Machine Learning solutions utilize trained agents that can function as efficiently without an internet or cloud connection, a condition that exists in Critical Infrastructure networks and most conventional security and analytics solutions fail to address. Let’s dig into the details…

Critical Infrastructure applications are generally slow to adapt new technologies, reliability is always in focus and availability is a key consideration. If you have been around long enough, you have many times heard Protection & Control engineers say things like, “if it works and proven reliable don’t change it” , “let the technology mature enough for us to consider it”, and “Keep it simple, simple works and we need this”. All are very rightfully said, and justified by the extremely high reliability and predictability requirements. The lights need to stay on and that is priority one!

When adapting new technologies for Critical Infrastructure applications the math is simple. For a new technology to be quickly adapted, the technology has to prove a natural fit, be mature, reliable, predictable in behavior and mostly does not interfere with the critical aspects of Protection & Control. In short, the benefits have to outweigh the risks while respecting Operational Technology (OT) priorities. Now lets take a closer look at Machine Learning (ML) and see how it fits the bill.

Without getting into deep technical details, machine learning is about looking at past behaviors, and learning enough to be able to protect future events. taking action based on those predictions is another level and is a step into Artificial Intelligence (AI). AI takes things up a few notches, it requires the system to be more aware of its surroundings and be able to make decisions based on new predictions, presumably in a similar fashion to what a human would do. With this being said, right out the gate, AI would take much longer time to be considered for Power Utilities networks, just because of the fact that it can action things on its own and this can result in protection, availability and/or safety hazards. That is not to say never, but it will take a long time for adaption to take place. On the other hand ML is much simpler, ML only uses past state to predict future state and flags anomalies for a human to look into taking action, while only if desired, a predefined safe course of action can be automatically triggered. The beauty is, it can do all of this without the need for cloud or internet connection, if designed and implemented right.

As things stand today, Critical Infrastructure applications are faced with challenges conventional technologies aren’t able to overcome opening the door for ML to become a core mainstream technology for future Critical Infrastructure deployments. One of the biggest challenges is that critical infrastructure networks are kept in islands, nearly isolated from the outside world with very limited or no connection between the OT world and the internet. If a connection exists, it is secured and data flow is highly restricted to the bare minimum. This presents a challenge for some existing applications to function properly and securely. Lets take a few examples:

Security Applications: Most conventional security applications are signature based, relay on a threat database containing attack patterns. Some of the newer applications use behavior analysis (requiring access to the cloud in most cases). The performance of the security applications is highlight reliant on having access to the most up-to-date threat database which means an internet of cloud connection is required. The more outdated your signature files are the higher the risk you are taking and the less secure you are. This applies to conventional anti-virus (AV) applications as well as Intrusion Detection Systems (IDS) as examples. With this being said, a station computer at a critical infrastructure site is out of luck, same goes for a traditional IDS (even if aware of industrial protocols) as they lack an internet connection to stay current with signatures. In addition to this, the threats detected by conventional security systems are limited to what has already been seen and we have a known signature/behavior for, which means, a new threat comes and you are out of luck, again!

ML based security solutions use a different approach, typically an agent is trained using a threat database and normal site working conditions yet in a controlled environment (typically a vendor power lab) then, the trained agent is placed onsite on an IDS or AV system. The agent acts based on what it has leaned, look for anomalies and reports them without the need of an internet or cloud connection yet gets update every time the device code is upgraded. The agent is not only able to detect the attacks it has directly seen and learned about, it would have the intelligence to detect potential attacks never seen before as it has intelligence built into it, making it future proof to a good extent. Those agents relay on proper training and sophisticated algorithms to function.

Events Correlation is another exampleA properly trained agent can correlate events, recognize images, numbers and normal behavior without a cloud connection and without being told about every possible scenario. Again, training happens typically in a controlled lab environment before getting placed on site. Lets see how this can help in real life. As an example, a utility vehicle comes to the substation gate, the yard door is opened, the building door is opened then a maintenance laptop is connected, this would constitutes a normal behavior. The front door is opened before a utility vehicle is detected and yard door opened would constitute an anomaly to be flagged to the control room. maintenance individuals don’t walk to the substation generally.

Another good example is Predictive Maintenance without a cloud connection. Thermal and vibration data around transformers can be analysed onsite using a trained agent and predicting a transformer blowout can be accomplished. Most conventional predictive maintenance applications out there require a cloud connection or at least a server at the control room. Once again, ML is giving us an advantage and putting us a step ahead of conventional.


Although ML was initially developed for enterprise and everyday use cases, it happened to have a much stronger applicable case in the critical infrastructure applications, due to the fact that a trained agent can work isolated without the need of an internet or cloud connection. As conventional security and analytics solution fail to address functioning properly in isolation, ML become one of the future mainstream technology for critical infrastructure. You may continue to see a home based PC running conventional anti-virus with an internet connection, yet tomorrow’s substation computer will run an ML based one!

Tamer Soliman
Founder & CEO
InProgress Research Inc.
February 25th, 2019