Cybersecurity: Generative AI & System Recovery

Sarah Kolberg | February 19, 2024

"We are not on an island of incompatibility. We have attack surfaces," explains Prof. Dr. Tobias Heer, professor at Esslingen University of Applied Sciences and researcher in the Future Networking Technologies department at Hirschmann Automation & Control. Just a few years ago, many companies saw cyber-attacks only as a theoretical possibility rather than an actual threat. They assumed they were not a strategic target and therefore not attractive to cyber criminals. Nowadays, almost all companies are affected by cybersecurity problems and attacks. New technological developments, such as generative artificial intelligence (AI), pose a major threat. For many affected companies, however, system recovery after an attack is the real mammoth task.

Cybersecurity in the industry - the current situation

The size, sector and previous exposure of a company often indicate its level of cybersecurity. Listed companies are particularly attractive targets and must therefore take far-reaching security measures. Operators of critical infrastructure (CRITIS), such as the energy sector, transportation or the telecommunications industry, are legally required to have certain security measures and standards in place.

In some sectors, there are specific industry standards and requirements, such as TISAX® in the automotive industry. In industries without regulations, there is no standardized level of security. IT security is increasingly becoming an economic factor: companies that protect themselves are reliable business partners and suppliers and can be trusted with customer data. Supply chains in particular are increasingly under attack.

New technologies make cyber-attacks more efficient

In recent years, technologies such as artificial intelligence have mainly been used for analytical purposes. With developments like ChatGPT, generative AI is becoming more important. Attackers can also take advantage of it to make their attacks more effective, higher in quality and cheaper.

There are numerous opportunities for attackers, especially during the initial infection. The initial infection describes the entry method used by cyber criminals to gain access to a system for the first time. The most effective methods are social engineering and entry via system vulnerabilities.

Generative AI makes social engineering much more dangerous. Security awareness training sensitizes employees to phishing emails and dubious content. With the help of AI, however, this content can be made convincing and tailored precisely to specific roles in the company.

Voice and code via AI

In addition to highly specific phishing content, AI voice generators can imitate the voices of superiors or colleagues. The voice model can be built from publicly accessible recordings, for example the company's YouTube content in which the person in question can be heard. If such a caller then tells you about an email that needs to be processed quickly, it is easy to violate security guidelines in the rush, for example by downloading a malicious attachment. Accordingly, more caution is also required when taking calls!

Generative AI can not only imitate and create images, videos or voices, but also write code. AI therefore also simplifies the creation of specific malware. Programs that detect vulnerabilities and exploit them can be written in a very short time. Both steps, which were previously time-consuming, can be automated. The quality of the attacks increases while the cost per attack decreases, so a larger number of companies can be targeted. Employees need greater security awareness in order to recognize social engineering attacks, and at the same time vulnerabilities in systems become visible to attackers much more quickly.

System recovery time-consuming and costly

Given the new opportunities available to attackers, companies that see themselves as unattractive targets should also take proactive security measures. Even if an attack cannot be prevented, the right security solutions help with damage control and IT forensics.

The following questions need to be clarified after a cyber-attack:

  • Which systems are affected?
  • How did the attacker gain access?
  • How long has the attacker been in the system?
  • Which systems need to be isolated?
  • Which systems need to be reinstalled?
  • Has there been any data loss?

A backup must be identified that was taken before the attacker was in the system. In addition, renewed attacks must be ruled out, for example via backdoors the attacker left behind. Even once a ransom has been paid or the attacker has been successfully locked out of the system, many companies face a much more serious issue: system recovery. In the best-case scenario, the steps for system recovery are clear before an attack occurs, because restarting systems often proves to be complicated, especially in OT environments. Decentralization and heterogeneity can mean intense logistical effort.
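Choosing a restore point that predates the attacker's presence, and measuring the resulting data-loss window, can be automated against a backup catalogue. The following is an added example, not code from the article or from macmon; it assumes a catalogue of backups with timestamps and SHA-256 digests recorded at backup time and stored offline, and an earliest-compromise timestamp taken from the forensic timeline.

```python
"""Select a clean restore point from a backup catalogue (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class Backup:
    taken_at: datetime   # when the backup was taken (UTC)
    label: str           # constructed identifier for the backup set
    sha256: str          # digest recorded at backup time, kept offline


def select_clean_backup(backups, first_compromise, margin_days=2):
    """Return the newest backup taken before the earliest known attacker presence.

    A safety margin is subtracted because the initial-access time from the
    forensic timeline is usually an estimate. Returns None when no backup
    predates the cutoff, i.e. there is no clean restore point at all.
    """
    cutoff = first_compromise - timedelta(days=margin_days)
    clean = [b for b in backups if b.taken_at < cutoff]
    return max(clean, key=lambda b: b.taken_at) if clean else None


def verify_backup(backup, data):
    """Check that the backup data still matches the digest recorded offline."""
    return hashlib.sha256(data).hexdigest() == backup.sha256


def data_loss_window(backup, first_compromise):
    """Hours of changes between the restore point and the compromise."""
    return (first_compromise - backup.taken_at) / timedelta(hours=1)


# Constructed sample catalogue: weekly backups, each with its recorded digest.
SAMPLE_CONTENT = {lbl: f"backup set {lbl}".encode() for lbl in ("w05", "w06", "w07")}
CATALOGUE = [
    Backup(datetime(2024, 2, 4), "w05", hashlib.sha256(SAMPLE_CONTENT["w05"]).hexdigest()),
    Backup(datetime(2024, 2, 11), "w06", hashlib.sha256(SAMPLE_CONTENT["w06"]).hexdigest()),
    Backup(datetime(2024, 2, 18), "w07", hashlib.sha256(SAMPLE_CONTENT["w07"]).hexdigest()),
]
FIRST_COMPROMISE = datetime(2024, 2, 12, 9, 30)   # constructed forensic estimate

if __name__ == "__main__":
    chosen = select_clean_backup(CATALOGUE, FIRST_COMPROMISE)
    print(chosen.label, verify_backup(chosen, SAMPLE_CONTENT[chosen.label]),
          data_loss_window(chosen, FIRST_COMPROMISE))
```

Without the safety margin the backup from 11 February would be chosen, one day before the estimated compromise; with it, the selection falls back to the 4 February set.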

Individual system recovery steps can take several weeks or months and result in higher monetary losses than the cyber-attack itself. To minimize this effort and avoid long downtimes, companies should comprehensively document how system recovery is to be carried out in an emergency.

© macmon secure GmbH