
ICS-CERT210W Master Glossary

Access Control List (ACL): A list of permissions attached to an object. An ACL specifies which users or
system processes are granted access to objects, as well as what operations are allowed on given objects.

Adversary: A malicious entity whose aim is to defeat the security of a system and prevent its legitimate users from achieving their goal.

Application: A software program that runs on your computer. Web browsers, e-mail programs, word
processors, and utilities are all applications.

Availability: The proportion of time a system is in a functioning condition. For any information system to
serve its purpose, the information must be available when it is needed.

Basic Input/Output System (BIOS): Firmware stored on a PC's motherboard that is the first code to run
when the machine is powered on; it initializes the hardware and loads the boot loader. The name also
refers to the de facto standard interface this firmware presents to the operating system. On current
systems it has largely been replaced by UEFI firmware.

Black Hat Attacker: A "black hat" hacker is one who "violates computer security for little reason beyond
maliciousness or for personal gain" (Moore, 2005). Black hat hackers form the stereotypical, illegal
hacking groups often portrayed in popular culture, and are "the epitome of all that the public fears in a
computer criminal" (Moore, 2006). They break into networks to destroy data or to make the network
unusable for those who are authorized to use it. Within the security industry and among programmers
they are also referred to as "crackers". Crackers keep the vulnerabilities they find to themselves rather
than notifying the public or the manufacturer so that patches can be applied, and they value their own
freedom of access over the privacy and security of others. Once they have gained control over a system,
they may apply patches or fixes to it only to keep that control for themselves. Richard Stallman promoted
the term "cracker" to distinguish a criminal intruder from a white hat hacker, who performs the same kind
of work in order to identify weaknesses so that they can be repaired (O'Brien and Marakas, 2011).

Moore, Robert (2005). Cybercrime: Investigating High-Technology Computer Crime. Matthew Bender &
Company. p. 258.

Moore, Robert (2006). Cybercrime: Investigating High-Technology Computer Crime (1st ed.). Cincinnati,
Ohio: Anderson Publishing.

O'Brien, James; Marakas, George (2011). New York, NY: McGraw-Hill/Irwin. pp. 536–537.

Blacklist: A list of entities that are blocked or denied privileges or access.

Buffer Overflow: Occurs when a program or process writes more data to a buffer (a fixed-size, temporary
data storage area in memory) than it was allocated to hold. The excess overwrites adjacent memory,
which can corrupt data, crash the process, or, when the overwritten memory holds control data such as
a return address or a privilege flag, let an attacker execute code of their choosing.
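The following is an added example, not code from the glossary or from ICS-CERT, showing the defect the entry describes and the bounded copy that prevents it. The record layout (a 16-byte name followed by an is_admin flag), the function names, and the 19-byte input are all constructed for the demonstration: the oversized name spills out of name[] and lands on the flag sitting next to it in memory.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example record: a fixed-size name buffer followed in memory
 * by a privilege flag. Writing past the end of name[] lands on is_admin.
 * (volatile keeps the compiler from optimising the demonstration away.) */
struct account {
    char name[16];
    int  is_admin;
};

/* VULNERABLE: copies until the terminator with no check against the
 * size of the destination, the classic buffer overflow. */
static void unsafe_set_name(volatile struct account *a, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {
        a->name[i] = src[i];    /* writes past name[15] when src is long */
        i++;
    }
    a->name[i] = '\0';
}

/* FIXED: rejects input that does not fit together with its terminator,
 * instead of writing outside the buffer or silently truncating.
 * Returns 0 on success, -1 if the input was refused. */
static int safe_set_name(volatile struct account *a, const char *src)
{
    size_t len = strlen(src);
    if (len >= sizeof a->name)
        return -1;
    for (size_t i = 0; i < len; i++)
        a->name[i] = src[i];
    a->name[len] = '\0';
    return 0;
}

static volatile struct account acct;

/* Constructed attacker input: 19 bytes, so the 20 bytes written (with the
 * terminator) cover exactly sizeof(struct account): bytes 16..19 overwrite
 * is_admin and nothing beyond the struct is touched. */
static const char long_name[] = "AAAAAAAAAAAAAAAAAAA";

/* Returns is_admin after the unsafe copy: non-zero, the flag was clobbered
 * by 'A' bytes even though no code ever assigned it. */
int overflow_demo(void)
{
    memset((void *)&acct, 0, sizeof acct);
    unsafe_set_name(&acct, long_name);
    return acct.is_admin;
}

/* Same input through the bounded copy: returns -1 (rejected) and leaves
 * acct.is_admin at 0. */
int safe_demo(void)
{
    memset((void *)&acct, 0, sizeof acct);
    return safe_set_name(&acct, long_name);
}

int main(void)
{
    printf("unsafe copy:  is_admin = 0x%x\n", overflow_demo());
    int rc = safe_demo();
    printf("bounded copy: rc = %d, is_admin = %d\n", rc, acct.is_admin);
    return 0;
}
```

The input length was chosen so the overrun stays inside the struct; a longer name would keep going into whatever follows it on the stack or heap, which is how an overflow reaches return addresses and function pointers. The fix is the length check before the copy, not a bigger buffer.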

Capability: The means or resources available to perform an attack which typically includes attacker
expertise, financial resources, and any tools necessary for carrying out the attack (which may include
acquisition of target specifics).

Circuit-level gateways: This type of firewall validates the TCP handshake between two hosts before
allowing a connection. Traffic is passed only while a session is open and valid; the application content of
the packets is not inspected.

Client: The device or software through which a user views and manipulates digital information, such as a
personal computer or smartphone, typically by requesting services from a server.

Conduits: A conduit is a logical grouping of communication assets that protects the security of the
channels it contains. Conduits connect two or more zones that share common security requirements. A
conduit is allowed to traverse a zone as long as the security of the channels contained within the conduit
is not impacted by the zone.

Confidentiality: Ensuring that information is accessible only to those authorized to have access.

Consequence: The total amount of loss or damage that can be expected from the successful exploitation
of a vulnerability by a threat actor.

Critical Infrastructure: Critical infrastructure means systems and assets, whether physical or
virtual, so vital to the United States that the incapacity or destruction of such systems and
assets would have a debilitating impact on security, national economic security, national public
health or safety, or any combination of those matters. --From Section 1016(e) of the USA
PATRIOT Act of 2001 (42 U.S.C. 5195c(e))

Data Acquisition Server: The server that provides the interface between the control system LAN
applications and the field equipment monitored and controlled by those applications. The DAS,
sometimes referred to as a Front-End Processor (FEP) or Input/Output Server (IOS), converts control
system application data into packets that are transmitted over various types of communications media
to the end device locations. The DAS also converts data received from the various end devices over
different communications media into data formatted for the control system networked applications.

Database: A collection of information organized so that it can be easily accessed, managed, and
updated. The term is also used for the database server: a dedicated computer that clients connect to,
which stores the information and usually has a large amount of RAM and disk storage.

Data Historian: A centralized database located in the control system LAN supporting data archival and
data analysis using statistical process control techniques.

Data Obfuscation: Data masking or data obfuscation is the process of replacing original (sensitive) data
with random characters or other substitute data, so that the masked copy can be used without exposing
the original.

Data Storm: A data storm occurs when a network is overwhelmed by continuous multicast or broadcast
traffic. When nodes broadcast data onto a network link and other network devices rebroadcast that data
back onto the link in response, the traffic multiplies until the network saturates and normal
communication fails. Broadcast storms have many causes, including faulty equipment, low-rate switch
ports, and improper network configuration such as switching loops without spanning-tree protection. A
data storm is also known as a broadcast storm or a network storm.

Defense in Depth: The practice of layering defenses to provide added protection. Defense in depth
increases security by raising the cost of an attack: it places multiple independent barriers between an
attacker and your business-critical information resources, so that no single failure exposes them.

Denial of Service (DoS) attack: An incident in which a user or organization is deprived of the services of
a resource they would normally expect to have.

DMZ: In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter
network) is a physical or logical sub-network that contains and exposes an organization's external-facing
services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an
additional layer of security to an organization's local area network (LAN); an external attacker only has
direct access to equipment in the DMZ, rather than any other part of the network.

Domains: A domain contains a group of computers that can be accessed and administered with a
common set of rules.

Dynamic Host Configuration Protocol (DHCP): A communications protocol that lets network
administrators centrally manage and automate the assignment of Internet protocol (IP) addresses in an
organization's network.

File Transfer Protocol (FTP): A standard network protocol used to transfer computer files from one host
to another host over a TCP-based network, such as the Internet. FTP is built on a client-server
architecture and uses separate control and data connections between the client and the server. FTP
sends credentials and file contents in cleartext, so it should be avoided in favor of SFTP or FTPS.

Flat Network: A flat network is a computer network design approach that aims to reduce cost,
maintenance and administration. Flat networks reduce the number of routers and switches on a
network by connecting the devices to a single switch instead of separate switches, or by using network
hubs rather than switches to connect devices to each other. Because every device shares one broadcast
domain with no segmentation between them, an attacker who compromises one host can reach all the
others directly, which is why ICS guidance favors dividing the network into zones.

Hazard: A situation, usually in the safety domain, that carries an inherent and known danger and whose
behavior is predictable enough to be characterized from data (as opposed to a threat, whose behavior is
not predictable).

Host: A device or program that provides services to some smaller or less capable device or program.

Human Machine Interface (HMI): The interface through which an operator exchanges information with
an electromechanical system. It lets the user view the state of the process and change settings through
graphical screens, touch panels, or keys.

Industrial Control Systems (ICSs): ICS is a generic term for any system that manages an industrial
process. ICSs control and monitor the systems used to make, monitor, and move products. The term ICS
refers to a broad set of control systems including Supervisory Control and Data Acquisition (SCADA),
Distributed Control System (DCS), Process Control System (PCS), Energy Management System (EMS),
Automation System (AS), and Safety Instrumented System (SIS).

Information Technology (IT): The technology involving the development, maintenance, and use of
computer systems, software, and networks for the processing and distribution of data.

Integrity: Maintaining and ensuring the accuracy and consistency of data over its entire life cycle. All
characteristics of the data including business rules, rules for how pieces of data relate, dates, definitions,
and lineage must be correct for data to be complete.

Intelligent Electronic Device (IED): A term used in the electric power industry to describe
microprocessor-based controllers of power system equipment, such as circuit breakers, transformers,
and capacitor banks.

Intent: The motive or goal behind a cybersecurity attack.

IPv4: Internet Protocol version 4 (IPv4) is the fourth version of the Internet Protocol (IP) and still routes
most traffic on the Internet. Its successor, IPv6, has been defined and is in various stages of production
deployment.

Key Resources: Publicly or privately controlled resources essential to the minimal operations of the
economy and government. –From section 2(9) of the Homeland Security Act of 2002 (6 U.S.C. 101(9)).

Kaizen: When used in the business sense and applied to the workplace, kaizen refers to
activities that continually improve all functions and involve all employees from the CEO to the
assembly line workers.

Kinetic Activity: This is an unexpected, potentially dangerous, movement of equipment by control
systems initiated by an operator who believes they are doing the right thing, based on the information
on the console in front of them.

Likelihood: The probability of some event occurring.

Local Area Network (LAN): A group of computers and associated devices that share a common
communications line or wireless link. Typically, the connected devices share resources such as a file or
print server within a small geographic area such as an office building.

Man-in-the-Middle (MitM) Attack: An attack in computer security that is a form of active
eavesdropping in which the attacker makes independent connections with the victims and relays
messages between them, making them believe that they are talking directly to each other over a private
connection, when in fact the entire conversation is controlled by the attacker.

Mission-Critical Systems: This term is synonymous with critical infrastructure. Critical infrastructures are
the assets, systems, and networks, whether physical or virtual, so vital to the United States that their
incapacitation or destruction would have a debilitating effect on security, national economic security,
national public health or safety, or any combination thereof.

Node: Any system or device connected to a network is also called a node. For example, if a network
connects a file server, five computers, and two printers, there are eight nodes on the network.

Open Systems Interconnection (OSI): A standard description or “reference model” for how messages
should be transmitted between any two points in a telecommunication network.

Opportunity: The set of conditions that must be met for an adversary to be confident the attack will
succeed; typically related to the adversary's level of access to the target and knowledge of the system.

Packet: A packet is one unit of binary data capable of being routed through a computer network.

Packet filter firewalls: This type of firewall analyzes the packets passing through it and either permits or
denies passage based on pre-established rules. Packet filtering rules are based on port numbers,
protocol, IP addresses, and other header fields. Because it examines each packet on its own and keeps no
connection state, this type of firewall is fast and well suited for environments where quick connections
are required, and it can restrict an ICS network to the specific protocols and ports its applications use.
The same statelessness means it cannot tell a legitimate reply from a forged packet that matches the
same rule.

Packet Flooding: In routing, flooding is a simple algorithm in which every incoming packet is sent out
every link except the one it arrived on. In the security context, packet flooding is a denial-of-service
technique in which an attacker sends packets faster than the target host or link can absorb them.

POLITE mode in Nmap: Polite mode (timing template -T2) slows down the scan to use less bandwidth and
fewer target machine resources, which matters when scanning fragile ICS devices.

Pretty Good Privacy (PGP): A program and data format for encrypting and signing data. Each user creates
a key pair: a public key that is shared and a private key that is kept secret. Data (such as a file) encrypted
with a recipient's public key can be decrypted only by the holder of the corresponding private key, and a
signature made with a private key can be verified by anyone who has the matching public key.

Programmable Logic Controller (PLC): An industrial control system that continuously monitors the state
of input devices and makes decisions based upon a custom program to control the state of output
devices.

Protocol: The special set of rules that end points in a telecommunication connection use when they
communicate. Protocols specify interactions between the communicating entities.

Proxy gateway firewalls: These firewalls, often called application-level gateways, hide resources on the
networks they are protecting. They act as a proxy for the protected resources such as workstations and
servers. Proxy-gateway firewalls filter at the application layer of the OSI model and do not allow any
connection for which no proxy is available. They are good for analyzing data inside the application
(POST, GET, etc.) as well as collecting data about user activities (logon, admin, etc.). Because they are
gateways, users must direct their connections to the firewall. They also affect network performance
because of the latency caused by processing the proxy requests and analyzing the data. This type of
firewall is well suited to separating the business and control LANs as well as protecting DMZs and other
assets that require application-specific defenses.

Random Access Memory (RAM): Random-access memory (RAM) is a type of storage for computer
systems that makes it possible to access data very quickly in random order. The term RAM has become
associated with the main memory of computer system.

Remote Access: The ability to get access to a computer or a network from a remote distance.

Remote Terminal Unit (RTU): A microprocessor-controlled electronic device that interfaces objects in
the physical world to a distributed control system or SCADA system by transmitting telemetry data to a
master system, and by using messages from the master supervisory system to control connected
objects. Also referred to as a remote telemetry unit.

Router: A device, or in some cases software in a computer, that determines the next network point to
which a packet should be forwarded to its destination.

RSA Keys and PKI Certificates: RSA is a public-key algorithm. An RSA key pair (a private key held by the
user and a public key that can be shared) is used to authenticate, sign, and encrypt. A PKI certificate
binds a public key to the identity of a user, device, or service, is signed by a certificate authority, and is
typically attached to the user's account. The physical device many users carry for authentication is not an
RSA key but an RSA SecurID token, which generates one-time passcodes.

RS232: RS-232 is a standard for serial communication transmission of data. The standard defines the
electrical characteristics and timing of signals, the meaning of signals, and the physical size and pinout of
connectors.

Hypertext Transfer Protocol Secure (HTTPS): HTTP carried over a TLS connection, which secures Web-based HTTP communications against eavesdropping and tampering and authenticates the server to the client.

Secure Shell (SSH): A protocol for secure remote login and command execution over a network. SSH
provides confidentiality and integrity using encryption, and it also authenticates the remote host (by its
host key) and the user (by password or key). It is the secure replacement for Telnet.

Secure Socket Layer/Transport Layer Security (SSL/TLS): A protocol that provides confidentiality,
integrity, and (usually server) authentication for a connection between a client and a server, as used by
HTTPS. SSL is the deprecated predecessor of TLS; only TLS should be deployed today.

Security by Obscurity: The belief that a system of any sort can be secure so long as nobody outside of its
implementation group is allowed to find out anything about its internal mechanisms. Hiding account
passwords in binary files or scripts with the presumption that "nobody will ever find it" is a prime
example of this.

Server: A dedicated computer in a network which provides files and services that are used by the other
computers.

Session Hijacking: A method of taking over a Web user's session by surreptitiously obtaining the session
ID and masquerading as the authorized user. Once the user's session ID has been obtained, the attacker
can do anything the user is authorized to do on the network.

Simple Network Management Protocol (SNMP): An "Internet-standard protocol for managing devices
on IP networks". Devices that typically support SNMP include routers, switches, servers, workstations,
printers, modem racks and more. SNMPv1 and SNMPv2c authenticate only with a cleartext community
string; SNMPv3 adds user authentication and encryption.

Six Sigma: A set of techniques and tools for process improvement. It was developed by Motorola in
1986. Today, it is used in many industrial sectors. Six Sigma seeks to improve the quality of process
outputs by identifying and removing the causes of defects (errors) and minimizing variability in
manufacturing and business processes.

Stateful inspection firewalls: These firewalls include many of the features and functions of the other
types of firewalls. They filter at the network layer, determine the legitimacy of sessions, and can
evaluate the contents of packets at the application layer. Rather than run proxies, they use algorithms to
process data at the application layer. They track the state of each connection and analyze packets
against the activity already observed, so that only packets belonging to a valid session are passed, and
in this way protect key assets in the control domain. Because many of the vulnerabilities in ICSs are
related to trust between servers and devices, being able to track and react to valid and invalid sessions
improves system security.
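The contrast between the packet filter and stateful inspection entries, as an added example that is not part of the glossary or any ICS-CERT material. The model, the rule base, the addresses (business LAN 10.10.0.0/16, a DMZ historian at 172.16.5.10) and the four packets are all constructed. The stateless filter judges every packet by its header alone, so it needs a second rule admitting anything from the historian's port 443, and a forged packet matching that rule gets through; the stateful filter admits the genuine reply because it saw the SYN, and drops the forgery and a stray ACK because no session exists for them.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed model of a firewall: only the header fields the two filter
 * types consult. Addresses are IPv4 in host byte order. */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

struct pkt {
    uint32_t src, dst;
    uint16_t sport, dport;
    int syn, ack;            /* TCP flag bits that matter for session tracking */
};

enum { DENY = 0, ALLOW = 1 };

/* Packet-filter rule. A mask of 0 or a port of 0 means "any". First match wins. */
struct rule {
    uint32_t src, src_mask, dst, dst_mask;
    uint16_t sport, dport;
    int action;
};

/* Stateless packet filter: each packet is judged on its own header
 * against the rule base; default deny. */
int packet_filter(const struct rule *rules, int n, const struct pkt *p)
{
    for (int i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if ((p->src & r->src_mask) != r->src) continue;
        if ((p->dst & r->dst_mask) != r->dst) continue;
        if (r->sport && p->sport != r->sport) continue;
        if (r->dport && p->dport != r->dport) continue;
        return r->action;
    }
    return DENY;
}

/* Stateful inspection adds a session table: a session is created only by a
 * SYN that the rule base permits, and later packets are admitted only if
 * they belong (in either direction) to a session already in the table. */
#define MAX_SESSIONS 64
struct session { uint32_t src, dst; uint16_t sport, dport; };
static struct session sessions[MAX_SESSIONS];
static int nsessions;

void reset_sessions(void) { nsessions = 0; }

static int in_table(uint32_t s, uint32_t d, uint16_t sp, uint16_t dp)
{
    for (int i = 0; i < nsessions; i++)
        if (sessions[i].src == s && sessions[i].dst == d &&
            sessions[i].sport == sp && sessions[i].dport == dp)
            return 1;
    return 0;
}

int stateful_filter(const struct rule *rules, int n, const struct pkt *p)
{
    if (in_table(p->src, p->dst, p->sport, p->dport) ||   /* client -> server */
        in_table(p->dst, p->src, p->dport, p->sport))     /* server -> client */
        return ALLOW;
    if (!p->syn || p->ack)          /* not a connection attempt: nothing to match */
        return DENY;
    if (packet_filter(rules, n, p) != ALLOW || nsessions == MAX_SESSIONS)
        return DENY;
    sessions[nsessions++] = (struct session){ p->src, p->dst, p->sport, p->dport };
    return ALLOW;
}

/* Constructed scenario: business LAN 10.10.0.0/16 may reach the DMZ data
 * historian 172.16.5.10 on TCP 443. A stateless filter also needs rule 2,
 * which lets anything claiming to come from the historian's port 443 back in. */
static const struct rule rules[] = {
    { IP(10,10,0,0),   0xFFFF0000, IP(172,16,5,10), 0xFFFFFFFF,   0, 443, ALLOW },
    { IP(172,16,5,10), 0xFFFFFFFF, IP(10,10,0,0),   0xFFFF0000, 443,   0, ALLOW },
};
#define NRULES ((int)(sizeof rules / sizeof rules[0]))

static const struct pkt pkt_open   = { IP(10,10,3,7),    IP(172,16,5,10), 51000, 443, 1, 0 };
static const struct pkt pkt_reply  = { IP(172,16,5,10), IP(10,10,3,7),   443, 51000, 1, 1 };
/* Matches the reply rule, but no business host ever opened this session. */
static const struct pkt pkt_forged = { IP(172,16,5,10), IP(10,10,3,99),  443, 51000, 0, 1 };
/* Mid-stream ACK from the business LAN with no preceding handshake. */
static const struct pkt pkt_stray  = { IP(10,10,3,50),  IP(172,16,5,10), 40000, 443, 0, 1 };

int main(void)
{
    const struct pkt *seq[] = { &pkt_open, &pkt_reply, &pkt_forged, &pkt_stray };
    const char *names[] = { "open", "reply", "forged reply", "stray ack" };
    reset_sessions();
    for (int i = 0; i < 4; i++) {
        int sl = packet_filter(rules, NRULES, seq[i]);
        int sf = stateful_filter(rules, NRULES, seq[i]);
        printf("%-13s stateless=%s stateful=%s\n", names[i],
               sl ? "ALLOW" : "DENY", sf ? "ALLOW" : "DENY");
    }
    return 0;
}
```

With a stateful firewall rule 2 can be deleted outright: the session table, not a standing permit for port 443, is what lets the historian's answers back into the business LAN. The packets must be fed to the stateful filter in arrival order, since its verdict on a reply depends on having seen the SYN that opened the session.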

Switch: A device that channels incoming data from multiple input ports to the specific output port that
will take the data toward its intended destination.

Target Folder: A target folder is the collection of information an attacker uses to tune the attack during
the attack lifecycle.

Threat: Any person, circumstance, or event with the potential to cause loss or damage to a system. For
our discussion, we will consider a person as the main threat actor with regards to a cyber-attack on an
ICS. A threat can be either "intentional" (e.g., an individual cracker or a criminal organization) or
"unintentional" (e.g., the possibility of a computer malfunctioning or a natural disaster such as an
earthquake, fire, or tornado).

Trojan: A Trojan horse, or Trojan, in computing is a generally non-self-replicating type of malware
program containing malicious code that, when executed, carries out actions determined by the nature
of the Trojan, typically causing loss or theft of data, and possible system harm.

Virus: A computer program that can replicate itself, infect a computer without permission or knowledge
of the user, and then spread or propagate to another computer.

Vulnerability: Any weakness in a system that can be exploited by an adversary or caused through an
accident. For our discussion, we will focus on those weaknesses that can be exploited by a threat acting
intentionally to cause a specific consequence.

Wardialing: Wardialing is the practice of using computers to dial a large range of phone numbers
looking for modems and access points. IP-enabled wardialing can use VoIP capabilities, such as
Skype, to dial many numbers quickly.

Whitelist: A list of entities that are considered trustworthy and are granted access or privileges.

Wide Area Network (WAN): A geographically dispersed telecommunications network. The term
distinguishes a broader telecommunication structure from a local area network (LAN).

Wireless Access Points: A station that transmits and receives data and can also serve as the point of
interconnection between the wireless network and a fixed wired network.

Wireless Encryption: The encryption applied to traffic on a wireless network. Its strength depends on the
protocol in use: WEP is broken and offers no real protection, WPA (TKIP) is deprecated, and only WPA2
or WPA3 should be relied on. Wireless encryption protects only the radio link, not the traffic beyond the
access point, so it is not a substitute for end-to-end protection such as TLS.

Worm: In a computer, a self-replicating, self-propagating, self-contained program that uses networking
mechanisms to spread itself.

Zones: A security zone is a logical grouping of physical, informational, and application assets sharing
common security requirements. A security zone has a border, which is the boundary between included
and excluded elements.
