OT Glossary

Network access control

A technology to restrict device access to a network based on identity or compliance. In practice, NAC often means only devices with certain credentials or security posture can connect (like 802.1X port authentication, where a switch only lets a device onto the network if it provides the right certificate or credentials). In OT, NAC can be used to prevent unauthorized laptops from plugging into a control network port. However, NAC solutions can be tricky in ICS (older devices may not support fancy auth, and you don’t want to accidentally lock out a critical asset), so they are used with care.

(North American Electric Reliability Corporation) NERC (Critical Infrastructure Protection) CIP

Set of cybersecurity and reliability standards and regulations for the US power grid.

Dividing a network into smaller parts (segments or zones) to control traffic flow and enhance security. In an ICS, segmentation is key: for example, isolating the control network from the business network, and further segmenting within control (keeping the safety system on a separate subnet, or each production line in its own VLAN). By doing this, even if one segment is compromised, the others are not immediately affected. Segmentation can be done physically or logically (via VLANs, firewalls, routers). It limits broadcast domains and limits an attacker’s ability to move laterally. A common guideline is to segment according to levels of the Purdue Model and by function (safety, control, DMZ, etc.). Good segmentation is like having watertight compartments in a ship: a breach in one doesn’t sink the whole ship.

A software framework (by Tridium) widely used in building automation and some industrial settings to integrate various devices and protocols. It’s known for the Niagara Fox protocol which is used by Niagara stations to communicate. If you’re dealing with building management systems, you often encounter Niagara; it allows different building subsystems (HVAC, lighting, security) to be unified. From a security perspective, Niagara nodes have had vulnerabilities and the Fox protocol is often exposed on the public Internet.

The National Institute of Standards and Technology Cybersecurity Framework

A framework by NIST for improving cybersecurity risk management. While not OT-specific, it’s widely applied to ICS/OT environments. It comprises six functions – Govern, Identify, Protect, Detect, Respond, Recover – to organize security efforts. Many organizations use the NIST CSF as a common language to evaluate and improve the security of their control systems.

NIST Special Publication 800-82 "Guide to OT Security"

It provides detailed guidance on how to secure ICS, covering typical architectures (like Purdue model levels), threats, vulnerabilities, and recommended security controls for ICS environments. It’s a go-to document for best practices, and many other standards reference its content. 

A concept from security (not ICS-specific): ensuring that a party in a communication cannot deny the authenticity of their signature on a document or a message that they originated. In OT, this might come into play with logging and forensics: ensuring actions (like a command to change a setpoint) are traceable to a user and cannot be refuted. Digital signatures and audit logs contribute to non-repudiation. It’s less talked about than confidentiality, integrity, availability in ICS, but it’s one of those classic infosec principles.