Introduction
The trajectory of urban development is increasingly characterised by a transition from smart automation towards operational autonomy (Cugurullo, 2020). The operational backbone of modern society—spanning energy grids, water treatment facilities, manufacturing plants and building automation systems (BAS), or more generally categorized as “cyber-physical infrastructure”—is managed by a complex web of Industrial Control Systems (ICS) (US Department of Energy, 2023).
The Industry IoT Consortium proposes a three-tier system architecture for implementing these complex OT systems [IIRA19]: the edge tier, platform tier, and enterprise tier. Each tier plays a specific role in processing the data flows and control flows involved in usage activities. The tiers are connected by three networks: the proximity network, access network, and service network. The industrial edge tier consists of sensors, instruments, machines, and other devices that are networked together and use internet connectivity to enhance industrial and manufacturing business processes and applications (Berge, 2002).
Historically, these systems were isolated, air-gapped from enterprise networks, and secured through physical measures (NIST SP 800-82, 2023). However, the drive for smarter infrastructure, operational efficiency, sustainable manufacturing, remote management, and data-driven business insights has produced an unprecedented convergence of IT and OT systems (Accenture, 2023). As IT and OT systems continue to converge and become even more interconnected, the control of physical processes remains a relatively unique and critical concept of OT. While this integration unlocks significant value, it has concurrently dismantled the traditional security assumptions of isolation and security through obscurity, exposing critical OT environments to the full spectrum of cyber threats previously confined to the IT domain.
Furthermore, many older or legacy OT devices remain in operation for years without receiving critical security updates or patches, either because their vendors no longer support those systems, or because the vendors themselves have long since gone out of business. Traditional security tools also present numerous issues related to their resource-intensive monitoring and management features that can pose a direct risk to process stability (Claroty, 2023). These systemic vulnerabilities have not gone unnoticed by threat actors. The cybersecurity landscape for Industrial Control Systems (ICS) has evolved from facing generic malware to combating sophisticated, state-sponsored Advanced Persistent Threats (APTs) and specialized cyber-criminal groups (MITRE ATT&CK for ICS, 2023). These adversaries demonstrate a deep understanding of industrial processes and their specific weaknesses. They leverage this knowledge, and more recently the power of AI (AI Attack Staging, AML.TA0001), to orchestrate and execute multi-stage attacks designed for stealth, persistence, and maximum operational impact, as mapped by frameworks like the MITRE ATT&CK® for ICS and MITRE ATLAS. Their tactics, techniques, and procedures (TTPs) often involve abusing the inherent trust within OT protocols for reconnaissance, lateral movement, and the manipulation of physical processes in complex environments.
Adversarial Operations in OT Environments
The critical environments that underpin global critical infrastructure, enabling free trade, manufacturing, and global supply chains, represent a complex and increasingly vulnerable cyber-physical frontier. The consequences of this systemic exposure have been repeatedly demonstrated through a series of high-profile cyberattacks that transcended digital boundaries and caused tangible operational disruption. In particular, these attacks stand out:
- The TRISIS/Triton malware attack on a Saudi Arabian petrochemical facility in 2017 specifically targeted Schneider Electric’s Triconex Safety Instrumented System (SIS), aiming to disable safety mechanisms and induce physical damage—representing a deliberate convergence of cyber intrusion and process control manipulation.
- The Havex Remote Access Trojan (RAT), deployed in campaigns against European and North American energy sectors, infiltrated industrial control environments under the guise of legitimate software updates, exfiltrating configuration data and establishing persistent access for future compromise.
- More recently, the 2021 Colonial Pipeline ransomware attack, though initiated within the IT enterprise network, demonstrated how the shutdown of critical energy transportation infrastructure across the U.S. East Coast could have macroeconomic and national security implications beyond the monetary or reputational damage that companies incur after a cybersecurity incident (Mandiant, 2021; Colonial Pipeline Company, 2021).
- During the 2023–2024 Log4J vulnerability crisis, incident responders discovered not only exposed Java services but also hundreds of BACnet devices “leaking” onto the public internet due to misconfigured routing and a lack of segmentation (DIVD, 2023). This demonstrated that discovery and management failures in BAS can amplify the impact of unrelated IT security events, compounding risk across organizational boundaries.
- In 2023, the MGM Resorts International breach further exposed the fragility of hybrid IT–OT architectures within large-scale operational environments. Attackers exploited a social engineering vector—impersonating IT personnel via a helpdesk call—to gain privileged access to Active Directory and downstream operational systems. The resulting disruption extended beyond hotel IT systems to physical operations, including casino floor systems, digital room access, and payment terminals, at a loss of $8 million a day. This incident underscored how modern threat actors exploit human and procedural weaknesses to pivot from enterprise infrastructure into operational assets with cascading financial and reputational consequences (CISA, 2023; Volexity, 2023).
Rise of Covert Channels and Protocol Abuse
Today’s OT threat landscape has evolved significantly from the earlier, more direct and overt forms of cyberattack whose effects spilled over into kinetic operations. Notable examples include the Russian operations against Ukraine’s power grid in 2015 and 2016, where intrusions relied on visible, disruptive techniques to compromise industrial control systems. In contrast, contemporary OT-focused adversaries increasingly adopt subtle, covert, and persistence-oriented methods aimed at infiltrating a nation’s critical infrastructure while remaining undetected for extended periods. This shift reflects a strategic intent to establish latent access and prepare operational environments for potential future use—such as in the event of armed conflict between states—where pre-positioned capabilities can be rapidly weaponized with significant impact and magnitude.
In 2024, the Cybersecurity and Infrastructure Security Agency (CISA) discovered that the Chinese state-sponsored Advanced Persistent Threat (APT) Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus) had compromised the IT environments of multiple critical infrastructure organizations—primarily in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon uses a technique known as Living Off the Land (L.O.T.L.), which derives its name from LOLBins, or “Living Off the Land binaries”: legitimate, pre-installed executable files on an operating system (such as Windows) that threat actors misuse for malicious purposes.
L.O.T.L. techniques represent a new and insidious frontier in advanced state-sponsored cyberattack campaigns. They are characterized by a lengthy reconnaissance phase to study the victim’s network infrastructure and by the abuse of legitimate OS tools to avoid raising red flags from traditional rule-based and alert-based security tools. According to CISA, L.O.T.L. techniques are not merely a way to conduct extensive and persistent cyberespionage campaigns against the U.S. and its critical infrastructure; they have been observed to be a strategy to preposition and move laterally from the IT environment to the OT infrastructure (CISA, 2024). This strategy would imply that adversaries of the U.S. and its allies are slowly but steadily infiltrating the OT substrate in order to weaponize critical infrastructure in the event of escalating tension between states. In the case of Volt Typhoon, the threat group remained undetected for approximately five years, raising serious concerns about how many state-backed threat actors may currently be infiltrating—or may already have infiltrated—the OT layers of critical infrastructure (CISA, 2024).
What makes this particularly alarming is that such long-term, covert persistence reflects not only a high degree of operational sophistication, which may or may not have been assisted with the advent of AI, but also the inherent lack of visibility and monitoring capabilities in most OT environments compared to their IT counterparts. Many industrial networks still rely on outdated architectures, limited logging, and fragile systems that cannot support intrusive security controls, leaving defenders with few reliable ways to detect subtle, low-and-slow compromises. As a result, similar actors could be quietly positioning themselves within critical systems, waiting for the most strategically damaging moment to act. For defenders, this combination of stealthy adversary behavior and structural visibility gaps means the true scope of existing exposure may be far greater than what is currently understood.
Asset Discovery and Operational Visibility: Elusive Goals in Complex, Rhizomatic Networks
Discovering and inventorying assets is not security in itself; rather, it is a first step in mapping and understanding the elements that constitute the environment to be secured, especially where these environments have complex configurations and follow non-hierarchical structures. Traditional IT-style defense techniques—including tools that rely on active scanning and intensive log monitoring—cannot adequately address the inherent challenges of OT networks. The combination of these deficiencies in OT systems, networks and devices leaves a critical defensive gap, exacerbated by a lack of high-fidelity, context-aware security visibility that can bridge the chasm between abstract data and real-time events occurring on the factory floor or within a building’s control network. It is this gap that necessitates a fundamental shift from a reactive, perimeter-centered security posture to a proactive, data-driven, deeply embedded, intelligence-focused and context-aware defense model (SANS ICS, 2023).
Another more intriguing challenge that has recently been discussed is how the standard cybersecurity frameworks map assets, known vulnerabilities, known threats, and controls in hierarchical, static ways to quantify risk. They provide a useful baseline but also a dangerous illusion that systems, people, and permissions behave like tidy, auditable stacks that adhere to a formula. In reality, OT and ICS environments are living meshes—messy, evolving, and governed by emergent and inherent relationships rather than edicts. These environments inherently exhibit the structure of a “rhizome”—a decentralized, non-hierarchical mesh of nodes whose behaviors and relationships are shaped by proximity, inherited configurations, and implicit trust.
These rhizomatic cyber-physical ecosystems are characterized by weak adjacency boundaries, inherited permissions, and decaying trust structures. Traditional risk and security frameworks built on hierarchical assumptions fail to capture the dynamic, non-linear, and multi-layered linkage structures that shape actual attack propagation in these environments (Sienkiewicz, 2025). Unlike conventional Information Technology (IT) ecosystems, which have largely benefited from decades of security maturation, OT networks are frequently characterized by an “accidental architecture” (Schneider Electric, 2023).
This architecture is an emergent construct of heterogeneous devices with disparate lifecycles, a fragmented landscape of specialized communication protocols, and a foundational design philosophy that prioritized operational reliability and safety over digital threat visibility and cybersecurity. The result is a sprawling, deeply interconnected and chaotic system of systems in which devices from numerous vendors, assembled by individual contractors, communicate over different protocols such as BACnet, Modbus, DNP3, Simatic S7 and IEC 61850, each serving separate and distinct functionalities and software components (ASHRAE, 2023). These protocols often lack inherent secure-by-design controls such as encryption and robust authentication, creating a permissive environment for advanced adversaries who pursue physical disruption of critical operations or safety rather than data theft.
Threat Detection: From Signatures to Context-Aware Orchestration
Collectively, we must all face the critical reality that IT-style perimeter-based network defenses are obsolete. Adversaries have repeatedly demonstrated their ability to bypass traditional security boundaries, exploit trusted supply chain and identity relationships, and manipulate the very protocols—Modbus, BACnet, DNP3, OPC-UA—that define operational control and data communication.
Network Intrusion Detection Systems (NIDS) like Snort, Suricata and commercial network scanners and SIEMs have long been staples of IT security. Their application in OT environments, however, has been fraught with challenges. Early deployments often relied on generic, IT-focused rulesets that generated a high volume of false positives and failed to recognize protocol-specific attack vectors. This led to the development of specialized ICS protocol parsers and rulesets, such as those provided by the open-source community and commercial vendors.
However, even with protocol awareness, a NIDS operating without deep asset context is of limited value. An alert for “Anomalous Modbus Traffic” provides little actionable intelligence. To be effective, detection logic must be contextualized (Hallett et al., 2021).
Current monitoring and security solutions, while non-disruptive, struggle to provide the granular intelligence needed to contextualize threats and detect behavioural deviations, and they often miss intermittently connected devices or fail to identify unauthorized configuration changes (Zaki et al., 2021). The central limitation of current ICS/OT security operations is the absence of a real-time, computable understanding of how risk propagates across interconnected systems. Traditional tools focus on siloed asset lists, vulnerability scans, or event logs, which provide value but rarely convey how adjacent devices, inherited configurations, or decaying trust relationships shape operational exposure.
A New Paradigm for Operational Infrastructure Protection
The Threat-Informed Defense for Secure Operational Control (TIDSOC) framework represents more than an incremental improvement in ICS cybersecurity. It embodies a fundamental transformation in how we conceptualize and implement cyber defense for critical infrastructure. At the core of the TIDSOC AI-SOAR platform lies an architecture of reinforcement learning agents designed for autonomous network defense operations. This framework integrates concepts from modern agentic process orchestration (Camunda, 2025) and locally deployed AI agent design (Snowflake, 2025), blending deterministic control with adaptive intelligence to achieve cyber-resilient orchestration. Functionally, it draws inspiration from Unified Linkage Modeling (ULM), which addresses adjacency, trustworthiness, and inheritance as first-class analytical objects rather than secondary metadata (Sienkiewicz, 2025). ULM enables a data structure that agentic AI systems can actually reason over. TIDSOC leverages this structure to perform closed-loop, context-aware orchestration across ICS and BAS networks. TIDSOC introduces distributed, policy-bounded AI agents responsible for discovering, monitoring, analyzing, and acting across ICS systems. The integration of ULM and BIRCH-C™ inference models shapes how these agents perceive the network, decide on mitigation strategies, and recommend system execution.
Applying ULM & BIRCH-C™ to TIDSOC-AI: Agentic, Linkage-Aware Cybersecurity Process Orchestration
The Unified Linkage Model (ULM) proposes reframing the way organizations analyze complex and disorganized OT networks by elevating the concept of linkage, which can be further subdivided into three categories: adjacency, trustworthiness and inheritance. According to the ULM, adjacency, trustworthiness and inheritance serve as the primary units of analysis and correlation for understanding complex networks of systems and devices. Understanding the linkages across systems and devices results in a better visualization of networks and of cascading cyber risk, which according to ULM falls under three co-existing archetypes: hierarchical, which emphasizes centralized authority and structured flows; rhizomatic, reflecting decentralized, nonlinear webs of influence; and chaos-based models that account for emergent behavior and unpredictable transformations. Conceptualizing which of these three network archetypes applies to an organization and its environments can shape how risk is visualized by tracing its flows, linkages and interdependencies (Sienkiewicz, 2025).
Applying ULM across the IoT Consortium’s 3-tier architecture of the cyber-physical infrastructure including its assets, network configurations, and the operational behaviour reframes the problem: risk is less a property of discrete assets and more the product of how operational controllers, field devices, HMIs, and enterprise services are bound together through proximity, delegated authorities, and historical inheritance of permissions and configurations across all layers. These are not just theoretical paradigms; instead they represent realistic mechanisms that attackers can exploit with ease and unbeknownst to operators, owners or defenders of OT infrastructure.
Raw network telemetry or asset inventories and manual triaging are insufficient because they do not capture the operational relationships that adversaries exploit. ULM provides a structured graph representation in which nodes represent assets, identities, processes, or services, while edges define linkage types. This representation transforms a heterogeneous ICS environment into a dynamic linkage graph that agents can query in microseconds.
Instead of simply detecting an anomalous BACnet packet, an agent can determine which adjacency path enables this communication, which inherited trust relationships allow it, and which operational consequences would follow if it persists. This allows TIDSOC process orchestration to prioritize actions based not on event frequency, but on structural exposure and linkage-criticality—a far more accurate approach for OT environments where downtime is unacceptable.
A ULM-informed view forces different tactics for OT risk management rather than conventional check-the-box cybersecurity. First, defenses should strive to map the live linkages that constitute an organization’s network and systems. While ULM describes how systems are linked, BIRCH-C™ evaluates whether those linkages remain trustworthy (Sienkiewicz, 2025). TIDSOC combines ULM with BIRCH-C™, a framework that continuously quantifies the behavioral trustworthiness of users and machines, and extends both into the domain of autonomous defense orchestration, where each agent is both task-specialized and context-aware within an industrial control systems (ICS) network.
Unlike conventional SOAR systems that rely on static playbooks, TIDSOC implements a hierarchical agentic mesh. Within this architecture, multiple AI agents collaborate across sensing, reasoning, and acting phases—mirroring the six-stage cognitive loop outlined by Dataiku’s A Practical Guide to AI Agents (Snowflake, 2025)—to perceive the operational environment, interpret telemetry, plan adaptive responses, and execute mitigations in real time. Each agent operates as an autonomous process node governed by shared orchestration logic that ensures compliance, traceability, and operational continuity (Camunda, 2025).
After creating live visualisations, it is paramount to understand and score adjacency, to compute trustworthiness dynamically using the BIRCH-C™ framework through continuous identity verification, periodic privilege revalidation and behavior attestation, and to trace inheritance paths, allowing defenders to better anticipate and quantify multiple cascading risks.
Building and implementing these logical strategies and operational defense processes that adhere to ULM & BIRCH-C™ manually through the use of internal security teams and policy-based implementation is difficult and impractical due to the large scale deployments in industrial environments and vendor support lifecycle uncertainty. Adding more security hardware across different layers to solve these inherent OT issues introduces more chaos and complexity to an already fragile ecosystem making it not a viable and sustainable solution.
Toward a Live, Adaptive Defense Posture: Architectural Requirements and Operational Impact
Threat-Informed Defense for Secure Operational Control (TIDSOC) introduces agentic process orchestration to build a realistic pathway to closed-loop security automation and risk management without sacrificing human-in-the-loop oversight. Agentic AI frameworks, such as TIDSOC, emphasize the need for modular, autonomous, goal-driven reinforced local agents that can analyze specific and unique data sets and derive device health, reason over policy, and act through controlled interfaces, enabling real-time and context-aware continuous discovery, monitoring and learning. The model introduced by TIDSOC for contextualizing risk enables precise metrics and linkage scoring as well as localized risk remediation recommendations.
Such automated orchestration replaces static, rule-based and alert-based security automation with adaptive and dynamic process logic. Instead of inanimate scripts, orchestration workflows can delegate sub-tasks to localised reinforced AI agents, each within a constrained domain and verifiable policy boundary, allowing the system to reason about dependencies and to understand operational impact in context, based on the ULM & BIRCH-C™ metrics it is trained on. The transition from theoretical models to an operational agentic defense capability requires specific architectural commitments.
First, ICS environments must be instrumented and contextualised with computable linkage models—graph-based representations of adjacency, trust, and inheritance that agents can query in real time. Static CMDBs or flat asset inventories cannot support the reasoning required for agentic decisions; agents need direct access to a continuously updated linkage graph that reflects how operational dependencies, communication paths, and privilege relationships actually evolve over time. Practical implementation requires representing ICS networks, field devices, engineering workstations, PLCs, HMIs, and service relationships as dynamic, queryable graph structures that expose the exact pathways through which risk propagates.
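The linkage graph described in the ULM section (assets, identities and services as nodes; adjacency, trust and inheritance as typed edges) and the continuously queryable graph this first requirement calls for can be sketched concretely. The following is an added Python example, not code from TIDSOC, ULM or the authors: the node names, criticality weights, edge semantics (adjacency = "src can reach dst", trust = "dst accepts control from src", inheritance = "dst cloned its configuration from src") and the three constructed alerts are all assumptions made here for illustration. It answers the three questions posed earlier for an anomalous BACnet flow (which adjacency path enables it, which inherited relationships allow it, what exposure follows if it persists) and ranks alerts by structural exposure rather than event count.

```python
from collections import deque
from dataclasses import dataclass, field

# The three ULM linkage categories named in the text, used here as edge types.
ADJACENCY = "adjacency"      # src can reach dst on the network
TRUST = "trust"              # dst accepts control or data from src
INHERITANCE = "inheritance"  # dst inherited configuration/permissions from src


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    kind: str


@dataclass
class LinkageGraph:
    """Nodes are assets, identities or services; edges are typed linkages."""
    criticality: dict = field(default_factory=dict)  # operational impact weight per node
    edges: list = field(default_factory=list)

    def add_node(self, name, criticality):
        self.criticality[name] = criticality

    def link(self, src, dst, kind):
        if src not in self.criticality or dst not in self.criticality:
            raise KeyError(f"unknown node in edge {src} -> {dst}")
        self.edges.append(Edge(src, dst, kind))

    def successors(self, node, kinds):
        return [e.dst for e in self.edges if e.src == node and e.kind in kinds]

    def reachable(self, start, kinds):
        """Breadth-first closure over the given linkage kinds, excluding start itself."""
        seen, queue = set(), deque([start])
        while queue:
            for nxt in self.successors(queue.popleft(), kinds):
                if nxt != start and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def adjacency_paths(self, src, dst, max_depth=6):
        """Every simple network path from src to dst: the adjacency that enables the traffic."""
        paths = []

        def walk(node, path):
            if node == dst:
                paths.append(path)
                return
            if len(path) > max_depth:
                return
            for nxt in self.successors(node, {ADJACENCY}):
                if nxt not in path:
                    walk(nxt, path + [nxt])

        walk(src, [src])
        return paths

    def inheritance_chain(self, node):
        """Follow INHERITANCE edges upstream to the baseline the node's config derives from."""
        chain, current = [node], node
        while True:
            parents = [e.src for e in self.edges
                       if e.dst == current and e.kind == INHERITANCE]
            if not parents or parents[0] in chain:
                return chain
            current = parents[0]
            chain.append(current)

    def downstream_exposure(self, node):
        """Criticality of node plus everything reachable from it over adjacency or trust."""
        reach = self.reachable(node, {ADJACENCY, TRUST})
        return self.criticality[node] + sum(self.criticality[n] for n in reach)


def assess_alert(graph, src, dst):
    """Answer the text's three questions for one observed src -> dst flow."""
    return {
        "enabling_paths": graph.adjacency_paths(src, dst),
        "inherited_from": graph.inheritance_chain(src),
        "exposure_if_persistent": graph.downstream_exposure(dst),
    }


def prioritize(graph, alerts):
    """Rank (src, dst, event_count) alerts by structural exposure of dst, not by count."""
    return sorted(alerts, key=lambda a: graph.downstream_exposure(a[1]), reverse=True)


def build_sample_graph():
    """Constructed BAS/ICS segment; names and weights are illustrative, not from any real site."""
    g = LinkageGraph()
    for name, weight in [("vendor_gold_image", 0), ("eng_ws", 3), ("hmi", 4),
                         ("plc_chiller", 8), ("sis", 10), ("bacnet_router", 2),
                         ("contractor_laptop", 1), ("historian", 3)]:
        g.add_node(name, weight)
    for src, dst in [("contractor_laptop", "bacnet_router"), ("bacnet_router", "plc_chiller"),
                     ("eng_ws", "plc_chiller"), ("eng_ws", "sis"),
                     ("hmi", "plc_chiller"), ("plc_chiller", "historian")]:
        g.link(src, dst, ADJACENCY)
    for src, dst in [("plc_chiller", "sis"), ("eng_ws", "sis"), ("hmi", "plc_chiller")]:
        g.link(src, dst, TRUST)        # dst accepts commands/interlock signals from src
    g.link("vendor_gold_image", "eng_ws", INHERITANCE)  # workstation built from vendor image
    g.link("eng_ws", "contractor_laptop", INHERITANCE)  # laptop cloned the workstation ACLs
    return g


# Constructed alerts: (source, destination, events in the last hour).
SAMPLE_ALERTS = [
    ("plc_chiller", "historian", 1200),         # chatty but harmless polling
    ("hmi", "plc_chiller", 400),
    ("contractor_laptop", "bacnet_router", 3),  # rare "Anomalous BACnet Traffic"
]

if __name__ == "__main__":
    g = build_sample_graph()
    for src, dst, count in prioritize(g, SAMPLE_ALERTS):
        print(count, src, "->", dst, assess_alert(g, src, dst))
```

With this topology the three-event laptop alert ranks first: the BACnet router it touches sits one adjacency hop from the chiller PLC, which the safety system trusts, so its downstream exposure (23) exceeds that of the 1200-event historian polling (3). The inheritance chain also shows why the laptop can talk to the router at all: it inherited the engineering workstation's configuration, which in turn came from the vendor image. A production graph would be fed from passive telemetry rather than hand-built, but the queries are the same.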
Second, agentic decisions must be governed by a trust orchestration layer that evaluates all proposed actions through verifiable policy engines—most critically, frameworks like BIRCH-C™ that quantify the behavioral reliability and integrity of users and devices. This prevents unintended or unsafe actions and ensures that any automated mitigation aligns with current trust conditions, not outdated assumptions about identity or device legitimacy. By embedding trust scoring directly into the security loop, the defense system moves from “identity-based access” to “trust-conditioned execution,” a requirement in operational environments where misclassification can cause downtime or physical impact.
Third, the architecture must incorporate feedback-rich human-in-the-loop data pipelines to ensure all AI-driven risk management activities remain bounded by safety, compliance, and operational continuity requirements. In OT, operators remain the final arbiter for actions that affect process integrity. The agentic system must therefore deliver explainable recommendations, receive operator reinforcement, and incorporate that feedback into its policy refinement and contextualization cycle. This establishes a controlled reinforcement learning loop, where agents improve over time but remain constrained by verifiable rules and operator oversight.
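The trust orchestration layer of the second requirement and the human-in-the-loop reinforcement of the third, together with the dynamic trust inputs listed earlier (identity verification, privilege revalidation, behavior attestation), can be combined into one gate that every proposed mitigation passes through. The following is an added Python example and not TIDSOC or BIRCH-C™ code: the page gives no BIRCH-C™ formula, so the scoring function here is an openly labelled stand-in, and the thresholds, action classes and constructed evidence values are assumptions. It shows "trust-conditioned execution": a low-trust actor is denied, process-affecting actions always go to the operator, access-granting actions are not executed on stale device legitimacy, and a middle-band action class can only be promoted to autonomous execution by accumulated operator approvals.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    EXECUTE = "execute"      # agent may act within its policy boundary
    RECOMMEND = "recommend"  # queued for operator approval
    DENY = "deny"            # actor trust too low to drive any mitigation


@dataclass
class TrustEvidence:
    """The inputs the text names for dynamic trust: identity, privilege, behavior."""
    identity_verified_at: float        # epoch seconds of last identity verification
    privileges_revalidated_at: float   # epoch seconds of last privilege revalidation
    behavior_attested: bool            # behavioral baseline attestation passed
    anomalies_24h: int = 0             # deviations observed in the last day


def trust_score(ev, now, identity_ttl=3600, privilege_ttl=86400):
    """Illustrative 0..1 score. Assumption: this is NOT the BIRCH-C(TM) formula, which the
    text does not give. Fresh identity, fresh privileges and attested behavior each add;
    recent anomalies subtract."""
    score = 0.0
    if now - ev.identity_verified_at <= identity_ttl:
        score += 0.4
    if now - ev.privileges_revalidated_at <= privilege_ttl:
        score += 0.3
    if ev.behavior_attested:
        score += 0.3
    score -= 0.1 * min(ev.anomalies_24h, 3)
    return max(0.0, round(score, 2))


@dataclass
class ProposedAction:
    actor: str             # agent (or identity) proposing the mitigation
    target: str            # device or segment acted upon
    kind: str              # e.g. "block_flow", "restore_access", "force_safe_state"
    affects_process: bool  # could change the physical process if wrong


# Hypothetical action classes that grant access and so depend on the target's legitimacy.
PERMISSIVE_ACTIONS = {"restore_access", "allow_flow"}


@dataclass
class TrustGate:
    auto_threshold: float = 0.8
    deny_threshold: float = 0.4
    min_reinforcement: int = 5
    feedback: list = field(default_factory=list)  # (action kind, operator approved?)

    def record_feedback(self, kind, approved):
        """Operator reinforcement: the only way a middle-band action class is promoted."""
        self.feedback.append((kind, approved))

    def approval_rate(self, kind):
        votes = [ok for k, ok in self.feedback if k == kind]
        if len(votes) < self.min_reinforcement:
            return 0.0
        return sum(votes) / len(votes)

    def evaluate(self, action, actor_ev, target_ev, now):
        """Trust-conditioned execution: rules are checked in order, most restrictive first."""
        actor_t, target_t = trust_score(actor_ev, now), trust_score(target_ev, now)
        why = {"actor_trust": actor_t, "target_trust": target_t}
        if actor_t < self.deny_threshold:
            why["reason"] = "actor trust below deny threshold"
            return Decision.DENY, why
        if action.affects_process:
            why["reason"] = "process-affecting: operator is the final arbiter"
            return Decision.RECOMMEND, why
        if action.kind in PERMISSIVE_ACTIONS and target_t < self.auto_threshold:
            why["reason"] = "target legitimacy stale; will not restore access automatically"
            return Decision.RECOMMEND, why
        if actor_t >= self.auto_threshold:
            why["reason"] = "actor trust above auto-execute threshold"
            return Decision.EXECUTE, why
        if self.approval_rate(action.kind) >= 0.9:
            why["reason"] = "action class reinforced by operator approvals"
            return Decision.EXECUTE, why
        why["reason"] = "middle trust band without reinforcement; queue for operator"
        return Decision.RECOMMEND, why


# Constructed evidence at a fixed "now" so the results are reproducible.
NOW = 1_700_000_000.0
AGENT_FRESH = TrustEvidence(NOW - 600, NOW - 3600, True)                  # scores 1.0
AGENT_DEGRADED = TrustEvidence(NOW - 600, NOW - 3 * 86400, True, 1)       # scores 0.6
DEVICE_STALE = TrustEvidence(NOW - 7 * 86400, NOW - 7 * 86400, False, 2)  # scores 0.0

if __name__ == "__main__":
    gate = TrustGate()
    block = ProposedAction("agent-bas-north", "contractor_laptop", "block_flow", False)
    safe = ProposedAction("agent-bas-north", "plc_chiller", "force_safe_state", True)
    restore = ProposedAction("agent-bas-north", "contractor_laptop", "restore_access", False)
    for a in (block, safe, restore):
        print(a.kind, gate.evaluate(a, AGENT_FRESH, DEVICE_STALE, NOW))
```

The ordering of the rules is the design point: a decayed actor is refused before anything else is considered, process integrity is never delegated regardless of score, and the reinforcement path only ever applies to non-process, non-permissive actions, so operator approvals can widen agent autonomy only where a misclassification cannot reach the physical process.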
When combined, these commitments yield a defense model capable of treating OT for what it actually is—a rhizomatic system rather than a hierarchical one. Instrumenting this rhizome with structured data, computable linkages, continuous trust scoring, and reinforcement-trained agentic orchestration produces a live, adaptive security posture. The system becomes self-observing (through telemetry mapped onto linkage graphs), self-contextualizing (through ULM and BIRCH-C™), and self-adapting (through orchestration and feedback loops).
This unified approach merges the descriptive power of ULM with the operational responsiveness of TIDSOC and the behavioral enforcement capability of BIRCH-C™, resulting in a security ecosystem capable of keeping pace with the disorder, drift, and heterogeneity of industrial networks. It eliminates the visibility gap by exposing cascading risk; it neutralizes the consequences of rhizomatic architectures by allowing agents to contextualise and reason over them; and it closes the response gap by enabling safe, policy-bounded automation at machine speed.
Ultimately, TIDSOC is a systematic architectural framework to operationalize cybersecurity process orchestration within the constraints and realities of ICS/OT environments. Its foundational principle is to make intelligence actionable—transforming assets, telemetry, trust metrics, process behavior, and linkage structures into a continuously updated operational defense model. Rather than consuming threat feeds and logs passively, the TIDSOC framework creates a closed-loop security environment where contextual intelligence actively shapes the system’s defensive posture in near real time.
The outcome is both localized resilience (agents acting on the specific linkage conditions of each site or system) and federated intelligence (organization-wide learning and trust governance). This ensures that security operations are informed by a rich, continuously refreshed understanding of both the assets being defended and the threats targeting them. In a domain where milliseconds matter, legacy constraints and limited traditional controls fail to provide what the combination of ULM, BIRCH-C™, and agentic orchestration provides: a direct, practical pathway to automated, proactive, threat-informed, and operationally safe defense.
The next phase of automation will be shaped by AI agents capable of perceiving state, making decisions, and coordinating with one another continuously—not in batch windows. That requires abandoning static request–response models in favor of event-driven, streaming architectures where data, context, and system state are always live (Confluent, 2025). In this model, agents don’t wait for scheduled jobs or poll for updates; they respond to the world as it unfolds, reasoning and acting on fresh signals with minimal latency.
Organizations that make this architectural shift will be the ones able to operationalize true agentic intelligence. Real-time pipelines turn AI from an analytical tool into an active participant in the system—one that can adapt, coordinate, and remediate at production speed. As adoption accelerates, the competitive gap will widen: those who build streaming-first, event-native infrastructures will run AI systems that learn faster, respond faster, and scale without ceiling, while others remain locked in the constraints of legacy integration patterns.
In short, agentic AI will not thrive on yesterday’s architectures. It requires a live substrate—continuous, reactive, and richly interconnected. The organizations that build on that substrate will define the next era of intelligent automation.
References
Accenture. (2023). The convergence of IT and OT: Transforming industry operations [White paper]. https://www.accenture.com/content/dam/accenture/final/accenture-com/document-2/Accenture-Leading-With-Edge-Computing.pdf
ASHRAE. (2023). BACnet and building automation security standards update. ASHRAE Journal, 65(4). https://www.ashrae.org/technical-resources/ashrae-journal
Borges, E. (2024). Security through obscurity: Legal and ethical considerations. Recorded Future. https://www.recordedfuture.com/threat-intelligence-101/legal-ethical-considerations/security-through-obscurity
Camunda. (2025). Why agentic process orchestration belongs in your automation strategy [White paper]. https://page.camunda.com/wp-why-agentic-process-orchestration-belongs-in-your-automation-strategy
Claroty. (2023). The global state of industrial cybersecurity. https://claroty.com/resources/state-of-industrial-cybersecurity
Confluent. (2025). A guide to event-driven design for agents and multi-agent systems [White paper]. https://www.confluent.io/thank-you/ebook/guide-to-event-driven-agents/
Cybersecurity and Infrastructure Security Agency. (2023). MGM Resorts International cybersecurity incident [Advisory]. https://www.cisa.gov/news-events/alerts/2023/09/14/mgm-resorts-international-cybersecurity-incident
Cugurullo, F. (2020). Urban artificial intelligence: From automation to autonomy in the smart city. Frontiers in Sustainable Cities, 2, Article 38. https://doi.org/10.3389/frsc.2020.00038
Deleuze, G., & Guattari, F. (1987). A thousand plateaus: Capitalism and schizophrenia (B. Massumi, Trans.). University of Minnesota Press. https://files.libcom.org/files/A%20Thousand%20Plateaus.pdf
Hiles, S. (2022). Rhizomatic networks: Understanding complex industrial topologies. Industrial Networks Quarterly, 18(3), 12–28.
Muehmel, K. (2025). The LLM mesh: An architecture for building agentic applications in the enterprise [White paper]. https://pages.dataiku.com/oreilly-tech-guide-llm-mesh
MITRE. (n.d.). ATT&CK for industrial control systems (ICS). https://attack.mitre.org/matrices/ics/
Schneider Electric. (2023). Securing operational technology: Addressing the accidental architecture of industrial networks [White paper]. https://download.schneider-electric.com/files?p_enDocType=White+Paper&p_File_Name=OT-security-whitepaper.pdf
Snowflake. (2025). A practical guide to AI agents: Key concepts, use cases, and considerations to drive ROI [White paper]. https://www.snowflake.com/resource/a-practical-guide-to-ai-agents/
Sienkiewicz, H. J. (2025). Unified linkage models: Recontextualizing cybersecurity. United States Cybersecurity Magazine. https://www.uscybersecurity.net/csmag/unified-linkage-models-recontextualizing-cybersecurity/
Sienkiewicz, H. J. (2025). Establishing trustworthiness: An adaptive governance approach. United States Cybersecurity Magazine. https://www.uscybersecurity.net/csmag/establishing-trustworthiness-an-adaptive-governance-approach/
Stouffer, K., Falco, J., & Scarfone, K. (2015). Guide to Industrial Control Systems (ICS) security (NIST Special Publication 800-82 Rev. 2). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-82r2
Stouffer, K., Tang, C., & Pease, M. (2023). Guide to Industrial Control Systems (ICS) security (NIST Special Publication 800-82 Rev. 3). National Institute of Standards and Technology. https://csrc.nist.gov/pubs/sp/800/82/r3/final
U.S. Department of Energy, Office of Cybersecurity, Energy Security, and Emergency Response. (2023). Cybersecurity considerations for industrial control systems and operational technology. https://www.energy.gov/ceser
Volexity. (2023). Threat actor intrusion at MGM Resorts International: Technical analysis. https://www.volexity.com/blog/2023/09/14/incident-response-analysis-of-mgm-resorts-international-attack/
Zaki, M., Sivakumar, V., Shrivastava, S., & Gaurav, K. (2021). Cybersecurity framework for healthcare industry using NGFW. In 2021 Third International Conference on Intelligent Communication Technologies and Virtual Mobile Networks (ICICV) (pp. 196–200). IEEE. https://doi.org/10.1109/ICICV50876.2021.9388455
Zaki Mohammed
Alessandro Azzaro