Cybersecurity and AI Across the Industrial Automation Stack - Monthly Digest # 1

✅ Industry trends and market insights on cybersecurity and AI across the layers of the industrial automation stack (Cloud, ERP, DMZ, MES, SCADA, HMI, PLC/Edge), physical devices & more. 🚀 [Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.

Neither the author nor the newsletter is liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and/or situation.

M. Yousuf Faisal

Hey there,

Hope you are doing well.

This is Cybersecurity & AI across IT-OT Automation Stack - Monthly Digest # 1. 

I’ll be covering a brief introduction to each layer of the IT-OT automation stack, the related Purdue levels, the Industry 3.0 vs. 4.0 difference, insights, updates, and a few interesting resources on cybersecurity and AI. Featuring:

  • ✍️ Poll results / last Vibe check: IT-OT Automation Stack monthly digest.

  • 📘 Thoughts on Competence Framework for IT & OT architects.

  • ↪️ Cybersecurity & AI across Cloud, ERP, MES, SCADA, HMI & PLC layers.

  • How the CISO’s role has evolved in the context of the IT-OT Automation Stack.

  • ‼️ Some recent attacks across the layers of IT-OT Automation Stack.

But before we begin, do me a favour and make sure you “Subscribe” to let me know that you care and keep me motivated to publish more. Thanks!

Ready? let’s dig in.

Yours truly.

— Yousuf.

Poll Results from Previous Vibe Check:

Below are the results from the vibe check poll I ran in Digest # 0 last month. I realised later that some of the newsletter didn’t reach your inbox, as I screwed up some view settings - my bad. In case you missed it, here’s → Digest # 0 with the missing content.

Thank you and really appreciate your input on the vibe check → Digest # 0.

Poll results from Digest # 0

Do you like the idea of me covering Cybersecurity & AI Across the Automation Stack - as Monthly Digest! Where, I'll cover some updates across each layer?


Together with (Sponsor):

An entirely new way to present ideas

Gamma’s AI creates beautiful presentations, websites, and more. No design or coding skills required. Try it free today.

Competence Framework

In Digest # 0, I talked about the IT-OT automation stack and its importance and relevance to building a competence framework for the next generation of IT & OT professionals, whether they are Solution Architects and/or Security Architects.

I also shared some initial thoughts on the coverage across the project lifecycle stages.

I’ll cover more on this in Digest # 2 next month: the possibilities for an asset owner to build a competence framework for Industry 4.0, cybersecurity and AI for their workforce.

If you have any ideas, suggestions or recommendations, and/or you want to contribute, please drop me an email at newsletter[@]securingthings[.]com or DM me via LinkedIn. You’ll also get a shout-out for your contribution.

Cloud (/CRM) and AI Layer

Purdue Level: Cloud / CRM and AI applications, from a Purdue (/PERA) Model perspective, sit at Level 5.

Industry 3.0: No or very limited use of Cloud-based apps, probably limited to CRM and accounts receivable / accounts payable.

Industry 4.0: With IIoT as the central theme of 4.0, edge-driven architecture became essential: data from the lower layers is collected and transferred to the Cloud for big data analytics, ML and now AI-based analysis.

In recent years, on-prem workloads have moved into the Cloud for many reasons (both technical and commercial), including availability, cost and ease of scalability. Hence the Cloud layer has become a critical part of the industrial automation stack; the use cases for industrial environments keep growing and adoption is increasing.

The cloud security market is projected to grow significantly, driven by the increasing number of cyber threats targeting cloud infrastructures.

Companies are investing heavily in securing their cloud environments, with a focus on compliance with regulations and industry standards.

Venture capital firms are pouring investments into cloud security startups. Notably, Sequoia Capital has highlighted the transformative potential of AI in enhancing cloud security measures, which is expected to disrupt traditional models significantly.

Investments are focused on AI-driven analytics for threat prediction and mitigation.

Cloud vendors are incorporating AI-based security features to offer advanced threat detection.

AI-Powered CRM: AI is transforming how manufacturers interact with their customers. Imagine a CRM system that not only stores customer data but anticipates their needs before they even arise. That's the reality of AI-integrated CRM in 2025.

Cybersecurity: As we entrust more data to the cloud, it’s crucial to secure it. AI-powered security solutions are used for:

Anomaly Detection: AI algorithms continuously monitor for unusual patterns in data access and usage, flagging potential security breaches.

Automated Threat Response: AI-powered systems can initiate immediate countermeasures against detected threats, minimizing damage from cyber attacks

AI-Powered Threat Hunting: Cloud security now leverages machine learning to analyze thousands of events per second, detecting anomalies faster than traditional methods.

Zero Trust Orchestration: Strict identity verification protocols now govern cloud access, reducing breach risks in hybrid environments.

Quantum-Resistant Vaults: Enterprises are starting to adopt lattice-based cryptography (e.g., the NIST-standardised ML-KEM, FIPS 203) to future-proof cloud data against quantum computing threats. The practical first step is an inventory of where long-lived data is still protected by RSA/ECC today, so the migration can be prioritised.

ERP Layer: Streamlining Enterprise Operations

Purdue Level: ERP, from a Purdue (/PERA) Model perspective, is usually found either on-prem at Level 4 or, in newer deployments, in the Cloud, i.e., Level 5.

Industry 3.0: In 3.0, the major goal was to bring all business processes (planning, scheduling, resourcing, shipping, billing) into the ERP platform. It was a standalone system into which data from the plant floor and the business was fed manually. It had no integrations with the layers above or below.

I remember my first major networking project for bringing a factory from 2.0 status to 3.0 status - where we needed to lay out the foundational network infrastructure within the plant site and back to the corporate office (LAN and WAN). Based on a Cisco solution, I proposed and designed a solution and called it an ERP Ready Network 😀 - as the manufacturing group was building an in-house ERP.

Industry 4.0: In the 4.0 era, ERP needs to be integrated with the MES and also feeds data into the Cloud for data analytics.

ERP systems integrate core business processes and are increasingly targeted by cybercriminals due to their central role in operations.

AI is enhancing enterprise resource planning and applications, bridging the gap between IT and OT.

Organizations are prioritizing ERP security enhancements as part of their digital transformation strategies.

The integration of AI-driven analytics within ERPs is becoming common to predict and mitigate potential threats.

Major ERP vendors like SAP and Oracle are expanding their cybersecurity offerings to include advanced threat detection capabilities powered by AI.

Historically, most manufacturing businesses have focused solely on ERP systems, ignoring production planning and what happens on the plant floor. Integration between ERP and MES has been very expensive and has needed a lot of manual work. Insights for decision makers were never real-time; rather, they were a snapshot of the state of production at some point in the past.

iDMZ Layer - Security buffer between IT & OT

Industrial DMZ (“iDMZ”), or “OT DMZ”, acts as a security buffer between IT and OT networks, making it a critical area for cybersecurity focus.

Purdue Level: There is no specific level in the Purdue (/PERA) Model for the OT DMZ. However, since it acts as a buffer between Level 4 (ERP) and Level 3 (MES), industry professionals commonly refer to it as Level 3.5.

Industry 3.0: Typical 3.0-era architecture didn’t have much separation beyond functional separation, meaning it was a flat network. Incidents and attacks, including virus/malware outbreaks causing production disruption, pushed things to

Industry 4.0: In the 4.0 era, this separation has matured from its predecessor. Several solutions support this zone/segmentation design through one-way pull and push mechanisms: OT systems push data (historian replica, MQTT broker, file drop) into the iDMZ and IT systems pull it from there, so no session is ever initiated from IT directly into OT.

Organizations are slowly gaining maturity in recognizing the importance of protecting sensitive data flows between IT and OT systems and limiting the exposure of OT systems to traffic coming from IT / the internet.
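The "no session from IT into OT, and nothing from OT past the DMZ" rule above is easiest to keep honest by auditing the boundary firewall's rule base against it. The following is an added example written for this digest, not code from the newsletter or from any vendor: the zone names, ports and the sample rule set are hypothetical, and the policy it encodes is the conduit principle described above plus the common practice of never letting raw control protocols (Modbus, S7comm, EtherNet/IP, DNP3) be spoken from above Level 2.

```python
"""Audit firewall rules against an IT/OT zone-and-conduit policy.

Added example, not code from the newsletter. Zone names, ports and the
sample rule set are hypothetical; the policy encodes the iDMZ principle
that nothing from IT opens a session into OT and OT never talks past the DMZ.
"""
from __future__ import annotations
from dataclasses import dataclass

# Purdue level of each network zone (hypothetical zone names).
ZONE_LEVEL = {
    "internet": 5.0,
    "enterprise": 4.0,
    "idmz": 3.5,
    "site-ops": 3.0,     # MES, historian, domain services for OT
    "supervisory": 2.0,  # SCADA, HMI
    "control": 1.0,      # PLCs, RTUs
}

# Raw control protocols that should never be spoken from above Level 2.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP", 20000: "DNP3"}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str   # zone whose hosts initiate the session
    dst: str   # zone that accepts it
    port: int

def check_rule(rule: Rule) -> list[str]:
    """Return policy violations for one permitted flow; an empty list means the rule is acceptable."""
    s, d = ZONE_LEVEL[rule.src], ZONE_LEVEL[rule.dst]
    problems = []
    if s >= 4 and d <= 3:
        problems.append("IT-initiated session into OT; it must terminate in the iDMZ")
    if s <= 3 and d >= 4:
        problems.append("OT session bypasses the iDMZ")
    if s == 3.5 and d <= 2:
        problems.append("iDMZ host reaches past Level 3 into supervisory/control zones")
    if rule.port in ICS_PORTS and s > 2:
        problems.append(f"{ICS_PORTS[rule.port]} (tcp/{rule.port}) initiated from above Level 2")
    return problems

def audit(rules: list[Rule]) -> dict[str, list[str]]:
    """Map each offending rule name to its violations (clean rules are omitted)."""
    return {r.name: p for r in rules if (p := check_rule(r))}

# Constructed sample rule set, as it might be exported from an IT/OT boundary firewall.
SAMPLE_RULES = [
    Rule("historian-replication", "site-ops", "idmz", 5432),   # OT pushes into the DMZ: OK
    Rule("erp-kpi-pull", "enterprise", "idmz", 8883),           # IT pulls from DMZ broker (MQTT/TLS): OK
    Rule("patch-pull", "site-ops", "idmz", 8531),               # OT pulls updates from a DMZ WSUS: OK
    Rule("scada-to-plc", "supervisory", "control", 502),        # Modbus stays within L2 -> L1: OK
    Rule("vendor-rdp", "enterprise", "supervisory", 3389),      # IT straight into the SCADA zone
    Rule("mes-to-erp-direct", "site-ops", "enterprise", 443),   # OT skipping the DMZ
    Rule("dmz-modbus-poll", "idmz", "control", 502),            # DMZ host polling PLCs directly
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_RULES).items():
        for p in problems:
            print(f"{name}: {p}")
```

The interesting finding in the sample set is the last one: a DMZ host polling PLCs over Modbus looks like a "one-way" collector, but it is both a hop past Level 3 and a control protocol initiated from the wrong side; the collector belongs at Level 3 (site-ops), publishing upward into the DMZ.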

Together with (Sponsor):

Learn how to make AI work for you

AI won’t take your job, but a person using AI might. That’s why 1,000,000+ professionals read The Rundown AI – the free newsletter that keeps you updated on the latest AI news and teaches you how to use it in just 5 minutes a day.

MES (/ MOM / CMM) Layer: Smart Production

Purdue Level: MES and related systems such as MOM or CMM, from a Purdue (/PERA) Model perspective, reside at Level 3.

Industry 3.0: In the 3.0 era, MES was integrated one layer above and below, i.e., direct integration between MES and SCADA was more common, and integration between MES and ERP (at best) was less common.

These integrations were bespoke, extremely lengthy and expensive. They provided some baseline information but still lacked much of the useful information.

Industry 4.0: In the 4.0 era, MES doesn’t need point-to-point integration with SCADA and/or ERP. Instead, an organisation can use a hub-and-spoke 4.0 architecture built on broker technologies (IIoT protocols such as MQTT and related specifications such as Sparkplug) to feed and exchange data via publish/subscribe through an OT UNS (unified namespace).

MES play a vital role in managing manufacturing processes and require robust cybersecurity measures.

Companies are investing in MES cybersecurity solutions that leverage AI to enhance operational resilience against cyber threats.

Manufacturing Execution Systems (MES) are exposed through their integrations with other business systems like ERP and PLM: a compromise on either side can be pivoted into the MES.

Traditional on-premises MES architectures face network security and access control weaknesses. Cloud-native MES solutions now exist too, and they bring additional security control requirements (e.g., identity federation and encrypted plant-to-cloud conduits) that must be implemented when they are used.

A Deloitte report indicates a 15% increase in cyberattacks targeting on-premises MES systems due to inadequate network security measures.

Access Control and Authentication: Mitigation strategies include firewalls, intrusion detection systems, multi-factor authentication, and role-based access control. AI systems monitor user behaviour patterns to detect unauthorized access attempts and enforce strict authentication.

At the Manufacturing Execution System (MES) layer, AI is revolutionizing how we manage and optimize production processes.

SCADA (/DCS) Layer (Intelligent Process Control)

Purdue Level: SCADA (/DCS) from Purdue (/PERA) Model perspective resides at Level 2.

A DCS manages operations within a single facility using a centralized architecture, whereas SCADA systems monitor and control geographically dispersed assets with a distributed approach. Both use Human-Machine Interfaces (HMIs) for operator interaction, offering visualization and control of manufacturing processes.

Industry 3.0: In 3.0, point-to-point integrations were built separately, one with MES and one with HMIs; they were costly and time consuming.

Industry 4.0: In 4.0, the SCADA or DCS layer can also publish and subscribe to the OT plant UNS via message brokers using IIoT protocols (e.g., MQTT).

SCADA systems control industrial processes and are a target for cyber attacks.

Demand for SCADA security solutions is surging as organizations seek to protect critical infrastructure.

Solutions that comply with IEC 62443 standards are becoming standard practice.

Companies like Siemens and Honeywell are enhancing their SCADA offerings with integrated cybersecurity features that utilize AI for improved threat response capabilities.

Supervisory Control and Data Acquisition (SCADA) systems are becoming smarter with AI integration.

HMI Layer - Human-Centric Security

Purdue Level: HMIs are supervisory control, which the Purdue (/PERA) Model places at Level 2 alongside SCADA; local operator panels attached directly to a PLC are often drawn at Level 1 with the controller they serve.

Industry 3.0: HMIs were integrated with PLCs, and a separate integration had to be built with SCADA.

Industry 4.0: Allows the use of pre-existing integrations, as well as the ability to publish and subscribe to the OT UNS for real-time operational visibility.

HMIs facilitate interaction between operators and machines, making them crucial for operational integrity.

The integration of AI into HMI systems is helping to improve user authentication processes and reduce the risk of unauthorized access.

There is a notable trend towards investing in HMI solutions that incorporate advanced biometric security measures, and HMIs are becoming more intuitive and responsive with AI.

Internet-Exposed HMIs Pose Cybersecurity Risks - CISA and EPA warn the Water and Wastewater Systems sector to protect internet-exposed HMIs. The practical checks are to find them (an external attack-surface scan of your own ranges), take them off the internet or put them behind a VPN with MFA, and change any default credentials.

PLC and Edge Layer (Intelligent Control at source)

Purdue Level: PLCs, from a Purdue (/PERA) Model perspective, reside at Level 1.

Industry 3.0: PLCs were deployed to control and automate physical processes. They required little to no integration with the layers above, except for a point-to-point integration with the HMI for operator interaction.

Industry 4.0: While the use of PLCs remains largely the same, their features, functionality and security capabilities have expanded considerably. PLCs are now also integrated into the UNS through a broker using IIoT protocols (e.g., MQTT).
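The MES, SCADA and PLC sections all rely on the same broker-mediated UNS, which moves the security question from "which host may open a socket to which" to "which client may publish or receive on which branch of the namespace". The following is an added example written for this digest, not code from the newsletter or from any broker vendor: the client names, the `acme/plant1/<area>/<device>/...` hierarchy and the Mosquitto rendering are hypothetical, while the topic-filter matching rules (`+` is one level, `#` is the rest and must be last, wildcards never match `$SYS`) are those of the MQTT specification.

```python
"""MQTT topic-filter matching and a per-client UNS authorization check.

Added example, not code from the newsletter. Client names, the site
hierarchy 'acme/plant1/<area>/<device>/...' and the ACL contents are
hypothetical; the matching rules follow the MQTT 3.1.1 / 5.0 specification.
"""
from __future__ import annotations

def topic_matches(topic_filter: str, topic: str) -> bool:
    """True if a concrete topic matches a filter.

    '+' matches exactly one level, '#' matches the rest (and must be last),
    and wildcards never match topics starting with '$' (e.g. $SYS/...).
    """
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

# Default-deny ACL: each client may only publish into its own branch of the
# namespace and only receive what its role needs. The ERP bridge sitting in
# the iDMZ has no publish rights at all, which is how "one-way" is enforced.
ACL = {
    "plc-line1":  {"publish": ["acme/plant1/line1/plc1/#"],
                   "receive": ["acme/plant1/line1/plc1/cmd/#"]},
    "scada":      {"publish": ["acme/plant1/+/+/cmd/#", "acme/plant1/scada/#"],
                   "receive": ["acme/plant1/#"]},
    "mes":        {"publish": ["acme/plant1/mes/#"],
                   "receive": ["acme/plant1/#"]},
    "erp-bridge": {"publish": [],
                   "receive": ["acme/plant1/+/+/oee", "acme/plant1/mes/orders/#"]},
}

def authorize(client: str, action: str, topic: str) -> bool:
    """Broker-side check, run on every publish and again before each delivery.

    Because delivery is checked per concrete message topic, a client may
    subscribe with wildcards; it still only receives what the ACL allows.
    """
    filters = ACL.get(client, {}).get(action, [])
    return any(topic_matches(f, topic) for f in filters)

def to_mosquitto_acl(acl: dict) -> str:
    """Render the same policy as a Mosquitto acl_file (user / topic read|write <filter>)."""
    lines = []
    for client, perms in acl.items():
        lines.append(f"user {client}")
        for f in perms["publish"]:
            lines.append(f"topic write {f}")
        for f in perms["receive"]:
            lines.append(f"topic read {f}")
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    checks = [
        ("plc-line1", "publish", "acme/plant1/line1/plc1/temp"),     # own branch: allow
        ("plc-line1", "publish", "acme/plant1/line1/plc2/temp"),     # neighbour's branch: deny
        ("erp-bridge", "publish", "acme/plant1/line1/plc1/cmd/run"), # DMZ bridge writing down: deny
        ("erp-bridge", "receive", "acme/plant1/line1/plc1/oee"),     # read-only KPI pull: allow
    ]
    for c, a, t in checks:
        print(f"{c:10s} {a:8s} {t:36s} -> {'ALLOW' if authorize(c, a, t) else 'DENY'}")
    print(to_mosquitto_acl(ACL))
```

Two design points worth carrying into a real broker: the PLC's publish right is scoped to its own device branch so a compromised controller cannot impersonate its neighbours or inject MES orders, and the `cmd` sub-branch is the only path by which anything writes down to a PLC, so it is the one place to put the tightest review and logging.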

PLCs are the brains of the industrial process and edge devices are essential for real-time data processing in industrial environments.

Programmable Logic Controllers (PLCs) and edge devices are becoming smarter with embedded AI capabilities.

PLC Handbook by AutomationDirect - provides a good basic overview.

IIC-Edge-vPLC-Tech-Brief-20210907 by the Industry IoT Consortium provides an overview of the concepts behind “Virtualized Programmable Logic Controllers (vPLCs)” - a paradigm shift toward industrial edge and cloud computing.

With the rise of IIOT, securing PLCs has become paramount.

Investments in edge computing security solutions are increasing as organizations look to protect data at the source.

SoK: Security of Programmable Logic Controllers - a research paper highlighting threats and security mechanisms.

Top 20 Secure PLC Coding Practices - how to program PLCs with security in mind (e.g., validate HMI inputs at the PLC rather than only at the HMI, validate timers and counters, and monitor the PLC operating mode and alarm on changes).

PLC - Motion and logic controller is a ‘paradigm shift’ for machine controls: at the SPS exhibition in Germany, UK-based Trio Motion Technology introduced the Motion-PLC, a new machine controller that combines motion, robotics and logic, simplifying designs and reducing costs.

Physical Layer (Devices / Machinery / Sensors)

Physical layer encompasses machinery that directly interacts with production processes.

Purdue Level: The physical layer, from a Purdue (/PERA) Model perspective, resides at Level 0.

Industry 3.0: Traditional machinery with little to no built-in security mechanisms, engineered purely for availability, safety and reliability.

Industry 4.0: Nowadays, physical devices are getting smarter with local sensing capabilities and some control features built-in.

Conference: Interestingly now there’s a Level 0 conference, where engineering meets cyber security to protect critical infrastructure.


Industrial Automation Stack Under Siege

Here are a couple of cyber attacks across various levels of the automation stack:

  • Salesforce Cyberattacks: Cybercriminals are using AI and automation to execute sophisticated attacks on cloud-based platforms like Salesforce. These attacks exploit vulnerabilities such as misconfigurations and the human factor through phishing and social engineering to steal sensitive data. AI is used to automate brute-force attacks to crack passwords and create convincing phishing emails, emphasizing the need for AI-driven cybersecurity measures.

  • Schneider Electric Ransomware Attack (January 2024) - The ransomware group Cactus hacked Schneider Electric, stealing 1.5 terabytes of data from its Sustainability Business Division, which serves clients like Walmart and DuPont. This raised concerns about data release, leading clients to pressure Schneider for a substantial ransom payment.

  • Cyber Av3ngers Attack on PLCs (November-December 2023) - The Iranian-linked group Cyber Av3ngers attacked internet-exposed Unitronics PLCs, disrupting a water utility near Pittsburgh (Aliquippa, PA) and a water scheme in Ireland for two days. The devices were reachable from the internet, many still with the default password, which is why the CISA advisory’s first recommendations were to change it and take the PLCs off the internet; the case highlights the vulnerability of industrial control systems and the need for improved security.

  • Triton Malware Attack - Triton malware targeted Schneider Electric’s Triconex safety controllers in critical infrastructure; the intruders got in through spear phishing and then manipulated controller memory to reprogram the safety functions. It was discovered after it caused an unintended safety shutdown, before the attackers completed their objective, and it highlighted the risk to industrial safety systems.

  • Forescout Report on OT Attacks - A report revealed that industrial automation protocols like Modbus and Ethernet/IP are major cyberattack targets, with a growing focus on building automation systems.

  • Dragos Ransomware Threat Landscape - Dragos reported a dynamic ransomware threat targeting industrial organizations, with groups refining techniques and forming alliances. Existing attacks caused operational disruptions, such as production halts and supply chain interruptions, but no new variants were designed for ICS.

  • HAHN Group Cyberattack: HAHN Group, a German industrial automation and robotics company, faced a cyberattack. IT staff detected and stopped it, leading to a system shutdown. The company investigated, reinstalled its infrastructure, and restored operations using backups.

  • Bernina hit by ransomware: Swiss sewing machine maker Bernina International AG was targeted by the ALPHV ransomware group, which published stolen files after Bernina refused to pay.

  • Automatic Systems ransomware attack: Belgian manufacturer Automatic Systems thwarted a ransomware attack by the ALPHV group, consulted cybercrime experts, and filed complaints in Belgium and France.

  • PLCs Targeted: In the recent past, certain advanced persistent threat (APT) actors developed tooling that could gain full system access to Schneider Electric programmable logic controllers (PLCs) and OMRON Sysmac NEX PLCs (the toolset reported by CISA in 2022 and known as PIPEDREAM / INCONTROLLER).

  • Stuxnet: The Stuxnet worm targeted Siemens S7 PLCs, disrupting the Iranian nuclear program.

Example list of incidents / data breaches from 2022, 2023 and 2024.

These incidents reflect the growing sophistication of cyber threats targeting industrial automation systems, highlighting vulnerabilities across automation layers.
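The Forescout and PLC items above share one lesson: on a plant network, the interesting traffic is not malware signatures but legitimate protocol messages sent by the wrong host, and Modbus has no authentication that would stop them. The following is an added example written for this digest, not code from the newsletter, Forescout or any vendor: it parses Modbus/TCP frames (the 7-byte MBAP header followed by the PDU, as in the Modbus specification) and flags writes and operational diagnostics from hosts outside a constructed allowlist. The IP addresses, the allowlist and the captured frames are all constructed for this example.

```python
"""Parse Modbus/TCP frames and flag state-changing traffic from unexpected hosts.

Added example, not code from the newsletter or the Forescout report. The host
addresses, the allowlist and the captured frames are constructed for this
example; the MBAP header layout and function codes are from the Modbus spec.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass

# Function codes that change controller state (coil/register writes, mask/read-write).
WRITE_FCS = {5, 6, 15, 16, 22, 23}
# FC 8 (Diagnostics) sub-functions with operational impact on a Modbus server.
DIAG_SUBFUNCTIONS = {1: "Restart Communications", 4: "Force Listen Only Mode"}

# Hosts allowed to write: SCADA server and engineering workstation (hypothetical addresses).
AUTHORIZED_WRITERS = {"10.20.2.10", "10.20.2.11"}

@dataclass(frozen=True)
class ModbusFrame:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int   # FC with the exception bit (0x80) stripped
    is_exception: bool
    data: bytes

def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusFrame | None:
    """Decode one ADU: 7-byte MBAP header (tid, protocol id, length, unit id) + PDU.

    Returns None if the frame is malformed: the protocol id must be 0 and the
    length field must equal unit id + PDU bytes.
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    return ModbusFrame(src, dst, tid, unit, fc & 0x7F, bool(fc & 0x80), payload[8:])

def inspect(frame: ModbusFrame) -> list[str]:
    """Detection logic for one frame; returns human-readable findings."""
    findings = []
    if frame.is_exception:
        code = frame.data[0] if frame.data else -1
        findings.append(f"exception response code {code} from {frame.src} (scanning or bad addresses?)")
        return findings
    if frame.function_code in WRITE_FCS and frame.src not in AUTHORIZED_WRITERS:
        findings.append(f"write FC{frame.function_code} to {frame.dst} unit {frame.unit_id} from unauthorized {frame.src}")
    if frame.function_code == 8 and len(frame.data) >= 2:
        sub = struct.unpack(">H", frame.data[:2])[0]
        if sub in DIAG_SUBFUNCTIONS and frame.src not in AUTHORIZED_WRITERS:
            findings.append(f"diagnostic '{DIAG_SUBFUNCTIONS[sub]}' to {frame.dst} from unauthorized {frame.src}")
    return findings

def analyze(traffic: list[tuple[str, str, bytes]]) -> list[str]:
    """Run inspect() over (src, dst, payload) tuples, skipping frames that do not parse."""
    findings = []
    for src, dst, payload in traffic:
        frame = parse_modbus_tcp(src, dst, payload)
        if frame is not None:
            findings.extend(inspect(frame))
    return findings

def build_adu(tid: int, unit: int, fc: int, pdu_data: bytes) -> bytes:
    """Assemble an ADU; used here only to construct the sample capture."""
    return struct.pack(">HHHB", tid, 0, 1 + 1 + len(pdu_data), unit) + bytes([fc]) + pdu_data

PLC = "10.20.1.50"
# Constructed capture: two legitimate frames, two from a host that should never write, one PLC exception.
SAMPLE_TRAFFIC = [
    ("10.20.2.10", PLC, build_adu(1, 1, 3, struct.pack(">HH", 0, 10))),                      # SCADA reads 10 registers
    ("10.20.2.11", PLC, build_adu(2, 1, 16, struct.pack(">HHB", 100, 1, 2) + b"\x01\x2c")),  # EWS writes a setpoint
    ("10.20.3.55", PLC, build_adu(3, 1, 6, struct.pack(">HH", 100, 0))),                      # rogue host zeroes a register
    ("10.20.3.55", PLC, build_adu(4, 1, 8, struct.pack(">HH", 4, 0))),                        # rogue host forces listen-only
    (PLC, "10.20.3.55", build_adu(5, 1, 0x83, b"\x02")),                                      # PLC: illegal data address
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_TRAFFIC):
        print("ALERT:", finding)
```

The "Force Listen Only Mode" case is the one to watch for: it is a single legitimate-looking frame that silences a controller's Modbus server, and only the source host tells you whether it was maintenance or an attack, which is why the allowlist, not the function code, carries the decision.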

How the CISO’s role has evolved for the automation stack

In the past, most CISOs within critical infrastructure, and especially in manufacturing, were limited in their roles and responsibilities to the enterprise side of things, while the CIO and other teams supported the industrial IT.

In the last few years, things have shifted dramatically for CISOs, and their role has evolved to take on cybersecurity responsibilities across the entire stack, beyond the Cloud, enterprise IT and DMZ layers.

CISOs are now involved in discussions and activities at different stages of the OT project lifecycle, from defining the cybersecurity requirements specification, procurement / evaluation, FAT, SAT, pre/post implementation, through to decommissioning.

Conclusion

AI is transforming industrial automation, from CRM systems to smart sensors, enhancing efficiency, quality, and cybersecurity.

Embracing AI is essential for smart manufacturing, requiring an understanding of market dynamics and emerging technologies to maintain operations and protect against cyber threats.

As attackers keep adapting their tactics, the IT-OT automation stack needs layered security controls, e.g., AI-assisted defenses, zero-trust principles, and quantum-ready infrastructure.

Businesses adopting this multi-tier approach report faster threat response and lower breach costs compared to legacy systems.

Stay tuned for our next monthly Digest, where we'll dive deeper into the emerging trends shaping the factories of tomorrow!

I’d love to know what you have seen work in:

  • your Industrial environment → if working as an asset owner.

  • your Industrial customers → If you are consultant / vendor / solutions provider.

My Recent Most Viewed Social Posts

In case you’ve missed - here are some of my recent most viewed social posts.

Ways in which I can help?

Whenever you are ready - I can help you with:

A - IT & OT Cybersecurity Advisory / Consulting services - for securing your business and or its digital transformation journey.

B - Security Awareness Training & Phishing Awareness Portal - Train your staff and build a Security awareness program through our subscription based service.

C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.

Visit the newsletter website for Links to above services and or reach out at info[at]securingthings[dot]com or DM me via LinkedIn.

D - Securing Things Newsletter - Sponsor this newsletter to showcase your brand globally, or subscribe to simply Get Smarter at Securing Things.

Reach out at newsletter[at]securingthings[dot]com or DM me via LinkedIn.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

Also, if you find this or previous newsletter edition(s) useful and know other people who would too, I'd really appreciate if you'd forward it to them. Thanks a ton.

Thanks for reading - until the next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

Follow Securing Things on LinkedIn | X/Twitter & YouTube.

Rate the newsletter content

Did you find the content valuable?


Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.
