Protecting industrial control systems involves a variety of challenges, from low tolerance for downtime to the need for a very deliberate combination of approaches and tools to ensure the integrity and availability of the environment. These environmental constraints can stovepipe our thinking about how to respond to threats to control systems, leading us to treat one source of data as the only option. In this talk, we will consider the strengths and weaknesses of different data sources, including network and host sources. Using data from MITRE Engenuity's recent ICS ATT&CK evaluation, we will discuss known attacker TTPs, how to detect those TTPs, and how diversifying data sources improves the chance of detecting an adversary. Because collecting and processing more data is both a technical and a staffing challenge, we will also discuss how analysis can scale without requiring a significant increase in resources.