This session tries to answer the question: what is the market for ICS 0days? How much is being paid for what type of vulnerabilities?
At INL, much of Sarah Freeman’s time is spent trying to understand the potential impact of cyber events at the technical level, but also the incentives and motivations for organizations to participate in ICS-focused cyber-attacks. At the its core, these kinds of analyses tend to be influenced by concepts of sophistication, with the starting assumption is that in most cases, a threat actor is unwilling to burn exclusive, sophisticated capabilities, choosing instead to maintain them as strategic weapons for a future engagement.
However, this assessment fails to acknowledge the robust marketplace for vulnerabilities, enabled by entities such as Zerodium, Vupen, and Absolute Zero-Day, among others. The market trends for zero-days can be used not only to inform threat analysis, but also to provide guidance for critical infrastructure owners and others seeking to prioritize defensive actions within the resource constrained environment.