ICS/OT Cybersecurity & AI: Considerations for Now and the Future (Part II)

In ICS/OT Cybersecurity & AI: Considerations for Now and the Future (Part I) we addressed when AI could be applied to ICS cybersecurity and control system environments. We also recommended a prioritized approach to ICS security controls regarding where and when AI best fits. Here is a recap of blog part 1, with additional context for us to consider as we head into part 2.

Top Questions About AI in ICS/OT: We addressed common questions, noting that AI is not an immediate priority for most ICS environments at their current maturity levels, as it requires specific skills and will augment mature teams rather than replace human roles. Maturing organizations are best to fully implement immediate prioritized practical ICS specific controls first, with a well-established ICS trained cybersecurity human team, as detailed in the Five ICS Cybersecurity Critical Controls.

Challenges and Considerations for AI When It’s Time for ICS: When implementing AI for ICS/OT defense and engineering, teams face challenges like data quality, AI skills gaps, and potential AI model accuracy issues. After completing the Five ICS Cybersecurity Critical Controls, success with AI requires high-quality data, skilled AI administrators, and a good understanding of the impact on safety and operations when AI fails.

AI Integration in ICS/OT: With proper skillsets in place, AI can be deployed and leveraged in ICS/OT cybersecurity to help improve threat detection, incident response, vulnerability management, and resilience, where responsible human oversight is crucial.

By embracing AI judiciously and in conjunction with human expertise (who have IT, ICS/OT security, and engineering knowledge), organizations can harness its transformative power with assigned additional resources, while ensuring the robustness and resilience of their critical infrastructure systems.

ICS AI Case Study

For this blog, we will take a brief look at how an electric substation, for example, may wish to consider leveraging AI, for both engineering and ICS cybersecurity functions. The assumption is the electric facility has a well-established ICS cybersecurity team that:

1. Prioritize safety and engineering operations
2. Enable human defenders who understand IT security
3. Understand specific ICS/OT security and how engineering systems operate
4. Track and understand adversary attack tradecraft for control systems

AI in Cybersecurity for Electric Power Systems

Electric power facilities, like many other critical infrastructure environments, face unique cybersecurity challenges due to the important nature of their operations, and that they are vastly different from IT. AI could play a role in addressing some of these challenges as follows.

1.Enhanced Threat Detection and Response: AI algorithms now built into ICS-specific tools, like ICS-aware SIEMs and ICS protocol-aware network visibility tools, can analyze vast amounts of data from various sources within the control system. For example, most can passively, safely, provide visibility into ICS-specific protocol network traffic, industrial control system instructions, engineering equipment logs (PLCs, RTUs, IEDs, protection control relays, etc.), and operational metrics from data historians to identify potential cyber threats.

Example: A power utility could deploy these ICS-aware security controls to monitor control system network traffic for unusual activities such as unexpected data flows between control devices like HMI <-> PLCs, communications to/from historians, engineering workstations <-> PLCs etc. For instance, an abnormal communication pattern between an engineering workstation and production PLCs and/or active safety systems could be flagged  as a potential indicator of unauthorized changes or potential logic manipulation, living off the land attacks, or other unauthorized control device access. A human needs to be in the loop here – leveraging AI and these tools as just that - a tool - to detect and help analyze, not automatically blocking instructions in networks traffic without human oversight. By detecting anomalies early, or patterns indicating an attack or pre-position of attack tools, AI can alert ICS specific trained security team members in near real-time, allowing for fast, coordinated, and safe responses to threats within the control system network. It is very important to acknowledge the fact that IT and ICS/OT are not the same. So, standard IT actions such as dropping suspected traffic or default ‘block’ concepts are NOT recommended, with or without AI for ICS environments. False positives commonly impede and disrupt safety and engineering operations.

2. Predictive Threat Analysis: AI can assist in predicting potential future threats based on historical attack data, sector specific threat intelligence, and attack trends in a particular region. This predictive capability enables organizations to proactively adjust their cybersecurity posture, such as by changing network controls or updating security protocols before an attack occurs.

Example: AI can be used to analyze ICS threat intelligence from past cyber incidents and forecast future threats by recognizing patterns in attack vectors and techniques and critical assets that are deployed. For example, historical data shows a trend of phishing attacks targeting the administrative credentials of control system operators in traditional IT networks, then leveraging valid accounts to attempt to pivot from IT into the ICS environment (which makes up approximately 40% of threats to ICS environments). With this information in mind, AI can be used to predict potential threats using this and other already observed vectors, where the organization can then take pre-emptive measures such as reinforcing access controls across network boundaries, proper (secure) remote access, engineering specific security awareness training, and dedicated ICS threat hunting activities.

3. Vulnerability Management and Prioritization: AI can help prioritize vulnerabilities by assessing their potential impact on the organization's control systems, considering factors like engineering device criticality, exposure level which is much difference than in traditional IT networks, and historical exploitation data. This enables a more strategic approach to patch management inside of ICS that focus on risk and priorities safety. An ICS specific risk-based approach reduces risk practically and aligned with scheduled engineering maintenance windows, ICS security patching reduces unnecessary engineering downtime. This approach does require humans to setup and tune AI modeling engines.

Example: In a scenario of a production power system substation, AI tools that analyze vulnerability and asset inventory data could be used to detect a vulnerability in a critical protection control relay that could disrupt power distribution if exploited. Further, it could prioritize this critical asset over a less critical asset, ensuring that patching or workaround efforts are focused where they matter most - based on ICS specific threat intelligence, based on device criticality to the overall ICS and engineering process. A power system in this example.

AI for Engineering and Preventative Maintenance

AI usage extends beyond cybersecurity, offering benefits to engineering and maintenance for electric power operations, as an example. Here’s how:

1. Predictive Maintenance: AI can analyze data from sensors and monitoring systems, in lower levels of the Purdue Model within power generation, transmission and distribution systems, to help predict when maintenance may be required for equipment. By identifying potential failures before they occur, AI can help engineering teams plan and schedule maintenance activities proactively, reducing unplanned outages and extending the life of critical engineering equipment.

Example: AI algorithms can analyze vibration data from turbines or temperature readings from transformers to predict when maintenance could be needed. For instance, if setup correctly and securely managed, a specific AI model may help detect a gradual increase in vibration frequency in a turbine, indicating that a bearing is likely to fail sooner than expected. This predictive insight allows maintenance teams to first verify the data is accurate, then schedule repairs during planned outages. This planned approach reduces downtime and maintenance costs, avoiding the need to react to unexpected breakdowns.

2. Process Optimization: AI may be able to enhance the efficiency of power generation by analyzing real-time operational data and identifying optimization opportunities. This can include adjusting energy usage, minimizing losses, and fine-tuning operational parameters to improve overall output and stability.

Example:  In a combined-cycle power plant, AI can analyze data from heat recovery steam generators, gas turbines, and cooling systems. For instance, AI might recommend operating turbines at a slightly reduced load during high ambient temperatures to lower cooling demand, resulting in reduced fuel consumption without sacrificing power output. This type of predictive adjustment can lead to significant cost savings and improved plant efficiency.

NOTE: Control system sensor data, historian data, other control system data, and security logs should be stored in a secure location with appropriate access control lists protecting it. And this data must be protected on trusted networks.

NOTE: Control system sensor data, historian data, other control system data, and security logs should be processed in a way and in a location as not to distribute production control system processes. And this data must be protected on trusted networks. See additional resources on securing AI here: https://www.sans.org/ai/

Conclusion

In conclusion, integrating AI into ICS/OT cybersecurity and engineering processes presents electric power organizations (and other ICS operations) with opportunities for enhanced efficiency, resiliency, and safety. AI's capabilities in threat detection, predictive maintenance, and process optimization can modernize control systems and improve operations - when caution and prioritization is appropriately applied.

To realize these benefits, organizations must ensure that they have skilled personnel, high-quality data sets and managed AI models, and an understanding of AI's limitations and potential impact or inaccuracies that may occur. With thoughtful planning and responsible human oversight, AI can be a transformative tool, augmenting existing ICS cybersecurity and engineering teams within ICS/OT environments. As AI continues to evolve, it's essential for organizations to stay informed, leverage expert guidance, put safety and engineering first, always, and equip their established teams with the necessary resources to navigate this complex landscape effectively, at the right time.

Level-Up to Leverage AI

See the following to help equip you and your team(s) with the right training and resources to mitigate risks and vulnerabilities to the rapid introduction of AI in the world.

• Webcast: SANS AI Cybersecurity Forum: Insights from the Front Lines
• Course: ICS418: ICS Security Essentials for Managers
• Course: AIS247: AI Security Essentials for Business Leaders
• Course: SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
• Course: ICS515: ICS Visibility, Detection, and Response teaches how to set up, deploy, and maintain ICS-specific network visibility and incident response from a tactical perspective. These are two of the critical ICS-specific controls among the SANS Five ICS Cybersecurity Critical Controls mentioned earlier.
• A full list of AI resources here: https://www.sans.org/ai/

NOTE: The title image for this blog part 2 was created by AI, and it got it wrong… (again!). As we’ve seen in this blog, AI can be leveraged, with a cautious approach, to help augment a team and technologies currently in place. AI must continue to be validated as we go.

About the Author

Dean is the CEO and Principal Consultant of ICS Defense Force and brings over 20 years of technical and management experience to the classroom. He has worked in both Information Technology and Industrial Control System (ICS) Cyber Defense in critical infrastructure sectors such as telecommunications, electric generation, transmission, distribution, and oil & gas refineries, storage, and distribution, and water management. Dean is an ambassador for defending industrial systems and an advocate for the safety, reliability, and cyber protection of critical infrastructure. His mission as an instructor is to empower each of his students, and he earnestly preaches that “Defense is Do-able!” Over the course of his career, Dean’s accomplishments include establishing entire ICS security programs for critical infrastructure sectors, successfully conducting industrial-grade incident response and tabletops, ICS digital forensics, and ICS/OT Cybersecurity assessments across multiple sectors. As a SANS Principle Instructor, Dean teaches ICS515: ICS Visibility, Detection, and Response, is a co-author of the SANS Course ICS418: ICS Security Essentials for Managers and an author of SANS ICS Engineer Technical Awareness Training. Dean is a member of the SANS GIAC Advisory Board and holds many cybersecurity professional certifications including the GICSP, GRID, GSLC, and GCIA, as well as the CISSP®, and holds a BS in computer science. When not in the field, Dean spends tine chasing icebergs off the coast of Newfoundland on a jetski, or writing electric 80s inspired synthwave music in his band Arcade Knights.