OT Glossary

Man-in-the-middle

An attack where the adversary secretly intercepts and possibly alters communications between two devices. In an ICS context, a MitM could mean an attacker in the network between an HMI and a PLC, eavesdropping on or even modifying control commands or sensor values. For instance, they could report normal readings to operators while actually sending dangerous commands to a process. Many ICS protocols lack authentication, making MitM easier (the attacker can pose as the PLC to the HMI and vice versa). Defenses include encryption/authentication of communications (when available) and network segmentation to make it hard for an intruder to get in that middle position.

A specialized version of the MITRE ATT&CK framework focusing on adversary tactics and techniques in industrial control environments. MITRE ATT&CK is a globally accessible knowledge base of cyber adversary behavior, and the ICS variant maps out how attackers specifically target ICS/OT (for example, techniques like Manipulation of Control, Spoof Reporting Message, etc.). This framework helps defenders understand potential attacker methods (like “replay attack on protocol” or “ICS-specific ransomware”) and to ensure detection and response capabilities for each stage. It’s basically a reference of “what bad guys do in ICS” organized systematically.

One of the most common and simplest communication protocol in ICS, originally developed in 1979 for Modicon PLCs (now Schneider Electric). Modbus is used for transmitting data between devices; it’s a request-response (master/slave) protocol. There are two main flavors: Modbus RTU (runs over serial lines like RS-485) and Modbus TCP (runs over TCP/IP networks). It’s considered a de facto standard because so many vendors implemented it and it’s openly published. However, Modbus has no built-in security (no encryption or authentication), which means it’s easy to use and integrate, but also easy to snoop or spoof.

Message queuing telemetry transport

Lightweight protocol for Internet of Things devices, including Industrial IoT. It uses a publish subscribe model, typically with simple devices publishing data to a cloud broker, and then analytics platforms subscribing to that data.

Mean time between failure

The average time between failures of a system. Historically helpful for maintenance planning, but could be helpful for ICS security.

Mean time to repair

How long on average it takes to fix something that broke. Historically used for maintenance planning, may also be helpful for planning incident response for OT cyberattacks

Network access control

A technology to restrict device access to a network based on identity or compliance. In practice, NAC often means only devices with certain credentials or security posture can connect (like 802.1X port authentication, where a switch only lets a device onto the network if it provides the right certificate or credentials). In OT, NAC can be used to prevent unauthorized laptops from plugging into a control network port. However, NAC solutions can be tricky in ICS (older devices may not support fancy auth, and you don’t want to accidentally lock out a critical asset), so they are used with care.

(North American Electric Reliability Corporation) NERC (Critical Infrastructure Protection) CIP

Set of cybersecurity and reliability standards and regulations for the US power grid.

Dividing a network into smaller parts (segments or zones) to control traffic flow and enhance security. In an ICS, segmentation is key: for example, isolating the control network from the business network, and further segmenting within control (keeping the safety system on a separate subnet, or each production line in its own VLAN). By doing this, even if one segment is compromised, the others are not immediately affected. Segmentation can be done physically or logically (via VLANs, firewalls, routers). It limits broadcast domains and limits an attacker’s ability to move laterally. A common guideline is to segment according to levels of the Purdue Model and by function (safety, control, DMZ, etc.). Good segmentation is like having watertight compartments in a ship: a breach in one doesn’t sink the whole ship.

A software framework (by Tridium) widely used in building automation and some industrial settings to integrate various devices and protocols. It’s known for the Niagara Fox protocol which is used by Niagara stations to communicate. If you’re dealing with building management systems, you often encounter Niagara; it allows different building subsystems (HVAC, lighting, security) to be unified. From a security perspective, Niagara nodes have had vulnerabilities and the Fox protocol is often exposed on the public Internet.