OT Glossary
Not sure what a term or acronym means? You’re in the right place. This glossary is your go-to guide for understanding the key terms and acronyms used in OT cybersecurity. Whether it's a protocol, standard, or security concept, we’ve broken it down to help make your training smoother and more approachable. Looking for a term we don't have? Let us know!
M

| Term | Definition |
|---|---|
| Malware | Generic term for any malicious software. |
| MFA | Multifactor authentication. Using more than one method to verify a user’s identity when logging into a system. In OT, MFA is increasingly recommended for remote access or critical logins (like an engineer remoting into a plant network or logging into a SCADA host). It typically means combining something you know (password) with something you have (token or smart card) or something you are (fingerprint). |
| MITM | Man-in-the-middle. An attack where the adversary secretly intercepts and possibly alters communications between two devices. In an ICS context, a MitM could mean an attacker in the network between an HMI and a PLC, eavesdropping on or even modifying control commands or sensor values. For instance, they could report normal readings to operators while actually sending dangerous commands to a process. Many ICS protocols lack authentication, making MitM easier (the attacker can pose as the PLC to the HMI and vice versa). Defenses include encryption/authentication of communications (when available) and network segmentation to make it hard for an intruder to get in that middle position. |
| MITRE ATT&CK for ICS | A specialized version of the MITRE ATT&CK framework focusing on adversary tactics and techniques in industrial control environments. MITRE ATT&CK is a globally accessible knowledge base of cyber adversary behavior, and the ICS variant maps out how attackers specifically target ICS/OT (for example, techniques like Manipulation of Control, Spoof Reporting Message, etc.). This framework helps defenders understand potential attacker methods (like “replay attack on protocol” or “ICS-specific ransomware”) and ensure they have detection and response capabilities for each stage. It’s basically a reference of “what bad guys do in ICS” organized systematically. |
| Modbus | One of the most common and simplest communication protocols in ICS, originally developed in 1979 for Modicon PLCs (now Schneider Electric). Modbus is used for transmitting data between devices; it’s a request-response (master/slave) protocol. There are two main flavors: Modbus RTU (runs over serial lines like RS-485) and Modbus TCP (runs over TCP/IP networks). It’s considered a de facto standard because so many vendors implemented it and it’s openly published. However, Modbus has no built-in security (no encryption or authentication), which means it’s easy to use and integrate, but also easy to snoop or spoof. |
| MQTT | Message queuing telemetry transport. Lightweight protocol for Internet of Things devices, including Industrial IoT. It uses a publish-subscribe model, typically with simple devices publishing data to a cloud broker, and then analytics platforms subscribing to that data. |
| MTBF | Mean time between failures. The average time between failures of a system. Historically helpful for maintenance planning, but it could also be helpful for ICS security. |
| MTTR | Mean time to repair. How long on average it takes to fix something that broke. Historically used for maintenance planning, it may also be helpful for planning incident response for OT cyberattacks. |