OT Glossary

Demilitarized zone

A network segment that acts as a buffer zone between two networks of different trust levels, often between an internal OT network and external IT or internet. An Industrial DMZ (or IDMZ) is commonly set up between the plant control network and the corporate IT network. It hosts servers (like historians, remote access jump hosts, etc.) that need to communicate with both sides. The idea is to tightly control and inspect traffic between OT and IT, reducing direct exposure of critical control systems.

Distributed network protocol

A communication protocol primarily used in SCADA systems for utilities (electric, water, wastewater). DNP3 is used to exchange data between control centers, RTUs, and IEDs over long distances. It’s especially common in North America for electric power distribution. DNP3 is robust against unreliable links and supports time-stamping of data, but it was not originally designed with strong security (it has since been updated with optional encryption/authentication features).

(European Network and Information Security Agency) now known as European Union Agency for Cybersecurity

It is an agency of the European Union with a mission to improve the overall cybersecurity of all member states of the EU. They achieve this by setting regulations for member states, as well as publishing helpful resources.

The ubiquitous networking technology used for LANs (Local Area Networks). In OT, Ethernet has become common at higher levels of control systems (like connecting PLCs, HMIs, and SCADA servers), gradually replacing older serial links. Standard Ethernet (IEEE 802.3) wasn’t originally designed for real-time industrial needs, but newer standards and industrial protocols (Profinet, EtherNet/IP) have adapted it for factory use. 

ENIP

Confusingly, the "IP" here stands for Industrial Protocol, not Internet Protocol like you might think. It is the version of CIP encapsulated by Ethernet. This allows PLCs, drives, sensors, etc., particularly in Allen-Bradley/Rockwell ecosystems, to communicate on an Ethernet network for real-time control. 

Engineering workstation

A computer (often a PC) used by engineers to configure, program, and troubleshoot ICS devices like PLCs, DCS controllers, or RTUs. The EWS typically runs vendor-specific software (for example, PLC programming tools or HMI configuration suites) and is usually connected to the control network. Because it can change the behavior of the process (by downloading new logic or settings), an engineering workstation is a high-impact asset to secure – an attacker who compromises it could alter the process. It’s often only used by authorized control engineers and may sit in the control room or engineering office. To maintain compatibility with legacy equipment, it can be running obsolete Windows versions.

A design principle where if a system fails, it does so in a way that defaults to a safe condition. For example, a fail-safe valve might close (shutting off flow) if power is lost, to prevent an uncontrolled process. In OT, fail-safe mechanisms ensure that if something goes wrong, whether a component fails or communication is lost, the process will shut down or revert to a state that avoids harm to people, environment, or equipment. (Contrast with fail-secure, where on failure a system locks in a secure state, like a door locking during a power outage – but in industrial control, fail-safe is usually about safety.)

A general term for equipment on the plant floor or in the field that interacts directly with the physical process. Field devices include sensors (which measure things like temperature, pressure, flow) and actuators (like valves, motors, relays). They often connect to controllers (PLC/RTU) via I/O modules or fieldbus networks. 

A category of industrial network protocols designed for connecting field devices (sensors/actuators) to controllers, usually in a daisy-chain or bus topology (as opposed to each device having a direct wire to the controller). Examples include Profibus, Foundation Fieldbus, DeviceNet, and Modbus. 

A network security device (software or hardware) that monitors and filters network traffic based on predefined security rules. In an ICS environment, firewalls are used to segment networks (for instance, between the corporate IT network and the OT network, or between control levels) and to restrict traffic to only what’s needed. They can range from simple devices allowing only specific IP/port combinations, to more advanced ones that understand industrial protocols (industrial next-gen firewalls that can, say, allow Read commands but block Write commands to a PLC).