Language: English
10-18, 11:00–15:00 (America/New_York), Track 4 (2104B)
Pipelines frozen, breweries brought to a standstill: recent incidents prove that a single rogue packet can topple an entire production line. In this four-hour, hardware-first workshop, you’ll wield CompatriOT, a palm-sized “pocket-plant” built for safe yet realistic experimentation. Trace its control traffic, shove the process off balance with live protocol abuse, and craft detection logic to spotlight your own mischief. The session culminates in a lightning CTF: stabilize the plant faster than anyone else and you’ll walk away with the pocket-plant itself, plus a ready-to-run lab image for post-conference exploration.
CompatriOT - Pocket Plant
A 4-hour industrial-protocol attack & analysis lab
1 · Why This Matters
MITRE has mapped >30 ATT&CK-ICS techniques to Modbus, OPC UA, and S7comm.
Ransomware crews now deliver “logic-lock” payloads that quietly drift processes out of spec before ransom notes appear. This workshop gives you practical muscle memory to catch and reproduce that behaviour on a desk-size range.
2 · Learning Objectives
| # | Outcome you leave with | Real-world tie-in |
|---|---|---|
| 1 | Fast asset mapping of live sensor → address links | IEC 62443 SR 3.1 baseline |
| 2 | Quiet Modbus overwrite that drives a process variable past spec | ATT&CK-ICS T0833, Q2-2025 pipeline case |
| 3 | Covert OPC UA method abuse that drifts flow without alarms | CVE-2024-45231 advisory |
| 4 | Stealth S7 logic swap masking temperature rise | 2024 “Lost Water” incident |
| 5 | Coverage-guided fuzz run with r0fuzz & roadmap to HW breakpoint feedback | Current best practice for deep protocol assurance |
| 6 | Live decode and recovery of an unknown field-bus in a 60-minute CTF | Packet forensics + incident response under stress |
3 · Lab Environment
- Hardware: CompaTriOT-OT v2 (Broadcom BCM2710A1, STM32, relay, OLED HMI, simulated process sensor)
- Virtual Machine: Pre-built .ova image with every required tool
- Visuals: On-board OLED + lightweight web HMI
Modules & Deliverables
| Clock | Module | Goals |
|---|---|---|
| 00:00 – 00:15 | Boot & Reality Check | Power on the pocket-plant; confirm sensors, relay, and OLED are live. Compare two recent case studies to the board’s process so you understand why today’s drills matter. |
| 00:15 – 00:35 | Baseline Capture | Spin up the provided VM, open the live web HMI, and record a short “golden” traffic capture that shows normal pressure-flow-temperature behaviour. This becomes your reference for the rest of the session. |
| 00:35 – 01:05 | Modbus · Silent Pressure Drift | Craft one carefully formed Modbus frame that nudges the pressure set-point upward. Watch the bar creep toward red while dashboards stay calm, proof that register abuse can fly under the radar. |
| 01:05 – 01:35 | OPC UA · Flow Skew | Explore the server’s browse tree, locate an undocumented method, and call it to alter the flow calculation factor. Flow reads “nominal,” but the tank quietly overfills, illustrating method-level abuse. |
| 01:35 – 02:05 | S7comm · Temperature Mask | Upload a slimmed-down logic block that clamps temperature outputs. Visually everything is “green,” yet the relay works double time—showing how stealthy code swaps hide real-world stress. |
| 02:05 – 02:20 | Break | — |
| 02:20 – 03:00 | r0fuzz Sprint | Combine a generation seed set with high-speed mutation in r0fuzz to hunt edge-case faults in the Modbus handler. You’ll see subtle process glitches before any alert fires, then get a roadmap for adding hardware-breakpoint coverage to boost fuzz depth after class. |
| 03:00 – 04:00 | Mystery-Bus CTF | The board reboots running an unknown protocol that destabilises a new “mix-ratio” loop. Reverse the traffic, restore stable readings before the timer expires, and claim the spare CompaTriOT-OT if you finish first. |
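The Baseline Capture and Silent Pressure Drift modules hinge on one defensive idea: a write to a set-point register is only "silent" if nobody compares it against the golden capture. The following is an added example of such detection logic, written for this page and not taken from the workshop's lab image or the CompatrIoT repository. It decodes Modbus/TCP frames (MBAP header plus Write Single/Multiple Register PDUs) from a constructed sample capture and raises an alert when a write comes from a host that never wrote during the baseline, or pushes a set-point register outside the band the baseline established. The HMI address `10.0.0.5`, holding register `0x0010` as the pressure set-point, and the 3500–4500 band are assumptions invented for the example; the real board's register map is whatever the lab firmware defines.

```python
"""Flag Modbus/TCP register writes that depart from a golden baseline."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# --- Baseline derived from the "golden" capture (constructed values, not the board's real map) ---
HMI_HOSTS = {"10.0.0.5"}                       # only host that issued writes during baseline
SETPOINT_BANDS = {0x0010: (3500, 4500)}        # holding register -> (min, max) seen in baseline
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    register_writes: Dict[int, int]  # address -> value, filled for FC 6 and FC 16 only


def parse_modbus_tcp(raw: bytes) -> ModbusFrame:
    """Decode MBAP header + PDU; reject frames whose framing fields do not add up."""
    if len(raw) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(raw) - 6:  # MBAP length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = raw[7]
    pdu = raw[8:]
    writes: Dict[int, int] = {}
    if fc == 6:
        addr, value = struct.unpack(">HH", pdu[:4])
        writes[addr] = value
    elif fc == 16:
        start, qty, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * qty or len(pdu) < 5 + byte_count:
            raise ValueError("FC16 byte count inconsistent with quantity")
        for i in range(qty):
            (value,) = struct.unpack(">H", pdu[5 + 2 * i:7 + 2 * i])
            writes[start + i] = value
    return ModbusFrame(tid, unit, fc, writes)


def check_frame(src_ip: str, raw: bytes) -> List[str]:
    """Return alert strings for one frame; empty list means it matches the baseline."""
    frame = parse_modbus_tcp(raw)
    alerts = []
    if frame.function_code in WRITE_FUNCTIONS and src_ip not in HMI_HOSTS:
        alerts.append(
            f"tid={frame.transaction_id}: {WRITE_FUNCTIONS[frame.function_code]} "
            f"from non-HMI host {src_ip}"
        )
    for addr, value in frame.register_writes.items():
        band = SETPOINT_BANDS.get(addr)
        if band and not band[0] <= value <= band[1]:
            alerts.append(
                f"tid={frame.transaction_id}: register 0x{addr:04X} set to {value}, "
                f"outside baseline band {band[0]}-{band[1]}"
            )
    return alerts


# Constructed sample capture: (source IP, raw Modbus/TCP frame). Frame 3 is the drift attempt.
SAMPLE_CAPTURE: List[Tuple[str, bytes]] = [
    ("10.0.0.5", bytes.fromhex("000100000006010300100003")),          # FC3 read 3 regs from 0x0010
    ("10.0.0.5", bytes.fromhex("000200000006010600100FA0")),          # FC6 write 0x0010 = 4000 (in band)
    ("10.0.0.77", bytes.fromhex("000300000006010600101770")),         # FC6 write 0x0010 = 6000 from stranger
    ("10.0.0.5", bytes.fromhex("00040000000B011000100002040FA00064")),  # FC16 write 0x0010=4000, 0x0011=100
]


def scan_capture(capture: List[Tuple[str, bytes]] = SAMPLE_CAPTURE) -> List[str]:
    """Run every frame through check_frame and collect the alerts."""
    alerts: List[str] = []
    for src_ip, raw in capture:
        alerts.extend(check_frame(src_ip, raw))
    return alerts


if __name__ == "__main__":
    for line in scan_capture():
        print("ALERT", line)
```

Run against the sample, only the third frame fires, and it fires twice: once because the writer is not the HMI, once because 6000 is outside the 3500–4500 band. The length and byte-count checks in `parse_modbus_tcp` are deliberate: the r0fuzz module will generate frames whose MBAP length disagrees with their size, and a detector that silently accepts those is a detector that can be walked around.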
6 · Prerequisites
- Laptop with admin rights, USB-A/C, Wi-Fi, 10 GB free disk
- Comfortable at a Linux shell
7 · Room Requirements
- Max 30 seats (one board each)
- AC power strips, HDMI projector, 2.4 GHz Wi-Fi or small switch
- Setup time ≈ 15 min
Repos & License
- Firmware / KiCad / labs: https://github.com/traboda/CompatrIoT
- Fuzzer: https://github.com/traboda/r0fuzz
Season Cherian is a hacker-entrepreneur with deep expertise in technical and strategic security across both private and public sectors. As Head of Hardware Security Research at Traboda Cyber Labs, he focuses on OT system security analysis, IoT security, and N-day research. Season mentors India’s top CTF team, bi0s, and is a key organizer of the bi0s meetups. He also speaks and trains at premier conferences including Black Hat, SINCON, SecTor, BSides, and InCTF.
Vivek N J is a seasoned cybersecurity professional with expertise in IoT security, penetration testing, firmware analysis, and reversing. As a Senior Security Engineer at Traboda, he leads the security team in identifying and mitigating risks associated with IoT devices. Additionally, he is a speaker and trainer at premier conferences such as Black Hat, SINCON, and SecTor.