Vince Kuchar, CEO of RMC, & Sophia Skwarchuk, Cybersecurity Specialist
The rise of generative AI (Gen AI) in cybersecurity has brought new, heightened risks to Operational Technology (OT) environments that support our nation’s most critical infrastructure. In recent months, the use of Gen AI by cyber adversaries has evolved rapidly, expanding across all stages of the cyberattack lifecycle. These developments have generated concern among OT operators similar to that raised by the 2022 release of Pipedream, a Swiss Army knife for hacking OT systems. Like Pipedream before it, the availability of Gen AI lowers the technical skill required to execute sophisticated attacks on industrial systems, empowering a wider range of adversaries to exploit critical infrastructure.
Recent reports have confirmed specific cases of Gen AI-powered reconnaissance, vulnerability exploitation, and malware deployment against OT systems. Iranian state-sponsored actors have utilized Gen AI tools to enhance their methods and tactics, accelerating attack cycles and expanding threat capabilities. With threat actors increasingly leveraging Gen AI to achieve their malicious objectives, the stakes for OT cybersecurity and risk management have never been higher.
Reconnaissance: Setting the Stage with Gen AI
The reconnaissance phase – where attackers gather intelligence on potential targets – has long been an essential component of any cyber operation. The emergence of Shodan in 2009 provided attackers with crucial data to help them target internet-connected devices. Gen AI significantly accelerates this phase, providing attackers with insights on OT infrastructure with greater speed and specificity than traditional methods allow.
One notable example is CyberAv3ngers, a group reportedly linked to Iran’s Islamic Revolutionary Guard Corps, which has targeted industrial control systems (ICS) at water utilities in the U.S. and Ireland. Using tools like OpenAI’s ChatGPT, CyberAv3ngers researched programmable logic controllers (PLCs), industrial routers, and network protocols commonly found in OT environments. They also identified critical information, such as default passwords for specific industrial devices and the infrastructure details of electricity companies in Jordan.
This ability to streamline reconnaissance through Gen AI is concerning, as it lowers the barrier to entry for both sophisticated state-sponsored adversaries and less skilled “script kiddies” targeting OT environments.
Post-Compromise and Malware Development
Following initial reconnaissance, Gen AI is also aiding adversaries in the post-compromise phase, where they actively exploit vulnerabilities and expand their foothold within OT systems. For instance, the group STORM-0817 employed ChatGPT to generate server-side code, enabling it to manage connections with compromised devices seamlessly. Meanwhile, CyberAv3ngers used Gen AI to refine their post-compromise strategies, including vulnerability exploitation and password theft on macOS systems.
Additional examples include SweetSpecter, which utilized Gen AI for vulnerability analysis and scripting, and TA547, which deployed a PowerShell loader written by Gen AI to execute its final payload, the Rhadamanthys info-stealer. These cases underscore how Gen AI allows attackers to script, refine, and deploy complex malware with less specialized knowledge and fewer resources than traditionally required.
Broader Implications for OT Security
OpenAI and other developers of Gen AI tools have stated that these applications do not offer attackers any novel capabilities that couldn’t otherwise be achieved with existing technologies. However, the real concern lies in the accessibility and speed that Gen AI introduces to the attack lifecycle. With Gen AI, threat actors can accelerate their reconnaissance and malware development phases, giving them a tactical advantage and enabling attacks to occur at a faster pace than some OT defenses can manage.
The use of Gen AI by sophisticated, state-sponsored actors is an indicator that threat capabilities will only continue to grow as Gen AI evolves. When RMC published its first blog on AI in OT cybersecurity, AI-driven attacks were more of a potential risk than a tangible one. The fact that we are now seeing Gen AI actively used in OT-directed attacks reflects an evolution we can expect to continue, demanding that OT environments adapt rapidly to these emerging threats.
The RMC Approach to Mitigating AI-Enabled Threats
As Gen AI lowers the technical threshold required to launch sophisticated attacks, the probability of cyber incidents affecting OT environments increases. This shift in the threat landscape makes it critical for organizations to adopt a proactive and robust approach to OT cybersecurity and risk management.
At RMC, we help clients harden their OT environments against the new wave of AI-enabled threats, implementing strategic defenses that mitigate exposure and prevent systems from becoming “low-hanging fruit.” Our cybersecurity strategies emphasize both resilience and adaptability, recognizing that the rapidly changing nature of AI-driven threats requires solutions that can evolve in tandem with the risks.
In an age where adversaries can leverage powerful, low-cost Gen AI tools, staying ahead demands more than reactive measures. RMC equips clients with proactive defenses that guard against intrusions of all sorts and provide a resilient foundation for navigating the evolving OT cybersecurity landscape.
Gen AI continues to reshape the world of OT cybersecurity, with both risks and capabilities advancing in tandem. As threat actors find new ways to exploit Gen AI tools across the cyberattack lifecycle, RMC remains committed to helping clients build secure, resilient OT environments capable of withstanding the next wave of AI-driven threats.