This glossary contains definitions of cybersecurity terms and concepts found throughout the resources that comprise NARUC’s Cybersecurity Manual. It also contains terms that public utility commissions may encounter during engagements with utilities on the topic of cybersecurity.
Definitions contained in this glossary are from authoritative sources. They are gathered here for ease of use. Many definitions are cited verbatim; however, some have been paraphrased or adapted for clarity and conciseness. Links to original sources are included.
The Cybersecurity Glossary is a “living document.” This means that new cybersecurity terms and concepts will be added to reflect the advancement of cybersecurity risk management and technology over time.
A list of notable cybersecurity incidents is included at the end of the glossary. These incidents are often cited in cybersecurity literature, articles, blogs, webinars, and workshops and are included in this glossary for that reason. Presented in chronological order, the list also reflects the increasingly targeted nature of threats to the nation's critical infrastructure.
Cybersecurity Terms
|
Term |
Definition |
Source |
|---|---|---|
|
Access Control
|
The process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities (e.g., federal buildings, military establishments, and border crossing entrances). |
|
|
Access Control List (ACL)
|
A list of permissions associated with an object (e.g., computer hardware or software or a gate that provides ingress and egress to a physical facility). The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. |
|
|
Advanced Persistent Threat (APT) |
An adversary that possesses sophisticated levels of expertise and significant resources used to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (1) pursues its objectives repeatedly over an extended period of time; (2) adapts to defenders’ efforts to resist it; and (3) is determined to maintain the level of interaction needed to execute its objectives. |
|
|
After-Action Report (AAR) |
Summary of key post-exercise evaluation information, including the exercise overview and analysis of objectives and core capabilities. It is developed in conjunction with an improvement plan, which identifies specific corrective actions, assigns them to responsible parties, and establishes target dates for their completion. The lead evaluator and exercise planning team draft the AAR. |
|
|
All-Hazards |
A threat or an incident, natural or manmade, that warrants action to protect life, property, the environment, and public health or safety, and to minimize disruptions of government, social, or economic activities. It includes natural disasters, cyber incidents, industrial accidents, pandemics, acts of terrorism, sabotage, and destructive criminal activity targeting critical infrastructure. |
Presidential Policy Directive / PPD-21
|
|
Attestation |
The validation of all aspects of a computer or system that relate to its safe, secure, and correct operation. |
|
|
Authentication |
Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources. |
|
|
Authorization |
Verifying a user’s permissions (after a user has been authenticated) for accessing certain resources or functionality. |
|
|
Availability |
Ensuring timely and reliable access to and use of information. Resiliency objectives extend the concept to refer to point-in-time availability (i.e., the system, component, or device is usable when needed) and the continuity of availability (i.e., the system, component, or device remains usable for the duration of the time it is needed). With confidentiality and integrity, availability is considered part of the CIA Triad, which represents the three most crucial components of information security. |
|
|
Bandwidth |
The amount of information that can be passed through a communication channel in a given amount of time, usually expressed in bits per second. |
|
|
Bitcoin |
An electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party. |
|
|
Blacklist |
A list of entities that are blocked or denied privileges or access. |
|
|
Black Sky Hazard/Event |
A catastrophic event that severely disrupts the normal functioning of critical infrastructures in multiple regions for long durations. |
|
|
Black Start |
The restoration of a power station without reliance on the external power transmission system. Black start capabilities are often provided by small co-located diesel generators used to start larger generators, which in turn start the main power station generators. |
|
|
Blockchain |
Tamper-resistant digital ledgers implemented in a distributed fashion (i.e., without a central repository) and usually without a central authority (i.e., a bank, company, or government). At their basic level, they enable a community of users to record transactions in a shared ledger within that community, such that under normal operation, no transaction can be changed once published. |
|
|
Botnet |
A collection of computers compromised by malicious code and controlled across a network. (See Command and Control.) The word botnet is a combination of the words robot and network. |
|
|
Boundary Protection |
Monitoring and control of digital communications at the external perimeter of an information system to prevent and detect malicious and other unauthorized communications, using devices such as proxies, gateways, routers, firewalls, guards, and encrypted tunnels. Also referred to as perimeter protection. |
|
|
Bulk Electric System (BES) Cyber Asset |
A Cyber Asset that, if rendered unavailable, degraded, or misused, would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. |
|
|
Command and Control (C&C or C2) network |
A network of computers infected with malware that allows them to issue directives to other digital devices. C&C servers can create powerful networks of infected devices capable of carrying out distributed denial-of-service (DDoS) attacks, stealing data, deleting data or encrypting data in order to carry out an extortion scheme. A malicious network under a C&C server's control is called a botnet and the network nodes that belong to the botnet are sometimes referred to as zombies. |
|
|
Compensating Control |
A cybersecurity control employed in lieu of a recommended control that provides equivalent or comparable control. See Cybersecurity Controls. |
|
|
Confidentiality |
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. With integrity and availability, confidentiality is considered part of the CIA Triad, which represents the three most crucial components of information security. |
|
|
Connectivity |
The minimum number of nodes or links whose removal results in losing all paths that can be used to transfer information from a source to a sink. |
|
|
Contingency |
The unexpected failure or outage of a system component, such as a generator, transmission line, circuit breaker, switch, or other electrical element. |
|
|
Credential |
Information passed from one entity to another to establish the sender’s access rights or to establish the claimed identity of a security subjective relative to a given security domain. |
|
|
Critical Assets |
Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the bulk electric system. |
|
|
Critical Electric Infrastructure Information (CEII) |
Information related to or proposed to critical electric infrastructure,
|
|
|
Critical Infrastructure |
The assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof. |
|
|
Cryptocurrency |
A digital currency used as a medium of exchange, similar to other currencies. However, unlike other currencies, cryptocurrency operates independently of a central bank and uses encryption techniques and blockchain technology to secure and verify transactions. Examples include Bitcoin, Litecoin, Monero, Ethereum, and Ripple. |
|
|
Cyber Asset |
Programmable electronic devices, including the hardware, software, and data in those devices. |
|
|
Cyber Attack |
An attempt to infiltrate information technology systems, computer networks, or individual computers with a malicious intent to steal information, cause damage, or destroy specific targets within the system. |
|
|
Cyber Information Sharing and Collaboration Program (CISCP) |
A program of the U.S Department of Homeland Security that enables actionable, relevant, and timely unclassified information exchange through trusted public-private partnerships across all critical infrastructure sectors. |
|
|
Cyber Kill Chain |
A theory developed by Lockheed Martin that identifies the various stages of a cyber attack: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C&C, and Actions on Objectives. Applying the theory helps cybersecurity professionals recognize and counteract attacks to protect their organization’s assets. |
|
|
Cyber Mutual Assistance Program |
A framework to provide emergency cyber assistance within the electric power and natural gas industries. The program is composed of industry cyber experts who can provide voluntary assistance to other participating entities in advance of, or in the event of, a disruption of electric or natural gas service, systems, and/or IT infrastructure due to a cyber emergency. |
|
|
Cyber Security Incident Response Teams (CSIRTs) |
A group of experts that assesses, documents, and responds to a cyber incident so that a network can not only recover quickly, but also avoid future incidents. |
|
|
Cybersecurity |
The ability to protect or defend the use of cyberspace from cyber attacks. |
|
|
Cybersecurity Capability Maturity Model (C2M2) |
A model that helps organizations—regardless of size, type, or industry—evaluate, prioritize, and improve their own cybersecurity capabilities. |
|
|
Cybersecurity Controls |
The management, operational, and technical methods, policies, and procedures—manual or automated—(i.e., safeguards or countermeasures) prescribed to protect the confidentiality, integrity, and availability of a system and its information. |
|
|
Cybersecurity Incident
|
An event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon. A cyber incident may include a vulnerability in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. |
|
|
Cybersecurity Risk Information Sharing Program (CRISP) |
A public-private data sharing and analysis platform that facilitates the timely bi-directional sharing of unclassified and classified threat information among energy sector stakeholders. |
|
|
Cyberspace |
A global domain within the information environment consisting of the interdependent network of IT and ICS infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. |
|
|
Darknets |
Private, distributed file sharing networks where connections are made only between trusted peers. Darknets are distinct from other distributed networks as sharing is anonymous (i.e., IP addresses are hidden). |
|
|
Defense-in-Depth |
Cybersecurity strategy that integrates people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. |
|
|
Denial of Service (DoS) |
A cyber attack that occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. A denial-of-service floods the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users. DoS attacks can cost an organization both time and money while their resources and services are inaccessible. |
|
|
Distributed control system (DCS) |
Control achieved by intelligence that is distributed about the process to be controlled, rather than by a centrally located single unit. |
|
|
Electronic Security Perimeter (ESP) |
The logical border surrounding a network to which systems are connected. |
|
|
Energy Assurance |
An array of activities that support a robust, secure, reliable, and resilient energy infrastructure. These include energy emergency planning, preparedness, mitigation, and response |
|
|
Encryption |
Cryptographic transformation of data (called “plaintext”) into a form (called “ciphertext”) that conceals the data’s original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called “decryption,” which is a transformation that restores encrypted data to its original state. |
|
|
Endpoint Protection/Security |
A security approach that focuses on locking down endpoints—individual computers, phones, tablets, and other network-enabled devices—in order to keep networks safe. |
|
|
Exploit |
A piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic. |
|
|
Firewall |
A network security device that monitors incoming and outgoing network traffic and helps screen out hackers, viruses, and worms that try to reach a computer over the Internet. A firewall can be hardware, software, or both. |
|
|
Firmware |
A software program or set of instructions programmed on a hardware device. It provides the necessary instructions for how the device communicates with the other computer hardware. |
|
|
Fusion Centers |
Primary focal points within the state and local environment for the receipt, analysis, gathering, and sharing of threat-related information among Federal, State, Local, Tribal, and Territorial (SLTT) partners. They provide interdisciplinary expertise and situational awareness to inform decision-making at all levels of government. Fusion centers are owned and operated by State and Local entities with support from federal partners. |
|
|
Gateway |
An intermediate system (interface, relay) that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables either one-way or two-way communication between the networks. |
|
|
Homeland Security Information Network (HSIN) |
A trusted network for homeland security mission operations to share sensitive but unclassified information. Federal, state, local, territorial, tribal, international and private sector homeland security partners use HSIN to manage operations, analyze data, send alerts and notices, and share the information they need to do their jobs and help keep their communities safe. |
|
|
Honeypot
|
A trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers. |
|
|
Human-Machine Interface (HMI) |
The hardware or software through which an operator interacts with a controller. An HMI can range from a physical control panel with buttons and indicator lights to an industrial PC with a color graphics display running dedicated HMI software. |
|
|
Identity-Based Access Control |
Access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user), where access authorizations to specific objects are assigned based on user identity. |
|
|
Impact |
Damage to an organization’s mission and goals due to the loss of confidentiality, integrity, or availability of system information or operations. |
|
|
Indicators of Compromise (IOC) |
Forensic artifacts of an intrusion. |
|
|
Industrial Control System (ICS) |
A general term that includes several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), Programmable Logic Controllers (PLC) and others often found in industrial and critical infrastructure sectors. An ICS consists of combinations of control components that act together to achieve an industrial objective. |
|
|
Industrial Control Cyber Emergency Response Team (ICS-CERT) |
Operates within the Department of Homeland Security's (DHS) National Cybersecurity and Communications Integration Center (NCCIC) to reduce risks to industrial control systems used within and across all critical infrastructure sectors. ISC-CERT collaborates law enforcement agencies and the intelligence community and coordinates efforts among Federal, State, local, and tribal governments and control systems owners, operators, and vendors. Additionally, ICS-CERT collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures. |
|
|
Information Security |
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, and availability. |
|
|
Information Sharing and Analysis Center (ISAC) |
Sector-specific, member-driven organizations formed by critical infrastructure owners and operators to share information between government and industry. |
|
|
Information System (IS)
|
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (Note: information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.) |
NRECA / Cooperative Research Network |
|
Information Technology (IT) |
The technology involving the development, maintenance, and use of computer systems, software, and networks for the processing and distribution of data. |
|
|
InfraGard |
A partnership between the FBI and members of the private sector. The InfraGard program provides a vehicle for seamless public-private collaboration that expedites the timely exchange of information and promotes mutual learning opportunities relevant to the protection of Critical Infrastructure. |
|
|
Integrity |
Guarding against improper information modification or destruction; includes ensuring the non-repudiation and authenticity of information. With confidentiality and availability, integrity is considered part of the CIA Triad, which represents the three most crucial components of information security. |
|
|
Intelligent electronic device (IED) |
Any device incorporating one or more processors with the capability to receive or send data/control from or to an external source (e.g., electronic multifunction meters, digital relays, controllers). |
|
|
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) Standards |
Standards that represent global consensus on a solution to a particular issue. They provide requirements, specifications, guidelines or characteristics to ensure that materials, products, processes and services are safe to use and fit for their purpose. Whenever possible, requirements are expressed in terms of performance rather than design or descriptive characteristics. |
|
|
Internet Protocol (IP)
|
Standard method for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks. |
|
|
Interoperability
|
The ability of systems, units, or forces to provide services to and accept services from other systems, units, or forces, and to use the services so exchanged to enable them to operate effectively together. |
|
|
Joint Information Center (JIC) |
A central location to facilitate operation of the Joint Information System (JIS) during and after an incident. The JIC enhances information coordination, reduces misinformation, and maximizes resources by co-locating Public Information Officers (PIOs) as much as possible. |
|
|
Joint Information System (JIS) |
An incident response structure that can be leveraged for developing and delivering coordinated interagency messages, executing public information plans and strategies, advising an Incident Commander concerning public affairs issues, and controlling rumors and inaccurate information. |
|
|
Key Logger |
A program designed to record the sequence of keys pressed on a computer keyboard. Such programs can be used to obtain passwords or encryption keys and thus bypass other security measures. |
|
|
Least Privilege |
The principle that users and programs should only have the necessary privileges to complete their tasks. |
|
|
Malware |
Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. Examples include viruses, worms, and Trojan horses, spyware and some forms of adware. |
|
|
Management Controls |
The security controls for IT and ICS that focus on the management of risk and security. |
|
|
Man-In-The-Middle (MitM) |
A type of cyber attack where an interloper inserts him- or herself between two communicating devices, without either side knowing. |
|
|
National Cybersecurity and Communications Integration Center (NCCIC) |
The cyber defense, incident response, and operational integration center of the U.S. Department of Homeland Security. The NCCIC’s mission is to reduce the risk of systemic cybersecurity and communications challenges by serving as a national hub for cyber and communications information, technical expertise, and operational integration, and by operating a 24/7 situational awareness, analysis, and incident response center. |
|
|
National Institutes of Standards and Technology (NIST) |
A federal agency within the U.S. Department of Commerce. NIST's mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. NIST is also responsible for establishing computer- and information technology-related standards and guidelines for federal agencies to use. |
|
|
NIST Cybersecurity Framework (NIST CSF) |
A voluntary framework consisting of standards, guidelines, and best practices to manage cybersecurity risk. |
|
|
Need to Know |
Decision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties. |
|
|
Network (computer network) |
A network of data processing nodes interconnected for the purpose of data communication. |
|
|
North American Electric Reliability Corporation |
A not-for-profit international regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the bulk electric grid in North America. |
|
|
NERC Critical Infrastructure Protection (NERC CIP) |
A set of requirements designed to secure cyber assets required for operating North America's bulk electric system. |
|
|
Operational Controls |
The security controls for IT and ICS, implemented and executed primarily by people (as opposed to systems). |
|
|
Operational Technology (OT) |
Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms. |
|
|
Packet |
The sequence of binary digits transmitted and switched as a composite whole. |
|
|
Phishing |
An attempt to trick people into divulging sensitive information such as usernames, passwords, or credit card numbers. Phishing is carried out by email, over the phone, or using a website. The motives are generally to steal money or a user’s identity. |
|
|
Physical Security Perimeter (PSP) |
The physical border surrounding locations in which BES cyber assets, BES cyber systems, or electronic access control or monitoring systems reside, and for which access is controlled. |
|
|
Personally Identifiable Information (PII) |
Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media. |
|
|
Potential Impact |
The loss of confidentiality, integrity or availability that might have: 1) a limited adverse effect; 2) a serious adverse effect; or 3) a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
|
|
Privileged User |
A user that is authorized (and therefore trusted) to perform security-relevant functions that ordinary users are not authorized to perform. |
|
|
Programmable Logic Controller (PLC) |
A solid-state control system that has a user-programmable memory for storing instructions for the purpose of implementing specific functions such as input/output control, logic, timing, counting, communication, and data and file processing. |
|
|
Protected Critical Infrastructure Information Program (PCII) |
A DHS-specific information protection program that enhances voluntary information sharing between infrastructure owners and operators and the government. PCII protections mean that homeland security partners can be confident that sharing their information with the government will not expose sensitive or proprietary data. |
|
|
Ransomware |
A malicious form of software that locks a computer or files and requires money be paid to get the decryption code to unlock the device or the file. |
|
|
Red Team/Blue Team |
A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture (i.e., the Red Team). The objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment |
|
|
Remote Access |
Access to an organizational system by a user (or a process acting on behalf of a user) communicating through an external network (e.g., the Internet) |
|
|
Remote Access Trojan (RAT) |
A malicious program that runs invisibly on host computers and permits an intruder to gain access and control from afar. Many RATs mimic legitimate functionality but are designed specifically for stealth installation and operation. |
|
|
Resilience |
The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents. |
Presidential Policy Directive / PPD-21
|
|
Risk |
The potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences. |
|
|
Risk Management |
The process of controlling risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security and privacy state of the information system. |
|
|
Risk severity |
A combination of the likelihood of a damaging event actually occurring and the assessed potential impact on the organization’s mission and goals if it does occur. |
|
|
Role-based access control |
Access permission based on users’ roles and typically reflect the need to perform defined functions within an organization. A given role may apply to a single individual or to several individuals. |
|
|
Sandbox |
A system that allows an untrusted software application to run in a highly controlled environment where the application’s permissions are restricted. In particular, an application in a sandbox is usually restricted from accessing the file system or the network. |
|
|
Sensitive Information |
Information of which the loss, misuse, unauthorized access or modification could adversely affect the organization, its employees or its customers. |
|
|
Significant Cyber Incident |
A cyber incident that is (or group of related cyber incidents that together are) likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people. |
|
|
Social Engineering |
Psychological manipulation of people into divulging sensitive information or performing certain actions. |
|
|
Sunshine Laws
|
Open government laws that foster an informed citizenry by providing the public access to government documents and meetings. |
|
|
Supervisory Control and Data Acquisition (SCADA) |
A generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (e.g., delays, data integrity) posed by the various media that must be used, such as phone lines, microwave, and satellite. Usually shared rather than dedicated. |
|
|
Supply Chain |
Linked set of resources and processes between multiple tiers of developers that begins with the sourcing of products and services and extends through the design, development, manufacturing, processing, handling, and delivery of products and services to the acquirer. |
|
|
Technical Controls |
Security controls for IT and ICS implemented and executed primarily through mechanisms contained in hardware, software, or firmware. |
|
|
Threat |
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), resources, and other organizations through an IT and ICS via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. |
|
|
Threat Actor/Agent |
An individual, group, organization, or government that conducts or has the intent to conduct detrimental activities. |
|
|
Traffic Light Protocol (TLP) |
A set of designations used to ensure that sensitive information is shared appropriately. It employs four colors to indicate expected sharing boundaries by the recipient(s). RED: information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. AMBER: information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. GREEN: information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. WHITE: information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. |
|
|
United States Computer Emergency Readiness Team (US-CERT) |
A partnership between the U.S. Department of Homeland Security and the public and private sectors, established to protect the nation's internet infrastructure. US-CERT coordinates defenses against and responses to cyber attacks across the nation. |
|
|
Virus |
A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk. |
|
|
Vulnerability |
A specific weakness in an information system, system security procedures, internal controls, or implementation that a threat source could exploit. |
|
|
Watering Hole Attack |
A security exploit where the attacker infects websites frequently visited by members of a targeted group being attacked, with a goal of infecting a computer used by one or more of the targeted group members when they visit the infected website. |
|
|
Whitelist |
A list of entities considered trustworthy and granted access or privileges. |
|
|
Worm |
A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself. |
|
|
Zero-Day Attack/Exploit |
An attack that exploits a previously unknown hardware, firmware, or software vulnerability. |
|
|
Zero Trust |
A security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access. |
Notable Cybersecurity Incidents
|
Timeline of Significant Cybersecurity Related Events and Incidents |
||
|
Date |
Event/Incident |
Description |
|
March 2007 |
Aurora was the demonstration of a control system software vulnerability that could be exploited to physically destroy power grid equipment. Specifically, researchers at Idaho National Labs used a virus to manipulate systems that controlled a diesel generator. The test involved opening and closing circuit breakers in a manner that resulted in an out-of-synchronism or out-of-phase condition. This condition placed stress upon the mechanical components of rotating equipment in the generator, causing that equipment to fail before protection relays could respond. [1] Comprehensive mitigation techniques include protection and control, electronic and physical security, monitoring, training, risk assessment, and information protection. [2] |
|
|
June 2010 |
Stuxnet |
Stuxnet is a sophisticated computer worm that exploited multiple zero-day software vulnerabilities to infect computers and spread. Its purpose was to cause real-world physical effects. Specifically, Stuxnet targeted centrifuges used to produce enriched uranium, which powers nuclear weapons and reactors. [3] |
|
April 2013 |
Metcalf Incident |
The Metcalf incident refers to a physical attack on a 500kV electric substation in Metcalf, Calif. During the attack, multiple individuals outside the substation reportedly shot at the HV transformer radiators with .30 caliber rounds, causing them to leak cooling oil, overheat, and become inoperative. [4] |
|
June 2014 |
Havex |
Havex is a remote access trojan (RAT) that was part of a widespread espionage campaign targeting ICS across numerous critical infrastructure industries, including energy. Researchers attributed the campaign to a hacking group referred to as “Dragonfly” and “Energetic Bear,” since linked to Russian Intelligence Services. [5] In March 2022, the US DOJ indicted 4 Russian nationals in connection with this attack.[21] Users were infected with Havex via watering hole attacks. Once installed, the malware collected data about the ICS environment and reported back to the attackers via C&C servers. This attack suggests that the attackers had direct interest in controlling ICS environments. [6],[7]
|
|
December 2015 |
Cyber Attack on the Ukrainian Power Distribution Grid |
On December 23, 2015, a coordinated cyber attack was launched on three electricity distribution companies (oblenergos) in Ukraine, during which attackers remotely controlled SCADA distribution management systems, causing power outages to approximately 225,000 customers for three hours.[8] The attacks required the companies to move to manual operations in response.[9] This attack was the first known instance of using malware to generate a real-world power outage.[10] The attacks were linked to a Russian group known as Sandworm. [11] |
|
December 2016 |
CRASHOVERRIDE/ Industroyer |
CRASHOVERRIDE/Industroyer is a first-of-its-kind, ICS-tailored malware framework designed and deployed to attack electric grids. It leverages knowledge of grid operations and ICS network communications to cause impact.[12] CRASHOVERIDE/Industroyer was used in a cyber attack that de-energized a transmission-level substation in Kiev, Ukraine, on December 17, 2016. The attack was similar to one against three Ukrainian electric distribution companies in 2015, which rendered substation devices inoperable and prevented engineers from remotely restoring power. Researchers suggests that components in the CRASHOVERIDE/ Industroyer malware are far more advanced than the malware used in the 2015 attack. [13],[14],[15] ICS security firm Dragos, Inc. tracked the adversary behind CRASHOVERRIDE/Industroyer to Electrum, a hacker group with direct ties to the Russian Sandworm team.[16] |
|
November 2017 |
TRITON/TRISIS |
Triton/TRISIS is malware that targets Schneider Electric Triconex Safety Instrumented System (SIS) controllers. A SIS is an autonomous control system that monitors industrial processes and detects and prevents dangerous physical events. For example, a SIS will safely shut down rotating machinery when a dangerous condition is detected. Each SIS in unique. [17],[18] Triton/TRISIS is the first ever publicly known ICS-tailored malware to target safety instrumented systems. [19] It was discovered when cybersecurity firm Mandiant responded to a cyber incident at a critical infrastructure organization in the Middle East. The malware appears to have been deployed manually after a threat actor familiar with the proprietary Triconex system gained remote access to a SIS engineering workstation and attempted to reprogram the SIS controllers, inadvertently causing the automatic shutdown of the associated industrial process. The attacker may have been attempting to develop the capability to cause physical damage to the organization's equipment. [20] In March 2022, the U.S DOJ indicted an individual in connection with this event.[21] |
|
December 2020 |
Solarwinds |
Solarwinds, an IT management and monitoring firm, was compromised by a highly skilled threat actor who gained access to its network and planted malware into a component of SolarWind’s Orion software.The compromised software was distributed to SolarWinds customers via an automatic update platform used to push out new software updates.The malware allowed access to victims’ networks, permitting the attackers to harvest information and perform other malicious activity. FireEye, a leading cybersecurity firm, discovered the Solarwinds supply chain hacking campaign on December 8, 2020, when it found it had been attacked and security monitoring tools stolen. Evidence suggests the compromise took place earlier, likely March 2020. More than 18,000 public and private sector companies were victims of the Solarwinds supply chain attack. The attack has been linked to Russian state actors.22,23,24 |
|
May 2021 |
Colonial Pipeline |
On May 7, 2021, the Colonial Pipeline Company proactively shut down its pipeline system in response to a ransomware attack. The attack disrupted fuel supplies to the U.S. Southeast. Service was restored and product delivery recommenced on May 13, 2021. The FBI confirmed that Darkside ransomware caused the compromise. Attackers were able to get into the system by stealing a single password to a legacy Virtual Private Network (VPN) system that did not have multifactor authentication in place. |
[2] https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6452_MythReality_MZ_20110217_Web2.pdf?v=20181015-210359.
[3] https://www.csoonline.com/article/3218104/malware/what-is-stuxnet-who-created-it-and-how-does-it-work.html.
[10] https://arstechnica.com/information-technology/2017/01/the-new-normal-yet-another-hacker-caused-power-outage-hits-ukraine/.
[14] https://arstechnica.com/information-technology/2017/06/crash-override-malware-may-sabotage-electric-grids-but-its-no-stuxnet.
[17] https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html.
[20] https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html.
[21] https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical