AI Alters OT Security Threats and Defenses

IIoT-World's reporting from S4x26 summarizes presentations by Dragos, Panasonic R&D Center Singapore, Darktrace, and Georgia Institute of Technology showing that AI is accelerating both offensive and defensive work in operational technology (OT) security. According to IIoT-World, Dragos researcher Jimmy Wylie used AI coding assistants, including Claude, to try to recreate the FrostyGoop ICS malware and found that they speed development tasks but do not remove the need for deep expertise in industrial protocols and for physical testbeds. IIoT-World also reports that Panasonic presented PAIEL (Packet Analysis and Insight Extraction using LLM), a two-stage retrieval-augmented system that pulls protocol standards into the model's context to translate binary OT packets into plain-language analysis for SOC analysts. The coverage identifies where each side currently holds an advantage and flags the risks of cognitive bias and overreliance on LLM output.
What happened
According to reporting by IIoT-World, presentations at S4x26 from Dragos, Panasonic R&D Center Singapore, Darktrace, and Georgia Institute of Technology examined how AI is changing OT security. The article reports that Dragos researcher Jimmy Wylie attempted to recreate the FrostyGoop ICS malware using AI coding assistants including Claude and concluded that AI can speed parts of malware development but does not remove the need for specialized engineering, protocol knowledge, and physical testbeds. The piece also describes Panasonic's PAIEL (Packet Analysis and Insight Extraction using LLM), which uses a two-stage retrieval-augmented generation approach to pull protocol standards as context and translate captured OT packets into human-readable insights for SOC analysts.
Technical details
IIoT-World reports that PAIEL avoids relying solely on the model's internal knowledge: it retrieves the relevant protocol specification as context to reduce hallucination, then maps binary fields to plain-language actions, such as a command setting an air-conditioning unit to 100 degrees Celsius, a value an analyst can recognize as anomalous once it is spelled out. The Dragos experiment, per the same report, found that AI assistants can automate reconnaissance and scripting tasks but struggle with protocol-specific nuances such as DNP3 and Modbus behaviors (both are open industrial standards, not proprietary protocols). The article also references the work of Team Atlanta from Georgia Institute of Technology in the DARPA AI Cyber Challenge (AIxCC), with fewer technical specifics given.
Industry context
Teams applying large language models to OT problems are following two parallel tracks. Defenders use retrieval-augmented workflows to ground LLM output in the exact protocol documentation, which reduces hallucination and raises analyst throughput. Offensive actors can use AI to accelerate code generation and reconnaissance, but the publicly reported experiments show that domain expertise and engineered testbeds remain gating factors. For practitioners, tooling that couples an LLM with deterministic protocol parsing and a verification step is more actionable than unconstrained LLM output: the parser fixes what the packet actually says, and the model is confined to explaining it.
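The pattern described in the technical details and in the paragraph above (deterministic decode, spec retrieval, grounded prompt, verification of the model's text) is sketched below as an added example. It is not PAIEL's code nor anything the presenters published: the Modbus/TCP frames, the spec chunks, the HVAC register map and the chunk ids are all constructed for illustration, and the LLM call itself is not made; the block builds the grounded prompt and then gates a summary written the way a model might write it. The parser handles one request type, Write Single Register, and rejects malformed frames rather than guessing.

```python
"""Grounded OT packet analysis: deterministic Modbus/TCP decode, retrieval of
spec text, a grounded prompt, and a verification gate on the model's summary.
Added example, not PAIEL's code; frames, spec chunks and register map are
constructed for illustration and the LLM call itself is not made here."""
import re
import struct
from dataclasses import dataclass

# Modbus/TCP MBAP header per the open Modbus spec: transaction id, protocol id,
# remaining length, unit id. The PDU (function code + data) follows it.
MBAP = struct.Struct(">HHHB")
FUNCTION_NAMES = {0x03: "Read Holding Registers", 0x06: "Write Single Register"}

@dataclass
class Decoded:
    transaction_id: int
    unit_id: int
    function_code: int
    function_name: str
    register: int
    value: int

def parse_modbus_tcp(frame: bytes) -> Decoded:
    """Deterministic decode of a Write Single Register (FC 0x06) request.
    Malformed input raises ValueError instead of being guessed at."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(frame) - 6:  # MBAP length covers unit id plus PDU
        raise ValueError(f"MBAP length {length} != {len(frame) - 6} bytes present")
    fc = frame[7]
    if fc != 0x06 or len(frame) != 12:
        raise ValueError(f"only a 12-byte FC 0x06 request is handled, got fc=0x{fc:02x}")
    register, value = struct.unpack_from(">HH", frame, 8)
    return Decoded(tid, unit, fc, FUNCTION_NAMES[fc], register, value)

# Constructed spec corpus: protocol text plus a hypothetical HVAC register map,
# the kind of material a RAG stage would index. Chunk ids are invented.
SPEC_CHUNKS = {
    "modbus-fc06": "Function code 06 Write Single Register: writes one 16-bit "
                   "holding register at the given address.",
    "modbus-fc03": "Function code 03 Read Holding Registers: reads a block of "
                   "holding registers.",
    "hvac-map-0010": "Holding register 0x0010: cooling setpoint, units degrees "
                     "Celsius, valid range 16 to 30.",
    "hvac-map-0011": "Holding register 0x0011: fan speed percent, valid range 0 to 100.",
}
RANGE_RE = re.compile(r"register 0x([0-9A-F]{4}).*?valid range (\d+) to (\d+)")

def retrieve_context(d: Decoded) -> list[str]:
    """Keyword retrieval: chunks mentioning the decoded function code or register."""
    needles = (f"code {d.function_code:02d}", f"register 0x{d.register:04X}")
    return [t for t in SPEC_CHUNKS.values() if any(n in t for n in needles)]

def build_prompt(d: Decoded, context: list[str]) -> str:
    """The grounded prompt the model would receive: retrieved spec text plus the
    parsed fields, so it explains the packet rather than guessing its meaning."""
    fields = (f"unit={d.unit_id} function=0x{d.function_code:02x} "
              f"register=0x{d.register:04X} value={d.value}")
    return "Context:\n" + "\n".join(context) + f"\nPacket fields: {fields}\nExplain in one sentence."

def _numbers(text: str) -> set[int]:
    """Every integer a sentence asserts, hex or decimal."""
    return {int(n, 16) if n.lower().startswith("0x") else int(n)
            for n in re.findall(r"0x[0-9A-Fa-f]+|\d+", text)}

def verify_summary(d: Decoded, context: list[str], summary: str) -> list[str]:
    """Gate on the model's text: its numbers must match the parsed frame, and the
    written value is checked against the retrieved spec range. Returns findings;
    an empty list means the summary is consistent and the write is in range."""
    findings = []
    nums = _numbers(summary)
    if d.register not in nums:
        findings.append(f"summary does not name register 0x{d.register:04X}")
    if d.value not in nums:
        findings.append(f"summary does not state written value {d.value}")
    for n in sorted(nums - {d.register, d.value, d.unit_id, d.function_code}):
        findings.append(f"summary asserts number {n} that is not in the packet")
    for t in context:
        m = RANGE_RE.search(t)
        if m and int(m.group(1), 16) == d.register:
            lo, hi = int(m.group(2)), int(m.group(3))
            if not lo <= d.value <= hi:
                findings.append(f"value {d.value} outside spec range {lo}-{hi}")
    return findings

# Constructed requests: unit 1, FC 0x06, register 0x0010 <- 100 (0x0064) and <- 22.
FRAME_SETPOINT_100 = bytes.fromhex("000100000006" "01" "06" "0010" "0064")
FRAME_SETPOINT_22 = bytes.fromhex("000200000006" "01" "06" "0010" "0016")

if __name__ == "__main__":
    d = parse_modbus_tcp(FRAME_SETPOINT_100)
    ctx = retrieve_context(d)
    print(build_prompt(d, ctx))
    # A faithful summary still gets one finding: 100 C is outside the spec range.
    print(verify_summary(d, ctx, "Sets the cooling setpoint (register 0x0010) to 100 degrees Celsius."))
    # A hallucinated summary naming the wrong register is rejected outright.
    print(verify_summary(d, ctx, "Sets fan speed (register 0x0011) to 100 percent."))
```

The design point is that the LLM never sees raw bytes and never gets the last word: the parser decides what the frame contains, retrieval decides which spec text is admissible, and the gate compares the model's numbers and the written value back against both. A summary that names a register the frame did not touch fails even if it reads fluently, and a faithful summary of the 100-degree setpoint is still surfaced as out of range, which is the kind of check an analyst prone to trusting a clean summary would otherwise skip.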
What to watch
Observers should track reproducible demonstrations of AI-generated payloads that operate on live or emulated OT stacks, adoption of RAG-grounded packet-analysis tools in SOC playbooks, and research addressing cognitive-bias risks where analysts overtrust LLM summaries. IIoT-World's coverage indicates the balance of advantage currently favors defenders when retrieval and protocol grounding are used, while AI-driven scale raises monitoring and assurance requirements for industrial environments.
Key Points
- AI coding assistants accelerate ICS exploit scripting but do not remove the need for domain expertise, so near-term risk grows mainly through scale, not new attack classes.
- Retrieval-augmented systems that ground outputs in protocol specs, like Panasonic's PAIEL, reduce hallucination and make LLM analysis actionable for SOC analysts.
- Practitioners should prioritize grounded parsing and verification over raw LLM summaries to limit cognitive-bias-driven errors in OT environments.
Scoring Rationale
Conference reporting documents concrete uses of LLMs for OT packet analysis and shows AI speeds some attack workflows while leaving the expertise barrier intact, which is notable for SOC and OT practitioners. The underlying facts (FrostyGoop, Dragos's Jimmy Wylie, S4x26) are corroborated, but it is a useful field update rather than a transformational development.
Sources
Public references used for this report.