OT Glossary
Not sure what a term or acronym means? You’re in the right place. This glossary is your go-to guide for understanding the key terms and acronyms used in OT cybersecurity. Whether it's a protocol, standard, or security concept, we’ve broken it down to help make your training smoother and more approachable. Looking for a term we don't have? Let us know!
| A | |
|---|---|
| Air gap | A (near mythical) network security measure where a system or network is physically isolated, with no direct connection to other networks. A true air-gapped OT system has no wired or wireless links to IT networks, reducing the risk of remote cyber-attack. However, data (and possibly malware) almost always traverses the air gap via other means, like USB drives and laptops. |
| Allow-listing | AKA application whitelisting. A security approach that permits only pre-approved (trusted) software to run on a system and blocks everything else. In OT, allow-listing is used instead of traditional antivirus because industrial systems benefit from only allowing known-good applications and blocking new, unknown programs. This strategy helps prevent malware execution, though it requires maintaining the list and doesn’t stop in-memory or script-based attacks. |
| APT | Advanced persistent threat. A stealthy and sophisticated threat actor (often a nation-state or well-funded group) that gains unauthorized, persistent access to a system and remains undetected for a long period. In OT environments, APTs often target critical infrastructure to gain the capability to cause harm to an unfriendly nation in case a physical war breaks out. |
| Asset | In an ICS security context, any device, system, or component that has value and needs protection. This can range from physical equipment (PLCs, RTUs, sensors, etc.) to software and data. Asset inventory refers to the process of cataloging all these devices in an OT network. |
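The allow-listing entry above names the two properties a practitioner cares about: the decision is keyed on a content hash, so a renamed or tampered binary does not pass, and an allow-listed interpreter runs whatever script it is handed. The following Python is an added illustration written for this glossary, not code from the page or from any allow-listing product; the file paths, the byte strings standing in for executables, and the function names (`build_allow_list`, `evaluate_launch`, `demo`) are all constructed for the example.

```python
import hashlib
from pathlib import PureWindowsPath


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allow-list key (path and file name are ignored)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable images; in practice these are bytes read from disk.
SAMPLE_IMAGES = {
    r"C:\Vendor\HmiRuntime.exe": b"MZ hmi-runtime build 3.2",
    r"C:\Vendor\PlcProgrammer.exe": b"MZ plc-programmer build 11.0",
    r"C:\Python\python.exe": b"MZ python interpreter",
    r"C:\Users\operator\Downloads\update.exe": b"MZ unknown binary",
}

# Interpreters that, once allowed, execute any script handed to them (the caveat in the entry).
INTERPRETERS = {"python.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def build_allow_list(approved_paths, images=SAMPLE_IMAGES):
    """Build the set of approved content hashes from the images at the approved paths."""
    return {sha256_hex(images[path]) for path in approved_paths}


def evaluate_launch(path, image_bytes, allow_list):
    """Decide whether an image may execute. Returns (decision, reason)."""
    digest = sha256_hex(image_bytes)
    if digest not in allow_list:
        return "block", "hash not in allow-list"
    name = PureWindowsPath(path).name.lower()
    if name in INTERPRETERS:
        return "allow", "hash matched, but this is an interpreter: the script it loads is not hash-checked"
    return "allow", "hash matched"


def demo():
    """Evaluate every sample image plus a tampered copy of an approved one."""
    allow = build_allow_list([
        r"C:\Vendor\HmiRuntime.exe",
        r"C:\Vendor\PlcProgrammer.exe",
        r"C:\Python\python.exe",
    ])
    results = {path: evaluate_launch(path, data, allow)[0] for path, data in SAMPLE_IMAGES.items()}
    # A trojaned copy keeps the name and path but not the hash, so it is blocked.
    tampered = SAMPLE_IMAGES[r"C:\Vendor\HmiRuntime.exe"] + b" patched"
    results["tampered HmiRuntime.exe"] = evaluate_launch(r"C:\Vendor\HmiRuntime.exe", tampered, allow)[0]
    return results


if __name__ == "__main__":
    for path, decision in demo().items():
        print(f"{decision:5}  {path}")
```

The interpreter case is reported as an allow with a reason rather than a block, because that is what a plain hash-based allow-list does; stopping script-based abuse needs a separate control (script restrictions, or removing interpreters from the list) that the hash check alone cannot provide.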
| B | |
|---|---|
| BACnet | Building Automation and Control Network. A protocol for building automation systems. It’s widely used to allow HVAC, lighting, access control, fire detection, and other building systems to communicate and interoperate, even if they are from different manufacturers. |
| BES | Bulk electric system. Basically refers to the larger power grid as a whole. This abbreviation is used in the NERC CIP regulations. |
| BMS | Building management system, or BAS (building automation system). This is the control system found in large buildings (offices, campuses, etc.) that monitors and controls the building’s electrical and mechanical equipment. A BMS oversees things like heating/cooling (HVAC), lighting, elevators, and security systems to maintain comfort and efficiency. |
| BOP | Blowout preventer. A safety device in the oil and gas industry to prevent the uncontrolled release of oil and gas while drilling. |
| Brownfield | A term describing an existing industrial facility or system that is already in operation (often with legacy equipment). Brownfield projects involve upgrading or securing an established OT environment, which can be challenging due to the older technology in place. (Contrast with Greenfield, a brand-new installation built from scratch.) Securing a brownfield ICS often means dealing with legacy systems that weren’t designed with cybersecurity in mind. |
| C | |
|---|---|
| CIP | Common Industrial Protocol. A family of protocols including EtherNet/IP, DeviceNet, and ControlNet. CIP provides a common language for devices (from various vendors) to share data and commands in an industrial network, but is most popular with Rockwell/Allen-Bradley devices. |
| CISA | Cybersecurity and Infrastructure Security Agency. |
| Control loop | A fundamental concept in process control where a sensor, controller, and actuator work together to regulate a physical process. In a closed-loop system, a sensor measures a process variable (like temperature), the controller compares it to a desired setpoint, and if there’s a difference it sends a command to an actuator to correct it. This loop continuously “feeds back” so the process stays on target. (Example: a thermostat (sensor/controller) measuring room temperature and turning a heater (actuator) on/off to maintain the set temperature.) |
| Control system | A system that manages, commands, or regulates the behavior of other devices or systems using control loops (with sensor, actuator, and controller). An industrial control system controls an industrial-scale process. |
| CPNI | Centre for Protection of National Infrastructure. A UK government organization, somewhat like the US CISA, focused on the security of national infrastructure. |
| CPS | Cyber-physical systems. Integrated systems that have both computational (cyber) and physical components, tightly interconnected. An industrial robot, a smart grid, or an autonomous vehicle are examples of CPS: they involve sensors and actuators interacting with the physical world, guided by software and networking. ICS and OT systems are prime examples of CPS, where a cyber attack can have real-world kinetic impact. |
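The control loop and CPS entries above describe a sensor, a controller comparing against a setpoint, and an actuator, and note that corrupting the cyber side has a physical effect. The Python below is an added simulation written for this glossary (not code from the page) of exactly the thermostat example in the control loop entry: a simple room model, an on/off controller with a deadband, and a `sensor_bias` parameter that models a faulty or falsified reading so the reader can see the controller faithfully regulate the wrong temperature. The room model constants, the function names (`step`, `run_loop`, `steady_state_band`) and the sample values are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class LoopState:
    temperature: float          # actual process variable, degrees C
    heater_on: bool = False     # actuator state
    history: list = field(default_factory=list)


def step(state, setpoint, hysteresis=0.5, ambient=15.0, heat_rate=1.0,
         loss_rate=0.1, sensor_bias=0.0):
    """One scan of the loop: read sensor, decide, drive actuator, let the room respond."""
    # Sensor: what the controller sees. A non-zero bias models a drifting or spoofed reading.
    measured = state.temperature + sensor_bias
    # Controller: on/off with a deadband so the heater does not chatter.
    if measured >= setpoint + hysteresis:
        state.heater_on = False
    elif measured <= setpoint - hysteresis:
        state.heater_on = True
    # Plant: constructed first-order room model (heater adds heat, room loses heat to ambient).
    heat = heat_rate if state.heater_on else 0.0
    state.temperature += heat - loss_rate * (state.temperature - ambient)
    state.history.append(state.temperature)
    return state


def run_loop(steps=200, start=15.0, setpoint=21.0, sensor_bias=0.0):
    """Run the closed loop for a number of scans and return the final state."""
    state = LoopState(temperature=start)
    for _ in range(steps):
        step(state, setpoint, sensor_bias=sensor_bias)
    return state


def steady_state_band(state, tail=50):
    """Min and max actual temperature over the last `tail` scans."""
    recent = state.history[-tail:]
    return min(recent), max(recent)


if __name__ == "__main__":
    honest = run_loop()
    print("honest sensor, actual temperature settles in", steady_state_band(honest))
    biased = run_loop(sensor_bias=3.0)
    print("reading +3 C too high, actual temperature settles in", steady_state_band(biased))
```

With an honest sensor the actual temperature cycles around the 21 C setpoint. With the reading biased 3 C high, the controller is satisfied once the room reaches about 18 C and holds it there: the loop is working perfectly on bad data, which is why integrity of the measurement path matters as much as the controller logic.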
| D | |
|---|---|
| Data diode | (unidirectional gateway) A hardware-based cybersecurity device that allows data to flow in only one direction. It’s used in OT environments to connect highly sensitive networks to external systems (like sending plant data to a corporate network) without any possibility of data coming back into the secure zone. Not always practical if remote access is needed. |
| DCS | Distributed control system. A control system commonly used in large, continuous industrial processes (like chemical plants, oil refineries, power generation). In a DCS, control intelligence is distributed throughout the plant across multiple controllers rather than centralized. These controllers (often networked PLCs or dedicated DCS controllers) autonomously run different parts of the process, all coordinated by supervisory software. DCS systems typically span an entire building (as opposed to a single machine or a large geographic area). |
| Defense-in-depth | A security strategy that employs multiple layers of defense to protect a system. In ICS security, this means implementing a combination of physical security, network segmentation, firewalls, intrusion detection, strict user access controls, etc., so that if one layer fails, others still provide protection. For example, even if a firewall is breached (outer layer), an ICS might still be safe thanks to an internal allow-list. |
| DeviceNet | An industrial network protocol used for connecting simple industrial devices (sensors, actuators) to a PLC. It’s essentially the Common Industrial Protocol (CIP) running over a CAN (Controller Area Network) bus. DeviceNet was widely used for device-level networking (particularly in automotive manufacturing) to reduce complex wiring. It’s slower and more limited compared to EtherNet/IP, and largely legacy now. |
| DMZ | Demilitarized zone. A network segment that acts as a buffer zone between two networks of different trust levels, often between an internal OT network and external IT or the internet. An Industrial DMZ (or IDMZ) is commonly set up between the plant control network and the corporate IT network. It hosts servers (like historians, remote access jump hosts, etc.) that need to communicate with both sides. The idea is to tightly control and inspect traffic between OT and IT, reducing direct exposure of critical control systems. |
| DNP3 | Distributed network protocol. A communication protocol primarily used in SCADA systems for utilities (electric, water, wastewater). DNP3 is used to exchange data between control centers, RTUs, and IEDs over long distances. It’s especially common in North America for electric power distribution. DNP3 is robust against unreliable links and supports time-stamping of data, but it was not originally designed with strong security (it has since been updated with optional encryption/authentication features). |
| E | |
|---|---|
| ENISA | (European Network and Information Security Agency), now known as the European Union Agency for Cybersecurity. An agency of the European Union with a mission to improve the overall cybersecurity of all EU member states. They achieve this by setting regulations for member states, as well as publishing helpful resources. |
| Ethernet | The ubiquitous networking technology used for LANs (Local Area Networks). In OT, Ethernet has become common at the higher levels of control systems (like connecting PLCs, HMIs, and SCADA servers), gradually replacing older serial links. Standard Ethernet (IEEE 802.3) wasn’t originally designed for real-time industrial needs, but newer standards and industrial protocols (Profinet, EtherNet/IP) have adapted it for factory use. |
| EtherNet/IP | ENIP. Confusingly, the "IP" here stands for Industrial Protocol, not Internet Protocol like you might think. It is CIP encapsulated over standard Ethernet. This allows PLCs, drives, sensors, etc., particularly in Allen-Bradley/Rockwell ecosystems, to communicate on an Ethernet network for real-time control. |
| EWS | Engineering workstation. A computer (often a PC) used by engineers to configure, program, and troubleshoot ICS devices like PLCs, DCS controllers, or RTUs. The EWS typically runs vendor-specific software (for example, PLC programming tools or HMI configuration suites) and is usually connected to the control network. Because it can change the behavior of the process (by downloading new logic or settings), an engineering workstation is a high-impact asset to secure – an attacker who compromises it could alter the process. It’s often only used by authorized control engineers and may sit in the control room or engineering office. To maintain compatibility with legacy equipment, it may be running obsolete Windows versions. |
| F | |
|---|---|
| Fail-safe | A design principle where if a system fails, it does so in a way that defaults to a safe condition. For example, a fail-safe valve might close (shutting off flow) if power is lost, to prevent an uncontrolled process. In OT, fail-safe mechanisms ensure that if something goes wrong, whether a component fails or communication is lost, the process will shut down or revert to a state that avoids harm to people, environment, or equipment. (Contrast with fail-secure, where on failure a system locks in a secure state, like a door locking during a power outage – but in industrial control, fail-safe is usually about safety.) |
| Field device | A general term for equipment on the plant floor or in the field that interacts directly with the physical process. Field devices include sensors (which measure things like temperature, pressure, flow) and actuators (like valves, motors, relays). They often connect to controllers (PLC/RTU) via I/O modules or fieldbus networks. |
| Fieldbus | A category of industrial network protocols designed for connecting field devices (sensors/actuators) to controllers, usually in a daisy-chain or bus topology (as opposed to each device having a direct wire to the controller). Examples include Profibus, Foundation Fieldbus, DeviceNet, and Modbus. |
| Firewall | A network security device (software or hardware) that monitors and filters network traffic based on predefined security rules. In an ICS environment, firewalls are used to segment networks (for instance, between the corporate IT network and the OT network, or between control levels) and to restrict traffic to only what’s needed. They can range from simple devices allowing only specific IP/port combinations, to more advanced ones that understand industrial protocols (industrial next-gen firewalls that can, say, allow Read commands but block Write commands to a PLC). |
| G | |
|---|---|
| Gateway | In OT, this often means a device or software that connects and translates between different networks or protocols. For example, a protocol gateway might connect a Modbus device to a Profibus network, translating data so both sides understand. Or a gateway could link an isolated control network to a plant DMZ network (with tight security controls). Essentially, whenever two parts of the system that “speak different languages” need to communicate, a gateway is the intermediary that makes it possible (while ideally keeping things secure and compatible). |
| GOOSE | Generic object-oriented substation event protocol. A communication model that is part of the IEC 61850 standard (power systems). GOOSE messages are a mechanism for very fast, event-driven communication in electrical substations (for example, to trip breakers or signal alarms). They are multicast messages that can convey a change of state (like “Breaker open!”) with extremely low latency, replacing old hard-wired connections between relays. While this term is power-industry-specific, it’s good to know since modern substations now use GOOSE over Ethernet to react to faults in milliseconds. |
| Greenfield | Opposite of Brownfield. It describes a new project or facility built from scratch, on a metaphorical “green field” with no constraints from legacy equipment. A greenfield ICS deployment can design security and modern architectures in from the start (a luxury not always present in brownfield sites). For example, a brand-new factory with all new control systems and network infrastructure is a greenfield deployment, and the engineers have free rein to choose the latest technologies and best practices. |
| H | |
|---|---|
| HART | Highway addressable remote transducer. A protocol used in process industries that allows digital communication with instruments over the same wires as analog signals. Many analog field instruments (like pressure transmitters) use a 4-20 mA signal to indicate a value, but with HART they can also superimpose a digital signal on top of that current loop. This lets operators or control systems talk to the device, reading diagnostics, setting ranges, etc., without extra wiring. Think of HART as giving your “dumb” analog sensor a way to speak up and say more than just its measurement, all over the existing cable. |
| HAZOP | Hazard and operability study. A structured approach for examining a process or system to identify potential hazards and operability problems. In industrial contexts, a HAZOP is done by a team brainstorming “what if” scenarios for each part of a process (e.g. “What if valve X fails closed?”) to foresee what could go wrong. While HAZOP itself is a process safety technique (ensuring the process is designed safely), it’s increasingly being adapted to consider cybersecurity (e.g. what if a hacker did X). |
| Historian | A specialized database system for time-series data in industrial environments. A historian continuously collects and stores chronological data from the process, things like temperatures, pressures, flow rates, equipment statuses, etc., often at high frequency. These databases are optimized for time-stamped data and for rapid retrieval of trends. They’re crucial for analysis, troubleshooting, and regulatory reporting in industrial operations. |
| HMI | Human machine interface. Visually represents the current state of a process, typically also providing operators some way to interact with the process (change setpoints, open/close valves, start/stop equipment...). |
| Honeypot | A decoy system or server set up to attract attackers, so their techniques can be studied. In OT, a honeypot might mimic a PLC or a SCADA server to lure in would-be intruders. Researchers deploy ICS honeypots that emulate vulnerable control systems to see how attackers behave when they think they’ve found an exposed power plant or factory. The honeypot has no real control over a process. It’s a trap, and any interaction with it is by definition suspicious, since legitimate users wouldn’t normally be there. |
| Honeywell | A major ICS vendor known for DCS and process control systems (Experion), as well as building automation. |
| I | |
|---|---|
| IACS | Industrial automation and control systems. Basically the same thing as ICS. It is the acronym formally used by the IEC 62443 standards to refer to the collection of personnel, hardware, software, and processes involved in controlling industrial automation. |
| ICS | Industrial control system. General term for control systems controlling industrial-scale processes with sensors, actuators, and controllers. It includes SCADA, DCS, PLC, and BAS. |
| ICS-CERT | Industrial control system cyber emergency response team. Formerly a stand-alone entity under the US Department of Homeland Security, ICS-CERT is now integrated into CISA. It’s a group that focuses on industrial control system security: issuing advisories on vulnerabilities, helping with incident response for critical infrastructure, etc. |
| IDS | Intrusion detection system. A security tool that monitors network or system activity for malicious or abnormal behavior and raises alerts. In ICS, an IDS often means a network intrusion detection appliance watching the control network traffic (possibly with ICS protocol awareness) to detect things like unusual commands or known malware signatures. A related tool is an IPS (intrusion prevention system) that can take some action to stop the attack in addition to alerting. |
| IEC 61850 | An international standard for substation automation and communication in the power industry. IEC 61850 defines how Intelligent Electronic Devices (IEDs) in electrical substations communicate with each other in real time. It introduced high-speed mechanisms like GOOSE (for protective relaying) and standard object models for substation equipment. |
| IEC 62443 | A series of international standards (originating from ISA-99) for ICS security. IEC 62443 provides a comprehensive framework for securing industrial automation and control systems, including guidance on processes and technical requirements for components and systems. It covers everything from how to segment networks into zones and conduits, to secure product development for control system vendors, and continuous maintenance. If someone references “62443 compliance” or “ISA/IEC 62443”, they’re talking about following these best practices for OT security. |
| IED | Intelligent electronic device. A smart device, typically found in power grid environments, that monitors some physical measurement and is capable of performing some basic automated actions, like opening a circuit breaker. |
| IIoT | Industrial Internet of Things. Refers to IoT technologies (sensors, connectivity, analytics) applied in industrial contexts. IIoT involves networks of smart devices and sensors in factories, energy grids, etc., that collect and share data for monitoring and optimization. Examples: wireless vibration sensors on motors feeding data to cloud analytics for predictive maintenance; or smart meters and smart grid devices in utilities. The IIoT concept often ties into Industry 4.0 and digital transformation: essentially using internet-connected devices to make industrial operations more intelligent and efficient. (It also expands the attack surface of OT networks, hence the security concern around it.) |
| IR | Incident response. The process and team for handling cybersecurity incidents. In an OT scenario, incident response means the procedures to follow when a control system is suspected of being compromised or attacked. This could involve isolating affected systems (without unintentionally halting the plant), investigating malware on an HMI, coordinating with operations to safely shut down if needed, and recovering systems. IR in ICS has the added complexity of potential safety and process impacts. Many organizations create an IR plan specific to their ICS, and some have a designated ICS-CERT or similar partnership for expertise. Having an IR plan ensures you’re not scrambling without a clue when something bad happens in your OT network. |
| IT | Information technology. Technology dealing with information systems, data processing, business applications, and enterprise networks. This is the office/corporate side: email, databases, websites, user workstations, etc. IT is typically concerned with confidentiality and integrity of data, and uses standard protocols (TCP/IP, HTTP, etc.) and enterprise software (ERP, cloud services). It’s often contrasted with OT (Operational Technology), which deals with the control of physical processes. While IT manages your company’s data and communications, OT runs the plant or factory. The convergence of the two (IT/OT integration) is a hot topic as companies want to funnel production data to IT systems for analysis, while keeping production safe. |
| IT/OT Convergence | The growing integration and interconnection between information technology (IT) systems and operational technology (OT) systems. Traditionally, OT systems were isolated and used proprietary tech, and IT was separate. Now, companies want real-time production data in their IT analytics, and OT systems are adopting more standard IT components (like PCs, Windows, Ethernet). IT/OT convergence brings efficiencies and data-driven operations (predictive maintenance, etc.), but also means OT systems become exposed to IT-style cyber threats. |
| J | |
|---|---|
| Jump host | A dedicated, secure computer through which users must connect to access a different security zone. In OT, a jump host (or jump server) is often placed in the DMZ as a controlled point for remote access into the control network. Operators or vendors first remote into the jump host (which is hardened and monitored), then from there connect to the OT devices (HMIs, PLCs). The idea is to funnel all external access through one chokepoint that can be managed (with multifactor auth, logging, limited tools). This reduces the risk of direct remote connections into sensitive ICS and provides an audit trail of who did what. |
| K | |
|---|---|
| Keylogger | Malware or a tool that records keystrokes on a compromised machine, often to steal credentials. In an OT setting, a keylogger could be used on an engineering workstation or HMI PC to capture operator logins or even capture the sequence of actions taken. This is one way attackers in the past have stolen operator credentials to pivot and issue rogue commands on control systems. Keyloggers can be hardware devices or software, and are notoriously sneaky. |
| Kill chain | Cyber kill chain. A model describing the stages of a cyber attack, from initial reconnaissance to actions on objectives. The term comes from military usage (stopping an attack by breaking the chain at any stage). In ICS security, you might hear about the “ICS kill chain”, which adapts these stages to control system scenarios (like initial penetration, then moving into the control network, then manipulating the process). The Lockheed Martin kill chain stages (Recon, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions) or the MITRE ATT&CK framework can be considered in analyzing how an attacker might systematically progress to sabotage a physical process. The takeaway: thinking in kill-chain terms helps defenders put in controls to interrupt the adversary early (e.g., catch them in the reconnaissance or delivery phase before any damage is done). |
| L | |
|---|---|
| Ladder logic | A programming language for PLCs. It represents logic in a form resembling an electrical schematic of relay circuits (which kind of looks like a ladder with rungs and rails). Each rung defines a logical operation: contacts (inputs) on the left that simulate relay contacts, and coils (outputs) on the right. Ladder logic is popular because it’s very intuitive for engineers with electrical backgrounds. It’s part of the IEC 61131-3 standard languages for PLCs (along with others like Function Block Diagram and Structured Text). |
| Legacy system | Any older computer or control system that remains in use despite its age, often because it still does its job, but which typically has outdated hardware or software. In OT, legacy systems are very common, including Windows NT or XP machines running HMI software, or a PLC from the 1990s that’s still controlling a boiler. These systems often cannot be easily patched or may not support modern security, making them vulnerable. But replacing them can be expensive or risky to operations. So, they live on, sometimes isolated or wrapped in additional protective controls. A legacy ICS component might use old protocols, have serial interfaces, or run an OS long out of support, posing a security and maintenance challenge. |
| Level 0/1/2/3/4/5 | Shorthand for the levels of the Purdue Model (see “Purdue Model”). In Purdue (which defines a reference architecture for ICS networks), Level 0 is the physical process (sensors/actuators), Level 1 is basic control (the controllers like PLCs), Level 2 is area supervisory control (HMIs, local supervision), Level 3 is site operations (plant SCADA servers, historians, engineering workstations), and Levels 4-5 are IT systems. People often refer to “Level 1 devices” (meaning the controllers) or “Level 3 network” (meaning the control network zone with servers). It’s basically a way to delineate where a device sits in the hierarchy from physical process up to business network. |
| LOPA | Layer of protection analysis. A risk assessment method used in process safety to evaluate if there are sufficient independent protection layers to mitigate hazards. Each “layer” could be a safety instrumented function, an alarm with operator action, or a relief device, etc. The analysis calculates the risk reduction and whether it meets tolerable levels. In an OT context, you might hear this in relation to SIS design. LOPA results help determine what Safety Integrity Level (SIL) a safety function needs. It’s not directly a cybersecurity term, but as with HAZOP, it’s part of the safety-minded culture in industrial operations. (And conceptually, you can think of defense-in-depth in security as a kind of layered protection like LOPA aims for in safety.) |
| M | |
|---|---|
| Malware | Generic term for any malicious software. |
| MES | Manufacturing execution system. A software system that monitors, tracks, and optimizes production on the plant floor. An MES sits between the real-time control layer (PLC/SCADA) and the business systems (ERP). It handles workflows such as scheduling production orders, tracking batches/lots, managing recipes, logging the genealogy of products, and providing KPIs for manufacturing. |
| MFA | Multifactor authentication. Using more than one method to verify a user’s identity when logging into a system. In OT, MFA is increasingly recommended for remote access or critical logins (like an engineer remoting into a plant network or logging into a SCADA host). It typically means combining something you know (password) with something you have (token or smart card) or something you are (fingerprint). |
| MITM | Man-in-the-middle. An attack where the adversary secretly intercepts and possibly alters communications between two devices. In an ICS context, a MitM could mean an attacker in the network between an HMI and a PLC, eavesdropping on or even modifying control commands or sensor values. For instance, they could report normal readings to operators while actually sending dangerous commands to a process. Many ICS protocols lack authentication, making MitM easier (the attacker can pose as the PLC to the HMI and vice versa). Defenses include encryption/authentication of communications (when available) and network segmentation to make it hard for an intruder to get into that middle position. |
| MITRE ATT&CK for ICS | A specialized version of the MITRE ATT&CK framework focusing on adversary tactics and techniques in industrial control environments. MITRE ATT&CK is a globally accessible knowledge base of cyber adversary behavior, and the ICS variant maps out how attackers specifically target ICS/OT (for example, techniques like Manipulation of Control, Spoof Reporting Message, etc.). This framework helps defenders understand potential attacker methods (like “replay attack on protocol” or “ICS-specific ransomware”) and to ensure detection and response capabilities for each stage. It’s basically a reference of “what bad guys do in ICS” organized systematically. |
| Modbus | One of the most common and simplest communication protocols in ICS, originally developed in 1979 for Modicon PLCs (now Schneider Electric). Modbus is used for transmitting data between devices; it’s a request-response (master/slave) protocol. There are two main flavors: Modbus RTU (runs over serial lines like RS-485) and Modbus TCP (runs over TCP/IP networks). It’s considered a de facto standard because so many vendors implemented it and it’s openly published. However, Modbus has no built-in security (no encryption or authentication), which means it’s easy to use and integrate, but also easy to snoop or spoof. |
| MQTT | Message queuing telemetry transport. A lightweight protocol for Internet of Things devices, including Industrial IoT. It uses a publish/subscribe model, typically with simple devices publishing data to a cloud broker and analytics platforms subscribing to that data. |
| MTBF | Mean time between failures. The average time between failures of a system. Historically used for maintenance planning, but it can also be helpful for ICS security. |
| MTTR | Mean time to repair. How long on average it takes to fix something that broke. Historically used for maintenance planning; it may also be helpful for planning incident response to OT cyberattacks. |
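The Modbus entry above notes that the protocol carries no authentication, and the Firewall and IDS entries describe devices that understand the protocol well enough to allow read commands while blocking writes. The following Python is an added example written for this glossary, not code from the page or from any firewall or IDS product: a minimal Modbus/TCP request parser (MBAP header plus function code and its first two fields) and a read-only policy check run over a handful of constructed frames. The frame bytes, the function names (`parse_modbus_tcp`, `policy_decision`, `review_frames`) and the policy itself are constructed for the example; the function-code numbers and the MBAP layout are those of the published Modbus specification.

```python
import struct
from dataclasses import dataclass

# Public Modbus function codes that a read-only policy needs to distinguish.
READ_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int   # first coil/register the request touches
    count_or_value: int  # quantity for reads and multi-writes, value for single writes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: 7-byte MBAP header followed by the PDU.
    Raises ValueError for anything that is not a well-formed request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    # The MBAP length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function_code = frame[7]
    pdu_data = frame[8:]
    if function_code in READ_FUNCTIONS or function_code in WRITE_FUNCTIONS:
        if len(pdu_data) < 4:
            raise ValueError("PDU too short for address and count/value fields")
        start_address, count_or_value = struct.unpack(">HH", pdu_data[:4])
    else:
        start_address, count_or_value = 0, 0   # not decoded for other function codes
    return ModbusRequest(transaction_id, unit_id, function_code, start_address, count_or_value)


def policy_decision(req: ModbusRequest, allow_writes: bool = False) -> str:
    """Read-only policy: reads pass, writes pass only when explicitly allowed,
    everything else (diagnostics, vendor-specific codes) is blocked by default."""
    if req.function_code in READ_FUNCTIONS:
        return "allow"
    if req.function_code in WRITE_FUNCTIONS:
        return "allow" if allow_writes else "block"
    return "block"


# Constructed sample frames (not captured traffic); unit id 1 in every case.
SAMPLE_FRAMES = {
    # tid 1: read 10 holding registers starting at address 0
    "read_holding": struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10),
    # tid 2: write the value 0 to holding register 16
    "write_single": struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 16, 0),
    # tid 3: write 2 registers (byte count 4) starting at address 0
    "write_multiple": struct.pack(">HHHBBHHB", 3, 0, 11, 1, 16, 0, 2, 4) + struct.pack(">HH", 100, 200),
    # tid 4: diagnostics (function 8), sub-function 0
    "diagnostics": struct.pack(">HHHBBHH", 4, 0, 6, 1, 8, 0, 0),
}


def review_frames(frames=SAMPLE_FRAMES, allow_writes=False):
    """Return {name: (function name, decision)} for a batch of frames."""
    results = {}
    for name, frame in frames.items():
        req = parse_modbus_tcp(frame)
        fn = (READ_FUNCTIONS.get(req.function_code)
              or WRITE_FUNCTIONS.get(req.function_code)
              or f"function {req.function_code}")
        results[name] = (fn, policy_decision(req, allow_writes))
    return results


if __name__ == "__main__":
    for name, (fn, decision) in review_frames().items():
        print(f"{name:15} {fn:25} -> {decision}")
```

Nothing in the frame identifies who sent it, which is the point the Modbus entry makes: the only handles a protocol-aware firewall or IDS has are the function code, the address range and the source of the connection, so a read-only policy like this one is a segmentation control, not an authentication control.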
| N | |
|---|---|
| NAC | Network access control. A technology to restrict device access to a network based on identity or compliance. In practice, NAC often means only devices with certain credentials or security posture can connect (like 802.1X port authentication, where a switch only lets a device onto the network if it provides the right certificate or credentials). In OT, NAC can be used to prevent unauthorized laptops from plugging into a control network port. However, NAC solutions can be tricky in ICS (older devices may not support fancy auth, and you don’t want to accidentally lock out a critical asset), so they are used with care. |
| NERC CIP | North American Electric Reliability Corporation Critical Infrastructure Protection. A set of cybersecurity and reliability standards and regulations for the US power grid. |
| Network segmentation | Dividing a network into smaller parts (segments or zones) to control traffic flow and enhance security. In an ICS, segmentation is key: for example, isolating the control network from the business network, and further segmenting within control (keeping the safety system on a separate subnet, or each production line in its own VLAN). By doing this, even if one segment is compromised, the others are not immediately affected. Segmentation can be done physically or logically (via VLANs, firewalls, routers). It limits broadcast domains and limits an attacker’s ability to move laterally. A common guideline is to segment according to levels of the Purdue Model and by function (safety, control, DMZ, etc.). Good segmentation is like having watertight compartments in a ship: a breach in one doesn’t sink the whole ship. |
| Niagara Framework | A software framework (by Tridium) widely used in building automation and some industrial settings to integrate various devices and protocols. It’s known for the Niagara Fox protocol, which is used by Niagara stations to communicate. If you’re dealing with building management systems, you often encounter Niagara; it allows different building subsystems (HVAC, lighting, security) to be unified. From a security perspective, Niagara nodes have had vulnerabilities and the Fox protocol is often exposed on the public Internet. |
| NIST CSF | The National Institute of Standards and Technology Cybersecurity Framework. A framework by NIST for improving cybersecurity risk management. While not OT-specific, it’s widely applied to ICS/OT environments. It comprises six functions – Govern, Identify, Protect, Detect, Respond, Recover – to organize security efforts. Many organizations use the NIST CSF as a common language to evaluate and improve the security of their control systems. |
| NIST SP 800-82 | NIST Special Publication 800-82, "Guide to OT Security". It provides detailed guidance on how to secure ICS, covering typical architectures (like Purdue model levels), threats, vulnerabilities, and recommended security controls for ICS environments. It’s a go-to document for best practices, and many other standards reference its content. |
| Nonrepudiation | A concept from security (not ICS-specific): ensuring that a party in a communication cannot deny the authenticity of their signature on a document or a message that they originated. In OT, this might come into play with logging and forensics: ensuring actions (like a command to change a setpoint) are traceable to a user and cannot be refuted. Digital signatures and audit logs contribute to non-repudiation. It’s less talked about than confidentiality, integrity, and availability in ICS, but it’s one of those classic infosec principles. |
| O | |
|---|---|
| OPC | OLE for Process Control. The old name for what is now simply OPC Classic. This is a set of standards/protocols originally based on Microsoft OLE/COM technology for data exchange between industrial software applications. An OPC Server would talk to devices (like PLCs) and expose their data in a standard way, so different client software (HMIs, historians) could all access it uniformly. OPC Classic includes specs like DA (Data Access), HDA (Historical Data Access), and A&E (Alarms & Events). It was huge for interoperability, but being COM/DCOM-based, it had all the Windows quirks (and DCOM security issues). It’s largely been succeeded by OPC UA, but many legacy systems still use OPC DA servers to bridge devices and software. |
| OPC UA | Open process communication unified architecture. The modern evolution of the OPC standard, redesigned to be platform-independent, robust, and secure. OPC UA is a communication protocol that allows various industrial devices and software to share data in a unified way. It is more commonly found at the higher levels of the network and can run over a binary TCP transport or over HTTPS. Unlike OPC Classic, it’s not tied to Windows COM, and it includes built-in security (encryption, authentication). |
| Operator | The person (or people) who monitor and control the industrial process using the ICS. Operators sit in the control room or at local panels, keep an eye on HMI screens, acknowledge alarms, start and stop equipment, and adjust setpoints as needed to keep things running smoothly. They are the human-in-the-loop of an ICS. |
| OSINT | (Open source intelligence) Essentially just gathering information about a target from public sources. Could include Google, Shodan, social media, or ship tracking websites. |
| OT | Operational technology. Technology dealing with physical operations, including ICS, SCADA, DCS, and PLCs. Compare with information technology, which deals only with data and information. |
| P | |
|---|---|
| PLC | Programmable Logic Controller. A ruggedized embedded computing device that continuously reads sensor inputs, executes its control logic program, and updates physical outputs based on that program. |
| R | |
|---|---|
| RTU | Remote telemetry unit. A device typically installed at a remote location to aggregate data from that specific area of a SCADA network. May have some very basic programmable functionality. |
| T | |
|---|---|
| Threat Modeling | Basically, thinking ahead about what could go wrong with your system and figuring out how to stop it before it happens. |