2025-12-13 –, Workshop Room 1
Monitoring is often seen as the silver bullet for ICS security—but how effective is it really? In this interactive lab, you’ll launch realistic attacks with CALDERA against a live industrial setup and evaluate detections across EDR, logs, and network tools. Discover OT blind spots and walk away with a clear methodology to test and improve monitoring.
Security monitoring is often promoted as the cornerstone of Industrial Control System (ICS) defense, but how effective is it against real adversaries?
Participants will gain access to a cloud-hosted, browser-based VM preloaded with CALDERA, the open-source adversary emulation framework. The cyber range includes a Windows SCADA and engineering station with EDR, PLCs from two different vendors, and centralized log and network monitoring—creating a realistic environment to explore both IT and OT attacks.
Guided exercises begin with simulating credential theft and lateral movement on Windows workstations, then progress to PLC reconnaissance and manipulation using ICS protocols such as S7 and OPC-UA. Advanced scenarios showcase how custom CALDERA plugins can modify PLC logic, disguise attacks, and highlight gaps where IT-centric tools fail to provide coverage.
Throughout the lab, detections are mapped against MITRE ATT&CK for ICS, giving participants a structured way to evaluate monitoring effectiveness. The session concludes with a defensive checklist and guidance on extending these exercises into tabletop assessments.
No prior ICS experience is required—just a laptop with a browser. Attendees leave with a repeatable methodology to assess and strengthen their own monitoring deployments.
Arnaud Soullié is a Senior Manager at Wavestone, a global consulting company. For 15 years, he has been performing security assessments and pentests on all types of targets. He started specializing in ICS cybersecurity 10 years ago. He has spoken at numerous security conferences on ICS topics: BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, DEFCON... He is also the creator of the DYODE project, an open source data diode aimed at ICS. He has been teaching ICS cybersecurity trainings since 2015.