OT Security

AI for OT: Why Industrial Control System Security Is the Hardest Problem in AI Cyber, and the Most Important

Why AI security tools built for IT fail in industrial control systems, and what an OT-aware architecture actually requires.

A misfire in an enterprise IT environment is a ticket. A misfire in a steel mill can be a death. That asymmetry isn't new. What's new is that AI security tools built for IT are now being marketed into operational technology environments without the architectural changes the asymmetry demands. You end up with a category that looks identical in a slide deck and behaves dangerously different in the field.

I want to be specific about three things: why standard AI security approaches fail in OT, what an OT aware AI system actually has to look like, and why this is both the hardest problem in AI cybersecurity to solve and the most important one to solve well. I've spent enough time staring at Modbus packet captures and Purdue model diagrams to feel comfortable writing this down. The field needs more voices on it, not fewer.

Why standard AI security fails in OT

Three properties of operational technology environments are non negotiable. AI security tools that ignore any of them produce outcomes that range from useless to dangerous.

Property one. Determinism. A control system in a refinery, a power plant, or a manufacturing line has to behave the same way today as it did yesterday. Production schedules, safety cases, and regulatory approvals all rest on the assumption that a specific input produces a specific output, every single time. AI security tools that inject probabilistic behavior into the control loop break that. A defender that occasionally blocks legitimate Modbus writes in pursuit of a 99.5 percent accurate model isn't a defender. It's a saboteur with good intentions.

Property two. Safety preservation. OT environments run layered safety systems whose whole job is to stop the equipment from damaging itself or the people near it. An AI security tool that interposes on control traffic without understanding the safety architecture can break the safety chain in ways nobody sees until the thing the chain was supposed to prevent actually happens. The interposing tool needs explicit awareness of which traffic is safety critical, which is operationally important, and which is incidental noise. Most current offerings have none of that awareness.

Property three. Bandwidth scarcity. OT networks are often slow by IT standards. Serial interfaces. Cellular backhaul. Fixed bandwidth allocations that have been in place since the equipment was commissioned in 2003. AI security tools that ship full packet captures to a cloud analyzer assume bandwidth the OT environment doesn't have. Tools that need local compute have to fit on hardware budgets that never anticipated AI workloads.

These three properties aren't bugs to engineer around. They're the design constraints. An AI security tool that doesn't respect them gets rejected by the plant operators, which is the correct outcome, or it gets deployed and causes incidents, which happens more often than the trade press currently reports.

What an OT aware AI security tool actually looks like

Let me sketch the shape of a defensible OT AI security architecture, because the field needs concrete sketches and fewer abstract claims.

Local first inference. The model runs at the plant, not in the cloud. That isn't negotiable. Latency points there, bandwidth points there, and the regulatory posture points there too. The hardware budget is small, which is exactly where the small model thesis I've written about elsewhere stops being optional. A 3 billion to 8 billion parameter model running on a ruggedized industrial PC is the right footprint.

Read only by default. The AI's default capability is to observe and alert. It doesn't interpose on control traffic, it doesn't block, and it doesn't modify. The capability to take action exists, but it's gated behind explicit operator approval for each action class, with full audit. Safe is the default mode. Active is the exception.

Protocol awareness. The model has to understand Modbus, OPC UA, EtherNet/IP, BACnet, MQTT, and the rest of what's actually in use on the wire. Generic anomaly detection on byte distributions doesn't count. Protocol awareness means the system knows what a function code 6 (write single register) means in a refinery context, tells it apart from a function code 16 (write multiple registers) on a manufacturing line, and recognizes that the same byte pattern carries different operational meaning in the two places.

Process aware baselining. The defender has to know what the process looks like running normally, and that baseline has to be specific to the plant. A pump cycling pattern at one facility can be identical to a malicious actuator manipulation at another. The baseline can't be vendor supplied. It has to be learned at the plant, validated by the plant's process engineers, and updated when the operating envelope shifts, which it does with every shift change and every maintenance window.

Air gap compatible. The system has to run when the cloud isn't reachable. Not as a degraded mode. As the normal mode. The cloud might be useful for the occasional model update or telemetry forwarding when policy allows. It is not the operating environment.

This shape is achievable. The components exist. Most vendors marketing into OT just haven't assembled them into a coherent product yet.

The procurement trap

There's a procurement pattern in OT AI security I want to name, because I've watched plant operators fall into it three times in the last year.

It goes like this. A vendor with strong IT security credentials decides to expand into OT. They take their existing AI security platform, bolt on Modbus parsers, and ship it as an OT product. The slide deck is impressive. The integration timeline is short. The price is comparable to existing IT tooling.

The plant's CISO buys it. The plant's process engineers never get consulted, because OT security has historically been an IT decision. The deployment goes in. For three months it produces no useful alerts and no false positives. The CISO marks the procurement a success. Then in month four, the system flags an anomaly during a planned maintenance window. The plant operator, trained to trust the alert, halts the production line. That halt costs the company $1.4 million in lost output and three days of restart procedures. The CISO, the vendor, and the plant operations team have a meeting that is not friendly.

This isn't theoretical. Variants of it are happening regularly, and the pattern is the same each time. IT origin tooling. Insufficient OT awareness. A deployment that performs adequately right up until the first non standard operating condition. An incident that costs more than the tooling ever saved.

The procurement defense is unsentimental. Don't buy OT AI security from vendors who lack OT specific architecture. The IT vendor with bolted on OT is the wrong tool. The pure play OT vendor whose AI module respects the three properties above is the right one. The procurement officer who can't tell the difference is the procurement officer who creates the next case study.

Why this is the most important problem to solve well

Two reasons. First, OT environments run things that hurt people when they fail. Power grids, water treatment, hospital HVAC, industrial automation. The blast radius of a security incident in OT is far larger than the equivalent in IT.

Second, OT is increasingly the front line of nation state activity. The publicly reported incidents are a small fraction of the actual targeting. The defensive technology has to mature faster than the offensive technology. If it doesn't, the asymmetry will produce incidents that get pinned on a single bad actor when the real cause is structural underinvestment in OT specific defensive AI.

The work is harder than IT AI security because the constraints are tighter. It's more important because the stakes are higher. The vendors who do it well will be the ones who treated OT as a separate category instead of a feature bolted onto an existing IT product. The ones who don't will be writing apologies after the next incident.

A closing observation

OT AI security is its own category, with its own constraints and its own design space. It is not a special case of IT AI security. The procurement officers and vendors and plant operators who internalize that in 2026 will build defenses that hold. The ones who keep treating OT as IT with extra protocols will produce headlines.

Nobody gets a parade for writing a defender that respects determinism, preserves safety, and runs on a 16GB embedded PC. There's also no substitute for it. The plant operators already know this. The IT security vendors are starting to learn it. The procurement officers in the middle are the population that decides how well this gets resolved over the next twenty four months.

← All Posts

Bring the Data Center to the Workload.

Talk to us about deploying Atlas for your mission.

Contact Us