by Steve Hoffenberg | 5/1/2023
At this year’s RSA Conference in San Francisco, artificial intelligence was the hot topic. On one hand, industry participants were concerned about the potential of AI, for example, to write better malware or craft more effective phishing emails. On the other hand, vendors were positioning themselves to leverage AI to improve cybersecurity defenses. AI has become an impetus in an escalating cyber arms race between attackers and defenders.
From VDC’s perspective, AI has been a component of cyber defenses for years in industrial systems and critical infrastructure, primarily as machine learning to perform anomaly detection for intrusion detection and intrusion prevention systems. Such machine learning establishes baseline behavior of devices, controllers, networks, and their communications, then continuously observes the system for abnormal behavior indicative of security breaches or operational risks. (Of course, it is crucial that systems are not already infected with malware during the baseline characterization, but that’s another story…) Various implementations of machine learning have been in use by industrial IoT cyber solutions from the likes of Armis, Claroty, Dragos, Forescout, Nozomi Networks, and Palo Alto Networks, all of whom were at the RSA show.
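The baseline-then-observe approach described above, and the caveat about characterizing a baseline on an already-infected system, shown as an added example that is not code from VDC or any vendor named here. The device names, addresses, the 10.0.0.0/8 plant range, and the flow-tuple format are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed plant address space
# Constructed sample flows: (source device, destination IP, destination port).
CLEAN_BASELINE = [
    ("plc-line2-01", "10.0.2.10", 502),   # Modbus/TCP to the line HMI
    ("plc-line2-01", "10.0.2.20", 502),
    ("plc-line2-02", "10.0.2.10", 502),
    ("hmi-line2", "10.0.9.5", 443),       # HTTPS to the historian
]
BEACON = ("plc-line2-02", "203.0.113.50", 443)  # documentation-range external IP
LIVE = CLEAN_BASELINE + [BEACON, ("plc-line2-01", "10.0.2.30", 44818)]


def learn_baseline(flows):
    """Record, per device, every (destination, port) seen in the learning window."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline


def detect(baseline, flows):
    """Return flows absent from the baseline, external destinations first."""
    alerts = []
    for src, dst, port in flows:
        if (dst, port) not in baseline.get(src, set()):
            external = ipaddress.ip_address(dst) not in INTERNAL_NET
            alerts.append({"src": src, "dst": dst, "port": port, "external": external})
    return sorted(alerts, key=lambda a: not a["external"])


def missed_by_contamination(clean_flows, contaminated_flows, live_flows):
    """Flows a clean baseline flags that a contaminated baseline silently accepts."""
    def key(a):
        return (a["src"], a["dst"], a["port"])
    clean = {key(a) for a in detect(learn_baseline(clean_flows), live_flows)}
    dirty = {key(a) for a in detect(learn_baseline(contaminated_flows), live_flows)}
    return clean - dirty


if __name__ == "__main__":
    for alert in detect(learn_baseline(CLEAN_BASELINE), LIVE):
        print("ALERT", alert)
    print("missed if baseline was learned while infected:",
          missed_by_contamination(CLEAN_BASELINE, CLEAN_BASELINE + [BEACON], LIVE))
```

With a clean learning window the PLC-to-external flow is ranked first; when the same flow is present during learning it becomes part of "normal" and is never reported.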
Another level of AI in industrial IoT defenses is using it to help prioritize the numerous security alerts produced by such systems, so that systems operators and security personnel can focus their attention on threats that are likely to be the most severe. Such prioritization is partially based on databases of known vulnerabilities, but can also factor in pattern matching and analysis of previous and current real-world breaches across all the sites under a vendor’s coverage.
The forthcoming next level of AI in industrial IoT defenses is the use of natural language queries to help personnel understand and prioritize threats. Think a ChatGPT-like interface for cybersecurity: “Show me all the anomalous communications between PLCs on production line number 2 and external IP addresses…” Although we did not see any demonstrations of such capabilities at RSA, in a briefing with Nozomi Networks, company executives told VDC that the company already plans to add natural language queries to a future version of its new cloud-based AI-driven Vantage IQ security service.
Also of note, a group of cybersecurity vendors—including Claroty, Dragos, Forescout, Nozomi Networks, Schneider Electric, Tenable, and others—announced the formation of a vendor-agnostic community for OT and critical infrastructure information sharing, dubbed ETHOS (Emerging THreat Open Sharing). VDC sees this as a positive step in helping a broader range of industrial operators secure their systems against cyberattacks.
For more on ETHOS, see the press release.
Lastly, we’ll mention a new industrial cybersecurity vendor, called TxOne, that popped out of stealth mode at RSA. The company, with investment from Trend Micro, was originally founded to help a Taiwanese semiconductor manufacturer protect itself from cyberattacks, which led to the development of a custom ASIC deployed in a network security appliance. It has since introduced a solution it calls Portable Inspector, which is a security inspection tool in the form factor of a USB stick.
For more on industrial cybersecurity, see VDC’s just-released report entitled, 2023 Industrial Cybersecurity Software & Services.