Using Machine Learning to Protect OT: Expert Interview Series, Richard Robinson, Cynalytica

The last calendar year has been defined by cyberattacks. They’ve hit everyone from businesses to oil pipelines to hospitals, often bringing operations to a standstill and having far-reaching implications on society at large. When we talk about protecting these systems, most people are thinking about information technology (IT), but operational technology (OT) needs to be much more than an afterthought. So how can we protect these often-older, legacy assets from serious attack, and what role can things like machine learning (ML) and artificial intelligence (AI) play?

Legacy OT assets

“There are several steps organizations can take to help protect legacy OT assets,” said Richard Robinson, chief executive officer of Cynalytica Inc. in the United States and director of Cynalytica International in the United Kingdom. He recommends starting by implementing a zero-trust security model and restricting access to the OT network, both remote and physical. Companies need to ensure that all of their users understand their roles in the environment and that internal and external operators have appropriate access only to the necessary assets and data. From there, companies should log and monitor everything they can, along with updating and patching where and when possible.

“It becomes a little more complicated in the OT space, especially the legacy environment if you don’t have the ability to do firmware updates, or the operating systems are just out of maintenance period and it becomes too expensive,” Robinson said. “Being able to proactively monitor those environments and patch (when available) vulnerabilities is absolutely critical. Also applying network segmentation. We hear this a lot, but if you can segment your legacy network, that’s the thing that you can do to help protect it. And then the traditional kind of IT stuff: Use reliable antivirus and firewalls.”

Another suggestion Robinson makes is to employ a network monitoring tool built for serial communications rather than for Transmission Control Protocol/Internet Protocol (TCP/IP), if your legacy environment still runs over serial links. A serial monitoring tool lets you tap communications directly from the legacy control systems. Of course, it is essential to do this safely and securely so you do not introduce a new threat vector or the potential for an operational disruption. Tapping the link also lets you monitor data in real time, including your upstream and downstream communications.

“The benefits that you now get by being able to do that is, you can now monitor for anomalous communications,” Robinson said. “It gives you the ability to baseline your normal communications, too, so you can start to get a historical view and baseline of that environment. From that, you can configure alerts when communications deviate from those baselines. And by doing this and being able to monitor those serial communications, it will enable you to detect cyber-physical attacks as well as operational misconfigurations early off of the wire.”
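As an added illustration of the baseline-and-alert approach Robinson describes (example code written for this article, not Cynalytica's product), the snippet below learns which unit/function pairs and register ranges appear on a Modbus RTU style serial link during a clean window, then flags frames that fall outside that baseline; the frames, unit ids and registers are constructed for the example.

```python
# Added example (not Cynalytica's code): baseline/alert over constructed Modbus RTU style serial frames.
from collections import defaultdict

def crc16_modbus(data: bytes) -> int:
    """Standard Modbus RTU CRC-16 (init 0xFFFF, reflected poly 0xA001)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_frame(addr: int, func: int, reg: int, value: int) -> bytes:
    """addr | func | 16-bit register | 16-bit value | CRC (little-endian on the wire)."""
    body = bytes([addr, func]) + reg.to_bytes(2, "big") + value.to_bytes(2, "big")
    return body + crc16_modbus(body).to_bytes(2, "little")

def parse_frame(frame: bytes):
    """Return (addr, func, reg) if the CRC checks out, else None."""
    if len(frame) < 6:
        return None
    body, crc = frame[:-2], int.from_bytes(frame[-2:], "little")
    if crc16_modbus(body) != crc:
        return None
    return body[0], body[1], int.from_bytes(body[2:4], "big")

def learn_baseline(frames):
    """Baseline: every (addr, func) pair seen on the wire and its register range."""
    ranges = defaultdict(list)
    for f in frames:
        parsed = parse_frame(f)
        if parsed:
            ranges[(parsed[0], parsed[1])].append(parsed[2])
    return {k: (min(v), max(v)) for k, v in ranges.items()}

def check_frame(baseline, frame: bytes):
    """Return an alert string when the frame deviates from the baseline, else None."""
    parsed = parse_frame(frame)
    if parsed is None:
        return "ALERT bad-crc: line noise or a tampered frame"
    addr, func, reg = parsed
    lo_hi = baseline.get((addr, func))
    if lo_hi is None:
        return f"ALERT unseen-pair: addr={addr} func=0x{func:02x}"
    if not lo_hi[0] <= reg <= lo_hi[1]:
        return f"ALERT register-out-of-range: addr={addr} reg={reg}"
    return None

# Constructed learning window: polling reads (func 0x03) of registers 0..9 on unit 1.
NORMAL = [build_frame(1, 0x03, r, 1) for r in range(10)]
BASELINE = learn_baseline(NORMAL)
```

A write to a unit that was only ever read, or a read of a register never polled, is what the historical baseline turns into an early, on-the-wire alert.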

The business case for cybersecurity

While that is an excellent security case, one of the problems many companies have is making the business case for cybersecurity. For good cyber hygiene to take hold throughout an organization, it’s essential to have buy-in from the C-suite and board so you can secure a sizeable cybersecurity budget.

One of the things that often derails this discussion, according to Robinson, is the cyber tool debate, which makes it difficult to establish a quantifiable value proposition. When you’re talking about an OT environment, something is generally being produced, and cybersecurity alone doesn’t add value to that process.

“You have to be able to, with the data that you have, transform that into actionable operational intelligence, where you can demonstrate a value proposition,” Robinson said. “And with that, you’re able to monitor now so you can extend the life of that product, where you don’t have to do a rip and replace. That’s one value proposition.”

“Another one is if a company has mandated that they’re going on their digital transformation path, that you have a tool that can capture that data securely that’s a cost-effective tool, meaning that you don’t have to go add a whole bunch more expertise around data science, data analytics or cybersecurity, which just increases that cost.”

Artificial intelligence, machine learning

One of the best ways to get out of that cyber tool debate is to enlist ML and AI, according to Robinson. If ML and AI can be properly implemented and used within the legacy environment, it allows companies to capture and analyze operational data to identify issues and opportunities such as process efficiencies and optimizations for better predictability and resilience of the operational environment.

“The cyber tool debate is absolutely killing us,” Robinson said. “I talked to someone from one of the leading consulting companies, and they said almost three-quarters of digital transformation efforts that involved OT environments are wrapped around the axle. They’re just absolutely dead in the water because of the tool debate. And these IT problems, it doesn’t add value to the OT operations.”

By safely and securely capturing raw data and applying machine learning, organizations can learn more about their often-complex operational environments and the processes running there. Much of this data has historically never been exposed to or analyzed by operators, simply because it was not being captured and it is very complex. Leveraging ML properly within legacy OT lets companies identify the operational returns on investment that establish a real, repeatable, quantifiable value proposition, which then provides the best justification for digital transformation.

“You’re effectively baking cybersecurity into the tool, but the conversation is around return on investments and being able to apply machine learning to identify those operational efficiencies and be more predictive in the maintenance and the operations of that environment,” Robinson said. “Those are easy things that, again, the C-suite can get their head wrapped around. And then they’ll make those investments. It’s much easier to get resources appropriated when you can do this versus having the cyber tool debate.”

Check out Part 1 of our interview with Cynalytica’s Richard Robinson, where he discussed the difficulty of protecting legacy OT assets and how to integrate OT into an organization’s digital transformation efforts.

Check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.
