Purple Teaming ICS Networks

August 10, 2019 2:30 PM

Penetration testing helps organizations to quickly identify gaps in their security and detection capabilities that a real-world adversary could use to compromise a targeted environment. The most successful assessments are always the ones in which you can fully engage the customer in your activities. Some in the cybersecurity industry refer to this as Purple Teaming (Red team + Blue team = Purple team). In ICS, the capabilities of the Blue team can vary wildly depending on the level of maturity of the organization. Some customers we work with are able to detect our attacks in real-time and we work with them to fine-tune their ICS detection capabilities. Other customers lack capabilities and are interested in finding as many problems as possible in an effort to secure remediation budget. These teams often join our red team and help provide insider information to maximize our findings. At the very least, constant communication with the customer about what activities are going on and setting the expectation up front that they will be part of the assessment and critical to its success is very important. Customers (usually) understand their network far better than we possibly could within the span of a 1-week engagement, so recruiting them into your penetration testing team is very important. Customers enjoy the experience of taking an adversarial view of their own network and the opportunity to learn from ICS penetration testing experts. Building trust and a stronger customer relationship is often a byproduct of assessment work. In my presentation, I will share some stories about our experience performing assessments and penetration tests against the ICS networks of fortune 500 companies (names have been changed to protect the innocent) and empathize the importance of a collaborative approach to ICS assessments rather than an adversarial one.

Speaker Information

Panelist Information

Austin Scott


Austin Scott, (GICSP, CISSP, OSCP) is a Principal in the Dragos Threat Operations Center (TOC) team and is focused on performing assessments, penetration tests and red teams within industrial control networks. Prior to Dragos, Austin worked as part of the industrial cybersecurity team at Sempra and as an industrial cybersecurity consultant at Accenture. Austin is a published author with two books on PLC Programming: Learning RSLogix 5000 – PACKT Publishing - ISBN 9781784396039 - 2015 PLC Programming RSLogix 5000 - PACKT Publishing - ISBN 1849698449 – 2013 Austin is a SANS Cybersecurity Difference Maker (2015) winner for his industrial cybersecurity contributions. In August 2018, Austin and his teammate won the DEF CON ICS Village HACK THE PLAN(E)T capture the flag competition and were awarded the DEF CON Black Badge.