ICS attacks have an aura of sophistication, high barriers to entry, and significant investment in time and resources. When looking at the situation from a defender's perspective, nothing could be further from the truth. Attacking and potentially taking down an ICS network requires - and probably works best with - permutations of 'pen tester 101' actions combined with some knowledge of the environment and living off the land.
In this talk, we will walk through some concrete ICS attack examples to see just what is needed to breach and impact this environment. More importantly, using malware and data captured from recent attacks - specifically TRISIS and CRASHOVERRIDE - we'll see how the attackers 'messed up' their attacks and why a more simplified and direct approach to achieving offensive goals would not only be more effective but also likely far more difficult for defenders to catch. To close the conversation, we'll explore what defensive measures can be applied - and are necessary - to detect and stop such attacks in their tracks.