Automated Threat Response Will Take Hold for Operational Technology

Automated threat response (ATR) has emerged in recent years as a key strategy to help companies combat the rising volume and increasing sophistication of cyber-crime. ATR’s importance to operational technology (OT) has become so clear, so quickly, that I expect adoption to begin in earnest during 2018—even for historically conservative areas, such as manufacturing companies’ factory-floor control systems.

Many corporate executives might not realize that advanced technologies, such as behavioral analytics and artificial intelligence (AI), are already being used extensively to automate both the detection of cyber incidents and an initial response. Once an organization defines how it intends to respond to a given type of cyber incident, ATR systems can take that action immediately when an incident is identified. That reduces the workload on your organization’s security teams, while also shortening response time.

So, how applicable is ATR for protecting factory floors from advanced threats? ATR is very relevant, in fact.

An ATR manufacturing scenario

Consider a typical cyber-attack scenario, in which a supervisory system on the factory floor suddenly starts issuing a much higher number of operating commands than it usually does (its “baseline”). This may or may not be a malicious incident, but it is certainly anomalous. ATR systems could be used to detect that event and automatically respond, to either block the rogue device or limit its connection.

So why has this technology not been adopted yet? There are several reasons. First, in most manufacturing operations, current cybersecurity initiatives focus on visibility and access control; advanced threat prevention is a longer-term initiative. Second, the newer AI and machine-learning technologies used to baseline industrial manufacturing traffic and detect anomalies have so far been used mostly in R&D or pilot projects. Third, manufacturers tend to be conservative. The idea of allowing a system to respond automatically to threat incidents is scary for them, because of the fear of accidentally blocking legitimate traffic and devices and causing unnecessary downtime. Finally, work still needs to be done to define automated responses, incident by incident.

The year of ATR

My prediction is that ATR will reach production-level maturity in 2018, and we will start seeing large-scale deployments by leading manufacturing companies. There are several reasons for this. First, leading organizations are maturing, and have completed their pilots. Second, needed infrastructure is also maturing: a strong ecosystem around manufacturing-specific behavioral analytics and anomaly detection is emerging. And, at the same time, standalone threat detection tools are being integrated with enforcement devices, such as next-generation firewalls, which can execute the response.

Further driving ATR adoption in manufacturing environments are recent high-profile cyber-physical attacks, such as those against the Ukrainian power grid in 2015 and 2016, and the more recent WannaCry outbreak of 2017, which caused downtime in some manufacturing plants. I have also begun to see the development of manufacturing incident-response playbooks and semi-automated approaches, which make adoption of ATR more attractive to your company's resource-constrained and risk-averse operations managers.

Another aspect of gradual adoption is to offer managers the option to manually accept or reject a proposed threat response. While not fully automated, this approach might be a necessary intermediate step toward acceptance. Integrators developing these systems will be wise to develop user interfaces and workflows to support such semi-automated approaches.
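As an added example that is not part of the original article, the following Python sketches both the factory-floor scenario above (a supervisory host issuing far more commands than its baseline) and the semi-automated option just described. Per-host command counts are parsed from constructed log lines and compared against constructed learning-period baselines; an anomaly yields a proposed block or rate limit, and a responder either enforces it immediately or holds it as a ticket for an operator to accept or reject. The host names, baselines, log lines and thresholds are all invented for illustration, and the enforcement call is a placeholder rather than any real firewall API.

```python
"""Baseline-driven detection of command-rate anomalies with a response step
that is either fully automated ("auto") or held for operator approval ("semi").

Added example, not code from the original article. Hosts, baselines, log
lines and thresholds are constructed; the enforcement call is a placeholder
for whatever the real enforcement device (e.g. a firewall API) exposes.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Optional

WINDOW_SECONDS = 10   # aggregation window for command counts
LIMIT_Z = 3.0         # z-score at which a rate limit is proposed
BLOCK_Z = 8.0         # z-score at which a block is proposed

# Constructed learning-period baselines: commands per 10 s window, per host.
BASELINES = {
    "scada-01": [4, 3, 4, 5, 4, 3, 4, 4, 5, 4],
    "hmi-07":   [2, 1, 2, 2, 1, 2, 2, 1, 2, 2],
}

# Constructed current traffic, one command per line: "<epoch> <host> <command>".
# scada-01 issues 14 commands in one window against a baseline of about 4;
# hmi-07 is normal; plc-22 was never seen during the learning period.
SAMPLE_LOG = """\
1700000000 scada-01 WRITE_SETPOINT
1700000000 scada-01 WRITE_SETPOINT
1700000001 scada-01 WRITE_SETPOINT
1700000001 hmi-07 READ_STATUS
1700000002 scada-01 WRITE_SETPOINT
1700000002 scada-01 START_MOTOR
1700000003 scada-01 WRITE_SETPOINT
1700000003 scada-01 WRITE_SETPOINT
1700000004 scada-01 STOP_MOTOR
1700000004 plc-22 READ_STATUS
1700000005 scada-01 WRITE_SETPOINT
1700000005 scada-01 WRITE_SETPOINT
1700000006 hmi-07 READ_STATUS
1700000006 scada-01 WRITE_SETPOINT
1700000007 scada-01 WRITE_SETPOINT
1700000008 scada-01 WRITE_SETPOINT
1700000009 scada-01 WRITE_SETPOINT
"""


@dataclass
class Proposal:
    host: str
    window: int
    observed: int
    expected: Optional[float]   # baseline mean, None if the host has no baseline
    z: Optional[float]
    action: str                 # "block" or "limit"
    auto_ok: bool               # False: always requires an operator decision
    reason: str


def count_commands(log_text: str) -> dict:
    """Return {(window, host): command_count} from 'epoch host command' lines."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _command = line.split(maxsplit=2)
        counts[(int(ts) // WINDOW_SECONDS, host)] += 1
    return dict(counts)


def detect(counts: dict, baselines: dict) -> list:
    """Compare each host's count against its baseline and propose a response."""
    proposals = []
    for (window, host), observed in sorted(counts.items()):
        hist = baselines.get(host)
        if hist is None:
            # No baseline means no score; flag the host, but never let the
            # automation act on it without an operator in the loop.
            proposals.append(Proposal(host, window, observed, None, None,
                                      "limit", False, "no baseline for host"))
            continue
        mu = mean(hist)
        sigma = max(pstdev(hist), 1.0)   # floor: one extra command is never an alarm
        z = (observed - mu) / sigma
        if z >= BLOCK_Z:
            action = "block"
        elif z >= LIMIT_Z:
            action = "limit"
        else:
            continue                     # within baseline: no response
        proposals.append(Proposal(host, window, observed, mu, round(z, 2), action, True,
                                  f"{observed} commands vs baseline {mu:.1f} (z={z:.1f})"))
    return proposals


@dataclass
class Responder:
    """Enforces proposals immediately (mode='auto') or queues them as tickets
    for an operator to approve or reject (mode='semi')."""
    mode: str = "semi"
    pending: dict = field(default_factory=dict)
    executed: list = field(default_factory=list)
    tickets: int = 0

    def handle(self, p: Proposal) -> str:
        if self.mode == "auto" and p.auto_ok:
            return self._enforce(p)
        self.tickets += 1
        self.pending[self.tickets] = p
        return f"ticket {self.tickets}: proposed {p.action} {p.host} ({p.reason})"

    def approve(self, ticket: int) -> str:
        return self._enforce(self.pending.pop(ticket))

    def reject(self, ticket: int) -> str:
        p = self.pending.pop(ticket)
        return f"rejected {p.action} {p.host}"

    def _enforce(self, p: Proposal) -> str:
        # Placeholder for the enforcement-device call; only records the action.
        self.executed.append((p.action, p.host))
        return f"enforced {p.action} {p.host}"


def run(log_text: str, baselines: dict, mode: str):
    """Detect anomalies in log_text and hand each proposal to a Responder."""
    responder = Responder(mode=mode)
    outcomes = [responder.handle(p) for p in detect(count_commands(log_text), baselines)]
    return responder, outcomes


if __name__ == "__main__":
    responder, outcomes = run(SAMPLE_LOG, BASELINES, mode="semi")
    for line in outcomes:
        print(line)
```

Two choices in the sketch reflect the downtime fear described above: a host with no baseline is never acted on automatically, whatever mode is configured, and the standard deviation is floored so that a flat baseline does not raise an alarm on a single extra command. In a real deployment the baselines and thresholds would come from the anomaly-detection platform, and the placeholder enforcement call would be the integration with the firewall or other enforcement device.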

ATR will become critical to safeguarding manufacturers’ systems from increasingly sophisticated cyber attacks in 2018. In anticipation, enterprise executives, manufacturers, and industry associations might think about putting in place the integration required for ATR adoption.

A version of this article originally appeared on the Palo Alto Networks blog.