Since Stuxnet caused substantial damage to Iran's nuclear program in 2010, ICS security issues have drawn growing attention. Many researchers have dug into the hacking skills and attack paths behind the known attacks in history, and more malware and incidents have followed. Enterprises need an efficient way to find vulnerabilities, but they might not have the budget for ICS pentesters, who need strong background knowledge, across all the fields they have. To solve this problem, we built Scarlet OT, a rare OT-targeting, open source adversary emulation tool, as a plugin for Caldera, MITRE's open source tool. Users can easily combine IT attacks with our OT adversaries, change the steps of an attack, or send manual commands during the process.
We summarize our experience of reviewing traffic from over 20 factories and analyzing 19 pieces of MITRE-defined ICS malware and PIPEDREAM / Incontroller in 2022. We found that the main trend in ICS malware is a shift from targeting a single protocol to modular designs that support multiple protocols. The actions in the malware can be summarized as a 4-stage attack flow. We used these conclusions to develop Scarlet OT.
Scarlet OT now supports 10 common protocols and over 23 techniques in the MITRE ICS matrix, which lets it reproduce over 80% of the defined ICS malware actions in OT. We also followed the 4-stage conclusion to add some attacks that have not been used by any malware. We have tested Scarlet OT on real oil, gas, water, and electric power factory devices, on protocol simulations for SCADA developers, and on a honeypot. We will give a demo in this presentation and open source the tool after the presentation.
Vic Huang: He is interested in Web/Mobile/Blockchain security and penetration testing. Vic has shared his research at CODE BLUE, REDxBLUE pill, HITB, HITCON, CYBERSEC, Modern web, AIS3, ISIP and so on.