Andrew Ginter of Waterfall Security Solutions speaks on Embedding Malware in ICS Protocols. His conclusion is this is harder than one thinks. The easier solution might be to use the SQL server, web server, ftp server, or other commonly exploited protocols that ICS applications integrate.
Fair warning – the second half of the session gets a bit commercial on his/Waterfall’s view on why unidirectional security solves ICS security challenges.