Industrial Control Cyber Security Europe Conference | Cyber Senate industrial control critical infrastructure cyber security conference

Results from Analyzing Real-World ICS Malware in an ICS Network Sandbox

TRITON and CrashOverride showed us the potential of autonomous, purpose-built malware that enumerates and subsequently hijacks ICS devices using their native protocols. What if we could detonate ICS-specific malware in an “ICS Network Sandbox” that detects and analyzes purpose-built ICS malware before it even gets deployed? Current malware sandboxing technologies are designed for IT protocols and devices rather than OT protocols and devices; as a result, ICS-specific malware such as TRITON is undetected because IT malware sandboxes are unable to flag ICS-specific activities such as OPC scanning, overwriting of PLC configuration files, calls to ICS-specific libraries and ports, etc. CyberX’s research team has built ICS-aware malware analysis sandbox that simulates a complete ICS execution environment in a virtual or offline state, and also instruments the execution environment to detect ICS-specific behavior. During this session, we’ll describe the results of analyzing known ICS malware (Stuxnet, Industroyer, TRITON)  in the sandbox as well as data we’ve collected about the prevalence of ICS-specific malware “in the wild.” Attendees will learn about ICS malware characteristics and ICS attack vectors so they can be better prepared to detect and respond to ICS security incidents in the future.


We will also address these issues on our 5th annual Industrial Control Cyber Security USA conference in Sacramento on Sept 18/19th. Please join us

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.


Newsletter Text

Stay Up To Date On Everything The Cyber Senate Is Doing. Click Here To Sign Up For Our Newsletter Today!