All Source Intelligence

Definition(s)


All Source Intelligence

In the NICE Workforce Framework, cybersecurity work where a person: Analyzes threat information from multiple sources, disciplines, and agencies across the Intelligence Community. Synthesizes and places intelligence information in context; draws insights about the possible implications. From: NICE Workforce Framework Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards
Adversary

Definition(s)


Adversary

An individual, group, organization, or government that conducts or has the intent to conduct detrimental activities. From: DHS Risk Lexicon Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards

Adversary

Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.

Sample Usage: Al-Qaeda is an adversary of the United States.

Annotation:
  1. An adversary can be hypothetical for the purposes of training, exercises, red teaming, and other activities.
  2. An adversary differs from a threat in that an adversary may have the intent, but not the capability, to conduct detrimental activities, while a threat possesses both intent and capability.
Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance  

Canadian Standards Association

Any individual, group, organization, or government that conducts activities detrimental to an operator’s assets or has the intention and capability to conduct such activities. Note: An adversary can include political and terrorist groups, criminals, disgruntled employees, and private interests; an adversary can also include site insiders, site outsiders, or the two acting in collusion. (Source: Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries). Source: Canadian Standards Association, Z246.1-09, Security management for petroleum and natural gas industry systems, August 2009, Regional Standards

Advanced Persistent Threat

Definition(s)


Advanced Persistent Threat

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). From: NIST SP 800-53 Rev 4 Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards
Active Content

Definition(s)


Active Content

Software that is able to automatically carry out or trigger actions without the explicit intervention of a user. Adapted from: CNSSI 4009 Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards
Active Attack

Definition(s)


Active Attack

An actual assault perpetrated by an intentional threat source that attempts to alter a system, its resources, its data, or its operations. Adapted from: IETF RFC 4949, NIST SP 800-63 Rev 1 Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards
Access Control Mechanism

Definition(s)


Access Control Mechanism

Security measures designed to detect and deny unauthorized access and permit authorized access to an information system or a physical facility. Adapted from: CNSSI 4009 Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards
Access Control

Definition(s)


Access Control

A process by which entry into and internal movement within a facility is managed. Source: API RP 781 Security Plan Methodology for the Oil and Natural Gas Industries. 1st Ed. September 2016. Global Standards

Access Control

The process of granting or denying specific requests for or attempts to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities. Adapted from: CNSSI 4009 Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards  

Access Control

Means to ensure that access to assets is authorized and restricted based on business and security requirements. Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards  

Access Control

Protection of system resources against unauthorized access; a process by which use of system resources is regulated according to a security policy and is permitted by only authorized entities (users, programs, processes, or other systems) according to that policy [11]. Source: ANSI/ISA–99.00.01–2007, Security for Industrial Automation and Control Systems, Part 1: Terminology, Concepts, and Models, 29 October 2007. National Standard  

Canadian Standards Association

The control of persons, vehicles, and materials through entrances and exits of a restricted area.
  • Note: Access control is an aspect of security that often utilizes a combination of electronic and hardware systems and specialized procedures to control and monitor movement into, out of, and within a restricted area. Access to various areas might be limited to place or time or a combination of both.
(Source: www.asisonline.org, 2006) Source: Canadian Standards Association, Z246.1-09, Security management for petroleum and natural gas industry systems, August 2009, Regional Standards

Identity and Access Management

Definition(s)


Identity and Access Management

The process of granting or denying specific requests for or attempts to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities. Adapted from: CNSSI 4009 Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards  

Identity and Access Management

The methods and processes used to manage subjects and their authentication and authorizations to access specific objects. Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards
Access and Identity Management

Definition(s)


Access and Identity Management

The process of granting or denying specific requests for or attempts to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities. Adapted from: CNSSI 4009 Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards
Worker

Definition(s)


Worker

person performing one or more activities to achieve a goal within a work system (2.2) [SOURCE: ISO 26800:2011, 2.11, modified — synonym “operator” omitted]. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards  

Worker

person performing one or more activities to achieve a goal within a work system (2.2) [SOURCE: ISO 26800:2011, 2.11, modified — synonym “operator” omitted]. Source: ISO 6385:2016, Ergonomics principles in the design of work systems, Third Edition, September 2016. Global Standards
Weak Signal

Definition(s)


Weak Signal

A concept referring to the process of scanning for discontinuities, observations or pieces of data that may provide early warnings or signs of change. In an OMS context, weak signals can provide early indicators of potential safety, health, environmental, social or security issues, including unforeseen risks, control weaknesses or a degradation in performance. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Value Chain

Definition(s)


Value Chain

Interlinked activities of the company, suppliers, customers and other stakeholders that convert inputs into beneficial outputs (i.e. products). Mapping a company's value chain can support understanding of risks and help set boundaries when considering impacts of activities. For an oil and gas company, the value chain refers to the full lifecycle of its products, including the processes of extraction, production, refining, marketing, consumption and disposal/recycling. Stakeholders in the input side of the value chain include suppliers and contractors – the "supply chain". Stakeholders in the output side include the "customer chain", which may include resellers, retailers and consumers. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Threat

Definition(s)


Threat

An indication, circumstance, or event with the potential to cause the loss of or damage to an asset. Threat can also be defined as the capability and intent of an adversary to undertake actions that would be detrimental to critical assets.

Source: API RP 781 Security Plan Methodology for the Oil and Natural Gas Industries. 1st Ed. September 2016. Global Standards

Threat

A circumstance or event that has or indicates the potential to exploit vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society. Extended Definition: Includes an individual or group of individuals, entity (such as an organization or a nation), action, or occurrence. Adapted from: DHS Risk Lexicon, NIPP, CNSSI 4009, NIST SP 800-53 Rev 4. Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards

Threat

A security vulnerability/risk resulting from an informed intent (such as terrorism) to inflict harm or loss. Threats are controlled through protective countermeasures (barriers) to minimise vulnerability and risk exposure. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards  

Threat

Potential cause of an unwanted incident, which may result in harm to a system or organization. Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Threat

Threat is defined as any indication, circumstance, or event with the potential to cause loss of, or damage to, an asset. It can also be defined as the intention and capability of a threat to undertake actions that would be detrimental to valued assets. Sources of threats may be categorized as: criminals (e.g. white collar, cyber, organized, opportunists); activists (pressure groups, single-issue zealots); terrorists (international or domestic); disgruntled personnel.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Threat

Any indication, circumstance, or event with the potential to cause the loss of or damage to an asset. Threat can also be defined as the capability and intent of a threat to undertake actions that would be detrimental to critical assets. Threat encompasses any individual, group, organization, or government that conducts activities or has the intention and capability to conduct activities detrimental to critical assets. A threat could include intelligence services of host nations, or third-party nations, political and terrorist groups, criminals, rogue employees, cyber criminals, and private interests.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Threat

Potential cause of an unwanted incident, which may result in harm to a system, individual or organization. NOTE: Adapted from ISO/IEC 27000:2009. Source: ISO/IEC 27032:2015, Information technology — Security techniques — Guidelines for cybersecurity, First Edition, July 2012. Global Standards

Threat

Natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property.

Sample Usage: Analysts suggested that the greatest threat to the building was from specific terrorist attacks.

Annotation: Threat as defined refers to an individual, entity, action, or occurrence; however, for the purpose of calculating risk, the threat of an intentional hazard is generally estimated as the likelihood of an attack (that accounts for both the intent and capability of the adversary) being attempted by an adversary; for other hazards, threat is generally estimated as the likelihood that a hazard will manifest.

THREAT SHIFTING *

Definition: response of adversaries to perceived countermeasures or obstructions, in which the adversaries change some characteristic of their intent to do harm in order to avoid or overcome the countermeasure or obstacle.

Sample Usage: Installing barriers around only one of several neighboring government buildings may result in threat shifting, where the adversaries will target one of the remaining unprotected buildings.

Annotation:
  1. Threat shifting can occur in one or more of several domains: the time domain (e.g., a delay in attack or illegal entry to conduct additional surveillance, etc.), the target domain (selecting a different, less-protected target), the resource domain (adding resources to the attack in order to reduce uncertainty or overcome countermeasures), or the planning/attack method domain (changing the weapon or path, for example, of the intended attack or illegal entry).
  2. Threat shifting is commonly cited as a reason for countermeasure failure or ineffectiveness – particularly in the case of target shifting. For example, when police occupy one street corner, the drug dealers simply go a few blocks away. This assumes that threat-shifting is frictionless for the adversary, which frequently is the case.
  3. However, threat shifting is not always frictionless for the adversary – and therefore can be of some value to the defenders. The adversaries may delay their attack, consume additional resources, undertake complexity, expose themselves to additional counter-surveillance and counter-terrorism scrutiny, and/or shift to a less consequential target.
  4. Threat shifting can, in some cases, increase risk by steering an adversary to an attack that is more likely to succeed or of greater consequence.
Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance  

Threat

The intention and capability of an adversary to undertake actions that will be detrimental to people, the environment, assets, and economic stability.

Source: Canadian Standards Association, Z246.1-09, Security management for petroleum and natural gas industry systems, August 2009, Regional Standards

Threat

Potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm [11]. Source: ANSI/ISA–99.00.01–2007, Security for Industrial Automation and Control Systems, Part 1: Terminology, Concepts, and Models, 29 October 2007. National Standard
Task

Definition(s)


Task

Specified work undertaken by the workforce that is part of an activity. Tasks are often specified as part of job requirements or as part of a procedure or plan. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Services

Definition(s)


Services

Provision of purchased support to a business activity by a contracted individual or organisation. A service is an intangible commodity in that it involves supply of beneficial and consumable resources (often technical support) to a client company, but does not normally involve the supply of physical products or goods. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Risk Control

Definition(s)


Risk Control

Deliberate action taken to reduce the potential for harm or maintain it at an acceptable level. Sample Usage: As a risk control measure, security guards screen items to reduce the likelihood of dangerous articles getting inside of office buildings. Annotation: Risk control is one of a set of four commonly used risk management strategies, along with risk avoidance, risk acceptance, and risk transfer. Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Risk Control

A barrier implemented within an activity designed to eliminate or mitigate a risk or range of risks. A risk control may take the form of "hard" barriers based on engineered, physical solutions to prevent or avoid a risk, or "soft" barriers relying on compliance with operating plans, procedures and competence of the workforce. Normally, multiple risk controls or "layers of protection" are implemented to achieve risk acceptance. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Risk Acceptability

Definition(s)


Risk Acceptability

In this report, a business judgement process that enables management decisions to be taken at an appropriate level in the organisation. Decisions should be based on predetermined criteria to characterise risks that acknowledge the level of residual risk of a threat, impact or consequence. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Responsibility

Definition(s)


Responsibility

A clearly described requirement of an individual's job. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Resource

Definition(s)


Resource

Commodity, service, workforce or asset that is sourced or supplied to meet the needs of activities to generate products. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
PSO

Definition(s)


PSO

Policies, standards and objectives. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Policies

Definition(s)


Policies

High-level statements that define general principles or rules about how a company operates. Policies generally outline commitments and limitations applied to the company overall and are supported by other documents, such as codes of conduct for individuals or standards related to activities. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Plan/planned

Definition(s)


Plan/planned

A set of intended actions, including timescales and resources, required to achieve an objective. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
PDCA

Definition(s)


PDCA

Plan-Do-Check-Act. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Partner/Partnership

Definition(s)


Partner/Partnership

A third party that has agreed to cooperate with a company to advance their mutual interests. A partnership may be based on a commercial agreement between two companies (such as a joint venture) or it may be based on sharing of inputs towards a non-financial societal or environmental objective. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Organisation

Definition(s)


Organisation

An unambiguous and structured description of how a company is sub-divided and managed for the purpose of operating. The organisation is typically depicted as a series of inter-related charts. They comprise a hierarchy of divisions, sections, departments and other terms to indicate how the company's assets and workforce are grouped and to identify the manager with accountability for each part of the organisation. Organisation of companies varies greatly and can be complex, but in this guidance it is assumed that the structure broadly comprises corporate, business and asset levels. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Operations

Definition(s)


Operations

A general term for any activities or assets where operating occurs. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Operating

Definition(s)


Operating

The design, implementation and control of activities that convert resources into products and services to fulfil a company's business strategy. The word 'operating' refers to the entire lifecycle of a company's activities and products. An OMS should cover all types of business activity. The word "operating" refers to the entire business lifecycle: from technology research to access to new resources through exploration; during design and construction of facilities; through start-ups, normal operations and shutdowns; when hydrocarbons are transported and brought to market as oil, gas or refined products; or when facilities are decommissioned at end of life. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
OMS

Definition(s)


OMS

Operating management system. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Monitor

Definition(s)


Monitor

The observation, tracking or measurement of activities resulting in recorded data or information for assessment of operating conditions, status or performance. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Lifecycle

Definition(s)


Lifecycle

Multiple and consecutive business phases that span the entire period of an asset or project's activities from conception to closure. Typically, oil and gas businesses experience lifecycle phases that include: technology research to access to new resources through exploration; the design and construction of facilities; start-ups, normal operations and shutdowns; the transportation of hydrocarbons to market as oil, gas or refined products; and when facilities are decommissioned at end of life. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards