Cyber operations that impact the physical world rely on attacks against industrial control systems. These are the operational systems that control production lines, electrical plants, and critical infrastructure. Industrial systems’ distinct structures, proprietary communication protocols, and blend of operational technology and information technology make attacking such systems a tall-order for cyber operations, yet machine learning could alter the nature of offensive operations.
Machine learning may change cyber operations against industrial systems in three ways.
First, modeling the industrial process using machine learning may decrease the number of failed attacks by advanced actors. This capability will make the good attackers better, but not improve the operations of less sophisticated attackers.
Second, machine learning models can serve as weapon for attacking industrial control systems (ICS). Fake sensor readings, generated by a model trained on the network’s data, can cause the system to adjust itself in ways that cause damage to the system or the goods it is producing.
Third, adversarial machine learning can falsify data that hides ongoing attacks from ML-based anomaly detection systems—allowing some attacks executed by traditional malware to proceed without being detected. This same attack methodology can also create false alarms that desensitize human operators to alerts of an actual attack.
This issue brief offers three policy recommendations.
- Protect the data historian. If attackers use machine learning models to prepare attacks against industrial systems, the data historian—a repository for some industrial data—will become more important to defend, as its contents are used to train such models. Collaboration between critical infrastructure operators, national laboratories, the private sector, the Cybersecurity and Infrastructure Security Agency, and the National Security Agency may yield more tailored technical solutions that can be deployed widely across industrial sites.
- Field an ICS Hunt Team. The federal government should train and use a corps of ICS experts dedicated to proactive threat hunting in ICS environments. Proactive defense of operational technology networks by federal officers, in collaboration with willing critical infrastructure operators, reinforces the defender’s advantage. Threat hunting capitalizes on the long periods attackers must dedicate to reconnaissance in industrial networks and uses intelligence collected under persistent engagement by Cyber Command and the NSA to detect attackers.
- Bolster defensive research. The U.S. government should support additional research into the potential malicious uses of machine learning in attacks against industrial systems, with the specific goal of identifying weaknesses in attack methodologies. Findings from additional research could drive collaboration between industry and government and the development of technical solutions.