Ten years ago, at S4x12, we sprang Project Basecamp on the world and showed the scope and impact of insecure by design and vulnerable PLCs and Level 1 devices. So it is only fitting that S4x22 has some bleeding edge Purdue Model Level 1 security sessions. It begins with:

Project Basecamp Redux

  • I’ll kick off the new, 600 seat Stage 2 with 15 minutes on what has and has not improved in PLC security in the last ten years. There are some glimmers of hope, and there are some vendors that seem to be stuck in 2012.
  • Then Reid Wightman, who led Project Basecamp, will spend 30 minutes on what Basecamp 2.0 testing would look like. Vendors don’t worry. He will not be announcing new vulnerabilities/insecure by design issues. Reid will outline more advanced testing that needs to be done.


  • PLC EDR: Model Checking of Logic – – I’ve been hunting for PLC endpoint detection and protection ideas since S4x19. So I’m thrilled that Roberto Bruttomesso will show a model-checking approach that uses a translation of Rockwell’s Ladder Diagrams into an equivalent formal model, on which a set of automatic analysis can be performed. These analysis include checking for logic equivalence and automated test generation, offering benefits in critical environments for detecting malicious or unexpected code behaviors. This research suggests that the use of static analysis techniques for PLC programs needs to be further pushed in order to obtain more secure and reliable programs.
  • PLC Library To Detect Attacks – – Gloria Cedillo will show specific detection examples where a combination of code libraries, secure routines, and the establishment of alarming on the HMI can be developed using examples from Top 20 PLC Secure Coding Practice and other monitoring and operational functions.


  • The Race To Native Code Execution On PLCs – – Sharon Brizinov will get into the technical details, PLC architecture, MC7+ intermediate language, and lower-level native machine code, of how he did this on a Siemens S7-1500 PLC. This allows for unrestricted and undetectable code execution on the S7-1500.


  • Introducing A Digital Forensics and Incident Response Framework for Embedded OT Systems – – Daniel Kapellmann Zafra will show Mandiant’s “DFIR Framework for Embedded Systems” that will be released concurrently. This framework explains how to leverage native functionality built into OT devices and other commonly available tools to help asset owners prepare incident response efforts.

Two of the four Autobahn Training Sessions on Monday, Jan 24th are also PLC/Controller Security Related

  1. Top 20 PLC Security Coding Practices – – Vivek Ponnada and Dirk Rotermund will take 90 minutes and break the top 20 into categories, show examples from the Top 20 in real world situations, and help you figure out how you can best introduce and integrate these practices into your company.
  2. Digital Forensics and Incident Response (DFIR) for PLCs – – Glen Chason and Ken Proska will show how Mandiant does this and some of the new tools being released for public use. This is a longer, more in depth version of the 30 minute introduction on Stage 2.