Previous Series: Part 1: Executive Briefing
Previous Series: Part 2: National Risk, Threat Landscape, and the First 30 Days
Previous Series: Part-3: Target Architecture for IT, OT, Cloud, and Power Grid Environments
Previous Series: Part-4: Tools, Technologies, and Control Implementation Catalog
Previous Series: Part-5: SOC, Detection, Incident Response, Resilience, and Exercises
Jump to Part-7: State-Owned ICS Cybersecurity Blueprint
AI can help ICS cybersecurity.
It can also create new risk.
For state-owned critical infrastructure, AI must be introduced with discipline.
The goal is not to make the plant autonomous.
The goal is to improve visibility, triage, detection, reporting, planning, and decision support without allowing AI to directly manipulate unsafe physical processes.
The rule is simple:
AI can advise.
Humans must approve.
Engineering and safety must govern physical action.
Executive summary for leaders
AI should not be the starting point for ICS cybersecurity.
Start with:
- asset inventory
- segmentation
- remote access control
- identity governance
- backups
- monitoring
- incident response
- vendor governance
Then use AI to accelerate human decision-making.
Good AI use cases:
- summarize advisories
- enrich asset inventory
- assist alert triage
- draft detection logic
- support threat hunting
- summarize incidents
- generate tabletop scenarios
- create executive reports
- review change requests for missing risk information
Risky AI use cases:
- autonomous controller commands
- unsupervised logic changes
- automatic blocking of critical OT paths
- cloud processing of sensitive national infrastructure data without approval
- AI agents connected directly to control networks
- AI-generated remediation applied without engineering review
For national ICS, AI governance is mandatory.
1. The AI rule for ICS
Approved policy statement:
AI may recommend, summarize, correlate, enrich, detect, and explain.
AI must not independently issue control commands, change controller logic, bypass safety procedures, isolate critical OT assets, or make safety-impacting decisions without approved human authority.
This should be written into national policy, utility policy, SOC procedure, and procurement language.
2. Practical AI use cases
Asset inventory enrichment
AI can help normalize messy asset data.
Inputs:
- passive discovery output
- CMDB
- firewall logs
- switch tables
- vendor exports
- engineering documentation
- vulnerability reports
- backup inventories
Useful outputs:
- duplicate asset matching
- vendor and model normalization
- missing owner suggestions
- criticality suggestions
- unsupported software identification
- likely zone or Purdue level
- communication pattern summary
Human validation remains required.
Alert triage assistant
AI can help analysts understand alerts faster.
Useful outputs:
- plain-language alert explanation
- affected process summary
- asset owner
- recent related activity
- approved change window check
- recommended triage questions
- evidence collection checklist
- draft incident notes
Do not allow AI to auto-close high-risk OT alerts.
Detection engineering support
AI can draft detection ideas for:
- vendor login outside approved window
- unauthorized PLC or relay write
- new engineering protocol source
- RDP bypassing jump host
- logic change outside approved window
- new device in control cell
- suspicious archive creation on engineering workstation
Human validation and test data are mandatory.
Threat intelligence summarization
AI can summarize:
- national CERT alerts
- CISA ICS advisories
- vendor advisories
- sector ISAC reports
- known adversary tactics
- affected products
- recommended mitigations
The output should be mapped to actual inventory.
A generic advisory summary is useful.
A summary that says "we have 14 affected assets in three sites" is operationally valuable.
Incident response support
AI can help by:
- building event timelines
- summarizing log evidence
- drafting executive updates
- mapping behavior to MITRE ATT&CK for ICS
- preparing post-incident report drafts
- tracking remediation actions
- generating lessons-learned summaries
AI should not decide containment for safety-impacting assets.
Change review support
AI can review change tickets for missing information.
Questions AI can flag:
- Is the affected process documented?
- Is rollback included?
- Is backup confirmed?
- Is the maintenance window approved?
- Are safety and operations owners listed?
- Is monitoring required after change?
- Are firewall rules too broad?
- Is the vendor access window time-bound?
- Is evidence required after the change?
This is a strong, low-risk AI use case.
Training and tabletop simulation
AI can generate exercise scenarios for:
- vendor account compromise
- ransomware on HMI
- unauthorized logic change
- relay setting modification
- loss of historian
- substation communication outage
- insider using shared account
- compromise of IT/OT boundary
- cloud analytics disruption
Use AI to create exercise material, not to replace human evaluation.
3. AI use cases to prohibit or tightly restrict
Avoid or prohibit:
- AI issuing PLC, RTU, IED, or relay commands
- AI modifying ladder logic or controller configuration without engineering review
- AI automatically disabling critical OT network paths
- AI deciding safe state
- AI performing unsupervised active scanning of controllers
- AI using live OT credentials without approval
- AI agents connected directly to control networks
- unmanaged public AI tools processing sensitive OT diagrams
- sensitive incident evidence sent to cloud AI without approval
- AI-generated remediation applied without testing
- AI model training on national infrastructure data without legal review
Failure mode:
A model can be confident, useful, and wrong at the same time.
In ICS, wrong action can become physical impact.
4. Safe AI architecture
Use AI as an analysis layer, not a control layer.
OT sensors, logs, inventory, tickets
|
v
SIEM / OT security data lake
|
v
AI analysis layer
- summarization
- enrichment
- anomaly explanation
- detection draft
- report generation
|
v
Human approval
SOC, OT engineer, safety owner, incident commander
|
v
Approved action through existing controls
PAM, firewall, change management, incident response
The AI layer should not connect directly to controllers.
AI governance controls
Minimum controls:
- approved AI use case register
- data classification before AI use
- prohibition on sensitive OT data in unmanaged public AI tools
- role-based access
- prompt and output logging where legally allowed
- human approval for operational action
- validation of AI output
- prompt injection awareness
- data leakage monitoring
- model owner
- risk owner
- periodic performance review
- incident process for AI failures
- vendor security review
Local, sovereign, or cloud AI
For national critical infrastructure, use risk-based placement.
Prefer local or sovereign deployment for:
- network diagrams
- controller inventories
- PLC logic
- relay settings
- vulnerability details
- incident evidence
- national grid topology
- facility layouts
- sensitive threat intelligence
Cloud AI may be acceptable for:
- public advisory summaries
- generic policy drafts
- training content
- non-sensitive writing assistance
- public research summarization
Do not send sensitive operational data to public AI systems without approval.
5. Secure procurement
Procurement is a security control.
Every new ICS product or service should require:
- secure development lifecycle evidence
- vulnerability disclosure process
- long-term patch support
- SBOM where applicable
- secure configuration guide
- authentication and role-based access support
- logging support
- encrypted management where feasible
- ability to disable unused services
- documented hardening baseline
- backup and restore method
- default credential removal at commissioning
- remote support model review
- country-of-origin and supply chain review where required
- contractual incident notification timeline
- right to audit security controls
- end-of-life notification period
- data sovereignty statement
- AI feature disclosure if AI is embedded
Do not buy systems that cannot be secured, monitored, patched, or recovered.
Cheap procurement can become expensive national risk.
6. National policy actions
A national ICS cybersecurity strategy should include the following.
Critical infrastructure classification
Classify assets based on consequence.
Do not treat all systems equally.
A national grid control center requires stronger obligations than a low-impact office system.
Minimum OT cybersecurity baseline
Mandate controls for:
- asset inventory
- network segmentation
- MFA for remote access
- vendor governance
- logging and monitoring
- backup and recovery
- vulnerability management
- secure procurement
- incident reporting
- OT-specific incident response
- annual exercises
- AI governance where AI is used
National OT-CERT capability
Create or strengthen a specialist OT incident response function.
It should support:
- incident coordination
- malware and forensic analysis
- threat intelligence
- emergency advisory publication
- sector coordination
- recovery support
- lessons-learned sharing
Sector threat intelligence
Build trusted sharing across:
- energy
- water
- transport
- telecom
- health
- finance
- ports
- aviation
- defense-linked infrastructure
National exercises
Run exercises that test:
- power disruption
- water disruption
- coordinated cyber and physical activity
- cross-border dependency
- public communication
- incident reporting
- recovery sequencing
- manual operations
- misinformation and public trust issues
Workforce development
Invest in:
- OT security training
- control engineering cyber training
- SOC analyst OT training
- incident commander training
- university and technical institute programs
- government and utility certification paths
- local language awareness material
- national cyber range and OT lab environments
7. South and Southeast Asia implementation note
For many South and Southeast Asian environments, the strategy must account for:
- mixed legacy and modern systems
- imported technology dependency
- large geographic coverage
- remote substations or facilities
- uneven local security maturity
- limited OT cybersecurity workforce
- budget pressure
- public-sector procurement constraints
- regional interdependencies
- climate and disaster resilience needs
- national data sovereignty concerns
The practical response is not to wait for perfect maturity.
Use a phased model:
- secure the highest-consequence services first
- build national OT asset visibility
- control vendor access
- remove dangerous IT/OT shortcuts
- establish sector SOC or shared monitoring
- build local OT cyber workforce
- require secure procurement for all new projects
- run national exercises
- build cross-border coordination for interconnected infrastructure
The region does not need to copy another country blindly.
It needs a locally governed, standards-aligned, consequence-driven model.
8. 180-day roadmap
Days 0-30: establish control of the basics
Objectives:
- name accountable owners
- identify critical processes
- build top-level architecture view
- inventory crown-jewel assets
- identify remote access paths
- review vendor accounts
- export firewall rules
- confirm backup existence
- create incident contact roster
- start risk register
Deliverables:
- critical process list
- initial OT asset inventory
- IT/OT connectivity map
- remote access register
- backup status report
- top 10 unacceptable risks
- executive briefing
Days 31-60: reduce obvious attack paths
Objectives:
- remove direct enterprise-to-controller access
- disable undocumented vendor access
- place remote access behind MFA and approval
- remove or control dual-homed engineering workstations
- eliminate default credentials on critical assets
- segment highest-criticality process cells
- start passive monitoring
- define OT severity model
- create initial detection use cases
Deliverables:
- updated network rules
- vendor access governance
- monitoring plan
- detection catalog
- remediation backlog
- exception register
Days 61-90: operationalize security
Objectives:
- connect high-value logs to SIEM
- build SOC triage playbooks
- define SOAR approval gates
- test backup restore for one critical process
- run tabletop exercise
- review privileged access
- validate firewall rules
- start vulnerability management by consequence
- create leadership metrics
Deliverables:
- SOC runbook
- restore test evidence
- tabletop report
- access review evidence
- vulnerability risk register
- leadership dashboard
Days 91-120: harden and validate
Objectives:
- expand segmentation
- harden engineering workstations
- implement application allowlisting where feasible
- implement session recording
- tune detections
- build threat model for highest-criticality process
- validate containment decisions
- formalize procurement security requirements
Deliverables:
- hardened baseline
- threat model
- detection test result
- procurement checklist
- risk treatment plan
Days 121-180: scale to resilience
Objectives:
- expand monitoring to more sites
- establish sector threat intelligence process
- integrate national CERT reporting
- run purple team exercise
- test emergency isolation process
- formalize AI governance
- build 12-month investment roadmap
- report residual risk
Deliverables:
- national or enterprise OT security roadmap
- purple team report
- emergency isolation test
- AI use policy
- 12-month budget plan
- residual risk statement
9. Budget priorities
If funding is limited, prioritize:
- asset inventory and network flow visibility
- remote access control
- IT/OT segmentation
- critical backup and restore capability
- monitoring for unauthorized control activity
- engineering workstation hardening
- vendor access governance
- incident response playbooks and exercises
- vulnerability management and patch process
- AI-assisted triage and reporting
Do not start with AI if inventory, segmentation, remote access, backups, and monitoring are weak.
AI improves a mature program.
It does not replace one.
10. Final maturity score
Score each domain from 1 to 5.
Domains:
- governance and ownership
- asset inventory
- network segmentation
- remote access
- identity and privileged access
- monitoring and detection
- vulnerability and patch management
- incident response
- backup and recovery
- supply chain and procurement
- AI governance
- workforce and exercises
- leadership reporting
Target scores:
- minimum acceptable: 3.0
- critical national target: 4.0
- strategic national capability: 4.5 or higher
A realistic first-year goal is to move from 1.5 or 2.0 to 3.0.
That alone removes many major attack paths.
Takeaway
The best national ICS cybersecurity program is not the one with the most advanced AI or the largest tool stack.
It is the one that knows its assets, controls access, segments critical paths, monitors meaningful behavior, responds safely, recovers quickly, governs suppliers, trains people, and uses AI carefully to improve human decisions.
Critical infrastructure protection is not only cybersecurity.
It is national continuity.
Top comments (0)