Security Strategy & Case Study

Security Strategy & Case Study will dive into real-world case studies from sponsors and users, highlighting the practical value of products. It offers actionable solutions and hands-on insights to tackle real challenges.

TIME & LOCATION
  • 4/16 (Wed.) 14:00 - 16:45 | 4A Meeting Room
  • 4/17 (Thur.) 14:00 - 16:45 | 4A Meeting Room
AGENDA
4 / 16
14:00 - 14:30
4F 4A
Nico Chen / Cyber Defense Architecture Department / Project Manager NEITHNET

No anomaly signals—does that mean no attack, or has the attack already succeeded?

The defense mechanisms appear intact, yet hackers have already infiltrated. How does this happen?

In this session, we will explore real-world cases to reveal how attackers evade detection and operate stealthily in a seemingly "calm and secure" environment. When no alarms are triggered, does it truly mean you're safe? Let's uncover these hidden risks together!

  • Threat Detection & Response
4 / 16
14:45 - 15:15
4F 4A
/
  • Security Strategy
  • Identity Management
4 / 16
15:30 - 16:00
4F 4A
Anne Hsu / Engineer and Division Director, Information Technology and Security Taiwan Ocean Research Institute, National Institutes of Applied Research.

Although Taiwan is an island surrounded by the sea, many people here remain unfamiliar with the concept of the 'ocean.' There seems to be confusion about how marine-related tasks connect with IT, OT, AI, and cybersecurity.

The Taiwan Ocean Research Institute (TORI) of NIAR (National Institutes of Applied Research), which belongs to NSTC (National Science and Technology Council), is actively involved in the independent design and development of marine exploration equipment and innovative technologies to meet the research needs of government agencies, academia, and research institutions. At the same time, the institute operates the R/V Legend, the largest research vessel in Taiwan. The primary mission of the R/V Legend is to advance ocean science and technology.

In this presentation, I will share our experiences regarding Governance, Risk Management, Threats, Implementation Strategies, and Future Prospects in cybersecurity. Additionally, I will highlight how marine research, including the R/V Legend, can be integrated with information security across various domains. Our primary objective is to safeguard sensitive and valuable marine data from potential threats while continuing to deliver cybersecurity awareness training to our employees.

  • Governance
  • Security Strategy
  • ISO 27001
4 / 17
14:00 - 14:30
4F 4A
/
  • Managed Detection & Response
  • Advanced Threat Protection
  • Data Protection
4 / 17
14:45 - 15:15
4F 4A
Mars Cheng / Senior Threat Research Manager, PSIRT and Threat Research TXOne Networks Inc. Executive Director Association of Hackers in Taiwan

Ambitious threat actors targeting the OT/ICS field invariably plan their actions intensively to produce a successful attack. By abusing multiple misconfigurations and benign, OT-specific infrastructure to evade multiple layers of protection, they can stealthily control the factory's essential assets from the IT to the OT field. For example, according to Mandiant's report, the Russian hacker group Sandworm abused OT-level LoTL (Living Off the Land) to disrupt power in Ukraine. The key to success is abusing OT-specific protocols, techniques, and LOLBins, which are difficult for modern AV/EDR to detect as malicious.

In this research, instead of detecting MALICIOUS, we propose a novel multimodal AI detection, Suspicious2Vec, which achieves contextual comprehension of process integrity and suspicious behaviors in benign OT/ICS operation. We use the AI model on large-scale real-world factories to create a baseline of universal OT-specific operations as numerical vectors, and successfully filter in-the-wild anonymous abuse for attacks as malicious.

From July 2023 to July 2024, our year-long experiment received 2,000,000 pieces of data that were detected as unique suspicious techniques by 562+ human-written expert rules. We use the AI model to project those suspicious actions into numerical vectors using well-known word embedding methods, and also model all the suspicious behaviors of the OT + IT malware families from VirusTotal to generate a set of malware templates as neural ASR (Attack Surface Reduction) rules for detection, successfully capturing 12+ OT malware variants from 52,438 factory program files.

  • Cyber-Physical System Security
  • AI
  • ICS/SCADA Security
4 / 17
15:30 - 16:00
4F 4A
Yuan Xu / Security Engineer Institute for Information Industry

With the rapid development of smart grid technology, the security of Industrial Control Systems (ICS) has become increasingly important. The IEC 61850 protocol, as a key standard in the smart grid, aims to improve automation and interoperability in power systems. However, with its widespread application, IEC 61850 has also exposed various security vulnerabilities, making it a target for potential attackers. This content will explore the application of IEC 61850 in smart grids and the security threats it faces, including known vulnerabilities, attack vectors, and real-world case analyses. Special attention will be given to how these vulnerabilities can be exploited for attacks, and the impact of such attacks on the operation of power systems. Through case studies, the goal is to provide a deeper understanding and to encourage the relevant industries to pay more attention to ICS security, in order to develop effective protective measures and ensure the secure operation of the smart grid.

  • OT Security
4 / 17
16:15 - 16:45
4F 4A
Daniel Chiu / Threat Research Manager TXOne Networks Inc.

You may have seen a summary of various attack techniques on MITRE ATT&CK Enterprise. Do you know what the top 10 ICS metrics that can be exploited are?

You might have seen the CWE Top 25, but have you looked at the OT/ICS CWE Top?

We have compiled the top 10 most commonly used techniques (TIDs) in OT and the top 20 software weaknesses (CWE) that occur in OT.

More importantly, during the presentation, we will reveal multiple publicly disclosed ICS vulnerabilities as examples, explaining each vulnerability and exploitation method in a simple and easy-to-understand way, allowing the audience to clearly understand the threats to industrial control systems.

  • ICS/SCADA Security
  • Threat Intelligence
  • Threat Research

More speakers and agenda details will be announced soon.