Learn how artificial intelligence and machine learning are becoming indispensable tools for cybersecurity professionals battling sophisticated threats targeting industrial control systems and digital factories.

Dan Schaffer, Sr. Sales Leader
OT Network & Cybersecurity Expert
Phoenix Contact

The continuous growth of AI (artificial intelligence) and ML (machine learning) is having a profound and positive impact on every aspect of cybersecurity. We often think of cybersecurity in terms of our personal lives: getting phished, having our credit card information compromised, or needing to change our work passwords every two months.

In reality, the need for cyber protections extends far deeper into critical infrastructure that keeps the lights on, factories that produce our goods and process our foods, etc. One of the most exciting areas of AI and ML is how these powerful technologies can be used in conjunction with human insights, intuitions, and methodologies to enhance cybersecurity and protect critical manufacturing processes.

Why are modern cyber enhancements important and necessary?

In the not-so-distant past, “making things” used to be manual, isolated, and mechanical. Increasingly, these processes are now automated, intertwined, and digital. This growing automation and integration of digital technologies in production processes has really expanded the “attack surface” in factories.

Vulnerabilities such as outdated software, unpatched systems, and unsecured IoT devices can be exploited by cybercriminals, and the resulting risks include data breaches, intellectual property theft, and costly downtime or operational disruptions. The consequences of such incidents can be severe: financial losses, public outrage, reputational damage, and compromised safety. Robust cybersecurity measures help protect critical devices, maintain production integrity and continuity, and safeguard sensitive information.

For instance, 2024 saw a ~70% increase in ransomware activity in the manufacturing sector, with over 900 incidents reported and the average incident costing over $1 million.

With the stakes so high, it’s imperative that cybersecurity practitioners learn to use AI and ML to improve their readiness, enhance their defenses, and mitigate the impacts on their systems.

Let’s look at the different uses of AI and ML and how they can improve various cybersecurity technologies and techniques. What follows is a timeline-centric view of how these modern tools can help detect threats, respond to and mitigate the impact of incidents, and better prepare to defend against future attacks.

Different uses of AI and ML in improving industrial cybersecurity

Detecting cyberthreats

Starting with detection, it’s important to know how this area of cybersecurity has evolved. Until recently, cyber professionals were looking for yesterday’s attacks. For example, traditional antivirus (AV) historically worked like this:

  • AV companies discovered a new virus
  • They analyzed the virus and determined the payload of infected file(s)
  • Then, they “hashed” the infected files and included that hash in the next signature file (which went out the following day or week)

But unless and until someone submitted a sample, antivirus engineers couldn’t tell their products that (for example) “EncryptAllYourStuff.exe” was a virus. Eventually this migrated to heuristics, which were better at recognizing patterns and catching malware that had, for example, changed its file name to “EncryptAllYourStuff_2.exe”, but heuristics were still fuzzy and ineffective at best.

Today, most leading OT detection vendors can detect threats in real time or near real time based on model and behavior characteristics. These models are built by gleaning information from customer data (thousands or tens of thousands of customers) that is aggregated, summarized, and analyzed in the cloud by sophisticated ML algorithms. The resulting insights are then pushed back to the customers’ detection systems.

For instance, consider a malware group that begins a discovery campaign against companies in the food and beverage industry, where a particular PLC is prevalent, to probe for vulnerabilities. By analyzing network data pushed up from their customer bases, AI and ML can rapidly identify when a port or protocol that was never hit before is now being hit, or that a particular traffic pattern (ARP, ping, TCP SYN with the URG flag set) is now visible across several hundred customers. This activity is immediately flagged as suspicious, allowing customers to see clearly that it is a threat indicator and potential breach attempt and to mitigate the threat.
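A minimal sketch of the two-stage detection described above, as an added example that is not from the article or any vendor's product: each site keeps a baseline of protocol/port/flag patterns it has seen and reports anything new, and a cloud-side aggregator flags a pattern once several distinct sites report it within a time window. The flow records, site names, ports, and thresholds are constructed for illustration.

```python
# Added example (not from the article): per-site pattern baselining plus fleet aggregation.
from collections import defaultdict
from typing import NamedTuple
class Flow(NamedTuple):
    site: str       # customer site that exported the flow
    ts: int         # observation time, seconds
    proto: str      # "tcp", "udp", "icmp", "arp"
    dst_port: int   # 0 for portless protocols
    flags: str      # TCP flags: "S" = SYN, "SU" = SYN with URG set, "" otherwise

class SiteBaseline:
    """Patterns already seen at one site; anything else is a local novelty."""
    def __init__(self, learned):
        self.seen = set(learned)
    def check(self, f: Flow):
        key = f"{f.proto}/{f.dst_port}/{f.flags}"   # normalised pattern key
        if key in self.seen:
            return None
        self.seen.add(key)   # report each novelty once, then treat it as known
        return key

class FleetAggregator:
    """Cloud side: flag a pattern once >= min_sites report it within `window` seconds."""
    def __init__(self, min_sites: int, window: int):
        self.min_sites, self.window = min_sites, window
        self.first_seen = defaultdict(dict)   # pattern -> {site: first report ts}
    def report(self, site: str, ts: int, key: str) -> bool:
        self.first_seen[key].setdefault(site, ts)
        recent = [s for s, t in self.first_seen[key].items() if ts - t <= self.window]
        return len(recent) >= self.min_sites

def run(flows, baselines, min_sites=3, window=3600):
    """Return ([(site, pattern) local novelties], {fleet-wide indicator patterns})."""
    agg, local, fleet = FleetAggregator(min_sites, window), [], set()
    for f in flows:
        key = baselines[f.site].check(f)
        if key:
            local.append((f.site, key))
            if agg.report(f.site, f.ts, key):
                fleet.add(key)
    return local, fleet

NORMAL = {"tcp/502/S", "tcp/44818/S", "icmp/0/", "arp/0/"}  # Modbus, EtherNet/IP, ping, ARP
FLOWS = [  # constructed: a SYN+URG probe against Modbus/502 surfaces at three plants
    Flow("plant-a", 100, "tcp", 502, "S"), Flow("plant-a", 120, "tcp", 502, "SU"),
    Flow("plant-b", 400, "tcp", 502, "SU"), Flow("plant-c", 700, "tcp", 502, "SU"),
    Flow("plant-d", 900, "tcp", 8443, "S"), Flow("plant-a", 950, "tcp", 502, "SU"),
]
def demo():
    sites = {s: SiteBaseline(NORMAL) for s in ("plant-a", "plant-b", "plant-c", "plant-d")}
    return run(FLOWS, sites)
```

The one-off novelty at plant-d stays a local alert, while the pattern seen at three plants becomes a fleet-wide indicator that can be pushed back to every site's detection system.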

It is worth noting that the prevalence of managed Ethernet switches supporting port mirroring (SPAN) has greatly facilitated real-time analysis of network traffic. This technology has been a great enabler of AI and ML, serving as the pipeline through which data flows into the Big Data pools that AI and ML consume.

Responding to cyberthreats and mitigating impact

One of the biggest factors determining an incident’s severity is dwell time, the time between initial breach and detection and remediation. The longer an adversary has some level of access within your system, the more intelligence they can gather and the more severe the damage they can cause. Often there are clues to an active breach in various access, system, and event logs. However, these logs are large, noisy, and crowded with non-events. They are also generally uncorrelated and often siloed, scattering clues among different logs on different servers monitored by different people. The consequence? Dwell time in the OT environment averages ~10 weeks. This is an area where AI can especially shine, as it can ingest millions of inputs and quickly learn and correlate data that would otherwise be overlooked.

AI adds the context and can unravel the timing and chain of events, providing human cybersecurity professionals with the knowledge needed to detect a breach and begin to respond. Consider the malicious Stuxnet worm’s legendary attack on Iran’s nuclear program. Intruders had months of dwell time in the system — but the system didn’t have AI’s compute or correlation power to reveal that centrifuges were failing the same way, with similar timing, after an operator connected to — and infected — various PLCs. At the least, AI could have reduced the time to detection, and with the power of ML analyzing data from the overall cybersecurity community, could have greatly reduced time to contain and time to remediate.

Preparing to defend against future cyberattacks

For the final phases of restoration and ongoing mitigation, AI and ML show how efficiency in processing big data, discovering context, and detecting patterns can simplify the lives of operators and cybersecurity professionals: they help ensure that containment and remediation are complete and the breach is eradicated before significant time and money are spent rebuilding the architecture and spinning the line back up.

In the early 2000s, a European manufacturer suffered a significant malware incident. They spent a thousand labor hours and millions of dollars re-imaging the affected workstations in their plant. Within a week of restarting production, the company was down again: they had neglected to close all the OS vulnerabilities in their workstation image and were hit by the same malware using the same attack vector. It was a costly and embarrassing mistake, one that could have been avoided with AI verifying their work and the soundness of their remediation.

AI and ML can provide the insights needed to ensure an attack doesn’t recur by confirming that the exploited vulnerabilities are closed or mitigated. AI is already used in SBOM (software bill of materials) tooling to help OT security practitioners ensure that vulnerabilities closed in one place aren’t overlooked elsewhere in their software environment or product supply chain.

In addition to the technical ways AI and ML can assist in cybersecurity on the manufacturing floor, there are a few non-technical aspects to the improvements they provide. By simplifying, offloading, and automating security operations, AI allows cyber professionals to stay on top of sprawling environments. As IIoT (Industrial Internet of Things) and digitalized, uber-connected factories become the norm, the sheer number of devices needing protection is growing exponentially. As this attack surface explodes, it’s simply uneconomical to scale the human element of cybersecurity sufficiently without a significant lift from AI. In fact, there’s a whole category of AI-enabled products, SOAR (Security Orchestration, Automation, and Response) products, that better address the increasing size, scope, and complexity of growing network environments by providing, honing, and executing hundreds of playbooks based on cybersecurity inputs.

Challenges and risks to consider

This article would be incomplete without acknowledging some general challenges with AI and ML, particularly as they relate to OT cybersecurity. First, to truly reap the benefits of AI and ML, you must apply them to your sensitive and proprietary data: you are allowing the AI (and the platform it runs on) to ingest all your network data, security alerts, operational information, and so on. This creates privacy concerns and raises the danger of sophisticated actors (including hostile foreign entities) compromising your AI platform and gaining the keys to the kingdom: your entire security operation and even production. Worse, just as the Iranian nuclear operators trusted their PLCs and were decimated by that trust, a compromised ML system could be manipulated into learning false insights, or an AI manipulated into giving malicious instructions. This is a significant risk and necessitates working with mature, qualified partners.

Second, it’s important to remember AI and ML are emerging and imperfect technologies. They make mistakes, they have biases, and their output is tied to their input and training. It’s crucial for organizations to be aware of these shortcomings and put checks and balances into place to ensure issues of privacy, biases, over-reliance, and mistakes are detected and addressed.

In conclusion, the rapidly expanding capabilities of artificial intelligence and machine learning are leveling up the tools used by human cybersecurity practitioners and operators, improving their efforts to protect the manufacturing floor. By assisting in the detection, response, and mitigation of threats — and making OT cybersecurity better, faster, and more efficient — it’s clear that the role of AI and ML will only expand.
