DEV Community

Mike Anderson
Mike Anderson

Posted on

Securing State-Owned ICS (Part 6): AI, Governance, Procurement, and the 180-Day National Roadmap

Previous Series: Part 1: Executive Briefing

Previous Series: Part 2: National Risk, Threat Landscape, and the First 30 Days

Previous Series: Part-3: Target Architecture for IT, OT, Cloud, and Power Grid Environments

Previous Series: Part-4: Tools, Technologies, and Control Implementation Catalog

Previous Series: Part-5: SOC, Detection, Incident Response, Resilience, and Exercises

Jump to Part-7: State-Owned ICS Cybersecurity Blueprint

AI can help ICS cybersecurity.

It can also create new risk.

For state-owned critical infrastructure, AI must be introduced with discipline.

The goal is not to make the plant autonomous.

The goal is to improve visibility, triage, detection, reporting, planning, and decision support without allowing AI to directly manipulate unsafe physical processes.

The rule is simple:

AI can advise.

Humans must approve.

Engineering and safety must govern physical action.


Executive summary for leaders

AI should not be the starting point for ICS cybersecurity.

Start with:

  • asset inventory
  • segmentation
  • remote access control
  • identity governance
  • backups
  • monitoring
  • incident response
  • vendor governance

Then use AI to accelerate human decision-making.

Good AI use cases:

  • summarize advisories
  • enrich asset inventory
  • assist alert triage
  • draft detection logic
  • support threat hunting
  • summarize incidents
  • generate tabletop scenarios
  • create executive reports
  • review change requests for missing risk information

Risky AI use cases:

  • autonomous controller commands
  • unsupervised logic changes
  • automatic blocking of critical OT paths
  • cloud processing of sensitive national infrastructure data without approval
  • AI agents connected directly to control networks
  • AI-generated remediation applied without engineering review

For national ICS, AI governance is mandatory.


1. The AI rule for ICS

Approved policy statement:

AI may recommend, summarize, correlate, enrich, detect, and explain.

AI must not independently issue control commands, change controller logic, bypass safety procedures, isolate critical OT assets, or make safety-impacting decisions without approved human authority.
Enter fullscreen mode Exit fullscreen mode

This should be written into national policy, utility policy, SOC procedure, and procurement language.


2. Practical AI use cases

Asset inventory enrichment

AI can help normalize messy asset data.

Inputs:

  • passive discovery output
  • CMDB
  • firewall logs
  • switch tables
  • vendor exports
  • engineering documentation
  • vulnerability reports
  • backup inventories

Useful outputs:

  • duplicate asset matching
  • vendor and model normalization
  • missing owner suggestions
  • criticality suggestions
  • unsupported software identification
  • likely zone or Purdue level
  • communication pattern summary

Human validation remains required.

Alert triage assistant

AI can help analysts understand alerts faster.

Useful outputs:

  • plain-language alert explanation
  • affected process summary
  • asset owner
  • recent related activity
  • approved change window check
  • recommended triage questions
  • evidence collection checklist
  • draft incident notes

Do not allow AI to auto-close high-risk OT alerts.

Detection engineering support

AI can draft detection ideas for:

  • vendor login outside approved window
  • unauthorized PLC or relay write
  • new engineering protocol source
  • RDP bypassing jump host
  • logic change outside approved window
  • new device in control cell
  • suspicious archive creation on engineering workstation

Human validation and test data are mandatory.

Threat intelligence summarization

AI can summarize:

  • national CERT alerts
  • CISA ICS advisories
  • vendor advisories
  • sector ISAC reports
  • known adversary tactics
  • affected products
  • recommended mitigations

The output should be mapped to actual inventory.

A generic advisory summary is useful.

A summary that says "we have 14 affected assets in three sites" is operationally valuable.

Incident response support

AI can help by:

  • building event timelines
  • summarizing log evidence
  • drafting executive updates
  • mapping behavior to MITRE ATT&CK for ICS
  • preparing post-incident report drafts
  • tracking remediation actions
  • generating lessons-learned summaries

AI should not decide containment for safety-impacting assets.

Change review support

AI can review change tickets for missing information.

Questions AI can flag:

  • Is the affected process documented?
  • Is rollback included?
  • Is backup confirmed?
  • Is the maintenance window approved?
  • Are safety and operations owners listed?
  • Is monitoring required after change?
  • Are firewall rules too broad?
  • Is the vendor access window time-bound?
  • Is evidence required after the change?

This is a strong, low-risk AI use case.

Training and tabletop simulation

AI can generate exercise scenarios for:

  • vendor account compromise
  • ransomware on HMI
  • unauthorized logic change
  • relay setting modification
  • loss of historian
  • substation communication outage
  • insider using shared account
  • compromise of IT/OT boundary
  • cloud analytics disruption

Use AI to create exercise material, not to replace human evaluation.


3. AI use cases to prohibit or tightly restrict

Avoid or prohibit:

  • AI issuing PLC, RTU, IED, or relay commands
  • AI modifying ladder logic or controller configuration without engineering review
  • AI automatically disabling critical OT network paths
  • AI deciding safe state
  • AI performing unsupervised active scanning of controllers
  • AI using live OT credentials without approval
  • AI agents connected directly to control networks
  • unmanaged public AI tools processing sensitive OT diagrams
  • sensitive incident evidence sent to cloud AI without approval
  • AI-generated remediation applied without testing
  • AI model training on national infrastructure data without legal review

Failure mode:

A model can be confident, useful, and wrong at the same time.

In ICS, wrong action can become physical impact.


4. Safe AI architecture

Use AI as an analysis layer, not a control layer.

OT sensors, logs, inventory, tickets
        |
        v
SIEM / OT security data lake
        |
        v
AI analysis layer
- summarization
- enrichment
- anomaly explanation
- detection draft
- report generation
        |
        v
Human approval
SOC, OT engineer, safety owner, incident commander
        |
        v
Approved action through existing controls
PAM, firewall, change management, incident response
Enter fullscreen mode Exit fullscreen mode

The AI layer should not connect directly to controllers.

AI governance controls

Minimum controls:

  • approved AI use case register
  • data classification before AI use
  • prohibition on sensitive OT data in unmanaged public AI tools
  • role-based access
  • prompt and output logging where legally allowed
  • human approval for operational action
  • validation of AI output
  • prompt injection awareness
  • data leakage monitoring
  • model owner
  • risk owner
  • periodic performance review
  • incident process for AI failures
  • vendor security review

Local, sovereign, or cloud AI

For national critical infrastructure, use risk-based placement.

Prefer local or sovereign deployment for:

  • network diagrams
  • controller inventories
  • PLC logic
  • relay settings
  • vulnerability details
  • incident evidence
  • national grid topology
  • facility layouts
  • sensitive threat intelligence

Cloud AI may be acceptable for:

  • public advisory summaries
  • generic policy drafts
  • training content
  • non-sensitive writing assistance
  • public research summarization

Do not send sensitive operational data to public AI systems without approval.


5. Secure procurement

Procurement is a security control.

Every new ICS product or service should require:

  • secure development lifecycle evidence
  • vulnerability disclosure process
  • long-term patch support
  • SBOM where applicable
  • secure configuration guide
  • authentication and role-based access support
  • logging support
  • encrypted management where feasible
  • ability to disable unused services
  • documented hardening baseline
  • backup and restore method
  • default credential removal at commissioning
  • remote support model review
  • country-of-origin and supply chain review where required
  • contractual incident notification timeline
  • right to audit security controls
  • end-of-life notification period
  • data sovereignty statement
  • AI feature disclosure if AI is embedded

Do not buy systems that cannot be secured, monitored, patched, or recovered.

Cheap procurement can become expensive national risk.


6. National policy actions

A national ICS cybersecurity strategy should include the following.

Critical infrastructure classification

Classify assets based on consequence.

Do not treat all systems equally.

A national grid control center requires stronger obligations than a low-impact office system.

Minimum OT cybersecurity baseline

Mandate controls for:

  • asset inventory
  • network segmentation
  • MFA for remote access
  • vendor governance
  • logging and monitoring
  • backup and recovery
  • vulnerability management
  • secure procurement
  • incident reporting
  • OT-specific incident response
  • annual exercises
  • AI governance where AI is used

National OT-CERT capability

Create or strengthen a specialist OT incident response function.

It should support:

  • incident coordination
  • malware and forensic analysis
  • threat intelligence
  • emergency advisory publication
  • sector coordination
  • recovery support
  • lessons-learned sharing

Sector threat intelligence

Build trusted sharing across:

  • energy
  • water
  • transport
  • telecom
  • health
  • finance
  • ports
  • aviation
  • defense-linked infrastructure

National exercises

Run exercises that test:

  • power disruption
  • water disruption
  • coordinated cyber and physical activity
  • cross-border dependency
  • public communication
  • incident reporting
  • recovery sequencing
  • manual operations
  • misinformation and public trust issues

Workforce development

Invest in:

  • OT security training
  • control engineering cyber training
  • SOC analyst OT training
  • incident commander training
  • university and technical institute programs
  • government and utility certification paths
  • local language awareness material
  • national cyber range and OT lab environments

7. South and Southeast Asia implementation note

For many South and Southeast Asian environments, the strategy must account for:

  • mixed legacy and modern systems
  • imported technology dependency
  • large geographic coverage
  • remote substations or facilities
  • uneven local security maturity
  • limited OT cybersecurity workforce
  • budget pressure
  • public-sector procurement constraints
  • regional interdependencies
  • climate and disaster resilience needs
  • national data sovereignty concerns

The practical response is not to wait for perfect maturity.

Use a phased model:

  • secure the highest-consequence services first
  • build national OT asset visibility
  • control vendor access
  • remove dangerous IT/OT shortcuts
  • establish sector SOC or shared monitoring
  • build local OT cyber workforce
  • require secure procurement for all new projects
  • run national exercises
  • build cross-border coordination for interconnected infrastructure

The region does not need to copy another country blindly.

It needs a locally governed, standards-aligned, consequence-driven model.


8. 180-day roadmap

Days 0-30: establish control of the basics

Objectives:

  • name accountable owners
  • identify critical processes
  • build top-level architecture view
  • inventory crown-jewel assets
  • identify remote access paths
  • review vendor accounts
  • export firewall rules
  • confirm backup existence
  • create incident contact roster
  • start risk register

Deliverables:

  • critical process list
  • initial OT asset inventory
  • IT/OT connectivity map
  • remote access register
  • backup status report
  • top 10 unacceptable risks
  • executive briefing

Days 31-60: reduce obvious attack paths

Objectives:

  • remove direct enterprise-to-controller access
  • disable undocumented vendor access
  • place remote access behind MFA and approval
  • remove or control dual-homed engineering workstations
  • eliminate default credentials on critical assets
  • segment highest-criticality process cells
  • start passive monitoring
  • define OT severity model
  • create initial detection use cases

Deliverables:

  • updated network rules
  • vendor access governance
  • monitoring plan
  • detection catalog
  • remediation backlog
  • exception register

Days 61-90: operationalize security

Objectives:

  • connect high-value logs to SIEM
  • build SOC triage playbooks
  • define SOAR approval gates
  • test backup restore for one critical process
  • run tabletop exercise
  • review privileged access
  • validate firewall rules
  • start vulnerability management by consequence
  • create leadership metrics

Deliverables:

  • SOC runbook
  • restore test evidence
  • tabletop report
  • access review evidence
  • vulnerability risk register
  • leadership dashboard

Days 91-120: harden and validate

Objectives:

  • expand segmentation
  • harden engineering workstations
  • implement application allowlisting where feasible
  • implement session recording
  • tune detections
  • build threat model for highest-criticality process
  • validate containment decisions
  • formalize procurement security requirements

Deliverables:

  • hardened baseline
  • threat model
  • detection test result
  • procurement checklist
  • risk treatment plan

Days 121-180: scale to resilience

Objectives:

  • expand monitoring to more sites
  • establish sector threat intelligence process
  • integrate national CERT reporting
  • run purple team exercise
  • test emergency isolation process
  • formalize AI governance
  • build 12-month investment roadmap
  • report residual risk

Deliverables:

  • national or enterprise OT security roadmap
  • purple team report
  • emergency isolation test
  • AI use policy
  • 12-month budget plan
  • residual risk statement

9. Budget priorities

If funding is limited, prioritize:

  1. asset inventory and network flow visibility
  2. remote access control
  3. IT/OT segmentation
  4. critical backup and restore capability
  5. monitoring for unauthorized control activity
  6. engineering workstation hardening
  7. vendor access governance
  8. incident response playbooks and exercises
  9. vulnerability management and patch process
  10. AI-assisted triage and reporting

Do not start with AI if inventory, segmentation, remote access, backups, and monitoring are weak.

AI improves a mature program.

It does not replace one.


10. Final maturity score

Score each domain from 1 to 5.

Domains:

  • governance and ownership
  • asset inventory
  • network segmentation
  • remote access
  • identity and privileged access
  • monitoring and detection
  • vulnerability and patch management
  • incident response
  • backup and recovery
  • supply chain and procurement
  • AI governance
  • workforce and exercises
  • leadership reporting

Target scores:

  • minimum acceptable: 3.0
  • critical national target: 4.0
  • strategic national capability: 4.5 or higher

A realistic first-year goal is to move from 1.5 or 2.0 to 3.0.

That alone removes many major attack paths.


Takeaway

The best national ICS cybersecurity program is not the one with the most advanced AI or the largest tool stack.

It is the one that knows its assets, controls access, segments critical paths, monitors meaningful behavior, responds safely, recovers quickly, governs suppliers, trains people, and uses AI carefully to improve human decisions.

Critical infrastructure protection is not only cybersecurity.

It is national continuity.


Top comments (0)