Glossary

With a subject as complex as industrial security, it is almost impossible to know every technical term. The following glossary provides quick answers to any questions you may have about these terms.

A

Access control list (ACL)

List of all access permissions for a particular resource

Access protection

Measures that authorize or limit access to plant elements according to business and security aspects.

Anti-virus software (virus scanners)

A program for identifying and eliminating malware on computer-based systems and in networks

Authentication

Process of verifying the identity of a user, process, or device. It is often a prerequisite for access to resources of an information system.

Authenticity

Genuineness of an object

Authorization

Access right to system resources

B

Backdoor

Covert, undocumented method for accessing a computer system. A backdoor is a potential security risk.

Bot

Short for “robot”; a program used for specific tasks, such as sending spam messages or sending an endless number of data packets in denial-of-service attacks.

Botnet

A large group of infected computers that can be used to mount coordinated attacks.

Boundary protection

A method for protecting an industrial control system (ICS) and for separating it from office IT systems and the Internet.

Bounds checking

Check to determine whether input parameters are within expected bounds. Helps to prevent buffer overflows.

Buffer overflow

If more data are transferred to an input interface than the input buffer holds, this may cause data in other areas to be overwritten. Attackers use this method to crash a system or to introduce malicious code and take over control of the system.

C

Certificate revocation list (CRL)

List of certificates that the certification authority classifies as no longer valid.

Certification authority (CA)

Institution that is regarded by one or more users as trustworthy for creating and assigning public key certificates.

Computer emergency response team (CERT)

A group of IT security experts that evaluates current and potential security incidents and publishes prompt warnings and countermeasures.

Configuration control

Monitoring of hardware, firmware, software, and documentation in order to protect the system from non-permissible changes before, during, and after system implementation.

Control center

A central location according to ISA-99 from which a resource group is managed. Industrial infrastructures typically use one or more control centers to monitor and coordinate operation. In more complex plants, these are generally linked via a WAN (Wide Area Network). A control center includes the SCADA host computer, the associated operator displays, and auxiliary systems such as archive servers.

Control network

Security-critical networks that connect multiple control devices or operator control facilities of automation systems. A control network can be subdivided into multiple zones. At the same time, a company can have multiple control networks.

Control server

A server on which the overall control system is installed – typically a commercially available application for a DCS or SCADA system.

Control system

A system for targeted specification of certain variables. Control systems include SCADA systems, DCSs, PLCs, and other forms of industrial instrumentation and controls.

Countermeasures

Actions, devices, procedures, or other measures that reduce the vulnerability of control systems.

Cyber attack

Malicious, unauthorized access to networks, computers, and controllers, the objective of which is to steal, modify, or delete data or manipulate processes.

D

DCS, distributed control system

A control system whose distributed elements are connected for overall operation. Distributed process control systems are mostly used for continuous processes, such as oil refining, chemical production, and papermaking. However, they are also used in batch processes (manufacturing, packaging, and shipping of mechanical goods).

Defense-in-depth

Defense-in-depth is a graduated protection concept for computer networks. If one protection mechanism does not succeed, others can thwart the attack at another location.

Denial of service (DoS)

The attempt to prevent authorized access to a resource or to limit the operability of a system.

Digital signature

A type of electronic signature that guarantees the identity of a person or device or the integrity of data.

Directory traversal

Directory traversal is a security gap that arises when invalid directory paths are input. While such gaps typically occur with web applications, all application types can be affected. Directory traversals result when an application uses external inputs to create a file or a directory name. If the application involved has not taken suitable precautions, protected content can be accessed by inputting control characters.

DMZ (demilitarized zone)

A demilitarized zone (DMZ) – also called a perimeter network – is a network area located between the network to be protected and an external network (usually the Internet). DMZs enable the configuration of a shell-type security model in which they act as intermediaries between the two networks. They guarantee secure transfer from a secure source to an unsecure destination, or vice versa.

DNS cache poisoning

Manipulation of data of a domain name server so that users calling up one web site are redirected to another fraudulent site.

E

Ethernet

The most commonly used LAN technology to combine multiple devices into a network.

F

Firewall

According to ISA-99, a firewall is an integral part of the connection between two networks and regulates the data communication between them. A firewall can be either an application installed on a suitable computer or a separate device that forwards or rejects data packets in a network. It enables or blocks access to certain ports based on defined rules.

Fuzzing or fuzz testing

A test method for software that analyzes the input behavior using random data. This method attempts to run code by providing random parameters (so-called fuzz) outside the usual area. In this way, it is possible to identify points in the program code that do not correctly process input data outside the expected area.

H

Hacktivism

Politically or ideologically motivated vandalism, e.g., in the form of manipulated websites.

Hardening

Security measures that reduce the number of possible attack points of a system.

Honeypots

Devices or techniques designed to detect and monitor malicious code and to track its activities in a secure environment.

I

ICS-CERT

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) concentrates on security aspects of control systems. It collaborates closely with the US-CERT to analyze and respond to incidents that are relevant to control systems.

Identification

Verification of the identity of a user, process, or device; typically required for access to resources of an IT system.

Identity provider

Device that sets up, maintains, and manages identities.

Identity theft

Generating a false identity using stolen identification data (e.g., name, date of birth, address, etc.).

Incident

A situation that endangers confidentiality, integrity, or availability of data, systems, or security guidelines. These can be caused intentionally or by accident.

Incident response plan

A defined procedure for detecting, reacting to, and limiting the possible damage from cyber attacks.

Industrial automation and control system (IACS) or industrial control system (ICS)

The combination of personnel, hardware, and software as a whole that can influence secure and reliable operation of industrial processes.

Industrial security

Industrial security describes measures to increase the industrial security standards of a plant for protection against cyber attacks and unauthorized access to overall control systems, industrial controls, and PC-based systems of the plant.

Information asset

Knowledge or data that is valuable to a company

Information security

Guarantee of confidentiality, integrity, and availability of information

Information security event

Identified system, service, or network incident that indicates a possible violation of information security or a loss of control.

Information security management system (ISMS)

Part of the higher-level management system, the aim of which is to ensure information security in every respect.

Information security risk

Probability that a vulnerability in the IT infrastructure and plant infrastructure will be exploited and cause damage to the company.

Integrity (data integrity)

The certainty that data have not been modified by unauthorized persons. Data integrity pertains to the storage, processing, and transport of data.

Intrusion detection system (IDS)

A security function that monitors networks and systems and looks for unauthorized accesses in order to issue timely warnings.

Intrusion prevention system (IPS)

A system that detects unauthorized intrusions and attempts to defend against them.

IPSec

Short for “IP security”; a group of protocols that were developed by the Internet Engineering Task Force for the purpose of supporting exchange of data packets at the IP level. IPSec is an essential component of VPNs. It provides two types of encryption: transport and tunnel. The transport mode encrypts only the payload and not the header. The more secure tunnel mode encrypts both the header and the payload. At the receiving end, an IPSec-capable device decrypts every packet.

ISA-99

ISA-99 is an international committee that specifies cyber security standards.

IT security

Protection of non-physical, computer-related goods such as software applications, process programs, and personnel data

K

Key logger

Program for covert recording of keyboard inputs. It is used to intercept passwords.

L

Least privileges

The principle that authorizations for certain functions are only granted to those who actually need them. Thus, many users may be authorized to query a database without also being granted permission to delete entries.

Logic bomb

A malicious program that is executed only under certain conditions, e.g., deletion of data records if the name of an employee is no longer listed on the payroll.

M

MAC address

A globally unique identification number for each network-capable device.

Malicious code

see Malware

Malware

A program that is installed covertly on a computer and that jeopardizes the confidentiality, integrity, and availability of data and applications on this computer.

Man-in-the-middle (MitM) attack

An attack on authentication processes in which the attacker is positioned between the requester and the authentication point, thus allowing the attacker to intercept and manipulate the data communication.

N

Network segmentation

Division of a network into subnets, each of which represents a network segment or network layer. Network segmentations can increase the performance and security of networks.

P

Password

A character string consisting of letters, numbers, and other symbols that a user uses to identify himself/herself or to gain access to a system.

Patch

Software used to eliminate known problems.

Patch management

Measures for providing, checking, and installing multiple patches on multiple computers

Payload

Unauthorized activities of malware

Penetration test

Test of the vulnerability of computer systems using hacker tools

Pharming

Redirection of data traffic from one website to another through interventions in the domain name system (e.g., as a result of DNS cache poisoning).

Phishing

The attempt to obtain confidential access information of a user. E-mails that appear to be authentic are used to lure users to a website where they are requested to enter their access data.

Port

The physical and/or logical interface of computers via which they communicate with other devices.

Port scanning

Automated examination of a computer with the goal of finding open ports and thus possible attack points.

Private key

A cryptographic key that is used in combination with a public key to decrypt and encrypt data. In contrast to the public key, the private key is kept secret.

Programmable logic controller (PLC)

User-programmable controls - as opposed to hard-wired controls - that are used as the core for implementing industrial automation systems.

Protocol

A set of specifications (e.g., formats, procedures) that regulate the communication between devices.

Protocol analyzer

Software or a device that analyzes communication within a network in order to check its operability.

Public key

A cryptographic key that is used in combination with a private key to decrypt and encrypt data. In contrast to the private key, the public key is not kept secret.

Public key certificate

A data record that identifies a person or application uniquely. It contains the public key and is digitally signed by a trustworthy institution.

Public key infrastructure

A framework that enables issuing, managing, and revoking of public keys.

R

Role-based access control (RBAC)

Role-based access control is access control in which certain functional roles, and thus certain authorizations, are assigned to the users of a computer or network.

Rootkit

A collection of programs that a hacker uses to disguise his attack and to obtain administrator rights for a computer or a network.

S

SCADA

Supervisory control and data acquisition; refers to the monitoring and controlling of technical processes using a computer system

Scavenging

Searching discarded lists, source codes, and storage media for passwords and access information

Security cells

The subdivision of an industrial network into individual, well-organized, and maintainable segments produces so-called secure automation cells. The cells are structured as logical segments based on spatial or functional aspects. They are protected with all required safety functions and operate fully autonomously. The data traffic and personnel traffic between the cells are subject to clearly defined controls and are monitored.

Security incident

One or more undesired and unexpected events that can interfere with company operation or jeopardize information security.

Security incident management

Procedures for detecting, announcing, and reacting to security incidents

Social engineering

A non-technical attack on the security structure. Attempt to obtain critical access data from employees through false pretenses.

Spoof

Forgery of an authorization for the purpose of executing unauthorized actions.

Spyware

Covertly installed software for collecting information about the user, the computer, or the associated company.

SQL injection

The attempt to gain control over a computer by transferring special characters to an SQL application on the computer.

Stuxnet

Stuxnet is malware that appeared publicly for the first time in July 2010 and operates using zero day exploits, stolen certificates, and other components. It attacks Windows PCs on which a particular Siemens automation software is installed. After successful infection of the PC, Stuxnet attempts to obtain information about the system and to download blocks of code to the PLC. Stuxnet is directed toward very specific plant configurations.

T

Trojan

A computer program that provides functions that appear to be useful but that also contains malicious functions, e.g., utilization of the authorization of the calling system part.

Trusted channel

A secure communication channel for data communication between two security zones

U

US-CERT

A project between the U.S. Department of Homeland Security and public and private institutions with the goal of protecting the Internet infrastructure of the United States. US-CERT coordinates the national defense against cyber attacks.

V

Virtual private network (VPN)

An encrypted connection of computers or networks via the Internet. It enables exchange of confidential data over public networks.

Virus

Software with functions that are normally malicious and the goal of which is to infect other programs or systems. Viruses typically require an interaction of the user to disseminate. This distinguishes the computer virus from the computer worm, which is able to disseminate on its own.

W

Wardriving

Systematic search for wireless access points in which a person drives past houses and buildings while using a notebook to scan for unsecured WLANs. The goal is to gain unauthorized access to a computer or a plant controller.

Whitelisting

A measure that uses a positive list to limit access to certain resources and to prevent execution of unknown programs. Its main purpose is to protect computers and networks from malware and to prevent unnecessary wasting of resources.

A whitelist lists all applications that are permitted to be executed by a user or administrator. Before an application is started, a check is made to determine if it is on the list. An integrity check (using hash codes, for example) ensures that the application is in actuality the released application and not another program with the identical name.

Worm

A program that runs independently and can replicate itself in networks. Its dissemination ties up resources. Functionally speaking, worms may contain malicious code. It is typical for worms to have a more or less aggressive dissemination function that they can execute without a user.

Z

Zero day attacks

A zero day attack is an attack that exploits previously unknown security gaps (so-called zero day exploits).