ICS Cybersecurity: Using AI in Operational Technology Security

Updated on May 7, 2019

Recent headlines have been abuzz with ICS experts warning of grid vulnerability to hacking. Digital threat actors have become exceptionally skilled at infiltrating every type of computer network. Industrial Control Systems (ICS) are no different: While ICS networks were generally thought to be more secure due to not communicating outside of the corporate network or on the internet, attackers have managed to compromise them and steal valuable production data.

Some of the most effective tools for ICS cybersecurity are the emerging technologies in Machine Learning and Artificial Intelligence. By combining real-time data monitoring with orchestration and automated response, AI/ML solutions are proving their value when compared to legacy systems and human-intervention driven response times.

A Real-World Example of Using AI for ICS Network Security

At the 2017 Black Hat Europe conference, security research firm CyberX demonstrated how data exfiltration was possible from a supposedly air-gapped ICS network. By delivering a payload of specific ladder logic code into Programmable Logic Controllers, the attack was programmed to send out copies of data through encoded radio signals which can be received by AM radios and analyzed by special-purpose software. As the communication channel is outside the TCP/IP stack, there is no encryption to safeguard the data once it’s captured.

How does AI respond to this threat? In this case, Machine Learning can be used to craft an algorithm which establishes a “normal” state and monitors traffic and configurations to compare against that state. This baseline can include network traffic, equipment settings, and even the source code of PLCs. With its continuous heartbeat checks, the algorithm can detect when the system deviates from the baseline and immediately alert security staff of the change.

Another real-world example involving operational technology security comes very recently from the ransomware attack on Norsk Hyrdo, one of the world’s largest aluminum producers based in Norway. The ransomware infected multiple systems across the organization in a number of locations.The company’s production environments were forced to stop production or change to manual systems. The ransomware supported the changing of administrator passwords, and as the majority of servers were under the same domain, the attack could spread more rapidly than if there had been a combination of network segmentation and separately administered domains. In the case of Norsk, an AI cybersecurity layer would have been able to spot irregularities in system access and lockdown channels before the hackers could manipulate the permissions.

AI and ICS Cybersecurity: Adding Value to Existing Systems

Where does AI fit into your existing ICS network security program? You already have the ICS equipment sectioned off on its own VLAN(s), firewalled, monitored, and protected by IDS/IPS, SIEMs, and other security tools. Where does it make sense to insert AI/ML into the equation?

The biggest advantage of implanting an AI solution for ICS cybersecurity is its real-time response and orchestration. AI tools don’t need to wait for security staff to make a decision. They don’t see a black and white picture of firewall rules which often miss malware traffic flying under the radar, masquerading as “normal” network signals. Machine algorithms can detect abnormal data exchanges and immediately respond to the threat, long before a SOC resource would be alerted. Some AI offerings can even monitor devices that don’t communicate over TCP/IP, creating powerful visibility into non-networked equipment.

A particularly interesting tool to protect industrial control systems is Cyberbit’s ScadaShield, a layered solution to provide full stack ICS network detection, visibility, smart analytics, forensics and response. ScadaShield performs continuous monitoring and detection across the entire attack surface for both IT and OT components and can be combined with SOC automation to trigger workflows that accelerate root cause identification and mitigation.

Large-scale processes operating at critical power generation, electrical transmission, water treatment, and refining sites, as well as major manufacturing plants are more at risk than ever.  The good news is that new developments in Artificial Intelligence and Machine Learning have created new ways to protect these systems and improve ICS cybersecurity.

If you haven’t already done so, this is a good time to consider adding an AI/ML solution to your security perimeter to take your prevention and response times to the next level. Click here to contact us if you would like to learn more about artificial intelligence in cyber security.