Our new SANS research takes you inside the minds & methods of modern adversaries. Get the report ›

13th B-Sides Las Vegas - ICS Security Assessments 101 or How da Fox I Test Dis?

We have seen many ICS attacks both in the news and in several talks at security conferences. They show how ICS protocols are insecure by default and how we can mess with control components so easily. However, from a consulting point of view, are we really asking our ICS clients to let us mess with their critical infrastructure just to show what we already know?

In this talk, I’ll show how we can scope and address an ICS security engagement aligned with the industry’s needs. I’ll talk about real-world planning, attack surface identification, exploitation, and reporting from the understanding of what is giving value to our ICS clients. To keep things spicy, I’ll also include short demos to better show what we can do for each assessment type and yea some exploitation as well.


Yael Basurto

About the author, Yael Basurto

Security Consultant II

Yael Basurto is a Bishop Fox security consultant. He specializes in offensive security and has a varied background in security assessments for different industries such as financial, government, retail, hotel, and mining. He has performed penetration testing for network, web, and mobile applications, and red teaming for financial and critical control infrastructure. Yael is also a security conference enthusiast, co-organizig Security BSides CDMX, and has presented at the DEF CON Recon Village, BSides events, and HackFest.

More by Yael

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.