
Why Self-Learning AI Is Changing the Paradigm of ICS Security

By focusing on the organization rather than the threat, AI can identify subtle changes in your digital environment that point to a cyber threat.

Oakley Cox, Director of Analysis, Darktrace

November 9, 2021


Recent high-profile attacks on gas pipelines, water treatment facilities, and hospitals have demonstrated that cyberattacks can disrupt operational technology (OT) just as effectively as they disrupt IT. From the maritime and other transportation that forms our supply chain to the energy grids powering our homes, much of the critical infrastructure we rely on every day depends on integrated IT-OT systems. But traditional defenses have not kept pace with the threats.

One reason is that a large number of critical infrastructure organizations still rely on security tools that take an outdated approach to defending against cyberattacks. These legacy tools take a "rear-view mirror" approach, using rules, policies, and historical data to try to predict what the next attack will look like. This retrospective approach fails to protect organizations from the sophisticated and unpredictable threats security teams now face.

Furthermore, as IT and OT systems converge, the fact that traditional OT security defenses focus solely on OT systems means defenders are dealing with significant blind spots. As attackers pivot from system to system, defenders lack the context and visibility needed to identify malicious activity operating across different domains.

For these reasons, forward-thinking organizations managing industrial control systems (ICS) are taking a different approach with self-learning AI technology. Rather than using historical attack data and focusing on the threat, this AI technology learns the business and builds a "pattern of life" across IT and OT, as well as the points at which they converge, without relying on predefined rules and signatures. This way, security teams can detect and respond to cyberattacks as they emerge, regardless of where they are in the environment and how they evolve.

Operational Continuity at (Almost) All Costs
The spring ransomware attack against Colonial Pipeline demonstrates why reliability and operational continuity are so important in critical infrastructure, such as power grids, pipelines, transportation, and healthcare. The prospect of gas shortages due to the compromise and the resulting pipeline shutdown led to dangerous panic buying and long lines at the pumps.

Ensuring continuous operation of critical infrastructure requires safeguarding the availability and integrity of machinery. Alongside this requirement, and often in opposition to it, is the requirement for operational safety. Operational continuity demands that devices remain up and running at all costs, and operational safety demands that humans and the environment be protected at all costs. Many appropriate safety precautions can prevent harmful incidents but can come at the expense of operational continuity. 

This creates a balancing act for those tasked with operating critical infrastructure: managing the risk of cyber disruption against the need to stay operational at all times. More often than not, the final decision is determined by budgets and cost-benefit analyses.

Debunking the ‘Airgap’ Myth
It used to be the belief that organizations should "airgap" OT systems to keep them immune to the risks of connectivity. But this is no longer possible in a digitized world.

The convergence of IT and OT is inevitable. With this, the adoption of industrial Internet of Things (IIoT) devices and the deprecation of manual backup systems, which once effectively shielded OT vulnerabilities, demand a unified approach. Using separate solutions to protect the IT and OT networks is no longer feasible, given the challenges of defending network boundaries and detecting incidents when an attacker pivots from IT to OT. Under time pressure, a security team does not want changes in visibility, detection, language, or interface while trying to determine whether a threat crossed the "boundary" between IT and OT.

Separate solutions can also make it much harder to detect an attacker abusing traditional IT attack tactics, techniques, and procedures (TTPs) within an OT network if the security team relies on a purely OT solution to defend the OT environment. Examples of this include the abuse of IT remote management tools to affect industrial environments, as in the suspected cyberattack at the Florida water facility earlier this year.

Organizations incorporating AI into their security stacks are having an easier time illuminating activity across IT and OT. Because the technology is self-learning and data-agnostic, it develops an understanding of the entire digital infrastructure, giving security teams unparalleled visibility into all domains and highlighting points of convergence. Whether it’s OT, IT, the cloud, email, or endpoint, AI learns businesses’ environments from the ground up. By taking this holistic approach, the technology can detect and respond to deviations, bridging the gap between systems.
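To make the distinction drawn above concrete (a learned "pattern of life" across IT and OT versus a list of known-bad indicators), here is a small added example; it is not Darktrace code and does not describe its product. It learns, per asset, which peers and protocols that asset normally exchanges traffic with, then scores later flows by how far they depart from that baseline and whether they cross the IT/OT boundary. The flow records, protocol labels, and the IT/OT address plan are all constructed assumptions.

```python
"""Toy per-asset "pattern of life" learner over IT and OT flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since start of capture (constructed)
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # application protocol label assigned by a sensor (constructed)


# Hypothetical address plan: one IT segment, one OT segment (assumption).
ZONES = {"IT": ip_network("10.1.0.0/16"), "OT": ip_network("10.2.0.0/16")}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


# Constructed learning-period traffic: an HMI polls a PLC over Modbus, a
# historian reads the HMI over OPC UA, an engineering workstation reaches the
# PLC over the vendor protocol a couple of times.
LEARNING_FLOWS = (
    [Flow(t, "10.2.0.10", "10.2.0.20", "modbus") for t in range(0, 600, 5)]
    + [Flow(t, "10.2.0.30", "10.2.0.10", "opc-ua") for t in range(0, 600, 60)]
    + [Flow(120, "10.2.0.40", "10.2.0.20", "s7comm"),
       Flow(480, "10.2.0.40", "10.2.0.20", "s7comm")]
)

# Constructed later traffic: the same routine plus an IT workstation opening an
# RDP session to the HMI, something the baseline has never seen.
LATER_FLOWS = [
    Flow(600, "10.2.0.10", "10.2.0.20", "modbus"),
    Flow(605, "10.2.0.30", "10.2.0.10", "opc-ua"),
    Flow(610, "10.1.5.77", "10.2.0.10", "rdp"),
    Flow(615, "10.2.0.10", "10.2.0.20", "modbus"),
]


def learn_baseline(flows):
    """Pattern of life: for each asset, count the (peer, protocol) pairs it
    participates in, in either direction. No rules or signatures involved."""
    baseline = defaultdict(lambda: defaultdict(int))
    for f in flows:
        baseline[f.src][(f.dst, f.proto)] += 1
        baseline[f.dst][(f.src, f.proto)] += 1
    return baseline


def detect_deviations(baseline, flows):
    """Return one alert per flow that falls outside the learned pattern,
    scored by the kind of departure and whether it crosses IT/OT."""
    alerts = []
    for f in flows:
        known = baseline.get(f.dst, {})
        if (f.src, f.proto) in known:
            continue  # routine traffic seen during learning
        known_peers = {peer for peer, _ in known}
        if f.src in known_peers:
            reason, score = "new protocol from a known peer", 0.5
        else:
            reason, score = "never-seen peer", 0.8
        if zone_of(f.src) != zone_of(f.dst):
            reason += ", crossing the IT/OT boundary"
            score = min(1.0, score + 0.2)
        alerts.append({"ts": f.ts, "src": f.src, "dst": f.dst,
                       "proto": f.proto, "score": round(score, 2),
                       "reason": reason})
    return alerts


# A signature list only knows indicators catalogued from past incidents
# (constructed placeholder values); it has nothing on an internal workstation.
KNOWN_BAD_SOURCES = {"203.0.113.9"}


def signature_match(flows):
    return [f for f in flows if f.src in KNOWN_BAD_SOURCES]


if __name__ == "__main__":
    base = learn_baseline(LEARNING_FLOWS)
    for alert in detect_deviations(base, LATER_FLOWS):
        print(alert)
    print("signature hits:", signature_match(LATER_FLOWS))
```

Running it flags only the RDP session from 10.1.5.77 into the HMI, with the highest score because the peer is unknown and the flow crosses from IT into OT, while the signature list returns nothing. A real baseline would also model timing and volume, but the contrast the article draws is already visible: the anomaly is defined by the organization's own traffic, not by a prior catalogue of attacks.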

Properly Equipped to React
Siloed and retrospective approaches fall short of the full scope needed to safeguard ICS, neglecting to provide organizations with a complete picture of what’s going on. With traditional tools, security teams suffer from a lack of visibility and understanding of their networks. Assessing the risk is therefore complicated and imprecise, and organizations often end up taking excessive measures to compensate for this deficiency. For example, a risk assessment may decide it is best to shut down all OT operations in the event of a cyberattack in order to avoid a major accident.

This abundance of caution is forced on most operators; those without the ability to immediately confirm the boundaries of a compromise are left unable to take targeted action. Relying on AI technology empowers security teams to overcome this uncertainty and make a confident decision not to shut down operations. With unified protection, including visibility and early detection of zero-days, self-learning AI can contain pre-existing threats to maintain continuous operations.

About the Author

Oakley Cox

Director of Analysis, Darktrace

Oakley Cox is Director of Analysis at Darktrace, based at the Cambridge headquarters. He oversees the defense of critical infrastructure and industrial control systems, helping to ensure that Darktrace’s AI stays one step ahead of attackers. Oakley is GIAC certified in Response and Industrial Defense (GRID), and helps customers integrate Darktrace with both existing and new SOC and Incident Response teams. He also has a Doctorate (PhD) from the University of Oxford.
