Securing Critical Infrastructure: Precision AI for OT Environments

Learn how AI and machine learning protect critical infrastructure as OT/IT systems converge. Palo Alto Networks SVP Anand Oswal shares insights on securing industrial operations and preventing cyberattacks.

Duration: 16:54

Dec 17, 2024
43,162 Views

Critical infrastructure faces unprecedented cybersecurity challenges as operational technology (OT) systems become increasingly connected to IT networks. How can organizations protect these vital systems while enabling digital transformation?

In this episode, Michael Krigsman speaks with Anand Oswal, SVP and General Manager of Network Security at Palo Alto Networks, about securing critical infrastructure in an IT/OT convergence era. Oswal reveals that over 75% of threats to OT networks originate from IT systems, while 70% of industrial organizations experienced cyber-attacks last year alone.

Learn how precision AI and machine learning transform OT security, enabling organizations to detect and prevent known and unknown threats in real-time. Discover practical approaches to securing legacy systems, managing remote access, and maintaining compliance in harsh industrial environments - all while ensuring continuous operations of mission-critical infrastructure.

This conversation offers essential insights for technology and business leaders responsible for protecting industrial operations, manufacturing facilities, utilities, and other critical infrastructure in today's complex threat landscape.

Episode Highlights

Secure OT/IT Convergence in Critical Infrastructure

  • Industrial organizations must address the growing interconnection between operational and IT systems while managing increased cyber risks. Over 75% of OT network threats originate from IT systems, requiring a unified security approach.
  • Implement a consistent architecture across IT and OT environments, keeping the controls that operational technology specifically needs, so that visibility improves without exposing mission-critical systems.

Deploy AI-Powered Security Solutions

  • Traditional signature-based security approaches are insufficient against sophisticated modern threats targeting industrial systems. Leverage precision AI combining machine learning, deep learning, and large language models for real-time threat detection.
  • Use AI to automatically identify devices, establish baselines, and create dynamic segmentation rules. Manual configuration often leads to breaches, while AI can adapt to changing environments and new threats.
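The baselining and segmentation workflow in the two points above, as an added illustration that is not Palo Alto Networks code: a short Python model in which a per-device communication baseline is learned from a known-good observation window, zone-level allow-list segmentation rules are derived from it (everything else is default deny), and later flows are classified against it. The device inventory, zones, flow records and protocol names are all constructed for the example, and the plain allow-list baseline is a simplified stand-in for the machine-learning models the episode describes.

```python
"""Learn a per-device communication baseline from observed flows, derive
allow-list segmentation rules from it, and flag flows that deviate.

Added example, not vendor code. Inventory, zones and flows are constructed;
the allow-list baseline is a simple stand-in for the ML models discussed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # source device name (from the constructed inventory)
    dst: str     # destination device name
    proto: str   # application protocol label, e.g. "modbus", "https"
    dport: int   # destination port


# Constructed inventory: device name -> network zone
INVENTORY = {
    "plc-line1": "ot-cell",
    "hmi-line1": "ot-cell",
    "historian": "ot-dmz",
    "erp-server": "it-corp",
    "jump-host": "it-corp",
}

# Constructed flows captured during a known-good observation window
BASELINE_FLOWS = [
    Flow("hmi-line1", "plc-line1", "modbus", 502),
    Flow("hmi-line1", "plc-line1", "modbus", 502),
    Flow("historian", "plc-line1", "modbus", 502),
    Flow("erp-server", "historian", "https", 443),
]


def learn_baseline(flows):
    """Return {src: {(dst, proto, dport), ...}} seen during the window."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.proto, f.dport))
    return dict(baseline)


def segmentation_rules(baseline, inventory):
    """Collapse the device baseline into zone-level allow rules.

    Each rule is (src_zone, dst_zone, proto, dport); anything not listed is
    denied by default, so no pair of zones has implied trust."""
    rules = set()
    for src, peers in baseline.items():
        for dst, proto, dport in peers:
            rules.add((inventory[src], inventory[dst], proto, dport))
    return sorted(rules)


def classify(flow, baseline, inventory):
    """Label a flow: 'baseline', 'new-peer', 'cross-zone' or 'unknown-device'.

    A cross-zone flow that was never baselined is the pattern behind the
    'threat entered via IT and moved to OT' scenario, so it is reported
    separately from a new peer inside the same zone."""
    if flow.src not in inventory or flow.dst not in inventory:
        return "unknown-device"
    if (flow.dst, flow.proto, flow.dport) in baseline.get(flow.src, set()):
        return "baseline"
    if inventory[flow.src] != inventory[flow.dst]:
        return "cross-zone"
    return "new-peer"


def review(flows, baseline, inventory):
    """Return only the flows that need a human or policy decision."""
    return [(f, v) for f in flows
            if (v := classify(f, baseline, inventory)) != "baseline"]


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for rule in segmentation_rules(base, INVENTORY):
        print("allow", rule)
    later = [Flow("erp-server", "plc-line1", "modbus", 502),
             Flow("laptop-x", "plc-line1", "modbus", 502)]
    for f, verdict in review(later, base, INVENTORY):
        print(verdict, f)
```

The derived rules are what a segmentation policy would be seeded with; re-running `learn_baseline` on a fresh window is how the rules track new devices, and `review` is the list an operator (or an automated policy engine) would act on rather than configuring each device pair by hand.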

Enable Secure Remote Access

  • Implement least-privilege access controls and secure enterprise browsers for contractors and employees accessing critical OT assets remotely. Over 50% of organizations now allow remote access to high-value industrial systems.
  • Maintain comprehensive audit logs of all remote activities and implement zero-trust principles where no implied trust exists. Monitor and verify every connection to and from OT assets.

Use Virtual Patching to Address Legacy System Challenges

  • Utilize virtual patching to protect outdated or unpatchable systems by blocking exploitation attempts at the network level. This provides central protection for legacy devices that cannot be directly updated.
  • Deploy ruggedized security solutions designed for harsh industrial environments with temperature, vibration, and weather challenges. Ensure security measures don't disrupt critical operations.
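The virtual-patching idea above, as an added example that is not Palo Alto Networks code: an inline network filter consults an asset inventory, and for endpoints that carry an open finding covered by a virtual patch rule it blocks matching traffic before it reaches the device, while traffic to unaffected assets passes. A coverage report then lists unpatchable assets whose findings still have no compensating control. The asset addresses, firmware labels, finding identifiers (`VULN-PLACEHOLDER-*`), the byte marker the rule matches, and the packets are all constructed placeholders for the example.

```python
"""Virtual patching as a network-level compensating control.

Added example, not vendor code. Assets, finding ids, the rule's byte marker
and the packets are constructed placeholders."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    firmware: str
    patchable: bool                      # False: cannot be updated in place
    open_findings: set = field(default_factory=set)  # placeholder finding ids


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class VirtualPatch:
    """A network rule that compensates for one finding on the endpoint."""
    finding_id: str
    dport: int
    marker: bytes   # constructed byte pattern the rule looks for


# Constructed inventory: one end-of-life device, one current device
INVENTORY = {
    "10.0.1.10": Asset("10.0.1.10", "v1.2 (end-of-life)", False,
                       {"VULN-PLACEHOLDER-1"}),
    "10.0.1.11": Asset("10.0.1.11", "v3.0", True, set()),
}

# Constructed virtual patch covering the placeholder finding on port 502
PATCHES = [VirtualPatch("VULN-PLACEHOLDER-1", 502, b"\x10\xff")]


def decide(pkt, inventory, patches, log):
    """Return 'allow' or 'block' for one packet and record the reason.

    The rule only fires for a destination that actually carries the finding,
    so the same marker sent to a patched device is not blocked."""
    asset = inventory.get(pkt.dst_ip)
    if asset is None:
        log.append(f"allow {pkt.src_ip}->{pkt.dst_ip}:{pkt.dport} "
                   f"(destination not in inventory)")
        return "allow"
    for vp in patches:
        if (vp.finding_id in asset.open_findings
                and pkt.dport == vp.dport
                and vp.marker in pkt.payload):
            log.append(f"block {pkt.src_ip}->{pkt.dst_ip}:{pkt.dport} "
                       f"virtual patch {vp.finding_id} "
                       f"(firmware {asset.firmware})")
            return "block"
    log.append(f"allow {pkt.src_ip}->{pkt.dst_ip}:{pkt.dport}")
    return "allow"


def coverage_report(inventory, patches):
    """Unpatchable assets -> findings with no network-level compensating control."""
    covered = {vp.finding_id for vp in patches}
    return {ip: sorted(a.open_findings - covered)
            for ip, a in inventory.items() if not a.patchable}


if __name__ == "__main__":
    events = []
    for pkt in [Packet("10.0.2.5", "10.0.1.10", 502, b"\x00\x01\x10\xff"),
                Packet("10.0.2.5", "10.0.1.11", 502, b"\x00\x01\x10\xff"),
                Packet("10.0.2.5", "10.0.1.10", 502, b"\x00\x01")]:
        decide(pkt, INVENTORY, PATCHES, events)
    print("\n".join(events))
    print("uncovered:", coverage_report(INVENTORY, PATCHES))
```

The log lines are the audit trail the highlight on compliance asks for, and `coverage_report` is the check to run whenever a new finding is added to the inventory: an unpatchable device with an empty list is covered, a non-empty list is a gap that either a rule or a replacement has to close.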

Automate Compliance and Reporting

  • Implement automated systems to track assets, vulnerabilities, and security events to meet new regulatory requirements, including 72-hour breach reporting and 24-hour ransomware incident disclosure.
  • Use AI-driven solutions to automatically generate required audit documentation and compliance reports while proactively identifying remediation needs across the OT environment.

Key Takeaways

AI-Driven Security is Essential for Modern OT Protection. Traditional signature-based security approaches are no longer sufficient for protecting operational technology environments. Precision AI, combining machine learning, deep learning, and large language models, enables organizations to detect and prevent known and unknown threats in real-time. Palo Alto Networks stops 12 billion attacks daily, including 2.5 million previously unseen threats, demonstrating the crucial role of AI in modern security.

OT/IT Convergence Creates New Security Challenges. The increasing digitization of industrial environments has led to a critical convergence of operational and information technology systems. Over 75% of OT network threats originate from IT systems, so implementing unified security architecture across both environments is essential. This convergence demands sophisticated security solutions to protect legacy systems while enabling digital transformation.

Automated Compliance and Virtual Patching for Legacy Systems. Organizations must address the challenge of securing legacy OT systems that cannot be regularly updated or patched. Virtual patching provides a network-based solution to protect vulnerable endpoints without directly modifying them, while AI-driven automation helps maintain compliance with new regulations requiring incident reporting within 24-72 hours. This approach enables organizations to secure critical infrastructure without disrupting operations.

Episode Participants

Anand Oswal serves as Senior Vice President and General Manager at cyber security leader Palo Alto Networks where he leads the company’s Firewall as a Platform efforts. He holds more than 60 U.S. patents and earned a bachelor’s degree in telecommunications from the College of Engineering, Pune, India and a master’s degree in computer networking from the University of Southern California, Los Angeles.

Michael Krigsman is a globally recognized analyst, strategic advisor, and industry commentator known for his deep expertise in digital transformation, innovation, and leadership. He has presented at industry events worldwide and written extensively on the reasons for IT failures. His work has been referenced in the media over 1,000 times and in more than 50 books and journal articles; his commentary on technology trends and business strategy reaches a global audience.

Transcript

Michael Krigsman: Welcome to CXOTalk. I'm Michael Krigsman, and we are discussing how AI can protect operational technology and critical infrastructure. We're speaking with Anand Oswal from Palo Alto Networks.

Anand Oswal: Palo Alto Networks is a leading cybersecurity company in the world. Our mission is to make every day more safe than the day before.

At Palo Alto Networks, I am the SVP and general manager of network security. 

Michael Krigsman: Anand, we're talking about operational technology (OT) and information technology (IT). Give us some background here.

Anand Oswal: When you think of operational technology, think of factory floors, manufacturing facilities. Think of utility, oil and gas, mining. These environments have high-value assets, and there's a big difference between IT environments and OT environments.

First, IT environments typically are usually always connected. OT environments are starting to get connected now. 

But they're also mission-critical in nature. If an OT asset goes down, it can mean a big downtime for a factory floor, for a utility network, etc. 

At the same time, we're seeing that over 70% of industrial organizations were victims of cyber-attacks just in the last year. One in four organizations had to shut down their operations for a small amount of time.

Michael Krigsman: Anand, there is a convergence between OT and IT systems. What's going on there?

Anand Oswal: As OT environments are getting more and more digitized, the IT and OT environments are converging so that you can have consistent visibility across the entire infrastructure. At the same time, you're seeing over ¾ of all threats on OT networks originated from the IT side and then percolated onto the OT environments. 

You can't have these two disjointed environments operating in silos forever. They're converging. Digitization is bringing all these things together. You want to have a consistent architecture across IT and OT with all the controls you want which are unique to OT. 

Now, digitization is an amazing thing. It brings new opportunities, new capabilities for these factory floors, for these manufacturing facilities. But it also brings in an increased attack surface.

Michael Krigsman: How does this increase the attack surface, as you just mentioned?

Anand Oswal: As you get more and more digitized, as more and more things get connected, your attack surface increases. 

In the past, these organizations were completely air-gapped or not connected to the outside world. As these are getting connected now, what's happening is that the attack surface increases.

Also, these systems or the organizations have very legacy and complex systems, flat layer 2 networks. Their assets have not been patched periodically. 

They are very old assets with a variety of different systems and stacks that have been used from the last one, two, three decades at times, so modernization was not possible. Patching all of these assets is not happening very frequently, and now people are exploiting as these get connected.

Michael Krigsman: Can you give us some examples of exposed OT critical infrastructure that's therefore open to attack?

Anand Oswal: Over ¾ of these attacks originate from the IT side, so you have infiltrated into your IT systems and then you are going into your OT environments. And this could be things like remote code execution, command and control attacks, software exploits happening on specific old systems. A variety of different attacks are happening.

Now, not all attacks, of course, are happening from IT and moving to OT. There are attacks that are happening on OT alone. But a large majority of them are initially happening on the IT side and then they are going to move onto the OT environments.

Michael Krigsman: OT systems do have unique attributes, as you were describing. What about traditional conventional approaches to security: firewalls and so forth?

Anand Oswal: Securing the OT environment is a top, top priority. Most of the customers that I talk to in the OT environment (whether they're customers in manufacturing, in utility, in oil and gas, in food production, et cetera) recognize the problem. 

They understand it's not easy because they have these legacy environments. They're complex. They are flat layer 2 environments. Some of them are getting connected.

And the connectivity varies. Some are being connected the traditional way. Some are getting connected directly or 5G bespoke.

You want to give access to these factory floors and assets from the outside. You want to ensure that you're giving them the least privilege access, and they can only do what you want them to do. So, all those environments are unique for OT environments. 

Now, the way to go about this holistically is on the principles of zero trust: security that is powered through AI; visibility. If you think of visibility, it's not about manually understanding what your assets are in the environment. It's next to impossible to do that because you have new assets. 

I want to be able to understand, through machine learning, what's the device, what's the type, what's the make, what's the model, what is it talking to, what is it not doing, what it's supposed to do, so I can baseline those things. 

Second, your rules for segmentation should also be machine-learning powered or AI-powered because these rules may change and you'll have new devices coming on.

Which devices have access to which group? What's the policies you set for them? They cannot be done manually.

Look. The majority of breaches happen when things are configured manually.

Once you do that, the third is, how do you secure all of the connections outside and coming from the outside world? That only happens through the power of what I call precision AI, a combination of machine learning, deep learning, infused with large language models, because the traditional approaches of security, which are based on a signature or a database, are not sufficient. 

Attackers are more and more sophisticated. So, you cannot write only on that. The only way to solve problems for the new world will be AI-driven through your machine learning and deep learning models.

Michael Krigsman: You mentioned precision AI to support security on OT devices and environments. Can you elaborate on that? 

Anand Oswal: If you think of a signature, it's like I had a given device or a person infected with a given threat. I understand what it is. I built a signature. And then I give a content update on my network and for some point so that nobody else is affected by the same threat that the first person was.

In my view, that's reactive. It used to take us seven days to give content. Then 24 hours, then 8 hours, and sometimes it's now in a matter of minutes. But it's still reactive.

If you want to stop new threats, threats that you've seen before but also threats that you've never seen before (what I call day zero threats), then you need to not depend only on the signature and databases. You've got to look at things in line in real time. That happens with deep learning across both structured and unstructured data where we're able to understand what's going on and protect you from threats that you've never seen before. 

That's the power of precision AI where we're taking what we did with machine learning, we added these deep learning models, and we infused that in the last two years with all of the variations that we can get with large language models. The combination of these three techniques is what we call precision AI.

Michael Krigsman: Of course, you're dealing with threat actors who have become very sophisticated in the use of AI and machine learning on their side as well.

Anand Oswal: Cybersecurity is the only industry that has an active adversity. Our job is to be right every single time. The attacker's job is to be right once. 

The amount of effort that we put into researching all of these various threats, models, new techniques in AI, is to always stay ahead of the adversity. That's what we do with precision AI.

We are now stopping (at Palo Alto Networks) over 12 billion attacks every single day, and 2.5 million of those are net new attacks that nobody has ever seen before. That's only possible because we have 4,400 machine learning, deep learning models running on the platform looking at these things in line in real-time protecting you from threats that you've seen in the past and threats that you've never seen before.

Michael Krigsman: Now many of these OT systems are in legacy environments. They're not patched. There are a whole host of issues. How do you manage that?

Anand Oswal: You need to have something where you can do what I call virtual patching, where you can build signatures of what is happening on the endpoints and block them on the network side, because it's easier to patch centrally; it's hard to update these devices periodically and, in some cases, it's not possible.

Michael Krigsman: Why is virtual patching so important?

Anand Oswal: Virtual patching helps us now solve the problem where I'm not able to patch my endpoints with vulnerabilities and CVEs that I see. But I'm having a network solution to still make sure that I'm not affected by that situation. I'm basically solving it more creatively. 

Michael Krigsman: These environments are mission-critical and very often must run continuously. How can organizations integrate these kinds of solutions without causing disruption to their environment?

Anand Oswal: If you are using OT security on a factory floor, you can't stop production on the factory floor. If you're using it in a utility or oil and gas environment, you can't stop what's happening with your utility or your oil and gas environment. So, it's very important that you build your OT solutions keeping in mind high availability, keeping in mind how you ensure that, from an operational perspective, they continue to run.

Michael Krigsman: Remote access is critical for these kinds of environments. How do you enable remote access while providing security?

Anand Oswal: Over 50% of organizations today, Michael, have technicians, contractors, or employees accessing these high-value, critical assets remotely. And for that, you want to make sure that you're using the right privileges for what they have access to. 

When they get access to the system, they're accessing ideally from a secure enterprise browser where you can do just in time record, you can look at the activity, you can log all things that they're doing because these are very critical assets. So, you want to make sure that you're designing your solutions with least privilege of what the contractor, the employee, the technician accesses, but also ensure that you have a full audit log of every single activity done by the user. 

Michael Krigsman: Anand, you've mentioned zero trust several times. How does that come into play in this remote access scenario?

Anand Oswal: It is one of the most abused words in cybersecurity. If you think of zero trust, it means no notion of implied trust. 

I want to understand, in this case, who the device or the asset is. Is it something that I understand and is assigned to my OT environment? 

Then you want to know who the asset is talking to, talking to systems inside the organization and talking to things in the outside world. 

Who can access these systems from the outside? For example, we talked about for remote access.

When you allow these connections, how do you ensure that this connection (whether it is from the asset to the outside world or the reverse) is monitored for all threats, vulnerabilities, command control connections, and so on and so forth? 

Four, how do you manage the entire lifecycle of these assets? 

All this, in construct, helps us define zero trust for OT environments where we have no notion of implied trust, we have least privilege access, and are monitoring every single connection and flow from the asset or to the asset.

Michael Krigsman: Anand, factory floors and other OT environments are very harsh. There's humidity issues. There's temperature. How do you handle that aspect?

Anand Oswal: There are harsh environments. Sometimes these environments have vibration, temperature control. And if you think about other OT environments, they could be outdoor, Michael, like your utility, your mining, your oil and gas, which could have to operate in temperatures which are very hot or really, really cold.

For those environments, we have what we call ruggedized firewalls. These are network enforcement points which have all of the ability to weather all the harsh environments, whether it's temperature, whether it is rain, whether it is vibration, whether it is sand, and so on and so forth.

These are enforcement points, or sensors on the network, to help identify who the devices are in the environment but also help protect from threats, command control connections, software exploits, and so on and so forth.

Michael Krigsman: Anand, these regulations around cybersecurity reporting are evolving. Can you tell us about that? What's going on there?

Anand Oswal: Within 72 hours, if you are having an attack, you have to report that. For ransomware, you have 24 hours to report that. 

So, these are environments that are happening, and this is quite broad. It affects a large sector of organizations, including OT environments. And that is what the rules and regulations are. 

The best thing that we are advising our customers is to make sure that you are building the systems which are highly secure so that you have the capability then to protect yourself from these threats.

Michael Krigsman: Do you have advice on how organizations can maintain operational efficiency while maintaining compliance with these new regulations?

Anand Oswal: Most of these environments are highly regulated. Most of these environments have to have a lot of things around audits and trails and logs. And a lot of time is spent in creating these audit log reports. 

What we do with our solution of OT security (in addition to the things I talked about, which is visibility, segmentation and policy control, zero trust access and security on an ongoing basis), we also help them automate all the audit information because now we have full visibility into every individual asset in the organization. We know the make, the model, the version, the vulnerabilities associated with it, and we can now automate some of this report creation from an audit perspective and help them be more proactive in how you remediate from these vulnerabilities either by patching the endpoints, by having solutions like guided virtual patching, or support on the network and for some point for security threats.

Michael Krigsman: Given the complexity around these OT environments and the ever-evolving nature of security threats, automation is the key.

Anand Oswal: Automation and your security and your visibility need to be powered by AI. You cannot do these things manually.

Michael Krigsman: AI and machine learning have been core themes you've touched on during our discussion. Why is it so important in these converged OT IT environments?

Anand Oswal: When you're talking of OT environment and IT environments merging, you're talking of two systems coming together. You're talking of complexity or variety of different things on the OT environment, many of them that can't be patched. Many of them having vulnerabilities. And then you have to have all the segmentation rules and policies. 

All of this has to be powered through AI and machine learning. You've got to be able to have full visibility. You've got to do it on structured, unstructured data. You've got to have your segmentation rules and policies automatically created. 

But now, as these assets get connected, you have to use the power of machine learning, deep learning, LLMs – what we call precision AI – to secure every single connection across every single possible threat vector, whether it's command control connections and software exploits and phishing attacks or malware or OT-specific threats. All of this needs to be done through the power of AI so you can stop and prevent both known as well as unknown threats in real time, reducing any of the downtime for these assets, and have full lifecycle manageability across the entire lifecycle of the OT assets for the factory floor of the plant.

Michael Krigsman: Anand, great talking with you. Thank you so much.

Anand Oswal: Michael, always a pleasure. Thank you so much.

Published Date: Dec 17, 2024

Author: Michael Krigsman

Episode ID: 865