U.S. Department of Homeland Security
ICS-CERT (Industrial Control Systems Cyber Emergency Response Team)
TLP:WHITE

Secure Architecture Design Definitions

Backup Control Center

The backup control center is a redundant control system that mirrors the primary control center system. It provides parallel or redundant communications with the remote I/O areas and allows a complete transfer of control from the primary control system to the backup system, in an emergency or during planned operations, without losing emergency operational control and monitoring capability for the associated process systems.

Control System Applications Server

This server is the data communications traffic routing controller for the control system applications. It puts the data into the proper format for transmission to the various applications and enforces communications priorities on the data traffic. Advanced or special data processing applications are also located on this server.

Control System Authentication DMZ

In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an internal network and an external network. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

The control system authentication DMZ is used for providing corporate network user authentication for internal control system network access.

Control System Authentication Server

Authentication servers are servers that provide authentication services to users or other systems. Users and other servers authenticate to such a server, and receive cryptographic tickets. These tickets are then exchanged with one another to verify identity.

Authentication is used as the basis for authorization (determining whether a privilege will be granted to a particular user or process), privacy (keeping information from becoming known to non-participants), and non-repudiation (not being able to deny having done something that was authorized to be done based on the authentication).

The control system authentication DMZ is used for providing external or Internet user authentication for corporate network access.

Control System Business Communications DMZ

In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an internal network and an external network. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

The control system business communications DMZ is often used for providing external ICCP data communications services to business entities outside the control system network.

Control System Configuration Server

This server is used to configure, store, assess and populate applications data to other computers on the control system network that are associated with the vendor control system applications.

Control System Data Acquisition Server

The data acquisition server (DAS) provides the interface between the control system LAN applications and the field equipment monitored and controlled by the control system applications. The DAS, sometimes referred to as a Front-End Processor (FEP) or Input/Output Server (IOS), converts the control system application data into packets that are transmitted over various types of communications media to the end device locations. The DAS also converts data received from the various end devices over different communications media into data formatted for the control system networked applications.

Associated Attack Methodologies

  • Back Door Through Access Point
  • Man-in-the-Middle Attack
  • OPC/DCOM Attack
  • SQL Injection Attack

Control System Database DMZ

In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an internal network and an external network. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

The DB DMZ is used for providing corporate or control system database access as required by users. The DB is configured to protect the control system from various types of attacks originating in the external networks.

Control System Database Server

The function of the database server is to provide various database services to the control system applications. The application control system point database information is located on this computer as well as the system configuration database information.

Associated Attack Methodologies

  • Back Door Through Internet
  • SQL Injection Attack

Control System Engineering Workstation

The engineering workstation is usually a high-end, highly reliable computing platform designed for configuration, maintenance and diagnostics of the control system applications and other control system equipment. The system is usually made up of redundant hard disk drives, a high-speed network interface, reliable CPUs, high-performance graphics hardware, and applications that provide configuration and monitoring tools for control system application development, compilation and distribution of system modifications.

Associated Attack Methodologies

  • Cross-site Scripting Attack

Control System External Business Communication Server

The external business communications server is used to provide control system data communications between the control system network and external business entities that share operational status, control and business information. A standard protocol used primarily in SCADA applications is the Inter-Control Center Communications Protocol (ICCP, per IEC 60870-6 TASE.2).

Control System Firewall

In computing, a firewall is a piece of hardware and/or software that operates in a networked environment to block communications forbidden by the security policy, analogous to the function of firewalls in building construction. A firewall is also called a Border Protection Device (BPD). A firewall has the basic task of controlling traffic between different zones of trust. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust). The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle.

Proper configuration of firewalls demands skill from the administrator. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall worthless as a security tool.
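The DMZ connectivity model defined in the DMZ entries on this page (internal and external networks may reach the DMZ; the DMZ may reach only the external network) and the default-deny, least-privilege policy the firewall definition describes, expressed as a small zone-based policy evaluator. This is an added example, not code from ICS-CERT or from this page; the zone names, address ranges, rules, probe hosts and sample flows are constructed for illustration. The audit function probes a policy for the kind of small mistake the paragraph above warns about: a rule that quietly lets a DMZ host reach the internal zone.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Constructed zones for this example (addresses are illustrative, not from the page).
# "external" is the catch-all: any address not in a more specific zone.
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz":      ip_network("192.168.100.0/24"),
    "external": ip_network("0.0.0.0/0"),
}


def zone_of(addr: str) -> str:
    """Map an address to the most specific (longest-prefix) zone containing it."""
    ip = ip_address(addr)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if ip in net]
    return max(matches)[1]


@dataclass(frozen=True)
class Rule:
    src_zone: str            # zone name or "any"
    dst_zone: str            # zone name or "any"
    dst_port: Optional[int]  # None means any port
    action: str              # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


# The DMZ model from the definitions: internal -> DMZ and external -> DMZ are
# permitted, DMZ -> external is permitted, and nothing else is listed, so
# DMZ -> internal falls through to the implicit default deny (least privilege).
DMZ_POLICY: List[Rule] = [
    Rule("internal", "dmz", 443, "allow"),
    Rule("external", "dmz", 443, "allow"),
    Rule("dmz", "external", 443, "allow"),
]

# The "small mistake" case: an administrator who wanted "DMZ may reach the
# Internet" wrote "dmz -> any" instead of "dmz -> external".
BROKEN_POLICY: List[Rule] = DMZ_POLICY + [Rule("dmz", "any", None, "allow")]


def evaluate(flow: Flow, policy: Iterable[Rule]) -> str:
    """First-match evaluation; a flow that no rule matches is denied."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    for rule in policy:
        if (rule.src_zone in ("any", src)
                and rule.dst_zone in ("any", dst)
                and rule.dst_port in (None, flow.dst_port)):
            return rule.action
    return "deny"


def audit_dmz_invariant(policy: List[Rule]) -> List[int]:
    """Probe the policy with synthetic DMZ -> internal flows and return the
    destination ports that would be allowed. Probing every port the policy
    mentions plus one it does not catches both explicit and wildcard rules
    and respects rule order, which a static scan of the rule list would miss.
    An empty list means the DMZ is still a dead end toward the internal zone."""
    probe_src, probe_dst = "192.168.100.10", "10.0.0.10"   # constructed hosts
    ports = {r.dst_port for r in policy if r.dst_port is not None} | {65000}
    return sorted(p for p in ports
                  if evaluate(Flow(probe_src, probe_dst, p), policy) == "allow")


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.0/24 is a documentation range.
    samples = [
        Flow("10.1.2.3", "192.168.100.10", 443),       # internal -> dmz
        Flow("203.0.113.5", "192.168.100.10", 443),    # external -> dmz
        Flow("192.168.100.10", "203.0.113.5", 443),    # dmz -> external
        Flow("192.168.100.10", "10.1.2.3", 443),       # dmz -> internal
    ]
    for f in samples:
        print(f"{zone_of(f.src):>8} -> {zone_of(f.dst):<8} port {f.dst_port}: "
              f"{evaluate(f, DMZ_POLICY)}")
    print("DMZ_POLICY leaks to internal on ports:", audit_dmz_invariant(DMZ_POLICY))
    print("BROKEN_POLICY leaks to internal on ports:", audit_dmz_invariant(BROKEN_POLICY))
```

Running the block shows the three permitted directions allowed and the DMZ-to-internal flow denied under DMZ_POLICY, while the audit of BROKEN_POLICY reports that the wildcard rule opens every probed port toward the internal zone. Because the audit drives the same evaluate() the firewall would use, it sees the policy as deployed rather than as intended, which is the check worth repeating after every rule change.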

Associated Attack Methodologies

  • Back Door Through Access Point
  • Back Door Through Internet
  • Cross-site Scripting Attack
  • Man-in-the-Middle Attack
  • OPC/DCOM Attack
  • SQL Injection Attack

Control System Historian

A centralized database located in the control system LAN supporting data archival and data analysis using statistical process control techniques.

Associated Attack Methodologies

  • Back Door Through Access Point
  • Man-in-the-Middle Attack
  • OPC/DCOM Attack
  • SQL Injection Attack

Control System HMI Computers

In computer science and human-computer interaction, the Human-Machine Interface (HMI) refers to the graphical, textual and auditory information the program presents to the user (operator) using computer monitors and audio subsystems, and the control sequences (such as keystrokes with the computer keyboard, movements of the computer mouse, and selections with the touchscreen) the user employs to control the program. Currently the following types of HMI are the most common:

  • Graphical user interfaces (GUI) accept input via devices such as the computer keyboard and mouse and provide articulated graphical output on the computer monitor.
  • Web-based user interfaces accept input and provide output by generating web pages which are transported via the network and viewed by the user using a web browser program.

The operations user must be able to control the system and assess the state of the system. Each control system vendor provides a unique look-and-feel to their basic HMI applications. An older, not gender-neutral version of the term is man-machine interface (MMI).

The system may expose several user interfaces to serve different kinds of users. User interface screens may be optimized to provide the appropriate information and control interface to operations users, engineering users and management users.

Associated Attack Methodologies

  • Back Door Through Access Point
  • Back Door Through Internet
  • Cross-site Scripting Attack
  • Man-in-the-Middle Attack
  • OPC/DCOM Attack
  • SQL Injection Attack

Control System LAN

The local area network that connects all of the vendor and add-on networked equipment that comprises the control system applications. This includes the network equipment such as switches, routers, IDS, firewalls and other equipment used to complete the control system LAN.

Associated Attack Methodologies

  • Cross-site Scripting Attack

Control System MODEM Pool

A modem is a device or program that enables a computer to transmit data over telephone or cable lines. Computer information is stored digitally, whereas information transmitted over telephone lines is transmitted in the form of analog waves. A modem converts between these two forms. A "modem pool" is a group of modems. A control system modem pool allows information to be transferred between the centralized part of a control system and the field-located controllers and input/output devices.

Control System Security DMZ

In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an internal network and an external network. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

The Security DMZ is used for providing controlled access for external personnel to services on control system network equipment, so that system updates and upgrades can be applied securely.

Control System Security Server

A computer that provides a compartmentalized interface to manage most of the control system security monitoring and configuration applications.

Control System Telephony Firewall

Consider the telephony firewall to be the equivalent of the corporate Internet firewall for Public Switched Telephone Network (PSTN) connections. A telephony firewall is designed to protect a telephone exchange or PBX by reporting on a variety of attacks, commonly referred to as phreaking, the PSTN equivalent of hacking. The telephony firewall is normally placed between the PSTN and the modem; however, it can be located on either or both sides of the PBX, depending on security needs. It can provide voice-level capabilities similar to the data-level capabilities of network firewalls in use today. It can be configured to report on a variety of attacks ranging from misuse, such as a pre-set threshold of particular calls being exceeded, to attacks against the exchange such as wardialing, where many telephone extensions are called in order to solicit information about the end user device.

Associated Attack Methodologies

  • Back Door Through Access Point
  • Back Door Through Internet
  • Cross-site Scripting Attack
  • Man-in-the-Middle Attack
  • SQL Injection Attack

Control System Web Server DMZ

In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an internal network and an external network. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

The Control System Web DMZ is used for providing various web server services to corporate users accessing data in the CS Web DMZ.

Control System WWW Server

The WWW server or Web server can mean one of two things:

  1. A computer that is responsible for accepting HTTP requests from clients, which are known as Web browsers, and serving them Web pages, which are usually HTML documents and linked objects (images, etc.).
  2. A computer program that provides the functionality described in the first sense of the term.

Associated Attack Methodologies

  • Cross-site Scripting Attack

Corporate Authentication DMZ

In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an internal network and an external network. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

The corporate authentication DMZ is used for providing corporate network user authentication for internal control system network access.

Corporate Authentication Server

Authentication servers are servers that provide authentication services to users or other systems. Users and other servers authenticate to such a server, and receive cryptographic tickets. These tickets are then exchanged with one another to verify identity.

Authentication is used as the basis for authorization (determining whether a privilege will be granted to a particular user or process), privacy (keeping information from becoming known to non-participants), and non-repudiation (not being able to deny having done something that was authorized to be done based on the authentication).

The corporate authentication DMZ is used for providing external or Internet user authentication for corporate network access.

Corporate Business Servers

Servers located in the corporate LAN that provide network access to shared (group-accessed) applications for personnel on the corporate network.

Associated Attack Methodologies

  • Back Door Through Access Point
  • Back Door Through Internet
  • Man-in-the-Middle Attack
  • OPC/DCOM Attack
  • SQL Injection Attack

Corporate Business Workstations

Computers located in the corporate LAN providing various office, business and engineering functions typically accessed by individual users.

Associated Attack Methodologies

  • Back Door Through Access Point
  • Back Door Through Internet
  • Cross-site Scripting Attack
  • Man-in-the-Middle Attack
  • OPC/DCOM Attack
  • SQL Injection Attack

Corporate CS DB/Historian

A centralized database located on a computer installed in the control system DMZ supporting external corporate user data access for archival and analysis using statistical process control and other techniques.

Associated Attack Methodologies

  • SQL Injection Attack

Corporate DNS DMZ

In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an internal network and an external network. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

The DNS DMZ is used for providing external or Internet DNS services to corporate users.

Corporate DNS Server

The Domain Name System, or Domain Name Server (DNS), is a system that stores information associated with domain names in a distributed database on networks. The DNS associates many types of information with domain names, but most importantly it provides the IP address associated with a domain name. It also lists the mail exchange servers accepting e-mail for each domain. In providing a worldwide keyword-based redirection service, DNS is an essential component of contemporary Internet use.

DNS is useful for several reasons. Most well known, the DNS makes it possible to attach hard-to-remember IP addresses (such as 207.142.131.206) to easy-to-remember domain names (such as "wikipedia.org"). Humans take advantage of this when they recite URLs and e-mail addresses. Less recognized, the domain name system makes it possible for people to assign authoritative names without needing to communicate with a central registrar each time.

Associated Attack Methodologies

  • Back Door Through Access Point
  • Back Door Through Internet

Corporate eMail DMZ

In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an internal network and an external network. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

The eMail DMZ is used for providing email server and routing services to corporate users.

Corporate eMail Server

The term "Email Server" is used to denote equipment used to route email and act as a mail server, by storing email and supporting client access using various protocols.

Corporate Firewall

In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an internal network and an external network. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

The eMail DMZ is used for providing email server and routing services to corporate users.

Associated Attack Methodologies

  • Back Door Through Access Point
  • Back Door Through Internet
  • Cross-site Scripting Attack
  • Man-in-the-Middle Attack
  • SQL Injection Attack

Corporate FTP DMZ

In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an internal network and an external network. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

The FTP DMZ is used for providing FTP server services to internal and external corporate users.

Corporate FTP Server

FTP, or File Transfer Protocol, is a commonly used protocol for exchanging files over any network that supports the TCP/IP protocol (such as the Internet or an intranet). There are two computers involved in an FTP transfer: a server and a client. The FTP server, running FTP server software, listens on the network for connection requests from other computers. The client computer, running FTP client software, initiates a connection to the server. Once connected, the client can perform a number of file manipulation operations such as uploading files to the server, downloading files from the server, renaming or deleting files on the server, and so on. Any software company or individual programmer is able to create FTP server or client software because the protocol is an open standard. Virtually every computer platform supports the FTP protocol. This allows any computer connected to a TCP/IP-based network to manipulate files on another computer on that network regardless of which operating systems are involved (if the computers permit FTP access). There are many existing FTP client and server programs, and many of these are free.

Corporate LAN

Computers located in the corporate LAN providing various office, business and engineering functions typically accessed by individual users.

Corporate Telephony Firewall

Consider the telephony firewall to be the equivalent of the corporate Internet firewall for Public Switched Telephone Network (PSTN) connections. A telephony firewall is designed to protect a telephone exchange or PBX by reporting on a variety of attacks, commonly referred to as phreaking, the PSTN equivalent of hacking. The telephony firewall is normally placed between the PSTN and the modem; however, it can be located on either or both sides of the PBX, depending on security needs. It can provide voice-level capabilities similar to the data-level capabilities of network firewalls in use today. It can be configured to report on a variety of attacks ranging from misuse, such as a pre-set threshold of particular calls being exceeded, to attacks against the exchange such as wardialing, where many telephone extensions are called in order to solicit information about the end user device.

Associated Attack Methodologies

  • Back Door Through Access Point
  • Back Door Through Internet
  • Cross-site Scripting Attack
  • Man-in-the-Middle Attack
  • SQL Injection Attack

Corporate Web Application Servers

A computer that provides corporate and external user access to web-enabled business applications information.

Associated Attack Methodologies

  • Man-in-the-Middle Attack
  • OPC/DCOM Attack
  • SQL Injection Attack

Corporate Web Server

The term Web server can mean one of two things:

  1. A computer that is responsible for accepting HTTP requests from clients, which are known as Web browsers, and serving them Web pages, which are usually HTML documents and linked objects (images, etc.).
  2. A computer program that provides the functionality described in the first sense of the term.

Corporate Web Server DMZ

In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an internal network and an external network. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

The Corporate Web Server DMZ is used for providing various web server services to corporate and external Internet users.

Corporate Wireless Access Points

These are wireless devices used for remotely communicating with network systems. Examples include using a personal digital assistant (PDA) to access data over a LAN through a wireless access point, and using a laptop and modem connection to remotely access a LAN system.

Associated Attack Methodologies

  • Back Door Through Access Point

Corporate Wireless DMZ

In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an internal network and an external network. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

The Wireless Access Point DMZ is used for segmenting access to and from the wireless access point network(s) connected to it, for internal and external users.

Field Controller/RTU/PLC/IED

Controller terminology depends on the type of system the controllers are associated with. They provide typical processing capabilities. Controllers, sometimes referred to as Remote Terminal Units (RTU) or Programmable Logic Controllers (PLC), are computerized control units that are typically rack- or panel-mounted with modular processing and interface cards. The units are co-located with the process equipment and interface through input and output modules to the various sensors and controlled devices. Most run a programmable logic-based application that scans and writes data to and from the I/O interface modules and communicates with the control system network via various communications methods, including serial and network communications.

Field Wireless Access Points

These are wireless devices used for remotely communicating with network systems and are typically located in remote field locations (e.g. substation, remote field equipment). Examples include using a personal digital assistant (PDA) to access data over a LAN through a wireless access point, and using a laptop and modem connection to remotely access LAN system components. In a field configuration this includes connecting to IED, PLC, RTU and other devices for purposes of configuration, troubleshooting or control.

Associated Attack Methodologies

  • Back Door Through Access Point

Remote Business Peers

Business, vendor and other partners who utilize data from, and provide data to, a control system using common protocols and communications media.
