Glossary

3 × 3 Security Model A model developed to normalize the security challenges within critical infrastructure, using a 3-row, 3-column mapping of critical infrastructure environments addressing asset complexity and capability along with vendor dependency.

Advanced Metering Infrastructure A modern digital measurement and communications infrastructure designed to enable more frequent measurements and to provide those measurements to various parties in real or near-real time. The advanced metering infrastructure typically consists of an AMI headend that provides meter data management and communication aggregation to smart meters (see “Smart Meters”).

Advanced Persistent Threat The advanced persistent threat (APT) refers to a class of sophisticated cyber threat designed to infiltrate a network and remain persistent through evasion and propagation techniques. APTs are typically used to establish and maintain an external command and control channel through which the attacker can continuously exfiltrate data.

AMI See Advanced Metering Infrastructure.

AMI Headend A concentration server responsible for managing AMI communications to a defined number of smart meters. The AMI headend typically aggregates messages from a group of deployed smart meters in a neighborhood or service area, to facilitate the communications of the metering infrastructure to inter-related back office systems such as demand-response, remote meter management, billing, etc.

Anti-virus Anti-virus (AV) systems inspect network and/or file content for indications of infection by malware. AV works by comparing file contents against a library of defined code signatures; if there is a match, the file is typically quarantined to prevent infection, at which point the option to clean the file may be available.

Application Monitor/Application Data Monitor An application content monitoring system which functions much like an intrusion detection system, only performing deep inspection of a session rather than of a packet, so that application contents can be examined at all layers of the OSI model, from low-level protocols (layers 3–4) through application documents, attachments, etc. (layers 5–7). Application monitoring is useful for examining industrial network protocols for malicious content (malware).

Application Whitelisting Application whitelisting (AW) is a form of whitelisting intended to control which executable files (applications) are allowed to operate. AW systems typically work by first establishing the “whitelist” of allowed applications, after which point any attempt to execute code will be compared against that list. If the application is not allowed, it will be prevented from executing. AW often operates at low levels within the kernel of the host operating system.

APT See Advanced Persistent Threat.

Asset An asset is any physical or logical object used within an industrial environment possessing either an actual or perceived value.

Attack Surface The attack surface of a system or asset refers to the collectively exposed portions of that system or asset. A large attack surface means that there are many exposed areas that an attack could target, while a small attack surface means that the target is relatively unexposed.

Attack Vector An attack vector is the direction(s) through which an attack occurs, often referring to specific vulnerabilities that are used by an attacker at any given stage of an attack.

Auditd Auditd is the auditing component of the Linux auditing system, responsible for writing audit events to disk.

AV See Anti-virus.

AWL See Application Whitelisting.

Blacklisting (see “Whitelisting”) Blacklisting refers to the technique of defining known malicious behavior, content, code, etc. Blacklists are typically used for threat detection, comparing network traffic, files, users, or some other quantifiable metric against a relevant blacklist. For example, an intrusion prevention system (IPS) will compare the contents of network packets against blacklists of known malware, indicators of exploits, and other threats so that offending traffic (i.e. packets that match a signature within the blacklist) can be blocked.

CIP See Common Industrial Protocol and Critical Infrastructure Protection.

Common Industrial Protocol (CIP) An industrial protocol maintained by ODVA, Inc. CIP defines industrial messaging, command and control capabilities to supported devices. CIP can be transferred over TCP/IP using EtherNet/IP. CIP is also used in DeviceNet, CompoNet, and ControlNet.

Communication Channel The logical or physical point-to-point or point-to-multi-point data flow between components in one zone to one or more components in another zone.

Compensating Controls The term “compensating controls” is typically used within regulatory standards or guidelines to indicate when an alternative method to those specifically addressed by the standard or guideline is used.

Conduit A logical grouping of communication assets that protects the security of the communication channels it contains, as defined by the ISA-62443 standard. This can apply not only to network channels but also, for example, to a USB device (an asset) connected to a USB port (a conduit) on a computer.

Control Center A control center typically refers to an operations center where a control system is managed. Control centers typically consist of SCADA and HMI systems that provide human interaction with industrial/automated processes.

Correlated Event A correlated event is a larger pattern match consisting of two or more regular logs or events, as detected by an event correlation system. For example, a combination of a network scan event (as reported by a firewall) followed by an injection attempt against an open port (as reported by an IPS) can be correlated together into a larger incident: in this example, an attempted reconnaissance and exploit. Correlated events may be very simple or very complex, and can be used to detect a wide variety of more sophisticated attack indicators.

Critical Infrastructure Protection (CIP) Refers to the protection of those networks and systems that maintain or operate critical functions within a society. The term CIP is most well known as one of the NERC reliability standards, NERC CIP, which mandates the cyber security of critical networks and systems as they relate to the reliability of the bulk electric system (BES) within the power industry.

DAM See Database Activity Monitor.

Data Diode A data diode is a “one-way” data communication device, often consisting of a physical layer unidirectional limitation. Using only one half of a fiber optic “transmit/receive” pair would enforce unidirectional communication at the “physical” layer, while proper configuration of a network firewall could logically enforce unidirectional communication at the “network” layer.

Database Activity Monitor A database activity monitor (DAM) monitors database transactions, including SQL, DML, and other database commands and queries. A DAM may be network or host based. Network-based DAMs monitor database transactions by decoding and interpreting network traffic, while host-based DAMs provide system-level auditing directly from the database server. DAMs can be used for indications of malicious intent (e.g. SQL injection attacks), fraud (e.g. the manipulation of stored data), and/or as a means of logging data access for systems that do not or cannot produce auditable logs.

Database Monitor See Database Activity Monitor.

DCS See Distributed Control System.

Deep Packet Inspection This is a process of inspecting a network packet all the way to layer 7 (application layer) of the OSI model, that is, past the datalink, network, or session headers and into the payload of the packet. Deep packet inspection is used by most intrusion detection and prevention systems (IDS/IPS), newer firewalls, and other security devices within common IT networks, but due to the protocols involved, it is an emerging technology within ICS networks.

Demand-Response System A system wherein the consumer of electricity is able to interact with the grid to control how and when electricity is distributed.

Distributed Control System An industrial control system deployed and controlled in a distributed manner, such that various distributed control systems or processes are controlled individually. Components within a DCS are typically connected via local area networks (LAN). See also: Process Control System, Supervisory Control and Data Acquisition and Industrial Control System.

Distributed Generation Distributed energy generation facilities that are used to feed power into the grid, to facilitate localized supply in remote areas or areas of high demand.

Distribution SCADA SCADA systems designed to control and supervise automation systems used in distribution networks. See Supervisory Control and Data Acquisition.

Distribution System The grid infrastructure responsible for delivering electricity to the end consumer, typically over lower voltages and shorter distances than the transmission system.

DPI See Deep Packet Inspection.

Electronic Security Perimeter An electronic security perimeter (ESP) refers to the demarcation point between a secured enclave, such as a control system, and a less trusted network, such as a business network. The ESP typically includes those devices that secure that demarcation point, including firewalls, IDS, IPS, industrial protocol filters, application monitors, and similar devices.

Enclave A logical grouping of assets, systems and/or services that defines and contains one (or more) functional groups. Enclaves represent network “zones” that can be used to isolate certain functions in order to more effectively secure them.

Energy Management System Systems responsible for analyzing energy quality and quantity on transmission or distribution lines in order to provide load management, prevent over- or undercurrent, swing, or other common line conditions.

EMS See Energy Management System.

Enumeration Enumeration is the process of identifying valid identities of devices and users in a network, typically as an initial step in a network attack process. Enumeration allows an attacker to identify valid systems and/or accounts that can then be targeted for exploitation or compromise.

ESP See Electronic Security Perimeter.

Ethernet/IP Ethernet/IP is a real-time Ethernet protocol supporting the common industrial protocol (CIP), for use in industrial control systems.

Ettercap Ettercap is a network sniffer designed for Man-in-the-Middle attacks.

Event An event is a generic term referring to any datapoint of interest, typically alerts that are generated by security devices, logs produced by systems and applications, alerts produced by network monitors, etc.

Fault A fault in electrical transmission and distribution typically refers to any abnormal flow of electrical current. Faults can occur due to any number of causes, including grounds, phase imbalance, overcurrent, undercurrent, swing, etc.

Fault Management System A computing system designed to monitor and manage electrical faults, to facilitate the prediction of faults before they occur, and the location and remediation of faults that have occurred. Fault management systems may be standalone systems or part of a broader energy management system. Fault management systems typically interface with SCADA and field devices, as well as crew management and response systems.

Field Devices Field devices are those devices deployed “in the field” within the transmission, distribution, and metering infrastructures. Field devices consist of remote terminal units, programmable logic controllers and intelligent electronic devices, for example: reclosers, PMUs, Volt/VAR units, smart meters, etc.

Flame Flame, or flamer, is a common name for (and one of the modular components within) the Skywiper malware. See Skywiper.

Function Code Function codes refer to various numeric identifiers used within industrial network protocols for command and control purposes. For example, a function code may represent a request from a master device to one or more slave devices, such as a request to read a register value, to write a register value, or to restart the device.

Gauss Gauss is one of several recent examples of sophisticated, modular malware. While Gauss presents several similarities to Stuxnet, Gauss has primarily targeted financial and banking data.

GOOSE Generic object oriented substation events are messages defined within IEC 61850, typically transported as an Ethernet multicast between entities within a substation so that multiple devices can subscribe to published data, typically concerning device or relay status, measurements, etc.

HAN See Home Area Network.

HEMS See Home Energy Management System.

HIDS Host IDS. A host intrusion detection system detects intrusion attempts via a software agent running on a specific host. A HIDS detects intrusions by inspecting packets and matching the contents against defined patterns or “signatures” that indicate malicious content, producing an alert on a match.

HIPS Host IPS. A host intrusion prevention system detects and prevents intrusion attempts via a software agent running on a specific host. Like a HIDS, a HIPS detects intrusions by inspecting packets and matching the contents against defined patterns or “signatures” that indicate malicious content. Unlike a HIDS, a HIPS is able to perform active prevention by dropping the offending packet(s), resetting TCP/IP connections, or other actions in addition to passive alerting and logging actions.

HMI A human machine interface (HMI) is the user interface to the processes of an industrial control system. An HMI effectively translates the communications to and from PLCs, RTUs, and other industrial assets into a human-readable interface, which is used by control system operators to manage and monitor processes.

Home Area Network A network of energy management devices, digital consumer electronics, signal-controlled or enabled appliances, and applications within a home environment that is on the home side of the electric meter. It can also be considered as a home-based LAN, but it connects more than just computers. HAN specifications include Zigbee, HomePlug, Z-Wave, and Wireless M-Bus (a wireless variant of M-Bus).

Home Energy Management System A home energy management system (HEMS) provides a console or portal, typically web based, with which a home owner can monitor and manage their home energy consumption.

Host A host is a computer connected to a network; that is, a cyber asset. The term differs from an asset in that hosts typically refer to computers connected to a routable network using the TCP/IP stack—i.e. most computers running a modern operating system and/or specialized network servers and equipment—whereas an asset refers to a broader range of not only the digitally connected physical devices, but also the logical data they possess.

IACS Industrial Automation Control System. See Industrial Control System.

IAM See Identity Access Management.

ICCP See Inter-control Center Communication Protocol.

ICS See Industrial Control System.

Identity Access Management Identity access management refers to the process of managing user identities and user accounts; related user access and authentication activities within a network; and a category of products designed to centralize and automate those functions.

IDS Intrusion detection system. Intrusion detection systems perform deep packet inspection and pattern matching to compare network packets against known “signatures” of malware or other malicious activity, in order to detect a possible network intrusion. IDS operates passively by monitoring networks either in-line or on a tap or span port, and providing security alerts or events to a network operator.

IEC See International Electrotechnical Commission.

IEC 61850 IEC 61850 is a standard for substation automation providing requirements for general functionality as well as system and project management, communication requirements for functions and device models, a configuration language for communication in electrical substations related to IEDs, the basic communication structure, specific communication service mappings, and conformance testing.

IEC 62351 An International Electrotechnical Commission cyber security standard developed to ensure the secure communication and messaging of substation devices using 60870, 61850, etc.

IED See Intelligent Electronic Device.

IEEE C37.118 The IEEE standard for synchrophasors for power systems, which defines standard methods of time synchronization and messaging between multiple phasor measurement units.

IHD See In-home Device.

Industrial Automation and Control System See Industrial Control System.

In-home Device Any smart device in a home, typically communicating via a home area network (HAN) to a home energy management system (HEMS).

Industrial Control System An industrial control system (ICS) refers to the systems, devices, networks and controls used to operate and/or automate an industrial process. Two common forms of ICS include DCS and SCADA. See also: distributed control system and supervisory control and data acquisition.

Intelligent Electronic Device An intelligent electronic device (IED) is an electronic component—such as a regulator or circuit control—that has a microprocessor and is able to communicate, typically digitally using a fieldbus, real-time Ethernet, or other industrial protocols.

Inter-control Center Communication Protocol The Inter-control center communication protocol (ICCP) is a real-time industrial network protocol designed for wide area intercommunication between two or more control centers. ICCP is an internationally recognized standard published by the International Electrotechnical Commission (IEC) as IEC 60870-6. ICCP is also referred to as the Telecontrol Application Service Element 2 or TASE.2.

International Electrotechnical Commission The International Electrotechnical Commission (IEC) is an international standards organization that develops standards for the purposes of consensus and conformity.

International Organization for Standardization The International Organization for Standardization (ISO) is a network of standards organizations from over 160 countries, which develops and publishes standards covering a wide range of topics.

IPS Intrusion Prevention System. Intrusion prevention systems perform the same detection functions as an IDS, with the added capability to block traffic. Traffic can typically be blocked by dropping the offending packet(s) or by forcing a reset of the offending TCP/IP session. An IPS works in-line and therefore may introduce latency.

ISO See International Organization for Standardization.

Load A quantification, over time, of the amount of electric power delivered (supply) or required (demand).

Log A log is a file used to record activities or events, generated by a variety of devices including computer operating systems, applications, network switches and routers, and virtually any computing device. There is no standard for the common format or structure of a log.

Log Management Log management is the process of collecting and storing logs for purposes of log analysis and data forensics, and/or for purposes of regulatory compliance and accountability. Log management typically involves collection of logs, some degree of normalization or categorization, and both short-term storage (for analysis) and long-term storage (for compliance).

Log Management System A system or appliance designed to simplify and/or automate the process of log management. See also Log Management.

Master Station A master station is the controlling asset or host involved in an industrial protocol communication session. The master station, sometimes called a master terminal unit (MTU), is typically responsible for timing, synchronization, and command and control aspects of an industrial network protocol.

Metasploit Metasploit is a commercial package used for penetration testing by exploiting specific system vulnerabilities.

Microgrids Self-sustained generation and distribution infrastructures often used by large campuses, industrial facilities, or government or military facilities where isolation and reliability are important, and where high voltage transmission from the bulk power system may be logistically impractical.

Modbus Originally developed in 1979 as a serial protocol by Modicon (now Schneider Electric), the Modbus protocol is used for intercommunication between industrial control assets. Modbus is a flexible master/slave command and control protocol available in several variants including Modbus ASCII, Modbus RTU, Modbus TCP/IP, Modbus over TCP/IP, and Modbus Plus.

Modbus ASCII A serial-based Modbus variant that uses ASCII characters rather than binary data representation.

Modbus Plus A Modbus extension that operates at higher speeds, which remains proprietary to Schneider Electric.

Modbus RTU A serial-based Modbus variant that uses binary data representation.

Modbus TCP/IP A Modbus variant that operates over TCP/IP by taking only the protocol data unit (PDU) and encapsulating this in an IP packet. The checksum is generated as part of the encapsulation process.

Modbus over TCP/IP A Modbus variant that operates over TCP/IP by taking the entire Modbus RTU application data unit (ADU), including the checksum, and encapsulating this as a payload in an IP packet.

NAC See Network Access Control.

NERC See North American Electric Reliability Corporation.

NERC CIP The North American Electric Reliability Corporation reliability standard for Critical Infrastructure Protection.

Network Access Control Network access control (NAC) provides measures of controlling access to the network, using technologies such as 802.1X (port network access control) to require authentication for a network port to be enabled, or other access control methods. NAC may also include additional security measures that include pre-connect health assessment and mitigation, and post-connect access flow control.

Network Layer Protocol Protocols for routing messages through a complex network. Most modern industrial fieldbus and SCADA protocols contain a network layer (e.g. an IP address).

Network Whitelisting (see Whitelisting).

NIDS Network IDS. A network intrusion detection system detects intrusion attempts via a network interface card, which connects to the network either in-line or via a span or tap port.

NIPS Network IPS. A network intrusion prevention system detects and prevents intrusion attempts via a network-attached device using two or more network interface cards to support inbound and outbound network traffic, with optional bypass interfaces to preserve network reliability in the event of a NIPS failure.

NIST The National Institute of Standards and Technology. NIST is a non-regulatory federal agency within the United States Department of Commerce, whose mission is to promote innovation through the advancement of science, technology, and standards. NIST provides numerous research documents and recommendations (the “Special Publication 800 series”) around information technology security.

Nmap Nmap or “Network Mapper” is a popular network scanner, enumeration and fingerprinting tool distributed under GNU General Public License GPL-2 by nmap.org.

North American Electric Reliability Corporation The North American Electric Reliability Corporation is an organization that develops and enforces reliability standards for and monitors the activities of the bulk electric system (BES) power grid in North America including the United States (excluding Alaska and Hawaii), Canada, and parts of Mexico.

NRC See Nuclear Regulatory Commission.

Nuclear Regulatory Commission The United States Nuclear Regulatory Commission (NRC) is a five-member presidentially appointed commission responsible for the safe use of radioactive materials including but not limited to nuclear energy, nuclear fuels, radioactive waste management, and the medical use of radioactive materials.

OSSIM OSSIM is an Open Source Security Information Management project, whose source code is distributed under GNU General Public License GPL-2 by AlienVault. See Security Information Management.

Outage Management System An outage management system is a computing system that utilizes transmission and distribution measurements to isolate the cause(s) and location(s) of outages, to help coordinate field crews and incident response teams.

PCS Process Control System. See Distributed Control System and Industrial Control System.

Pentest A Penetration Test. This is a method for determining the risk to a network by attempting to penetrate its defenses. Pentesting combines vulnerability assessment techniques with evasion techniques and other attack methods to simulate a “real attack,” including attempts to exploit discovered vulnerabilities.

PDC See Phasor Data Concentrator.

Phasor Data Concentrator A phasor data concentrator aggregates synchronized phasor measurements from multiple distributed phasor measurement units to enable analysis of overall line quality and condition within transmission and distribution systems.

Phasor Measurement Unit A phasor measurement unit measures voltage and current of electricity throughout transmission and distribution systems. Synchronization of PMU measurements (i.e. “Synchrophasor Measurement”) is used to obtain an accurate image of line condition throughout the grid at any given time.

Physical Layer Protocol Protocols for transmitting raw electrical signals over the communications channel. Deals with transmission physics such as cabling, modulation, and transmission rates (e.g. copper, fiber optic, VHF, GSM, satellite, WiMax).

PMU See Phasor Measurement Unit.

PLC See Programmable Logic Controller and Power Line Communications.

Process Control System See Distributed Control System and Industrial Control System.

Profibus Profibus is an industrial fieldbus protocol based on a serial-bus physical layer defined by IEC standard IEC-61158/IEC-61784-1. Profibus supports two application layer protocols: distributed peripheral (DP) and process automation (PA).

Profinet Profinet is an implementation of Profibus designed to operate in real time over industrial Ethernet.

Programmable Logic Controller (PLC) A programmable logic controller (PLC) is an industrial device that uses a logical representation of input coils and output relays in combination with programmable logic in order to build automated control logic. PLCs commonly use relay ladder logic (RLL) to read inputs, compare values against defined set points, perform logical operations (e.g. “and,” “or,” etc.) and (potentially) write to outputs.

Power Line Communications (PLC, alternate meaning) A communication mechanism using the power lines themselves to transmit digital communications relevant to Smart Grid systems.

Protection Protection refers to circuit breakers, fuses, reclosers, and other devices designed to trip a system to prevent a safety or reliability risk in the event of a fault.

Recloser A recloser is a device within the distribution system designed to automatically reopen a circuit that may have tripped due to a fault, to enable a degree of resiliency within the distribution system and minimize the need for the deployment of field crews to address momentary faults such as surges.

Remote Terminal Unit A remote terminal unit (RTU) is a device combining remote communication capabilities with programmable logic for the control of processes in remote locations. These devices are typically designed to support low communication bandwidth, high latency, and often lower power consumption requirements.

Resilience The ability of a system to accommodate significant changes in its environment by taking extraordinary actions to maintain acceptable system performance.

Risk Assessment The process of identifying and evaluating risks to the organization’s operations (including mission, functions, image, or reputation), the organization’s assets, or individuals, by determining the likelihood of occurrence, the resulting impact, and additional countermeasures that would mitigate this impact.

Risk Mitigation The actions used to reduce the likelihood and/or severity of an event.

Risk Tolerance The risk an organization is willing to accept.

RTU See Remote Terminal Unit.

SCADA See Supervisory Control and Data Acquisition.

SCADA-IDS SCADA aware intrusion detection system. An IDS system designed for use in SCADA and ICS networks. SCADA-IDS devices support pattern matching against the specific protocols and services used in control systems, such as Modbus, ICCP, DNP3, and others. SCADA-IDS are passive and are therefore suitable for deployment within a control system, as they do not introduce any risk to control system reliability.

SCADA-IPS SCADA aware intrusion prevention system. An IPS system designed for use in SCADA and ICS networks. SCADA-IPS devices support pattern matching against the specific protocols and services used in control systems, such as Modbus, ICCP, DNP3, and others. SCADA-IPS are active and can block or blacklist traffic, making them most suitable for use at control system perimeters. SCADA-IPS are not typically deployed within a control system for fear of a false positive disrupting normal control system operations.

Security Assessment A comprehensive process that not only looks for host and asset vulnerabilities, but also analyzes internal processes and procedures, system configuration, testing, usage, etc. that could potentially result in a “system” being compromised or attacked.

Security Audit A process that occurs on a recurring basis and evaluates the current level of security provided by a system against a predetermined set of criteria, such as a compliance standard like NERC CIP.

Security Assurance Level The measure of confidence that computer systems and data are free from vulnerabilities, whether intentionally designed into computer components or accidentally inserted at any time during their lifecycle, and that the computer systems function in the intended manner.

Security Event Management See Security Information and Event Management.

Security Information Management See Security Information and Event Management.

Security Information and Event Management Security information and event management (SIEM) combines security information management (SIM or log management) with security event management (SEM) to provide a common centralized system for managing network threats and all associated information and context.

Security Testing See Security Assessment.

SEM See Security Information and Event Management.

Set Points Set points (SP) are defined values signifying a target metric against which automated control can operate. For example, a set point may define a high temperature range, or the optimum pressure of a container, etc. By comparing set points against sensory input, also known as a process value (PV), automated controls can be established. For example, if the temperature in a furnace reaches the set point for the maximum temperature ceiling, reduce the flow of fuel to the burner.

SIEM See Security Information and Event Management.

SIM See Security Information and Event Management.

Situational Awareness Situational awareness is a term used by the National Institute of Standards and Technology (NIST) and others to indicate a desired state of awareness within a network in order to identify and respond to network based attacks. The term is derivative of the military command and control process of perceiving a threat, comprehending it, making a decision, and taking an action in order to maintain the security of the environment. Situational awareness in network security can be obtained through network and security monitoring (perception), alert notifications (comprehension), security threat analysis (decision making), and remediation (taking action).

Skywiper A complex cyber threat also known as Flame or Flamer.

Smart Grid An intelligent and automated evolution of energy generation, delivery and consumption designed to make energy more cost effective and efficient.

Smartlisting A term referring to the use of both blacklisting and whitelisting technologies in conjunction with a centralized intelligence system such as a SIEM in order to dynamically adapt common blacklists in response to observed security event activities. See also: whitelisting and blacklisting.

Smart Meter An intelligent meter that measures utility (electricity, water, or gas) consumption by the end user and can communicate measurements and status back to supporting systems within the Smart Grid, such as demand response systems, distribution management, and home energy management systems (HEMS).

Step-down Transformer A step-down transformer converts high-voltage energy to low-voltage energy, so that it is more suitable for distribution over shorter distances and to homes or businesses. See Transformer.

Step-up Transformer A step-up transformer converts low-voltage energy to high-voltage energy, so that it is more suitable for transmitting large amounts of energy over longer distances. See Transformer.

Stuxnet An advanced cyber attack against an industrial control system, consisting of multiple zero-day exploits used for the delivery of malware that then targeted and infected specific industrial controls for the purposes of sabotaging an automated manufacturing process.

St****t A censored representation of “Stuxnet,” which is widely regarded as the first cyber attack to specifically target an industrial control system.

Substation A substation, or “yard,” refers to a nexus point within or between generation, transmission, and distribution systems. A substation typically converges or diverges multiple lines while providing power conditioning and protection. Transmission substations refer to substations where high-voltage transmission lines aggregate, while distribution substations refer to substations where lower voltage distribution lines aggregate.

Substation Automation Substation automation refers to the communication within and between substation devices designed to automatically perform load and line management in response to real-time grid measurements and conditions.

Supervisory Control and Data Acquisition Supervisory control and data acquisition (SCADA) refers to the systems and networks that communicate with industrial control systems to provide data to operators for supervisory purposes, as well as control capabilities for process management.

Swing Swing refers to oscillations in electrical conditions (active power, reactive power, voltage, phase, etc.), resulting in instabilities that typically precede an impending fault and could cause a generation plant or transmission line to trip.

Synchrophasor A synchrophasor is a device designed to synchronize real-time electrical measurement throughout a distributed grid. Synchronization is typically performed using global positioning systems (GPS) according to the IEEE C37.118 synchrophasor protocol. See Phasor Measurement Unit and Phasor Data Concentrator.

Transformer A transformer is a device that transfers electrical energy from one circuit to another and converts it from one voltage to another, typically via the use of coils (inductive coupling conductors).

Transmission SCADA A supervisory control and data acquisition (SCADA) system tailored for use within energy transmission substations and lines.

Transmission System The system of high-voltage energy delivery designed to move large amounts of energy over long distances, such as between towns and regions. Transmission systems consist of transmission lines and transmission substations.

Unidirectional Gateway A network gateway device that only allows communication in one direction through specific use of physical layer technology, such as a data diode. See also Data Diode.

User Whitelisting The process of establishing a “whitelist” of known valid user identities and/or accounts, for the purpose of detecting and/or preventing rogue user activities. See also: Application Whitelisting.

VA See Vulnerability Assessment.

Volt/VAR A device designed to measure active (voltage) and reactive (voltage-ampere, or “VAR”) power within the grid.

Vulnerability A vulnerability refers to a weakness in a system that can be utilized by an attacker to damage the system, obtain unauthorized access, execute arbitrary code, or otherwise exploit the system.

Vulnerability Assessment The process of scanning networks to find hosts or assets, and probing those hosts to determine vulnerabilities. Vulnerability assessment can be automated using a vulnerability assessment scanner, which will typically examine a host to determine the version of the operating system and all running applications, which can then be compared against a repository of known software vulnerabilities to determine where patches should be applied.

Whitelists Whitelists refer to defined lists of “known good” items: users, network addresses, applications, etc., typically for the purpose of exception-based security, where any item not explicitly defined as “known good” results in a remediation action (e.g. alert, block). Whitelists contrast with blacklists, which define “known bad” items.

Yard See Substation.

Zone A zone refers to a logical boundary or enclave containing assets that are of like function and/or criticality, or that share a logical and/or physical relationship with one another (e.g. location), for the purposes of facilitating the security of common systems and services. Zone separation is one of the principal methodologies of the ISA-62443 security standard. See also: Enclave.

ZigBee A suite of specifications by the ZigBee Alliance, defining network and communication standards for building automation, smart energy, home automation, and other systems, many of which are relevant to the Smart Grid, smart metering, home area networks, and home energy management systems (HEMS).
