Pure Play OT Security Firms Want A Seat At The Table

Manufacturers, operators and their security vendors in the operational technology (OT) cybersecurity community are increasingly anxious about being sidelined as artificial intelligence (AI) is put to work protecting vital software systems. The concern is that as major stakeholders pivot toward AI, the requirements and security challenges specific to OT may not be adequately addressed.
The alarm was sounded by the unveiling of Mythos Preview, an AI model recently developed by Anthropic. The model is reported to be exceptionally capable at identifying zero-day vulnerabilities and crafting sophisticated exploits. Anthropic disclosed that the model would not be broadly released because of concerns over its potential misuse and the dangers it presents. That decision raises questions about equitable access to such powerful tools in cybersecurity.
Central to this situation is Project Glasswing, a selective initiative curated by Anthropic. The group comprises notable players in IT security, including CrowdStrike, Microsoft, Google and Cisco, all of which may use Mythos to scrutinize their codebases for vulnerabilities. No pure-play OT or industrial control system (ICS) original equipment manufacturers or security firms are among the coalition members, however, which has frustrated the OT security community.
Sean Tufts, the Field Chief Technology Officer of the pure-play OT security firm Claroty, articulated the sentiment prevalent among OT security professionals. He emphasized the necessity for participants who are exclusively dedicated to OT security, remarking, “We see security vendors from some larger platform plays, who might offer OT options. I think that’s really helpful. But we need people in there that are more OT specific and OT only.” His assertions underscore the urgency of having specialized representation when it comes to securing critical infrastructure.
The capabilities showcased by Mythos are not entirely unique. A previous competition organized by the Defense Advanced Research Projects Agency (DARPA) highlighted the growing possibilities of AI-driven cybersecurity tools. Seven teams developed open-source large language models (LLMs) capable of scanning software libraries for concealed flaws, emphasizing a collaborative approach to addressing systemic weaknesses.
Anthropic’s commitment to publicly disclose vulnerabilities identified by Mythos once they are patched is a step toward responsible security practice. It does not remove the challenges facing OT security, however. Tufts pointed out that the traditional timelines for patching vulnerabilities are often extended in OT environments, stating, “The speed and the ferocity is increasing now at the pace of AI.” This creates a paradox: vulnerabilities are discovered almost instantaneously, but the remedies lag considerably behind.
Rob Lee of the SANS Institute weighed in on these dynamics, saying that if developing and deploying patches stretches across weeks or months, the result is a window of vulnerability that can be exploited, with significant ramifications given the current geopolitical landscape. That uncertainty, exacerbated by potential adversarial actions, drives home the need for more rapid and effective mitigation strategies.
The absence of OT/ICS companies from Glasswing also raises questions about the makeup of its membership. Leah Siskind, an AI research fellow at the Foundation for Defense of Democracies think tank, observed that discussions are ongoing about including other leading AI firms, such as OpenAI, which could broaden the coalition’s reach and capabilities. She also expressed concern about the lack of federal agency involvement, emphasizing the need for government institutions to engage proactively with these initiatives to safeguard national interests.
In sum, the debate over AI advances and OT cybersecurity underscores the need for representation from diverse stakeholders across the security landscape. Initiatives such as Project Glasswing signal progress, but inclusive dialogue and cooperative engagement remain essential, particularly for the sectors that maintain national infrastructure and security.
With reporting by Information Security Media Group’s Mathew J. Schwartz in Scotland.

