SEC536: Adversarial AI - Penetration Testing AI Systems


Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsDefenders of industrial control systems are often focused to respond late in the attack lifecycle, after adversaries have already reached sensitive operational environments. This session presents findings from Palo Alto Networks’ OT Threat Research Lab based on large-scale analysis of 2023/2024/2025 security telemetry collected from more than 61,000 firewalls inspecting industrial application traffic. Using App-ID–based classification, we identified OT protocols and applications traversing network enforcement points and analyzed exploit signatures, exploited vulnerabilities, malware samples, and malicious infrastructure observed at the network edge. Rather than focusing solely on confirmed incidents or post-impact forensics, this research examines early, highly observable behaviors associated with industrial protocol misuse and exploitation attempts. By correlating current firewall telemetry with long-term historical attack patterns derived from predictive analysis models and prior OT incident research, the study identifies recurring sequences of precursor activity that consistently appear before operational impact. When mapped to the MITRE ATT&CK® Matrix for Industrial Control Systems (ICS), these observations highlight persistent capability exposure and repeatable behavioral patterns that can be used to anticipate likely adversary progression. While network-based telemetry alone does not establish adversary intent or asset-specific opportunity, it provides defenders with actionable insight into where early detection and predictive reasoning are most effective. This talk challenges traditional OT security assumptions that detection priority occurs deep inside the environment. Instead, it demonstrates how edge-based visibility, when combined with predictive analysis, enables a shift from purely passive monitoring to safety-aware active defense, allowing organizations to identify, prioritize, and respond to likely attack paths earlier. Attendees will leave with practical guidance on how to apply network edge telemetry, protocol-aware inspection, ATT&CK mapping, and predictive insights to strengthen OT SOC workflows and improve defensive decision-making in environments where PLCs, RTUs, and other industrial assets are present.


Adam is the Head of OT Threat Research at Palo Alto Networks since 2022, with over 15 years of OT and IT experience. He's a publisher with SANS, IEEE, and other conferences, focusing on securing critical infrastructure, finding vulnerabilities, and developing best practices.
Read more about Adam Robbie





