
Packets Don’t Lie: Leveraging Incident Response Processes to Solve Operational Downtime

Packets Don’t Lie: Leveraging Incident Response Processes to Solve Operational Downtime (PDF, 2.51MB). Last updated: 09 Jun, 2026
Presented by:
Markus Mueller

In industrial environments, the network cable is often the most reliable sensor in the facility. While control systems and PLC logs provide a high-level view of "what" happened, they usually fail to explain the "why" behind intermittent communication drops, command latency, or unexpected physical state changes. When downtime can impact reliability and safety, determining whether a disruption was caused by misconfiguration, equipment fault, or cyber activity requires practitioners to look beyond the application layer and examine the wire itself. This session delivers a technical walkthrough of how to use deep packet inspection and structured incident-response methodologies to pinpoint the root cause of operational failures. Going beyond the basics of packet capture, it explores investigative frameworks for identifying the root cause of industrial reliability issues, whether they are security-related or operational. Using open-source tools such as tcpdump and Wireshark, along with publicly available AI analysis capabilities, the session demonstrates how to map network anomalies directly to physical operational issues. Three real-world-inspired case studies from power generation, data center, and manufacturing environments show how these methods and tools uncover root causes where vendor logs, historian data, and SOC monitoring failed to provide answers. Attendees will leave with a repeatable investigative toolkit that links packet evidence to operational impact, enabling them to move beyond reactive cybersecurity triage toward proactive industrial reliability, troubleshooting, and forensic readiness. This talk empowers defenders, engineers, and investigators to use the network wire as a trusted operational source of truth, because in ICS, the packets don’t lie.
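As an added illustration of the kind of wire-level evidence the abstract describes (this is example code written for this page, not material from the talk or its presenter), the script below takes a tshark-style field export of Modbus/TCP traffic between a client and a PLC, pairs each request with its response by transaction identifier, and reports response latency spikes, unanswered requests, and silent gaps in polling. These are exactly the symptoms ("intermittent communication drops, command latency") that application logs tend to record only as an effect. The capture rows, IP addresses, and thresholds are constructed for the example; the field names in the comment are the Wireshark display-filter fields I assume such an export would use.

```python
"""Added example (not from the talk): pair Modbus/TCP requests with responses
from a tshark-style field export and flag latency spikes, unanswered requests
and silent gaps on the wire. All sample data below is constructed."""
import csv
import io
from dataclasses import dataclass, field

# Constructed export, mimicking something like
#   tshark -r capture.pcap -Y mbtcp -T fields -E separator=, \
#     -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e mbtcp.trans_id
# Requests go to TCP/502 on the PLC (10.0.0.20); responses come back from it.
# Transaction 3 never gets a reply, then the client is silent for a second,
# and transaction 4 is answered slowly.
SAMPLE_EXPORT = """\
1700000000.000,10.0.0.5,10.0.0.20,502,1
1700000000.004,10.0.0.20,10.0.0.5,49152,1
1700000000.100,10.0.0.5,10.0.0.20,502,2
1700000000.103,10.0.0.20,10.0.0.5,49152,2
1700000000.200,10.0.0.5,10.0.0.20,502,3
1700000001.200,10.0.0.5,10.0.0.20,502,4
1700000001.450,10.0.0.20,10.0.0.5,49152,4
"""


@dataclass
class Findings:
    latency_ms: dict = field(default_factory=dict)  # trans_id -> response latency in ms
    slow: list = field(default_factory=list)        # trans_ids whose latency exceeded the threshold
    unanswered: list = field(default_factory=list)  # trans_ids of requests with no response
    gaps: list = field(default_factory=list)        # (t_prev, t_next, seconds) silent periods


def analyze(export_text, latency_threshold_ms=50.0, gap_threshold_s=0.5):
    """Walk the export in capture order and correlate requests with responses.

    A request is recognised by its destination port (502); the matching
    response is the frame from the PLC back to the client with the same
    transaction id. Anything still pending at the end was never answered."""
    pending = {}  # (client, plc, trans_id) -> request timestamp
    findings = Findings()
    last_request_time = None
    for row in csv.reader(io.StringIO(export_text)):
        t, src, dst, dstport, tid = float(row[0]), row[1], row[2], row[3], int(row[4])
        if dstport == "502":
            # Client -> PLC request: note silent stretches between polls
            if last_request_time is not None and t - last_request_time > gap_threshold_s:
                findings.gaps.append((last_request_time, t, round(t - last_request_time, 3)))
            last_request_time = t
            pending[(src, dst, tid)] = t
        else:
            # PLC -> client response: match against the outstanding request
            key = (dst, src, tid)
            if key in pending:
                latency = round((t - pending.pop(key)) * 1000, 1)
                findings.latency_ms[tid] = latency
                if latency > latency_threshold_ms:
                    findings.slow.append(tid)
    findings.unanswered = sorted(tid for (_, _, tid) in pending)
    return findings


if __name__ == "__main__":
    result = analyze(SAMPLE_EXPORT)
    print("latency (ms):", result.latency_ms)
    print("slow transactions:", result.slow)
    print("unanswered requests:", result.unanswered)
    print("silent gaps:", result.gaps)
```

The point of the pairing step is that a historian or vendor log will typically show only "value not updated" or a timeout; the capture shows whether the request left the client at all, whether the PLC answered, and how long it took, which is what lets you separate a slow or unresponsive device from a client or network fault. On a real capture, run the analysis per client/PLC pair and tune the thresholds to the poll cycle of the process in question.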

SANS ICS Security Summit 2026