SEC536: Adversarial AI - Penetration Testing AI Systems


In industrial environments, the network cable is often the most reliable sensor in the facility. Control systems and PLC logs provide a high-level view of "what" happened, but they usually fail to explain the "why" behind intermittent communication drops, command latency, or unexpected physical state changes. When downtime can impact reliability and safety, determining whether a disruption was caused by misconfiguration, equipment fault, or cyber activity requires practitioners to look beyond the application layer and dive into the wire.

This session delivers a technical walkthrough of how to use deep packet inspection and structured incident methodologies to pinpoint the root cause of operational failures. Going beyond the basics of packet capture, it explores investigative frameworks for identifying the root cause of industrial reliability issues, whether they are security-related or operational. Using open-source tools such as tcpdump and Wireshark, along with publicly available AI analysis capabilities, the session demonstrates how to map network anomalies directly to physical operational issues. Three real-world-inspired case studies from the power generation, data center, and manufacturing sectors show how these methods and tools uncover root causes in environments where vendor logs, historian data, and SOC monitoring failed to provide answers.

Attendees will leave with a repeatable investigative toolkit that links packet evidence to operational impact, enabling them to move beyond reactive cybersecurity triage toward proactive industrial reliability, troubleshooting, and forensic readiness. This talk empowers defenders, engineers, and investigators to use the network wire as a trusted operational source of truth, because in ICS, the packets don’t lie.


Markus Mueller is an industrial cybersecurity and operational technology leader and practitioner with 20+ years of experience conducting network-centric investigations and root-cause analysis across critical infrastructure environments.