Listen to this Post

Introduction:
The recent confluence of the BSidesICS and S4x26 conferences in 2026 has provided the cybersecurity community with a critical roadmap for the year ahead. As highlighted by industry leaders and attendees, the discussions pivoted sharply from theoretical risk to the practical implementation of securing Operational Technology (OT). With the integration of Artificial Intelligence into critical infrastructure and the perennial challenge of disaster recovery, these events underscored that the human element and community-driven knowledge sharing remain the bedrock of industrial cybersecurity. This article synthesizes the core technical takeaways, offering a hands-on guide to the tools, configurations, and mindsets discussed on the main stage and in the hallways.
Learning Objectives:
- Objective 1: Understand the operational failure modes of AI in grid operations and how to implement “responsible adoption” guardrails.
- Objective 2: Execute a phased approach to OT Disaster Recovery (DR) planning, including network segmentation validation and backup integrity testing.
- Objective 3: Identify and mitigate common misconfigurations in ICS environments that were highlighted during S4x26 PoC demonstrations.
You Should Know:
- The “NoStrike” Approach: Hardening AI/ML Pipelines for OT
Discussions, particularly Remy Stolworthy’s talk on AI in Electric Grid Operations, moved beyond hype to the gritty reality of failure modes. In OT, an AI hallucination isn’t a funny chatbot error; it can cause physical instability. The core concept is ensuring AI does not disrupt essential functions. This requires a “NoStrike” environment for AI models before they touch the SCADA stack.
Step‑by‑step guide: Implementing a Shadow Mode for AI Inference
Before deploying any AI model for load balancing or anomaly detection, you must run it in a shadow mode to compare its decisions against human operators without actually executing them.
- Network TAP Setup: Deploy a network Test Access Point (TAP) on the SPAN port of your OT switch connecting the RTU to the control server.
– Linux Command (to verify traffic mirroring): `tcpdump -i eth0 -w pre_ai_baseline.pcap` (Run this on the analysis server to ensure you are capturing the live OT traffic).
2. Model Input Sanitization: Create a wrapper script that validates all inputs going into the AI model against a predefined schema of allowable grid states.
– Python Snippet (Conceptual Guardrail):
def validate_grid_state(voltage, frequency):
if voltage < 110 or voltage > 130: Example bounds for a 120V system
log_failure("Voltage out of bounds", voltage)
return False Reject input, fallback to rule-based engine
return True
3. Output Arbitration: Configure the AI model to output to a “dead” database or a log file only. The actual control signals must still originate from the legacy, deterministic control logic.
– Windows Command (to monitor the log): `Get-Content -Path “C:\OT_AI_Shadow\output.log” -Wait` (Use this to tail the log in real-time to see what the AI would have done).
2. OT Disaster Recovery: Beyond Backups to Orchestration
Michael Hoffman and Saltanat Mashirova’s discussion on Disaster Recovery highlighted that in OT, DR is not just about restoring data, but restoring physics. A rushed recovery can cause power surges or mechanical stress. The focus was on compartmentalized recovery.
Step‑by‑step guide: Validating an OT DR Plan with Network Segmentation
1. Map Critical Paths: Identify the “crown jewels” (e.g., the PLC controlling a turbine) and the Level 3 (Site Operations) and Level 2 (Supervisory) systems it depends on.
2. Test Network Isolation First: Before attempting to restore the PLC, ensure the recovery VLAN is properly segmented from the production network to prevent a “clean” recovery from being re-infected.
– Linux Command (from a recovery jump box): `ping -c 4
` (If the ping succeeds when it shouldn't, your isolation is broken. The result should be <code>100% packet loss</code>). 3. Restore from Immutable Backups: Verify the integrity of your backup before deployment. - Linux Command (checksum verification): `sha256sum ot_plc_backup_v1.2.bin > checksum.txt` (Compare this checksum against the one generated immediately after the backup was created to ensure it hasn't been tampered with). 4. Simulate Load: After restoring a virtualized HMI, simulate network load to ensure it can handle peak polling requests from field devices without crashing again. - Windows PowerSHell (using Pester for basic load simulation): You can script a loop that sends repeated queries to the HMI's API endpoint to test stability before reconnecting live hardware. <ol> <li>Vulnerability Exploitation and Mitigation in the PoC Pavilion The S4x26 PoC Pavilion featured live demonstrations of attacks on industrial gear. A common theme was the exploitation of "DCOM" and "OPC" services left exposed internally. Attackers are moving away from hacking the PLC directly and instead compromising the Engineering Workstations that manage them.</li> </ol> <h2 style="color: yellow;">Step‑by‑step guide: Hardening the Engineering Workstation (Windows Focus)</h2> <ol> <li>Audit DCOM Permissions: DCOM is frequently used for OPC communication but is notoriously insecure if left default.</li> </ol> - Windows Command (launch DCOM config): `dcomcnfg` - Navigate to Component Services -> Computers -> My Computer -> DCOM Config. - Locate the OPC Server application, right-click -> Properties -> Security. - Change "Launch and Activation Permissions" from "Default" to "Custom" and restrict it to only specific service accounts, not `Everyone` or <code>Authenticated Users</code>. <h2 style="color: yellow;">2. Disable Unnecessary Services: Reduce the attack surface.</h2> <ul> <li>Windows PowerShell (as Admin): `Get-Service -Name Remote | Stop-Service -Force` (Be extremely careful here. Do not stop core services. This is an example for disabling unnecessary remote registry access if it is not required for engineering tasks. Always validate in a test environment first).</li> </ul> <ol> <li>Application Allow-listing: Ensure only approved engineering software (e.g., Rockwell, Siemens software) can execute.</li> </ol> - Windows Command (using AppLocker via Local Security Policy): `secpol.msc` -> Security Settings -> Application Control Policies -> AppLocker -> Executable Rules. Create a rule that allows `%PROGRAMFILES%\Rockwell Software\` and denies everything else. <h2 style="color: yellow;">4. API Security in the Converged IT/OT World</h2> As the lines blur, APIs are becoming the new attack vector in OT. Discussions highlighted that modern "Smart" OT devices expose REST APIs that are often protected by default credentials. <h2 style="color: yellow;">Step‑by‑step guide: Auditing an OT Device's API</h2> <ol> <li>Discover the API Endpoints: Use a tool like Postman or a simple curl command to map the API.</li> </ol> - Linux Command (to fetch the API documentation, often exposed at predictable paths): [bash] curl -k -X GET https://[bash]/api/v1/swagger.json -H "Accept: application/json" This might reveal all endpoints, parameters, and authentication methods.
2. Test for Injection: If the API accepts a parameter to query data (e.g., ?sensor_id=1), test for command injection.
– Linux Command (conceptual test): `curl -k -X GET “https://
/api/v1/data?sensor_id=1; ls"` - If the device returns a directory listing instead of sensor data, it is vulnerable to command injection. 3. Implement Rate Limiting: Protect the API from being overwhelmed by a bot or a faulty sensor polling too fast. This is often configured on the web server or API gateway sitting in front of the OT device (e.g., Nginx, HAProxy). <h2 style="color: yellow;">5. The Human Firewall: Training and Certification Paths</h2> Tony Moukbel’s profile highlights the importance of certifications, while Sasha Mullins Lassiter’s post emphasizes the community. The technical skills are useless without a trained workforce. The industry is converging on specific certifications for OT roles. <ul> <li>Pathway: For IT professionals moving into OT, the consensus is to start with foundational knowledge (like SANS ICS) and then specialize.</li> <li>Practical Training Command: Setting up a home lab with virtualized PLCs (using CODESYS or OpenPLC) is essential.</li> <li>Linux Command (to run OpenPLC on Ubuntu for practice): [bash] sudo apt update sudo apt install git python3 python3-pip git clone https://github.com/thiagoralves/OpenPLC_v3.git cd OpenPLC_v3 sudo ./install.sh This installs the runtime, allowing you to practice ladder logic and security controls locally.
What Undercode Say:
- Key Takeaway 1: AI in OT must be treated as a “co-pilot,” not an “autopilot.” The community consensus from S4x26 is that strict input validation and shadow mode testing are non-negotiable before any AI touches grid operations.
- Key Takeaway 2: Disaster Recovery in OT is a physics problem, not just a data problem. The focus must shift from “restoring files” to “orchestrating a safe sequence of power-ups” to avoid catastrophic physical stress on machinery.
The underlying analysis from these conferences is clear: the ICS/OT community is maturing. The “hallway track” conversations about failed recoveries and AI hallucinations are more valuable than any vendor pitch. The industry is recognizing that while technology like AI offers new capabilities, it introduces failure modes we are only beginning to understand. The emphasis on certifications and training (GSEC, GICSP) shows a collective effort to professionalize the field, moving it away from tribal knowledge and toward standardized, repeatable, and safe engineering practices. The sentiment of unity and shared experience, as highlighted by Saltanat Mashirova and Mike Holcomb, remains the strongest defense against adversaries targeting critical infrastructure.
Prediction:
Within the next 18 months, regulatory bodies like NERC or national cybersecurity centers will begin mandating “AI Impact Assessments” for critical grid operations, mirroring the “shadow mode” validation processes discussed at S4x26. Furthermore, we will see a rise in “DR Orchestration” platforms specifically designed for OT, moving beyond generic IT backup solutions to handle the sequential and timing-based recovery requirements of industrial processes.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Chromecowgirl Bsidesics – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


