CYBERSECURITY FAQ

How Is AI Used in OT/ICS Cybersecurity?

Artificial intelligence and machine learning (AI/ML) are shaping every aspect of our lives faster than we can assimilate. Cybersecurity is no exception; in fact, it’s a shining example of how AI/ML can be leveraged for both offense and defense — and be an attractive target itself.

Thanks to reduced barriers to entry for would-be cybercriminals, AI/ML-enabled cyberattacks are on the rise, including phishing, deepfakes and distributed denials of service (DDoS). Polymorphic malware and advanced persistent threats (APTs) use AI to generate new variants of successful malware and evade rules and signatures.

On the defenders’ side, the need to rapidly analyze and correlate vast amounts of data from dozens of sources presents a prime use case for AI and ML. These superhuman capabilities are accelerating nearly every aspect of cyber defense, including asset inventory and intelligence, behavior baselining, anomaly and threat detection, event correlation, risk prioritization and noise reduction. Together they have the potential to eliminate the need for Tier 1 SOC analysts and other junior positions altogether.

AI-assisted cybersecurity for industrial environments leverages all of these capabilities, arguably to a greater degree: there’s more to protect and the stakes of an attack are often higher. You’re dealing with control systems and physical processes that have thousands of configurable process variables, all potentially exploitable. And you have legacy components that are insecure by design, with limited opportunities to patch. Without AI, it would be impossible to evaluate the volume of network communication and process variable data in a typical industrial network, and certainly not fast enough to prevent harm if a serious threat was detected.

Here’s how AI and ML are being leveraged in the Nozomi Networks platform to protect industrial environments and critical infrastructure. 

Baselining Normal Behavior with AI and ML

Industrial environments typically have huge volumes of network communication and process variable data comprising their attack surface. While efficient, signature-based detection only works to identify known threats (such as documented CVEs), and only if the indicators are easily observable and quickly identifiable as a potential match. The only way to detect unknown threats, including zero-days as well as operational anomalies that may pose risk, is to rapidly analyze data collected from sensors throughout the environment to discern deviations from the baseline.

When first deployed in your environment, the Nozomi Network sensors operate in learning mode to automatically discover your industrial network in real time, including its components, connections and topology. By monitoring device communications down to process level variables, the platform creates an accurate internal representation of each physical process in the network, identifying every phase and the correlation between network devices, process variables and phases. From these representations, it creates detailed profiles of the expected behavior of every device at each stage in the process. 

So far, this learning process is pure behavioral baselining based on observations. The Nozomi Networks platform also employs Adaptive Learning, which adds asset intelligence describing known asset behavior (see below), to enrich profiles and reduce false positives. This combination of behavior-based detection informed by known asset behavior is essential for detecting zero-day exploits in particular. 

The platform also uses Dynamic Learning to conduct a statistical process control analysis of the network and discard behavior beyond one standard deviation, which shouldn’t be considered normal. Learning parameters can be manually configured to generate only the alerts that you really need to see to safeguard your environment and avoid overload.

Once baselines are established, the platform is switched to active mode, using heuristics and behavioral analytics to constantly monitor the environment. The result is rapid detection of anomalies, including cyberattacks, cyber incidents and critical process variable irregularities. This information can be used to prevent, contain or mitigate cyber threats and process incidents before significant damage can occur. 

Alerts point analysts and operators to suspicious events and activities that deviate from established baselines, while filtering out benign anomalous activity below established thresholds. For example, if a device in an industrial process starts dropping 10 packets over time, that’s not a big deal. If the same process starts dropping hundreds of packets, that’s something to investigate.
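To make the learning-mode/active-mode sequence described above concrete, here is an added illustration in Python; it is not Nozomi Networks code. The per-device packet-drop samples are constructed, and the 3-sigma threshold and the `noise_floor` parameter are assumptions standing in for the tunable learning parameters the text mentions.

```python
import statistics

# Constructed sample telemetry (not real sensor data): packets dropped per device
# per polling interval, as observed while the sensor is in learning mode.
LEARNING_SAMPLES = {
    "plc-01": [4, 6, 3, 7, 5, 4, 6, 80, 5, 4],  # one spurious spike, to be discarded
    "hmi-02": [0, 1, 0, 0, 1, 0, 0, 1, 0, 0],
}
# Constructed active-mode observations: (device, packets dropped this interval).
ACTIVE_STREAM = [("plc-01", 10), ("hmi-02", 1), ("plc-01", 300), ("rtu-09", 50)]

class BehaviorBaseline:
    """Per-device baseline learned in learning mode, checked in active mode.
    alert_sigma and noise_floor stand in for the tunable learning parameters
    the text mentions; their values here are assumptions, not vendor defaults."""

    def __init__(self, alert_sigma=3.0, noise_floor=10.0):
        self.alert_sigma = alert_sigma
        self.noise_floor = noise_floor  # smallest change in drops worth alerting on
        self.profiles = {}  # device -> (mean, stdev)
        self.active = False

    def learn(self, device, samples):
        """Build the profile, discarding observations beyond one standard deviation."""
        mean, stdev = statistics.mean(samples), statistics.pstdev(samples)
        kept = [s for s in samples if abs(s - mean) <= stdev]  # never empty
        self.profiles[device] = (statistics.mean(kept), statistics.pstdev(kept))
        return self.profiles[device]

    def switch_to_active(self):
        self.active = True

    def check(self, device, value):
        """Return an alert dict when value exceeds the device threshold, else None."""
        if not self.active or device not in self.profiles:
            return None  # unknown devices are an inventory matter, not a baseline one
        mean, stdev = self.profiles[device]
        threshold = mean + self.alert_sigma * max(stdev, self.noise_floor)
        if value > threshold:
            return {"device": device, "observed": value, "threshold": round(threshold, 1)}
        return None

def monitor(learning=LEARNING_SAMPLES, stream=ACTIVE_STREAM):
    """Run both phases over the constructed data and return the alerts raised."""
    baseline = BehaviorBaseline()
    for device, samples in learning.items():
        baseline.learn(device, samples)
    baseline.switch_to_active()
    return [a for a in (baseline.check(d, v) for d, v in stream) if a]
```

With these inputs only the 300-packet interval on plc-01 raises an alert: the 80-packet spike is dropped from the baseline during learning, and the 10-packet reading stays under the noise floor.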

AI-Enriched Asset Inventory with Asset Intelligence

Industrial and critical infrastructure networks typically contain thousands of OT devices from hundreds of vendors, as well as IoT devices, that monitor and control processes. Creating an accurate, up-to-date inventory of OT and IoT assets and keeping track of them, along with important context information, is foundational for maintaining cyber and operational resilience, managing vulnerabilities and prioritizing mitigation. It can’t be done manually. You need an automated asset management solution.

The Nozomi Networks platform uses a variety of network, endpoint, remote and wireless sensors to automatically discover assets as they connect to the network, collecting and validating detailed context attributes. It then continuously monitors them, watching for suspicious changes that could indicate a cyber incident or process anomaly. Sensor-derived OT and IoT device profiles are further enriched with additional detailed asset information from our Asset Intelligence feed to deliver a near 100% accurate asset inventory that is always up to date.

The Nozomi Asset Intelligence database leverages data collected from millions of OT, IoT and IT devices to determine when to generate alerts on anomalous behavior, reducing the amount of alerts caused by benign anomalous behavior by knowing when “new” or “different” is not a risk. It uses attributes and behaviors that are visible in your network, such as MAC addresses and protocols used by your assets, and compares them against device behaviors and performance of known devices in the database. When a match is found, the attributes and behaviors of the known device are added to your device profile. The result is asset classification that is up to 50-70% more accurate, which helps simplify vulnerability management and reduce false positive alerts within your environment.

 

Asset profile enriched with AI-assisted Asset Intelligence, with customizable risk scoring

 

AI-Assisted SOC Efficiencies

The burnout rate for security operations center (SOC) team members is notoriously high, owing to heavy workloads, understaffing, limited automation and alert fatigue. The critical shortage of skilled cybersecurity professionals, especially in specialties like OT security, would be dire if AI and ML weren’t tailor-made to help security teams do more with less. They automate the time-consuming tasks of reviewing, correlating and prioritizing network, asset and alert data to provide meaningful insights into real threats and how to address them. Activities that previously took a team of people a week to do can now be handled by one person in a day, if not offloaded entirely to AI/ML.

Vantage IQ is Nozomi Networks' cloud-based AI/ML engine. Its deep neural networks identify activity patterns in network data and present prioritized insights based on instantly correlated alerts, supported by root cause information for streamlined investigation and efficient remediation.

 

Prioritized risks uncovered by Vantage IQ, with recommended remediation steps.

The Vantage IQ engine continuously analyzes your environment, correlating risks and conditions to surface things you probably should investigate but may not have the time to. It presents these insights in a constantly refreshed list, prioritized by importance, without anyone having to write a query. When these insights are addressed regularly, the result is less noise in your environment coming from configuration changes and other items that are easy to overlook — but also easy to fix.
