The cybersecurity community loves a good terminology fight, and the ICS (if that is the right term) security community niche is no different. A recent and predictable raging discussion on a popular email list on a single term is the latest example. It’s not surprising given a large percentage of this community comes from a technical field where the proper use of terms is essential to successful operations and safety.

The broader, more inclusive terms are the ones that cause the most problems. For example:

  • Is there a difference between ICS and OT, or are they interchangeable? (I see them used interchangeably)
  • Are non-industrial control systems part of ICS? (Common usage says yes)
  • Where is the line between IIoT and ICS? (This may not yet be decided)

This does not mean that terminology is static. In the early 00s we saw the term SCADA used for all control systems. This was technically incorrect enough to lead to the creation of the catch-all term industrial control systems (ICS) to replace it as the broadly used term late in the decade. In the 10s the term Operations Technology (OT) caught on because it so easily enabled the IT v. OT discussions. IoT and IIoT are also new broad terms from the 10s.

At some point a term can reach a tipping point: a point where it is so widely used, with a generally agreed upon meaning, that it is counterproductive to progress to fight the term. Counterproductive even if the term is not correct or as precise as those who know the topic best would want. Arguing over the term is no longer helpful to improving communication.

A personal example of a term I fought against reaching the tipping point is “Cyber Hygiene”. If cyber hygiene were a small set of tasks that everyone should do, I might be able to get behind the term. Its common use is as a synonym for the full set of good security practices, and it does not distinguish between the practices that will greatly reduce risk and the minor risk reduction practices. It is a one-size-fits-all, do-everything set of security practices. Everyone should practice “hygiene”, so there is a shame and blame aspect if an asset owner consciously decides to be non-hygienic in any way.

I fought the use and definition of cyber hygiene for about two years and gave up last year. It had reached the tipping point and was a commonly understood way to refer to good cybersecurity practices. I still push back on prioritizing cyber hygiene, using that now widely accepted term. From a limited-resources and efficient-risk-reduction perspective, it only makes sense in the most mature ICS security programs.

Terminology should aid communication. If there is general acceptance and understanding of a term then it is almost always a waste of time to try to change it. Adopt it and use your energy on something more productive.

One last thought …

Consultants and others who visit many asset owners will run across incorrectly used terminology. I’ve had asset owners who refer to their ICS as the SCADA system even though it is not a SCADA system. Guess what term I use when talking to them and in the report … SCADA. It is the term that will help communications and achieve the objectives of the project. Or I could spend a lot of time trying to convince everyone in the organization who has been calling the system SCADA for the last two decades that they are wrong and should use a different term.

Terminology’s purpose is to improve communication.