Cybersecurity Roundtable: The future of AI in OT security

Courtesy: CFE Media and Technology

Cybersecurity Insights

  • The supply chain is under attack, and while artificial intelligence (AI) might be helpful, it’s not the end-all be-all. It can help automate simple tasks, but it struggles with complex tasks like correlation.
  • The term “AI” is overused right now because it has become a buzzword in marketing departments and the C-suite. Often, AI is used interchangeably with statistics.
  • Some of the major issues that will define the next era of industrial cybersecurity are supply chain attacks and asset inventory.

The last year in cybersecurity has shown the inherent risks in the software supply chain, with major attacks like SolarWinds impacting public and private institutions globally. As artificial intelligence (AI) becomes more of a factor in industrial cybersecurity, we wanted to determine what role it would play in defending supply chains and other networks. CFE spoke with leading experts for this week’s Industrial Cybersecurity Pulse Roundtable discussion on the future of AI and why the words might be a little overused right now.

Once again, joining Gary Cohen, senior editor of Industrial Cybersecurity Pulse, are Ron Brash, vice president of technical research and integrations at aDolus Technology; Eric Byres, chief technology officer (CTO) and a board member at aDolus Technology; and Dino Busalachi, CTO and co-founder of Velta Technology.

This discussion has been edited for clarity.

ICS Pulse: What is the role of automation in protecting supply chains and other systems? Does that seem like it’s going to be the future — trying to automate these defenses and using artificial intelligence (AI)?

Ron Brash: Well, [that’s a] loaded question. I’m on the anti-AI wagon generally because most of it is statistics and not AI. I think in tandem with a good asset management system, with things like VEX and their siblings SBOMs, there will be something that can do a lot of correlation to a product and the vulnerabilities. It might even be able to tell you other things about that device that maybe you should be concerned [about] or not.

It’s going to be really hard to automate the impact of devices because you can have the same device performing two totally different functions. One function might be very critical, and the other one turns off a light switch in Eric’s office. I don’t care about Eric. He can be in the dark, but the one that controls the fire suppression system, I really want that one to get the most attention, as it should, because their functions are very, very different.

Eric has a cellphone and hopefully a flashlight, but the fire suppression is probably the most important thing that would be in a facility in most cases. So I think automation will help, but the problem is correlating events to each other. There are problems correlating network-related events to system events that are happening on a system or ones that are tunneled through each other so it comes in over a remote terminal session onto a box. It’s hard to see what’s going on in that box and correlating that to a PLC (programmable logic controller) all of a sudden going offline.

In theory, it’s very doable. Have I seen it yet happen in practice to the extent that I think an operator could manage that? No, I have not seen that yet to this date. For a trained individual that knows those facilities, that watches those systems in real time on a very regular basis versus once a quarter, I think it could be done and I think it will be done. But the last thing you want to do is just generate all these useless alerts. What happens? Those technologies get put in the closet and forgotten about and never purchased again. They were a waste of security money.

Work can be done. I think it will be able to enable and to help, but I don’t think we’re at a sufficient place in time, especially when process information has not been included in that decision process.

Dino Busalachi: Right. And you’re going to have OT (operational technology) people that will struggle with something that they think changed their process without their touch on it. The other thing I would say is what they think they know about their environment is usually not entirely true based on the things that we find, whether it’s accessing the environment stuff, having access to the internet, finding plants that have put in their own internet connection, hotspots in their environment that somebody put in there. It’s just amazing what goes on inside of these plants, especially if you’ve got a plant that’s very busy — maybe some start-up activity going on, brownfield, greenfield expansion, lifecycle replacement. Most manufacturers constantly have some activity going on.

There are engineering trailers and construction trailers on site because there’s that amount of work going on inside these facilities. Just constant activity. People coming and going all day every day. It’s amazing. I can go into 10 clients, and eight of them will let me bring my laptop in and plug it right into their network. And not just up at some IT (information technology) network where they scan it, but down on the plant floor, right in the middle of their manufacturing facility.

Eric Byres: I’m not quite as glum as Ron is on AI, but I do think the term gets misused, and Ron nailed it. Because marketing departments like the word AI, it tends to be massively overused. Particularly if you’ve ever tried to go for funding, you have to use the words AI and blockchain when you’re pitching to investors. I do believe there are more and more useful applications for machine learning, AI techniques and, as Ron nailed it, correlation. People don’t correlate things well fast enough. People don’t read things well enough [or] fast enough. One of the simple AI projects we’ve got going is reading vulnerability notices, using machines to do it, looking up what the products are and then letting you know whether that AI notice or vulnerability notice applies to your facility.

It’s not fancy AI. I don’t want a human being to read all this paper when I could get it interpreted quickly. Until we get rid of the PDFs and go for something like VEX, I think we’re going to be seeing that a lot. We see it even just sorting out lookups into the national vulnerability database. All sorts of correlation and analysis techniques can help. A little AI can help them go a long way, but it’s not the be-all end-all. It’s not going to save us.

ICSP: What’s the one thing in industrial cybersecurity you wish more people were paying attention to right now? What do you think will define this next era?

Byres: I think the supply chain is what we’re going to have to watch because it’s what the bad guys are watching. They’re going, “Hey, this is a party. If we want to do ransomware, if we want to do nation-state attacks, if we want to get a foothold into all the U.S. government agencies, we’re going to use a supply chain attack.” I’m very confident that the bad news for the next decade is what we are going to do to secure the software supply chain of OT, of IT, of everything that’s got this in it.

Busalachi: Asset inventory is the No. 1 thing that most clients are after right now. The work that we initially start off with, that’s what they’re after: the asset inventory, trying to determine what do I have in my environment that I don’t know about and what is its posture? What is it doing? That’s No. 1.

Risk would come in right behind that. We’re starting to see a lot of pushback from the whole regulation conversation and cover from the government. State and local insurance instill a lot of pressure on some of these groups, such as non-critical infrastructure. And now you’ve got TSA that’s taken on a role to the rail and in pipelines. That’s going to be a new role for them. That’ll be interesting to see how that goes, but I’m going to go with asset inventory.

Brash: Common sense. But if common sense was so common, we’d all have it, right? I think we need to include supply chain and developers. We need to start thinking about where stuff comes from and what ends up in the result. Then, how do we have to deal with what’s in the result afterward? There are multiple pieces there, and we need to be logically and deeply thinking about all of these pieces. We need to change the way that we do business, the way that we look at products, the way we look at technology and the way that we need to run businesses, especially if we’re considering keeping the lights on and keeping water flowing and all the fundamental human needs, regardless of what country you’re in. All of that needs to change, and we need to start being more proactive in our purchases as well as our current investments in upgrading.
