Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience

Organizations across the industrial cybersecurity space are constantly dealing with challenges including software breaches, hardware vulnerabilities, supply chain compromises, and zero-day exploits. These cyber-threats often stem from adversarial attackers, including state-sponsored hackers, specifically targeting critical infrastructure installations, manufacturing facilities, and utility systems, posing substantial risks to their operational continuity and data protection. 

These cybersecurity-related challenges have proven that companies must invest in robust measures, such as network monitoring, threat intelligence, and employee training, to safeguard their critical assets and maintain operational resilience in the face of evolving cyber threats.

To navigate this challenging environment, organizations must remain vigilant by staying abreast of the latest global regulations, standards, and compliance requirements. They also need to enhance supply chain security within industrial settings, adopt secure-by-design principles, and leverage generative AI (artificial intelligence) to fortify security measures in industrial environments. Understanding the potential advantages and obstacles associated with implementing these strategies is crucial for effectively safeguarding critical assets.

The role of supply chain security has time and again proven to be a critical aspect of modern industrial operations. With increased interconnectivity, securing the supply chain is more important than ever for maintaining the integrity and resilience of industrial processes. Organizations are increasingly called upon to incorporate secure-by-design/default principles into their frameworks to build a strong defense against emerging threats. This proactive approach is essential for safeguarding sensitive data and critical infrastructure.

Critical infrastructure environments face threats from the adoption of generative AI to enhance industrial security. While these technologies offer automation for threat detection and response, promising improved efficiency and adaptability, their implementation presents challenges. Alongside the potential benefits of generative AI, there are obstacles to implementation and integration; ethical considerations and the requirement for skilled personnel are key factors to be carefully examined.

Researchers have disclosed that the main offensive use cases of AI-assisted attacks encompass exploit development, social engineering, and information gathering, while defensive scenarios involve crafting code for threat hunting, articulating reverse-engineered code in plain language, and extracting insights from threat intelligence reports.

Extensive research has focused on automatic exploit generation and fusion with human vulnerability discovery, necessitating specialized expertise. Modern AI tools now accept basic natural language as input. Consequently, organizations have begun witnessing initial malware instances generated with ChatGPT’s aid. Although this capability has not been employed for OT attacks thus far, its eventual utilization is inevitable.

In the initial segment of this series, Industrial Cyber engaged with industrial cybersecurity executives to assess technological advancements and industry developments within the industrial sector. The discussions delved into managing escalating geopolitical tensions in industrial cybersecurity, bridging the talent diversity gap, exploring the evolving responsibilities of industrial CISOs, and looking into proactive strategies for ongoing risk management in industrial cybersecurity.

The executives provide a comprehensive review of the latest developments in global regulations, standards, and compliance impacting the industrial sector, evaluating whether these measures adequately address cybersecurity risks.

Mark Bristow, director of MITRE’s Cyber Infrastructure Protection Innovation Center

Mark Bristow, director of MITRE’s Cyber Infrastructure Protection Innovation Center (CIPIC), told Industrial Cyber that regulation, standards, and compliance will never be sufficient for the task. “The nature of these activities is to remediate risk from previously known activities, and adversaries are always innovating faster than these tools can keep up. There is a role for regulations, standards, and compliance in creating an understood floor—as opposed to an undefined pit—in cybersecurity, but they will always lag cybersecurity risk.” 

He added that messaging desired outcomes and incentivizing innovation and initiative will be needed to manage the gap. 

Jonathon Gordon, directing analyst at Takepoint Research

“Recent updates in global regulations, standards, and compliance affecting the industrial sector have been significant, with numerous initiatives launched to enhance cybersecurity across various industries,” Jonathon Gordon, directing analyst at TP Research, told Industrial Cyber. “These regulations and standards are part of a global effort to tighten cybersecurity measures in response to the increasing number and sophistication of threats, particularly those targeting operational technology and in particular critical infrastructure.” 

Gordon highlighted that while these measures significantly enhance the cybersecurity posture of industrial entities, their impact often depends on implementation fidelity, ongoing updates to keep pace with evolving threats, and the specific cybersecurity landscape of each sector. “Continuous evaluation and adaptation of these frameworks are necessary to address the dynamic nature of cyber threats effectively.”

He added that the most effective regulations are developed in collaboration with industry bodies and experts, focusing on addressing real-world threats rather than merely adding another layer of compliance.

Mike Holcomb, cybersecurity fellow and ICS/OT cybersecurity global lead for Fluor

“In the United States, there has been little movement in this area, though I am looking forward to the White House’s push for reporting requirements in critical infrastructure,” Mike Holcomb, a cybersecurity fellow and ICS/OT cybersecurity global lead for Fluor, told Industrial Cyber.  “As Rob Lee has highlighted in recent talks, the ICS/OT cyber security community has little visibility into the attacks occurring in our industrial networks.  We need more information on what is occurring, data which helps us have more effective discussions during our ICS/OT risk assessments – moving from qualitative guessing games to quantitative discussions with hard data,” he added. 

The executives assess supply chain security’s crucial role in industrial settings and explore how organizations can implement secure-by-design/default principles to strengthen cybersecurity resilience.

Bristow pointed out that procurement timelines and projected lifespans for industrial equipment are significantly longer than for IT equipment. “Secure-by-design/default principles are critically needed, but even if implemented universally today, they may not be prevalent in fielded equipment for 10 years. Critical risk from supply chains today is more acute along the lines of vendor remote access connections and supply chain integrity attacks like Solarwinds or Havex (which targeted ICS vendors in 2014). Best practices to overcome common weaknesses are known and published.” 

He added that organizations should continue to advocate for the use of these secure-by-design principles as industries, as customers, leveraging the buying power of the group, to help make these enhancements more consistent in industrial products.  

“Supply chain security plays a critical role in industrial settings by ensuring that all elements of the design, manufacturing, and delivery process are protected from cyber threats,” Gordon said. “This is particularly vital for industries that rely heavily on interconnected and digital systems where vulnerabilities can have cascading effects across the entire supply chain.”

Gordon added that organizations can enhance cybersecurity resilience by implementing secure-by-design/default principles. “This involves integrating cybersecurity into the product design and development processes to minimize the security burden on end-users and shift responsibility towards manufacturers. This strategy entails creating a security-focused decision base, modeling systems with cybersecurity in mind, and making informed security decisions throughout the design process.”

“Furthermore, the importance of transparency and accountability cannot be understated, requiring an executive-level commitment to enforce these principles,” according to Gordon. “Organizations are encouraged to build resilience by leveraging a controls framework and applying it consistently across IT and OT environments. Achieving secure-by-design and secure-by-default products also requires a reevaluation of legacy systems, appropriate budget allocations for security improvements, and a collaborative approach between vendors and operators.”

Additionally, Gordon noted that adopting frameworks such as Software Bill of Materials (SBOMs) and Vulnerability Exploitability Exchange (VEX) is essential for managing and communicating the security posture of components throughout the supply chain transparently. “These tools help organizations understand and mitigate the risks associated with software and hardware components used in their operations, ultimately leading to more secure industrial environments.”

Holcomb identified that supply chain security is important in ICS/OT, as well as in IT, and yet can be one of the most (if not the most) difficult types of threat to protect against. “Implementing secure-by-design principles can help, but is not considered a silver bullet. Operating entities need to practice the fundamentals of cyber security like secure network architecture, network security monitoring, and incident response so that in the event of an incident (whether from the supply chain or not), the organization can respond in a timely manner, reducing the damage to the site, its production capability and its asset owner,” he added.

The executives assess how generative AI can be utilized to bolster security in industrial settings, exploring both the potential advantages and obstacles linked to its integration.

Bristow observed that generative AI is used to automate tasks, reduce error, and aid decision-making. “In an industrial environment, the potential benefits of generative AI include ensuring safety procedures are properly followed, improving product output quality, or helping operators and engineers negotiate complex or time-sensitive decisions thoughtfully and logically,” he added. 

He pointed out that some of the current challenges of implementing generative AI in industrial environments include quality and accuracy issues associated with its training and the nature of the generative AI itself. “From a regulatory and legal perspective, these uncertainties may slow or limit where generative AI is allowed to be implemented in high-risk functions and applications until an upper-confidence level is achieved.”

Gordon said that it is essential to recognize both its potential benefits and the challenges it introduces. “Generative AI significantly improves threat detection and prevention by learning from data in real-time, which allows for proactive security measures and enhances operational efficiency. However, it’s crucial to acknowledge that the same technology can be used to develop sophisticated cyberattacks, creating a dual-use dilemma that organizations need to manage carefully,” he added.

Gordon added that the effective implementation of generative AI in cybersecurity depends heavily on the quality of data and the integration of AI technologies into existing systems, which can be complex and require significant resources. “Therefore, while generative AI presents a powerful tool for advancing cybersecurity, it also demands a balanced approach to fully harness its capabilities and mitigate potential risks. Organizations must remain vigilant and adaptable to both leverage these advancements and protect against the evolving landscape of threats.”

“We’re still just at the beginning of exploring how GenAI can help enhance cyber security so it’s exciting to realize, even as it has been tremendously helpful and effective today, that it is only getting better,” Holcomb said. “GenAI acts as a force multiplier, allowing individuals to accelerate their job functions and tasks, whether as a security analyst performing network analysis of ICS/OT security alert data in a SOC or an engineer designing a site and can use GenAI to understand how to build cyber security controls into that initial design. It’s exciting to think of what is to come!”   

At the same time, Holcomb warns, “We have to realize that GenAI is also a force multiplier for the attackers. And that the attackers are ALWAYS ahead of the defenders. Unfortunately, I do not see GenAI changing this.”
