OTCC AI Working Group Series, Part Two: Pressure-Testing Foundational Assumptions for OT Cybersecurity
On June 22, the Operational Technology Cybersecurity Coalition (OTCC) convened the second session of its four-part AI Working Group Series, bringing together a diverse group of government leaders, international partners, critical infrastructure owners and operators, technology manufacturers, cybersecurity companies, and policy experts to examine one of the most pressing questions facing operational technology (OT) cybersecurity today: How is artificial intelligence changing the assumptions that underpin cyber defense?
With generous sponsorship from Skadden, Arps, Slate, Meagher & Flom LLP, the session drew participants from across the OT ecosystem, including leaders from government, industry, academia, and international partners. Representing a broad range of perspectives from the critical infrastructure community, they engaged in a candid discussion of how AI is reshaping cybersecurity strategy, engineering, policy, and resilience.
Building on the inaugural working group, which explored AI's expanding role in operational technology, this second session shifted the discussion from the technology itself to its broader implications for cybersecurity strategy, engineering, policy, and resilience. Participants sought to pressure-test whether many of the foundational assumptions that have guided OT cybersecurity for decades remain viable as AI accelerates both offensive and defensive cyber capabilities.
Throughout the discussion, participants returned to a common theme: the fundamentals of cybersecurity remain essential, but AI is changing the speed, scale, and complexity of cyber operations. As attack timelines compress from days to hours, and in some cases minutes, long-standing approaches to defending critical infrastructure warrant renewed scrutiny.
The Patch-Forward Posture Is No Longer Sufficient
For decades, patching has been viewed as the cornerstone of cybersecurity. While participants agreed that effective patch management remains essential, many questioned whether it can continue to serve as the first order of operations when AI is dramatically reducing the time between vulnerability discovery and exploitation.
Much of today's OT environment relies on legacy equipment that cannot be readily patched, and modernization efforts often span years. Rather than relying primarily on patching, participants discussed the importance of designing resilience into systems through approaches such as zero trust, network segmentation, and containment strategies that limit the operational consequences of compromise. Patching remains a critical component of cyber hygiene, but it increasingly represents one layer within a broader resilience strategy.
Legacy Infrastructure Is Reshaping Risk Prioritization
Artificial intelligence is enabling researchers and adversaries alike to identify vulnerabilities at unprecedented scale, but participants cautioned that the sheer volume of findings can obscure what truly matters.
The group discussed research suggesting that many AI-generated findings are either hallucinations or lack sufficient understanding of the underlying systems to be actionable. At the same time, much of the OT environment continues to rely on decades-old infrastructure that cannot easily be updated. Participants also noted that operational impact can often be achieved without exploiting a software vulnerability at all, whether through manipulating engineering logic, abusing trusted credentials, or leveraging legacy industrial protocols.
As a result, several participants argued that risk may increasingly be better understood as a function of access and operational consequence rather than any single vulnerability.
Risk Scoring Must Move Beyond Technical Severity
Participants agreed that scoring systems such as the Common Vulnerability Scoring System (CVSS) remain valuable starting points for understanding technical severity. However, they also emphasized that numerical scores alone cannot adequately capture operational risk within industrial environments.
Rather than relying on a single score, participants discussed the importance of incorporating environmental context, exploitability, and operational consequences into risk decisions. Frameworks such as Stakeholder-Specific Vulnerability Categorization (SSVC) were highlighted as complementary approaches that better account for organizational priorities and mission impact.
In OT environments, where cyber incidents can affect public safety and essential services, technical severity is only one component of overall risk.
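To make the point about scores concrete, the following added example (written for this summary, not code from OTCC, CERT/CC, or any participant) runs three constructed OT findings through a simplified SSVC-style decision tree. It borrows SSVC's vocabulary of decision points (exploitation status, system exposure, automatability, safety and mission impact), but the outcome rules and the ordinal impact scales are a reduced approximation chosen for illustration, not the published SSVC deployer table. Two findings share a CVSS base score of 9.8 and land in different buckets; a third has no CVE at all and still outranks one of them, which is the access-and-consequence view of risk discussed above.

```python
"""Simplified SSVC-style triage for OT findings.

Added example for this summary, not code from OTCC, CERT/CC, or any
participant. The decision points (exploitation, exposure, automatable,
safety and mission impact) use SSVC's vocabulary, but the outcome rules
below are a deliberately reduced approximation written for illustration,
not the published SSVC deployer decision table. All findings are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Ordinal scales (assumed simplification of SSVC's safety and mission impact).
_SAFETY = {"none": 0, "minor": 1, "major": 2, "hazardous": 3}
_MISSION = {"none": 0, "degraded": 1, "crippled": 2, "failed": 3}
_IMPACT_LEVELS = ("low", "medium", "high", "very high")

# Lower rank = act sooner.
PRIORITY_RANK = {"immediate": 0, "out-of-cycle": 1, "scheduled": 2, "defer": 3}


@dataclass(frozen=True)
class Finding:
    name: str
    cvss_base: Optional[float]   # None when the weakness has no CVE/CVSS at all
    exploitation: str            # "none" | "poc" | "active"
    exposure: str                # "small" (isolated cell) | "controlled" | "open"
    automatable: bool            # can the full attack chain be scripted at scale?
    safety_impact: str           # key of _SAFETY
    mission_impact: str          # key of _MISSION


def human_impact(safety: str, mission: str) -> str:
    """Combine safety and mission impact into one level (assumed rule: worse dimension wins)."""
    return _IMPACT_LEVELS[max(_SAFETY[safety], _MISSION[mission])]


def ssvc_priority(f: Finding) -> str:
    """Map a finding to a deployer action; CVSS is deliberately not an input."""
    impact = human_impact(f.safety_impact, f.mission_impact)
    if f.exploitation == "active":
        if impact in ("high", "very high") or f.exposure == "open":
            return "immediate"
        return "out-of-cycle"
    if f.exploitation == "poc":
        if impact == "very high" and f.exposure != "small":
            return "immediate"
        if impact in ("high", "very high") or (f.automatable and f.exposure == "open"):
            return "out-of-cycle"
        return "scheduled"
    # No known exploitation.
    if impact == "very high" and f.exposure == "open" and f.automatable:
        return "out-of-cycle"
    if impact in ("high", "very high"):
        return "scheduled"
    return "defer"


def prioritize(findings):
    """Order by SSVC-style priority first; CVSS only breaks ties within a bucket."""
    return sorted(
        findings,
        key=lambda f: (PRIORITY_RANK[ssvc_priority(f)], -(f.cvss_base or 0.0)),
    )


# Constructed findings. A and B carry the same CVSS base score; C has none.
FINDINGS = [
    Finding("A: HMI web server RCE in an isolated cell (CVSS 9.8)",
            9.8, "poc", "small", False, "minor", "degraded"),
    Finding("B: engineering workstation remote service flaw, reachable from IT (CVSS 9.8)",
            9.8, "active", "open", True, "major", "crippled"),
    Finding("C: default engineering credentials on PLC programming port (no CVE)",
            None, "poc", "controlled", True, "hazardous", "failed"),
]


def triage_report(findings=FINDINGS):
    """Return {finding name: priority}, in the order the deployer should act."""
    return {f.name: ssvc_priority(f) for f in prioritize(findings)}


if __name__ == "__main__":
    for name, priority in triage_report().items():
        print(f"{priority:>13}  {name}")
```

Running it places B and C in the "immediate" bucket and A in "scheduled", even though A and B are indistinguishable by CVSS alone. Swap in real decision-point values from an asset inventory and a consequence analysis and the same structure becomes a repeatable, auditable prioritization step.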
Cybersecurity Must Operate at Machine Speed
Participants questioned whether traditional cybersecurity processes, including periodic assessments and manual response workflows, remain sufficient as AI accelerates both offensive and defensive operations.
The discussion highlighted that attack timelines continue to shrink, and that organizations often already possess the telemetry needed to detect malicious activity but lack the capacity to analyze and act on it quickly enough. Participants discussed the potential for AI to augment cybersecurity operations through continuous monitoring, automated triage, dynamic validation, and predefined response playbooks, while recognizing that today's AI-enabled detection capabilities can still generate significant noise.
This discussion led to one of the session's central questions:
As threats become continuous and compromise unfolds at machine speed, where should humans remain in the loop, and where can automation be safely trusted?
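One way to answer that question in code is to gate each predefined playbook on two things: how confident the detection is, and how much of the process a containment step could affect. The following added example (written for this summary, not tooling from OTCC or any participant) does exactly that over a handful of constructed JSON-lines alerts. The zone names, the playbook table, the reversible-action set and the 0.75 confidence threshold are all assumptions chosen for illustration.

```python
"""Gating automated response on detection confidence and blast radius.

Added example for this summary, not tooling from OTCC or any participant.
The alert format, zone names, playbook table and the 0.75 confidence
threshold are assumptions chosen for illustration; the sample alerts are
constructed JSON lines, not real telemetry.
"""
import json
from dataclasses import dataclass

# Containment steps the SOC is willing to automate because they are quick to
# reverse and do not touch the physical process. Anything else waits for a human.
REVERSIBLE_ACTIONS = {"disable_account", "isolate_host", "block_flow"}
AUTO_ZONES = {"enterprise", "dmz"}           # automation allowed in these zones
CONFIDENCE_THRESHOLD = 0.75                  # below this, collect more evidence first

# Predefined playbooks: detection signal -> proposed containment action.
PLAYBOOKS = {
    "credential_spray": "disable_account",
    "beacon_to_unknown_c2": "isolate_host",
    "new_modbus_write_source": "block_flow",
    "unexpected_logic_download": "block_flow",
}

# Constructed telemetry in JSON-lines form.
SAMPLE_ALERTS = """\
{"id": "a1", "zone": "enterprise", "host": "eng-laptop-07", "signal": "credential_spray", "confidence": 0.92}
{"id": "a2", "zone": "control", "host": "hmi-03", "signal": "new_modbus_write_source", "confidence": 0.88}
{"id": "a3", "zone": "dmz", "host": "historian-01", "signal": "beacon_to_unknown_c2", "confidence": 0.55}
{"id": "a4", "zone": "safety", "host": "sis-eng-01", "signal": "unexpected_logic_download", "confidence": 0.97}
"""


@dataclass(frozen=True)
class Decision:
    alert_id: str
    action: str
    mode: str        # "automatic" | "operator_approval"
    reason: str


def decide(alert: dict) -> Decision:
    """Choose an action and whether a human must approve it before it runs."""
    action = PLAYBOOKS.get(alert["signal"], "alert_only")
    if alert["confidence"] < CONFIDENCE_THRESHOLD:
        # Noisy detection: do not contain; widen collection and re-evaluate.
        return Decision(alert["id"], "enrich_and_watch", "automatic",
                        f"confidence {alert['confidence']:.2f} below threshold")
    if alert["zone"] in AUTO_ZONES and action in REVERSIBLE_ACTIONS:
        return Decision(alert["id"], action, "automatic",
                        f"reversible action in {alert['zone']} zone")
    # Control and safety zones: the playbook still proposes the step so the
    # operator starts from a prepared decision, but a person approves it.
    return Decision(alert["id"], action, "operator_approval",
                    f"{alert['zone']} zone action may affect the process")


def parse_alerts(jsonl: str):
    """Parse JSON-lines alerts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def run_triage(jsonl: str = SAMPLE_ALERTS):
    """Return decisions keyed by alert id."""
    return {d.alert_id: d for d in map(decide, parse_alerts(jsonl))}


if __name__ == "__main__":
    for d in run_triage().values():
        print(f"{d.alert_id}: {d.mode:<18} {d.action:<17} ({d.reason})")
```

With these inputs the enterprise credential spray is contained automatically, the low-confidence DMZ beacon is only enriched, and both control-zone and safety-zone alerts arrive at an operator with a proposed action already attached. The split between the two gates is the design choice worth debating locally: the confidence threshold is where detection noise is absorbed, and the zone and reversibility sets are where the organization writes down which consequences it is not willing to delegate to a machine.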
Secure by Design Requires Greater Manufacturer Accountability
Participants emphasized that improving long-term resilience will require reducing the security debt embedded throughout the OT ecosystem.
The discussion focused on the important role manufacturers play in adopting secure-by-design development practices, strengthening vulnerability disclosure processes, and assuming greater responsibility for validating patches before operators deploy them. Participants noted that many asset owners continue to duplicate patch testing efforts independently, creating unnecessary costs and inefficiencies across the sector.
The group also discussed the importance of standards such as ISA/IEC 62443 in establishing baseline expectations for manufacturers and operators alike.
This conversation raised another important question:
Should the cybersecurity community challenge the assumption that asset owners know what to do?
Standards Must Become More Principles-Based
Participants broadly agreed that cybersecurity standards and regulations must evolve alongside rapidly changing technologies while remaining durable over time.
Rather than prescribing specific technologies, future standards may need to focus more heavily on enduring security principles that can adapt as threats evolve.
Participants also discussed whether OT warrants guidance distinct from traditional IT, recognizing the unique operational realities of industrial environments while acknowledging the importance of avoiding unnecessary regulatory fragmentation.
International participants also noted the potential for diverging regulatory approaches to unintentionally extend the lifecycle of legacy technologies by shifting older equipment into markets with fewer cybersecurity requirements.
Partnership Must Extend Beyond Threat Sharing
The discussion concluded by examining how public-private partnership must continue evolving to meet the demands of an AI-enabled threat landscape.
Participants emphasized that collaboration should extend beyond sharing threat intelligence to include identifying the critical services that cannot fail, assessing resilience across supply chains and shared dependencies, and developing practical ways to support smaller organizations that may lack the personnel, expertise, or resources to respond at machine speed. The discussion also highlighted the potential for procurement requirements and market incentives to accelerate the adoption of secure-by-design practices across the industrial ecosystem.
The session concluded with a final question for future discussion:
Beyond sharing threat intelligence, what partnership model can equip smaller and non-domestic operators that lack the people, tools, or budget to meet this threat?
Looking Ahead
The discussion closed on a theme that resonated throughout the session: the more the threat changes, the more the fundamentals stay the same.
Cyber hygiene, resilience, secure system design, and effective risk management remain foundational to OT cybersecurity. What is changing is the environment in which those fundamentals must operate. Artificial intelligence is compressing decision timelines, increasing the scale of cyber operations, and challenging assumptions that were developed for a much slower threat landscape.
As the OTCC AI Working Group Series continues, these conversations will help inform how governments, manufacturers, asset owners, and technology providers collectively adapt cybersecurity strategies for an era in which both attackers and defenders increasingly operate at machine speed.