Terminology
0-9
1G
First Generation cellular technology, the original analog mobile phone standard that preceded digital cellular networks.
3DES
Triple Data Encryption Standard - symmetric encryption algorithm that applies the DES cipher three times to each data block. Commonly used in VSAT and cellular networks for secure data transmission, though now considered legacy encryption.
3GPP
3rd Generation Partnership Project - standards organization responsible for developing specifications for cellular technology, including 4G LTE and 5G networks.
4 to 20 milliamps
Standard analog signal range in industrial instrumentation where 4 mA represents the low end of the measurement range and 20 mA the high end. The 4 mA "live zero" distinguishes a genuine low reading from a complete system failure (0 mA indicates a wire break or power loss).
5G
Fifth Generation cellular network technology providing higher speeds, lower latency, and greater device density than previous generations. Increasingly relevant for industrial IoT applications.
802.11
IEEE standard family defining Wi-Fi wireless networking protocols, including variants 802.11a/b/g/n/ac/ax/be representing different generations and capabilities.
802.11a
Wi-Fi standard operating on the 5.6 GHz frequency band providing 54 Mbps data rates. Early high-frequency implementation with shorter range than 2.4 GHz alternatives.
802.11b
Wi-Fi standard operating on the 2.4 GHz frequency band with lower initial data rates than 802.11a but better range characteristics, leading to widespread adoption.
802.11g
Wi-Fi standard providing backward compatibility with 802.11b while achieving 54 Mbps data rates on the 2.4 GHz band.
802.11i
IEEE security standard introduced June 2004 that formed the foundation for WPA2, implementing AES 256-bit encryption and RADIUS server integration.
802.11n
Wi-Fi standard providing significantly higher data rates through MIMO (multiple antenna) technology and improved signal processing.
802.15.4
IEEE standard defining physical and MAC layers for low-rate wireless personal area networks. Foundation for Zigbee, WirelessHART, and ISA-100 industrial protocols.
A
ABB
Asea Brown Boveri - major industrial automation and power technology company providing control systems, drives, and instrumentation for industrial applications.
Access Point (AP)
Networking device that bridges wireless clients to wired networks, managing authentication, encryption, and data forwarding between Wi-Fi devices and Ethernet infrastructure.
Access Protocols
Established procedures for authenticating and authorizing access to OT systems, including credential management policies and restrictions on credential sharing.
ACK
Acknowledgment frames sent by receiving devices in Wi-Fi communications to confirm successful packet receipt, enabling reliable data transmission.
Active Testing
Security testing methods involving sending probe traffic or attempting exploits that could disrupt operations. Generally inappropriate for live OT environments due to availability requirements.
Actuator
Device that converts control signals into physical action such as opening valves, starting pumps, or adjusting motor speed. The mechanism by which control systems affect the physical world.
Address Resolution Protocol (ARP)
Network protocol mapping IP addresses to MAC addresses. ARP tables can be passively read during assessments to identify connected devices without generating disruptive traffic.
Advanced Encryption Standard (AES)
Modern symmetric encryption standard available in 128-bit and 256-bit key lengths. Current best practice for securing wireless and network communications, replacing older DES and 3DES algorithms.
Advanced Metering Infrastructure (AMI)
Two-way communication systems enabling utilities to remotely read meters, manage customer services, and implement demand response. Foundation of smart grid operations.
Advanced Persistent Threat (APT)
Sophisticated, long-term cyber attack campaigns typically conducted by nation-state actors or advanced criminal groups. Characterized by extended dwell time, advanced techniques, and specific strategic objectives.
AESO
Alberta Electric System Operator - organization responsible for electrical grid operations in Alberta, Canada, with its own critical infrastructure protection requirements.
AESO CIP
Alberta Electric System Operator Critical Infrastructure Protection - regional adaptation of NERC CIP standards for the Alberta electrical system.
Air Gap
Physical network isolation from unsecured networks including the Internet. True air-gapping is nearly impossible in practice due to maintenance requirements, remote access needs, and operational dependencies.
Aircrack-ng
Suite of tools for auditing wireless network security, capable of monitoring, testing, and analyzing wireless encryption weaknesses. Used in security assessments and penetration testing.
Analog Input
Continuous variable measurement from sensors providing numerical values rather than binary states. Examples include temperature (0-500°F), pressure (0-150 PSI), or flow rate (0-1000 GPM).
Analog Output
Variable control command specifying precise positions or percentages, such as commanding a valve to 75% open or a motor to 1850 RPM. Enables fine-grained process control.
API
Application Programming Interface - standardized methods for software components to communicate. In OT contexts, APIs enable integration between control systems and business applications.
Application Service Provider (ASP)
Cloud-based service model where SCADA and industrial applications are hosted remotely and accessed through communication links rather than installed on-site. Introduces dependency on third-party providers.
ARP Scanner
Network tool that passively reads Address Resolution Protocol tables to identify active devices without directly interrogating systems, making it suitable for OT environments.
Asset Operator
Organization responsible for daily operation and maintenance of industrial facilities. May be the same entity as the owner or a contracted company.
Asset Owner
Organization owning an industrial facility and bearing ultimate responsibility for operation, maintenance, and regulatory compliance. May contract operations to another company.
Association Request/Response
Wi-Fi frame types used during connection establishment to negotiate parameters between client devices and access points, including supported data rates and security settings.
Assumed Breach Scenario
Common penetration testing approach providing testers with initial IT network access to simulate the post-compromise state following successful phishing or other initial intrusion.
Assurance
Security discipline ensuring controls are effective and policies are properly implemented organization-wide. Requires mature governance and established standards. See also: Three Lines of Defense.
Attack Surface
Collection of systems, ports, applications, and services exposed to potential attackers, particularly those accessible from the internet or external networks.
Attack Vector
Any pathway or method attackers can use to compromise systems, including software installations, network connections, device interfaces, and supply chain components.
Auto-run
Windows feature that automatically executes programs when removable media is inserted. Historically exploited by malware, now typically disabled for security. Legacy systems may still have this enabled.
Automatic Meter Reading (AMR)
Earlier generation smart metering enabling one-way communication from customer meters to utilities, typically via drive-by collection, telephone, or power line carriers. Predecessor to AMI.
Automation
Process of rendering physical systems self-moving and self-controlling to minimize human intervention. Requires inputs (sensors), control logic (controllers), and outputs (actuators) in continuous loops.
Autonomous System Number (ASN)
Unique number assigned to autonomous systems on the internet, used to identify network ownership and routing information during reconnaissance activities.
Availability
In security contexts, ensuring systems and data are accessible when needed. In OT environments, availability is the top priority because process disruptions have safety and operational consequences. See also: CIA Triad.
B
Backdoor
Method of bypassing normal authentication or security mechanisms to gain unauthorized access. Used by attackers to maintain persistent access after initial compromise.
Backplane
Flat circuit board in PLCs containing slots for functional modules, similar to expansion slots in computers but designed for industrial environments with ruggedized connectors.
BACnet
Building Automation and Control Network - specialized protocol for building automation systems, HVAC control, and utility management supporting multiple communication media.
Bad USB
Category of USB-based attacks exploiting trust between USB devices and host systems, typically involving HID device impersonation to execute malicious commands.
Badge Sharing
Security violation where access credentials are shared between individuals, creating accountability gaps and access control bypasses.
Baggage Handling System
Highly automated airport systems using conveyor belts, tracking, and flight integration to sort, store, and route luggage to the correct aircraft.
Baud Rate
Serial communication speed measured in bits per second. Common industrial rates include 9600, 19200, and 38400 baud. A mismatch between devices prevents communication.
Beacon Frame
Periodic broadcast from Wi-Fi access points containing network information including SSID, security settings, and connection parameters. Enables client devices to discover available networks.
Bidirectional Communication
Two-way satellite communication enabling both data transmission and reception, contrasting with receive-only broadcast systems like satellite TV.
Black Box Testing
Penetration testing where testers have no prior system knowledge, most closely simulating external attacks but carrying higher operational risks in control systems.
Blue Team
Team responsible for defending environments during red team exercises. Typically unaware of specific timing, methods, or targets, creating realistic testing conditions.
Bluetooth
Short-range wireless technology originally designed to replace RS-232 serial cables. Available in Enhanced Data Rate (EDR) and Low Energy (BLE) variants.
Branch Office Backup
Use of VSAT as secondary communication when primary links (MPLS, landlines) fail, ensuring continuous connectivity for remote locations.
Breach Data
Information stolen from compromised systems including usernames, passwords, and personal data. Often available through dark web markets or public breach disclosures.
Bridge
Device connecting different network types, such as converting Zigbee communications to Wi-Fi or Ethernet, enabling protocol translation and network integration.
Brownfield Installation
Integration of new technology into existing operational industrial systems already deployed in the field. Contrasts with greenfield installations of entirely new facilities.
Building Automation System (BAS)
Integrated systems controlling building services including HVAC, lighting, fire safety, and security. A specialized type of industrial control system.
Bump Key
Specially cut key used during covert entry that can open many locks of the same type through impact techniques. Used in physical security assessments and by criminals.
Burden of Proof
Penetration testing responsibility to document every step through screenshots, logs, and detailed descriptions. Provides defending teams with clear remediation roadmaps.
Bus Network
Communication system allowing multiple instruments to share a common trunk, reducing wiring and enabling enhanced device capabilities through digital communication.
Business Analysis
Systematic examination of operations, revenue sources, competitive advantages, and strategic vulnerabilities to understand why organizations might be targeted and which systems are most critical.
C
Capacitor
Electronic component storing electrical energy. In Kill USB devices, capacitors accumulate and amplify USB port power to destructive levels.
CCTV
Closed-Circuit Television - video surveillance systems used for physical security monitoring and incident investigation.
Cellular Modem
Device using cellular network infrastructure for wireless communication, increasingly embedded directly into industrial equipment like PLCs and RTUs.
Center Channel
Primary frequency used by direct sequence spread spectrum systems, such as Wi-Fi channels 1, 6, or 11 in the 2.4 GHz band.
CFATS
Chemical Facility Anti-Terrorism Standards - DHS regulations governing chemical industry cybersecurity requirements and physical security measures.
Channel Encoder
Component applying spreading codes to data before transmission, enabling spread spectrum communication by distributing signal energy across multiple frequencies.
CIA Triad
Confidentiality, Integrity, Availability - the three pillars of cybersecurity. OT systems prioritize Availability and Integrity over Confidentiality due to safety and operational requirements.
CIDR Notation
Method for describing IP address ranges using slash notation (e.g., /8, /16, /24) to indicate subnet masks. Foundational for configuring routing on IP networks.
CIP
Critical Infrastructure Protection - standards and regulations designed to protect essential infrastructure systems from cyber and physical threats.
CISA
Cybersecurity and Infrastructure Security Agency - U.S. federal agency providing cybersecurity guidance, threat intelligence, and incident response support for critical infrastructure.
Client-Server
Communication model where only designated clients initiate transactions, with servers responding to requests but not initiating communication independently. Common in SCADA polling architectures.
Coast Guard Site
Critical infrastructure facilities subject to specific federal reporting requirements when security breaches occur, requiring multi-agency notification within strict timeframes.
Coax Cable
Coaxial cable used in VSAT installations to carry RF signals between outdoor and indoor units with minimal signal loss.
Command and Control (C2)
Infrastructure used by attackers to communicate with compromised systems, issue commands, and exfiltrate data. Typically uses encrypted channels to evade detection.
Commercial-Off-The-Shelf (COTS)
Ready-made technology products available for purchase rather than custom-developed solutions. COTS components in OT systems may carry security vulnerabilities because they were designed for IT environments.
Common Vulnerability Scoring System (CVSS)
Standardized method for ranking vulnerability severity on a 0-10 scale. Helps organizations prioritize remediation efforts to address the greatest risk in the shortest time. Critical vulnerabilities score 9.0-10.0.
Communication Protocols
Standardized rules and conventions defining how data is transmitted and received over networks, ensuring different devices and systems can interoperate effectively.
Compensating Controls
Alternative security measures providing protection when standard controls cannot be implemented, such as physical security for shared operator credentials.
Compliance Violation
Action or failure violating regulatory requirements, potentially resulting in fines, reputational damage, or operational restrictions.
Component Twin
Most basic digital twin type modeling single components (engines, transmissions, sensors) to understand fundamental operation and test concepts.
Conduit
In the Purdue Model, a controlled communication pathway between security zones managing and restricting information flow according to security policies.
Configuration Analysis
Process of examining exported device settings and operational parameters to identify security misconfigurations, weak authentication, and inadequate access controls.
Connection Establishment
Multi-stage process by which Wi-Fi devices authenticate and establish communication with access points or other devices, involving scanning, authentication, and association.
Control Systems Network
Operational technology (OT) network containing industrial control systems, PLCs, HMIs, and other devices monitoring and controlling physical processes.
Controller
Decision-making component receiving inputs, processing them according to programmed logic, and sending commands to outputs. Examples include PLCs and DCS controllers.
Convergence
Increasing integration of physical and digital worlds, creating new OT capabilities but also increasing vulnerability to cyber attacks through expanded attack surfaces.
CPU
Central Processing Unit - in OT contexts, typically refers to processor modules in PLCs and controllers that execute control logic, manage I/O, and handle communications. Distinct from general-purpose IT CPUs in design and real-time requirements.
Credential Separation
Practice of using different usernames and passwords for IT and OT systems to prevent lateral movement between environments following credential compromise.
Credential Stuffing
Attack method testing stolen username/password combinations against multiple systems to gain unauthorized access, exploiting password reuse across services.
Critical Cyber Asset
In NERC CIP terminology, any device with a routable interface requiring specific physical security protections including "six walls of protection" and access monitoring.
Critical Infrastructure
Systems and assets whose disruption would significantly impact national security, economic security, public health, or safety. Includes the energy, water, transportation, and healthcare sectors.
Crown Jewels
Most critical assets in an environment. In OT systems, typically control devices at IEC 62443 Levels 3, 2, 1, and 0 that directly control industrial processes.
CVE
Common Vulnerabilities and Exposures - standardized identifiers for publicly disclosed cybersecurity vulnerabilities, enabling consistent vulnerability tracking and management.
CVSS Score
Common Vulnerability Scoring System score ranging from 0-10 indicating vulnerability severity. Scores 9.0-10.0 are critical, 7.0-8.9 high, 4.0-6.9 medium, 0.1-3.9 low.
Cyber Attack
Deliberate, malicious action to compromise, disrupt, or damage computer systems, networks, or data through various techniques and tools.
Cyber Breach
Successful penetration of security defenses resulting in unauthorized access to systems, data, or networks by threat actors.
Cyber Event
Any occurrence in cyberspace potentially impacting organizational operations, ranging from benign network activity to serious security incidents.
Cyber Incident
Cyber event with actual or potentially adverse effects on organizational systems, operations, or assets requiring response and investigation.
Cyber Kill Chain
Model describing attack stages from initial reconnaissance through objective achievement, used for threat analysis and defensive planning. See also: MITRE ATT&CK.
D
D/A Conversion
Digital-to-Analog conversion - process of converting digital values from controller memory into analog signals that drive field devices like valve actuators and variable speed drives.
Data Historian
Specialized system receiving and storing process data from controllers for long-term trending, analysis, and regulatory compliance. Provides time-series data storage optimized for industrial applications.
dd
Unix/Linux command-line utility for low-level copying and conversion of raw data. In forensics and incident response, used to create bit-for-bit copies of hard drives preserving all data including deleted files and slack space.
De-authentication Frames
Wi-Fi management frames used to disconnect devices from networks. Often exploited in attacks to force clients to reconnect and expose credentials.
DEFCON
Defensive Computing Conference - annual hacker convention showcasing security research, vulnerabilities, and attack techniques.
Defense in Depth
Security strategy using multiple layers of controls to protect systems, acknowledging that no single control is perfect. Each layer provides backup if others fail.
Demilitarized Zone (DMZ)
Network segment between internal networks and external networks providing controlled access between security zones. In the Purdue Model, Level 3.5 serves as the DMZ between OT and IT networks.
Denial of Service (DoS)
Attack overwhelming systems with excessive requests or traffic, making them unavailable to legitimate users. Particularly dangerous in OT environments where availability is critical.
DES
Data Encryption Standard - obsolete symmetric encryption algorithm, predecessor to 3DES and AES. No longer considered secure but still found in legacy OT systems.
Device ID
Unique identifier (1-247 in Modbus) specifying which field device should respond to protocol messages, enabling master-slave communication on shared networks.
DHCP
Dynamic Host Configuration Protocol - network service automatically assigning IP addresses to devices. May be disabled in OT environments preferring static addressing for predictability.
DHS
Department of Homeland Security - U.S. federal agency responsible for critical infrastructure protection, including cybersecurity standards and incident response coordination.
Digital Input
Binary input to control systems with only two states: on or off, open or closed, true or false. Examples include limit switches, float switches, and contact closures.
Digital Output
Binary command from a controller turning devices on or off, such as starting pumps or opening valves fully. Contrasts with analog outputs providing variable control.
Digital Twin
Virtual model of a physical process, component, or system using computational mathematics to replicate real-world operation. Enables testing, training, optimization, and anomaly detection without affecting actual operations. See also: Component Twin, Product Twin, Process Twin, System Twin.
DIN Rail
Standardized metal mounting rail used throughout industrial automation for mounting PLCs, power supplies, terminal blocks, and other control equipment. Defined by DIN (German standards) specifications.
Direct Sequence Spread Spectrum (DSSS)
Modulation technique spreading data across multiple frequencies simultaneously using pseudorandom codes. Provides interference resistance and security. Used by Wi-Fi and ISA-100 systems.
DirecTV
Example of the publisher-subscriber VSAT model using bundled antennas for broadcast television content distribution, demonstrating one-way satellite communication.
Discovery Phase
Attack stage where adversaries map control systems and assets after gaining initial network access. Involves identifying systems, configurations, and relationships before proceeding to impact operations.
Distributed Component Object Model (DCOM)
Microsoft technology forming the foundation for original OPC implementations. Created significant firewall challenges due to random port usage, addressed by OPC UA.
Distributed Control System (DCS)
Highly integrated, redundant control system for complex processes within a single geographical facility. Features primary and backup controllers and redundant networking. Common in refineries, chemical plants, and power generation.
Distributed Network Protocol (DNP3)
Communication protocol developed for North American utility applications, enabling SCADA master stations to communicate with field RTUs and IEDs. Widely used in electrical and water utilities.
Distribution Management System (DMS)
Specialized SCADA system for managing electrical power distribution at lower voltages to neighborhoods and customers, stepping down from transmission levels.
DNS
Domain Name System - internet system translating domain names to IP addresses. DNS reconnaissance reveals organizational infrastructure and potential attack targets.
DNS Dumpster
Tool performing DNS reconnaissance to discover subdomains, IP addresses, and network information associated with target domains during security assessments.
Do Not Touch List
Critical component of the rules of engagement identifying systems that should never be tested due to operational importance. Could cause enormous financial loss or disruption if unavailable even briefly.
Document and Media Exploitation (DOMEX)
Process of searching for, collecting, and analyzing specific documents, files, and information during red team exercises to achieve intelligence objectives or demonstrate access to sensitive systems.
Downstream
In the oil and gas industry, processing and refining of raw materials into products like gasoline and plastics, and their distribution to end customers.
Dual Homed Infrastructure
Network architecture where systems connect to multiple networks simultaneously, creating potential security vulnerabilities requiring careful management to prevent unintended bridging.
Dwell Time
Period during which cyber attacks remain undetected while making subtle changes, often weeks or months rather than causing immediate obvious failures.
E
EAP-TLS
Extensible Authentication Protocol-Transport Layer Security - certificate-based authentication method providing strong security for wireless networks through mutual authentication.
Early Bird
Nickname for Intelsat I, the first commercial communications satellite, launched April 6, 1965, marking the beginning of the commercial satellite communications era.
East-West Traffic
Network communications between devices or segments within the same network zone, common in industrial control system communications. Contrasts with North-South traffic.
EDR
Endpoint Detection and Response - security monitoring software for individual devices providing threat detection, investigation, and response capabilities.
EEPROM
Electrically Erasable Programmable Read-Only Memory - non-volatile memory in PLCs storing critical system firmware and retaining programs/data during power outages.
Embedded Device
Specialized computer system designed for specific applications, running minimalistic operating systems purpose-built for particular functions rather than general computing.
Emissions Control
OT systems monitoring and automatically adjusting industrial processes to maintain emissions within regulatory limits while optimizing operational efficiency.
EMS
Energy Management System - software applications used by electric utilities to monitor, control, and optimize generation and transmission system performance in real-time.
Encryption Methods
Various security protocols protecting Wi-Fi communications, evolving over time to address discovered vulnerabilities. Current best practice is WPA3 with AES encryption.
Energy Grid
Interconnected network of power generation, transmission, and distribution systems delivering electricity to consumers, requiring precise real-time balancing of supply and demand.
Energy Management System (EMS)
Specialized SCADA system for monitoring and controlling high-voltage electrical transmission systems, typically managing remote substations from centralized control centers.
Engineering Unit Scaling
Process of converting raw digital values from controllers into meaningful physical units (feet, PSI, percentage) that operators can understand and use.
Engineering Workstation
Specialized computers providing configuration and programming capabilities for control systems, including control logic development, HMI graphics creation, and system commissioning.
Enhanced Data rates for GSM Evolution (EDGE)
Enhanced version of GSM technology providing improved data transmission capabilities over second-generation cellular networks.
ENISA
European Union Agency for Cybersecurity - EU authority providing guidance and standards for critical infrastructure protection across member states.
Environment
In ICS contexts, the physical process being controlled, such as manufacturing, chemical blending, or power generation. The real-world system that control systems interact with.
Environmental Protection
Use of operational technology to minimize environmental impacts through precise control of emissions, waste generation, and resource consumption.
EPA
Environmental Protection Agency - U.S. federal agency responsible for environmental protection and regulation enforcement, including industrial facility oversight.
EPC
Engineering, Procurement, and Construction - project delivery method for industrial facilities where a single contractor handles design, equipment procurement, and construction.
ERP
Enterprise Resource Planning - integrated business management software handling financials, supply chain, manufacturing, and human resources across organizations.
eSIM
Embedded Subscriber Identity Module - programmable SIM card technology enabling remote provisioning and management of cellular connections without physical card swapping.
EtherNet/IP
Industrial protocol running automation applications over standard Ethernet networks, developed by Rockwell Automation and managed by ODVA.
Evil Twin
Wireless attack technique where attackers create malicious access points impersonating legitimate ones to intercept user communications and credentials.
Exploit
Code or technique taking advantage of vulnerabilities to cause unintended system behavior. Exploits are not inherently malicious but become dangerous through their payloads.
External Penetration Testing
Method of attacking system security from external or public sources using an attacker's mindset, framework, and tools, with no insider knowledge of the target environment.
External Testing
Penetration testing conducted from outside the organization's network perimeter, typically from the internet, focusing on reconnaissance and exposed systems.
F
FAA
Federal Aviation Administration - U.S. aviation regulatory body overseeing commercial aviation safety including cybersecurity requirements for aircraft and air traffic control systems.
Factory Acceptance Test (FAT)
Testing process conducted at vendor facilities to verify systems meet specifications before delivery to customer sites. Should include cybersecurity testing before deployment.
FCC
Federal Communications Commission - U.S. federal agency regulating radio communications and managing spectrum allocations for licensed and unlicensed wireless systems.
FDA
Food and Drug Administration - U.S. pharmaceutical and medical device regulatory body with cybersecurity requirements for medical manufacturing and device security.
Fear, Uncertainty, and Doubt (FUD)
Strategy spreading negative or misleading information about security threats to influence decision-making or sell products. Common in security vendor marketing.
Federal Communications Commission (FCC)
United States regulatory agency managing and licensing radio frequency spectrum allocations for all wireless communications.
FERC
Federal Energy Regulatory Commission - federal agency regulating interstate energy markets and approving reliability standards for the electrical grid.
Field Device
Industrial control equipment such as PLCs, RTUs, and smart instrumentation directly interfacing with physical processes and equipment.
First Line of Defense
Operational management teams owning and managing daily operational risks, responsible for implementing security controls. Includes plant engineers, operators, and maintenance personnel. See also: Three Lines of Defense.
Flat-file Database
Database architecture optimized for speed rather than persistence, used in HMI systems for millisecond-level updates while automatically discarding outdated information.
Float Switch
Level-sensing device using a floating component to make or break electrical contact when liquid reaches a certain height, providing a digital input to controllers.
Flow Meter
Sensor measuring the volume of liquid passing through pipes over specific time periods, providing flow rate measurements to control systems.
Footprinting
Comprehensive reconnaissance phase involving both digital and physical intelligence gathering to map target attack surfaces, identify access points, and understand security measures.
Foundation Fieldbus
Digital communication protocol used in industrial automation for connecting field devices to control systems, providing interoperability between vendors.
Frequency Hopping Spread Spectrum (FHSS)
Method of transmitting radio signals by rapidly switching among many frequency channels using pseudorandom sequences known to both transmitter and receiver. Common in 900 MHz industrial radio systems.
FTP
File Transfer Protocol - network protocol for transferring files between systems. Often disabled in secure OT environments due to lack of encryption.
Full Function Device (FFD)
Zigbee device capable of transmitting, receiving, storing, and forwarding data and coordinating network functions, including routing between other devices in mesh networks.
Function Code
Numerical identifier in protocols like Modbus specifying what operation to perform, such as reading coils, writing registers, or controlling devices.
G
Gain
▼In wireless communications, the measure of antenna directivity and signal amplification. High-gain antennas focus energy in specific directions for longer range, while low-gain antennas provide broader coverage patterns.
General Packet Radio Service (GPRS)
▼Packet-based wireless service enabling cellular networks to carry TCP/IP data packets using standard networking protocols, foundation for mobile data services.
Generic Object Oriented Substation Events (GOOSE)
▼High-speed messaging protocol within IEC 61850 enabling protection coordination and fault isolation in electrical substations with 4-millisecond response requirements.
Geosynchronous Orbit
▼Orbit whose period matches Earth's rotation (about 24 hours). Its equatorial special case, the geostationary orbit used by VSAT systems, keeps the satellite at a fixed point in the sky relative to ground stations, so dishes can be fixed-pointed and links stay consistent.
Global Positioning System (GPS)
▼Satellite-based navigation system used in wireless audits to record precise locations of wireless signal detections for mapping coverage areas.
Global System for Mobile Communication (GSM)
▼Original European standard for mobile voice communication that became de facto global standard for 2G cellular networks.
GNU
▼GNU's Not Unix (recursive acronym) - free software project providing Unix-like operating system components. Foundation for Linux operating systems widely used in security tools and embedded systems.
GNU Radio
▼Open-source software development toolkit for implementing software-defined radio systems. Used with Ubuntu Linux and SDR hardware for RF spectrum analysis and wireless protocol research.
GOOSE
▼Generic Object Oriented Substation Events - high-speed messaging protocol for electrical substation protection and control.
GPO
▼Group Policy Object - Windows Active Directory mechanism for centralized configuration management across enterprise networks.
GPS
▼Global Positioning System - satellite-based navigation and timing system.
Gray Box Testing
▼Balanced penetration testing providing sufficient information to ensure safety while maintaining enough unknowns to meaningfully test security controls. Common in control system environments.
GRC
▼Governance, Risk, and Compliance - integrated approach managing organizational governance, risk management, and regulatory compliance requirements.
Greenfield Installation
▼Deployment of new technology in new industrial systems being built from ground up, contrasting with brownfield integration into existing systems.
Ground Rules
▼Fundamental safety and legal principles that must be followed when conducting security testing on operational technology systems.
GSM
▼Global System for Mobile Communication - 2G cellular standard.
GUI
▼Graphical User Interface - visual interface for software applications, such as HMI screens for operators.
H
H2S Sensor
▼Hydrogen sulfide detection device required in certain industrial environments for personnel safety during assessment activities due to toxic gas hazards.
Hardware-Based Threats
▼Malicious capabilities embedded in physical devices like cables or USB devices that compromise systems through hardware rather than software.
HART
▼Highway Addressable Remote Transducer - communication protocol allowing digital communication with field instruments while maintaining 4-20 mA analog compatibility.
HDMI
▼High-Definition Multimedia Interface - digital video/audio interface standard.
Hidden SSID
▼Access point configuration that omits the network name from beacon frames. Provides little security benefit: the SSID still appears in probe requests, probe responses and association frames, so any wireless sniffer learns it as soon as a client connects, and clients configured for a hidden network actively probe for it by name wherever they go.
High-Gain Antenna
▼Antenna focusing radio frequency energy in specific direction, providing increased range and signal strength for point-to-point communications.
Highway Addressable Remote Transducer (HART)
▼Communication protocol enabling digital communication with field instruments while maintaining compatibility with existing 4-20 mA analog systems, enabling device configuration and diagnostics.
HMI
▼Human-Machine Interface - graphical interface allowing operators to monitor processes and interact with control systems, displaying status and accepting operator commands.
Hotspot
▼Physical location where people can access Internet using Wi-Fi technology, often created by mobile devices sharing cellular connections.
HTTP/HTTPS
▼Hypertext Transfer Protocol (Secure) - web communication protocols. HTTPS provides encryption, essential for protecting credentials and sensitive data.
Hub System
▼Ground-based antenna infrastructure managing satellite communications between multiple remote VSAT terminals and terrestrial networks.
Hub-and-Spoke Architecture
▼Network configuration where multiple remote terminals communicate through central hub station, common in VSAT satellite communications.
Human Element
▼Critical role humans play in both causing and preventing OT security incidents, making human awareness and judgment essential security components.
Human Interface Device (HID)
▼USB device class covering keyboards, mice, and similar input devices. Abused by keystroke-injection tools because operating systems trust any device that enumerates as a keyboard without prompting, so injected keystrokes run with the privileges of whoever is logged in.
HUMINT
▼Human Intelligence - intelligence gathered from human sources through interviews, observations, and interpersonal interactions.
HVAC
▼Heating, Ventilation, and Air Conditioning - building climate control systems, often automated through building automation systems.
Hybrid DCS
▼Control systems combining proprietary controllers for real-time process control with standard IT technologies for operator interfaces and business integration.
I
I/O
▼Input/Output - interface between control systems and field devices, including both physical modules and logical addressing.
ICCP
▼Inter-Control Center Communication Protocol - used for exchanging real-time operational data between electrical utility control centers.
ICS
▼Industrial Control Systems - umbrella term for all control systems used in industrial environments, including SCADA, DCS, SIS, and others.
ICS Protocol
▼Communication protocols specifically designed for real-time industrial control requiring low latency and high reliability, such as Modbus, DNP3, and EtherNet/IP. Most were designed without authentication or encryption.
ICS Security Maturity Lifecycle
▼Framework describing typical progression of industrial control system security programs from initial spot checks through control implementation to comprehensive penetration testing validation.
ICS Vulnerability Assessment
▼Methodology to identify, quantify, and rank vulnerabilities within industrial control systems using passive techniques that don't harm target systems, emphasizing collaboration with operational personnel.
IDS
▼Intrusion Detection System - security tools monitoring network or system activities for malicious activities or policy violations, generating alerts for security personnel.
IEC
▼International Electrotechnical Commission - international standards organization developing electrical and electronic technology standards including industrial automation security.
IEC 61131-3
▼International standard defining six programming languages approved for PLC programming, including ladder logic, function block diagrams, and structured text.
IEC 62443
▼Series of standards for industrial automation and control systems security, defining security levels, zones, and technical requirements for secure industrial systems.
IED
▼Intelligent Electronic Device - specialized controllers used exclusively in power industry for high-speed monitoring and protection of electrical power systems.
IEEE
▼Institute of Electrical and Electronics Engineers - technical professional organization and standards body developing networking and electrical standards including 802 series.
IEEE Address
▼64-bit extended address assigned to each Zigbee (IEEE 802.15.4) radio at manufacture and used instead of an IP address. On joining a network each device also receives a 16-bit network (short) address used for routing, which is why a single Zigbee network supports up to 65,535 devices.
Impact Phase
▼Final attack stage where adversaries achieve ultimate objectives, such as disrupting operations, preventing operator response, causing equipment damage, or creating safety hazards.
Incident Response
▼Structured approach to handling and investigating security breaches or cyber attacks in industrial environments, balancing investigation needs with operational continuity.
Indicator(s) of Compromise (IoC)
▼Observable artifacts or behaviors suggesting system compromise by malicious activity, such as unusual network traffic patterns or unauthorized communications.
Indoor Unit (IDU)
▼Interior component of VSAT system containing electronics, power supply, and connection ports for integration with network equipment.
Industrial Automation
▼Broad term for automating processes without human intervention using technological systems including sensors, controllers, actuators, and communication networks.
Industrial Control Systems (ICS)
▼Umbrella term for all control systems used in industrial environments, including SCADA, DCS, SIS, and others. Encompasses software, hardware, controllers, networks monitoring and controlling physical processes.
Information Technology (IT)
▼Systems including computers, servers, databases, and firewalls that process, store, or transmit information. Different security priorities than OT systems.
Initial Compromise
▼First successful attack phase where attackers achieve initial access through internet-based, email-based, physical access, supply chain, or insider threat vectors.
Input
▼Measurement or signal from physical world providing information to controllers, such as temperature, pressure, flow, level, or switch status. Essential for automation because controllers cannot control what they cannot measure.
Input/Output Module
▼Digital devices serving as interface between real-world process conditions and digital control systems, sensing physical conditions and converting them to digital information.
Integrity
▼One of three cybersecurity pillars, ensuring data and systems remain accurate, complete, and trustworthy. In OT environments, second in priority after availability. See also: CIA Triad.
Intellectual Property (IP)
▼Proprietary knowledge about how systems operate. In digital twins, physics models and operational parameters represent valuable IP requiring protection.
Intellectual Property Theft
▼Theft of valuable manufacturing processes and operational techniques through observation and replication, even without accessing written recipes or formulas.
Intelligent Electronic Device (IED)
▼Specialized controllers used exclusively in power industry for high-speed monitoring and protection of electrical power systems with sub-cycle response times.
Intelsat I
▼First commercial communications satellite, also known as Early Bird, launched 1965 marking beginning of commercial satellite communications.
Internal Penetration Testing
▼Method of attacking system security from within network using tools real attackers would use, focusing on validating network segmentation and access controls for users already inside environment.
Internal Testing
▼Penetration testing conducted from within organization's network, often simulating insider threats or compromised internal systems to test lateral movement controls.
Internet Control Message Protocol (ICMP)
▼Network protocol used for diagnostic and error messages, commonly used in ping commands but often disabled in OT environments for security.
Internet of Things (IoT)
▼Network of physical devices embedded with sensors, software, and connectivity enabling data collection and exchange. Industrial IoT (IIoT) applies concepts to industrial environments.
Internet Protocol Security (IPSec)
▼Protocol suite securing Internet Protocol communications by authenticating and encrypting IP packets, commonly used for VPN tunnels.
Intervention
▼Act of directly challenging or stopping unsafe practices when observed, rather than simply reporting them after the fact. Critical safety culture component.
Intrusion Prevention System (IPS)
▼Security system monitoring network traffic and automatically blocking suspicious activity in real-time, contrasting with IDS passive alerting.
Investigative Mindset
▼Approach used in ICS vulnerability assessment where testers think like detectives examining evidence rather than adversaries breaking into systems, emphasizing safe collection and analysis.
IOC
▼Indicators of Compromise - forensic evidence of potential intrusion or malicious activity.
IoT
▼Internet of Things - network of connected smart devices.
IP (Internet Protocol)
▼Fundamental networking protocol for data transmission. Also refers to Intellectual Property in business contexts.
IPSec
▼Internet Protocol Security - protocol suite for secure communications.
IPSec Tunnels
▼Internet Protocol Security tunneling providing encrypted and authenticated communication channels over public networks, protecting data confidentiality and integrity.
ISA
▼International Society of Automation - professional organization developing industrial automation standards including ISA-95 and ISA/IEC 62443.
ISA-100
▼Industrial automation standard (ISA-100.11a) for wireless networking in process control. Developed as open standard alternative to proprietary wireless protocols.
ISA/IEC 62443
▼International standard framework defining cybersecurity requirements and guidelines for industrial automation and control systems security.
ISM Band
▼Industrial, Scientific, and Medical frequency bands (in the U.S., 902-928 MHz, 2.400-2.4835 GHz, and 5.725-5.875 GHz, commonly called 900 MHz, 2.4 GHz, and 5.8 GHz) designated for unlicensed use including Wi-Fi and industrial wireless applications. Unlicensed means shared: users must tolerate interference from other ISM users.
ISP
▼Internet Service Provider - company providing internet connectivity services.
IT
▼Information Technology - computing systems primarily handling data and information, with different security requirements than OT systems.
IT/OT DMZ
▼Network zone between corporate IT networks and operational technology networks, typically containing data historians, patching servers, and jump boxes bridging environments.
J
Jump Host
▼Intermediary system managing and controlling user access between different network segments, providing access control and audit trails for cross-zone communications.
K
Karma Firmware
▼Modified wireless access point firmware enabling advanced wireless attacks, including automatic response to client device probe requests for evil twin attacks.
Kill USB
▼Destructive USB device that charges internal capacitors from the port's 5 V supply through a step-up converter, then discharges a high-voltage pulse (around 200 V in commercial units) back into the data lines, permanently damaging the host. Demonstrates that a USB port is a physical attack surface, not only a data channel.
Kismet
▼Wireless network detector and intrusion detection system working with Wi-Fi, Bluetooth, and other wireless protocols for security monitoring and site surveys.
Ku Band
▼Frequency range (12-18 GHz) used by modern VSAT systems, first commercially developed by Schlumberger and Hughes Aerospace in 1985. Enables smaller antenna sizes.
L
Ladder Logic
▼Most common PLC programming language using graphical symbols resembling electrical relay diagrams to represent control logic, making it intuitive for electricians and technicians.
LAN Turtle
▼Covert network access tool disguised as USB Ethernet adapter providing various network attack capabilities including remote access and man-in-the-middle attacks.
Last Mile Communication
▼Communication link between SCADA terminals and field devices collecting data from instrumentation and sensors, often most vulnerable part of control networks.
Latency
▼Time delay between signal transmission and reception. Particularly problematic in satellite communications because of distance: one ground-to-satellite-to-ground hop via geosynchronous orbit takes roughly 240-250 ms, so a request and its reply take about half a second. Critical consideration for real-time control systems and for protocols with tight timeouts.
Lateral Movement
▼Process by which attackers move through networks after initial compromise, seeking to access additional systems and escalate privileges toward crown jewel targets.
Layer 2 Separation
▼Network security method using VLAN tagging to keep different customers' data streams separate throughout transmission path.
Legacy Operating System
▼Older operating systems like Windows NT and Windows 2000 still commonly used in OT environments despite being obsolete in IT contexts, often due to vendor support requirements.
Legacy Systems
▼Older systems lacking modern security features, out of vendor support, or incompatible with current security technologies. Common in OT due to long system lifecycles.
Level 0 (Purdue Model)
▼Lowest level containing sensors and actuators interfacing directly with physical process but having no independent decision-making capability.
Level 1 (Purdue Model)
▼Basic control level containing PLCs and controllers capable of making controlled changes to physical world.
Level 2 (Purdue Model)
▼Supervisory control level containing HMIs, SCADA servers, and operator consoles that can send control commands to Level 1 controllers.
Level 3 (Purdue Model)
▼Operations and control zone containing support systems like data historians needing to connect to control systems but not directly commanding controllers.
Level 3.5 (Purdue Model)
▼DMZ security boundary between OT (below) and IT (above) networks, containing firewalls, data diodes, and data exchange servers.
Level 4/5 (Purdue Model)
▼Business network (Level 4) and internet-connected systems (Level 5) that should be segmented from OT environments.
Licensed Spectrum
▼Radio frequency bands requiring federal agency approval and specific authorization for use, providing dedicated frequencies with legal protection from interference.
Licensed Wireless System
▼Wireless communication system operating on frequencies allocated exclusively to specific organization through government licensing, providing dedicated spectrum access and interference protection.
Lifecycle
▼Operational lifespan of systems. IT systems typically last 3-5 years while OT systems operate 15-30+ years, creating different security maintenance requirements and patch challenges.
LIMS
▼Laboratory Information Management System - software managing laboratory operations and data in pharmaceutical and chemical manufacturing.
Line of Sight
▼Direct unobstructed path between transmitting and receiving antennas, critical for reliable RF communications above certain frequencies.
Linux
▼Open-source Unix-like operating system widely used in security tools, embedded systems, and increasingly in industrial control systems. Provides flexibility and security advantages over legacy Windows systems.
Live Zero
▼Use of 4 milliamps instead of 0 milliamps as low end of analog signal ranges, enabling detection of system faults when signals drop to zero (indicating wire break or power loss).
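As an added example that is not part of the original glossary: scaling a 4-20 mA loop reading to engineering units while using the 4 mA live zero to tell a genuine low reading from a wire break or power loss. The fault thresholds follow the NAMUR NE43 convention (below 3.6 mA or above 21.0 mA is a failure signal); the instrument ranges and readings are assumed for the example.

```python
"""Added example, not from the original glossary: 4-20 mA scaling with live-zero
fault detection. Thresholds are the NAMUR NE43 convention; ranges are assumed."""

FAULT_LOW_MA = 3.6    # NE43: transmitter drives the loop here (or 0 mA on wire break) to signal failure
FAULT_HIGH_MA = 21.0  # NE43: fail-high signal
LIVE_ZERO_MA = 4.0    # live zero: the lowest valid measurement
SPAN_HIGH_MA = 20.0   # full scale


def scale_loop(current_ma, eng_low, eng_high):
    """Return (status, value) for a 4-20 mA reading.

    value is the process variable in engineering units, linear between
    4 mA -> eng_low and 20 mA -> eng_high, or None when the loop reports a fault.
    Because the valid range starts at 4 mA, 0 mA is unambiguous: the wire is
    open or the transmitter lost power, not 'the tank is empty'.
    """
    if current_ma < FAULT_LOW_MA:
        return ("fault_low", None)
    if current_ma > FAULT_HIGH_MA:
        return ("fault_high", None)
    fraction = (current_ma - LIVE_ZERO_MA) / (SPAN_HIGH_MA - LIVE_ZERO_MA)
    value = eng_low + fraction * (eng_high - eng_low)
    # 3.6-4.0 mA and 20.0-21.0 mA are out-of-range but not failure: report saturation
    status = "ok" if LIVE_ZERO_MA <= current_ma <= SPAN_HIGH_MA else "saturated"
    return (status, value)


def scale_zero_based(current_ma, eng_low, eng_high):
    """Contrast case: a 0-20 mA loop. 0 mA is a legal reading here, so a broken
    wire and an empty tank look identical to the controller."""
    return eng_low + (current_ma / 20.0) * (eng_high - eng_low)


if __name__ == "__main__":
    # Constructed readings for a 0-100 % tank level transmitter
    for reading in (0.0, 3.6, 4.0, 12.0, 20.0, 22.0):
        print(f"{reading:5.1f} mA -> {scale_loop(reading, 0.0, 100.0)}")
    print("0 mA on a 0-20 mA loop reads as:", scale_zero_based(0.0, 0.0, 100.0))
```

The check that matters operationally is the first branch: an HMI that maps 0 mA to 0 % would quietly display an empty tank during a wiring fault, whereas the live-zero convention lets the controller raise a fault instead.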
Living off the Land
▼Technique where attackers use legitimate built-in operating system tools rather than installing malware, making detection more difficult and bypassing many security controls.
Local Control
▼Control functions performed autonomously by controller at field location without requiring communication with or commands from supervisory systems.
Lock Picking
▼Practice of unlocking locks without original key by manipulating lock components. Common physical security assessment technique.
Long Range (LoRa)
▼Proprietary long-range, low-power radio modulation developed by Semtech and used as the physical layer for industrial and IoT wireless input/output devices; the open network protocol built on top of it is LoRaWAN.
Long Range Wide Area Network (LoRaWAN)
▼Low-power wide-area network protocol designed for Internet of Things applications requiring long-range communication with minimal power consumption.
LTE
▼Long Term Evolution - fourth generation (4G) cellular technology providing higher speeds than 3G networks.
M
M&A
▼Mergers and Acquisitions - business transactions involving consolidation of companies or assets.
MAC Address
▼Media Access Control address - unique identifier assigned to network interface controllers, used for device identification at data link layer.
MAC Address Filtering
▼Early Wi-Fi security mechanism restricting network access based on hardware addresses. Easily circumvented by address spoofing, providing minimal security.
Malicious Attack
▼Intentional cyber attack that can create scenarios never occurring in normal operations but with potentially catastrophic consequences.
Malicious Behavior
▼Intentional actions designed to compromise security, such as unauthorized access attempts or information gathering activities.
Malicious Insider
▼Authorized user (employee or contractor) intentionally causing harm to organization's systems or data, as demonstrated by historical attacks like Shamoon.
Malware
▼Malicious software that can compromise systems and spread through various connection methods, including charging cables and network connections.
Man-in-the-Middle (MITM)
▼Attack where attacker secretly intercepts and potentially alters communications between two parties who believe they're communicating directly.
Mandatory Requirements
▼Regulatory obligations that must be met by organizations in specific industries or regions, with enforcement mechanisms and penalties for non-compliance. Contrasts with voluntary standards.
Manufacturing Execution System (MES)
▼Middleware software between business systems and plant floor control systems, managing production scheduling, inventory, work orders, and material tracking.
Master Polling Server
▼Central servers in SCADA systems initiating communication with field devices and coordinating data collection from remote sites. See also: Master-Slave.
Master-Slave
▼Communication model where only master devices can initiate transactions, with slave devices waiting to be polled before responding with data. Common in Modbus and other industrial protocols (the Modbus Organization now uses the terms client and server for the same roles).
Memory Address
▼Specific location in controller memory where input values are stored and from which output values are read. Fundamental to PLC addressing schemes.
Mesh Network
▼Wireless network topology where each device can communicate with multiple other devices, enabling automatic routing around failed devices and eliminating single points of failure.
Mesh Topology
▼Network architecture where devices connect to multiple other devices, providing redundant communication paths and improved reliability. Used by Zigbee and WirelessHART.
MFA
▼Multi-Factor Authentication - security process requiring multiple verification methods (password, token, biometric) to authenticate users.
Midstream
▼In oil and gas industry, transportation and storage of oil and gas via pipelines, trucks, rail, or storage facilities.
MITRE
▼Originally Massachusetts Institute of Technology Research and Engineering, now organization name. Not-for-profit operating federally funded research and development centers.
MITRE ATT&CK
▼Framework documenting adversary tactics, techniques, and procedures based on real-world cyberattack observations. Organized by attack lifecycle phases.
MITRE ATT&CK for ICS
▼Comprehensive framework created by MITRE documenting how attackers break into control system environments and impact plant networks, organized by tactics and techniques.
MITRE ATT&CK Matrix
▼Visual representation of MITRE ATT&CK framework organizing tactics across top row and corresponding techniques beneath each tactic. Navigation tool for understanding complete attack lifecycle.
MITRE Corporation
▼Not-for-profit organization operating federally funded research and development centers in United States. Develops frameworks and tools improving cybersecurity, including ATT&CK framework.
MMI
▼Man-Machine Interface - historical term for human-machine interfaces, since replaced by the gender-neutral HMI. Still found on older equipment and documentation.
Modbus
▼Open, royalty-free industrial communication protocol originally developed by Modicon. Widely adopted due to simplicity and clear-text format, though lacks inherent security.
Modbus Plus
▼Network communication protocol used for connecting industrial devices and controllers, proprietary to Modicon/Schneider Electric.
Modbus TCP
▼Ethernet version of Modbus encapsulating traditional Modbus messages within TCP/IP, using TCP port 502. Most common Modbus variant in modern systems. It inherits Modbus's lack of authentication: any host that can reach port 502 on a device can read and write its coils and registers.
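As an added example that is not part of the original glossary, covering the Function Code, Master-Slave and Modbus TCP entries together: building and parsing Modbus/TCP frames to show where the function code sits in the MBAP header plus PDU, and a passive check of the kind a network-sniffing IDS on a Modbus segment can run, flagging write function codes from any host other than the expected master. The IP addresses, unit ID and traffic sample are constructed for illustration.

```python
"""Added example, not from the original glossary: Modbus/TCP frame construction,
parsing, and a passive 'write from unexpected host' check. Hosts and traffic below
are constructed for illustration."""
import struct

# Function codes named in the glossary entries
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
                   WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}

MODBUS_TCP_PORT = 502


def build_request(transaction_id, unit_id, function_code, start_address, value):
    """Build a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2 bytes), protocol id (2, always 0), length (2),
    unit id (1); length counts the unit id plus the PDU. The PDU is the
    function code and its data. Note that no field anywhere carries
    authentication: the function code alone decides whether this is a read or a write.
    """
    pdu = struct.pack(">BHH", function_code, start_address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_adu(frame):
    """Parse a Modbus/TCP frame into its fields; raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function_code = frame[7]
    return {
        "transaction_id": tid,
        "unit_id": unit,
        "function_code": function_code,
        "exception": bool(function_code & 0x80),  # bit 7 set marks an exception response
        "data": frame[8:],
    }


def flag_unexpected_writes(observed, expected_master):
    """Passive rule over (src_ip, dst_port, frame) tuples taken from a capture.

    Returns (src_ip, function_code) for every write request that did not come
    from the master. In a master-slave protocol the slave never originates
    traffic, so any write from another address is worth an alert, and the
    check never sends a packet to the PLC.
    """
    alerts = []
    for src, dport, frame in observed:
        if dport != MODBUS_TCP_PORT:
            continue
        fc = parse_adu(frame)["function_code"]
        if fc in WRITE_FUNCTIONS and src != expected_master:
            alerts.append((src, fc))
    return alerts


# Constructed traffic: the real master polls, then a rogue host on the same
# segment forces a coil on (0xFF00 is Modbus's encoding for ON).
MASTER = "10.0.1.10"
SAMPLE_TRAFFIC = [
    (MASTER,      MODBUS_TCP_PORT, build_request(1, 1, READ_HOLDING_REGISTERS, 0x0000, 10)),
    (MASTER,      MODBUS_TCP_PORT, build_request(2, 1, READ_COILS, 0x0010, 8)),
    ("10.0.1.77", MODBUS_TCP_PORT, build_request(9, 1, WRITE_SINGLE_COIL, 0x0003, 0xFF00)),
]

if __name__ == "__main__":
    for src, _, frame in SAMPLE_TRAFFIC:
        fields = parse_adu(frame)
        print(f"{src:10} {frame.hex()}  fc=0x{fields['function_code']:02x}")
    print("alerts:", flag_unexpected_writes(SAMPLE_TRAFFIC, MASTER))
```

The same rule extended with an allow-list of (unit id, register range) pairs per master is the usual next step; the point here is that the function code is visible in clear text at a fixed offset, so both an attacker and a monitoring tool can act on it without any protocol knowledge beyond the header layout.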
MPLS
▼Multi-Protocol Label Switching - label-based routing technique commonly used for business communications, often backed up by VSAT.
MPLS Network
▼Multi-Protocol Label Switching network technology providing reliable, secure connections for business communications including industrial facilities.
MSSP
▼Managed Security Service Provider - company providing outsourced monitoring and management of security devices and systems.
MTU
▼Maximum Transmission Unit - largest packet size that can be transmitted on network without fragmentation.
Multi-Protocol Label Switching (MPLS)
▼Routing technique directing data from one network node to next based on short path labels rather than long network addresses, improving routing efficiency.
Multi-Vendor Complexity
▼Integration challenges created when OT systems consist of components from multiple suppliers, requiring coordination between vendors for security updates and compatibility.
N
Narrow Band Data
▼Low bandwidth data transmission suitable for telemetry, polling, and small transaction applications typical of VSAT usage in industrial applications.
NASA
▼National Aeronautics and Space Administration - U.S. space agency.
NDA
▼Non-Disclosure Agreement - legal contract protecting confidential information shared during business relationships or security assessments.
NERC
▼North American Electric Reliability Corporation - organization responsible for electrical grid reliability standards in North America.
NERC CIP
▼North American Electric Reliability Corporation Critical Infrastructure Protection - mandatory cybersecurity standards for bulk electric system, with financial penalties for non-compliance.
NetOptics
▼Company manufacturing professional network monitoring and tap devices used for traffic analysis and security monitoring.
Network Isolation
▼Practice of keeping OT systems separate from external networks like Internet to prevent remote attacks and maintain security boundaries.
NetworkMiner
▼Specialized analysis tool extracting and analyzing files, images, and other objects transmitted across networks from packet capture data.
Network Sniffing
▼Technique used to passively monitor network traffic and gain insights into communications without actively probing systems. Reveals operational data and control commands traversing networks.
Network Tap
▼Hardware device providing access to network communications for monitoring and analysis without disrupting normal network operations.
Network Tap - Active
▼Powered network monitoring device that regenerates the signal rather than splitting it, so the monitor port receives a complete, undegraded copy of traffic. The trade-off is a dependency on power: choose units with a fail-open bypass so that a tap failure does not take down the production link.
Network Time Protocol (NTP)
▼Protocol synchronizing computer clocks across networks, critical for accurate logging and event correlation in security investigations.
NIST
▼National Institute of Standards and Technology - U.S. standards and technology agency developing cybersecurity frameworks and guidelines.
NMAP
▼Network Mapper - popular network discovery and security auditing tool capable of port scanning, service detection, and OS fingerprinting.
Node Address
▼Unique identifier assigned to each device on bus network, enabling controllers to communicate with specific instruments on shared communication trunk.
Non-volatile Memory
▼Memory retaining stored information when power is removed, typically used for storing PLC programs and critical system data in EEPROM.
North-South Traffic
▼Network communications entering or leaving network, typically between different network zones or external systems. Contrasts with East-West traffic.
NTP
▼Network Time Protocol - networking protocol for clock synchronization.
Nuisance Trip
▼Unexplained shutdown or safety system activation in industrial control systems, often caused by communication failures, EMI, or transient conditions.
O
ODU
▼Outdoor Unit - outdoor component of VSAT system including dish and transceiver.
ODVA
▼Open DeviceNet Vendors Association - industry organization managing the Common Industrial Protocol (CIP) family, including EtherNet/IP and DeviceNet.
OEM
▼Original Equipment Manufacturer - companies manufacturing components or systems used in other companies' products.
Omnidirectional Antenna
▼Antenna design transmitting and receiving radio signals in 360-degree horizontal pattern, typically used for master stations requiring broad coverage. Contrasts with directional antennas.
Onion Layer Security Model
▼Security architecture concept where control system devices at core are protected by multiple layers of security controls, with each layer providing protection for layers beneath it.
OPC
▼Open Platform Communications - set of standards for industrial communication between automation devices and systems, enabling vendor-neutral data exchange.
Open Platform Communications (OPC)
▼Standardized interface technology enabling communication between diverse industrial devices and enterprise applications without requiring device-specific drivers.
Open Source Intelligence (OSINT)
▼Intelligence gathered from publicly available sources, including websites, social media, news articles, and other freely accessible information.
Operational Data
▼Information related to manufacturing processes, control systems, and site operations that could have severe impacts if accessed by unauthorized parties.
Operational Technology (OT)
▼Hardware and software systems monitoring and controlling physical processes in industrial environments. Different security requirements than IT systems due to direct control of physical processes.
Original Equipment Manufacturer (OEM)
▼Vendor providing specific components, devices, or subsystems used in industrial control systems, such as Siemens, Rockwell Automation, or Schneider Electric.
OSHA
▼Occupational Safety and Health Administration - federal agency regulating workplace safety and enforcing safety standards.
OSI
▼Open Systems Interconnection - seven-layer networking model defining network communication functions.
OSINT
▼Open Source Intelligence - information gathering from publicly available sources for reconnaissance.
OT
▼Operational Technology - computing systems monitoring and controlling physical processes, facing unique security challenges due to design and operational requirements.
OT Network Core
▼Central switching infrastructure distributing communications throughout industrial control environments.
OT Vulnerability Assessment
▼Systematic testing of operational technology systems to identify security defects, configuration issues, and hardening opportunities without impacting system performance.
Outdoor Unit (ODU)
▼Outdoor component of VSAT system including satellite dish, transceiver, and weatherproof enclosures.
Output
▼Command or signal from controller to device affecting physical process, such as starting pump, opening valve, or displaying information to operator.
Outside-Inside Approach
▼Testing methodology beginning assessment at most externally exposed systems and progressively moving toward more sensitive internal systems.
P
Packet
▼Unit of data transmitted over network, containing header information (addresses, protocols) and payload data.
Packet Broker
▼Specialized device providing advanced traffic filtering and routing capabilities for complex network monitoring scenarios.
Packet Capture (PCAP)
▼File format for storing network traffic data that can be analyzed offline to understand communication patterns and identify security concerns.
Packet Filtering
▼Process of selecting and analyzing specific packets based on criteria such as protocol, IP address, or content.
Packet Squirrel
▼Small network device sitting inline with existing network connections to provide remote access capabilities while appearing transparent to monitoring systems.
Parity
▼Basic error detection mechanism in serial communication adding extra bit to make total number of 1 bits even (even parity) or odd (odd parity).
Passive Network Tap
▼Simple, unpowered device enabling traffic monitoring; because it works by splitting the signal, it may not capture all network communications reliably.
Passive Scanning
▼Assessment techniques gathering information without sending packets to target devices, minimizing risk of disruption to operational systems.
Passive Testing
▼Testing approaches focusing on observing and analyzing systems without generating new network traffic or modifying system states. Minimizes operational disruption while providing valuable security insights.
Passive Testing Techniques
▼Security testing methods involving observing and documenting system configurations, network traffic, and operational parameters without sending probing traffic or attempting exploits.
Patching Paradox
▼Difficulty of applying security updates to OT systems due to availability requirements and complexity, making traditional IT patching approaches impractical.
Pay-Per-Use Billing
▼Billing model where users pay for services based on actual usage, such as bandwidth consumption in VSAT systems.
Payload
▼Malicious code or commands delivered by exploit to accomplish attacker's objective, such as data theft, system control, or destructive actions.
Payment Firewall
▼Commercial Wi-Fi implementation restricting network access until payment authentication completed, demonstrating connection state transitions.
PC-based Control
▼Control systems using general-purpose computers running specialized software instead of dedicated hardware controllers like PLCs.
PCAP
▼Packet Capture - file format for storing network traffic data.
PCAP-NG
▼Packet Capture Next Generation - enhanced packet capture file format with additional metadata capabilities.
PCII
▼Protected Critical Infrastructure Information - sensitive information about critical infrastructure protected from public disclosure.
Penetration Testing
▼Testing methodology simulating how motivated attackers with no prior knowledge might attempt to compromise systems, typically testing defensive capabilities by attempting movement from external networks through corporate systems to industrial control systems.
Persistence
▼Ability to maintain access to compromised systems over extended periods through techniques surviving system reboots, security scans, and routine maintenance.
Personal Protective Equipment (PPE)
▼Safety equipment protecting workers from workplace hazards. In industrial wireless audits, may include hard hats, safety glasses, Nomex coveralls, and steel-toed boots depending on facility hazards.
Pharmaceutical Manufacturing
▼Highly regulated production processes using OT systems to ensure medications are produced with exact specifications and zero tolerance for errors.
Phishing
▼Social engineering attack using deceptive communications (typically email) to trick users into revealing sensitive information or installing malware.
Physical Equipment Damage
▼Unique vulnerability of OT systems where cyber attacks can cause physical damage to equipment and infrastructure requiring repair or replacement.
Physical Security
▼Protective measures including surveillance cameras, locks, and alarms preventing unauthorized physical access to OT systems.
Physical World Impact
▼Tangible, real-world consequences resulting from OT system operations or failures, affecting people, property, and environment.
PI
▼Process Information - refers to OSIsoft PI System, a data historian system commonly used in industrial environments.
PineAP
▼Attack framework used by WiFi Pineapple devices to conduct wireless attacks, including access point impersonation and client exploitation.
Pineapple
▼Specialized wireless device designed for security testing that can clone legitimate access points and perform man-in-the-middle attacks. Demonstrates potential for rogue access point deployment.
PLC
▼Programmable Logic Controller - industrial computer control system continuously monitoring input devices and making decisions based on custom programs to control output devices.
Port Scanning
▼Assessment technique probing network devices to identify open TCP and UDP ports. Can potentially disrupt industrial control systems not designed to handle simultaneous connection attempts.
POTS
▼Plain Old Telephone Service - traditional landline telephone connections often backed up by satellite communication in remote locations.
PPE
▼Personal Protective Equipment - safety gear required in industrial environments.
Pre-shared Key
▼Authentication method using shared password between clients and access points for network access control. Used by WPA/WPA2 personal modes.
Pressure Sensor
▼Device measuring force exerted by gases or liquids within containers or systems, providing pressure readings to control systems.
Probe Request/Response
▼Wi-Fi frame types used by client devices to discover available wireless networks and by access points to respond with network information.
Procedures
▼In MITRE ATT&CK framework, real-world examples of how specific techniques have been used by attackers in documented incidents. Provide concrete evidence of theoretical attack technique implementation.
Process Hazard Analysis (PHA)
▼Systematic examination of industrial processes to identify and evaluate hazards that could result in accidents or releases. Required by regulations such as OSHA PSM; PHA findings often drive safety instrumented system requirements.
Process Twin
▼Most complex digital twin type modeling entire operational processes such as zero-inventory manufacturing or facility-wide operations, enabling optimization of complex, multi-variable systems.
Product Twin
▼Digital twin modeling interactions between multiple components, such as how engine, transmission, and braking system work together, enabling analysis of complex system behaviors.
Profibus
▼Fieldbus communication protocol used in industrial automation for connecting field devices to control systems, particularly common in European installations.
Programmable Logic Controller (PLC)
▼Industrial computer designed for reliable control of manufacturing processes and automated systems. Reads inputs, executes control logic, and generates outputs in real-time scan cycles.
Protocol Agnostic
▼Characteristic of spread spectrum technology meaning it can carry any communication protocol without altering or affecting underlying data or protocol structure.
Protocol Gateway
▼Devices translating between different communication protocols, enabling unified communication with diverse field equipment using different proprietary protocols.
Protocol Hierarchy
▼Organizational structure showing different network protocols and their relationships in captured traffic.
Protocol Negotiation
▼Process by which Wi-Fi devices agree on communication parameters during connection establishment.
Proxmark
▼RFID research and penetration testing device that can read, clone, and emulate various RFID and proximity cards used in access control systems.
Pseudo Noise Generator
▼Component creating pseudo-random number sequences used in spread spectrum systems to encode and decode wireless communications. Common algorithms include time-based seeds like seconds since 1970.
Pseudorandom Number Generator
▼Mathematical algorithm producing number sequences appearing random but actually deterministic and reproducible when same seed value used. Essential for synchronizing spread spectrum communications.
PSI
▼Pounds per Square Inch - pressure measurement unit.
PTO
▼Paid Time Off - employee leave benefits.
Public Source Intelligence
▼Information gathering using only publicly available sources such as websites, social media, professional platforms, and published materials.
Publisher-Subscriber
▼Communication model where publishers continuously broadcast data to all subscribers on network, typically using UDP for real-time data distribution. Common in DCS and process control.
Purdue Model
▼Reference architecture model (formalized in ISA-95 and IEC 62443) defining hierarchical security zones for OT networks from Level 0 (field devices) through Level 5 (internet). Specifies communication should only flow between adjacent levels.
Q
QNX
▼Real-time operating system commonly used in embedded industrial control devices and automotive systems.
Quality Control Compromise
▼Attacks subtly altering manufacturing processes to produce defective products without immediately obvious failures, difficult to detect and potentially dangerous.
R
Radio Frequency (RF)
▼Portion of electromagnetic spectrum used for wireless communications, typically measured in megahertz (MHz) or gigahertz (GHz).
Radio Frequency Identification (RFID)
▼Technology using radio waves to identify and track objects, commonly used in access control systems and vulnerable to cloning attacks.
RADIUS
▼Remote Authentication Dial-In User Service - centralized authentication system commonly used with WPA2 Enterprise wireless security.
Ransomware
▼Type of malware encrypting files and locking users out of systems while demanding payment for restoration. Particularly dangerous in OT environments due to availability impacts.
RAT
▼Remote Access Trojan - malware providing unauthorized remote access and control of compromised systems.
RC4
▼Rivest Cipher 4 - stream cipher used in WEP encryption, now considered obsolete and insecure due to cryptographic weaknesses.
RDP
▼Remote Desktop Protocol - proprietary protocol developed by Microsoft for remote access to Windows-based systems.
Re-association Frames
▼Wi-Fi management frames used when devices move between access points or reconnect after temporary disconnection.
Real Intelligence Threat Analytics (RITA)
▼Specialized tool for analyzing network traffic to detect beaconing behaviors and command and control communications characteristic of compromised systems.
Real-time
▼In industrial contexts, extremely demanding timing requirements such as 4-millisecond fault detection in power systems or 10,000 samples per second in substation automation.
Real-time Operating System (RTOS)
▼Operating system designed to provide predictable response times and deterministic behavior required for industrial control applications, contrasting with general-purpose operating systems.
Reconnaissance
▼Initial attack phase where attackers gather information about targets. In industrial environments, reconnaissance activities are often invisible to the target organization and may involve gathering information from public sources.
Red Team
▼Small group of trained experts from multiple disciplines (physical security, cybersecurity, social engineering) working together to simulate sophisticated, coordinated attacks against organizational defenses.
Red Team Exercise
▼Most comprehensive form of security testing involving multi-faceted attacks including physical security breaches, social engineering, network penetration, and other techniques testing technical, human, and procedural security elements.
Reduced Function Device (RFD)
▼Limited Zigbee device providing only basic sensor or actuator functionality without routing capabilities, designed for battery operation with minimal power consumption.
Regulation
▼Mandatory legal requirements issued by governmental or regulatory bodies that asset owners must comply with or face fines, penalties, or operational shutdown. Examples include NERC CIP, FDA regulations, FERC requirements.
Regulatory Compliance
▼Process of adhering to laws, regulations, and standards governing OT security and critical infrastructure protection.
Relay Logic
▼Original form of industrial control using electromechanical relays connected with electrical wiring to create logical functions, predecessor to PLC ladder logic.
Reliability
▼Consistent, uninterrupted operation of critical systems enabled by OT technology, ensuring services like power and water remain available 24/7.
Remote Access Tool (RAT)
▼Software allowing remote control of computer systems. Can be used legitimately by administrators or maliciously by attackers.
Remote Attack Capability
▼Ability of cyber attackers to target OT systems from anywhere in world without physical presence, creating global threat landscape.
Remote Switch Port Analyzer (RSPAN)
▼Switch feature enabling remote monitoring of network traffic across switches; may impact network performance. See also: SPAN Port.
Remote Terminal Unit (RTU)
▼Industrial control devices interfacing with field equipment and communicating with central control systems, typically used in geographically distributed operations like pipelines and utilities.
Reputational Damage
▼Harm to organization's reputation and stakeholder confidence resulting from publicized compliance failures or security incidents.
Reverse Engineering
▼Process of analyzing control system operations, logic, and processes to understand how they function. Attackers use reverse engineering to determine how to effectively disrupt or manipulate industrial processes.
RF
▼Radio Frequency - electromagnetic waves used for wireless communication, often referring to industrial wireless systems operating at 900 MHz.
RF Spectrum
▼Portion of electromagnetic spectrum used for radio frequency communications, with specific bands allocated for different purposes including licensed and unlicensed uses.
RFID Cloning
▼Process of duplicating radio frequency identification cards or badges to gain unauthorized physical access to facilities using specialized reading and writing devices.
RFP
▼Request for Proposal - document organizations use to solicit bids from potential vendors for projects or services.
Risk
▼Potential that threat will exploit vulnerability to cause harm to system or organization.
Risk-Reward Analysis
▼Process of evaluating whether benefits of particular action justify security risks it creates, often different for OT and IT systems.
RITA
▼Real Intelligence Threat Analytics - network traffic analysis tool for security monitoring.
Rogue Access Point
▼Unauthorized wireless access point installed on network, either maliciously by attacker or inadvertently by well-meaning personnel. Creates security vulnerabilities by bypassing network security controls.
Round-Robin
▼Communication pattern where master device polls slave devices sequentially, communicating with only one device at time in predetermined order.
RS-232
▼Recommended Standard 232 - serial communication interface standard for point-to-point connections, historically common in industrial automation.
RS-485
▼Multi-drop serial communication standard enabling multiple devices to share two-wire communication bus, with all devices receiving all messages but only addressed devices responding.
RSPAN
▼Remote Switch Port Analyzer - remote network traffic monitoring feature.
RTOS
▼Real-Time Operating System - operating system providing deterministic timing for industrial control.
RTS/CTS
▼Request to Send/Clear to Send frame types used for collision avoidance in wireless networks, particularly important in hidden node scenarios.
RTU
▼Remote Terminal Unit - microprocessor-controlled electronic device interfacing objects in physical world to distributed control systems or SCADA systems.
Rubber Ducky
▼USB device appearing as flash drive but registering as keyboard to execute pre-programmed keystroke sequences, often used to deploy malware or establish remote access.
Rubber Ducky Antenna
▼Omnidirectional short antenna (typically less than 10 inches) commonly used in cellular modem applications, named for resemblance to rubber ducky toys.
Rules of Engagement
▼Formal documentation describing what attacking teams can do, what defending teams can do, what systems should never be touched, and what actions are prohibited during security testing.
Rung
▼Single line of ladder logic representing complete logical statement, with power flowing left to right when conditions satisfied.
S
Safety Instrumented System (SIS)
▼Independent control system monitoring main process control system and automatically intervening to maintain safe conditions if primary system fails or process enters dangerous parameters. Acts as safety net.
Safety Systems
▼OT systems continuously monitoring critical parameters and automatically implementing protective measures when conditions approach dangerous thresholds.
SAM
▼Security Account Manager - Windows database storing user account and password information.
SAN
▼Storage Area Network - dedicated high-speed network providing block-level storage access.
SAP
▼Systems, Applications & Products in Data Processing - enterprise resource planning software.
SAT
▼Site Acceptance Test - testing conducted at customer facilities to verify system functionality in operational environment.
SCADA
▼Supervisory Control and Data Acquisition - control system architecture comprising computers, networked data communications, and graphical user interfaces for managing geographically dispersed assets.
SCADA Pack
▼Compact RTU designed for basic data collection and totalization functions in small industrial applications.
SCADA Terminal
▼Supervisory Control and Data Acquisition system endpoint where operators monitor and control industrial processes from central locations.
Scan Cycle
▼Continuous process by which PLC reads inputs, executes control program, updates outputs, and performs communication tasks, typically completing in milliseconds.
Scenario Building
▼Process of creating realistic attack narratives defining red team motivations, capabilities, objectives, and constraints to frame exercise activities and success criteria.
Scope Consideration Framework
▼Strategic approach to selecting testing methodologies based on whether focus is organizational processes, systems and networks, or specific products and applications.
Scope Creep
▼Unauthorized expansion of testing boundaries during project execution, either by testing teams seeking new challenges or vendors seeking increased revenue.
SDR
▼Software Defined Radio - radio system where traditional hardware components are implemented in software, enabling flexible analysis of wireless technologies.
Second Line of Defense
▼Risk management and compliance teams responsible for risk oversight, security governance, and policy compliance. Provide support and guidance to operational teams while maintaining oversight. See also: Three Lines of Defense.
Security Onion
▼Comprehensive open-source platform integrating multiple security tools for intrusion detection and network analysis.
Security Operations Center (SOC)
▼Centralized facility where security professionals monitor, detect, analyze, and respond to cybersecurity incidents 24/7.
Security Testing Devices
▼Automated devices that can be deployed to perform wireless attacks or security assessments without manual operation.
Sensor
▼Device measuring physical conditions such as temperature, pressure, flow, level, vibration, or position and providing information as input to control systems.
Service Set Identifier (SSID)
▼Network name identifying specific Wi-Fi network, with all devices joining same SSID using same spreading codes and pseudo noise generators.
Shared Operator Accounts
▼Authentication credentials shared among multiple operators for safety reasons, typically with compensating physical security controls to maintain accountability.
Shared Responsibility
▼Principle that regulatory compliance requires participation from all employees interacting with OT systems, not just compliance specialists.
Shared Responsibility Model
▼Approach to OT security where everyone interacting with systems contributes to their protection, rather than relying solely on technical specialists.
Shodan
▼Search engine indexing internet-connected devices and systems, allowing users to discover exposed infrastructure, services, and potential vulnerabilities.
SIEM
▼Security Information and Event Management - platform for security event correlation and analysis. SIEM environments aggregate logs from multiple sources for centralized monitoring, alerting, and compliance reporting.
SIGINT
▼Signals Intelligence - intelligence gathered from electronic signals and communications interception.
Signal Strength
▼Power level of radio frequency signal, typically measured in decibels (dBm) and used to determine wireless coverage quality and range.
SIM Card
▼Subscriber Identity Module used in cellular systems for authentication and network access, containing subscriber identity information.
SIM Environment
▼Simulation environment - isolated testing environment replicating production systems for testing security controls, patches, and changes without impacting operations. Critical for OT systems where production testing carries unacceptable risks.
Simple Network Management Protocol (SNMP)
▼Network protocol for collecting information and configuring network devices remotely, often exploited due to weak default community strings.
SIS
▼Safety Instrumented System - system designed to bring industrial processes to safe state when predetermined conditions violated.
Site Acceptance Test (SAT)
▼Testing conducted at customer facilities to verify systems function properly in operational environment. Should include cybersecurity testing before commissioning.
Six Walls of Protection
▼NERC CIP requirement that critical cyber assets must be physically protected by six walls (typically equipment cabinet) with controlled access and monitoring.
Smart Grid
▼Enhanced electrical grid infrastructure incorporating bi-directional digital communications with intelligent devices, enabling real-time monitoring, demand response, and automated control.
SMB
▼Server Message Block - network communication protocol providing shared access to files and services.
Smishing
▼SMS-based phishing attacks using text messages to deliver malicious links or social engineering content to mobile device users.
SMS
▼Short Message Service - text messaging service on mobile phones.
SMTP
▼Simple Mail Transfer Protocol - internet standard for email transmission.
SNMP
▼Simple Network Management Protocol - protocol for network device management.
SOAR
▼Security Orchestration, Automation, and Response - platform integrating security tools and automating incident response workflows. SOAR environments enable automated threat detection, investigation, and remediation actions, improving response times and consistency.
SOC
▼Security Operations Center - centralized facility for security monitoring and incident response.
Social Engineering
▼Manipulation of human psychology and social interactions to elicit desired responses such as providing access, information, or assistance to unauthorized individuals.
Soft PLC
▼Software emulating PLC functionality on general-purpose computers, enabling same control logic to run in virtualized environments.
Software Defined Radio (SDR)
▼Radio communication system where components traditionally implemented in hardware are instead implemented in software, enabling flexible wireless protocol analysis and implementation.
SPAN Port
▼Switch Port Analyzer - switch feature mirroring traffic from other ports to enable monitoring without disrupting operations. Used with network taps for passive monitoring.
Spear Phishing
▼Highly targeted email attacks directed at specific individuals using personalized information and realistic pretexts to increase likelihood of successful credential theft or malware deployment.
Spectrum Analyzer
▼Test instrument examining spectral composition of radio frequency signals. In wireless audits, identifies active frequencies, signal strength, and potential interference sources across RF bands.
Spread Spectrum
▼Technology distributing signal energy across multiple frequencies using pseudorandom codes, providing frequency reuse, jamming resistance, signal hiding, and bandwidth sharing benefits.
Spreading Code
▼Pseudo-random sequence used in spread spectrum systems to encode data before transmission and decode after reception, known only to authorized transmitters and receivers.
SQL
▼Structured Query Language - programming language for managing and querying relational databases.
SSH
▼Secure Shell - encrypted network protocol for secure remote system administration and file transfer.
SSID
▼Service Set Identifier - network name identifier for wireless networks.
SSL
▼Secure Sockets Layer - predecessor to TLS encryption protocol.
Stakes Differential
▼Higher consequences of OT security failures compared to IT security failures, including potential safety hazards and environmental damage.
Standard
▼Voluntary guidelines and best practices developed by organizations like ISO, ISA, IEC, IEEE, and NIST providing recommendations for designing, implementing, and securing systems. Compliance optional but demonstrates due diligence.
Starlink
▼Modern satellite internet constellation providing global broadband coverage using advanced VSAT technology and low earth orbit satellites.
Stuxnet
▼Sophisticated malware campaign targeting Siemens industrial control systems, particularly uranium enrichment centrifuges. First widely-documented cyber weapon designed for physical destruction, demonstrating feasibility of sophisticated control system attacks.
Subdomain
▼Subdivision of larger domain name, typically organizing different services or sections of websites (e.g., mail.example.com, www.example.com).
Subscriber Identity Module (SIM)
▼Card used in cellular systems identifying and authenticating users on cellular networks, storing subscriber information.
Supervisory Control
▼High-level monitoring and control performed from central location (control room) over multiple field controllers or remote sites, typically via SCADA systems.
Supervisory Control and Data Acquisition (SCADA)
▼Centralized control system architecture designed for monitoring and controlling geographically dispersed assets such as oil wells, water pumps, or electrical substations from central control rooms.
Supply Chain Attack
▼Cyber attack method targeting less-secure supply chain elements to gain access to primary targets, including compromising software or hardware during development or manufacturing processes.
Suspicious Activity
▼Any unusual behavior or activity potentially indicating security threats, including both malicious actions and innocent mistakes.
Syncom
▼NASA's first geosynchronous satellite communication system (Syncom 1-3) that transmitted 1964 Olympics coverage, demonstrating feasibility of geosynchronous satellite communications.
Syslog
▼Standard protocol for message logging in IP networks, enabling centralized log collection from network devices, servers, and security systems for monitoring and analysis. Essential for security event correlation and incident investigation.
System Twin
▼Digital twin modeling larger, complex environments such as entire facilities or interconnected processes, enabling analysis and optimization at systems level.
Systems Integrator
▼Company combining components from multiple OEM vendors into complete, functioning control system by programming controllers, building networks, creating HMIs, and conducting acceptance testing.
T
Tabletop Exercise
▼Discussion-based exercise simulating security incidents or emergencies in low-risk environment, allowing teams to practice response procedures and identify gaps without impacting operational systems.
Tactics
▼High-level objectives or organizational categories representing strategic goals attackers pursue during campaigns against industrial systems. In MITRE ATT&CK framework, tactics serve as primary organizational structure.
Tactics, Techniques, and Procedures (TTPs)
▼Behavioral patterns and methods used by threat actors to plan, execute, and sustain cyber attacks, providing insights for defensive planning and threat hunting. Reference MITRE ATT&CK Matrix.
Tag Database
▼Configuration system mapping field device addresses to HMI display elements, including scaling parameters, alarm limits, and display characteristics.
Tailgating
▼Practice of unauthorized individuals following authorized personnel through secure entrances without proper authentication.
TCP
▼Transmission Control Protocol - reliable internet communication protocol providing guaranteed delivery through acknowledgments and retransmission.
tcpdump
▼Command-line packet analyzer enabling capture and analysis of network traffic with better performance than GUI-based tools for high-volume industrial networks.
TCP/IP
▼Transmission Control Protocol/Internet Protocol - fundamental communication protocol suite of internet and most networks.
TeamViewer
▼Legitimate remote access software that can be misused by attackers to maintain persistent access to compromised systems.
Technical Limitations
▼Constraints in OT environments preventing many automated security approaches used in IT systems, requiring greater human involvement and specialized approaches.
Techniques
▼Specific methods or approaches adversaries employ to achieve tactical objectives. Each tactic in MITRE ATT&CK framework contains multiple techniques representing different ways of accomplishing same strategic goal.
Technology and Vulnerability Drift
▼Natural process by which secure systems become vulnerable over time as new attack techniques emerge, operating systems evolve, and security configurations appropriate for older systems become inadequate for newer environments.
Telemetry
▼Automated remote measurement and transmission of data from distant sources to receiving equipment for monitoring purposes, common in utility and pipeline operations.
Ten-Foot Rule
Security awareness practice of acknowledging and greeting unknown individuals within ten feet, making eye contact, and asking helpful questions about their purpose and authorization.
Testing
Activity of identifying vulnerabilities, software bugs, or security flaws in systems using automated tools or manual approaches. Exploratory in nature, looking for unknown problems.
Third Line of Defense
Independent assurance functions, typically internal audit teams, providing independent validation of security controls and reporting directly to executive leadership and boards. See also: Three Lines of Defense.
Third-Party Provider
External company providing communication services; such providers create dependencies that must be managed in industrial applications.
Threat
Potential source of danger or harm to organizational assets, including malicious actors, natural disasters, system failures, or human errors that could exploit vulnerabilities.
Threat Actor
Individual, group, or organization responsible for cyber attacks, ranging from individual hackers to sophisticated nation-state sponsored groups with varying motivations and capabilities.
Three Lines of Defense
Governance model identifying operational management (first line), risk management/compliance (second line), and independent assurance/audit (third line) as distinct roles in organizational risk management.
Three-Phase Testing Approach
Systematic methodology for OT security testing progressing from external penetration testing to internal penetration testing to ICS vulnerability assessment, mirroring real-world attack patterns.
Throwing Star
Unpowered network tap device providing passive network monitoring capability without requiring an external power source, named for its appearance.
TLS
Transport Layer Security - cryptographic protocol providing secure communications over networks, successor to SSL.
Top-Down Testing Approach
Methodology for ICS vulnerability assessment starting with systems at the highest level of the network architecture and working down toward field devices, following the same path an external attacker would take.
Traffic Light Optimization
Example of OT efficiency where sensors and algorithms dynamically adjust signal timing based on real-time traffic conditions and historical patterns.
Transceiver
Combined transmitter and receiver component in a VSAT outdoor unit for bidirectional satellite communication.
Transitory Cyber Assets
Portable devices such as laptops, smartphones, USB drives, and tablets brought into operational environments from external networks, potentially carrying malware infections.
Transmitter
Device within sensors converting physical measurements into standardized electrical signals for transmission to control systems.
Transportation Security Administration (TSA)
U.S. federal agency responsible for transportation security, including cybersecurity guidelines for critical transportation infrastructure.
Triple Data Encryption Standard (3DES)
Encryption algorithm applying the DES cipher three times to each data block, commonly offered by VSAT providers for secure transmission. Now considered legacy encryption.
TShark
Command-line network protocol analyzer for capturing and analyzing network traffic. In industrial environments, helps understand communication patterns and identify valuable transmitted information.
Tunnel Ownership
Principle that organizations should control both ends of encrypted communication tunnels to maintain security and prevent unintended data exposure.
U
Ubuntu
Popular Linux distribution based on Debian, widely used in security tools, development environments, and increasingly in industrial applications. Often paired with GNU Radio for wireless security analysis.
UDP
User Datagram Protocol - fast but unreliable internet communication protocol without guaranteed delivery, often used for real-time industrial communications where speed is critical.
Unified Architecture (OPC UA)
Modern version of OPC addressing security and platform limitations through built-in encryption, authentication, single-port communication, and platform independence.
Universal Serial Bus (USB)
Standard interface for connecting devices to computers, commonly exploited in attacks due to automatic device recognition and trust relationships.
Unlicensed Spectrum
Radio frequency bands (900 MHz, 2.4 GHz, 5.6 GHz, 6 GHz) available for public use without requiring specific authorization, similar to private IP address ranges in networking.
Unlicensed Wireless System
Wireless communication system operating in frequency bands designated for general use without requiring specific government licenses, typically using spread spectrum technology.
Unmanaged Network
Network built from basic layer 2 switches with no configuration logic: the switches simply forward traffic to the intended ports and provide no security features or management capabilities.
Upstream
In the oil and gas industry, the exploration and production phases, occurring offshore or onshore.
V
Verification
Security discipline confirming that security specifications and controls have been properly implemented, typically involving code reviews, configuration audits, or formal inspections against established standards.
Very Small Aperture Terminal (VSAT)
Satellite communication technology using relatively small satellite dishes (typically less than 3 meters) to provide communication capabilities for remote locations.
Virtual Local Area Network (VLAN)
Network segmentation technology allowing logical separation of network traffic while using the same physical infrastructure, improving security and network management.
Virtual Private Network (VPN)
Secure connection encrypting data transmitted over insecure networks, providing privacy and security for communications. VPN tunnels create encrypted pathways between endpoints.
VNC
Virtual Network Computing - remote desktop access protocol allowing graphical remote control of systems.
VoIP
Voice over Internet Protocol - technology enabling voice communications over IP networks.
Volatile Memory
Memory that loses its stored information when power is removed, used for high-speed program execution and real-time data processing in PLCs.
VPN Acceleration
Compression and optimization techniques improving virtual private network performance over high-latency connections like satellite links.
VPN Tunnel
Encrypted communication pathway created by VPN technology, protecting data confidentiality and integrity as it traverses untrusted networks. Organizations should control both tunnel endpoints.
VSD
Variable Speed Drive - electronic device controlling the speed and torque of electric motors in industrial applications, enabling energy efficiency and process optimization.
Vulnerability
Weakness, flaw, or deficiency in system design, implementation, or configuration that could be exploited by threats to cause harm to organizational operations or assets.
Vulnerability Assessment
Systematic approach to identifying security defects in systems and opportunities to improve security configurations, typically using automated tools and manual techniques to catalog potential security issues.
Vulnerability Scanner
Software combining port scanning with vulnerability database correlation to identify specific security weaknesses. Can be disruptive to industrial control systems not designed to handle scanning traffic.
VxWorks
Real-time operating system commonly used in embedded industrial control devices, providing deterministic performance for critical applications.
W
WAN
Wide Area Network - network spanning large geographic areas and connecting multiple local networks.
War Dialing
Attack technique systematically dialing phone numbers to identify modems and other remote access systems that could provide unauthorized network access.
War Driving
Practice of searching for wireless networks while moving by vehicle, by bicycle, or on foot. Enables comprehensive coverage of large facilities and helps map the geographic distribution of wireless signals.
Waste Reduction
Ability of OT systems to identify and eliminate sources of waste through continuous monitoring and process optimization.
Water Treatment Facility
Critical infrastructure using OT systems to monitor water quality, control treatment processes, and ensure safe drinking water for communities.
White Box Testing
Penetration testing approach where organizations provide comprehensive information about target environments to reduce safety risks while enabling deeper security evaluation.
Wi-Fi
Wireless Fidelity - wireless local area network technology based on IEEE 802.11 standards.
Wi-Fi Alliance
Nonprofit organization formed in 1999 to maintain wireless networking standards and ensure interoperability between vendors.
Wi-Fi Pineapple
Wireless audit platform used for network penetration testing and security research, capable of conducting various wireless attacks including SSID cloning and client exploitation.
Wi-Fi Protected Access (WPA/WPA2/WPA3)
Security protocols designed to secure wireless networks. WPA3 is the current standard with enhanced encryption and security features, while earlier versions have known vulnerabilities making them less suitable for security-sensitive environments.
Wi-Fi Protected Setup (WPS)
Network security standard designed to simplify connecting devices to wireless networks. While convenient, WPS has known security vulnerabilities making it unsuitable for long-term wireless security in industrial environments.
Wi-Spy USB
Commercially available USB spectrum analyzer device from MetaGeek enabling RF spectrum analysis when connected to a laptop computer, commonly used for wireless site surveys and interference analysis.
WiMAX
Worldwide Interoperability for Microwave Access - broadband wireless communication standard providing long-range connectivity.
Wired Equivalent Privacy (WEP)
Obsolete wireless security protocol providing weak encryption that is easily compromised. Should never be used in modern deployments.
Wireless Audit
Specialized security assessment identifying and evaluating all wireless technologies deployed in industrial environments, including Wi-Fi, spread spectrum communications, and wireless I/O systems.
Wireless I/O
Industrial wireless communication systems connecting remote sensors and actuators to control systems, often using protocols like ISA 100.11a or proprietary RF systems.
WirelessHART
Wireless mesh network communication protocol designed for process automation applications. Built on the proven HART protocol foundation, enabling wireless communication between field devices and control systems using 802.15.4 radio technology.
Wireshark
Network protocol analyzer allowing users to capture and analyze network traffic in real time. Used both by attackers to understand network communications and by defenders to monitor network activity.
WLAN
Wireless Local Area Network - wireless network connecting devices within a limited area.
WPA
Wi-Fi Protected Access - wireless security protocol developed as a WEP replacement, quickly superseded by WPA2 due to vulnerabilities.
WPA2
Wi-Fi Protected Access 2 - wireless security protocol using AES encryption, the current minimum security standard for industrial wireless networks.
WPA3
Wi-Fi Protected Access 3 - latest wireless security protocol with enhanced encryption and protection against brute-force attacks, recommended for new deployments.
WPS
Wi-Fi Protected Setup - simplified connection method with known security vulnerabilities.
WRT
Wireless RouTer - networking device with customizable firmware capabilities, often used as a platform for security tools.
X
XM Radio
Example of a receive-only satellite service delivering audio content to mobile receivers in vehicles, demonstrating one-way satellite broadcasting.
XML
Extensible Markup Language - format for storing and transporting structured data in human-readable text form.
Y
Yagi Antenna
Directional antenna providing focused signal transmission and reception in a specific direction, typically used in point-to-point wireless communications requiring long range. Named for inventor Hidetsugu Yagi.
Yasager
Early wireless attack platform based on modified router firmware, predecessor to more advanced tools like the Wi-Fi Pineapple.
Z
Zero Day
Vulnerability in software or hardware unknown to the vendor and for which no patch or fix is available, giving attackers an advantage until it is discovered and remediated.
Zero-Day Exploit
Attack taking advantage of previously unknown vulnerabilities for which no patches or protective measures exist, providing attackers a temporary advantage before defenses can be developed.
Zigbee
Wireless communication standard based on 802.15.4 enabling low-power, low-data-rate communication between devices in a mesh network topology. Commonly used in industrial sensor networks, smart lighting, and IoT applications due to low power consumption and self-healing network capabilities.
Zone
In the Purdue Model, a defined security area where devices with similar trust levels, functions, and security requirements reside. Zones are separated by controlled conduits that manage communication between them.