Building Cyber Resilience: AI-powered defence strategies for OT networks

By Sumeet Sharma, Vice President, Automation, Communications and Protections, Adani Energy Solutions Limited

OT networks and vulnerabilities

OT networks are designed to support real-time and deterministic operations, where strict timing and predictable protocols are essential for ensuring safe and continuous control of industrial processes. These networks rely on specialised hardware and technologies such as supervisory control and data acquisition systems, programmable logic controllers and sensors, many of which operate on older protocols with limited built-in security features. In OT environments, high availability and process safety are prioritised over conventional IT performance goals, while the direct interaction between digital systems and physical machinery adds further complexity to monitoring and cybersecurity management.

However, OT networks remain highly vulnerable to cyber threats due to several persistent challenges. Legacy software and firmware often do not receive timely updates, leaving known vulnerabilities unpatched and susceptible to exploitation. Insufficient network segmentation between IT and OT environments increases the risk of lateral movement by attackers. In addition, many OT devices continue to rely on weak authentication mechanisms, default credentials and inadequate encryption practices, making unauthorised access easier.

The continued use of insecure legacy protocols further exposes industrial control systems to spoofing and man-in-the-middle attacks, as these protocols were not originally designed with cybersecurity in mind. Misconfigured remote access solutions also expand the attack surface, enabling external threats to penetrate critical systems. Further, inadequate monitoring capabilities and delayed patch management increase exposure across internet-facing OT assets, leaving critical infrastructure vulnerable to potential exploitation.

Role of AI in OT cyberattacks

AI is increasingly being leveraged to support cyberattacks targeting OT environments. AI automates network scanning by identifying networks, protocols and exposed services to rapidly surface vulnerabilities. AI can also assist in OT asset mapping by correlating devices, network topology and system dependencies to identify critical operational paths and weak links within industrial infrastructure. Further, machine learning-based traffic pattern analysis can infer protocol usage, timing behaviour and operational anomalies, allowing attackers to develop low-noise intrusion techniques designed to evade detection. Simulated attack modelling using AI can also generate attack graphs and identify optimal intrusion vectors for compromising industrial systems.

AI has further strengthened reconnaissance capabilities targeting industrial assets. By rapidly analysing publicly available information, AI tools can map industrial architectures, vendor technologies and operational environments with greater speed and accuracy. At the same time, the expanding digital footprint of OT systems through remote gateways, industrial internet of things devices and vendor communication channels has increased the exposure of critical infrastructure. AI-driven tools can automate the identification of weak entry points and develop targeted exploits for industrial protocols such as Modbus. In this context, effective zoning, reduced internet exposure and controlled disclosure of operational information have become critical measures for mitigating AI-driven cyber risks.

AI is also intensifying social engineering threats aimed at OT personnel, including operators, engineers, system integrators and support staff who play critical roles in industrial operations. AI-generated phishing emails, as well as deepfake audio and video content, can closely imitate trusted vendors and internal communications, increasing the likelihood of successful compromise. Such attacks can potentially affect safety systems and production networks, posing risks to both operational continuity and industrial safety. Addressing these threats requires a combination of employee awareness, procedural safeguards and strong identity and access management practices alongside conventional technical security measures.

In addition, AI is enabling more advanced malware customisation and living-off-the-land techniques within OT environments. Attackers can use AI to tailor malware specifically for industrial devices and systems, improving both stealth and operational effectiveness. Living-off-the-land techniques involve the misuse of legitimate system tools and utilities to conceal malicious activities within routine operations, making detection significantly more difficult. These risks are compounded by the fact that OT environments often resist frequent patching and invasive monitoring due to operational and safety constraints. As a result, cybersecurity strategies in OT systems increasingly focus on anomaly detection, strict access controls and continuous monitoring of engineering and operational activities.

Defence strategies for OT cybersecurity

One of the primary applications of AI is anomaly detection in industrial networks. By learning stable operational and process behaviour patterns over time, AI-based systems can detect deviations from normal activity and identify unauthorised changes or abnormal behaviour at an early stage. Such capabilities enhance threat detection while supporting passive monitoring approaches that minimise operational disruption and maintain system integrity and safety. These capabilities also support compliance with the IEC 62443 framework for the cybersecurity of industrial automation and control systems by enabling timely cybersecurity response and improving system integrity management.

AI is also strengthening asset visibility and risk assessment across industrial environments, particularly in brownfield facilities where complex operational histories often make comprehensive asset visibility difficult. AI-driven tools can passively identify OT assets, detect firmware versions and classify devices based on their operational role and criticality. Improved asset intelligence enables more effective risk-based security decisions, particularly in the design and management of security zones and conduits. In addition, accurate and continuously updated asset data supports targeted security implementation and more efficient allocation of cybersecurity resources while maintaining operational flexibility.

In industrial security operations centres (SOCs), AI is helping address several limitations associated with traditional IT-centric monitoring systems. Conventional SOCs often generate large volumes of alerts that may not be relevant to OT operations, overwhelming operational teams and reducing response efficiency. AI-enhanced SOC platforms can correlate both IT and OT security events, filter false positives and prioritise incidents based on their potential impact on industrial processes. OT-aware AI analytics further provide contextual insights into operational environments, enabling security teams to focus on threats that could affect safety, reliability and production continuity. These capabilities support compliance with IEC 62443 requirements while also reducing threat detection and response time without causing operational downtime.
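The baseline-learning anomaly detection described above, together with impact-based alert prioritisation, as an added illustration that is not part of the original article or any vendor's product. It passively profiles constructed Modbus/TCP flow records (the hosts, unit IDs and register numbers are made up), flags deviations from the learned profile, and ranks state-changing anomalies first; the record layout and severity policy are assumptions for the example.

```python
from collections import defaultdict

# Modbus public function codes that modify PLC state (constructed severity policy:
# a write from an unexpected source can change the process, so it ranks highest).
WRITE_CODES = {5, 6, 15, 16, 23}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed learning window: (src, dst, unit_id, function_code, start_register).
# The HMI (.10) only reads; the engineering station (.30) reads and writes register 200.
BASELINE = [
    ("10.1.1.10", "10.1.2.20", 1, 3, 0),
    ("10.1.1.10", "10.1.2.20", 1, 3, 100),
    ("10.1.1.10", "10.1.2.20", 1, 4, 0),
    ("10.1.1.30", "10.1.2.20", 1, 6, 200),
    ("10.1.1.30", "10.1.2.20", 1, 3, 200),
]

# Constructed observation window mixing normal polls with three deviations.
OBSERVED = [
    ("10.1.1.10", "10.1.2.20", 1, 3, 50),    # inside learned range: normal
    ("10.1.1.10", "10.1.2.20", 1, 6, 200),   # HMI never wrote before
    ("10.1.1.30", "10.1.2.20", 1, 6, 900),   # write to a register never touched in baseline
    ("10.1.1.99", "10.1.2.20", 1, 16, 0),    # unknown host issuing a multi-register write
    ("10.1.1.10", "10.1.2.20", 1, 3, 100),   # boundary of learned range: normal
]

def learn_baseline(records):
    """Per (src, dst, unit): each function code seen and its (min, max) start register."""
    profile = defaultdict(dict)
    for src, dst, unit, fc, reg in records:
        lo, hi = profile[(src, dst, unit)].get(fc, (reg, reg))
        profile[(src, dst, unit)][fc] = (min(lo, reg), max(hi, reg))
    return profile

def detect(profile, records):
    """Flag unknown peers, function codes never seen for a peer, and out-of-range registers."""
    alerts = []
    for src, dst, unit, fc, reg in records:
        key = (src, dst, unit)
        if key not in profile:
            alerts.append(("high" if fc in WRITE_CODES else "medium", "new_peer", key, fc, reg))
        elif fc not in profile[key]:
            alerts.append(("high" if fc in WRITE_CODES else "low", "new_function_code", key, fc, reg))
        else:
            lo, hi = profile[key][fc]
            if not lo <= reg <= hi:
                alerts.append(("medium", "register_out_of_range", key, fc, reg))
    return alerts

def prioritise(alerts):
    """Order by potential process impact so state-changing anomalies are triaged first."""
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a[0]])
```

Running `prioritise(detect(learn_baseline(BASELINE), OBSERVED))` surfaces the two write anomalies ahead of the out-of-range read, while the normal polls produce nothing; in practice the learning window would be validated against the engineering change log before the profile is trusted.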

AI is also supporting incident response and recovery processes in industrial cybersecurity environments. AI-based systems can assist in reconstructing attack timelines to help organisations better understand the sequence, scale and impact of cybersecurity incidents. Predictive impact analysis further enables operators to assess potential consequences on industrial processes and take proactive measures for safe containment and recovery. At the same time, effective cybersecurity governance continues to require a human-in-the-loop approach, where AI supports decision-making while trained personnel retain operational control to ensure safety and reliability.

The way forward

Going forward, the effective integration of AI into industrial cybersecurity frameworks will require strong alignment with the principles of IEC 62443. AI should function as an enabling technology that strengthens existing security controls rather than replacing fundamental protections such as network segmentation and access control within OT environments. AI-driven tools can support risk-based security approaches by helping organisations determine appropriate security levels and prioritise risks through informed analysis. However, AI systems themselves require continuous life cycle management, including regular validation, monitoring and maintenance to ensure reliability and effectiveness in industrial settings. At the same time, human oversight will remain essential to ensure that AI-enabled cybersecurity measures continue to align with operational, reliability and safety objectives.

A balanced approach between automation and human supervision will also be critical in OT cybersecurity strategies. AI-driven automation can significantly improve the speed and coverage of threat detection and incident response across industrial networks. However, cybersecurity experts remain necessary to interpret AI-generated outputs, validate responses and address operational or ethical complexities that AI systems may not fully understand. Human operators also play a crucial role in verifying or overriding AI-generated alerts in order to minimise false positives and false negatives. In high-risk industrial environments, human judgement continues to be indispensable for complex decision-making where contextual understanding, safety considerations and operational priorities extend beyond the capabilities of automated systems.