ICSQuartz: Scan Cycle-Aware and Vendor-Agnostic Fuzzing for Industrial Control Systems

Corban Villa

Network and Distributed System Security (NDSS) Symposium 2025 · Day 2 · Fuzzing 1

In this compelling talk at the NDSS Symposium, Corban Villa from the MoMA Lab at NYU Abu Dhabi presented "ICSQuartz," a novel fuzzing framework designed to enhance the security of Industrial Control Systems (ICS). The research addresses the critical need for robust vulnerability detection in the Programmable Logic Controllers (PLCs) that form the backbone of essential infrastructure such as power plants and water treatment facilities. With the increasing convergence of operational technology (OT) and information technology (IT), these systems are now exposed to a broader spectrum of sophisticated cyber threats, necessitating advanced security mechanisms.

AI review

Solid, original research from an undergraduate that actually moves the needle on ICS fuzzing — scan cycle-aware mutation strategies, whitebox instrumentation via a modified open-source compiler, and a real CVE to show for it. The first known Structured Text CVE and a confirmed compiler bug are concrete artifacts that validate the claims.