Leveraging AI to Protect OT: Expert Interview Series, Hayley Turner, Darktrace

Are ransomware attacks actually on the rise, or are they just getting more publicity? The unfortunate answer is yes on both counts. In 2020 alone, the FBI’s Internet Crime Complaint Center received 2,474 complaints identified as ransomware, with adjusted losses of more than $29.1 million; those figures are up roughly 20% and 200%, respectively, from the previous year. So how can companies defend against this surge? One way is to apply artificial intelligence (AI) to the protection of industrial environments, said Hayley Turner, director of industrial security at Darktrace.

While most of the recent ransomware attacks have begun by compromising information technology (IT) systems, operational technology (OT) is still very much at risk. Several of these IT attacks, such as the one on Colonial Pipeline, ended up forcing OT to be taken offline even though the intrusion never needed to reach it, and more and more attackers are targeting OT systems directly as well. In the world of the Industrial Internet of Things and the cloud, a robust cyber defense needs to cover both IT and OT. According to Turner, getting IT and OT to work together begins with unifying visibility and unifying the approach to protection across both environments.

“When we’ve got these disparate teams and they’re not communicating particularly well, it leads to missed detections,” Turner said. “One of the ways that we can really enhance and enable that [communication] is by using a shared technology platform so that they’re speaking the same language, they understand the approach, they’ve got that same level of visibility. It really helps in this scenario.”

Detect, respond and contain

For most attacks that begin on IT systems, the goal should be to detect, respond to and contain the threat in IT before it ever has the opportunity to affect operational systems. To do that, Turner said, companies need to assume that eventually their perimeter will be breached and ransomware will find its way in. They then need to be able to detect and respond to the breach as soon as possible, disrupting and containing the behavior in real time with the right technologies.

“The technology platform also needs to be able to have that really finely tuned sense of self and understanding of what’s normal for the environment,” Turner said. “Because if we don’t understand what’s normal when there has been an incident, we don’t always have the confidence to know that we have contained it, that it hasn’t spread further. And if we can understand that the operating environment is continuing to behave as normal, so are most of our IT systems, we can avoid some of those costly and unnecessary manual shutdowns that can be the result of an IT attack.”

Of course, getting IT and OT to work together toward preventing these threats is not an easy task. Culturally, they are very different, and they don’t always understand where the other is coming from.

“Traditionally, for those teams that have looked after operating environments, security hasn’t been a high priority or necessarily a big risk because of that physical separation,” Turner said. “For IT security, OT environments and the focus around availability is completely a new topic. It’s not focused around protecting intellectual property, for example. Culturally, it can be very different, and there can be knowledge gaps and cultural gaps that exist between them.”

Using AI to add meaning and context

Turner and Darktrace are trying to use technology, primarily AI, to break down that IT/OT divide and help protect environments against ransomware. Turner said AI can help add meaning and context to real-world events — OT context for IT security professionals who are charged with looking after an OT environment, and security context to OT professionals trying to grapple with a new cybersecurity requirement. The ultimate goal is to create a shared language and understanding. But the main benefit of using AI, especially in industrial environments, is its ability to handle complexity and unpredictability.

“When we’re talking about ransomware in the industrial environment, it’s obviously a high-stakes situation,” Turner said. “But we’re usually dealing with very complex environments, and the way that ransomware or any sort of cyberattack can present, it’s incredibly varied. We need to leverage technologies that can handle complexity and that can handle unpredictability, that are able to spot these attacks regardless of how they present.”

Turner pointed to three key ways companies can use AI to address ransomware in this space. First, defenders need to be able to detect the early, subtle indicators that something in their environment has changed. AI can build a sense of normal, or a sense of self (how the environment behaves when all is well), so that companies can spot the early signs of an attacker’s presence.

The next step is to reduce the time to meaning. Once something unusual has been spotted, that information needs to get into the security team’s hands in a way that is meaningful and actionable in the shortest amount of time possible. AI can be used to automate a lot of the triage and investigation, adding context and deciding what the change means and what could potentially be done about it.

Lastly, and perhaps most importantly, AI can work at a speed humans just can’t match. Detecting the problem is one thing; companies need to be able to respond to it at a similar speed, especially if it’s in the industrial environment or impacts critical infrastructure.

“If it’s got to that point where it’s executed and the ransomware is running around on the network, even the most well-resourced, dedicated, 24/7 human team can’t keep up with that speed,” Turner said. “An entire network could be encrypted in a very short space of time. And certainly when we’re talking about OT systems where there’s a lot of fragility, particularly at those lower levels, we need to be able to disrupt it in real time.

“That’s where we need to leverage AI, to be able to make those machine-speed decisions and those machine-speed actions to disrupt illegitimate activity as soon as it presents itself in a way that enables normal business activity to continue. So that if there is a ransomware attack, we can contain it in a way that allows the operations at those lower levels to continue, and it doesn’t have that crisis-level impact.”
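To make the three steps concrete (learn what is normal and flag deviations, turn a deviation into a meaningful finding, then act in a narrowly scoped way so normal operations continue), the following is an added example written for this article. It is not Darktrace’s code and was not supplied by Turner; the asset inventory, zone labels and flow records are all constructed for the example, and the scoring weights and containment threshold are arbitrary choices made here for illustration.

```python
"""Behavioural baseline detection over constructed IT/OT flow records.

Learns which (destination, port) pairs each source host normally talks to,
flags flows that fall outside that baseline, enriches them with asset
context, and emits a containment action that blocks only the anomalous
flows. Everything below (hosts, zones, flows, scores) is constructed for
this example; none of it is Darktrace's own logic or data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory: address -> (name, zone, Purdue level).
ASSETS = {
    "10.1.0.10": ("hr-laptop-03", "IT", 4),
    "10.1.0.20": ("file-server-01", "IT", 4),
    "10.1.0.21": ("file-server-02", "IT", 4),
    "10.1.0.22": ("workstation-07", "IT", 4),
    "10.2.0.5": ("eng-workstation-01", "OT", 3),
    "10.2.0.6": ("historian-01", "OT", 3),
    "10.3.0.11": ("plc-line1", "OT", 1),
    "10.3.0.12": ("plc-line2", "OT", 1),
}

SMB, MODBUS = 445, 502


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# Constructed learning window: traffic observed when all is well.
BASELINE_FLOWS = [
    Flow("10.1.0.10", "10.1.0.20", SMB),
    Flow("10.1.0.22", "10.1.0.20", SMB),
    Flow("10.2.0.5", "10.3.0.11", MODBUS),
    Flow("10.2.0.5", "10.3.0.12", MODBUS),
    Flow("10.2.0.6", "10.3.0.11", MODBUS),
    Flow("10.2.0.6", "10.3.0.12", MODBUS),
]

# Constructed detection window: normal traffic plus a compromised laptop.
LIVE_FLOWS = [
    Flow("10.1.0.10", "10.1.0.20", SMB),      # normal
    Flow("10.2.0.5", "10.3.0.11", MODBUS),    # normal
    Flow("10.1.0.10", "10.1.0.21", SMB),      # new SMB peer
    Flow("10.1.0.10", "10.1.0.22", SMB),      # new SMB peer
    Flow("10.1.0.10", "10.2.0.6", SMB),       # IT host reaching into the OT zone
    Flow("10.1.0.10", "10.3.0.11", MODBUS),   # IT host speaking Modbus to a PLC
]


def learn_baseline(flows):
    """Step 1: per-source set of (dst, port) pairs seen during learning."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.port))
    return baseline


def detect(baseline, flows):
    """Step 1, continued: keep only flows the source has never made before."""
    return [f for f in flows if (f.dst, f.port) not in baseline.get(f.src, set())]


def triage(anomalies):
    """Step 2: group by source, add asset context, score and explain."""
    by_src = defaultdict(list)
    for f in anomalies:
        by_src[f.src].append(f)
    findings = []
    for src, flows in by_src.items():
        name, zone, _level = ASSETS[src]
        reasons, score = [], 0
        smb_peers = {f.dst for f in flows if f.port == SMB}
        if len(smb_peers) >= 2:                      # fan-out over SMB: lateral movement pattern
            score += 40
            reasons.append(f"SMB to {len(smb_peers)} new peers")
        if zone == "IT" and any(ASSETS[f.dst][1] == "OT" for f in flows):
            score += 30
            reasons.append("crossing from IT zone into OT zone")
        if any(f.port == MODBUS and ASSETS[f.dst][2] <= 1 for f in flows):
            score += 30
            reasons.append("Modbus/TCP to a Level 1 controller")
        findings.append({"src": src, "asset": name, "score": score,
                         "reasons": reasons, "flows": flows})
    return sorted(findings, key=lambda x: -x["score"])


def contain(finding, threshold=60):
    """Step 3: deny only the anomalous flows; baseline traffic is untouched."""
    if finding["score"] < threshold:
        return []
    return [("deny", f.src, f.dst, f.port) for f in finding["flows"]]


def run(baseline_flows=BASELINE_FLOWS, live_flows=LIVE_FLOWS):
    """Full pipeline: returns (findings, containment actions)."""
    baseline = learn_baseline(baseline_flows)
    findings = triage(detect(baseline, live_flows))
    actions = [a for fnd in findings for a in contain(fnd)]
    return findings, actions


if __name__ == "__main__":
    for fnd in run()[0]:
        print(f"{fnd['asset']} ({fnd['src']}) score={fnd['score']}: {', '.join(fnd['reasons'])}")
    for action in run()[1]:
        print(action)
```

Run against the constructed windows, the laptop’s existing file-server session and the engineering workstation’s usual PLC traffic pass untouched, while its four new flows are scored together (SMB fan-out, IT-to-OT crossing, Modbus to a Level 1 device) and denied individually. That per-flow scoping is the point of the third step: containment that does not require shutting down the lower levels.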

What’s next?

Turner said one of the main trends she has seen in the cybersecurity space is that more ransomware is being deliberately written for and targeted against industrial control systems (ICS). EKANS was the first ransomware family whose kill list included ICS-specific processes, but other families are emerging that do the same thing.

“I think that the targeting will increase, and the level of sophistication around some of that targeting will increase,” Turner warned. “More broadly though, I think we’re going to see a rise in the volume of attackers joining in. It is no longer just the purview of nation-states. Cyber criminals are seeing the incentive. Obviously, there are pressure points around operating environments, particularly around critical infrastructure. There’s a greater likelihood of people giving in to their demands.”

Another trend Turner said she has been watching is the growing likelihood that attackers will start to use machine learning techniques in their attacks. This development is still in its infancy, but it is on the near horizon, and it could make future attacks much harder to detect.

“We know that the know-how, the building blocks to enhance a malware attack with machine learning, to enhance its speed, its stealth, to reduce the likelihood of being detected, a lot of that technology already exists,” Turner said. “As more and more AI research and software becomes available in the public domain, we imagine we’re going to start to see more of that playing out in attacks, which will make them that much more difficult to detect using traditional methodologies.”

Given the prevalence of recent attacks, it can seem as if attackers are well ahead of the people tasked with defending against them, but that is to be expected. Attackers usually have the advantage because they only need to find one way into the environment. Turner said companies looking to enhance their cybersecurity need a shift in mindset.

“We need to accept that eventually a sophisticated or determined attacker will find their way onto the network,” she said. “So looking at what level of visibility, what level of understanding do I have of my systems, and am I in a position to detect and respond immediately if something were to go awry? It’s this concept of cyber resilience, of being prepared to respond.

“So looking at platforms like those that leverage AI, for example, that are able to do a lot of that heavy lifting and that are in a position to spot the attacker, regardless of what they do next. That’s the concept we’re trying to get to, where the defender is on the front foot, because they don’t need to predict what the attacker is going to do next. They can understand what’s normal for them, and therefore they can spot the attacker regardless of how they try to leverage this new hyperconnected environment to disable important systems.”

This is Part 2 of the interview with Darktrace’s Hayley Turner; Part 1 covers how attackers are targeting ICS systems and why critical infrastructure is increasingly under attack.