Disclaimer: All views presented here, in this newsletter, are my own.
Neither the author nor the newsletter is liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and/or situation.
Hey there,
Hope you are doing well.
Is your OT environment truly secure?
From cloud platforms to physical processes, cyber threats are evolving. In 2025, cyber threats are no longer just about data.
They’re increasingly hitting machines, from cloud-based ERP systems to PLCs, SCADA networks, and even physical sensors.
As IT and OT environments converge, risk surfaces multiply — and threat actors are evolving fast.
This is Cybersecurity & AI across IT-OT Automation Stack - Monthly Digest # 4.
✍️↪️ In this newsletter edition, we walk through what’s happening right now in cyber-industrial security, layer by layer, and provide actionable insights for every layer of the industrial automation stack — empowering asset owners and cybersecurity professionals to build resilient defenses in 2025.
🤖AI Cybersecurity Across IT-OT Automation Stack
🔵 Layer 5 — Cloud (Enterprise IT + OT Cloud Platforms)
🟣 Layer 4 — ERP Systems (SAP, Oracle, Dynamics, etc.)
🟠 Layer 3.5 — DMZ
🔶Layer 3 — MES — the control plane for manufacturing execution
🟡 Layer 2 — SCADA / Supervisory Control
🟢 Layer 1 — HMI (Human-Machine Interfaces)
🔴 Layer 1 — PLCs / RTUs / Edge Devices
⚫Layer 0 — Physical Processes (Sensors, Actuators, Machines)
🧭Final Thoughts / Way Forward - for CXOs 🤝
📘‼️and some references.
Whether you’re securing the cloud or locking down your shop-floor PLCs, this is your short guide to industrial cyber resilience.
But before we begin, do me a favour and make sure you “Subscribe” to let me know that you care and keep me motivated to publish more. Thanks!
Ready? let’s dig in.
Yours truly.
— Yousuf.
Note: Some email service providers (ESPs) (e.g., Gmail / Google) may clip a portion of the post after a certain length; in that case, check out the online version by going to the top right corner of the email and clicking “Read Online”, or use the link here.
Together With (Sponsor)
This newsletter you couldn’t wait to open? It runs on beehiiv — the absolute best platform for email newsletters.
Our editor makes your content look like Picasso in the inbox. Your website? Beautiful and ready to capture subscribers on day one.
And when it’s time to monetize, you don’t need to duct-tape a dozen tools together. Paid subscriptions, referrals, and a (super easy-to-use) global ad network — it’s all built in.
beehiiv isn’t just the best choice. It’s the only choice that makes sense.
Quick recap from previous Digests!
In case you missed them, here’s what we’ve covered in the earlier digests!
✍️ Digest # 0 ✍️ Digest # 1 ✍️ Digest #2 ✍️ Digest #3
Read the insights from Digest 4 in combination with the previous digests.
↪️ Let me know what you’d like me to cover more of in the upcoming Digest # 5.
To continue reading about each layer of the automation stack for news & insights, Trends/Risks, Why CXOs should care and immediate actions, subscribe and access for free.
🤖AI Cybersecurity Across IT-OT Automation Stack
“AI can secure—or sabotage—our digital factory. Monthly insights coming.”
AI is revolutionizing IT/OT cybersecurity—from Behavioral anomaly detection to predictive threat hunting. But it also fuels more advanced attacks (think AI-powered phishing or adversarial manipulation of sensors).
🚨 The Threat Surge
73% of organizations reported OT intrusions in 2024 (up from 49% in 2023)
AI-enhanced malware up 11.1% with real-time adaptation capabilities
Supply chain attacks increased 50%, now affecting 20% of manufacturing businesses.
🛡️ The AI Security Response
61% of cybersecurity professionals planning AI adoption for OT protection
AI enables anomaly detection in OT networks by learning "normal" behavior patterns and flagging deviations from them
Automated incident response reducing threat dwell time significantly.
💡 Real-World Application
Manufacturing sectors deploying AI for:
Predictive maintenance preventing unexpected failures
Behavioral analytics for device anomaly detection
Automated threat triage and guided response
Bottom Line: AI is both the threat and the solution. The winners will be those who adopt AI defenses faster than attackers adopt AI attacks.
📜 AI Maturity Assessment
🚀 OWASP AI Maturity Assessment - a whitepaper by OWASP Foundation called → “AI Maturity Assessment (AIMA)”.
📚A practical framework for organizations to assess and enhance AI integration.🤖 It ensures AI systems are responsible, secure, ethical, and aligned with organizational and societal goals.🌍
💡Toolkit:📥 Assessment Framework & Tools: Downloadable resources with practical steps, checklists and templates to assess AI maturity📄✅. 💡AIMA is structured around 5 domains:
🔹 Strategy🎯| Design💻 | Implementation🛡️| Operations📈| Governance🏛️⚖️.
Each domain is detailed with actionable maturity levels, providing a clear roadmap 🗺️ for improvement at each stage of AI adoption.
🔵 Layer 5 — Cloud (Enterprise IT + OT Cloud Platforms)
💡The cloud is no longer just for IT — it’s the new frontier for OT security.
Are we ready for the risks?
As more industrial operations shift to the cloud, the sky isn’t the limit — it’s the threat surface.
🌐🚨News & Insights🔎:
A key report from How Cyber Risk Is Reshaping Manufacturing in 2025 highlights that cloud adoption and hybrid architecture are major risk vectors. Misconfigured access, “shadow” cloud-IT resources, and a lack of cloud-native security tools are leaving gaps.
According to Kaspersky’s 2025 threat predictions, attackers are increasingly targeting cloud storage and collaboration tools used by OT teams, turning them into initial entry points.
Rockwell Automation’s trend analysis warns that remote workforce devices (laptops, phones) now connect directly into OT via cloud, expanding the attack surface dramatically.
AI-driven cloud security platforms now offer autonomous workload updates and exception management, drastically reducing manual intervention and compliance overhead.
Hybrid cloud architectures are blending local robustness with cloud scalability, making it easier to manage industrial analytics securely.
The latest cloud security frameworks emphasize zero-trust and automated patching, especially for remote access and identity management.
⚙️Immediate Action (asset owners / operators & cybersecurity teams)🔐:
A few example actions to take are:
Audit your cloud-to-OT connectivity: map data flows, check for unmanaged “shadow IT” environments, and enforce least-privilege access.
Audit your cloud access controls, enable automated exception management, and segment cloud workloads to minimize attack surfaces.
Implement or strengthen cloud-native security controls: use Cloud Security Posture Management (CSPM), Identity and Access Management (IAM), and enforce multi-factor authentication (MFA).
Establish tighter governance: involve OT leadership in cloud-security policy, and periodically test cloud access from OT devices to ensure there is no unauthorized lateral movement.
🟣 Layer 4 — ERP Systems (SAP, Oracle, Dynamics, etc.)
💡Your ERP is the digital backbone of your industrial business — but when compromised, it becomes a springboard for attackers.
🌐🚨News & Insights🔎:
With IT-OT convergence, ERP systems (often cloud-hosted) now directly interact with industrial systems. As outlined in manufacturing-security analysis, insecure ERP configurations can be exploited to influence supply chain and production planning.
Cyber threat intelligence reveals that embedded devices such as controllers from major vendors (e.g., control systems that act on ERP outputs) have critical flaws that could lead to remote code execution and unauthorized control.
⚙️Immediate Action (asset owners / operators & cybersecurity teams)🔐:
A few example actions to take are:
Conduct a security assessment of your ERP-OT integration: focus on authentication, data encryption, and interface controls.
Harden ERP server security: ensure patching, least-privilege for service accounts, and regular penetration testing.
Train both IT and OT teams together: create cross-functional “ERP-OT secure operations” playbooks so that ERP security policies are aligned with production realities.
🟠 Layer 3.5 — DMZ, OT Firewalls, Security Zones / Network Segmentation - an IT↔OT boundary — keep the bridge narrow and observable
💡Your DMZ is more than a border—it's the critical firewall between risk and control.
🌐🚨News & Insights🔎:
Kaspersky’s Q2 2025 Threat Landscape report shows that multi-stage attacks targeting industrial automation often rely on scripting and lateral movement from perimeter exposure.
According to Kaspersky’s Q2 2025 report, the number of ICS malware infections eased slightly in Q2 2025, but email- and internet-based vectors remain strong, underscoring the need for tighter segmentation.
Security guidance recommends implementing network segmentation, privileged access management (PAM), and certificate-based authentication (e.g., for SCADA) to prevent man-in-the-middle and lateral attacks.
⚙️Immediate Action (asset owners / operators & cybersecurity teams)🔐:
A few example actions to take are:
Revisit your network segmentation strategy: enforce strict DMZ boundaries, segment IT/OT, enforce micro-segmentation where possible.
Deploy certificate-based authentication for cross-zone communication and privileged access.
Use PAM tools to manage and monitor privileged accounts that traverse the DMZ, and enforce periodic certificate rotation.
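A worked example of the two audit steps above (map cloud-to-OT data flows and enforce the DMZ boundary). This is added here and is not code from the digest or from any vendor tool; the zone model (enterprise → DMZ → control), the host inventory, the control-zone ingress allowlist and the flow records are all constructed assumptions. It flags three things a segmentation review looks for: flows that skip the DMZ, flows into the control zone that are not on the allowlist, and flows from hosts that are not in the inventory at all (“shadow” assets).

```python
"""Zone/conduit policy check for IT<->OT boundary flows (added example).

Assumed Purdue-style zone ordering: enterprise -> dmz -> control.
Rules (assumptions for this example, not from any standard's text):
  * a flow may only cross between adjacent zones; enterprise<->control
    directly is a DMZ bypass
  * any flow entering the control zone must be on the ingress allowlist
  * any flow whose endpoint is not in the inventory is a 'shadow' asset
"""
from collections import namedtuple

ZONE_RANK = {"enterprise": 0, "dmz": 1, "control": 2}

Flow = namedtuple("Flow", "src dst dst_port proto")

# Constructed inventory: hostname -> zone
INVENTORY = {
    "erp-app-01": "enterprise",
    "historian-relay": "dmz",
    "jump-host": "dmz",
    "scada-srv-01": "control",
    "plc-line-3": "control",
}

# Constructed allowlist of the only conduits permitted into the control zone
CONTROL_INGRESS_ALLOW = {
    ("jump-host", "scada-srv-01", 3389, "tcp"),       # RDP only via the jump host
    ("historian-relay", "scada-srv-01", 4840, "tcp"),  # OPC UA pull from the DMZ relay
}


def check_flow(flow):
    """Return a list of policy findings for one flow (empty list = compliant)."""
    findings = []
    src_zone = INVENTORY.get(flow.src)
    dst_zone = INVENTORY.get(flow.dst)
    if src_zone is None:
        return [f"shadow-asset: source {flow.src} not in inventory"]
    if dst_zone is None:
        return [f"shadow-asset: destination {flow.dst} not in inventory"]
    if abs(ZONE_RANK[src_zone] - ZONE_RANK[dst_zone]) > 1:
        findings.append(f"dmz-bypass: {src_zone} -> {dst_zone} skips the DMZ")
    if dst_zone == "control" and src_zone != "control":
        conduit = (flow.src, flow.dst, flow.dst_port, flow.proto)
        if conduit not in CONTROL_INGRESS_ALLOW:
            findings.append(
                f"unlisted-ingress: {flow.src}->{flow.dst}:{flow.dst_port}/{flow.proto} "
                "is not an approved conduit into the control zone"
            )
    return findings


def audit(flows):
    """Return {flow: findings} for the non-compliant flows only."""
    results = {}
    for flow in flows:
        findings = check_flow(flow)
        if findings:
            results[flow] = findings
    return results


# Constructed flow records, e.g. exported from firewall or NetFlow logs
SAMPLE_FLOWS = [
    Flow("jump-host", "scada-srv-01", 3389, "tcp"),       # approved conduit
    Flow("erp-app-01", "plc-line-3", 502, "tcp"),         # ERP talking straight to a PLC
    Flow("erp-app-01", "historian-relay", 443, "tcp"),    # enterprise -> DMZ, fine
    Flow("laptop-contractor", "scada-srv-01", 22, "tcp"),  # unknown host
    Flow("historian-relay", "plc-line-3", 502, "tcp"),    # DMZ -> control, not allowlisted
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        print(flow, findings)
```

Run it against a real flow export by replacing `SAMPLE_FLOWS` with parsed log records and `INVENTORY` with your asset register; every finding maps to one of the actions above (bypass → segmentation, unlisted ingress → conduit review, shadow asset → inventory gap).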
🔶Layer 3 — MES (Manufacturing Execution Systems) - IT / OT integration layer — the control plane for manufacturing execution
💡MES is where business logic meets production — and where a breach can stop your entire factory.
🌐🚨News & Insights🔎:
The growing threat of intelligent, AI-driven attacks on cyber-physical systems was detailed in a recent research paper that warns about adversarial AI being used to learn and exploit operational logic.
The Cyber security of OT networks: A tutorial and overview paper (Feb 2025) provides fresh analysis on securing MES/SCADA/PLC systems as IT-OT convergence increases.
Rockwell notes that hybrid workforces and legacy MES systems lacking visibility are key risk factors in 2025.
⚙️Immediate Action (asset owners / operators & cybersecurity teams)🔐:
A few example actions to take are:
Implement anomaly detection on MES transactions: monitor for abnormal commands, data flows, or unexpected behavior using behavior-based detection.
Consider integrating AI/ML-based security tools that can detect deviations in control logic.
Promote cross-team communication: ensure MES engineers and cybersecurity professionals jointly own security playbooks, incident response, and hardening procedures.
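A worked example of the behavior-based detection recommended above for MES transactions (and of the “learn normal, flag deviations” idea from the AI section). This is an added illustration, not code from the digest or any MES product; the audit-log format, account and command names, sample logs and thresholds are constructed assumptions. It learns a baseline of which accounts issue which commands and at what hourly rate, then flags never-seen account/command pairs and bursts above the baseline.

```python
"""Behaviour-baseline anomaly detection for MES transactions (added example).

Learns from a baseline log which (account, command) pairs are normal and how
many transactions each account issues per hour, then flags in a new window:
  * novel-command : an account issuing a command it never issued in baseline
  * rate-spike    : an account exceeding its baseline hourly rate by a margin
Log format, accounts, commands and thresholds are all constructed assumptions.
"""
import re
import statistics
from collections import Counter, defaultdict

# Assumed MES audit-log format: "<ISO timestamp> acct=<account> cmd=<command>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) acct=(?P<acct>\S+) cmd=(?P<cmd>\S+)"
)


def parse(lines):
    """Yield (date_hour_bucket, account, command); silently skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts")[:13], m.group("acct"), m.group("cmd")


def learn_baseline(lines):
    """Build the 'normal' profile: known pairs plus per-account hourly mean/stdev."""
    pairs = set()
    per_hour = defaultdict(Counter)          # acct -> {date_hour: count}
    for bucket, acct, cmd in parse(lines):
        pairs.add((acct, cmd))
        per_hour[acct][bucket] += 1
    rates = {}
    for acct, buckets in per_hour.items():
        vals = list(buckets.values())
        sd = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        rates[acct] = (statistics.fmean(vals), sd)
    return {"pairs": pairs, "rates": rates}


def detect(baseline, lines, sigma=3.0, min_margin=5):
    """Return (kind, account, detail, date_hour) findings for a new log window.

    Rate threshold = mean + max(sigma*stdev, min_margin), so an account with a
    perfectly regular baseline (stdev 0) still gets a sane absolute margin.
    """
    findings = []
    counts = defaultdict(Counter)
    for bucket, acct, cmd in parse(lines):
        if (acct, cmd) not in baseline["pairs"]:
            findings.append(("novel-command", acct, cmd, bucket))
        counts[acct][bucket] += 1
    for acct, buckets in counts.items():
        mean, sd = baseline["rates"].get(acct, (0.0, 0.0))
        threshold = mean + max(sigma * sd, min_margin)
        for bucket, n in buckets.items():
            if n > threshold:
                findings.append(("rate-spike", acct, n, bucket))
    return findings


# Constructed baseline: two accounts with a steady two-transactions-per-hour pattern
BASELINE_LOG = [
    "2025-10-01T08:00:12 acct=op_line3 cmd=START_BATCH",
    "2025-10-01T08:31:40 acct=op_line3 cmd=STOP_BATCH",
    "2025-10-01T09:02:05 acct=op_line3 cmd=START_BATCH",
    "2025-10-01T09:45:00 acct=op_line3 cmd=STOP_BATCH",
    "2025-10-01T08:05:00 acct=mes_svc cmd=SYNC_ORDER",
    "2025-10-01T08:35:00 acct=mes_svc cmd=SYNC_ORDER",
    "2025-10-01T09:05:00 acct=mes_svc cmd=SYNC_ORDER",
    "2025-10-01T09:35:00 acct=mes_svc cmd=SYNC_ORDER",
]

# Constructed new window: one never-seen command, one unknown account, one burst
NEW_WINDOW = [
    "2025-10-02T08:01:00 acct=op_line3 cmd=START_BATCH",
    "2025-10-02T08:10:00 acct=op_line3 cmd=DOWNLOAD_RECIPE",
    "2025-10-02T08:12:00 acct=contractor_x cmd=SYNC_ORDER",
] + [f"2025-10-02T08:{m:02d}:00 acct=mes_svc cmd=SYNC_ORDER" for m in range(0, 60, 5)]

BASELINE = learn_baseline(BASELINE_LOG)

if __name__ == "__main__":
    for finding in detect(BASELINE, NEW_WINDOW):
        print(finding)
```

On the constructed window it raises two novel-command findings (an operator downloading a recipe, and an unknown account) and one rate-spike (the service account issuing 12 order syncs in an hour against a baseline of two). Retrain the baseline from a clean period whenever production schedules change, otherwise legitimate shift changes will look like anomalies.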
🟡 Layer 2 — SCADA / Supervisory Control
💡SCADA is the control brain — but if exposed, it can leak your secrets (or get hacked).
🌐🚨News & Insights🔎:
Over 200,000 industrial systems (including SCADA) are projected to be exposed to the internet by end-2025, according to a report by Bitsight. Many lack authentication, and some present CVSS 10.0 vulnerabilities.
According to Analysis of Publicly Accessible Operational Technology and Associated Risks (2025), nearly 70,000 OT devices are exposed globally, and many of them run SCADA protocols like Modbus/TCP, EtherNet/IP, or S7 with outdated firmware.
Critical vulnerabilities have been reported in popular SCADA/ICS platforms (e.g., Schneider, Honeywell) that allow unauthenticated access or remote execution.
⚙️Immediate Action (asset owners / operators & cybersecurity teams)🔐:
A few example actions to take are:
Immediately scan your SCADA systems for internet exposure (external-facing IPs, open ports, outdated protocols).
Patch known vulnerabilities in SCADA systems, and restrict access from the internet.
Employ network-level protections (firewalls, IDS/IPS) and enforce strict network segmentation to isolate SCADA from risky zones.
🟢 Layer 1 — HMI (Human-Machine Interfaces)
💡Misconfigured HMIs = exposed dashboards, and open doors for attackers.
🌐🚨News & Insights🔎:
ICS/OT: Unpatched Vulnerabilities Expose Novakon HMIs to Remote Hacking — Novakon HMIs are affected by remote code execution and information exposure vulnerabilities.
Researchers found hundreds of industrial HMIs for U.S. water utilities exposed on the public internet via simple browser access.
The Analysis of Publicly Accessible OT research also shows screen captures of exposed HMI interfaces, illustrating how dangerous misconfigurations are.
Emerging threat guidance emphasizes securing HMI with MFA, certificate-based authentication, and proper segmentation to mitigate phishing, MITM, and ransomware risk.
⚙️Immediate Action (asset owners / operators & cybersecurity teams)🔐:
A few example actions to take are:
Audit all HMI systems for public exposure or weak authentication.
Limit physical and network access to HMIs.
Change all default passwords to strong, unique credentials.
Use OT asset discovery tools (e.g., scan via a Shodan-like methodology, privately) to identify which HMIs are internet-exposed.
Disconnect HMIs from the public-facing internet.
Enforce MFA and certificate-based authentication for HMI access, especially for remote or internet-connected access.
Harden HMI devices: disable unnecessary services, run secure TLS, and monitor for unauthorized logins or configuration changes.
🔴 Layer 1 — PLCs / RTUs / Edge Devices
💡PLCs are your edge-of-control — and if they’re visible to the world, it’s game over.
PLCs are the silent heartbeat of automation—don’t let them become a pivot point for attackers.
🌐🚨News & Insights🔎:
Few example common threats targeting PLCs / edge devices are:
Unauthorized Access (x, x), targeted malware & ransomware attacks (X), network intrusions, insider threats and man-in-the-middle attacks.
Modern PLCs are adopting military-grade cybersecurity, including secure boot, TLS/SSL encryption, and zero-trust architecture.
The “Evil PLC” attack highlights the risk of weaponized PLCs as a pivot to breach OT networks.
Reddit users have flagged that PLCs (Omron, Schneider, Modbus) are widely visible and even accessible online via Shodan/FOFA — sometimes with default credentials or no authentication.
The same conversation highlights that modern PLCs (e.g., Siemens S7-1500) now support certificate-based encryption and authentication over Profinet — enabling a Zero Trust approach in edge-to-PLC communications.
Cyber Security’s threat research identifies high-severity vulnerabilities in multiple PLC vendors, including remote code execution vulnerabilities that could manipulate control logic.
Cyber agencies unveil new guidelines to secure edge devices from increasing threats: the new guidelines encourage device manufacturers to include and enable standard logging and forensic features that are robust and secure by default.
⚙️Immediate Action (asset owners / operators & cybersecurity teams)🔐:
A few example actions to take are:
Limit physical and network access to PLCs.
Change all default passwords to strong, unique credentials.
Use OT asset discovery tools (e.g., scan via a Shodan-like methodology, privately) to identify which PLCs are internet-exposed.
Disconnect PLCs from the public-facing internet.
Implement multifactor authentication (MFA) for all remote access to the OT network (using a VPN or gateway if the device doesn't support MFA natively).
Upgrade or configure PLCs to use secure communication (TLS, certificate-based auth) and disable legacy protocols that lack encryption.
Adopt Zero Trust principles for device-level communications: authenticate every device, restrict permitted connections, and monitor PLC traffic for anomalous behavior.
Enforce cryptographic firmware validation, and keep device firmware and software updated to the manufacturer's latest stable and secure versions.
Perform regular backups of PLC logic and configurations to enable fast recovery from ransomware or destructive attacks.
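A worked example of the exposure check that recurs in the SCADA, HMI and PLC action lists (“identify which devices are internet-exposed” and prioritise them). This is added here and is not code from the digest or from any discovery product; it does no scanning itself but triages records you already hold (asset register plus port/authentication data from your own inventory tooling). The address ranges treated as internal, the port-to-protocol map, the authentication labels, the severity rules and the sample inventory are all constructed assumptions.

```python
"""Internet-exposure triage of an OT asset inventory (added example).

Takes inventory/scan records (constructed inline here) and ranks each asset by
how badly it is exposed: ICS protocol ports or weak authentication reachable
from outside the plant ranges score highest. The internal ranges, port map and
scoring rules are assumptions for this example, not from any vendor tool.
"""
import ipaddress

# Assumption: only RFC 1918 space counts as plant/enterprise-internal
INTERNAL_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Well-known ports for the ICS protocols named in the digest
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm (ISO-TSAP)", 44818: "EtherNet/IP"}
WEB_PORTS = {80: "HTTP", 443: "HTTPS"}          # typical HMI web front-ends
WEAK_AUTH = {"none", "default"}                 # inventory labels assumed here
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def assess(asset):
    """Return (severity, reasons) for one inventory record."""
    reasons = []
    external = not is_internal(asset["ip"])
    weak = asset["auth"] in WEAK_AUTH
    ics = [ICS_PORTS[p] for p in asset["ports"] if p in ICS_PORTS]
    web = [WEB_PORTS[p] for p in asset["ports"] if p in WEB_PORTS]
    if external and ics:
        reasons.append("ICS protocol reachable from the internet: " + ", ".join(ics))
    if external and weak:
        reasons.append(f"internet-reachable with '{asset['auth']}' authentication")
    if external and web:
        reasons.append("web interface reachable from the internet: " + ", ".join(web))
    if not external and ics and weak:
        reasons.append("ICS protocol with weak/no authentication on the plant network")
    if asset.get("firmware_eol"):
        reasons.append("end-of-life firmware")
    if external and (ics or weak):
        severity = "critical"
    elif external:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "low"
    return severity, reasons


def triage(inventory):
    """Return [(severity, name, reasons)] ordered most urgent first, then by name."""
    rows = []
    for asset in inventory:
        severity, reasons = assess(asset)
        rows.append((severity, asset["name"], reasons))
    return sorted(rows, key=lambda r: (SEVERITY_RANK[r[0]], r[1]))


# Constructed inventory records (203.0.113.0/24 is a documentation range used
# here only to stand in for a public address)
SAMPLE_INVENTORY = [
    {"name": "plc-line-3", "ip": "10.20.3.11", "ports": [502, 80],
     "auth": "none", "firmware_eol": True},
    {"name": "hmi-pump-house", "ip": "203.0.113.5", "ports": [80, 443],
     "auth": "default", "firmware_eol": False},
    {"name": "scada-srv-01", "ip": "203.0.113.9", "ports": [502, 3389],
     "auth": "password", "firmware_eol": False},
    {"name": "eng-ws-02", "ip": "192.168.50.4", "ports": [3389],
     "auth": "mfa", "firmware_eol": False},
]

if __name__ == "__main__":
    for severity, name, reasons in triage(SAMPLE_INVENTORY):
        print(f"{severity:8s} {name:16s} {'; '.join(reasons) or 'no findings'}")
```

The output order is the work order: the internet-reachable HMI with default credentials and the SCADA server exposing Modbus/TCP come first (disconnect or put behind the DMZ and MFA gateway), the internal PLC with no authentication and end-of-life firmware is next (segmentation and upgrade), and the MFA-protected engineering workstation needs no action from this check.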
⚫Layer 0 — Physical Processes (Sensors, Actuators, Machines)
💡Physical security is your last line of defense—make it count.
💡Below the digital layers, the physical world hums — but cyber risk can still ripple through, damaging real machines and people.
🌐🚨News & Insights🔎:
Interesting perspective from Joe Weiss on The unaddressed cyber frontier: Level 0 sensor measurement integrity — cybersecurity is still an aspiration at Level 0, but progress has been made at Level 1 and Level 2.
In response to the above article, Sinclair Koelemij wrote an article titled:
Sensor Fusion: Strengthening Control-System Integrity When Level-0 Devices Cannot Be Secured. Here’s another interesting article by Sinclair.
Kaspersky’s Q1 and Q2 2025 ICS threat reports show that malware is not just staying within the digital realm: self-propagating worms and viruses are being blocked, which suggests potential for physical-process disruption.
The Intelligent Attacks on Cyber-Physical Systems and Critical Infrastructures research warns that AI-driven attacks could learn physical process behavior and exploit it to damage equipment or cause unsafe states.
Real-world incident: In Gujarat (India), industrial hardware — motors, pumps, and controllers — has been targeted, prompting calls for firmware inspections, vendor vetting, and side-channel analyses.
Unauthorized physical access remains a direct gateway to system compromise, with risks ranging from tampering to sabotage.
⚙️Immediate Action (asset owners / operators & cybersecurity teams)🔐:
A few example actions to take are:
Conduct a physical-process risk assessment: map how digital compromises (e.g., PLC or SCADA breach) could translate into physical damage or safety risk.
Build cross-functional cyber-physical incident playbooks: involve both process engineers and cyber teams to plan for scenarios where cyber events impact physical processes.
Strengthen vendor governance: require all hardware vendors to adhere to secure development practices (e.g., ICS patch management, secure boot, firmware integrity) and enforce regular firmware audits.
Conduct regular risk assessments, segment IT/OT networks, and enforce strict physical access controls.
🧭Final Thoughts/Way Forward - for CXOs 🤝
Cybersecurity in industrial automation is no longer a siloed IT problem.
Attackers are navigating the full stack — from cloud to physical processes — and defenders must think just as broadly.
Use this layered breakdown as a roadmap: assess your risks, prioritize high-exposure assets (internet-facing SCADA, cloud-ERP, exposed PLCs), and build a layered defense.
The future of industrial resilience lies in integrated IT-OT cybersecurity, cross-disciplinary teams, and proactive threat modelling.
AI and the cloud are not optional improvements — they change your attack surface.
The board question is no longer “if” AI will change operations but “how safely” we will adopt it.
For manufacturing leaders, the safe path is clear: inventory everything (including models), treat ERP/MES/OT as mission-critical products, enforce DMZs and least-privilege, and operationalize patching & recovery.
Start with a 90-day sprint (inventory + ERP backups + DMZ lock-down + AI asset register) and build program maturity from there.
🔗Recommended Reading / References:
Kaspersky ICS CERT: Threat Landscape – Q2 2025.
ArXiv: Analysis of Publicly Accessible OT & Associated Risks.
ArXiv: Cybersecurity of OT Networks Tutorial Overview.
ArXiv: Intelligent Attacks on Cyber-Physical Systems and Critical Infrastructures.
Misconfigured HMIs Expose US Water Systems to Anyone With a Browser.
Rockwell Automation: OT Cybersecurity Trends: 6 Trends to Watch in 2025 (hybrid workforce vulnerabilities, compliance drivers, AI and IT/OT integration).
Accenture State of Cybersecurity Resilience 2025 (AI/security guidance).
NIST SP 800-82r3 — Guide to Operational Technology Security. (OT guidance & controls).
IEC / ISA 62443-2-1:2024 — Asset owner program requirements.
CISA — ICS advisories (recent Schneider Modicon advisory). (Actionable CVEs & mitigations).
CISA — Primary mitigations to reduce OT threats. (Practical mitigations for OT owners).
Onapsis — ERP ransomware research. (ERP as a ransomware target; mitigation focus).
Dragos OT best practices — DMZ/segmentation guidance for SMBs. (OT separation & pragmatic steps).
Industry roundups & incident trackers (e.g., SOCRadar / Arctiq blog Q2 2025 landscape) for incident trend context.
Competency Model for Industry 4.0 Employees, Technical University Munich.
AI Skills for Business Competency Framework, The Alan Turing Institute.
ENISA Multilayer Framework for Good Cybersecurity Practices for AI.
My Recent Most Viewed Social Posts
In case you’ve missed - here are some of my recent most viewed social posts.
🗞️🗞️[ST # 80] Cybersecurity Insights from Q3 2025 ✅IT, OT, AI Cybersecurity Market (fundings, start-ups & M&As), Incidents, breaches, ransomware, cyber threat landscape, regulations and CISOs evolving role. Things are happening & changing very fast.🚀[Securing Things by M. Yousuf Faisal] 🗞️🗞️
🗞️🗞️[ST # 79] The Digital Factory - Architecture - Part 3 ✅ Industry Reference Architectures, Patterns, implementation examples, security controls and CISOs changing role. [Securing Things by M. Yousuf Faisal] 🗞️🗞️
🔐 Building an IT/OT Cybersecurity Strategy Document – A free video guide on where to start drafting one. ✍️ [Securing Things by M. Yousuf Faisal] 🗞️🗞️
🗞️🗞️[ST # 78] IT/OT Cybersecurity Strategy (+AI) ✅ 10 min Video Guide for Strategy Document Construct. Plus more on Challenges & Solutions and Reference Guidance. ✍️ [Securing Things by M. Yousuf Faisal] 🗞️🗞️
🗞️🗞️[ST # 77] Biggest OT Security Acquisition Ever & Market Shakeup Explained ✅ The Mitsubishi-Nozomi $1B Deal & Industry Future & Cyber attacks on the rise ✍️ [Securing Things by M. Yousuf Faisal] 🗞️🗞️
🗞️🗞️[ST #76] OT Cybersecurity Procurement Process & Practices (OTCS PPP) an ultimate guide - Part 3 (extended) ✅ Q & A Videos addressing common questions & concerns, plus more resources 🚀[Securing Things by M. Yousuf Faisal] 🗞️
Ways in which I can help?
Whenever you are ready - I can help you with:
A - IT & OT Cybersecurity Advisory / Consulting services - for securing your business and or its digital transformation journey.
B - Security Awareness Training & Phishing Awareness Portal - Train your staff and build a Security awareness program through our subscription based service.
C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.
Visit the newsletter website for Links to above services and or reach out at info[at]securingthings[dot]com or DM me via LinkedIn.
D - Securing Things Newsletter - Sponsor this newsletter to showcase your brand globally, or subscribe to simply Get Smarter at Securing Things.
Reach out at newsletter[at]securingthings[dot]com or DM me via LinkedIn.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.
Also, if you find this or previous newsletter edition(s) useful and know other people who would too, I'd really appreciate it if you'd forward it to them. Thanks a ton.
Thanks for reading - until the next edition!
It’s a Great Day to Start Securing Things for a Smart & Safer Society.
Take care and Best Regards,
Rate the newsletter content
If you are reading this online don’t forget to register; validate your email, and request a login link to submit the poll.
Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.