Access Control List (ACL): A list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.
Application: A software program that runs on your computer. Web browsers, e-mail programs, word processors, and utilities are all applications.
Domains: A domain contains a group of computers that can be accessed and administered with a common set of rules.
Host: A device or program that provides services to some smaller or less capable device or program.
Node: Any system or device connected to a network is also called a node. For example, if a network connects a file server, five computers, and two printers, there are eight nodes on the network.
Packet: A packet is one unit of binary data capable of being routed through a computer network.
Random Access Memory (RAM): Random-access memory (RAM) is a type of storage for computer systems that makes it possible to access data very quickly in random order. The term RAM has become associated with the main memory of a computer system.
RS232: RS-232 is a standard for serial communication transmission of data. The standard defines the electrical characteristics and timing of signals, the meaning of signals, and the physical size and pinout of connectors.
Capability: The means or resources available to perform an attack which typically includes attacker expertise, financial resources, and any tools necessary for carrying out the attack (which may include acquisition of target specifics).
Data Obfuscation: Data masking or data obfuscation is the process of hiding original data with random characters or data.
Data Storm: A data storm occurs when a network system is overwhelmed by continuous multicast or broadcast traffic. When different nodes are sending/broadcasting data over a network link, and the other network devices are rebroadcasting the data back to the network link in response, this eventually causes the whole network to melt down and lead to the failure of network communication. There are many reasons a broadcast storm occurs, including poor technology, low port rate switches and improper network configurations. A data storm is also known as a broadcast storm or a network storm.
DMZ: In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical sub-network that contains and exposes an organization’s external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN); an external attacker only has direct access to equipment in the DMZ, rather than any other part of the network.
File Transfer Protocol (FTP): A standard network protocol used to transfer computer files from one host to another host over a TCP-based network, such as the Internet. FTP is built on a client-server architecture and uses separate control and data connections between the client and the server.
Flat Network: A flat network is a computer network design approach that aims to reduce cost, maintenance and administration. Flat networks are designed to reduce the number of routers and switches on a computer network by connecting the devices to a single switch instead of separate switches, or by using network hubs rather than switches to connect devices to each other.
Hazard: A medium for information exchange and mutual communication between electromechanical systems and the user. It allows the user to complete settings through touchable images or keys on the user-friendly window.
Intent: The motive or goal behind a cybersecurity attack.
IPv4: Internet Protocol version 4 (IPv4) is the fourth version of the Internet Protocol (IP) and routes most traffic on the Internet. However, a successor protocol, IPv6, has been defined and is in various stages of production deployment.
Kaizen: When used in the business sense and applied to the workplace, kaizen refers to activities that continually improve all functions and involve all employees from the CEO to the assembly line workers.
Opportunity: A set of conditions that need to be met for an adversary to be confident his attack will be successful which is typically related to his level of access to the target and knowledge about the system.
Packet Flooding: Flooding is a simple routing algorithm in which every incoming packet is sent through every outgoing link except the one it arrived on.
Simple Network Management Protocol (SNMP): An “Internet-standard protocol for managing devices on IP networks.” Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more.
Six Sigma: A set of techniques and tools for process improvement. It was developed by Motorola in 1986. Today, it is used in many industrial sectors. Six Sigma seeks to improve the quality of process outputs by identifying and removing the causes of defects (errors) and minimizing variability in manufacturing and business processes.
Trojan: A Trojan horse, or Trojan, in computing is a generally non-self-replicating type of malware program containing malicious code that, when executed, carries out actions determined by the nature of the Trojan, typically causing loss or theft of data, and possible system harm.
Threat: Any person, circumstance, or event with the potential to cause loss or damage to a system. For our discussion, we will consider a person as the main threat actor with regards to a cyber-attack on an ICS. A threat can be either “intentional” (e.g., an individual cracker or criminal organization) or “unintentional” (e.g., the possibility of a computer malfunctioning or a natural disaster happening such as an earthquake, fire, or tornado).
Programmable Logic Controller (PLC): An industrial control system that continuously monitors the state of input devices and makes decisions based upon a custom program to control the state of output devices.
Man-in-the-Middle (MitM) Attack: An attack in computer security that is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
Remote Access: The ability to get access to a computer or a network from a remote distance.
Remote Terminal Unit (RTU): A microprocessor-controlled electronic device that interfaces objects in the physical world to a distributed control system or SCADA system by transmitting telemetry data to a master system, and by using messages from the master supervisory system to control connected objects. Also referred to as a remote telemetry unit.
Vulnerability: Any weakness in a system that can be exploited by an adversary or caused through an accident. For our discussion, we will focus on those weaknesses that can be exploited by a threat acting intentionally to cause a specific consequence.
Confidentiality: Ensuring that information is accessible only to those authorized to have access.
Consequence: The total amount of loss or damage that can be expected from the successful exploitation of a vulnerability by a threat actor.
Integrity: Maintaining and assuring the accuracy and consistency of data over its entire life cycle. All characteristics of the data including business rules, rules for how pieces of data relate, dates, definitions, and lineage must be correct for data to be complete.
Intelligent Electronic Device (IED): A term used in the electric power industry to describe microprocessor-based controllers of power system equipment, such as circuit breakers, transformers, and capacitor banks.
Wide Area Network (WAN): A geographically dispersed telecommunications network. The term distinguishes a broader telecommunication structure from a local area network (LAN).
Wireless Access Points: A station that transmits and receives data and can also serve as the point of interconnection between the wireless network and a fixed wire network.
Wireless Encryption: Wireless encryption, used extensively on wireless networks, is not as robust as the other encryption technologies.
Worm: In a computer, a self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
Zones: A security zone is a logical grouping of physical, informational, and application assets sharing common security requirements. A security zone has a border, which is the boundary between included and excluded elements.
Wardialing: Wardialing is the practice of using computers to dial a large range of phone numbers looking for modems and access points. Specific IP-enabled Wardialing can use VoIP capabilities, such as Skype, to do robust Wardialing expeditiously.
Whitelist: A list of entities that are considered trustworthy and are granted access or privileges.
Virus: A computer program that can replicate itself, infect a computer without permission or knowledge of the user, and then spread or propagate to another computer.
Denial of Service (DoS) attack: An incident in which a user or organization is deprived of the services of a resource they would normally expect to have.
Defense in Depth: The practice of layering defenses to provide added protection. Defense in depth increases security by raising the cost of an attack. This approach places multiple barriers between an attack and your business-critical information resources.
Mission-Critical Systems: This term is synonymous with critical infrastructure. Critical infrastructures are the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
Server: A dedicated computer in a network which provides files and services that are used by the other computers.
Session Hijacking: A method of taking over a Web user session by surreptitiously obtaining the session ID and masquerading as the authorized user. Once the user’s session ID has been accessed, the attacker can masquerade as that user and do anything the user is authorized to do on the network.
Stateful Inspection Firewalls: These firewalls include many of the features and functions of the other types of firewalls. They filter at the network layer, determine the legitimacy of the sessions, and evaluate contents of the packets at the application layer. Rather than run proxies, they use algorithms to process data at the application layer. These firewalls look at the state of the packets and analyze the packets against pre-observed activities. They also keep track of valid sessions and protect key assets in the control domain. Because many of the vulnerabilities in ICSs are related to trust between servers and devices, being able to track and react to valid and invalid sessions improves system security.
Secure Hyper Text Transfer Protocol (HTTPS): This secures Web-based HTTP communications.
Secure Shell (SSH): This is a protocol for secure communication over a network. SSH protocol not only provides confidentiality and integrity using encryption, but it also provides authentication to remote devices.
Secure Sockets Layer/Transport Layer Security (SSL/TLS): This is end-to-end encryption used for Internet-bound traffic.
Security by Obscurity: The belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms. Hiding account passwords in binary files or scripts with the presumption that “nobody will ever find it” is a prime example of this.
Database: A collection of information that is organized so that it can be easily accessed, managed, and updated. Also, dedicated computers that clients connect to, which store information and usually have a large amount of RAM and disk drives.
Data Historian: A centralized database located in the control system LAN supporting data archival and data analysis using statistical process control techniques.
Dynamic Host Configuration Protocol (DHCP): A communications protocol that lets network administrators centrally manage and automate the assignment of Internet protocol (IP) addresses in an organization’s network.
Human Machine Interface (HMI): A medium for information exchange and mutual communication between electromechanical systems and the user. It allows the user to complete settings through touchable images or keys on the user-friendly window.
Router: A device, or in some cases software in a computer, that determines the next network point to which a packet should be forwarded to its destination.
RSA Keys and PKI Certificates: These are types of encryption that use a key assigned to a user or a group of users to authenticate. The RSA key is typically a physical device the user carries with them, and the PKI certificate is attached to their account.
Protocol: The special set of rules that end points in a telecommunication connection use when they communicate. Protocols specify interactions between the communicating entities.
Proxy Gateway Firewalls: These firewalls, often called Application-level gateways, hide resources on the networks they are protecting. They are primary gateways that act as a proxy for the protected resources such as workstations and servers. The proxy-gateway firewalls filter at the application layer of the OSI model and do not allow any connections if there is no proxy available. These firewalls are good for analyzing data inside the application (POST, GET, etc.) as well as collecting data about user activities (logon, admin, etc.). They are gateways and require users to direct their connections to the firewall. They also impact network performance because of the latency caused by processing the proxy requests and analyzing the data. This type of firewall is well suited to separating the business and control LANs as well as providing protection to DMZs and other assets that require application-specific defenses.
Packet Filter Firewalls: This type of firewall analyzes the packets passing through it and either permits or denies passage based on pre-established rules. Packet filtering rules are based on port numbers, protocols, IP addresses, and other defined data. Although usually flexible in assigning rules, this type of firewall is well suited for environments where quick connections are required. It is effective for environments, such as ICSs, that need security based on unique applications and protocols.
POLITE mode in Nmap: Polite mode slows down the scan to use less bandwidth and target machine resources.
Pretty Good Privacy (PGP): This encrypts and secures data. Each user creates a public and private key. Public keys are linked to the data (such as a file), and the only people that can decrypt the file are those that hold the corresponding private key.
Open Systems Interconnection (OSI): A standard description or “reference model” for how messages should be transmitted between any two points in a telecommunication network.
Switch: A device that channels incoming data from multiple input ports to the specific output port that will take the data toward its intended destination.
Target Folder: A target folder is the collection of information an attacker uses to tune the attack during the attack lifecycle.
Client: Information resources that provide an interface for users to view and manipulate digital information such as a personal computer or Smartphone.
Conduits: A conduit is a logical grouping of communication assets that protect the security of the channels it contains. Conduits connect two or more zones that share common security requirements. A conduit is allowed to traverse a zone as long as the security of the channels contained within the conduit is not impacted by the zone.
Availability: The proportion of time a system is in a functioning condition. For any information system to serve its purpose, the information must be available when it is needed.
Adversary: A malicious entity whose aim is to prevent the users from achieving their goal.
Basic Input/Output System (BIOS): A standard defining a firmware interface. The BIOS software is built into the PC and is the first software to run when the PC starts.
Blacklist: A list of entities that are blocked or denied privileges or access.
Buffer Overflow: Occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.
Circuit-level Gateways: This type of firewall validates the connection between two hosts before allowing a connection. Traffic is not allowed unless a session is open and valid.
Black Hat Attacker: A “black hat” hacker who “violates computer security for little reason beyond maliciousness or for personal gain” (Moore, 2005). Black hat hackers form the stereotypical, illegal hacking groups often portrayed in popular culture, and are “the epitome of all that the public fears in a computer criminal” (Moore, 2006). Black hat hackers break into secure networks to destroy data or make the network unusable for those who are authorized to use the network. Black hat hackers also are referred to as the “crackers” within the security industry and by modern programmers. Crackers keep the awareness of the vulnerabilities to themselves and do not notify the general public or manufacturer for patches to be applied. Individual freedom and accessibility is promoted over privacy and security. Once they have gained control over a system, they may apply patches or fixes to the system only to keep their reigning control. Richard Stallman invented the definition to express the maliciousness of a criminal hacker versus a white hat hacker that performs hacking duties to identify places to repair (O’Brien, 2011).
Moore, Robert (2005). Cybercrime: Investigating High Technology Computer Crime. Matthew Bender & Company. p. 258.
Moore, Robert (2006). Cybercrime: Investigating High-Technology Computer Crime (1st ed.). Cincinnati, Ohio: Anderson Publishing.
O’Brien, James; Marakas, George (2011). New York, NY: McGraw-Hill/Irwin. pp. 536–537.
Critical Infrastructure: Critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. –From Section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e))
Data Acquisition Server: The server that provides the interface between the control system LAN applications and the field equipment monitored and controlled by the control system applications. The DAS, sometimes referred to as a Front-End Processor (FEP) or Input/Output server (IOS), converts the control system application data into packets that are transmitted over various types of communications media to the end device locations. The DAS also converts data received from the various end devices over different communications mediums into data formatted to communicate with the control system networked applications.
Key Resources: Key resources means publicly or privately controlled resources essential to the minimal operations of the economy and government. –From Section 2(9) of the Homeland Security Act of 2002 (6 U.S.C. 101(9))
Kinetic Activity: This is an unexpected, potentially dangerous, movement of equipment by control systems initiated by an operator who believes they are doing the right thing, based on the information on the console in front of them.
Likelihood: The probability of some event occurring.
Information Technology (IT): The technology involving the development, maintenance, and use of computer systems, software, and networks for the processing and distribution of data.
Local Area Network (LAN): A group of computers and associated devices that share a common communications line or wireless link. Typically, connected devices share the resources of a single processor or server within a small geographic area such as an office building.
Industrial Control Systems (ICSs): ICS is a generic term that describes any system that manages an industrial process. ICSs control and monitor systems that are used to make, monitor, and move products. The term ICS refers to a broad set of control systems including Supervisory Control and Data Acquisition (SCADA), Distributed Control System (DCS), Process Control System (PCS), Energy Management System (EMS), Automation System (AS), and Safety Instrumented System (SIS).