In a concerning development within the cybersecurity landscape, key players in the tech industry, including hyperscalers and security giants, have emerged as central figures in discussions about AI-driven vulnerability discovery. However, operational technology (OT) companies have been notably absent from this critical conversation. This exclusion has raised alarms about potential risks to national security, given the essential role that OT plays in various critical sectors such as utilities, transportation, and healthcare.

According to Tatyana Bolton, the executive director of the Operational Technology Cybersecurity Coalition, a trade group representing OT security firms and equipment manufacturers, the absence of OT organizations from these discussions is glaring. None of the specialist OT cybersecurity companies contacted by Information Security Media Group (ISMG) reported being approached by leading AI labs like Anthropic or OpenAI. As Bolton articulated, this oversight appears to stem from a cultural disconnect between the prominent IT players and the more localized OT sector.

“When the big players convene, their focus tends to be on their peers within the hyperscale ecosystem rather than considering smaller-scale critical infrastructure operators,” Bolton noted, highlighting a mindset that prioritizes large institutions like major banks over essential local services, such as rural water utilities. This perspective encapsulates the broader divide between the tech hubs of Silicon Valley and the operational realities faced by rural America.

Despite multiple requests for clarification, neither Anthropic’s nor OpenAI’s press offices provided a statement regarding the criteria for lab access or the absence of OT entities in these discussions. The AI labs contend that by limiting access to their advanced models, they seek to give cybersecurity defenders a competitive edge. Their goal is to enable organizations to identify and remediate software vulnerabilities before adversaries leverage similar AI tools to exploit them.

Bolton insists that OT should play a pivotal role in these conversations, given its vulnerabilities are often targeted by nation-state adversaries. As she cautioned, emerging AI capabilities from labs like Anthropic and OpenAI have the potential to exacerbate these threats, making it imperative for OT to be included in the ongoing dialogue around coordinated vulnerability disclosure related to AI technologies.

The unique operational characteristics of OT systems, which are designed to have a long lifespan, introduce different security protocols compared to typical IT systems. Allan Friedman, a former senior advisor at the Cybersecurity and Infrastructure Security Agency (CISA), emphasized the distinct rhythm and rules that govern OT security. The significance of OT stakeholders in the cybersecurity landscape parallels that of open-source developers and leading cybersecurity firms, making it vital for them to have access to tools that can bolster their defenses amid increasing threats.

In an effort to broaden their scope, Anthropic has launched initiatives like Project Glasswing, engaging 40 open-source projects to better understand the nuances associated with vulnerability handling in various software environments. Meanwhile, OpenAI’s Trusted Access for Cyber program aims to provide tiered access to its models, ensuring that a vetted group of cybersecurity researchers can utilize advanced AI tools for enhanced threat detection and mitigation.

However, according to Friedman, the protocols and processes devised by these frontier labs may not translate effectively to the OT domain. The traditional frameworks for assessing vulnerability severity do not adequately reflect how these issues manifest within OT systems. Consequently, the need arises for a bespoke approach that understands the specific realities of OT deployments and prioritizes urgent vulnerabilities accordingly.

Furthermore, stakeholders within the OT sector, such as Armis—a security vendor specializing in OT and IoT—expressed eagerness to engage with the labs’ programs but anticipated challenges stemming from a general hesitance towards adopting AI technologies within the OT market. Carlos Buenano, Armis’s Chief Technology Officer for OT, indicated that vendors in this sector often lag in recognizing the value of AI-driven solutions, as the dynamics of the marketplace discourage embracing newer technologies.

Concerns surrounding federal dynamics further compound the issue. The recent designation of Anthropic as a supply-chain risk by Secretary of Defense Pete Hegseth poses additional obstacles, restricting military utilization of Anthropic’s technologies for an extended period. This designation not only impacts federal operations but also creates a cascading effect through the technology sector. Industry stakeholders, particularly those reliant on federal contracts, may shy away from affiliations with initiatives like Project Glasswing out of fear of repercussions.

Consequently, many within the OT security community believe that the exclusion of OT companies from critical conversations and resources represents a significant oversite with far-reaching implications. Stakeholders are urging frontier AI labs to reconsider their approach to ensure that the vulnerabilities specific to OT systems are adequately addressed. As technological advancements continue to shape the cybersecurity landscape, a more inclusive dialogue that encompasses diverse stakeholder perspectives, particularly those from the OT realm, is essential for fortifying national security.