Asking AI - Create a Cybersecurity Roadmap
And Gemini as a clear winner
My “Always invite AI to the table” topic today was thinking about a basic plan, a roadmap, for a cybersecurity program for small entities in the critical infrastructure sector. There’s an event that’s part of a recurring series that I’m attending soon which covers similar sort of territory, and I always like to brainstorm a little leading up to these.
The AI apps ‘at the table’ this morning were ChatGPT 4o, Claude Sonnet 3.7, Gemini Advance 2.0 Flash and 2.5 Pro (experimental), Le Chat, and Perplexity. Here’s the prompt I gave them:
You're a cybersecurity professional with many years experience in the critical infrastructure sector. Please create a cybersecurity program roadmap for a small entity in the critical infrastructure sector. Keep the initial plan concise, and focus on making it viable (from a human and financial resources perspective) for a small organization in the critical infrastructure sector, think small town, not city.
All the responses were decent, and there were a couple of useful elements included in more than one response. Two of them are most in line with my own thinking, the ones from Claude and Gemini (both models). They are both concise and offer clear, usable guidance. Gemini stands out as the most on target for this particular sector and offers recommendations that are the best fit for critical infrastructure.
So lets look at the best bits from the responses from the two Gemini models. The 2.5 Pro experimental model knocks it out of the park right away with this Number 1 guiding principle:
Guiding Principles:
Prioritize Safety & Availability: Especially for Operational Technology (OT), ensuring safe and continuous operation is paramount. Security controls must not compromise this.
This, more than anything in all of the responses from all the apps, shows a clear understanding of OT environments. These are mission critical components of critical infrastructure organizations and they do prioritize safety and availability - unlike IT environments that typically use the CIA Triad - Confidentiality, Integrity, Availability - as a way to prioritize cybersecurity efforts.
Gemini 2.0 Flash also starts off well, highlighting the importance of regulatory requirements:
Overarching Goal: Establish a foundational cybersecurity posture to protect essential operations and meet regulatory requirements.
Both Gemini models have a very good outline of phases in the roadmap covering the first 18 months of implementing it and advice on ongoing practices beyond that initial period. Here’s the first chunk of Phase 1 recommended by Gemini 2.0 Flash:
Phase 1: Assessment and Foundational Controls (Months 1-3)
Goal: Understand the current state and implement basic, high-impact security measures.
Activities:
Identify Critical Assets: Determine the most important systems and data for operations (e.g., control systems, billing, customer data). Keep this list focused.
Basic Risk Assessment: Conduct a simple risk assessment focusing on common threats (malware, phishing, unauthorized access) and vulnerabilities. Use readily available frameworks (like NIST CSF for Small Businesses or CISA resources).
Inventory IT & OT Assets: Create a basic inventory of hardware, software, and operational technology (OT) systems.
This speaks to the fact that as defenders we need to know what we are defending and what are the most critical things that we need to defend.
Gemini 2.5 Pro adds a little detail on what’s needed to implement Phase 1 activities. Here’s a slice of that on its Phase 1 activities outline:
Key Activities:
Identify Critical Assets & Functions: What systems (IT & OT) and processes are essential for operation? Where is sensitive data stored? Resource: Staff knowledge, operational diagrams.
Basic Asset Inventory: Create a simple list of hardware (servers, workstations, PLCs, network gear) and software. Doesn't need to be perfect, just a starting point. Resource: Staff time, potentially free network scanning tools.
Identify Key Personnel & Responsibilities: Who manages IT? Who manages OT? Who has administrative access? Who is the point person for security issues? Resource: Staff time, organizational chart.
Basic Access Control Review:
Change all default passwords on devices (routers, switches, PLCs, servers).
Identify and minimize shared user accounts.
Review who has administrative privileges – apply principle of least privilege. Resource: Staff time.
All of the elements across the three phases outlined by the two Gemini models are solid recommendations and well stated. My only quibble with them is that vulnerability scanning is part of Phase 3. I think it’s possible and important to include that earlier.
Gemini 2.0 Flash nails the wrap-up guidance at the end of its response. I wanted to just take part of it, but it’s all really good - so here’s that whole section:
Key Considerations for a Small Entity:
Leverage Existing Staff: Identify individuals with technical aptitude who can take on cybersecurity responsibilities as part of their existing roles. Provide them with targeted training.
Prioritize Low-Cost/No-Cost Solutions: Utilize free tools, open-source software where appropriate, and resources from government agencies (CISA, NIST).
Focus on the "Big Rocks": Prioritize implementing controls that address the most common and impactful threats.
Keep it Simple: Avoid overly complex solutions or processes that are difficult to manage with limited resources.
Phased Implementation: Break down the program into manageable steps to avoid overwhelming staff and budgets.
Continuous Improvement: Cybersecurity is an ongoing process. Regularly review and adapt the program as needed.
Collaboration is Key: Partner with other small entities or local government for shared resources or knowledge.
Leadership Buy-in: Ensure that leadership understands the importance of cybersecurity and supports the program.
We should never take everything an AI tools spits out and use it, but Gemini’s responses are definitely usable as food for thought and discussion prompts when looking at this topic.
I also have to say that I’m happy to see a clear win for Gemini here.
Note: I explained where “always invite AI to the table” comes from in this post:
How are you inviting AI to the table these days? Let me know in the comments if any of you would like to see the full responses from Gemini or any of the other apps.