In our blog post “How useful is AI in OT security monitoring?” we examined the added value and risks of artificial intelligence in OT security solutions. Time to put some common arguments for AI to the test.
The following arguments for AI in OT security were taken from blog posts and statements from various cybersecurity providers and institutes.
AI can create the baseline faster
In principle, AI can help to define recurring patterns as a baseline for anomaly detection. However:
AI can better monitor IT/OT convergence
That is correct. However, AI is needed for this in the SIEM of the centralized IT rather than in OT monitoring, because that is where the convergence takes place anyway.
AI can identify vulnerabilities faster
This does not require AI. OT monitoring such as Rhebo Industrial Protector, which documents the systems in the OT including their firmware status and compares them with the CVE database, can accomplish this using simple heuristic algorithms.
AI improves anomaly and threat detection
The strength of AI lies in its ability to recognize new or familiar patterns from a variety of data and sources. This can be particularly important in multi-stage attacks. This means that AI-based threat detection only carries weight in the SIEM. Due to the deterministic, repetitive communication that prevails in the OT, the added value is negligible and does not offset the disadvantages. In OT, the majority of the most important anomalies can be reliably detected using heuristic and statistical methods.
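The following added example (not code from Rhebo or any product named here) sketches what such heuristic and statistical detection can look like on deterministic OT traffic: an allowlist of learned communication tuples plus a check on polling intervals. The record layout, addresses, function names and the thresholds `k` and `floor` are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

def learn_baseline(records):
    """Learn known (src, dst, proto, func) tuples and their polling-interval stats."""
    times = defaultdict(list)
    for ts, src, dst, proto, func in records:
        times[(src, dst, proto, func)].append(ts)
    baseline = {}
    for key, seen in times.items():
        gaps = [b - a for a, b in zip(seen, seen[1:])]
        # A tuple seen only once has no interval to model; it is still "known".
        baseline[key] = (mean(gaps), pstdev(gaps)) if gaps else None
    return baseline

def detect(baseline, records, k=3.0, floor=0.2):
    """Return (timestamp, reason, tuple) alerts for records outside the baseline."""
    alerts, last_seen = [], {}
    for ts, src, dst, proto, func in records:
        key = (src, dst, proto, func)
        if key not in baseline:
            # Heuristic check: a relationship that never occurred during learning.
            alerts.append((ts, "new communication", key))
        elif key in last_seen and baseline[key] is not None:
            mu, sigma = baseline[key]
            gap = ts - last_seen[key]
            # Statistical check: k standard deviations, with a relative floor so
            # perfectly regular polling (sigma == 0) still tolerates small jitter.
            if abs(gap - mu) > max(k * sigma, floor * mu):
                alerts.append((ts, "timing deviation", key))
        last_seen[key] = ts
    return alerts

# Constructed sample data: an HMI polls a PLC every 2 seconds during learning.
HMI, PLC, ENG = "10.0.0.5", "10.0.0.20", "10.0.0.99"
READ, WRITE = "read_holding_registers", "write_multiple_registers"
TRAINING = [(float(t), HMI, PLC, "modbus", READ) for t in range(0, 60, 2)]
LIVE = [
    (60.0, HMI, PLC, "modbus", READ),
    (62.0, HMI, PLC, "modbus", READ),
    (62.1, HMI, PLC, "modbus", READ),   # burst: 0.1 s after the previous poll
    (63.0, ENG, PLC, "modbus", WRITE),  # host and function unseen in learning
    (64.1, HMI, PLC, "modbus", READ),
]

if __name__ == "__main__":
    for alert in detect(learn_baseline(TRAINING), LIVE):
        print(alert)
```

Because the learning phase contains only one repeating tuple, both checks stay fully explainable: every alert names the exact relationship and the rule it violated.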
AI can bridge the shortage of skilled workers
The hope here is that AI will automate necessary processes and execute them autonomously, thereby relieving the burden on existing teams. This is logical in theory, but only partially realistic in practice because: