Companies and governments alike are now facing a cybersecurity threat the likes of which the world has never seen. It’s bigger, faster and more sophisticated, which has the potential to overwhelm the humans tasked with defending against it. At the same time, the operational technology (OT) systems that power critical infrastructure are also getting exponentially more sophisticated. So how can defenders level the playing field and prevent some of these cyberattacks from happening? One potential solution is artificial intelligence (AI), says David Masson, director of enterprise security at Darktrace.
In mid-June, Masson sat down with us to discuss how AI can help protect OT systems, why AI is not designed to replace humans and how the government has stepped in to help harden national cybersecurity (including in some unconventional ways). This is a transcript of Part 2 of his Expert Interview Series installment with Industrial Cybersecurity Pulse. It has been edited for clarity.
ICS Pulse: In our previous conversation, we talked a little bit about the fragility of OT systems and the trouble that these often-older systems can have handling complexity and ambiguity. Your company, Darktrace, does a lot with AI. How can AI get integrated into manufacturing or critical infrastructure, and how can that help to solve these problems?
David Masson: The great thing about AI is it can do things faster, at greater skill and can handle sophistication that human beings just can’t do. We can’t actually handle that. When you come across an OT organization, there’s an awful lot of strange things going on in there. There’s an awful lot of sophistication. There’s an awful lot of complexity, to the point where it almost looks like chaos to the human mind. The great thing about AI is AI welcomes chaos. It can find pattern and order within chaos. It can act at scale. It can act at speed, and we’re talking machine speed, faster than a human being can think. And it can deal with sophistication. Let’s be honest about it: Never mind IT but OT networks are already very sophisticated, and they’re just going to get increasingly sophisticated. But AI can handle that when it comes to trying to understand what you’ve got, and that’s great news.
The other great news about AI is, when we’re looking at the threat that OT faces, it’s now a case of there’s too much of it, it’s too sophisticated — and, again, getting increasingly sophisticated — and it’s now moving at machine speed. So it’s actually already overwhelming your human security teams, but, again, AI can handle that for you. Whereas at the moment, there’s an asymmetry between what you’re trying to defend — increasingly complicated and hard to understand — and what you’re trying to defend it against — increasingly complicated and hard to understand. AI can handle that all for you.
One thing I really want to emphasize here is, this is not about replacing human beings. This is about augmenting human beings. It’s about giving them a fair chance in the fight and actually putting the advantage back in the hands of the defender.
ICSP: Who should own this implementation of AI into these systems? Is this an IT initiative, an OT initiative or a little bit of both?
Masson: It will depend on the organization. Some organizations find themselves in a bit of a dichotomy where they have engineers running the OT and IT running the security. They should actually have a separate cybersecurity team on the IT side. Sometimes you have a bit of a problem there because they really don’t understand each other. For the organization, you need to be bringing in technology that’s going to handle both of those and support both of those human teams, because to do otherwise, it’s just going to lead to gaps. And as I’ve said many times before, where there’s a gap, threat actors will exploit that.
ICSP: With so many attacks recently on critical infrastructure, from the food and beverage sector to oil and gas, how can AI step in and help prevent some of these cyberattacks?
Masson: You actually said the right word there when you said the word “prevent.” The whole idea about deploying technology like AI to protect your IT and your OT is to actually not have the hack happen in the first place. To be honest with you, by the time the hack has happened, it’s already too late. What we keep discovering with ransomware is, by the time they’ve actually encrypted whatever it is — and by the way, you can encrypt an OT network — you discover they’ve actually already been on there for a long, long time, and nobody saw them at all. The damage had already been done before the actual real damage gets done.
But with AI, you can see change in real time and get on to whatever’s happening in an early stage and actually stop it. You can actually use AI to then physically stop it. So many other products out there focus on the big, bad world outside, and I’m going to say you’re going to go mad if you try and do that because you cannot keep up with the worldly threat. It’s just too much, too fast, too complex. It’s better to focus on your business rather than the breach.
If you focus on the business and you use an AI to understand how you are, then you can see change in real time. And as I’ve said, you can get on it and then avoid the breach from actually happening. That’s pretty much the kind of view we’re going to have to take in the future — actually focus on defense rather than trying to keep up with the big, bad world out there.
ICSP: With the fragility of OT systems and their inability to deal with complexity, AI seems like it can help take the onus off those systems and off the humans that are charged with protecting those systems.
Masson: Yeah, but let’s be clear about when we say “take the onus off.” Humans are definitely still in the loop here. What you’re actually doing is using AI to do the heavy lift that humans will struggle to do. The heavy lift in terms of just configuring AI to work out what you’ve actually got to try and protect. You know that old NIST (National Institute of Standards and Technology) thing about “identify and protect”? You can get AI to do that for you, and then allow AI to handle the threat that you’re trying to face and do the heavy lift and, as I say, support human beings.
ICSP: The U.S. government recently has taken steps to try to harden national cyber defense, with a new executive order and some guidelines on pipeline security. Why has that kind of federal intervention become necessary?
Masson: It’s a very interesting point. America and, indeed, all Western liberal democracies have been under heavy cyberattack for many, many years now. Some people might be thinking, “Well, maybe the Colonial Pipeline was the straw that broke the camel’s back.” But governments have been moving toward some kind of action for quite some time. In the case of the United States, you’ve now actually got your 100-day sprint. You’ve got your executive orders that are actually trying to do something about this.
We’ve also seen a point — a really interesting issue just recently — where we had the Microsoft Exchange server attack, which, by the way, to everybody who’s out there, is still happening, OK. It hasn’t gone away. It’s not being patched properly, and what’s become obvious is organizations are either not patching or they’re struggling to patch. We’ve actually seen the FBI go to court, get court warrants, go in and patch it for organizations themselves, and then tell them afterward that they’ve done that. It was quite an interesting intervention on behalf of government that I can’t think of having ever seen before.
ICSP: Playing devil’s advocate, can you walk us through both the positives and negatives of that kind of government intervention into private industry?
Masson: Well, the positive is that it gets done. A major vulnerability in your organization gets patched, and it’s done. The downside is government can’t do this all. Critical national infrastructure in America, as indeed in Canada, 85% of it is in private hands, and government just doesn’t have the resources to protect 85% of critical national infrastructure. So you can’t expect the cavalry to turn up and do it for you every time. It’s just not going to be possible.
The other downside is that some organizations might just take the view, “Well, we don’t have to really worry about this anymore. You know, the Bureau will come along, or the Feds at some point, and do it for us.” But that’s really not going to happen. And despite the incentives, some organizations may just take their foot off the gas a little bit there when it comes to protecting themselves. You will have seen, in parallel with what the government in the USA has done, increasing exhortation from the federal government telling private industry, “You’ve got to protect yourself. You have got to do it.”
ICSP: You mentioned that the response in Canada, where you are, was a little bit different than the response in the U.S. to the idea of the FBI going in and making those patches on their own.
Masson: It’s something that hasn’t happened in Canada, but what we have seen … was the head of the Canadian Centre for Cyber Security, which is the open, public-facing part of the CSC, which is our equivalent of the NSA (National Security Agency), we saw the head of it actually on TV — I don’t want to say that he was imploring, but he was asking people to go and patch. I think the reason he was doing that was because people aren’t patching, so he was actually on TV asking people to do it. At the moment up here in Canada, we’re at the “asking people to do it” stage.
ICSP: What responsibility does private industry have in strengthening national security, not only for their own businesses but in helping protect critical infrastructure?
Masson: Two issues, really. One, it’s the right thing to do. If you’re running OT and it’s part of critical national infrastructure, you really should be playing your role as a taxpayer and making your country safer and all the rest of it. But at the same time, and just to get it down to the nuts and bolts, the nitty gritty, if you don’t protect your organization, there’s a good chance production will be halted. If production is halted, then that’s it. The business isn’t working, you’re not making any money, salaries aren’t being paid, taxes aren’t getting paid and things aren’t happening. So there’s a genuine self-interest, never mind a national interest, in … really trying to protect your OT.