Louisiana State University

Abstract:

In 2016, CrashOverride was discovered, and it was the only malware that year that could be reasonably called ICS Malware. 8 years later, we now have ICS Aware ransomware, as well as other ICS-capable threats, like FuxNet, FrostyGoop, COSMICENERGY, and more. Throughout that timeframe, Dragos Intel has had to think about what constitutes an ICS threat and when to apply the moniker of ICS Malware to a sample. Do we count ransomware as ICS Malware? Do we count malware that targets an ICS Vendor's IT network? What about malware with no related event? Or weirder, malware where we don't even have source code?

In this talk, I'll recount a small history of the Dragos Intel team and how our understanding of ICS Malware has grown over the years. I'll cover the samples Dragos considers ICS Malware, what they have in common, and how these commonalities led us to our current definitions of ICS Malware and ICS Threats. I'll then show how we apply that process to known ICS malware, as well as malware that doesn't quite make the cut.
