis and defensive planning.
D
31 terms ▼D/A Conversion (Digital-to-Analog)
▼The process of converting digital values from controller memory into analog signals that can drive field devices such as valve actuators.
Data Historian
▼A specialized system that receives and stores process data from controllers for long-term trending, analysis, and regulatory compliance.
DCOM (Distributed Component Object Model)
▼Microsoft technology that formed the foundation for original OPC implementations, creating significant firewall and security challenges due to random port usage.
DCS (Distributed Control System)
▼A highly integrated, redundant control system designed for complex processes within a single geographical facility. DCS systems typically feature primary and backup controllers, redundant networking, and are common in refineries, chemical plants, and power generation.
De-authentication Frames
▼Management frames used to forcibly disconnect devices from wireless networks, often exploited in security attacks.
Defense in Depth
▼A security strategy that uses multiple layers of security controls to protect systems, acknowledging that no single control is perfect.
Defiant Oil
▼Fictional oil company case study used to demonstrate realistic red team scenario development with multiple threat actor types including nation-state, activist, criminal, and insider threats.
Denial of Service (DoS)
▼An attack that disrupts or prevents legitimate access to services or systems, often by overwhelming resources or exploiting vulnerabilities.
Device ID
▼Unique identifier (1-247 in Modbus) that specifies which field device should respond to a particular protocol message.
Device-to-Device Connectivity
▼Direct wireless connection between two Wi-Fi devices without requiring an access point, commonly used for file transfers in early Wi-Fi implementations.
Digital Input
▼A binary input to a control system that has only two states: on or off, open or closed, true or false. Examples include limit switches, float switches, and contact closures.
Digital Output
▼A binary command from a controller that turns a device either on or off, such as starting a pump or opening a valve fully.
Digital Twin
▼A virtual model of a physical process, component, or system that uses computational mathematics to replicate real-world operation. Digital twins enable testing, training, optimization, and anomaly detection without affecting actual operations.
DIN Rail
▼A standardized metal mounting rail used throughout the industrial automation industry for mounting PLCs, power supplies, and other control equipment.
Direct Sequence Spread Spectrum
▼Underlying radio technology used by Wi-Fi to spread signals across wide frequency ranges, covered in Module 1.
Direct Sequence Spread Spectrum (DSSS)
▼A modulation technique that spreads data across multiple frequency channels simultaneously, providing resistance to interference and improved security. Used by Wi-Fi and ISA-100 systems, contrasting with frequency hopping spread spectrum approaches.
DirectTV
▼Example of the publisher-subscriber VSAT model, using bundled antennas in a single dish for broadcast television content distribution.
Discovery Phase
▼The stage of an attack where adversaries map out control systems and assets after gaining initial access to the network. This phase involves identifying what systems are present, their configurations, and their relationships to understand the environment before proceeding to impact operations.
Discrete Input
▼Another term for digital input; see Digital Input.
Discrete Output
▼Another term for digital output; see Digital Output.
DMS (Distribution Management System)
▼A specialized SCADA system designed for managing electrical power distribution at lower voltages to neighborhoods and end customers, stepping down from transmission levels.
DMZ (Demilitarized Zone)
▼In the Purdue Model, Level 3.5 serves as a secure boundary between trusted OT networks (below) and less-trusted IT/internet networks (above). The DMZ contains security devices and data exchange servers that mediate communication.
DNP3 (Distributed Network Protocol)
▼Communication protocol developed for North American utility applications, enabling communication between SCADA master stations and field devices like RTUs and IEDs.
DNS Dumpster
▼A tool that performs DNS reconnaissance to discover subdomains, IP addresses, and other network information associated with a target domain.
Do Not Touch List
▼A critical component of rules of engagement that identifies systems that should never be tested due to their operational importance. These systems could cause enormous financial loss or operational disruption if they go down even briefly.
Document and Media Exploitation (DOMEX)
▼The process of searching for, collecting, and analyzing specific documents, files, and information during red team exercises to achieve intelligence objectives or demonstrate access to sensitive systems.
DoS (Denial of Service)
▼An attack that overwhelms systems with excessive requests or traffic, making them unavailable to legitimate users.
Downstream
▼In the oil and gas industry, the processing and refining of raw materials into products like gasoline and plastics, and their distribution to end customers.
DSSS (Direct Sequence Spread Spectrum)
▼Spread spectrum technique that spreads signal energy continuously across a wide frequency band using XOR operations with pseudorandom codes, typically implemented in 2.4 GHz, 5.6 GHz, and 6 GHz bands.
Dual Homed Infrastructure
▼Network architecture where systems have connections to multiple networks simultaneously, creating potential security vulnerabilities that require careful management.
Dual-Homed Network
▼A network configuration where a device has simultaneous connections to two different networks, creating potential security vulnerabilities.
E
20 terms ▼Early Bird
▼Nickname for Intelsat I, the first commercial communications satellite, launched April 6, 1965.
East-West Traffic
▼Network communications between devices or network segments within the same network zone, common in industrial control system communications.
EDGE (Enhanced Data rates for GSM Evolution)
▼An enhanced version of GSM technology that provides improved data transmission capabilities.
EEPROM (Electrically Erasable Programmable Read-Only Memory)
▼Non-volatile memory used in PLCs to store critical system firmware and retain programs and data during power outages.
Embedded Device
▼A specialized computer system designed for specific applications, running minimalistic operating systems and purpose-built for particular functions rather than general computing.
Emissions Control
▼OT systems that monitor and automatically adjust industrial processes to keep emissions within regulatory limits while maintaining operational efficiency.
EMS (Energy Management System)
▼A specialized SCADA system designed for monitoring and controlling high-voltage electrical transmission systems, typically managing remote substations from centralized control centers.
Encryption Methods
▼Various security protocols used to protect Wi-Fi communications, evolving over time to address discovered vulnerabilities.
Energy Grid
▼The interconnected network of power generation, transmission, and distribution systems that deliver electricity to consumers, requiring precise real-time balancing of supply and demand.
Engineering Unit Scaling
▼The process of converting raw digital values from controllers into meaningful physical units (such as feet, PSI, or percentage) that operators can understand and use.
Engineering Workstation
▼Specialized computers that provide configuration and programming capabilities for control systems, including control logic development, HMI graphics creation, and system commissioning.
Environment
▼In the context of ICS, the physical process being controlled, such as manufacturing, chemical blending, or power generation.
Environmental Protection
▼The use of operational technology to minimize environmental impacts through precise control of emissions, waste generation, and resource consumption.
Ethernet/IP
▼Industrial protocol that runs industrial automation applications over standard Ethernet networks.
EtherNet/IP
▼Rockwell Automation's Ethernet-based industrial protocol that encapsulates ControlNet communications within TCP/IP, using ports 44818 for explicit messaging and 2222 for implicit messaging.
Evil Pineapple
▼A specialized wireless device designed for security testing that can clone legitimate access points and perform man-in-the-middle attacks. This tool demonstrates the potential for rogue access point deployment and highlights the importance of comprehensive wireless monitoring.
Evil Twin
▼A wireless attack technique where attackers create a malicious wireless access point that impersonates a legitimate one to intercept user communications.
Exploit
▼A piece of code or technique that takes advantage of a vulnerability to cause unintended behavior in a system. Exploits are not inherently malicious but become dangerous through their payloads.
External Penetration Testing
▼A method of attacking the security of a computer system or network from an external or public source using the same mindset, framework, and tools that an attacker would use, with no insider knowledge of the target environment.
External Testing
▼Penetration testing conducted from outside the organization's network perimeter, typically from the internet, focusing on reconnaissance and exposed systems.
F
15 terms ▼Factory Acceptance Test (FAT)
▼A testing process conducted at vendor facilities to verify that systems meet specifications before delivery to customer sites. The course emphasizes that cybersecurity testing should be integrated into FAT processes.
FCC (Federal Communications Commission)
▼United States regulatory agency responsible for managing and licensing radio frequency spectrum allocations.
FFD (Full Function Device)
▼Zigbee device capable of transmitting, receiving, storing, and forwarding data, and of coordinating network functions.
FHSS (Frequency Hopping Spread Spectrum)
▼Spread spectrum technique that rapidly switches transmission frequency according to a predetermined pseudorandom sequence, commonly implemented in the 900 MHz band for long-range industrial applications.
Field Device
▼Industrial control equipment such as PLCs, RTUs, and smart instrumentation that directly interfaces with physical processes and equipment.
First Line of Defense
▼Operational management teams who own and manage daily operational risks and are responsible for implementing security controls. In industrial environments, this includes plant engineers, operators, and maintenance personnel.
Flat-file Database
▼Database architecture optimized for speed rather than data persistence, used in HMI systems to provide millisecond-level updates while automatically discarding outdated information.
Float Switch
▼A level-sensing device that uses a floating component to make or break an electrical contact when liquid reaches a certain height, providing a digital input signal to controllers.
Flow Meter
▼A sensor that measures the volume of liquid passing through pipes over a specific time period.
Footprinting
▼The comprehensive reconnaissance phase of red team exercises involving both digital and physical intelligence gathering to map target attack surfaces, identify potential access points, and understand security measures.
Foundation Fieldbus
▼A digital communication protocol used in industrial automation for connecting field devices to control systems.
Frequency Hopping Spread Spectrum (FHSS)
▼A method of transmitting radio signals by rapidly switching among many frequency channels, using a pseudorandom sequence known to both transmitter and receiver. Commonly used in 900 MHz industrial radio systems for improved reliability and interference resistance.
FUD (Fear, Uncertainty, and Doubt)
▼A strategy used to spread negative or misleading information about security threats, often to influence decision-making or sell products.
Full Function Device
▼Zigbee device capable of performing routing, coordination, and complete network management functions, including the ability to relay data between other devices in the mesh network.
Function Code
▼Numerical identifier in protocols like Modbus that specifies what operation to perform, such as reading coils, writing registers, or controlling devices.
G
9 terms ▼Geosynchronous Orbit
▼Satellite orbital position matching Earth's rotation period, maintaining fixed position relative to ground stations to enable consistent communication links.
GNU Radio
▼An open-source software development toolkit for implementing software-defined radio systems, commonly used with Ubuntu Linux for RF spectrum analysis.
GOOSE (Generic Object Oriented Substation Events)
▼High-speed messaging protocol within IEC 61850 that enables protection coordination and fault isolation in electrical substations with 4-millisecond response requirements.
GPRS (General Packet Radio Service)
▼A packet-based wireless communication service that enables cellular networks to carry TCP/IP data packets using standard networking protocols.
GPS (Global Positioning System)
▼Satellite-based navigation system used in wireless audits to record the precise location of wireless signal detections.
Gray Box Testing
▼Balanced penetration testing approach that provides sufficient information to ensure safety while maintaining enough unknowns to meaningfully test security controls, commonly used in control system environments.
Greenfield Installation
▼The deployment of new technology in new industrial systems that are being built from the ground up.
Ground Rules
▼Fundamental safety and legal principles that must be followed when conducting security testing on operational technology systems.
GSM (Global System for Mobile Communication)
▼The original European standard for mobile voice communication that became the de facto global standard.
H
17 terms ▼H2S Sensor
▼Hydrogen sulfide detection device required in certain industrial environments for personnel safety during assessment activities.
Hardware-Based Threats
▼Malicious capabilities embedded in physical devices like cables or USB devices that can compromise systems through hardware rather than software.
HART (Highway Addressable Remote Transducer)
▼A communication protocol that allows digital communication with field instruments while maintaining compatibility with existing 4-20 mA analog systems.
Hefty Fines
▼Substantial financial penalties imposed by regulatory authorities for non-compliance with mandatory OT security requirements.
HID (Human Interface Device)
▼A computer device class that includes keyboards, mice, and other input devices; exploited in USB attacks because HID devices typically have unrestricted system access.
HID Device
▼Human Interface Device such as keyboards and mice that register with computer systems without security restrictions, often exploited by USB attack tools to execute commands through simulated keystrokes.
Hidden SSID
▼Network configuration that suppresses SSID broadcasting in beacon frames, providing limited security benefit due to other discovery mechanisms.
High-Gain Antenna
▼An antenna that focuses radio frequency energy in a specific direction, providing increased range and signal strength.
HMI (Human Machine Interface)
▼A graphical user interface that allows human operators to monitor processes and interact with control systems. HMIs display process status and allow operators to change setpoints and issue commands.
HMI (Human-Machine Interface)
▼Computer systems that provide operators with graphical interfaces for monitoring and controlling industrial processes, displaying real-time data and enabling control actions.
Hotspot
▼A physical location where people can access the Internet using Wi-Fi technology, often created by mobile devices sharing cellular connections.
Hub System
▼Ground-based antenna infrastructure managing satellite communications between multiple remote VSAT terminals and terrestrial networks.
Hub-and-Spoke Architecture
▼A network configuration where multiple remote terminals communicate through a central hub station.
Human Element
▼The critical role that humans play in both causing and preventing OT security incidents, making human awareness and judgment essential components of security.
Human Machine Interface (HMI)
▼Control system component that provides operators with graphical interfaces for monitoring and controlling industrial processes, often containing web interfaces that can present security vulnerabilities.
Hunter.io
▼A web service that helps discover email addresses associated with specific domains and identifies email formatting patterns used by organizations.
Hybrid DCS
▼Control systems that combine proprietary controllers for real-time process control with standard IT technologies for operator interfaces and business integration.
I
47 terms ▼ICMP (Internet Control Message Protocol)
▼Network protocol used for diagnostic and error messages, commonly used in ping commands but often disabled for security reasons.
ICS (Industrial Control System)
▼The umbrella term for all types of control systems used in industrial environments, including SCADA, DCS, SIS, and others. ICS encompasses the software, hardware, controllers, networks, and all components involved in monitoring and controlling physical processes.
ICS (Industrial Control Systems)
▼Specialized computer systems used to control and monitor industrial processes. These systems include programmable logic controllers (PLCs), human-machine interfaces (HMIs), and other devices that control physical processes in industrial facilities.
ICS Matrix
▼The visual representation of the MITRE ATT&CK for ICS framework that organizes all tactics across the top row and corresponding techniques beneath each tactic. This matrix serves as a navigation tool for understanding the complete attack lifecycle in industrial control systems.
ICS Protocol
▼Industrial Control System protocols specifically designed for real-time control communications requiring low latency and high reliability.
ICS Security Maturity Lifecycle
▼A framework describing the typical progression of industrial control system security programs from initial spot checks through control implementation to comprehensive penetration testing validation.
ICS Vulnerability Assessment
▼A methodology to identify, quantify, and rank vulnerabilities within industrial control systems using passive techniques that do not harm the target system, emphasizing collaboration with operational personnel.
IDS (Intrusion Detection System)
▼A security system that monitors network traffic and flags anomalies for investigation without automatically blocking traffic.
IDU (Indoor Unit)
▼Interior component of VSAT system containing electronics, power supply, and connection ports for integration with network equipment.
IEC 61131-3
▼The international standard that defines six programming languages approved for PLC programming, including ladder logic, function block diagrams, and structured text.
IED (Intelligent Electronic Device)
▼Specialized controllers used exclusively in the power industry for high-speed monitoring and protection of electrical power systems.
IEEE Address
▼A unique identifier used by Zigbee devices instead of IP addresses, enabling networks to support up to 65,535 devices per network segment.
Impact Phase
▼The final stage of an attack where adversaries achieve their ultimate objectives, such as disrupting operations, preventing operator response, causing equipment damage, or creating safety hazards. In OT environments, this phase can result in physical consequences including plant shutdowns, explosions, or environmental harm.
Incident Response
▼Structured approach to handling and investigating security breaches or cyber attacks in industrial environments.
Indicator of Compromise (IoC)
▼Observable artifacts or behaviors that suggest a system may have been compromised by malicious activity, such as unusual network traffic patterns or unauthorized communications.
Indicators of Compromise (IOC)
▼Observable evidence that a system has been compromised, including suspicious network traffic, file modifications, or unusual system behavior.
Indicators of Compromise (IOCs)
▼Evidence that suggests a system or network has been breached or infected with malware.
Industrial Automation
▼The broad term for automating processes without human intervention using technological systems.
Industrial Control System
▼The central control systems for factories, power plants, refineries, and other industrial facilities that manage complex manufacturing and production processes.
Industrial Control System (ICS)
▼Integration of hardware and software used to monitor and control industrial processes and equipment.
Industrial Control Systems
▼Complex OT systems that manage dangerous industrial processes like chemical production, oil refining, and power generation with multiple safety layers.
Industrial Control Systems (ICS)
▼Computer-based systems that monitor and control industrial processes, including manufacturing, power generation, water treatment, and other critical infrastructure operations. These systems typically include components such as SCADA systems, PLCs, and HMIs.
Initial Compromise
▼The first successful attack phase where attackers achieve initial access to target environments through internet-based, email-based, physical access, supply chain, or insider threat vectors.
Input
▼A measurement or signal from the physical world that provides information to a controller, such as temperature, pressure, flow, level, or switch status. Inputs are essential for automation because controllers cannot control what they cannot measure.
Input/Output Module
▼Digital devices that serve as the interface between real-world process conditions and digital control systems, sensing physical conditions and converting them to digital information.
Integrity
▼One of the three pillars of cybersecurity, referring to ensuring that data and systems remain accurate, complete, and trustworthy.
Intellectual Property (IP)
▼Proprietary knowledge and information about how systems operate. In the context of digital twins, the physics models and operational parameters represent valuable IP that must be protected.
Intellectual Property Theft
▼The theft of valuable manufacturing processes and operational techniques through observation and replication, even without access to written recipes or formulas.
Intelsat I
▼First commercial communications satellite, also known as Early Bird, launched in 1965, marking the beginning of commercial satellite communications.
Internal Penetration Testing
▼A method of attacking the security of a system from within the network using the same tools that a real attacker would use, focusing on validating network segmentation and access controls for users already inside the environment.
Internal Testing
▼Penetration testing conducted from within the organization's network, often simulating insider threats or compromised internal systems.
Intervention
▼The act of directly challenging or stopping unsafe practices when they are observed, rather than simply reporting them after the fact.
Intrusion Detection System (IDS)
▼Security tools that monitor network or system activities for malicious activities or policy violations and generate alerts for security personnel.
Investigative Mindset
▼The approach used in ICS vulnerability assessment where testers think like detectives examining evidence rather than adversaries trying to break into systems, emphasizing safe collection and analysis of system artifacts.
IoT (Internet of Things)
▼The network of physical devices embedded with sensors, software, and connectivity that enables them to collect and exchange data. Industrial IoT (IIoT) applies these concepts to industrial environments.
IPS (Intrusion Prevention System)
▼A security system that monitors network traffic and automatically blocks suspicious activity in real-time.
IPSec (Internet Protocol Security)
▼A protocol suite for securing Internet Protocol communications by authenticating and encrypting IP packets.
IPSec Tunnels
▼Internet Protocol Security tunneling providing encrypted and authenticated communication channels over public networks.
ISA 100
▼A wireless communication standard for industrial automation applications, providing standardized protocols for wireless sensor networks.
ISA 100.11a
▼An internationally recognized wireless standard developed by the International Society for Automation as a vendor-agnostic protocol for industrial wireless communications.
ISA-100
▼An industrial automation standard (ISA-100.11a) for wireless networking in process control and related applications. Developed as an open standard alternative to proprietary wireless protocols, providing reliable and secure wireless operation for non-critical monitoring and control functions.
ISA/IEC 62443
▼International standard framework defining cybersecurity requirements and guidelines for industrial automation and control systems.
ISA100.11a
▼International standard for wireless communications in automation environments, developed by the International Society of Automation.
ISM Band (Industrial, Scientific, Medical)
▼Radio frequency bands reserved for industrial, scientific, and medical purposes, including 2.4 GHz used by Wi-Fi and Zigbee.
ISM Bands
▼Industrial, Scientific, and Medical frequency bands (900 MHz, 2.4 GHz, 5.6 GHz) designated for unlicensed use including Wi-Fi applications.
IT (Information Technology)
▼Systems including computers, servers, databases, and firewalls that process, store, or transmit information.
IT/OT DMZ
▼Network zone that sits between corporate IT networks and operational technology networks, typically containing systems like data historians, patching servers, and jump boxes that bridge the two environments.
J
Jump Host
▼An intermediary system that manages and controls user access between different network segments, similar to trampolines that users must traverse to reach their destination.
K
Karma Firmware
▼Modified wireless access point firmware that enables advanced wireless attacks, including automatic response to client device probe requests.
Kill USB
▼A destructive USB device that uses capacitors and diodes to amplify USB port power to levels that permanently damage connected electronic devices.
Kismet
▼A wireless network detector and intrusion detection system that works with Wi-Fi, Bluetooth, and other wireless protocols.
Ku Band
▼Frequency range used by modern VSAT systems, first commercially developed by Schlumberger and Hughes Aerospace in 1985.
Ku-Band
▼A frequency range (12-18 GHz) commonly used for VSAT communications, offering advantages including smaller antenna requirements.
L
Ladder Logic
▼The most common PLC programming language that uses graphical symbols resembling electrical relay diagrams to represent control logic.
LAN Turtle
▼A covert network access tool disguised as a USB Ethernet adapter that provides various network attack capabilities including remote access and man-in-the-middle attacks.
Last Mile Communication
▼The communication link between SCADA terminals and field devices that collect data from instrumentation and sensors.
Last Mile Communications
▼Final segment of communication path connecting end-user locations to broader network infrastructure.
Latency
▼The time delay between signal transmission and reception, particularly problematic in satellite communications due to the distances involved.
Lateral Movement
▼The process by which attackers move through a network after initial compromise, seeking to access additional systems and escalate privileges.
Layer 2 Separation
▼A network security method that uses VLAN tagging to keep different customers' data streams separate throughout the transmission path.
Layer 2/Layer 3 Separation
▼Network segmentation technique isolating data link layer and network layer functions to improve security and network management.
Layer 3 VLAN Tagging
▼A method of creating multiple virtual circuits for the same customer using network layer addressing.
Legacy Operating System
▼Older operating systems like Windows NT and Windows 2000 that are still commonly used in OT environments despite being obsolete in IT contexts.
Legacy Systems
▼Older systems that may lack modern security features, be out of vendor support, or be incompatible with current security technologies.
Level 0 (Purdue Model)
▼The lowest level containing sensors and actuators that interface directly with the physical process but have no independent decision-making capability.
Level 1 (Purdue Model)
▼Basic control level containing PLCs and controllers that have the capability to make controlled changes to the physical world.
Level 2 (Purdue Model)
▼Supervisory control level containing HMIs, SCADA servers, and operator consoles that can send control commands to Level 1 controllers.
Level 3 (Purdue Model)
▼Operations and control zone containing support systems like data historians that need to connect to control systems but don't directly command controllers.
Level 3.5 (Purdue Model)
▼The DMZ security boundary between OT (below) and IT (above) networks, containing firewalls, data diodes, and data exchange servers.
Level 4/5 (Purdue Model)
▼Business network (Level 4) and internet-connected systems (Level 5) that should be segmented from OT environments.
Licensed Spectrum
▼Radio frequency bands requiring federal agency approval and specific authorization for use, providing dedicated frequencies with legal protection from interference.
Licensed Wireless System
▼A wireless communication system that operates on frequencies allocated exclusively to a specific organization through government licensing, providing dedicated spectrum access and protection from interference.
Licensed Wireless Systems
▼Radio frequency systems requiring government license for operation, providing exclusive use of specific frequencies with legal protection.
Lifecycle
▼The operational lifespan of systems, with IT systems typically lasting years while OT systems operate for decades, creating different security maintenance requirements.
Line of Sight
▼Direct unobstructed path between transmitting and receiving antennas, critical for reliable RF communications.
Live Zero
▼The use of 4 milliamps instead of 0 milliamps as the low end of analog signal ranges, enabling detection of system faults when signals drop to zero.
Living Off the Land
▼Advanced attack technique using legitimate system tools, utilities, and processes already present in the target environment to avoid detection by security controls.
Living off the Land
▼A technique where attackers use legitimate, built-in operating system tools rather than installing malware, making detection more difficult.
Local Control
▼Control functions performed autonomously by a controller at a field location without requiring communication with or commands from supervisory systems.
Lock Picking
▼The practice of unlocking locks without the original key by manipulating lock components; a common physical security assessment technique.
LoRa (Long Range)
▼An open wireless communication standard for long-range, low-power industrial and IoT applications, used for wireless input/output devices.
LoRaWAN (Long Range Wide Area Network)
▼A low-power wide-area network protocol designed for Internet of Things applications requiring long-range communication.
M
MAC Address Filtering
▼Early Wi-Fi security mechanism restricting network access based on hardware addresses, easily circumvented by address spoofing.
Malicious Attack
▼Intentional cyber attacks that can create scenarios that would never occur in normal operations but could have catastrophic consequences.
Malicious Behavior
▼Intentional actions designed to compromise security, such as unauthorized access attempts or information gathering activities.
Malicious Insider
▼An authorized user (employee or contractor) who intentionally causes harm to an organization's systems or data, as demonstrated by historical attacks like Shamoon.
Malware
▼Malicious software that can compromise systems and spread through various connection methods, including charging cables and network connections.
Man-in-the-Middle (MITM)
▼An attack where the attacker secretly intercepts and potentially alters communications between two parties who believe they are communicating directly.
Man-in-the-Middle Attack
▼A cybersecurity attack where an attacker intercepts and potentially alters communications between two parties who believe they are communicating directly with each other. In wireless contexts, this often involves rogue access points that masquerade as legitimate networks.
Mandatory Requirements
▼Regulatory obligations that must be met by organizations in specific industries or regions, with enforcement mechanisms and penalties for non-compliance.
Master Polling Server
▼Central servers in SCADA systems that initiate communication with field devices and coordinate data collection from remote sites.
Master-Slave
▼Communication model where only master devices can initiate transactions, with slave devices waiting to be polled before responding with data.
Memory Address
▼A specific location in controller memory where input values are stored and from which output values are read.
MES (Manufacturing Execution System)
▼Middleware software that sits between business systems and plant floor control systems, managing production scheduling, inventory, work orders, and material tracking.
MES (Manufacturing Execution Systems)
▼Systems that bridge control systems with enterprise applications, handling batch management, work orders, logistics, and quality control.
Mesh Network
▼A wireless network topology where each device can communicate with multiple other devices, enabling automatic routing around failed devices and eliminating single points of failure.
Mesh Topology
▼A network architecture where devices connect to multiple other devices, providing redundant communication paths and improved reliability.
Midstream
▼In the oil and gas industry, the transportation and storage of oil and gas via pipelines, trucks, rail, or storage facilities.
MITRE ATT&CK for ICS
▼A comprehensive framework created by MITRE that documents how attackers break into control system environments and impact plant networks. The framework organizes adversary behavior into tactics, techniques, and procedures based on real-world incidents.
MITRE Corporation
▼A not-for-profit organization that operates federally funded research and development centers in the United States. MITRE develops frameworks and tools to improve cybersecurity, including the ATT&CK framework for documenting adversary behaviors.
MMI (Man-Machine Interface)
▼Historical term for human-machine interfaces, still found on older equipment and documentation, now replaced by HMI for political correctness.
Modbus
▼Open, royalty-free industrial communication protocol originally developed by Modicon, widely adopted due to its simplicity and clear-text format.
Modbus Plus
▼A network communication protocol used for connecting industrial devices and controllers.
Modbus TCP
▼Ethernet version of Modbus that encapsulates traditional Modbus messages within TCP/IP headers, using port 502 for communication.
MPLS (Multi-Protocol Label Switching)
▼A routing technique that directs data from one network node to the next based on short path labels rather than long network addresses.
MPLS (Multiprotocol Label Switching)
▼Wide area networking technology used to connect remote facilities and provide dedicated communication circuits.
MPLS Network
▼Multi-Protocol Label Switching network technology commonly used for business communications, often backed up by VSAT.
Multi-Vendor Complexity
▼The integration challenges created when OT systems consist of components from multiple suppliers, requiring coordination between vendors for security updates.
N
Narrow Band Data
▼Low bandwidth data transmission suitable for telemetry, polling, and small transaction applications typical of VSAT usage.
NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection)
▼Regulatory standards requiring specific physical and cybersecurity controls for electric power systems.
NetOptics
▼A company that manufactures professional network monitoring and tap devices used for traffic analysis and security monitoring.
Network Isolation
▼The practice of keeping OT systems separate from external networks like the Internet to prevent remote attacks and maintain security boundaries.
Network Miner
▼A specialized analysis tool that extracts and analyzes files, images, and other objects transmitted across networks from packet capture data.
Network Sniffing
▼A technique used to passively monitor network traffic and gain insights into communications without actively probing systems. In industrial environments, this technique can reveal operational data and control commands that traverse the network.
Network Tap
▼A hardware device that provides access to network communications for monitoring and analysis purposes without disrupting normal network operations.
Node Address
▼A unique identifier assigned to each device on a bus network, enabling controllers to communicate with specific instruments.
Non-volatile Memory
▼Memory that retains stored information when power is removed, typically used for storing PLC programs and critical system data.
North-South Traffic
▼Network communications entering or leaving a network, typically between different network zones or external systems.
NTP (Network Time Protocol)
▼Protocol used to synchronize computer clocks across networks, critical for accurate logging and event correlation.
Nuisance Trip
▼Unexplained shutdown or safety system activation in industrial control systems, often caused by communication failures.
O
ODU (Outdoor Unit)
▼The outdoor component of a VSAT system that includes the satellite dish, transceiver/receiver, and weatherproof enclosures.
OEM (Original Equipment Manufacturer)
▼A vendor that provides specific components, devices, or subsystems used in industrial control systems, such as Siemens, Rockwell Automation, or Schneider Electric.
Omni-directional Antenna
▼An antenna that radiates or receives radio frequency energy equally in all horizontal directions, providing 360-degree coverage.
Omnidirectional Antenna
▼Antenna design capable of transmitting and receiving radio signals in a 360-degree pattern, typically used for master stations requiring broad coverage areas.
Onion Layer Model
▼A security architecture concept where the most sensitive systems (crown jewels) are at the center, protected by multiple layers of security controls.
Onion Layer Security Model
▼A security architecture concept where control system devices at the core are protected by multiple layers of security controls, with each layer providing protection for the layers beneath it.
OPC (Open Platform Communications)
▼Standardized interface technology that enables communication between diverse industrial devices and enterprise applications without requiring device-specific drivers.
OPC UA (Unified Architecture)
▼Modern version of OPC that addresses security and platform limitations through built-in encryption, authentication, single-port communication, and platform independence.
Open Source Intelligence (OSINT)
▼The collection and analysis of information from publicly available sources, including websites, social media, public records, and other openly accessible materials. Attackers use OSINT to gather information about target organizations without being detected.
Operational Data
▼Information related to manufacturing processes, control systems, and site operations that could have severe impacts if accessed by unauthorized parties.
Operational Technology (OT)
▼Hardware and software systems that monitor and control physical devices, processes, and infrastructure in industrial environments. OT is distinguished from Information Technology (IT) by its focus on operational processes rather than information processing.
OSINT (Open Source Intelligence)
▼Intelligence gathered from publicly available sources, including websites, social media, news articles, and other information freely accessible on the internet.
OT (Operational Technology)
▼The hardware and software systems used to monitor and control physical processes in industrial environments. OT systems differ from traditional IT systems in that they directly control physical processes and often have different security requirements.
OT Network Core
▼The central switching infrastructure that distributes communications throughout industrial control environments.
OT Vulnerability Assessment
▼Systematic testing of operational technology systems to identify security defects, configuration issues, and hardening opportunities without impacting system performance.
Outdoor Unit
▼Exterior component of VSAT system including dish antenna, transceiver, and weatherproof enclosure.
Output
▼A command or signal from a controller to a device that affects the physical process, such as starting a pump, opening a valve, or displaying information to an operator.
Outside-Inside Approach
▼A testing methodology that begins assessment at the most externally exposed systems and progressively moves toward more sensitive internal systems.
P
Packet
▼Unit of data transmitted over a network, containing both header information and payload data.
Packet Broker
▼A specialized device that provides advanced traffic filtering and routing capabilities for complex network monitoring scenarios.
Packet Filtering
▼Process of selecting and analyzing specific packets based on criteria such as protocol, IP address, or content.
Packet Squirrel
▼A small network device that sits inline with existing network connections to provide remote access capabilities while appearing as a transparent network component to monitoring systems.
Parity
▼Basic error detection mechanism in serial communication that adds an extra bit to make the total number of 1 bits even (even parity) or odd (odd parity).
Passive Network Tap
▼A simple, unpowered device that enables traffic monitoring but may not capture all network communications reliably.
Passive Scanning
▼Assessment techniques that gather information without sending packets to target devices, minimizing risk of disruption to operational systems.
Passive Taps
▼Simple network tap devices that split network signals without requiring power, though with potential for signal loss.
Passive Techniques
▼Security assessment methods that gather information without actively probing or potentially disrupting target systems, essential for OT environments.
Passive Testing
▼Testing approaches that focus on observing and analyzing systems without generating new network traffic or modifying system states. Passive testing minimizes operational disruption while still providing valuable security insights.
Passive Testing Techniques
▼Security testing methods that involve observing and documenting system configurations, network traffic, and operational parameters without sending probing traffic or attempting to exploit vulnerabilities.
Patching Paradox
▼The difficulty of applying security updates to OT systems due to availability requirements and complexity, making traditional IT patching approaches impractical.
Pay-Per-Use Billing
▼A billing model where users pay for services based on actual usage, such as bandwidth consumption in VSAT systems.
Pay-per-Use Billing
▼Pricing model where costs are based on actual bandwidth consumption rather than flat monthly rates.
Payload
▼Malicious code or commands delivered by an exploit to accomplish the attacker's objective, such as data theft, system control, or destructive actions.
Payment Firewall
▼Commercial Wi-Fi implementation that restricts network access until payment authentication is completed, demonstrating connection state transitions.
PC-based Control
▼Control systems that use general-purpose computers running specialized software instead of dedicated hardware controllers like PLCs.
PCAP (Packet Capture)
▼A file format for storing network traffic data that can be analyzed offline to understand communication patterns and identify security concerns.
Penetration Testing
▼A testing methodology that simulates how motivated attackers with no prior knowledge of the environment might attempt to compromise systems, typically testing defensive capabilities by attempting to move from external networks through corporate systems to industrial control systems.
Penetration Testing (Pentesting)
▼Authorized security testing where human testers simulate real-world attacks to identify vulnerabilities and security gaps in systems and networks.
Persistence
▼The ability to maintain access to compromised systems over extended periods through techniques that survive system reboots, security scans, and routine maintenance activities.
Personal Protective Equipment (PPE)
▼Safety equipment designed to protect workers from workplace hazards. In industrial wireless audits, this may include hard hats, safety glasses, Nomex flame-retardant coveralls, and steel-toed boots, depending on facility hazard levels.
Pharmaceutical Manufacturing
▼Highly regulated production processes that use OT systems to ensure medications are produced with exact specifications and zero tolerance for errors.
Phishing
▼A social engineering attack that uses deceptive communications (typically email) to trick users into revealing sensitive information or installing malware.
Physical Equipment Damage
▼The unique vulnerability of OT systems where cyber attacks can cause physical damage to equipment and infrastructure requiring repair or replacement.
Physical Security
▼The protective measures including surveillance cameras, locks, and alarms that prevent unauthorized physical access to OT systems.
Physical World Impact
▼The tangible, real-world consequences that result from OT system operations or failures, affecting people, property, and the environment.
Pine AP
▼The attack framework used by WiFi Pineapple devices to conduct wireless attacks, including access point impersonation and client exploitation.
PLC (Programmable Logic Controller)
▼An industrial computer designed for reliable control of manufacturing processes and automated systems. PLCs read inputs, execute control logic, and generate outputs in real-time.
Port Scanning
▼An assessment technique that probes network devices to identify open TCP and UDP ports, but which can potentially disrupt industrial control systems not designed to handle simultaneous connection attempts.
POTS Lines
▼Plain Old Telephone Service: traditional landline connections, often backed up by satellite communication.
PPE (Personal Protective Equipment)
▼Safety equipment required for personnel working in industrial environments, which may include hard hats, safety glasses, fire-resistant clothing, and specialized detection devices.
Pre-shared Key
▼Authentication method using a shared password between clients and access points for network access control.
Pressure Cooker Valve
▼An analogy for OT safety systems that automatically activate when conditions exceed safe parameters, similar to how a pressure cooker valve releases pressure when it becomes too high.
Pressure Sensor
▼A device that measures the force exerted by gases or liquids within containers or systems.
Probe Request/Response Frames
▼Frame types used by client devices to discover available wireless networks and by access points to respond with network information.
Procedures
▼In the MITRE ATT&CK framework, these are real-world examples of how specific techniques have been used by attackers in documented incidents. Procedures provide concrete evidence of how theoretical attack techniques are implemented in practice.
Process Twin
▼The most complex type of digital twin that models entire operational processes such as zero-inventory manufacturing or facility-wide operations, enabling optimization of complex, multi-variable systems.
Product Twin
▼A digital twin that models the interactions between multiple components, such as how an engine, transmission, and braking system work together, enabling analysis of complex system behaviors.
Profibus
▼A fieldbus communication protocol used in industrial automation for connecting field devices to control systems.
Programmable Logic Controller (PLC)
▼Industrial computer that controls manufacturing processes and machinery, often containing firmware and communication interfaces that can present security vulnerabilities.
Protocol Agnostic
▼A characteristic of spread spectrum technology meaning it can carry any communication protocol without altering or affecting the underlying data or protocol structure.
Protocol Gateway
▼Devices that translate between different communication protocols, enabling unified communication with diverse field equipment using different proprietary protocols.
Protocol Hierarchy
▼Organizational structure showing the different network protocols and their relationships in captured traffic.
Protocol Negotiation
▼Process by which Wi-Fi devices agree on communication parameters during connection establishment.
Protocol-Agnostic
▼Technology characteristic allowing spread spectrum to work with any data protocol or communication standard without modification to the underlying communication method.
Proxmark
▼An RFID research and penetration testing device that can read, clone, and emulate various RFID and proximity cards used in access control systems.
Pseudo Noise Generator
▼A component that creates the pseudo-random number sequences used in spread spectrum systems to encode and decode wireless communications; common implementations use a time-based seed such as seconds since 1970.
Pseudo-random Number Generator
▼Algorithm that produces sequences of numbers that appear random but are actually deterministic, used in spread spectrum systems.
Pseudorandom Number Generator
▼Mathematical algorithm that produces sequences of numbers that appear random but are predictable and reproducible when the same seed value is used, essential for synchronizing spread spectrum communications.
Public Source Intelligence
▼Information gathering using only publicly available sources such as websites, social media, professional platforms, and published materials.
Publisher-Subscriber
▼Communication model where publishers continuously broadcast data to all subscribers on the network, typically using UDP for real-time data distribution.
Publisher-Subscriber Model
▼One-way communication architecture where central source distributes content to multiple receiving locations.
Purdue Model
▼A reference architecture model (formalized in ISA-95 and IEC 62443) that defines hierarchical security zones for OT networks from Level 0 (field devices) through Level 5 (internet), specifying that communication should only flow between adjacent levels.
Q
Quality Control Compromise
▼Attacks that subtly alter manufacturing processes to produce defective products without immediately obvious failures.
R
Ransomware
▼A type of malware that encrypts files and locks users out of systems while demanding payment for restoration.
RAT (Remote Access Tool)
▼Software that allows remote control of computer systems; can be used legitimately by administrators or maliciously by attackers.
Re-association Frames
▼Management frames used when devices move between access points or reconnect after temporary disconnection.
Real-time
▼In industrial contexts, extremely demanding timing requirements such as 4-millisecond fault detection in power systems or 10,000 samples per second in substation automation.
Real-time Operating System (RTOS)
▼An operating system designed to provide predictable response times and deterministic behavior required for industrial control applications.
Reconnaissance
▼The initial phase of an attack where attackers gather information about their target. In industrial environments, reconnaissance activities are often invisible to the target organization and may involve gathering information from public sources.
Red Team
▼A small group of trained experts from multiple disciplines (physical security, cybersecurity, social engineering) who work together to simulate sophisticated, coordinated attacks against organizational defenses.
Red Team Exercise
▼The most comprehensive form of security testing involving multi-faceted attacks that can include physical security breaches, social engineering, network penetration, and other techniques designed to test technical, human, and procedural security elements.
Reduced Function Device
▼Limited Zigbee device providing only basic sensor or actuator functionality without routing capabilities, designed for battery operation with minimal power consumption.
Regulation
▼Mandatory legal requirements issued by governmental or regulatory bodies that asset owners must comply with or face fines, penalties, or operational shutdown. Examples include NERC CIP, FDA regulations, and FERC requirements.
Regulatory Compliance
▼The process of adhering to laws, regulations, and standards that govern OT security and critical infrastructure protection.
Relay Logic
▼The original form of industrial control using electromechanical relays connected with electrical wiring to create logical functions.
Reliability
▼The consistent, uninterrupted operation of critical systems enabled by OT technology, ensuring services like power and water remain available 24/7.
Remote Attack Capability
▼The ability of cyber attackers to target OT systems from anywhere in the world without physical presence, creating a global threat landscape.
Reputational Damage
▼Harm to an organization's reputation and stakeholder confidence resulting from publicized compliance failures or security incidents.
Reverse Engineering
▼The process of analyzing control system operations, logic, and processes to understand how they function. Attackers use reverse engineering to determine how to effectively disrupt or manipulate industrial processes.
RF (Radio Frequency)
▼The portion of the electromagnetic spectrum used for wireless communications, typically measured in megahertz (MHz) or gigahertz (GHz).
RF Spectrum
▼The portion of the electromagnetic spectrum used for radio frequency communications, with specific bands allocated for different purposes including licensed and unlicensed uses.
RFD (Reduced Function Device)
▼Zigbee device with limited capabilities, able to communicate but not coordinate network functions.
RFID (Radio Frequency Identification)
▼A technology that uses radio waves to identify and track objects, commonly used in access control systems and vulnerable to cloning attacks.
RFID Cloning
▼The process of duplicating radio frequency identification cards or badges to gain unauthorized physical access to facilities using specialized reading and writing devices.
Risk
▼The potential that a threat will exploit a vulnerability to cause harm to a system or organization.
Risk-Reward Analysis
▼The process of evaluating whether the benefits of a particular action justify the security risks it creates, often different for OT and IT systems.
RITA (Real Intelligence Threat Analytics)
▼A specialized tool for analyzing network traffic to detect beaconing behaviors and command and control communications.
Rogue Access Point
▼An unauthorized wireless access point installed on a network, either maliciously by an attacker or inadvertently by well-meaning personnel. These devices can create security vulnerabilities by bypassing network security controls and providing unauthorized network access.
Round-Robin
▼Communication pattern where a master device polls slave devices sequentially, communicating with only one device at a time in a predetermined order.
RS-485
▼Multi-drop serial communication standard that enables multiple devices to share a two-wire communication bus, with all devices receiving all messages but only addressed devices responding.
RSPAN (Remote Switch Port Analyzer)
▼A switch feature that enables remote monitoring of network traffic but may impact network performance.
RTS/CTS
▼Request to Send/Clear to Send frame types used for collision avoidance in wireless networks, particularly important in hidden node scenarios.
RTU (Remote Terminal Unit)
▼Industrial control devices that interface with field equipment and communicate with central control systems, typically used in geographically distributed operations.
Rubber Ducky
▼A USB device that appears as a flash drive but registers as a keyboard to execute pre-programmed keystroke sequences, often used to deploy malware or establish remote access.
Rubber Ducky Antenna
▼Omnidirectional short antenna (typically less than 10 inches) commonly used in cellular modem applications.
Rules of Engagement
▼Formal documentation that describes what attacking teams can do, what defending teams can do, what systems should never be touched, and what actions are prohibited during security testing.
Rung
▼A single line of ladder logic that represents a complete logical statement, with power flowing from left to right when conditions are satisfied.
S
Safety Systems
▼OT systems that continuously monitor critical parameters and automatically implement protective measures when conditions approach dangerous thresholds.
SCADA (Supervisory Control and Data Acquisition)
▼A centralized control system architecture designed for monitoring and controlling geographically dispersed assets such as oil wells, water pumps, or electrical substations from a central control room.
SCADA Pack
▼A compact RTU designed for basic data collection and totalization functions in small industrial applications.
SCADA Terminal
▼Supervisory Control and Data Acquisition system endpoint where operators monitor and control industrial processes.
Scan Cycle
▼The continuous process by which a PLC reads inputs, executes the control program, updates outputs, and performs communication tasks.
Scenario Building
▼The process of creating realistic attack narratives that define red team motivations, capabilities, objectives, and constraints to frame exercise activities and success criteria.
Schlumberger
▼Oil services company that co-developed the first Ku-band VSAT system with Hughes Aerospace for oilfield operations.
Scope Consideration Framework
▼A strategic approach to selecting testing methodologies based on whether the focus is organizational processes, systems and networks, or specific products and applications.
Scope Creep
▼Unauthorized expansion of testing boundaries during project execution, either by testing teams seeking new challenges or vendors seeking increased revenue.
SDR (Software Defined Radio)
▼Radio communication system where components traditionally implemented in hardware are instead implemented in software.
Second Line of Defense
▼Risk management and compliance teams responsible for risk oversight, security governance, and policy compliance. These teams often provide support and guidance to operational teams while maintaining oversight responsibilities.
Security Onion
▼A comprehensive open-source platform that integrates multiple security tools for intrusion detection and network analysis.
Security Testing Devices
▼Automated devices that can be deployed to perform wireless attacks or security assessments without manual operation.
Sensor
▼A device that measures physical conditions such as temperature, pressure, flow, level, vibration, or position and provides this information as an input to control systems.
Service Set Identifier (SSID)
▼The name assigned to a wireless network that identifies it to users and devices. SSIDs can be broadcast publicly or hidden, and their analysis forms a crucial component of wireless discovery and security assessment.
Shamoon Attack
▼A 2012 malicious insider attack at Saudi Aramco where three system administrators deployed destructive malware to 30,000 computers, causing massive operational disruption.
Shared Operator Accounts
▼Authentication credentials that are shared among multiple operators for safety reasons, typically with compensating physical security controls.
Shared Responsibility
▼The principle that regulatory compliance requires participation from all employees who interact with OT systems, not just compliance specialists.
Shared Responsibility Model
▼The approach to OT security where everyone who interacts with these systems contributes to their protection, rather than relying solely on technical specialists.
Shodan
▼A search engine that indexes internet-connected devices and systems, allowing users to discover exposed infrastructure, services, and potential vulnerabilities.
Signal Strength
▼The power level of a radio frequency signal, typically measured in decibels (dBm) and used to determine wireless coverage quality.
SIM (Subscriber Identity Module)
▼A card used in cellular systems to identify and authenticate users on cellular networks.
SIM Card
▼Subscriber Identity Module used in cellular systems for authentication and network access.
SIS (Safety Instrumented System)
▼An independent control system that monitors the main process control system and automatically intervenes to maintain safe conditions if the primary control system fails or if the process enters dangerous parameters. SIS acts as a safety net, like a lifeguard watching over the primary system.
SIS (Safety Instrumented Systems)
▼Independent control systems designed to ensure processes remain in safe states, activating only when conditions could harm personnel, equipment, or the environment.
Site Acceptance Test (SAT)
▼Testing conducted at customer facilities to verify that systems function properly in their operational environment. The course emphasizes integrating cybersecurity testing into SAT processes to ensure systems are secure before commissioning.
Six Walls of Protection
▼NERC CIP requirement that critical cyber assets must be physically protected by six walls (typically an equipment cabinet) with controlled access and monitoring.
Smart Grid
▼An enhanced electrical grid infrastructure that incorporates bi-directional digital communications with intelligent devices, enabling real-time monitoring, demand response, and automated control.
Smishing
▼SMS-based phishing attacks that use text messages to deliver malicious links or social engineering content to mobile device users.
SNMP (Simple Network Management Protocol)
▼Network protocol used for collecting information from and remotely configuring network devices.
SOC (Security Operations Center)
▼A centralized facility where security professionals monitor, detect, analyze, and respond to cybersecurity incidents.
Social Engineering
▼The manipulation of human psychology and conventional social interactions to elicit desired responses such as providing access, information, or assistance to unauthorized individuals.
Soft PLC
▼Software that emulates PLC functionality on general-purpose computers, enabling the same control logic to run in virtualized environments.
Software Defined Radio
▼A radio communication system where traditional hardware components are implemented in software, enabling flexible analysis and implementation of various wireless technologies.
SPAN Port
▼Switch port configured to mirror traffic from other ports, enabling passive network monitoring without interrupting communications.
Span Port
▼A network switch port configured to mirror traffic from other ports, enabling passive monitoring and analysis without disrupting normal network operations.
SPAN Port (Switch Port Analyzer)
▼A switch feature that mirrors traffic from other ports to enable monitoring without disrupting normal operations.
Spear Phishing
▼Highly targeted email attacks directed at specific individuals using personalized information and realistic pretexts to increase the likelihood of successful credential theft or malware deployment.
Spectrum Analyzer
▼A test instrument used to examine the spectral composition of radio frequency signals. In wireless audits, spectrum analyzers help identify active frequencies, signal strength, and potential interference sources across different RF bands.
Spread Spectrum
▼Technology that distributes signal energy across multiple frequencies using pseudorandom codes, providing benefits including frequency reuse, jamming resistance, signal hiding, and bandwidth sharing.
Spreading Code
▼A pseudo-random sequence used in spread spectrum systems to encode data before transmission and decode it after reception, known only to authorized transmitters and receivers.
SSID (Service Set Identifier)
▼A network name that identifies a specific Wi-Fi network, with all devices joining the same SSID using the same spreading codes and pseudo-noise generators.
SSID Cloning
▼A wireless attack technique where attackers create fake access points using the same name as legitimate networks to intercept user communications.
Stakes Differential
▼The higher consequences of OT security failures compared to IT security failures, including potential safety hazards and environmental damage.
Standard
▼Voluntary guidelines and best practices developed by organizations like ISO, ISA, IEC, IEEE, and NIST that provide recommendations for designing, implementing, and securing systems. Compliance with standards is optional but demonstrates due diligence.
Standards vs. Regulations
▼The distinction between voluntary best practices (standards) and mandatory requirements with enforcement mechanisms (regulations).
Starlink
▼Modern satellite internet constellation providing global broadband coverage using advanced VSAT technology.
Stuxnet
▼Sophisticated malware campaign targeting Siemens industrial control systems, particularly uranium enrichment centrifuges, demonstrating the first widely-documented cyber weapon designed for physical destruction.
Subdomain
▼A subdivision of a larger domain name, typically used to organize different services or sections of a website (e.g., mail.example.com).
Supervisory Control
▼High-level monitoring and control performed from a central location (such as a control room) over multiple field controllers or remote sites, typically via SCADA systems.
Supply Chain Attack
▼Cyber attack method targeting less-secure elements in the supply chain to gain access to primary targets, including compromising software or hardware during development or manufacturing processes.
Suspicious Activity
▼Any unusual behavior or activity that could indicate security threats, including both malicious actions and innocent mistakes.
Syncom
▼NASA's first geosynchronous satellite communication system (Syncom 1-3) that transmitted 1964 Olympics coverage.
System
▼In the context of ICS, all the supporting infrastructure that allows industrial control to operate, including sensors, actuators, networks, protection devices, and communication systems.
System Twin
▼A digital twin that models larger, complex environments such as entire facilities or interconnected processes, enabling analysis and optimization at a systems level.
Systems Integrator
▼A company responsible for combining components from multiple OEM vendors into a complete, functioning control system by programming controllers, building networks, creating HMIs, and conducting acceptance testing.
T
Tabletop Exercise
▼A discussion-based exercise that simulates security incidents or emergencies in a low-risk environment, allowing teams to practice response procedures and identify gaps in preparedness without impacting operational systems.
Tactics
▼High-level objectives or organizational categories that represent the strategic goals that attackers pursue during their campaigns against industrial systems. In the MITRE ATT&CK framework, tactics serve as the primary organizational structure.
Tag Database
▼The configuration system that maps field device addresses to HMI display elements, including scaling parameters, alarm limits, and display characteristics.
Tailgating
▼The practice of unauthorized individuals following authorized personnel through secure entrances without proper authentication.
TCP Dump
▼A command-line packet analyzer that enables capture and analysis of network traffic with better performance characteristics than GUI-based tools for high-volume industrial networks.
TCP/UDP Ports
▼Communication endpoints that allow different network services to operate on the same system, identified by numerical values (e.g., port 80 for HTTP, port 502 for Modbus).
TCPDump
▼Lightweight command-line packet capture utility suitable for resource-constrained deployments.
TeamViewer
▼Legitimate remote access software that can be misused by attackers to maintain persistent access to compromised systems.
Technical Limitations
▼The constraints in OT environments that prevent many automated security approaches used in IT systems, requiring greater human involvement.
Techniques
▼The specific methods or approaches that adversaries employ to achieve their tactical objectives. Each tactic in the MITRE ATT&CK framework contains multiple techniques that represent different ways of accomplishing the same strategic goal.
Technology and Vulnerability Drift
▼The natural process by which secure systems become vulnerable over time as new attack techniques emerge, operating systems evolve, and security configurations appropriate for older systems become inadequate for newer environments.
Telemetry
▼Automated remote measurement and transmission of data from distant sources to receiving equipment for monitoring purposes.
Ten-Foot Rule
▼Security awareness practice of acknowledging and greeting unknown individuals within ten feet, making eye contact, and asking helpful questions about their purpose and authorization.
Testing
▼The activity of identifying vulnerabilities, software bugs, or security flaws in systems, typically using either automated tools or manual approaches. Testing is exploratory in nature, looking for unknown problems.
Third Line of Defense
▼Independent assurance functions, typically internal audit teams, that provide independent validation of security controls and report directly to executive leadership and boards of directors.
Third-Party Provider
▼External companies that provide communication services, creating dependencies that must be managed in industrial applications.
Threat
▼Potential source of danger or harm to organizational assets, including malicious actors, natural disasters, system failures, or human errors that could exploit vulnerabilities.
Threat Actor
▼Individual, group, or organization responsible for cyber attacks, ranging from individual hackers to sophisticated nation-state sponsored groups with varying motivations and capabilities.
Three Lines of Defense
▼Governance model identifying operational management (first line), risk management/compliance (second line), and independent assurance/audit (third line) as distinct roles in organizational risk management.
Three-Phase Strategic Approach
▼A methodical testing progression that begins with external penetration testing, progresses to internal penetration testing, and concludes with ICS vulnerability assessment, mirroring real-world attack patterns.
Three-Phase Testing Approach
▼A systematic methodology for OT security testing that progresses from external penetration testing to internal penetration testing to ICS vulnerability assessment.
Three-Stage Process
▼Specific sequence of steps required for Wi-Fi connection establishment, each with distinct security implications.
Three-State Connection Model
▼Wi-Fi connection framework progressing through unauthenticated/unassociated, authenticated/unassociated, and authenticated/associated states.
Throwing Star
▼An unpowered network tap device that provides passive network monitoring capability without requiring external power sources.
Top-Down Testing Approach
▼A methodology for ICS vulnerability assessment that starts with systems at the highest level of network architecture and works down toward field devices, following the same path external attackers would take.
Traffic Light Optimization
▼An example of OT efficiency where sensors and algorithms dynamically adjust signal timing based on real-time traffic conditions and historical patterns.
Transceiver
▼Combined transmitter and receiver component in VSAT outdoor unit for bidirectional satellite communication.
Transitory Cyber Assets
▼Portable devices such as laptops, smartphones, USB drives, and tablets that can be brought into operational environments from external networks, potentially carrying malware infections.
Transmitter
▼A device within sensors that converts physical measurements into standardized electrical signals for transmission to control systems.
TShark
▼A command-line network protocol analyzer that can be used to capture and analyze network traffic. In industrial environments, TShark can help attackers understand communication patterns and identify valuable information transmitted over the network.
TTP (Tactics, Techniques, and Procedures)
▼Behavioral patterns and methods used by threat actors to plan, execute, and sustain cyber attacks, providing insights for defensive planning and threat hunting.
TTPs (Tactics, Techniques, and Procedures)
▼The behavior patterns used by adversaries in cyber attacks, described in frameworks like MITRE ATT&CK.
Tunnel Ownership
▼The principle that organizations should control both ends of encrypted communication tunnels to maintain security.
U
Unauthorized Changes
▼Modifications to OT systems or processes that have not been approved through proper channels, potentially creating security or safety risks.
Unlicensed Spectrum
▼Radio frequency bands (900 MHz, 2.4 GHz, 5.6 GHz, 6 GHz) available for public use without requiring specific authorization, similar to private IP address ranges in networking.
Unlicensed Wireless System
▼A wireless communication system that operates in frequency bands designated for general use without requiring specific government licenses, typically using spread spectrum technology.
Unmanaged Network
▼A network built from basic layer 2 switches with no configuration logic; the switches simply forward traffic to the intended ports.
Upstream
▼In the oil and gas industry, the exploration and production phases, which can occur offshore or onshore.
USB (Universal Serial Bus)
▼A standard interface for connecting devices to computers, commonly exploited in attacks due to automatic device recognition and trust relationships.
V
Verification
▼A security discipline focused on confirming that security specifications and controls have been properly implemented, typically involving code reviews, configuration audits, or formal inspections against established standards.
VLAN (Virtual Local Area Network)
▼A network segmentation technology that allows logical separation of network traffic while using the same physical infrastructure.
VLAN Tagging
▼Virtual Local Area Network segmentation technique using identifier tags to separate different types of network traffic on shared infrastructure.
Volatile Memory
▼Memory that loses stored information when power is removed, used for high-speed program execution and real-time data processing in PLCs.
VPN (Virtual Private Network)
▼A secure connection that encrypts data transmitted over an insecure network, providing privacy and security for wireless communications.
VPN Acceleration
▼Compression and optimization techniques improving virtual private network performance over high-latency connections like satellite links.
VSAT (Very Small Aperture Terminal)
▼A satellite communication technology that uses relatively small satellite dishes (typically less than 3 meters) to provide communication capabilities.
Vulnerability
▼Weakness, flaw, or deficiency in system design, implementation, or configuration that could be exploited by threats to cause harm to organizational operations or assets.
Vulnerability Assessment
▼A systematic approach to identifying security defects in systems and opportunities to improve security configurations, typically using automated tools and manual techniques to catalog potential security issues.
Vulnerability Scanner
▼Software that combines port scanning with vulnerability database correlation to identify specific security weaknesses, but which can be disruptive to industrial control systems.
VxWorks
▼A real-time operating system commonly used in embedded industrial control devices.
W
War Dialing
▼An attack technique that systematically dials phone numbers to identify modems and other remote access systems that could provide unauthorized network access.
War Driving
▼The practice of searching for wireless networks while moving in a vehicle, bicycle, or on foot. This technique enables comprehensive coverage of large facilities and helps map the geographic distribution of wireless signals.
Waste Reduction
▼The ability of OT systems to identify and eliminate sources of waste through continuous monitoring and process optimization.
Water Treatment Facility
▼Critical infrastructure that uses OT systems to monitor water quality, control treatment processes, and ensure safe drinking water for communities.
WEP (Wired Equivalent Privacy)
▼An obsolete wireless security protocol that provides weak encryption and is easily compromised.
White Box Testing
▼Penetration testing approach where organizations provide comprehensive information about target environments to reduce safety risks while enabling deeper security evaluation.
Wi-Fi Alliance
▼Nonprofit organization formed in 1999 to maintain wireless networking standards and ensure interoperability between vendors.
Wi-Fi Pineapple
▼A wireless attack platform that clones legitimate wireless access points to capture user credentials and communications through man-in-the-middle techniques.
Wi-Fi Protected Access (WPA)
▼Security protocol developed as WEP replacement but quickly compromised, leading to WPA2 development.
Wi-Fi Protected Access (WPA/WPA2/WPA3)
▼Security protocols designed to secure wireless networks. WPA3 represents the current standard with enhanced encryption and security features, while earlier versions (WPA, WPA2) have known vulnerabilities that make them less suitable for security-sensitive environments.
Wi-Fi Protected Setup (WPS)
▼A network security standard designed to simplify the connection of devices to wireless networks. While convenient, WPS has known security vulnerabilities that make it unsuitable for long-term wireless security in industrial environments.
Wi-Spy
▼A commercially available USB spectrum analyzer device from MetaGeek that enables RF spectrum analysis when connected to laptop computers.
WiFi Pineapple
▼A wireless audit platform used for network penetration testing and security research, capable of conducting various wireless attacks including SSID cloning and client exploitation.
Wired Equivalent Privacy (WEP)
▼An early wireless security protocol that has been deprecated due to significant security vulnerabilities. Often referred to as "Welcome Everyone to the Party" due to its ease of exploitation.
Wireless Audit
▼A specialized security assessment that identifies and evaluates all wireless technologies deployed in industrial environments, including Wi-Fi, spread spectrum communications, and wireless I/O systems.
Wireless Fidelity
▼Original name for Wi-Fi technology before abbreviation, emphasizing the goal of reliable wireless networking.
Wireless HART
▼A wireless mesh network communication protocol designed for process automation applications. Built on the proven HART protocol foundation, it enables wireless communication between field devices and control systems using 802.15.4 radio technology.
Wireless I/O
▼Industrial wireless communication systems used to connect remote sensors and actuators to control systems, often using protocols like ISA100.11a or proprietary RF systems.
Wireless Man-in-the-Middle
▼Specific attack technique targeting wireless communications to intercept and potentially modify data transmissions.
Wireless Sensor Network
▼A network of sensors and/or actuators that communicate via wireless protocols rather than hardwired connections, reducing installation costs for distributed devices.
WirelessHART
▼The first industry standard for wireless communications in industrial control systems, developed by the HART Communication Foundation to extend wired HART protocol capabilities to wireless applications.
Wireshark
▼A network protocol analyzer that allows users to capture and analyze network traffic in real-time. In industrial cybersecurity, Wireshark can be used both by attackers to understand network communications and by defenders to monitor network activity.
WPA (Wi-Fi Protected Access)
▼A security protocol for wireless networks, with WPA, WPA2, and WPA3 representing successive generations of improved security.
WPA/WPA2 (WiFi Protected Access)
▼Wireless security protocols that replaced WEP, providing stronger encryption and authentication mechanisms for wireless networks.
WPS (Wi-Fi Protected Setup)
▼A network security standard that allows easy establishment of secure wireless connections, though it has known vulnerabilities.
X
XM Radio
▼Example of receive-only satellite service delivering audio content to mobile receivers in vehicles.
Y
Yagi Antenna
▼A directional antenna that provides focused signal transmission and reception in a specific direction, typically used in point-to-point wireless communications requiring long range.
Jasager
▼Early wireless attack platform based on modified router firmware, predecessor to more advanced tools like the WiFi Pineapple.
Z
Zero Day
▼A vulnerability in software or hardware that is unknown to the vendor and for which no patch or fix is available.
Zero-Day Exploit
▼Attack that takes advantage of previously unknown vulnerabilities for which no patches or protective measures exist, providing attackers temporary advantage before defenses can be developed.
Zero-Install
▼Portable software versions that run without permanent installation, though they may still require system modifications.
Zero-Knowledge Testing Approach
▼A penetration testing methodology where testing teams receive only basic information like company name and domain, with no network diagrams or insider knowledge, mirroring how real attackers would approach the target.
Zigbee
▼A wireless communication standard based on 802.15.4 that enables low-power, low-data-rate communication between devices in a mesh network topology. Commonly used in industrial sensor networks, smart lighting systems, and IoT applications due to its low power consumption and self-healing network capabilities.
Zone
▼In the Purdue Model, a defined security area where devices with similar trust levels, functions, and security requirements reside. Zones are separated by controlled conduits.

Copyright © 2025
