Scarlet OT – OT Adversary Emulation for Fun and Profit


August 25, 2023




Track 1

Since 2010 with Stuxnet causing substantial damage to the nuclear program of Iran, ICS security issues have been on the rise.

Enterprises need an efficient way to find vulnerabilities but they might not have the budget for ICS pentesters, which need strong background knowledge in several fields. To solve this problem, we made a rare OT targeting, open source adversary emulation tool we call Scarlet OT as a plugin on MITRE open source tool – Caldera. Users can easily combine IT attacks with our OT adversaries and change steps of attacks or send manual commands in the process.

We summarize the experience of reviewing traffic from over 20 factories and analyzing 19 MITRE defined ICS malwares, and PIPEDREAM/Incontroller in 2022. We found the main trend of ICS malware  changes from single protocol targeting to those with modularized, multiple protocol support. The actions in malware can be summarized as 4 stages of attack flow.

Scarlet OT already supports 10 common protocols and over 23 techniques on the MITRE ICS matrix, which is able to reproduce over 80% of defined ICS malware actions in OT. We also follow the 4 stages conclusion to add some attacks that haven’t been used by any malware (yet). We have tested Scarlet OT on real life oil, gas, water, and electric power devices with protocol simulations for SCADA developers and honeypots. We will have a demo in this presentation and also open source Scarlet OT after the talk.