James Sabin
James Sabin is a security researcher specializing in OT adversary emulation and industrial control systems networking. Currently completing his degree in Cybersecurity and Digital Forensics at the University of the West of England, he focuses on ICS/OT protocol analysis and the development of open-source tools for operational technology security research.
Session
Command and control (C2) servers have long existed for IT-facing networks. They are the central infrastructure that allows adversaries to maintain persistent remote control over compromised systems and orchestrate large-scale cyberattacks. What if adversaries brought these tactics to OT?
This presentation explores the creation of C2 infrastructure specifically for OT networks, using the OPC UA protocol as the example. It examines how the OPC UA protocol can be abused to enable covert data exfiltration from air-gapped networks, and how a connection to an OPC UA server can be used to create persistent command channels that blend with legitimate industrial traffic. Through a practical demonstration using Factory I/O and containerized PLCs, this presentation reveals the techniques adversaries could use to maintain covert control over industrial systems while evading traditional security monitoring.