Bsides Exeter 2026

Share to Detect: Breaking the Privacy Deadlock in OT Threat Intelligence
2026-04-25, Seminar Room 1

Operational Technology (OT) environments face a critical paradox: sophisticated attacks like TRITON, CRASHOVERRIDE, and INCONTROLLER routinely target multiple facilities, yet operators remain blind to cross-site attack patterns due to privacy regulations, competitive secrecy, and lack of trust. The current "share after detection" model—where threat intelligence is exchanged only after a breach is confirmed—creates a deadly information asymmetry: attackers see the entire battlefield while defenders fight isolated skirmishes.
This talk introduces a framework that flips the paradigm to "share to detect": enabling multiple OT sites (refineries, power plants, water utilities) to collaboratively identify globally significant threats before individual sites recognize them as attacks, all without exposing sensitive operational data, process telemetry, or even revealing which facility discovered which threat.
Using software "hunter agents" deployed at historian databases and SCADA systems, the system leverages commutative encryption and secure multi-party computation to answer the question: "Is this weird PLC behavior I'm seeing actually a coordinated attack happening across our industry?"—without any site learning what "weird" looks like at competitor facilities.
We'll demonstrate how an alliance of sites can collectively validate that a suspicious Modbus command sequence appearing at 15% local prevalence at your site is actually a global IoC appearing at 87% of participating refineries—triggering immediate coordinated defense—while mathematically guaranteeing that Site A never learns Site B's process parameters, alarm rates, or asset inventory.
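The prevalence check described above can be sketched with a commutative-encryption private set intersection. The following is an added example, not the speaker's framework or Fujitsu's code: each site blinds its locally observed IoC fingerprints with a secret exponent, the blinded set is routed through every other site so each adds its own exponent layer, and because exponentiation commutes, equal IoCs end up as equal tokens under the product of all keys while no single site holds the keys needed to recover another site's plaintext. The group (a toy 127-bit prime field), the site names and the Modbus fingerprint strings are constructed for the demo; a deployment would use an elliptic-curve group and would have to address the linkage that a site can infer between its own tokens and the pooled set.

```python
import hashlib
import math
import secrets
from typing import Dict, List

# Toy group: multiplicative group mod the Mersenne prime 2^127 - 1 (assumption,
# sized for speed only; a deployment would use an elliptic-curve group).
P = (1 << 127) - 1
_rng = secrets.SystemRandom()


def hash_to_group(ioc: str) -> int:
    """Map a canonical IoC fingerprint string to a non-trivial group element."""
    digest = hashlib.sha256(ioc.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 2  # in [2, P-1]


def new_key() -> int:
    """Secret exponent coprime to the group order, so blinding is a bijection."""
    while True:
        k = _rng.randrange(2, P - 1)
        if math.gcd(k, P - 1) == 1:
            return k


def blind(value: int, key: int) -> int:
    """Commutative encryption: blind(blind(h, a), b) == blind(blind(h, b), a)."""
    return pow(value, key, P)


class Site:
    """One OT site: a hunter agent holding local observations and a secret key."""

    def __init__(self, name: str, iocs: List[str]) -> None:
        self.name = name
        self.key = new_key()
        self.iocs = set(iocs)

    def blinded_observations(self) -> List[int]:
        # Shuffle so token order reveals nothing about the local set.
        tokens = [blind(hash_to_group(x), self.key) for x in self.iocs]
        _rng.shuffle(tokens)
        return tokens

    def add_layer(self, tokens: List[int]) -> List[int]:
        """Apply this site's key to tokens that originated elsewhere."""
        return [blind(t, self.key) for t in tokens]


def fully_blind(sites: List[Site], owner: int, tokens: List[int]) -> List[int]:
    """Route tokens already blinded by `owner` through every other site."""
    for j, site in enumerate(sites):
        if j != owner:
            tokens = site.add_layer(tokens)
    return tokens


def build_pool(sites: List[Site]) -> List[int]:
    """Pool every site's fully-blinded observations with site labels stripped."""
    pool: List[int] = []
    for i, site in enumerate(sites):
        pool.extend(fully_blind(sites, i, site.blinded_observations()))
    _rng.shuffle(pool)
    return pool


def global_prevalence(sites: List[Site], pool: List[int], querier: int, ioc: str) -> float:
    """Fraction of sites whose observations contain `ioc`, computed on tokens only."""
    token = fully_blind(sites, querier, [blind(hash_to_group(ioc), sites[querier].key)])[0]
    return pool.count(token) / len(sites)


def demo() -> Dict[str, float]:
    # Constructed fingerprints: canonical forms of Modbus command sequences.
    coordinated = "modbus:fc16:unit1:reg40001-40008:burst"
    local_only = "modbus:fc05:unit3:coil17:toggle"
    # 8 constructed sites; 7 see the coordinated sequence, only site 0 sees the local one.
    sites = [Site(f"refinery-{i}", [coordinated] if i != 7 else []) for i in range(8)]
    sites[0].iocs.add(local_only)
    pool = build_pool(sites)
    return {
        "coordinated": global_prevalence(sites, pool, 0, coordinated),
        "local_only": global_prevalence(sites, pool, 0, local_only),
        "never_seen": global_prevalence(sites, pool, 0, "modbus:fc06:unit9:reg1"),
    }


if __name__ == "__main__":
    for name, frac in demo().items():
        print(f"{name}: {frac:.0%} of sites")
```

Site 0 asks about a sequence it sees locally and learns only that 7 of 8 participants (87.5%) hold the same token, not which ones; the other sites never see the query or each other's sets in the clear, since every value they handle is already under at least one foreign key.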

Attendees will learn:
- Why traditional threat intel sharing fails in OT environments
- The cryptographic primitives enabling secure threat artifact exchange
- How to deploy autonomous threat hunting agents in ICS historian infrastructure
- Real-world attack scenarios where collaborative detection provides 10-100x faster response


URL: https://openuk.uk/profiles/ahmed-elmesiry/

Technical Level: 4 - Complex and quite technical, deeper dive into subjects

Organisation or Affiliation: Fujitsu Research of Europe

Dr. Elmesiry is a principal security researcher with a Ph.D. in information security and assurance. He has extensive experience in R&D, having held academic and industrial positions in various countries on six continents. He has worked on projects related to cybersecurity, IoT, and machine learning, and has received several awards for his work, including six best paper awards at international conferences. Dr. Elmesiry holds industrial certifications in the fields of managing networked systems and offensive cybersecurity from top tech companies. Dr. Elmesiry has also contributed to the field through patents, books, book chapters, and research papers.

Cyber security researcher working at the crossroads of traditional cyber security and novel LLM developments for Fujitsu Research of Europe. I am here to present the work done by Ahmed M. Elmesiry, my colleague.