
Modernizing OT Security with Human-in-the-Loop GenAI Agents

Dr. Rishabh Das

Dr. Rishabh Das is an Assistant Professor at the Scripps College of Communication, Ohio University. Dr. Das has over a decade of hands-on experience in operating, troubleshooting, and supervising control systems in the oil and gas industry. Dr. Das's research portfolio includes virtualization of Industrial Control Systems (ICS), threat modeling, penetration testing in ICS, active network monitoring, and the application of Machine Learning (ML) in cybersecurity.

Industrial systems are diverse, made up of complex ecosystems consisting of modern sensor frameworks, a communication backbone, a controller framework, and various safety systems. Most companies employ strategic teams to ensure seamless operations and tight governance that ensures uptime, safety, and operational compliance. That operating model has successfully worked for decades and remains essential in today’s critical infrastructure sector.

What has changed in modern times is the industrial system threat surface. As connectivity increases, security teams need far deeper visibility into a system’s assets and physical processes. Alerts must be interpreted within the context of the physical campus itself. Questions such as:

  • Which controller owns this tag?
  • Is that setpoint change routine maintenance or an attack?
  • Does this alarm pattern reflect normal operation or a deviation from the safety margin?

… all now necessitate more investigation. To suss out the answers, operators must have a combination of plant knowledge and cybersecurity experience.

Generative AI models can accelerate this workflow by grounding alerts in a plant-specific context. They can correlate identity/endpoint/network alerts and draft actions for later approval by humans. In this modern security workflow, the AI agent drafts a contextualized response, and the human in the loop (someone from the security team) decides what, if any, action to take.

Below are six important use cases in which AI agents will accelerate existing security workflows.

1. Alert synthesis and prioritization


Instead of flooding analysts with isolated events, GenAI agents can condense artifacts from a variety of sources into a single explainable triage card that aggregates key observations.

The triage card highlights system changes (such as a new ladder-logic rung inserted in the last hour, or a non-standard jump-host HMI login), ties them to risk context (safety limits, Safety Instrumented System [SIS] inhibits, critical assets, 62443 zones), and then cross-checks for related alerts (passive monitoring IDS hits, Endpoint Detection and Response [EDR] alerts on the engineering workstation).

The triage cards provide citations back to the logs, diagrams, and past alerts used to support the observations so the security team can verify the evidence used and assess the recommended action.

In this way, the cards capture all evidence and streamline the escalation process without sacrificing control. The security team is kept solidly within the loop and validates all actions before the changes proceed.

2. Change-management companion

The riskiest moments in an OT environment are controlled changes, especially to critical assets interacting with the PLC, HMI, or the engineering workstations.

A GenAI team member can actively watch the critical assets and translate changes into risk-focused statements that operations, safety, and the compliance team can quickly understand.

Based on the changes, the AI agent can automatically send the record of changes to the correct group for approvals. These teams each assess security information from a different perspective and prioritize data differently. The benefit of a GenAI agent is that it can offer explanations that highlight how changes affect that team’s systems.

This allows the teams receiving the tickets or change summaries to remain focused on their specific area of responsibility.

This GenAI-augmented workflow keeps current governance models intact while also translating system changes into role-specific risks, which then drive automated, enforced approval cycles.

3. Accelerating ticketing workflow

GenAI can accelerate ticket creation and improve consistency in change management and incident response workflows. The GenAI agent can pre-populate records in the ticketing system for the security teams to review and approve.

A GenAI agent can also aggregate events from multiple security tools and perform a much wider and deeper correlation assessment.

For example, a GenAI agent can structure the ticket and aggregate important information such as:

  • (1) Ticket payload: Details about the asset, the detection context that highlights the originating system, and the change context that triggered the event.
  • (2) Event timeline: The timestamps, a list of suspicious queries or commands, and event markers.
  • (3) Evidence bundle: A list of correlated data for security teams, including syslog/Windows Event IDs, controller/HMI audit logs, OT IDS hits, and EDR detections on the engineering workstation.
  • (4) Impact and risk rationale: Quantifies “why” the event demands investigation.
  • (5) Compliance and governance tags: Automatically maps the incident to compliance processes like NERC CIP and IEC-62443, and references appropriate playbooks to enable rapid response.

Final approval still rests with the security team, but the agent-assisted workflow improves speed and consistency.
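
The five-part ticket above, together with the evidence citations described for triage cards in use case 1, can be sketched as follows. This is an added example, not code from the article or from any product: the event records, asset names, field names and the 15-minute correlation window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed sample events (not real logs). Each id is the citation back to its source record.
EVENTS = [
    {"id": "ids-101", "source": "ot_ids", "asset": "PLC-7", "time": "2024-05-01T10:02:00", "detail": "logic download"},
    {"id": "edr-550", "source": "edr", "asset": "EWS-2", "time": "2024-05-01T09:58:00", "detail": "unsigned binary launched"},
    {"id": "aud-033", "source": "plc_audit", "asset": "PLC-7", "time": "2024-05-01T10:03:00", "detail": "new rung inserted"},
    {"id": "ids-090", "source": "ot_ids", "asset": "PLC-7", "time": "2024-05-01T03:00:00", "detail": "routine poll"},
]
# Hypothetical plant context: the workstation that programs each controller, plus governance tags.
CONTEXT = {"PLC-7": {"programmed_by": "EWS-2", "zone": "safety-critical", "tags": ["IEC-62443"]}}

@dataclass
class Ticket:
    payload: dict      # (1) asset, detection context, change context
    timeline: list     # (2) time-ordered event markers
    evidence: list     # (3) ids of the correlated source records
    rationale: str     # (4) why this needs investigation
    tags: list         # (5) compliance and governance tags
    status: str = "pending_approval"
    approved_by: str = ""

def draft_ticket(trigger_id, events=EVENTS, context=CONTEXT, window_minutes=15):
    """Correlate events around the trigger and draft a ticket; nothing is acted on here."""
    trigger = next(e for e in events if e["id"] == trigger_id)
    ctx = context.get(trigger["asset"], {})
    related_assets = {trigger["asset"], ctx.get("programmed_by")}
    t0, window = datetime.fromisoformat(trigger["time"]), timedelta(minutes=window_minutes)
    related = sorted((e for e in events if e["asset"] in related_assets
                      and abs(datetime.fromisoformat(e["time"]) - t0) <= window),
                     key=lambda e: e["time"])
    sources = sorted({e["source"] for e in related})
    return Ticket(
        payload={"asset": trigger["asset"], "detected_by": trigger["source"], "change": trigger["detail"]},
        timeline=[(e["time"], e["asset"], e["detail"]) for e in related],
        evidence=[e["id"] for e in related],
        rationale=f"{len(sources)} sources corroborate a change on {trigger['asset']} (zone: {ctx.get('zone', 'unknown')})",
        tags=list(ctx.get("tags", [])),
    )

def approve(ticket, reviewer):
    ticket.status, ticket.approved_by = "approved", reviewer
    return ticket

def apply_action(ticket):
    """The agent may only act once a human reviewer has approved the draft."""
    if ticket.status != "approved" or not ticket.approved_by:
        raise PermissionError("human approval required")
    return f"action released by {ticket.approved_by}"
```

Calling `draft_ticket("aud-033")` pulls in the workstation EDR alert and the IDS hit from the same window but leaves out the unrelated 03:00 poll, and `apply_action` refuses to run until `approve` has recorded a reviewer.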

4. Remote/vendor access governance

Third-party and remote maintenance are necessary but risky.

A GenAI agent can compile a session-level dossier for each remote/vendor connection. The dossier will include details like “who” authenticated, when, where, what systems were accessed, and what changed. The GenAI agent can outline all the relevant details, compile evidence, and keep a detailed log of the entire transaction.

If an approval is needed during the maintenance, the GenAI agent can redirect the request to the correct team or, if any suspicious activity is observed during the remote session, forward the details to the security team. Essentially, a GenAI agent provides oversight over remote management sessions.

5. Vulnerability identification and planning

A GenAI agent can rapidly gain deep knowledge of a critical infrastructure campus by parsing the documentation for all critical assets, including vendor release notes, firmware manuals, asset configuration documents, manufacturer’s guides, and network diagrams.

This comprehensive system knowledge enables the GenAI agent to map CVEs to the exact PLC/HMI versions, assess exploitability, and rank issues by asset criticality and operational exposure. Where patching is impractical, the GenAI agent can propose compensating controls to reduce risk until a window is available.

At that point, the GenAI agent drafts maintenance scenarios that security and engineering teams can review and approve. These plans, based on synthesized and extrapolated knowledge from the entire system, will align security and engineering activities, ultimately reducing operational downtime.
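
The version matching and ranking step described above, as an added example that is not part of the original article. The inventory, the advisory ids (placeholders, not real CVE numbers), the exposure weights and the scoring formula are all assumptions chosen for illustration.

```python
# Constructed inventory and advisories; the ids are placeholders, not real CVE numbers.
ASSETS = [
    {"name": "PLC-7", "model": "ctrl-a", "firmware": "2.4.1", "criticality": 5, "exposure": "remote_access", "patch_window": False},
    {"name": "HMI-3", "model": "panel-b", "firmware": "1.9.0", "criticality": 3, "exposure": "control_lan", "patch_window": True},
    {"name": "PLC-9", "model": "ctrl-a", "firmware": "3.0.0", "criticality": 4, "exposure": "isolated", "patch_window": True},
]
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-1", "model": "ctrl-a", "first": "2.0.0", "fixed": "2.5.0", "severity": 9.8},
    {"id": "CVE-PLACEHOLDER-2", "model": "panel-b", "first": "1.0.0", "fixed": "2.0.0", "severity": 7.5},
]
EXPOSURE_WEIGHT = {"isolated": 0.5, "control_lan": 1.0, "remote_access": 1.5}  # assumed weights

def ver(s):
    """Parse a dotted version so that 2.10.0 sorts after 2.9.0 (string comparison would not)."""
    return tuple(int(p) for p in s.split("."))

def affected(asset, adv):
    # Affected range is [first, fixed): the fixed release itself is not vulnerable.
    return asset["model"] == adv["model"] and ver(adv["first"]) <= ver(asset["firmware"]) < ver(adv["fixed"])

def plan(assets=ASSETS, advisories=ADVISORIES):
    """Rank affected assets and draft a recommendation; every item awaits human review."""
    findings = []
    for a in assets:
        for adv in advisories:
            if not affected(a, adv):
                continue
            # Assumed score: advisory severity scaled by asset criticality and exposure.
            score = round(adv["severity"] * a["criticality"] * EXPOSURE_WEIGHT[a["exposure"]], 2)
            draft = (f"upgrade to {adv['fixed']} in next window" if a["patch_window"]
                     else "compensating control until a window opens")
            findings.append({"asset": a["name"], "advisory": adv["id"], "score": score,
                             "draft": draft, "status": "pending_review"})
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```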

6. Shift-handover digest

Critical infrastructure processes run 24/7.

Just like the operations team, the security team needs to maintain a constant watch over the network and the critical processes.

By continuously monitoring all critical changes, GenAI agents help create continuity for incoming teams. The agent provides details on unresolved alerts, open tickets, system statuses, and major actions, creating easily digestible summaries for the incoming team. The continuity allows the incoming shift to rapidly get up to speed on the current state of the plant in virtually real time and quickly learn about and address critical pending approval requests.

GenAI agents don’t replace people; they amplify human skill and expertise. With the right guardrails, GenAI agents will become indispensable in helping security experts keep essential services safe, reliable, and resilient.

