ISA/IEC 62443 and Risk Assessment: New Horizons in the AI Revolution

Risk assessment has long been an important component of any cybersecurity program and operation for organizations in industrial automation and control systems (IACS). The significance of risk assessment has been thoroughly covered and discussed within the ISA/IEC 62443 series of standards, especially in ISA/IEC 62443-3-2. These standards outline all the aspects that organizations need to follow and focus on to conduct well-rounded risk assessment processes, representing the first phase of the cybersecurity lifecycle in the standard, known as the assess phase.

Artificial intelligence (AI) has of late become a hot topic permeating every corner of our lives, particularly in discussions about IACS and operational technology (OT). Industry 4.0 prominently features AI as a mainstay alongside cybersecurity. 

Within the realm of cybersecurity for IACS, risk assessment is deemed the most crucial action and the initial phase in ISA/IEC 62443. Simultaneously, AI has shown revolutionary potential, especially in applications like natural language processing (NLP), such as ChatGPT. The current question on many organizations' minds is how to effectively integrate both risk assessment and AI NLP applications into OT processes. How can organizations adapt to stay ahead with this revolutionary technology? 

This article aims to delve into how organizations can adopt AI technologies to enhance risk assessment operations for their OT systems. 

Why do organizations need to use AI for risk assessment? 

Consider AI NLP applications, or chatbots like ChatGPT, as individuals with years of experience in cybersecurity, capable of providing high-quality answers to any questions posed to them. Organizations, upon encountering such expertise, would naturally seek to integrate such individuals into their operations to aid in their tasks. Similarly, organizations can leverage AI itself for this purpose. 

Artificial intelligence simulates human thinking to perform specific tasks. Consequently, AI has demonstrated revolutionary results in various industries, including cybersecurity. It excels in factor analysis, such as understanding risk factors and threats, which are critical tasks in risk assessment and analyzing the relationship between them. AI stands to provide significant assistance to organizations in this area. 

ISA/IEC 62443 standards and AI integration strategy 

The fundamental strategy for AI integration with the ISA/IEC 62443 series would seem to be simple – just train AI models on the standards to enable them to answer questions and address implementation in different scenarios. But the standards are proprietary, and training AI on licensed information would require the owner's permission. Users may not upload the ISA/IEC 62443 standards into ChatGPT or any other third party AI. 

To enhance integration strategy while complying with copyright law, organizations can address this issue in two ways: 

• Benchmarking and feeding existing AI models: Organizations can benchmark AI models like ChatGPT by asking questions about specific topics in OT cybersecurity. 

• Fine-tuning open-source AI models: Tuning AI models involves customizing open-source AI models to specific areas by training them with a small dataset related to OT cybersecurity practices. This process makes the AI model familiar with the company's processes and standards. However, this method requires specific tools and AI expertise to execute effectively. 

AI challenges 

Before integrating AI into organizational processes and operations, it's imperative for organizations to understand the risks associated with its use. These risks primarily encompass privacy and security concerns. 

• Privacy and copyright violation risk: Organizations face privacy and copyright risks when their data is collected by AI model developers to train the model. Once collected, this data forms a dataset used for model training, making it challenging to remove from the AI model. This poses a risk of exposing sensitive or legally protected information to users. 
• Accuracy and quality risk: Without certainty of the source of information provided by the AI model, it can be difficult to assess whether or not the solutions offered by AI are accurate or effective. 
• Risk mitigation for privacy concerns involves adhering to AI-acceptable use policies and procedures, implementing data loss prevention (DLP) technologies, and opting for enterprise services that promise not to use organizational data for training models. 
• Security risk: AI systems can pose security risks to organizations, such as AI model poisoning, where attackers manipulate the model to generate inaccurate or harmful information. Implementing a Zero Trust Approach ensures that organizations thoroughly review and analyze information provided by AI models before relying on it. 

Additionally, organizations are encouraged to explore research on poison attacks and other threats from frameworks like MITRE ATT&CK. 

Risk Assessment and AI Integration Strategy 

When planning integration between risk assessment and AI for OT systems, organizations must prepare meticulously and update their risk assessment lists to include risks associated with AI solutions.

The core of the integration strategy lies in defining clear goals for AI implementation within organizations. Clear goals ensure that integration efforts are focused and effective, whether aimed at improving risk assessment processes, reducing costs, or saving time. 

Assuming clear goals are defined and all steps are properly executed, organizations can adopt this strategy by considering both the people and process perspective and the organizational perspective. 

• People and process perspective: This involves documenting roles, responsibilities, and process details for risk assessment, simplifying tasks for AI models to perform. Organizations must master prompt engineering to effectively interact with AI, ensuring a smoother integration strategy. 

• Organizational perspective: This perspective focuses on permanently integrating AI with the organization's DNA, ensuring that AI becomes an integral part of every risk assessment performed within the organization. However, this requires significant effort and commitment from organizations across all aspects, from budgeting to implementation. 

Conclusion 

In conclusion, AI has revolutionized many industries and holds immense potential to enhance processes, particularly in cybersecurity, where OT systems stand to benefit significantly. However, organizations must exhibit vision and adaptability to embrace current industry trends effectively.