One of the biggest hurdles to maintaining strong industrial cybersecurity practice isn’t finding the right technology to keep attackers out; it’s controlling the human factor. As the threat landscape matures and hackers become savvier — and especially as factors like 5G networks and artificial intelligence (AI) start coming into play — it’s getting harder for humans to keep up. That’s why, said David Masson, director of enterprise security at Darktrace, it’s so important to start supplementing your human and technological cyber defenses with AI.
The last time Industrial Cybersecurity Pulse talked to Masson, he spoke of the fragility of operational technology (OT) and how these often older systems can struggle with complexity and ambiguity. AI can help supplement human security teams because it does a much better job handling complexity. According to Masson, AI can do things faster, at greater scale and can handle sophistication in a way human beings just can’t.
“When you come across an OT organization, there’s an awful lot of strange things going on in there,” Masson said. “There’s an awful lot of sophistication. There’s an awful lot of complexity, to the point where it almost looks like chaos to the human mind. The great thing about AI is AI welcomes chaos. It can find pattern and order within chaos. It can act at scale. It can act at speed. And we’re talking machine speed, faster than a human being can think.”
An ounce of prevention
While OT networks are already sophisticated, Masson said they’re only going to get more so. Unfortunately, the threat that’s being thrown at them is moving in the same direction, and it’s already overwhelming the human security teams tasked with preventing it.
“At the moment, there’s an asymmetry between what you’re trying to defend — increasingly complicated and hard to understand — and what you’re trying to defend it against — increasingly complicated and hard to understand,” Masson said. “AI can handle that all for you.”
But Masson is clear this is not about replacing human beings; it’s about augmenting them and giving them a fair chance in the fight. The goal is to implement technologies that can handle and support both OT and information technology (IT) teams. If those teams aren’t working together, Masson said, it can lead to gaps, and those gaps are exactly what threat actors are looking to exploit.
“Humans are definitely still in the loop here,” Masson stressed. “What you’re actually doing is using AI to do the heavy lift that humans will struggle to do.”
Cybersecurity should be about prevention, not response. The idea behind deploying AI to protect IT and OT networks is to stop the cyberattack from happening in the first place. Once the hack has happened, it’s already too late. This has become clear with the spate of recent ransomware attacks. By the time a company’s files are encrypted and ransomed, the criminals have already been sitting undetected in those networks for a long, long time, and the damage is already done. It’s like the old axiom from Benjamin Franklin: An ounce of prevention is worth a pound of cure.
“So many other products out there kind of focus on the big, bad world outside,” Masson said. “You’re going to go mad if you try and do that because you cannot keep up with the worldly threat. It’s just too much, too fast, too complex. It’s better to focus on your business rather than the breach. If you focus on the business and you use an AI to understand how you are, then you can see change in real time. And as I’ve said, you can get on it and then actually avoid the breach from happening.
“That’s pretty much the kind of view we’re going to have to take in the future — actually focus on defense rather than trying to keep up with the big, bad world out there.”
Critical national infrastructure
The kind of threat that’s “out there” has become clear, with critical national infrastructure increasingly under attack. Recent hits on Colonial Pipeline, JBS and other companies have prompted the federal government to take significant action in hardening national cyber defenses. This threat is nothing new, however; America and Western liberal democracies have been under heavy cyberattack for years now. Recent publicity and awareness have encouraged the U.S. to take a stronger hand, especially in a case like the Microsoft Exchange server attack.
“What’s become obvious is organizations are either not patching or they’re struggling to patch,” Masson said. “We’ve actually seen the FBI go to court, get court warrants, go in and patch it for organizations themselves, and then tell them afterward that they’ve done that. It was quite an interesting intervention on behalf of government that I can’t think of having ever seen before.”
Of course, there are positives and negatives to that kind of government intervention. The positives are that it gets done and vulnerabilities get patched. The downside is that the government can’t — and shouldn’t be expected to — do it all for private industry. According to Masson, 85% of critical national infrastructure is in private hands. The government simply doesn’t have the resources to protect at that scale. If companies expect the cavalry to show up and manage their cybersecurity every time, the danger is that some may take their foot off the gas when it comes to protecting themselves. The recent executive order and other initiatives from the Biden administration have exhorted companies to focus on their cyber defenses for the good of the nation.
If protecting the national interest isn’t enough to motivate private companies, Masson said there is another incentive: the bottom line.
“It’s the right thing to do,” he said, “if you’re running OT and it’s part of critical national infrastructure, you really should be playing your role as a taxpayer and making your country safer and all the rest of it.
“But at the same time — and just to get it down to the nuts and bolts, the nitty-gritty — if you don’t protect your organization, there’s a good chance production will be halted. If production is halted, then that’s it. The business isn’t working, you’re not making any money, salaries aren’t being paid, taxes aren’t getting paid and things aren’t happening. So there’s a genuine self-interest, never mind a national interest, in… really trying to protect your OT.”
In Part 1 of our interview with Darktrace’s David Masson, he discussed why OT is worth protecting and the complexities of securing these “fragile” systems. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.