Industrial 4.0 IOT/OT Security, Threat Detection and Mitigating Cyber Impact on Safety Systems
Wednesday, September 19 • 11:40am - 12:10pm
Results from Analyzing Real-World ICS Malware in an ICS Network Sandbox

TRITON and CrashOverride showed us the potential of autonomous, purpose-built malware that enumerates and subsequently hijacks ICS devices using their native protocols. What if we could detonate ICS-specific malware in an "ICS Network Sandbox" that detects and analyzes purpose-built ICS malware before it even gets deployed? Current malware sandboxing technologies are designed for IT protocols and devices rather than OT protocols and devices; as a result, ICS-specific malware such as TRITON goes undetected because IT malware sandboxes are unable to flag ICS-specific activities such as OPC scanning, overwriting of PLC configuration files, calls to ICS-specific libraries and ports, etc. CyberX's research team has built an ICS-aware malware analysis sandbox that simulates a complete ICS execution environment in a virtual or offline state, and also instruments the execution environment to detect ICS-specific behavior. During this session, we'll describe the results of analyzing known ICS malware (Stuxnet, Industroyer, TRITON) in the sandbox as well as data we've collected about the prevalence of ICS-specific malware "in the wild." Attendees will learn about ICS malware characteristics and ICS attack vectors so they can be better prepared to detect and respond to ICS security incidents in the future.

Daniel Shugrue

Senior Director, Industrial Cybersecurity, CyberX

Wednesday September 19, 2018 11:40am - 12:10pm PDT
Citizen Hotel 926 J Street Sacramento, California 95814