ICS/OT Cybersecurity & AI: Considerations for Now and the Future (Part I)

So, an artificial intelligence (AI) engine told me, “AI refers to computer systems that can perform tasks requiring human intelligence. AI is divided into Narrow AI, designed for specific tasks, and General AI, which mimics human-like intelligence. Techniques like machine learning and deep learning enable AI to learn from datasets provided to AI engines. AI is applied across multiple industries, driving innovation and societal transformation.”

Yes, AI tools and technologies are here to stay, in many sectors, and we have the opportunity to embrace it, (with caution). For industrial control systems/operational technology (ICS/OT), that does not mean we all go home and let the control system run and secure itself with AI engines. Tactical decisions made by an AI engine to action security defenses inside control system environments, where safety is the main mission, is not likely something that will replace the ICS/OT security and engineering teams right now. The application of AI for the purpose of augmenting existing cybersecurity workflows to defend critical infrastructure is a conversation for right now.

AI Benefits in ICS/OT Cybersecurity

There are clear benefits to the appropriate use of AI, but it requires caution and setting proper expectations. The integration of Al for ICS/OT cybersecurity in facilities can:

• Enhance threat detection
• Inform industrial incident response capabilities
• Prioritize vulnerability management
• Contribute to engineering resilience against evolving cyber threats

A responsible implementation of AI requires AI-specific skilled resources, tools, and the answer to the very first question that should be asked: “What problems can we solve with AI in ICS/OT Cybersecurity?”

Regardless of whether AI is used in ICS/OT cybersecurity or not, the ICS/OT cybersecurity program still requires that 1) safety and engineering operations are prioritized to enable human defenders who 2) understand IT security, 3) understand specific ICS/OT security and how engineering systems operate, and 4) track and understand adversary attack tradecraft for control systems.

Let’s dive deeper into this.

Manage and Plan for a Response to AI in ICS Now

There's an entire section and leadership lab in one of our SANS ICS courses, ICS418: ICS Security Essentials for Managers, where we teach how to use forecasting to get ahead of technology trends for ICS. AI is a perfect example of a trending technology you can use in ICS418. And there are so many more we discover and walk through in class. ICS418 also teaches existing and new leaders how to embed themselves into engineering team meetings and fully understand engineering system requirements. This allows cybersecurity leaders to be informed on how technology, including AI, can positively (or negatively) impact operations.

Let’s briefly look at how we can map AI as a technology trend, a risk, and a benefit to engineering environment protection. First, identify what matters most to the business in a control system industry. The ICS network and engineering systems is the business. So, how can AI improve efficiencies in engineering and ICS cybersecurity in these areas below? *This requires a full understanding of the priorities from your VP of engineering and executive team, first. Some areas to consider include:

• Safety
• Profitability
• Reliability
• Resilience
• Compliance
• Productivity
• Performance
• Availability
• Engineering Intellectual Property Protection

Etc.

The exercise below will help you map your potential, current, and desired states using AI as a technology trend to consider, embrace, plan for, and manage its related risks in ICS.

The Current State represents your current understanding and adaptation of AI, or not, towards its use in your ICS/OT cybersecurity or engineering workflows, today.

Potential State 1 represents one potential future scenario: For example, AI is in the early adoption stages for your control system cybersecurity program. There is a potential for minor workflow improvements, but also a challenge obtaining trained ICS security resources and ICS specific technologies, let alone the infrastructure and trained AI-specific resources.

Potential State 2 represents another potential future scenario: For example, AI is being deployed by vendors or internal employees currently in your environment, but the infrastructure, models, and accuracy are not up to a trusted or accurate level. This leads to increased unnecessary risk to engineering operations, ineffective cyber defenses creating false positives, and poor decisions for engineering system maintenance tasks that could lead to lost time or safety impacts.

Desired State 1 represents an ideal outcome within the next 6-12 months for AI in ICS. It could be that an internal ICS security team is established and trained on ICS security. Simultaneously, AI trends and technology continue to be monitored, fully researched, and aligned with potential engineering system use cases.

Desired State 2 represents an ideal outcome within the following 12-24 months for AI in ICS. It could be that AI is adopted and phased into existing workflows to augment engineering and ICS/OT cybersecurity workflows for improved efficiencies with a dedicated ICS security and engineering resource(s).

ICS and AI in the Field: Top Questions and Answers

With my firm ICS Defense Force, I perform ICS/OT security assessments, incident response tasks, and incident response tabletop exercises across multiple critical infrastructure sectors, globally. This practical field experience allows me to meet with security teams, engineering staff, and leadership.

The latest threats and technology trends are always a topic for discussion. AI included. In fact, I’ve recently completed ICS security assessments and threat hunting exercises across oil and gas, water management, and electric power sectors. In all those cases I tested and leveraged AI safely. Here are some of the most common questions and answers I get about ICS/OT cybersecurity and AI in the field.

Q: Given the threats to critical infrastructure today, is AI the first thing, or even in the top 5 things, to implement immediately to protect the critical infrastructure systems we all rely on to sustain our modern way of life?

A: No, (but it depends, a little). Most organizations today, based on the SANS 2023 ICS Cybersecurity Survey, are spending cybersecurity funds and effort over the next 18th months on:

a. Obtaining network visibility: ICS/OT-specific network traffic visibility for ICS/OT protocols and commands, and

b. Detection of threats entering the ICS through a common vector(s): Transient device threat detection and threats coming through IT networks into ICS/OT networks, (which accounts for nearly 40% of ICS compromises today). However, with additional resources, infrastructure, setup, and tuning etc., AI could augment and assist with select aspects of implementing some of these prioritized security tasks with moderate efficiency improvements.

Q: When is a good time to implement the use of AI to assist in ICS/OT cybersecurity, either passively or actively?

A: If a facility currently has an established ICS security team, and given the current threat landscape to ICS/OT; critical infrastructure, leaders, and practitioners can best prioritize the full implementation of, at the least, the SANS Five ICS Cybersecurity Critical Controls as rapid as possible. Then, consider how to source, deploy, monitor, secure, maintain, and tune AI infrastructure for their ongoing ICS or engineering program.

Q: Will AI take my job?

A: Unlikely, but it is likely that those who understand how to (and how not to) apply AI to meet the engineering and ICS/OT specific security needs will be the humans tasked with modern cybersecurity defenses for ICS/OT environments.

Q: What question should I ask first when considering how AI can help with ICS/OT Cybersecurity?

A: As facilities and engineering leadership consider how ICS/OT can be used in their control systems, a great first question to ask before implementation is, “What problems can we solve with AI in ICS cybersecurity to reduce impacts to safety and reliability, before, during, or after industrial cyber incidents?”

Q: Will the implementation of AI require AI-specific skill sets?

A: Yes. Specific AI infrastructure setup knowledge, including hands-on skills and subject area/sector knowledge is required to do things like, but not limited to, installing, securing, training, and maintaining AI engines and models to be of use.

AI in ICS/OT: Top Challenges and Considerations

Here are some uses, challenges, and considerations when considering the use of AI for ICS/OT cybersecurity and engineering workflows.

Risk to ICS/OT Operations When Using AI

• Cybersecurity Risks: Integrating AI into ICS/OT increases the complexity of the systems, potentially exposing new vulnerabilities for cyberattacks, and in some cases, the potential for false positives to disrupt engineering operations. Ensuring the security of AI algorithms, models, dataset locations, and their detection-only capability is essential.
• Data Quality and Availability: AI systems require high-quality and comprehensive data sets to function effectively and be accurate and correct! In some industrial environments, collecting this data can be challenging due to older equipment or proprietary systems.
• Skills Gap: The specialized knowledge required to implement and manage AI in ICS/OT environments can be a barrier. Training for existing personnel is available (see resources and development points below) and hiring new talent with the right skills would be necessary. It is important to also note, there may be higher priority items inside engineering and ICS security that would provide higher return on investment than undertaking AI at this time. This depends greatly on a facilities’ current ICS specific security maturity.
• Reliability and Trust: Like data quality and availability above, relying on AI for critical decisions in industrial environments requires a high level of trust in the technology. Ensuring the reliability of AI decisions is crucial for acceptance and adoption of the technology and its related risks.

ICS/OT Cybersecurity AI Use Cases

• Anomaly Detection: AI algorithms can analyze vast amounts of threat data from ICS/OT networks to identify unusual patterns or behaviors that could indicate potential cyber threats or malfunctions. This would be an obvious aid to an existing ICS security team’s workflow.
• Threat Detection: AI-powered systems can continuously monitor network traffic and identify known and potential emerging threats based on detected changes, helping to detect cyber-attacks in near real-time. This would be an obvious aid to an existing ICS security team’s workflow. It would be wise to resist a shift to allow AI to actively block (automated response or change) network activity and engineering software functionality that could be flagged as a false positive. That is, the AI engine could cause a legitimate engineering or safety event from being carried out as intended by operators or programmable logic controls, etc., if it got something wrong or was not 100% accurate.

Engineering AI Use Cases

• Predictive Maintenance: Large data sets from sensors and machinery can be processed by AI engines to enable proactive maintenance by helping predict when equipment could fail.
• Process Optimization: AI can optimize processes by analyzing operational steps to help identify inefficiencies and recommend improvements that may lead to increased productivity, reduced energy consumption, and improved product quality in manufacturing, power generation, and refining processes.

In conclusion, for managers and leaders overseeing ICS/OT industrial control system environments, it's imperative to understand that ICS is the business. ICS defenders would do well to navigate the evolving landscape of AI technology with both optimism and caution. While AI holds immense potential to revolutionize engineering practices and bolster cybersecurity defenses for critical infrastructure, it must be approached with a keen awareness of its potential impacts on safety and operational reliability and with the appropriate (risk-based) priority and resources.

It's crucial to acknowledge AI will not replace human decision-making for ICS/OT cybersecurity defense or engineering at this time. Rather, it could be leveraged by a well-established and trained ICS security team to augment their ICS specific security technology, workflows, assessments, etc., as a supplementary tool. Areas where AI can be safely integrated into engineering industrial control system networks may include passive anomaly and threat detection, suggestive predictive engineering equipment maintenance schedules, and threat hunting hypothesis generation.

By embracing AI judiciously and in conjunction with human expertise (who have IT, ICS/OT security, and engineering knowledge), organizations can harness its transformative power with assigned additional resources, while ensuring the robustness and resilience of their critical infrastructure systems. More to come on ICS and AI. Stay connected, stay tuned.

Additional AI Resources and Professional Development

See the following to help equip your role and team(s) with the right training and resources to mitigate the risks and vulnerabilities to the rapid introduction AI into the world.

• Webcast: SANS AI Cybersecurity Forum: Insights from the Front Lines
• Course: ICS418: ICS Security Essentials for Leaders helps build critical infrastructure ICS/OT cybersecurity teams and leaders. This course empowers those stepping into an ICS leadership role for the first time, those leading IT security now also tasked with ICS security, and those stepping up to take the charge to manage cybersecurity risk from inside engineering departments.
• Course: ICS515: ICS Visibility, Detection, and Response teaches how to set up, deploy, and maintain ICS-specific network visibility and incident response from a tactical perspective, that are two of the critical ICS-specific controls among the SANS Five ICS Cybersecurity Critical Controls.
• Course: AIS247: AI Security Essentials for Business Leaders
• Course: SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
• Find a full list of resources here.

Be sure to check out Part II of this series, ICS/OT Cybersecurity and AI: Considerations for Now and the Future, here.

For more insights into leveraging AI to augment existing ICS security workflows, download the SANS Strategy Guide: ICS Is the Business.