Artificial intelligence promises, and in many cases delivers, unprecedented leaps in productivity, efficiency and operational agility in manufacturing—streamlining supply chains, improving visibility and quality and optimizing complex production lines.
But AI has also ushered in a new era of cybersecurity concern across the recently converged IT and OT environments. Since 2019, the manufacturing industry has experienced a 300% surge in cyberattacks. The Norsk Hydro ransomware attack is one of the most notable, but there are many others that never make the headlines.
The rise of AI and the corresponding rise in security threats are no coincidence. The same capabilities that empower manufacturers to streamline operations also arm adversaries with sophisticated new tools that threaten the safety and security of data and systems.
Manufacturers can implement multiple layers of AI to their security tools to bolster defenses and ensure that both sides of the house are protected.
IT/OT Convergence Has Increased the Attack Surface
Manufacturing operations technology (OT) environments, characterized by proprietary systems and air-gapped networks, were considered relatively secure for decades. However, digital transformation and IoT have blurred these traditional boundaries, integrating IT and OT networks and exposing operational systems to the broader internet.
IT/OT convergence has been a vital trend in driving greater data-driven insights and supporting remote plant management. Unfortunately, this has also significantly expanded the manufacturing attack surface. OT environments are no longer air-gapped; they face the same vulnerabilities as IT environments.
With its capacity for pattern recognition, automation and predictive analytics, AI is now weaponized by threat actors, presenting a more potent and elusive adversary. One of AI’s most concerning side effects is cyberattackers’ use for reconnaissance and automated vulnerability discovery.
Traditional cyber reconnaissance involves an attacker manually sifting through publicly available information and network scanning, which can take hours, days or weeks. However, with AI and automation, adversaries can now accelerate this process exponentially.
Machine learning (ML) algorithms can also analyze vast open-source intelligence (OSINT) datasets, identify critical personnel, map network topologies and even pinpoint specific software and hardware versions within a manufacturing facility. Consider AI a hyper-efficient spy, gathering readily available information at warp speed for attackers to help them tailor their attacks with greater precision.
AI-powered tools can autonomously probe OT networks for vulnerabilities, identifying potential software misconfigurations, unpatched systems and exploitable weaknesses that might evade human detection. This automated vulnerability assessment can now be executed at scale and speed, making traditional defensive responses too slow to thwart the attack.
Beyond reconnaissance, AI enhances the efficacy and sophistication of various attack techniques. For example, imagine a sophisticated phishing attempt in which a manufacturing executive receives a video or voice call from what appears to be a trusted colleague, instructing them to transfer funds or grant access to sensitive systems. Today’s AI can meticulously replicate the voices and facial expressions of virtually anyone. AI-powered deepfake phishing attacks have the potential to bypass traditional security awareness training and social engineering defenses, exploiting human trust and the inherent difficulty in discerning synthetic media from reality.
Fire With Fire: AI and the Autonomous SOC
The good news is that AI is also a powerful ally in the cybersecurity arsenal. Enterprises have already been embedding AI into their defensive strategies, transforming threat detection, response and prevention, and now manufacturers can do the same.
AI-enhanced security operations centers (SOCs) leverage advanced network detection and response (NDR) technology to revolutionize how security teams identify and neutralize security threats. AI-powered systems can quickly analyze and learn from massive IT/OT network traffic, user behavior and threat intelligence datasets.
AI and ML can quickly identify anomalous patterns and indicators of compromise (IOCs) that would otherwise go unnoticed. Machine-learning models identify deviations from normal network behavior, detecting potential zero-day attacks, ransomware, insider threats and lateral movement. That might be an employee attempting to access servers, applications or information that isn’t core to their job; a sudden surge in data transfer from or to an unusual internal IP address; or a login attempt from an atypical geographic location at an odd hour. With an AI-powered SOC monitoring for these behaviors, any actions can automatically trigger an alert and start an investigation.
Automated and orchestrated response enables rapid mitigation through automated threat containment, alert prioritization and security workflow automation. What does this mean, exactly? AI can automate various stages of incident handling, such as quarantining infected systems, blocking malicious IP addresses and enriching security alerts with contextual information. These automated responses buy the human security analysts time to continue their investigation into the threats while preventing them from doing any damage to the IT or OT environment. The ability to automate responses significantly reduces the mean time to detect (MTTD) and mean time to respond (MTTR), mitigating the impact of an attack and restoring operational continuity faster. In short, AI makes manufacturing OT systems more resilient in the event of an attack.
Multi-Layered AI: Manufacturing’s Best Defense
A multi-layered defense incorporates architectural safeguards designed for the AI era. An autonomous SOC leverages multiple types of AI, including:
- Traditional AI and deep learning ML that provide predictive analytics
- Generative and conversational AI, such as copilots or personal assistants
- Graph ML that connects security alerts and events automatically, surfacing attacks undetectable to the human eye
- Hyperautomation—the next generation of security orchestration, automation, and response (SOAR) technology—incorporates advancements in AI to slash response times and improve workflow automation, to execute security operations tasks with minimal human intervention.
Agentic AI operates with goal-driven autonomy to proactively triage alerts, detect anomalies and prioritize threats—empowering lean security teams to move from reactive to anticipatory defense with minimal supervision.
The multi-layered AI approach to network detection and response adds significant material speed, scale and efficiency to SecOps environments, regardless of size and scope. Autonomous SOCs free human security professionals to take on more complex tasks such as threat hunting, AI research and investigation.
The future of manufacturing security lies in a proactive, multi-layered AI defense that can withstand today’s threats and anticipate and neutralize the sophisticated attacks of tomorrow, ensuring continued productivity and resilience.
