2026-04-10, Track 2
Command and control (C2) servers have long existed for IT-facing networks. They are the central infrastructure that allows adversaries to maintain persistent remote control over compromised systems and orchestrate large-scale cyberattacks. What if adversaries brought these tactics to OT?
This presentation explores the creation of C2 infrastructure specifically for OT networks, using the OPC UA protocol as the example. We examine how the OPC UA protocol can be abused to enable covert data exfiltration from air-gapped networks, and how we can connect to an OPC UA server to create persistent command channels that blend with legitimate industrial traffic. Through a practical demonstration using Factory I/O and containerized PLCs, this presentation reveals the techniques adversaries could use to maintain covert control over industrial systems while evading traditional security monitoring.
As OT environments become increasingly connected, the security assumptions that protected air-gapped systems are eroding. This presentation examines how adversaries can adapt IT-based Command and Control techniques to operational technology networks, with a specific focus on abusing the OPC UA protocol.
We'll explore the technical mechanics of creating covert C2 channels with OPC UA communications, demonstrating how legitimate industrial protocols can be weaponized for data exfiltration and persistent control. Using a simulated industrial environment with Factory I/O and containerized PLCs, attendees will see firsthand how these attacks operate within realistic OT contexts.
Topics include:
Fundamental differences between IT and OT C2 infrastructure requirements
OPC UA protocol structure and abuse opportunities
Techniques for blending malicious traffic with legitimate industrial communications
Detection challenges and defensive considerations
James Sabin is a security researcher specializing in OT adversary emulation and industrial control systems networking. Currently completing his degree in Cybersecurity and Digital Forensics at the University of the West of England, he focuses on ICS/OT protocol analysis and the development of open-source tools for operational technology security research.