BEGIN:VCALENDAR VERSION:2.0 PRODID:-//pretalx//pretalx.com//bsides-exeter-2026//speaker//WHLL9U BEGIN:VTIMEZONE TZID:GMT BEGIN:STANDARD DTSTART:20001029T030000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10 TZNAME:GMT TZOFFSETFROM:+0100 TZOFFSETTO:+0000 END:STANDARD BEGIN:DAYLIGHT DTSTART:20000326T020000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3 TZNAME:BST TZOFFSETFROM:+0000 TZOFFSETTO:+0100 END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:pretalx-bsides-exeter-2026-EKSVGQ@pretalx.com DTSTART;TZID=GMT:20260425T122000 DTEND;TZID=GMT:20260425T130000 DESCRIPTION:Operational Technology (OT) environments face a critical parado x: sophisticated attacks like TRITON\, CRASHOVERRIDE\, and INCONTROLLER ro utinely target multiple facilities\, yet operators remain blind to cross-s ite attack patterns due to privacy regulations\, competitive secrecy\, and lack of trust. The current "share after detection" model—where threat i ntelligence is exchanged only after a breach is confirmed—creates a dead ly information asymmetry: attackers see the entire battlefield while defen ders fight isolated skirmishes.\nThis talk introduces a framework that fli ps the paradigm to "share to detect": enabling multiple OT sites (refineri es\, power plants\, water utilities) to collaboratively identify globally significant threats before individual sites recognize them as attacks\, al l without exposing sensitive operational data\, process telemetry\, or eve n revealing which facility discovered which threat.\nUsing software "hunte r agents" deployed at historian databases and SCADA systems\, the system l everages commutative encryption and secure multi-party computation to answ er the question: "Is this weird PLC behavior I'm seeing actually a coordin ated attack happening across our industry?"—without any site learning wh at "weird" looks like at competitor facilities.\nWe'll demonstrate how an alliance of sites can collectively validate that a suspicious Modbus comma nd sequence appearing at 15% local prevalence at your site is actually a g lobal IoC appearing at 87% of participating refineries—triggering immedi ate coordinated defense—while mathematically guaranteeing that Site A ne ver learns Site B's process parameters\, alarm rates\, or asset inventory. \n\nAttendees will learn:\n- Why traditional threat intel sharing fails in OT environments\n- The cryptographic primitives enabling secure threat ar tifact exchange\n- How to deploy autonomous threat hunting agents in ICS h istorian infrastructure\n- Real-world attack scenarios where collaborative detection provides 10-100x faster response DTSTAMP:20260501T070549Z LOCATION:Seminar Room 1 SUMMARY:Share to Detect: Breaking the Privacy Deadlock in OT Threat Intelli gence - Ahmed Elmesiry\, Ofir Manor URL:https://pretalx.com/bsides-exeter-2026/talk/EKSVGQ/ END:VEVENT END:VCALENDAR