Utility Cybersecurity: Culture Comes First

It’s a date those in the energy sector know well: August 14, 2003. On that day, more than 50 million people in eight states and portions of Canada lost power when a high-voltage line in Ohio softened, sagged, and brushed against some trees. The fault, combined with a cascading series of technical issues, caused the largest blackout in North American history.

A mission-critical communications system supplier must have controls and policies in place at both the corporate and product level that vigorously protect intellectual property and product data. Within the communication system itself, internal data must be secured, whether stored locally or when exchanged between two or more distributed devices within a network. Confidentiality safeguards for a mission-critical communication system provider should include:

• Logical control—enforcing authentication and identification policies that restrict unauthorized access, including stringent password policies, well-defined role-based access, and network segregation/isolation where required.
• Physical access control—preventing unauthorized access to secure development facilities and critical equipment necessary for core business operations, including two-factor building access controls and datacenter authentication, visitor log management, video surveillance, and secure/locked equipment cabinets.
• Secure data exchange—utilizing secure transfer protocols and controlled credentials during utility/supplier data exchanges, including secure remote access to customer networks, software/patch releases via Secure File Transfer Protocol sites, and login credentials with link expiration.
• System data encryption—preventing unauthorized penetration of critical communication systems via secure access and data transport, including encryption during password transmit/store, external interface encryption (Advanced Encryption Standard, Data Encryption Standard, and enhanced privacy), and key management.
• Identity assurance—granting permission access only to authorized administrators and users, including assignment of unique user credentials, secure Windows Active Directory, and central distributor user management.
• Secure intra-system communication—using secure protocols (Secure Shell/Secure File Transfer Protocol, Hypertext Transfer Protocol Secure/Secure Sockets Layer) to strengthen against packet snooping and potential hacking.

Part I: Conclusion

It’s evident to utility executives, operators, regulators, and related stakeholders that the Northeast blackout of 2003, or an event like it, could be repeated in history. The difference today is that such a cascading series of events could be set in motion not due to human error, extreme weather, aging equipment, or load/generation imbalances, but rather due to hackers inserting malware into a system and gaining operational access.

Accountability in the utility sector is high—NERC’s 15-minute reliability standard in its 2018 glossary is a relatively short period of time to fully recover an electric control center communications system that has been degraded or otherwise rendered unavailable. What’s more, NERC-CIP regulated utilities are required to report downtime that exceeds 15 minutes, including documentation explaining the reason for the interruption. Such reporting opens up the entity to auditing of its day-to-day operations and scrutiny of protocols in place to protect integrity and availability. Any lack of reliability can cause not only a major outage, but also imposes serious safety risks to personnel and the public. With safety as a top priority for utility companies, cybersecurity standards should be both comprehensive and robust.

For this reason, many utilities are now treating mission-critical electric control center communication systems as protected cyberassets, deploying the same reliability standards already in place for bulk power transmission equipment, systems, and facilities. As previously noted in the Ponemon Institute study, 68% of U.S. oil and gas security risk managers reported their operations had at least one security compromise within the last year. With this as the backdrop, a paradigm shift that incorporates communication systems within the electronic security perimeter is both prudent and strategic. By employing tighter operational standards, procedures, and protocols (as defined and required by NIST and NERC-CIP), and by requiring missioncritical communication system business partners to do the same, utility companies can build a future-looking strategy against cyberattacks, whether launched externally or internally. Such a strategy helps protect utilities from stiff NERC civil penalties, as well as difficult-to-measure tolls against a utility’s brand and shareholder value.

¹ U.S.-Canada Power System Outage Task Force. (2004). Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations. https://energy.gov/oe/downloads/blackout-2003-final-report-august-14-2003-blackout-united-states-and-canada-causes-and
² Energy Policy Act of 2005, Pub. L. No. 109-58, 119 Stat. 594 (2005).
³ Federal Energy Regulatory Commission. “FERC Approves Settlement $25 Million Fine for FPL’s 2008 Blackout.” October 8, 2009. http://www.nerc.com/FilingsOrders/us/FERCOrdersRules/FERC%20Press%20Release.pdf
⁴ BTB Security. Cyber Crime: Then and Now. https://www.btbsecurity.com/images/PDFs/BTBAnniversaryInfographic.pdf
⁵ Ponemon Institute. The State of Cybersecurity in the Oil & Gas Industry: United States (2017). http://news.usa.siemens.biz/sites/siemensusa.newshq.businesswire.com/ files/press_release/additional/Cyber_readiness_in_Oil__Gas_Final_4.pdf
⁶ Forrest, C. “DHS, FBI Warn of Cyberattacks Targeting Energy Infrastructure, Government Entities.” TechRepublic. October 23, 2017. https://www.techrepublic.com/article/dhs-fbi-warn-of-cyberattacks-targeting-energy-infrastructure-government-entities/
⁷ NERC. Security Guideline for the electricity Sector: Identifying Critical Cyber Assets (2010). http://www.nerc.com/docs/cip/sgwg/Critcal_Cyber_Asset_ID_V1_Final.pdf
⁸ NERC. Glossary of Terms Used in NERC Reliability Standards. (2018) http://www.nerc.com/files/glossary_of_Terms.pdf
⁹ WECC. CIP-002-5.1 FAQ from WECC Entities: What can I do to...? (2016) https://www.wecc.biz/_layouts/15/WopiFrame.aspx?sourcedoc=/Administrative/14%20CIP%20v5%20FAQ%20from%20WECC%20Entities%2003%2022%2016%20Baugh.pdf&action=default&DefaultItemOpen=1
¹⁰ NERC. Quarterly Workplan Update. (2017) http://www.nerc.com/comm/CIPC/Agendas%20Highlights%20and%20Minutes%202013/CIPC%20Presentations.pdf
¹¹ NIST. NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 3.0. (2014) https://www.nist.gov/sites/default/files/documents/smartgrid/NIST-SP-1108r3.pdf

Utility Cybersecurity: Shut Back Doors to Critical Operational Systems

Cyberattacks on utilities are becoming more frequent, more successful, and more dangerous. While utilities have some of the most sophisticated and effective cybersecurity measures and protocols in place and update them frequently, they also face significant and proven vulnerabilities posed by third-party vendors.

Systems Security

While the task is daunting and there are many areas for concern, there are multiple, achievable ways to provide systems with secure operating environments. This paper identifies some of the energy-focused ones for consideration.

Application Security

Applications, especially web applications, are vulnerable to cyberattacks. The primary problem with an insecure application usually lies in the roots of the software development foundation and process. That’s why utilities should expect their mission-critical communication system vendors to participate in an ongoing audit and compliance process for their systems. A vendor that has participated in vulnerability testing, penetration testing, black-box testing, or white-box testing has a proven level of due diligence.

Before procuring an application, energy companies should request NERC-CIP, NIST 800-53, and other relevant security compliance or certification accreditation. Without knowing the status of the application source code and pre-existing vulnerabilities, software defects, and logical flaws, the organization opens their network infrastructure for potential exploitation.

Additionally, utilities should review and use standards that are accepted and instituted for application security such as the Open Web Application Security Project (OWASP). This project is an open, worldwide security community dedicated to enabling organizations to develop, purchase, and maintain applications and application programming interfaces (APIs) that can be trusted. The following page provides an overview of OWASP’s Top 10 Application Security Risks, as produced in December 2017, with the general causes for each risk.⁷

OWASP’s Top 10 Application Security Risks

OWASP developed this list to educate developers, designers, architects, managers, and organizations about the consequences of the most common and most important web application security weaknesses. This guidance and these basic techniques will help protect against high-risk problem areas.

To this extent, application development frameworks, such as the OWASP-developed Software Application Maturity Model (SAMM), have been developed, instituted, and implemented by many software and systems companies over the past few years, providing a guide for software security strategy, evaluation, and measurement. System and application security, however, must be an ongoing process, not a destination. There is no bulletproof solution to completely protect or isolate systems and applications from being compromised by threat actors. To better manage and protect systems and applications, it is essential to examine governance and administrative policies, operational and technical risks, and implemented controls. With a good foundation and understanding of risk and control management, organizations can better protect, mitigate, and manage cybersecurity risks.

Above all, the implementation of a comprehensive security ecosystem starts with a paradigm shift throughout the organization, from senior officers to end users. Without proper management support and a culture of continuous improvement that includes ongoing security awareness training, organizations will struggle and likely fail to defend their systems and applications.

The internal and regulatory pressure to protect systems and applications is already enormous. As the public learns more about emerging threats and vulnerabilities, they put on more pressure for an urgent response. Businesses and organizations then push vendors and manufacturers to quickly develop security patches and hotfixes to protect or mitigate system and application holes and exploitations. While the urgency is real, it’s easy to overreact in such an environment, resulting in quickly developed solutions that can cause adverse impacts on hardware and software. Software repairs require testing and review of the patches themselves. Installing these software components quickly can, and often does, lead to other software, hardware, and system deficiencies and weaknesses that are open to unforeseen compromise. Therefore, it’s important for utilities to follow a methodical development, testing, and implementation process, such as the OWASP-based SAMM, to mitigate the introduction of any other potential vulnerabilities.

Part II: Conclusion

The DHS and FBI have reminded the energy industry that it continues to be a prime target for cyberattacks. Hackers have proven that, under the right circumstances, they can find a path into staging targets, gather info, and move on to intended targets. And they’re relentless in their efforts to break through any barriers erected to keep them out.

With this as the backdrop, it’s fair to say a utility’s cybersecurity posture is only as strong as its weakest link. With third-party suppliers and vendors increasingly being used as staging targets, they have the potential to become this weak link unless they are fully vetted and can demonstrate they are able to meet cybersecurity requirements for systems and applications. Consider this: All it takes for a serious breach is for a hacker to learn the password of a vendor’s employee who has access to the system. And there are, unfortunately, many other opportunities.

All energy organizations and vendors must protect and defend their technologies, systems, applications, and communications with even more vigor, imagination, intelligence, and resources than the hackers who are attempting to break in. From the smallest suppliers to industry leaders, all systems and applications must be protected and secured starting with how they are built, transported, and installed through how they are used, maintained, and updated. The focus must be on all mission-critical systems and applications, including those used for communications.

¹ United States Computer Emergency Readiness Team, Alert (TA18-074A), “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors (2018). https://www.us-cert.gov/ncas/alerts/TA18-074A
² “Dragonfly: Western energy sector targeted by sophisticated attack group,” Symantec blog, October 20, 2017. https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks
³ “Dragonfly: Western Energy Companies Under Sabotage Threat,” Symantec blog, June 30, 2014. https://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat-energetic-bear
⁴ U.S. Federal Energy Regulatory Commission, Order No. 850, Supply Chain Risk Management Reliability Standards (2018). https://www.ferc.gov/whats-new/comm-meet/2018/101818/E-1.pdf?csrt=15773227531081670129
⁵ North American Electric Reliability Corporation, CIP-013-1, Cyber Security – Supply Chain Risk Management (2017). https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
⁶ National Institute of Standards and Technology, Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, (2015). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf
⁷ “Category: OWASP Top Ten Project,” Open Web Application Security Project (2017). https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Top 10 is free to use and licensed under the Creative Commons Attribution-ShareAlike 4.0 license: https://creativecommons.org/licenses/by-sa/4.0/

Transforming Your Utility’s Tech Partners into Cybersecurity Allies

Utilities rely on numerous third-party vendors to support core business functions, including command center and dispatching communications. What this means in practical terms is that effective cybersecurity management is no longer the responsibility of a single organization.

Communications and Systems Security

Utilities can start with mission-critical communications and systems security postures and understand the requirements needed to create and deploy good and practical security for equipment, components, and operational activities. Connection paths and exchanges of information all require a focus on identifying and protecting critical information that can become compromised or altered.

System-Level Security Evaluations

It’s important for utilities to know that third-party vendors have evaluation criteria for all applications in both a developmental and operational environment to ensure systems, network functions, and computing machines operate optimally.

Security Testing

Vulnerability management is critical to the security and operations for all cyber- based systems and starts by understanding the cybersecurity assets and where they reside—both physically and logically.

Security Baselines

Once a new system is implemented, utilities need a reference for the system operations, maintenance, and security staff to compare the current status and operation to; this reference is typically known as the security baseline.

Operations and Maintenance for Applications

Once utilities deploy systems and applications, they should continue efforts to maintain the security status while in operation. The first and primary focus for a utility should be on system and application patch management.

Part III: Conclusion

The DOE’s energy cybersecurity plan succinctly outlines three overarching areas of concern, which underscores the need for utilities to work collaboratively with government agencies, third-party vendors, and industry associations to mount a comprehensive defense for systems and applications implemented by utilities to support core business functions:

• “Energy owners and operators have integrated advanced digital technologies to automate and control physical functions to improve performance and adjust to a rapidly changing generation mix. This has created a larger cyber attack surface and new opportunities for malicious cyber threats.
• The frequency, scale, and sophistication of cyber threats have increased, and attacks have become easier to launch. Nation-states, criminals, and terrorists regularly probe energy systems to actively exploit cyber vulnerabilities in order to compromise, disrupt, or destroy energy systems. Growing interdependence among the nation’s energy systems increases the risk that disruptions might cascade across organizational and geographic boundaries.
• In response, the government and private sector continue to increase their spending on cybersecurity operations and maintenance. Despite improving defenses, it has become increasingly difficult for energy companies to keep up with growing and aggressive cyber attacks.”⁵

The cyberbasics of system and application patching, managing communication and system-level connections, and testing everything that can be evaluated is without doubt more important than ever for those charged with overseeing a utility’s internetworked systems.

¹ Brooks, Michael, “Experts Urge Utilities to Train, Collaborate on Cybersecurity,” RTO Insider, December 10, 2018. https://www.rtoinsider.com/federal-energy- posluicmy-mit-cybersecurity-107607/
² National Cybersecurity Center of Excellence, National Institute of Standards and Technology (NIST) Special Publication 1800-7, Situational Awareness for Electric Utilities, (2017). https://www.nccoe.nist.gov/projects/use-cases/situational-awareness
³ U.S. Department of Energy, Office of Electricity Delivery & Energy Reliability, Multiyear Plan for Energy Sector Cybersecurity, (2018). https://www.energy.gov/sites/ prod/files/2018/05/f51/DOE%20Multiyear%20Plan%20for%20Energy%20Sector%20Cybersecurity%20_0.pdf
⁴ Hay Newman, Lily, “Equifax officially has no excuse,” WIRED, September 14, 2017. https://www.wired.com/story/equifax-breach-no-excuse/
⁵ U.S. Department of Energy, “Multiyear Plan for Energy Sector Cybersecurity.”

Glossary of Terms

Active Directory authentication

Microsoft® based access control application that facilitates user acceptance onto the system or computer.

Application programming interfaces (APIs)

Application software designed to allow for the interexchanging of data and commands between applications and programs.

“Black box” testing

The process of evaluating the performance of a system or application without knowing the underlying operating characteristics of the system being tested.

Blue team

An organizational component designed to assist the operations staff in determining the best approaches to cybersecurity by evaluating the components in operation.

Bulk Electric System (BES)

As defined by the North American Electric Reliability Corporation (NERC), this is comprised of all transmission elements operated at 100 kV or higher, as well as real power and reactive power sources connected at 100 kV or higher.

BES cybersystem

One or more cyberassets logically grouped together to perform a reliability task for a functional entity.

Checksum

A digital number representation of the sum of the stored or transmitted data used for the purposes of ensuring the data has not been altered.

CIP-013-1

The NERC standard designed to mitigate cybersecurity risks to the reliable operation of the BES by implementing security controls for supply chain risk management of BES cybersystems.

Clustering

The process of connecting different computers together in a unique method so these devices will work together as a single system.

Configuration control board (CCB)

The organizational entity that oversees and manages changes to network components, devices and applications when a system is in an operational environment.

Corporate cybersecurity council

Typically, the oversight board in an organization or corporation tasked with management and governance of the cybersecurity activities in the organization.

Cross-site scripting (XSS)

A type of computer security vulnerability typically found in web applications.

Cyberasset

Programmable electronic devices, including the hardware, software and data in those devices.

Cybersecurity

The protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems.

Cybersecurity ecosystem

The full spectrum of organizational activities, manpower, applications and networks within the cybersecurity area.

Cybersystem

Internetwork information system, including all hardware and software.

Device access control

A security technique that regulates who or what can view or use resources in a computing environment.

DevOps

A methodology of software and application development by which developers and operations staff work together during the development lifecycle.

DOE Multiyear Plan for Energy Sector Cybersecurity

Department of Energy guide produced in March 2018, designed to improve the cybersecurity of the U.S. energy system.

Dragonfly

Nickname of a cyberespionage group focused on electrical providers and management organizations.

Dynamic application security testing (DAST)

A method of testing application software while it is running by, typically, applying a wide range of inputs and evaluating the results.

Encryption

The process of converting plain text data into unknown and unreadable data to ensure confidentiality.

Energy Independence and Security Act of 2007

Signed into law on Dec. 19, 2017, with an aim to move the U.S. toward greater energy independence and security.

Equifax data breach of 2017

A data breach, suffered by the credit reporting organization, which released 146 million credit reports to an undisclosed group through an unpatched web application.

Federal Energy Regulatory Commission (FERC)

A U.S. government independent agency that regulates the interstate transmission of electricity, natural gas and oil.

FERC Order No. 829

Outlines reliability standards concerning supply chain risk management for industrial control system hardware, software and computing and networking services associated with BES operations.

Firewall

A network flow component that manages data traffic and delivery, and provides edge protection, based upon specific requirements and specifications.

Firmware

Specialized software developed to run the CPU of a computer.

Generation, transmission and distribution of power

The full scope of the delivery of electrical power for consumer consumption.

Hashing algorithm

A mathematical formula designed to convert variable length input files or data streams into fixed length output as a means of ensuring data integrity.

Identity assurance

The concept of the trustworthiness of a user’s identity when signing into a computing device.

Industrial control system (ICS)

Computing systems designed to monitor and control physical processes in many different industries and sectors.

Information security operations center (ISOC)

An entity focused exclusively on information assets and their security.

Injection flaws

Vulnerabilities that allow cyberattackers to insert malicious code in another system using an application.

Insecure deserialization

A vulnerability that occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon its deserialization.

Intended targets

The final devices or machines that contain information desired by cyberattackers.

Intrusion detection and prevention

The process by which network devices monitor and identify malicious or suspect actions taking place on the network.

Local domain

The closest management of connected devices and computers to each other with similar activities or roles.

Logical control

Software safeguards to protect an organization’s systems, including user identification and passwords, authentication, and access/authority levels.

Malware

Malicious software often designed to corrupt or steal user data.

MD5

A hashing algorithm used for integrity verification and protection of data.

Minimum security baselines (MSB)

Standards for all systems on your network, ensuring that they meet a set of minimum requirements in order to avoid putting your entire network at risk.

Mission-critical communications system

The most important system for accomplishment of data and/ or voice activities during operational activities.

National Institute of Standards and Technology (NIST)

U.S. government agency responsible for developing and providing the recommended standards and guidelines for computer security, cybersecurity and privacy for all agencies and departments.

National Vulnerability Database (NVD)

A listing maintained by the U.S. government of all known deficiencies, flaws or identified weaknesses in software, hardware, applications, operating systems software and databases in a public forum.

Network monitoring solution

A tool or system that constantly monitors a computer network for slow or failing components and notifies the network administrator in case of outages or other trouble.

Network path and traffic flow

The connections and directions taken by data packets as they traverse the network to get to their destination.

NIST 800-53

The NIST Special Publication (SP) that lists all available security and privacy controls for implementation in computing systems and applications.

NIST 1800-7A

The NIST SP that focuses on the situational awareness activities for electrical utilities.

NIST Cybersecurity Framework (CSF)

A policy framework of computer security guidance for how U.S.-based private sector organizations can assess and improve their ability to prevent, detect and respond to cyberattacks.

NIST National Cybersecurity Center of Excellence (NCCoE)

A U.S. government organization that helps coordinate public and private resources for risk mitigation strategies.

North American Electric Reliability Corporation (NERC)

A not-for-profit international regulatory authority overseeing the bulk electricity risk posture for most of North America.

North American Electric Reliability Corporation Critical Infrastructure Protection standards (NERC-CIP)

A set of requirements designed to secure the assets required for operating North America’s bulk electric system.

Open Web Application Security Project (OWASP)

A non-profit organization focused on improving software security.

Parallel processing

The practice of simultaneously breaking up and running program tasks on multiple microprocessors to expedite processing.

Patch management

The process used for identifying, evaluating and applying security patches to operating systems and applications in a structured and systematic manner.

Penetration testing

The practice of emulating malicious outside attacks as a means of evaluating potential ways to breach a network.

Phishing

A technique used by hackers where an email is sent that appears to be from a legitimate organization in order to obtain sensitive information such as passwords or account numbers.

Physical access control

The management of people entering and exiting a room, building or facility.

Plan of Action and Milestones (POA&M)

U.S. government process for fixing and repairing identified deficiencies in systems and operations that place an organization at risk.

Ponemon Institute

A security research institution, founded in 2002, that primarily focuses on data protection and emerging information technologies.

Ports

The network address of a transmission connection through which data is transported.

Protocols

A set of rules for network communications based on the criteria of the data to be sent or received.

Red Team

An organizational component designed to test operational security by attempting to penetrate the system from outside.

Requests for proposals (RFPs)

A contract document that delineates the methodology and process to meet the requirements of a proposed project.

Risk Management Framework

A guide developed by NIST to manage risks to organizations and agencies in an ongoing and continuous manner.

RJ-45 ports

The connection ports used to provide connections between customer devices and telephone company wiring.

Role-based access control (RBAC)

A method of access control whereby all access is managed via standard roles rather than by individual identities.

Secure data exchange

The process by which data flows between users and computers in a confidential manner.

Secure intrasystem communication

The activity of ensuring the confidentiality of data flowing within a system while being transmitted and received.

Security baselines

Refers to the current security structure of the system or application as designed and implemented.

Security Incident Response Team (SIRT)

The corporate organization with the responsibility to respond to and fix incidents that can have an adverse impact upon the organization and its operations.

Security Operations Center (SOC)

The corporate department tasked with monitoring and responding to cybersecurity events, incidents and response efforts.

Security patch

Software code developed to fix deficiencies and weaknesses in deployed software applications and programs.

Services

The various types of activities delivered by computing devices.

Simple Network Management Protocol (SNMP) Manager

The SNMP-based application that monitors a group of SNMP- capable devices on a computer network.

SNMP Agent

An application/interface that can be enabled or installed to provide SNMP connectivity from an SNMP manager. Data is sent via the SNMP protocol back to the SNMP manager, providing health of the device such as resource utilization, issuing SNMP traps as alarms identifying anomalies in operation, and allowing for polling of a device if maintained communication isn’t available.

Software Application Maturity Model (SAMM)

An OWASP-developed open framework used to implement strategies for software security around organizational risks.

Software development life cycle (SDLC)

The organizational program used to manage and direct the development of systems, applications and components as they are implemented with the organization, covering all areas from conception to system retirement and disposal.

Source code control management

The process of managing and controlling modifications or alterations to basic software code.

SP 800-161

The NIST Special Publication that focuses on supply chain risk management practices for agencies and organizations.

Staging targets

The intermediate devices or machines compromised during a cyberattack as a means to access the intended target.

Statement of work (SOW)

A contract document that specifies the exact requirements and deliverables to be developed in support of the project.

Static application security testing (SAST)

A method of source code analysis that looks for logic or coding flaws in software prior to compiling the code into a program.

Supplier business continuity plan

The organizational plan for handling interruption of business activities of service providers and suppliers.

Survivability

The concept of maintaining operations in a hostile or corrupt operating environment.

System data encryption

The process of using cryptography on data to maintain its confidentiality during use.

Threat agent protection

The concept of preventing and interrupting the actions and activities of potential malicious perpetrators – also known as threat agents.

Trojan horse

A type of software that carries a malicious payload inside other software that appears normal.

Universal Serial Bus (USB)

A connection-based communications protocol used on hardware, computers and devices.

User acceptance testing

The final gauge of a new application or system, used to ensure that it meets the needs and requirements of the intended user.

Utility sector control systems

Operational technology systems used to monitor and control physical devices, assets, and processes, including ICS.

Virus

A malicious program that infects machines and computers as a means of attack on the data held on the machine.

VMware

A publicly traded software company that originated the computer process of virtualization.

Vulnerability management

The organizational program for identifying, managing and repairing the various weaknesses and flaws identified in software and hardware in an organization.

VxWorks

A real-time operating system used in embedded systems.

Web-application firewalls (WAFs)

Application-based software components used to manage and control incoming data that uses internet-based protocols of delivery.

“White box” testing

The process of evaluating the performance and design of a system or application using known and understood processes.

Worm

A type of virus which is self-propagating and needs no user action once a computer is infected.

XML External Entities (XXE)

An application that accepts XML directly or XML uploads, especially from untrusted sources, or inserts untrusted data into XML documents, which is then parsed by an XML processor – making a system vulnerable to attacks.

Additional Resources

NISTIR 7298, rev. 3 – Glossary of Key Information Security Terms (2019)

https://csrc.nist.gov/publications/detail/nistir/7298/rev-3/final

CNSSI-4009 CNSS Glossary – Committee on National Security Systems Glossary (2015)

https://rmf.org/wp-content/uploads/2017/10/CNSSI-4009.pdf

NIST Special Publication 800-37, rev. 2 Risk Management Framework for Information Systems and Organizations (2018)

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

Framework for Improving Infrastructure Cybersecurity v. 1.1 (2018)

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Avtec and the Avtec logo are trademarks or registered trademarks of Avtec. ScoutTM is a trademark of Avtec. Inc.

Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a contractual relationship.