Documentation · 07

Glossary

Vocabulary used across IIA documentation. Domain, architecture, and standards terms with normative definitions.


4Rs. Response, Resolution, Reliability, Resilience. PERA+’s criteria for placing applications at the right level. Response time tolerances loosen and resolution requirements coarsen as data moves up the hierarchy.

ACS. Automation and Control Systems. The domain where data acts on or controls a physical process. Governed by SRP. The line between ACS and IT is drawn by the criticality of the data - its time sensitivity and its relationship to the physical process - not by network topology, org chart, or vendor label.

Attestation. Independent observation that checks whether prevention is actually working. The architecture commits to the property; how it is done is an operator concern.

Boundary contract. A data contract at every connection that exits the ACS. Bilateral: the ACS side commits to what it produces; the upstream side commits to connectivity, authentication, acknowledgement, response time, capacity, and incident response. A RACI matrix names the accountable parties for every failure mode.

The box / The unit. Shorthand for secure edge gateway. Used in informal contexts; secure edge gateway is the formal term.

CIA. Confidentiality, Integrity, Availability. The model for information - records, historical by nature. Governs IT systems and ACS data once it has crossed the boundary and become information. Not the right model for ACS itself; ACS is governed by SRP.

CIAD. Control and Information Architecture Diagram. PERA+’s conceptual block diagram. IIA uses CIADs for reference deployments.

CIND. Control and Information Network Diagram. PERA+’s network detail diagram with SL1–SL4 annotations.

Consumer. Whoever receives information published by a secure edge gateway. Either another gateway at broader scope (the fractal case) or an authorized external system. Both connect to the gateway’s outbound interface; neither reaches back in.

Data contract. Explicit description of a communication on the box or across its boundaries - what data, in what direction, under what conditions, with what authentication. Communication without a contract is prevented or flagged. Boundary contracts are the bilateral case at every connection that exits the ACS.

Data diode. Hardware unidirectional optical link with no return path. Sits between the inside box and the outside subscriber. Buys SL4 by physics: nothing the outside box receives can travel back to the inside.

Distributed (not federated). IIA is a distributed mesh of identical units under one operator. Not a federation of independent parties exchanging data by treaty.

Fractal. A box at the head of every zone. Inside the zone is control system data governed by SRP; at the box, it becomes information governed by CIA and goes outward. Devices inside can be any security level - the security boundary is at the gateway, not at every device. Same unit at every zone; only scope changes. A central historian is a gateway at broader scope, not a different system.

IEC 62443 / ISA-99. Industrial cybersecurity standard. ISA-99 is the ISA committee whose standards are published internationally as IEC 62443. Defines security levels SL1–SL4 and foundational requirements FR1–FR7. IIA aligns with ISA-99 / IEC 62443 and targets SL3 in software-only mode and SL4 in two-box mode with a hardware data diode.

Inside box. In the two-box mode, the unit on the ACS side. Publishes outbound across the diode to the outside subscriber. Never directly reachable from outside the zone.

ISA-95. The IT↔ACS data model standard, especially for process industries. IIA aligns with ISA-95: Enterprise → Site → Area → Work Center → Work Unit is the IIA zone hierarchy, reversed leaf-first for DNS. IIA doesn’t enforce ISA-95 schema at the edge; schema modeling lives upstream.

Managed Trust. PERA’s name for the ACS side of the boundary. Every device and process is known, identified, and accountable to operations. The box terminates Zero Trust on the IT side and begins Managed Trust on the ACS side.

Outside box / outside subscriber. In the two-box mode, the unit on the IT side. Receives data from the inside box across the diode and is what consumers connect to. Compromise of the outside box can’t reach the inside box: physics, not policy. “Outside subscriber” is the role-precise name; “outside box” is the shorthand.

PERA+. Reference architecture maintained by Gary Rathwell at Entercon (pera.net), CC BY-SA 4.0. Defines hierarchical levels, zone boundaries, the 4Rs. IIA aligns with PERA+ and adopts: the 4Rs, CIAD/CIND diagrams, Zero Trust ↔ Managed Trust, and “secure interfaces, not integration.”

RACI matrix. In a boundary contract, the named parties for every failure mode. Responsible, Accountable, Consulted, Informed.

SAIC. Safety, Availability, Integrity, Confidentiality. PERA’s extension of CIA with Safety in front. Right for IT systems that touch safety-critical information - historians, audit stores, regulator-facing dashboards. Doesn’t govern the ACS itself.

Secure edge gateway. The unit at the head of every zone. Control system data inside (SRP), information outward (CIA). The only path into the zone from outside. Same at every zone; only scope changes. Two physical realizations: single-box (SL3, the floor) and two-box + diode (SL4, the ideal). See Two-Box Method.

Security Level (SL1–SL4). IEC 62443’s grading of cybersecurity capability, assigned per zone and conduit and scaled to the adversary the zone must withstand: casual or coincidental violation at SL1, up to attackers with sophisticated means, extended resources and high motivation at SL4. Software-only mode targets SL3 (segmentation + authentication + audit). Two-box mode reaches SL4 by hardware data diode and physical one-way separation; the diode supplies the one-way separation, and the remaining foundational requirements still have to be met on each box. SL3 does not require unidirectional flow - that’s the SL4 promise.

Sovereignty. The unit is the complete system for its zone and works with no upstream link. Sovereignty isn’t isolation: adjacent gateways can know about each other without becoming dependent. Awareness is fine; dependency isn’t.

SRP. Safety, Reliability, Performance. The model for physical action and physics. Governs the ACS substrate. Reliability and Performance are properties of the physical system; Safety is what the system protects. After Robert Radvanovsky at Infracritical (srpmodel.infracritical.com).

Two-Box Method. Physical ACS/IT segmentation using two boxes and a hardware data diode. John Rinaldi and Gary Workman, The Everyman’s Guide to EtherNet/IP Network Design (Real Time Automation, 2022, ISBN 9798839986152). IIA generalizes the pattern in software at SL3 and deploys natively into it at SL4.

Zero Trust. PERA’s name for the IT side of the boundary. Every action is unauthenticated until proven. The box terminates Zero Trust on the IT side and begins Managed Trust on the ACS side.

Zone. A grouping of assets that share common security requirements, per IEC 62443; the controlled paths between zones are conduits. The unit of industrial operation and the unit of IIA deployment: a box per zone.


The five principles

Self-sufficiency. Every zone contains its own essential services - DNS, DHCP, SMB, FTP, NTP, data collection, storage, monitoring, visualization, security. Not provided by IT. Not leased, delegated, or shared. No zone depends on upstream connectivity to function. Connectivity is additive, never structural. If the link drops, nothing changes on site.

Selective admission. Default closed. External attack surface reduced to as few hardened, defined endpoints as possible. Access is granted deliberately, specifically, and revocably. If you can avoid letting anyone in, you do.

Narrative control. The zone is the authority on what it shares, if it shares anything at all. If data leaves, it’s pushed outward. Nothing reaches back in. The zone decides what leaves, in what form, on what schedule, and to whom. Manufacturing Operations controls the boundary. If providing the data would compromise control, the data doesn’t leave.

Boundary enforcement. Functional areas are separated by walled zones. The only paths between them are controlled conduits. Boundaries are enforced - software or hardware - and monitored the same way a process boundary is monitored: continuously, with alarms on deviation.

Contractual binding. Every conduit between zones is governed by an explicit contract: what data, in what direction, under what conditions, with what authentication. No implicit trust. No ambient access. The contract is the setpoint. Traffic outside the contract is a deviation, and deviations are rejected.
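The two mechanical pieces of the above, ISA-95 zone names written leaf-first for DNS and a default-closed check of traffic against data contracts, as one added example. This is illustration code, not code from IIA, PERA+ or any standard cited here; the contract fields (producer, consumer, topics, auth), the zone labels under "acme", and the sample flows are constructed assumptions. It also checks one thing the text implies but does not spell out: a contract whose consumer sits inside the producer's own zone would point inward, so it is rejected before any traffic is evaluated.

```python
"""Added example, not code from IIA, PERA+ or any standard cited here:
ISA-95 zone names written leaf-first as DNS names, plus a default-closed
check of traffic against data contracts. The field names, zone labels
and sample flows are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# RFC 1123 host label: lowercase letters, digits and hyphens, 1-63 chars.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

# ISA-95 equipment hierarchy, broadest level first.
ISA95_LEVELS = ("enterprise", "site", "area", "work_center", "work_unit")


def zone_name(**path: str) -> str:
    """Leaf-first zone name, e.g. zone_name(enterprise="acme", site="plant1")
    -> "plant1.acme". Levels must form a contiguous prefix of the hierarchy."""
    labels = []
    for level in ISA95_LEVELS:
        if level not in path:
            break
        label = path.pop(level)
        if not _LABEL.match(label):
            raise ValueError(f"{level}={label!r} is not a valid DNS label")
        labels.append(label)
    if path:  # a level was skipped, or an unknown level was given
        raise ValueError(f"unexpected or non-contiguous levels: {sorted(path)}")
    if not labels:
        raise ValueError("at least the enterprise must be named")
    return ".".join(reversed(labels))


def broader_scope(zone: str) -> Optional[str]:
    """The gateway one level up (the consumer in the fractal case), or
    None at the enterprise root."""
    parent = zone.partition(".")[2]
    return parent or None


@dataclass(frozen=True)
class Contract:
    producer: str          # zone whose gateway pushes the data outward
    consumer: str          # broader-scope gateway or authorized external system
    topics: frozenset      # what data may leave
    auth: str              # authentication required on the outbound interface


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    topic: str
    auth: Optional[str] = None  # None models an unauthenticated connection


def contract_is_outward(c: Contract) -> bool:
    """Reject contracts that point into a narrower zone: the consumer may
    never sit inside (or be) the producer's own zone."""
    return c.consumer != c.producer and not c.consumer.endswith("." + c.producer)


def check_flow(flow: Flow, contracts: list[Contract]) -> tuple[str, str]:
    """Default closed: a flow without a matching contract is a deviation."""
    for c in contracts:
        if (c.producer, c.consumer) == (flow.src, flow.dst):
            if flow.topic not in c.topics:
                return "reject", f"topic {flow.topic!r} is not in the contract"
            if flow.auth != c.auth:
                return "reject", "authentication does not match the contract"
            return "allow", "within contract"
        if (c.producer, c.consumer) == (flow.dst, flow.src):
            return "reject", "reverse direction: nothing reaches back in"
    return "reject", "no contract for this conduit"


# Constructed sample: a filler work unit publishing to its line gateway.
WORK_UNIT = zone_name(enterprise="acme", site="plant1", area="packaging",
                      work_center="line3", work_unit="filler")
LINE = broader_scope(WORK_UNIT)          # "line3.packaging.plant1.acme"
CONTRACTS = [
    Contract(WORK_UNIT, LINE, frozenset({"telemetry", "alarms"}), "mtls"),
]
assert all(contract_is_outward(c) for c in CONTRACTS)

if __name__ == "__main__":
    samples = [
        Flow(WORK_UNIT, LINE, "telemetry", "mtls"),           # allowed
        Flow(WORK_UNIT, LINE, "recipes", "mtls"),             # topic outside contract
        Flow(WORK_UNIT, LINE, "telemetry"),                   # unauthenticated
        Flow(LINE, WORK_UNIT, "telemetry", "mtls"),           # reaching back in
        Flow(WORK_UNIT, "erp.example", "telemetry", "mtls"),  # no contract
    ]
    for f in samples:
        verdict, reason = check_flow(f, CONTRACTS)
        print(f"{f.src} -> {f.dst} [{f.topic}]: {verdict} ({reason})")
```

Only the first sample flow is allowed; the other four are deviations and each is rejected with the reason that names which part of the contract it violated, which is what an operator would want alarmed on. Note that the reverse-direction case is caught even though the source and destination are both legitimate gateways: direction is part of the contract, not a property of the endpoints.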

The three hard constraints

Never interfere with the process. Observe and report. Don’t act on the process. Don’t inject, modify, or command. The automation cell is sovereign. Monitor the boundary; don’t cross it.

Control signal priority is absolute. Real-time control traffic always beats information traffic. AI, historian, reporting, analytics - all information-domain, all secondary. Not a preference. A traffic engineering requirement. If information traffic contends with control traffic, information traffic is dropped.

Observe, never intercept. Data collection is passive. Copy, never intercept. Mirror, never inline. Never in the path of control system traffic. See what passes by, take a copy. Don’t insert into the flow, don’t modify packets in transit, don’t add latency to control communications.