Assess the Efficiency of Your OT Cyber Monitoring with CALDERA
2026-04-10, Workshops

Monitoring is often seen as the silver bullet for ICS security, but how effective is it really? In this interactive lab, you will launch realistic attacks with CALDERA against a live industrial setup and evaluate detections across EDR, logs, and network monitoring tools. Discover OT blind spots and walk away with a clear methodology to assess and improve monitoring.


Security monitoring is often promoted as the cornerstone of Industrial Control System (ICS) defense, but how effective is it against real adversaries?

Participants will gain access to a cloud-hosted, browser-based VM preloaded with CALDERA, the open-source adversary emulation framework. The physical cyber range includes a Windows SCADA and engineering station with EDR, PLCs from two different vendors, and centralized log and network monitoring, creating a realistic environment to explore both IT and OT attacks.

Guided exercises begin with simulating a malicious remote user using malware and disabling security solutions, then progress to PLC reconnaissance and manipulation using ICS protocols such as Modbus, S7 and OPC-UA. An advanced scenario will also highlight how custom detection logic can be implemented in PLCs and SCADA.
Throughout the lab, adversaries and detection capabilities are mapped against MITRE ATT&CK for ICS, giving participants a structured way to evaluate monitoring effectiveness. The session concludes with a defensive checklist and guidance on extending these exercises into tabletop assessments.

No prior ICS experience is required—just a laptop with a browser. Attendees leave with a repeatable methodology to assess and strengthen their own monitoring deployments.

Arnaud Soullié is a Senior Manager at Wavestone, a global consulting company. For 15 years, he has been performing security assessments and pentests on all types of targets. He started specializing in ICS cybersecurity 10 years ago. He has spoken at numerous security conferences on ICS topics: BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, DEFCON... He is also the creator of the DYODE project, an open source data diode aimed at ICS. He has been teaching ICS cybersecurity training courses since 2015.

Juliette Barbier is a Senior Consultant at Wavestone, a global consulting company. She specializes in industrial cybersecurity, with a strong focus on detection strategies and solutions for ICS environments. She has worked on implementing detection capabilities and getting the most out of network-based detection solutions. Curious and enthusiastic, she enjoys putting detection theory to the test against real-world adversaries and operational constraints.