OT environments will increasingly use artificial intelligence, which will help them counter security attacks amid a shortage of human skills, but they should also expect an escalation in AI-driven attacks, according to a company executive.
With the increased use of artificial intelligence technologies in IT and OT environments, defenders are increasingly having to guard against complex and interconnected risks, said Chris Thomas, vice president of Darktrace Industrial, in the opening address of the Critical Security for Critical Assets World (CS4CA) 2021 event. As these technologies are adopted in critical functions, the potential consequences become grave, including physical harm, as autonomous cyber-physical systems emerge, he added.
“AI is going to be necessary for the defense too,” Thomas said. Artificial intelligence will also enhance visibility and anomaly detection, picking out in real time the unique events and incidents that can hit organizations.
The World Economic Forum, in its report “Future Series: Cybersecurity, emerging technology and systemic risk,” identified that the first generation of AI-enabled offensive tools is already emerging and that there is growing evidence of AI being used by attackers. AI is expected to drive systemic changes in the cybersecurity landscape and will affect four key challenges in cybersecurity in the near future: the increased sophistication of attackers, asymmetry, the increasing attack surface of digitalizing operations, and balancing risk against operational enablement.
The second virtual edition of CS4CA 2021, organized by QG Media, kicked off Thursday, bringing together senior professionals from the oil and gas, energy, renewables, chemical, utilities, mining, water, power and maritime industries, in addition to academics and government representatives.
Thomas addressed the evolving challenges of securing ICS (industrial control systems), including digitized OT, exponential growth in industrial IoT connections and expanding internet-connected supply chains, while considering how artificial intelligence could be the answer. He examined how AI is being used to defend in adversarial OT environments.
The ICS threat landscape has faced a resurgence of ransomware this year, Thomas said. “It has done significant damage to organizations and many are ill-equipped to respond as quickly as needed for that type of aggressive attack. With the remote workforce, the insider threat has taken on several new dimensions with people going remote, going over cloud, using more SaaS. This has become worse with the cloud opening up new risks from the insiders and data leaving what traditionally would have been protected by the network perimeter,” he added.
There are also employee errors such as misconfiguration to be concerned about, and operational considerations are a significant thing to keep in mind, he said. Attackers, ranging from nation-states to well-backed criminal organizations, have become quite sophisticated and have learned how to go slow and quiet, virtually blending in over a period of time; they are well funded and have access to resources, according to Thomas.
“This means that AI is going to start being used by these adversaries, and they are going to use them to optimize their attacks, becoming more targeted, becoming easier to deploy,” Thomas said. “So overall things are going to get more aggressive, and with the emerging skills gap that we are seeing in the industry, things like machine learning and AI are going to be what’s necessary to step up to this task.”
Current frameworks require the operators of the malware to trigger its functions manually, Thomas said. This will continue to evolve to the point where the AI is constantly learning and, once it gets its foot inside, is able to decide for itself when to execute rather than waiting on any kind of command and control (C2), or anything of that nature.
The market is currently witnessing offensive AI attacks, self-propagating malware, AI-driven reconnaissance and unique C2 tactics, along with state-sponsored attackers that leverage zero-day exploits and AI to come after critical assets while remaining almost indistinguishable from legitimate activity, according to Thomas.
“The most striking progression is the shift from bespoke malware designed to hit OT, like Stuxnet and Havex, to the use of commodity malware and the ability to just append a small OT-specific module,” Thomas said. A slight tweak to commodity malware is very effective against OT devices, which has opened the door to this sort of niche market and allowed malware such as WannaCry to find its way into OT environments, a very difficult thing to deal with, he added.
The legacy tools typically found in the OT environment are first-generation security tools that are retrospective, static and siloed, according to Thomas. The battlefield now spans cloud, corporate and industrial networks, with attacks moving at machine speed, he pointed out.
“Even in isolation, AI is proving to be very helpful in providing the visibility and anomaly detection to pick out these bespoke and unique events and incidents that can hit these types of organizations,” Thomas said. Many attacks move at machine speed, which human teams struggle to match because of limited resources and a skills shortage. “Human teams by nature are overwhelmed with the legacy tools. So we need to find a way to put machine learning to the task,” he added.