IIOT, ICS & SCADA Security Glossary

As a way of supporting the ICS/SCADA security community, the CyberX team has compiled a list of regularly-used terms as they apply to the world of IIoT, ICS and SCADA cybersecurity.

Air-Gap

Until not long ago, Operational Networks were considered air-gapped. Based only on proprietary technologies, with no connectivity, the air-gap kept the network isolated and secure. The adoption of new technologies for the IIoT, machine learning, artificial intelligence and connectivity, means that operational networks, no longer operate as separated siloes, the notion of a secure, air-gapped network, has actually, been revoked.

BlackEnergy / Black Energy

In 2014 (approximately) a specific user group of BlackEnergy attackers began deploying SCADA-related plugins to victims in the ICS (Industrial Control Systems) and energy markets around the world. This indicated a unique skillset, well above the average DDoS botnet master.

BlackEnergy 3 / Black Energy 3

In May 2015 CyberX published a report following extensive research of the BlackEnergy 3 malware. In the report CyberX reveals that its research team has found indicators that the attackers behind BlackEnergy 3 aim to perform data exfiltration from ICS Networks.

BlackEnergy attack / Black Energy attack

The DHS/FBI released a report in December 2016, in which they said “Russians launched attacks on “critical infrastructure entities” in the US and “conducted damaging and/or disruptive cyber-attacks” on critical infrastructure networks in other countries using BlackEnergy and other malware.

BlackEnergy cyber attack / Black Energy cyber attack

Attackers believed to be operating out of Russia used a combination of social engineering and malware to breach SCADA systems and disrupt power for roughly 230,000 Ukrainians.

The two main pieces of malware used in this attack were the remote access Trojan known as BlackEnergy and KillDisk, a plugin designed to destroy files and make systems inoperable.

Blackenergy Malware / Black Energy Malware

BlackEnergy is a Trojan that is used to conduct DDoS attacks, cyber espionage and information destruction attacks.

Blackenergy Ukraine / Black energy Ukraine

The Black Energy hacker group that targeted the Ukraine in 2015, causing a power outage in the country are in 2016 targeting Ukrainian banks. The Ukrainian government accused Russia of being involved in the attack, but further analysis revealed that the BlackEnergy malware was not directly responsible for the outages.

BugDrop

A sophisticated cyber espionage operation focused primarily within Ukraine reportedly uses malware that leverages Dropbox to exfiltrate stolen data, including conversations recorded by infected computers’ audio microphones.

CyberX Discovers Large-Scale Cyber-Reconnaissance Operation Targeting Ukrainian Organizations. CyberX has discovered a new, large-scale cyber-reconnaissance operation targeting a broad range of targets in the Ukraine. Because it eavesdrops on sensitive conversations by remotely controlling PC microphones – in order to surreptitiously “bug” its targets – and uses Dropbox to store exfiltrated data, CyberX has named it “Operation BugDrop.”

CPS

A cyber-physical system (CPS) is a mechanism controlled or monitored by computer-based algorithms, tightly integrated with the internet and its users. In cyber-physical systems, physical and software components are deeply intertwined, each operating on different spatial and temporal scales, exhibiting multiple and distinct behavioral modalities, and interacting with each other in a myriad of ways that change with context. Examples of CPS include smart grid, autonomous automobile systems, medical monitoring, process control systems, robotics systems, and automatic pilot avionics.

Crash Override

Crash override, also referred to as “Industroyer” is a malicious code that was purposefully developed to attack industrial networks and cause damage to physical systems. In a research published in June 2017, researchers claim that during the attack on the Ukraine power grid in December 2016, the malware was used and was programmed to include the ability to “speak” directly to grid equipment and send commands, including commands to the controls used to switch the power on and off. Another thing worth noting is that the malware was not developed for a specific attack and can relatively easily be adapted to attack other power grids, anywhere.

Cyberwarfare

Cyberwarfare involves the use and targeting of computers and networks in warfare. It involves both offensive and defensive operations pertaining to the threat of cyberattacks, espionage and sabotage. There has been controversy over whether such operations can duly be called “war”. Nevertheless, nations have been developing their capabilities and engaged in cyberwarfare either as an offender, victim, or both.

Cybersecurity and SCADA attacks

The importance of SCADA security has been getting attention as we see more and more successful attacks on SCADA control systems in industrial networks and critical infrastructure. Cyber-adversaries have the necessary resources to launch more sophisticated SCADA ICS attacks, including ransomware attacks that were until recently considered less interesting to cyberattackers. The business impact can include costly production outages, catastrophic safety failures, and environmental release of hazardous materials leading to potential compliance violations and lawsuits.

DCS

A distributed control system (DCS) is a computerized control system for a process or plant, in which autonomous controllers are distributed throughout the system, but there is central operator supervisory control. This is in contrast to non-distributed control systems that use centralized controllers; either discrete controllers located at a central control room or within a central computer. The DCS concept increases reliability and reduces installation costs by localizing control functions near the process plant, but enables monitoring and supervisory control of the process remotely.

Distributed control systems first emerged in large, high value, safety critical process industries, and were attractive because the DCS manufacturer would supply both the local control level and central supervisory equipment as an integrated package, thus reducing design integration risk. In the discussion of DCS vs SCADA it should be noted that today, the functionality of SCADA and DCS systems are very similar, but DCS tends to be used on large continuous process plants where high reliability and security is important, and the control room is not geographically remote.

Dragonfly

Dragonfly malware infected hundreds of business computers in an often successful attempt to collect information on industrial control systems across the United States and Europe. The attack was performed in an orchestrated manner over an extended period of time and used infection methods that were difficult to detect and thwart. The malware collected information vital to the operation of the impacted systems across the energy and pharmaceutical sectors.

Elipse SCADA

Elipse Software is a Brazilian industrial automation software producer whose main activities are designing and selling software for HMI/SCADA projects and interfaces for many types of applications. It was founded in 1986 in Porto Alegre, Brazil. Its four Brazilian branches are located in the cities of São Paulo, Rio de Janeiro, Curitiba and Belo Horizonte. It also has an international branch in Taiwan.

General Electric / GE SCADA

General Electric (GE) is an American multinational conglomerate corporation incorporated in New York and headquartered in Boston, Massachusetts. As of 2016, the company operates through the following segments: Aviation, Current, Digital, Energy Connections, Global Research, Healthcare, Lighting, Oil and Gas, Power, Renewable Energy, Transportation, and Capital which cater to the needs of Financial services, Medical devices, Life Sciences, Pharmaceutical, Automotive, Software Development and Engineering industries.

“iFIX is the industrial automation system of choice for many applications, ranging from common HMI, as simple as manual data entry and validation, to complex SCADA, such as batch, filtration, and distributed alarm management.”

Havex

Havex is a Remote Access Trojan (RAT) that communicates with a Command and Control (C&C) server. The C&C server can deploy payloads that provide additional functionality. F-Secure and ICS-CERT identified and analyzed one payload that enumerates all connected network resources such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system resources within the network. The known components of the identified Havex payload do not appear to target devices using the newer OPC Unified Architecture (UA) standard.

HMI

A human-machine interface (HMI) is the user interface that connects an operator to the controller for an industrial system. Industrial control systems (ICS) are integrated hardware and software designed to monitor and control the operation of machinery and associated devices in industrial environments, including those that are designated critical infrastructure. An HMI includes electronic components for signaling and controlling automation systems.

Some HMIs also translate data from industrial control systems into human-readable visual representations of the systems. Through the HMI, an operator can see schematics of the systems and turn switches and pumps on or off, for example, or raise or lower temperatures. HMIs are usually deployed on Windows-based machines, communicating with programmable logic controllers (PLC) and other industrial controllers.

The accessibility of HMIs poses a risk for ICS security. The systems themselves have long been considered secure from malware because they were not connected to the Internet. In some cases, administrators have deliberately disabled security mechanisms.

Ignition SCADA

Ignition is an Integrated Software Platform for SCADA systems released by Inductive Automation in January 2010. It is based on an SQL Database-centric architecture. Ignition features cross platform web based deployment through Java Web Start technology. The Ignition platform has three main components: the Ignition Gateway, the Designer, and runtime clients. Independent modules provide separate functionality in any or all of the platform components. Ignition SCADA modules provide features such as: Real-Time Status Control, Alarming, Reporting, Data Acquisition, Scripting, Scheduling, MES, and Mobile support.

Industrial Automation

Industrial automation deals primarily with the automation of manufacturing, quality control and material handling processes. General purpose controllers for industrial processes include Programmable logic controllers, stand-alone I/O modules, and computers. Industrial automation is to replace the decision making of humans and manual command-response activities with the use of mechanized equipment and logical programming commands. One trend is increased use of Machine vision to provide automatic inspection and robot guidance functions, another is a continuing increase in the use of robots. Industrial automation is simply done at the industrial level.

Industrial Control System (ICS)

Industrial control system (ICS) is a collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes.

Industrial control system (ICS) is a general term that encompasses several types of control systems and associated instrumentation used in industrial production technology, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures.

Industrial Control System (ICS) Devices

Industrial control systems (ICS) devices are part of what comprises ICS networks. They can be hardware pieces that are part of the network and field devices that remotely connect to the network. In many cases, these devices were not originally designed with security in mind and can therefore be more vulnerable. In today’s reality, where connectivity is part of industrial networks and remote, electronic control of physical equipment and sensors is enabled, devices such as PLCs, HMIs, RTUs, CPS and others, are easy prey to new cyber threats.

Industrial cybersecurity

This field in cybersecurity has been getting many headlines following multiple successful cyberattacks. Successful cyberattacks, such as the destruction of a German steel mill in 2015, the attacks that caused power outages in the Ukrainian power grid during both 2015 and 2016, and the malware infestation at the Gundremmingen nuclear plant in April 2016, are real-world examples of industrial cybersecurity incidents that have had major consequences on cyber-physical systems.

Industrial Protocols

Industrial protocols, also referred to as SCADA protocols or ICS protocols are communication network protocols used for process or industrial automation, building automation, substation automation, automatic meter reading and vehicle automation applications. Protocols include: Ethernet/IP, Profinet, DNP3, MODBUS, ICCP, TCP/IP, ICMP, DNS, BACnet and many more.

Industroyer / CrashOverride / Crash Override

Industroyer (also referred to as Crashoverride or Crash Override) is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a part of Kiev off power for one hour and is considered to have been a large-scale test. Industroyer is the first ever known malware specifically designed to attack electrical grids.

KillDisk

KillDisk is a destructive malware that gained notoriety as a component of the successful attack performed by the BlackEnergy group against the Ukrainian power grid in December 2015. More recently, ESET researchers detected planned cyber-sabotage attacks against a number of different targets within Ukraine’s financial sector. Since then, KillDisk attack campaigns have continued, aimed at several targets in the maritime transport sector.

A new variant of KillDisk was developed by the TeleBots gang, a group of Russian cybercriminals believed to have evolved from the Sandworm gang. The Sandworm gang is responsible for a string of attacks in the United States during 2014 that compromised industrial control system (ICS) and SCADA networks using a variant of the BlackEnergy malware. According to a December 2014 alert from the DHS, this “sophisticated malware campaign” compromised human-machine interfaces (HMIs) at a number of US companies. HMIs are used to control critical industrial processes such as power generating equipment and chemicals production.

M2M

Machine-to-machine (M2M) communications is used for automated data transmission and measurement between mechanical or electronic devices. The key components of an M2M system are: Field-deployed wireless devices with embedded sensors or RFID-Wireless communication networks with complementary wireline access includes, but is not limited to cellular communication, Wi-Fi, ZigBee, WiMAX, wireless LAN (WLAN), generic DSL (xDSL) and fiber to the x (FTTx).

M2M communication security threats and the increased attack surface in ad-hoc and sensor networks has urged the development of technology for preventing attack incidents and for tackling system failures.

NERC CIP

The NERC CIP (North American Electric Reliability Corporation critical infrastructure protection) plan is a set of requirements designed to secure the assets required for operating North America’s bulk electric system.

Network Visibility

Network Visibility is a technology that builds on the concepts and capabilities of Deep Packet Inspection (DPI), Packet Capture and Business Intelligence (BI). It examines, in real time, IP data packets that cross communications networks by identifying the protocols used and extracting packet content and metadata for rapid analysis of data relationships and communications patterns.

Operational Incidents

An incident that leads to an industrial process to deviate from normal operation. Be it due to a cyber-attack, a maintenance issue or a tampering attempt, knowing about an incident ad-hoc, after the damage is done, with no ability to prevent it and no real indication of what has caused it, is the biggest challenge of industrial operations teams.

OT Network / Operational Technology Network

An Operational Technology network, is comprised of computers (hardware and software) that monitor or modify physical processes or states of a system, in critical infrastructure and industrial facilities.

PLC

A programmable logic controller (PLC), or programmable controller is an industrial digital computer which has been ruggedized and adapted for the control of manufacturing processes, such as assembly lines, or robotic devices, or any activity that requires high reliability control and ease of programming and process fault diagnosis.

They were first developed in the automobile industry to provide flexible, ruggedized and easily programmable controllers to replace hard-wired relays and timers. Since then they have been widely adopted as high-reliability automation controllers suitable for harsh environments. A PLC is an example of a “hard” real-time system since output results must be produced in response to input conditions within a limited time, otherwise unintended operation will result.

Predictive Maintenance (PdM)

Predictive maintenance techniques are designed to help determine the condition of in-service equipment in order to predict when maintenance should be performed. This approach promises cost savings over routine or time-based preventive maintenance, because tasks are performed only when warranted.

Rockwell Automation

Rockwell Automation, Inc. (NYSE: ROK), is an American provider of industrial automation and information products. Brands include Allen-Bradley and Rockwell Software.

Headquartered in Milwaukee, Wisconsin, Rockwell Automation employs over 22,000 people and has customers in more than 80 countries worldwide. The Fortune 500 company reported $6.35 billion in sales during fiscal 2013.
“Rockwell Automation, the world’s largest company dedicated to industrial automation and information, makes its customers more productive and the world more sustainable. Rockwell Automation markets a multitude of products including: Industrial control products, DCS, HMI, PLC, sensors and more.”

RTU

A Remote Terminal Unit is a microprocessor-controlled electronic device that interfaces objects in the physical world to a distributed control system or SCADA system by transmitting telemetry data to a master system, and by using messages from the master supervisory system to control connected objects. Other terms that may be used for RTU is remote telemetry unit or remote telecontrol unit.

SCADA – What Does SCADA Stand For?

The SCADA acronym stands for Supervisory control and data acquisition (SCADA), a control system architecture that uses computers, networked data communications and graphical user interfaces for high-level process supervisory management, but uses other peripheral devices such as programmable logic controllers and discrete PID controllers to interface to the process plant or machinery. The operator interfaces which enable monitoring and the issuing of process commands, such as controller set point changes, are handled through the SCADA supervisory computer system. However, the real-time control logic or controller calculations are performed by networked modules which connect to the field sensors and actuators.

The SCADA concept was developed as a universal means of remote access to a variety of local control modules, which could be from different manufacturers allowing access through standard automation protocols. In practice, large SCADA systems have grown to become very similar to distributed control systems in function, but using multiple means of interfacing with the plant. They can control large-scale processes that can include multiple sites, and work over large distances. It is one of the most commonly-used types of industrial control systems, however there are concerns about SCADA systems being vulnerable to cyberwarfare/cyberterrorism attacks.

SCADA EMS

An energy management system (EMS) is a system of computer-aided tools used by operators of electric utility grids to monitor, control, and optimize the performance of the generation and/or transmission system.

SCADA Engineer – SCADA Jobs

SCADA Engineers manage the SCADA data, they design, program and implement industrial controls and data points. SCADA jobs often require from engineers analytical and problem- solving skills.

SCADA Training

More and more control system / SCADA engineers are seeking SCADA security training in order to develop cybersecurity skills they need in order to address the new reality of cyberattacks targeting industrial facilities and critical infrastructure. SANS Institute is one of the establishments offering such training courses.

Schneider Electric

Schneider Electric SE is a French multinational corporation that specializes in energy management and automation solutions, spanning hardware, software, and services. Native of France, the company is headquartered in Rueil-Malmaison and is also based at the World Trade Center of Grenoble with offices throughout the world. A Fortune Global 500 company, Schneider Electric is publicly traded on the Euronext Exchange and is a component of the Euro Stoxx 50 stock market index. In FY2016, the company posted revenues of about €25 billion.

“Citect SCADA is a reliable, flexible and high performance Supervisory Control and Data Acquisition (SCADA) software solution for industrial process customers.”

Siemens SCADA

“In factory automation as well in infrastructure applications, Siemens SCADA systems are redefining efficiency. Both SIMATIC WinCC Professional and WinCC V7 for operational management as well as SIMATIC WinCC Open Architecture for applications with highly customer-specific adaptation requirements support international standards and platforms.”

Situational Awareness

Situational awareness or situation awareness (SA) is the perception of environmental elements and events with respect to time or space, the comprehension of their meaning, and the projection of their status after some variable has changed, such as time, or some other variable, such as a predetermined event. It is also a field of study concerned with understanding of the environment critical to decision-makers in complex, dynamic areas from aviation, air traffic control, ship navigation, power plant operations, military command and control, and emergency services such as fire-fighting and policing; to more ordinary but nevertheless complex tasks such as driving an automobile or riding a bicycle.

State Machine

A finite-state machine (FSM) or finite-state automaton (FSA, plural: automata), finite automaton, or simply a state machine, is a mathematical model of computation. It is an abstract machine that can be in exactly one of a finite number of states at any given time. The FSM can change from one state to another in response to some external inputs; the change from one state to another is called a transition. A FSM is defined by a list of its states, its initial state, and the conditions for each transition.

The behavior of state machines can be observed in many devices in modern society that perform a predetermined sequence of actions depending on a sequence of events with which they are presented. Examples are vending machines, which dispense products when the proper combination of coins is deposited, elevators, whose sequence of stops is determined by the floors requested by riders, traffic lights, which change sequence when cars are waiting, and combination locks, which require the input of combination numbers in the proper order.

A state machine model or a state machine pattern is a behavioral software design pattern that implements a state machine in an object-oriented way.

Stuxnet

Stuxnet is a malicious computer worm, first identified in 2010, that targets industrial computer systems and was responsible for causing substantial damage to Iran’s nuclear program. The software was designed to erase itself in 2012 thus limiting the scope of its effects. The worm is believed by many experts to be a jointly built American-Israeli cyberweapon, although no organization or state has officially admitted responsibility. Anonymous American officials speaking to The Washington Post claimed the worm was developed during the Bush administration to sabotage Iran’s nuclear program with what would seem like a long series of unfortunate accidents.

The difference between PLC and SCADA

PLC is an actual hardware device used to read field sensors (physical signal), and deliver the controlled output. SCADA is the software that is interfaced to the PLC, in order to monitor, control and acquire data from remote locations.

Vulnerability Assessment

A procedure designed to reveal hidden IIoT and ICS vulnerabilities such as industrial malware, vulnerable firewall rules, weak authentication, unauthorized remote access, and undocumented devices in the entire networks in OT networks.

Wonderware SCADA

Wonderware is a brand of industrial software sold by Schneider Electric. Wonderware was part of Invensys plc, and Invensys plc was acquired in January 2014 by Schneider Electric. Invensys plc. was formed in 1999 by the merger of BTR plc and Siebe plc, and Wonderware was acquired by Siebe plc in 1998.

Wonderware software is used in diverse industries, including: Automotive Assembly, Facilities Management, Food and Beverage, CPG, Mining and Metals, Power, Oil and Gas, Chemicals, Energy, and Water and Wastewater.

“Wonderware InTouch SCADA is award-winning HMI visualization software that empowers customers to achieve their quest for operational excellence.”