AI and cybersecurity: Friends or foes?

MARTINE HANNEVIK     Welcome to the Trust in Industrial AI video series, where we explore how to implement AI with speed and confidence in safety critical industries. In today's episode, we'll explore the cybersecurity threats of implementing AI and how to mitigate them. I'm your host, Martine, and today I'm joined by Ionut and Kenneth. Welcome to both of you.

IONUT COCANU     Good to be here.

KENNETH KVINNESLAND     Thank you for having me.

MARTINE HANNEVIK     Yeah, I think we'll start with the with the big question to you Kenneth and that is what are the new risks associated or cybersecurity risks associated with integrating AI into critical infrastructure?

KENNETH KVINNESLAND     I think that there are some new attack vectors. An interesting possibility is that if an AI application is trained on open data, it can be possible to manipulate those data and that means that the cyber criminals could in principle create an unsafe condition without penetrating the traditional cyber defences at all. Then there are other things. Like, you could have AI model that are or depending on data outside your own control and so on, which could also create some problems.  

But what we are most concerned of is the possibility that AI could empower the attackers. So the attacks may be getting much more sophisticated. And then they could not only create unsafe conditions, but also compromise the independent defences that we have in place to deal with those kind of things.  And then everything falls apart. So if cybersecurity falls apart, then the whole system is compromised.

MARTINE HANNEVIK     Can you elaborate a bit more on the importance of cybersecurity and AI systems?

IONUT COCANU     Sure. So not to be very dramatic when it comes to cybersecurity and AI in the critical infrastructure, but one thing that we need to remember is that we're dealing with the potential loss of life when it comes to critical infrastructure. As per today, we know that we do have quite a lot of incidents because of human failure. It can be like a software or process failure, but this can be also in the future, quite near, AI manipulation. So this is why in the critical infrastructure we need to step up a little bit in the way we work with our suppliers and our products, because the threat actors are evolving. 

MARTINE HANNEVIK     And of course in these industries the consequences can be fatal.

IONUT COCANU     Yes.

MARTINE HANNEVIK     And can you provide an example of how AI has been used when it comes to critical infrastructure?

IONUT COCANU     It's quite hard to find practical example because it's a very close environment. But I did love quite a lot an example called D Blocker which is a research programme by IBM and they demonstrated how they can use AI by performing an attack. They managed to hide this payload how we call it in a very legitimate application which it was a web application and they have proven that they could get away unsuspected by the normal detection systems like antivirus and anti malware and that particular software that they have developed. It managed to use AI to identify a specific target and it acted like a digital weapon. It didn't went randomly on any machines. It just waited by using facial identification and when that target was identified, ransomware was deployed on that machine. And that's more proof how can that how can AI can be used in in those situations.

MARTINE HANNEVIK     Yeah. So we, we see how attackers can use AI to get better in their offense, but the organisations can also use AI for better defence.

IONUT COCANU     Definitely. Then it's a good opportunity from us. And then we can see at least two important areas where they can be improved. One could be the false positives. Now it is more often that we have, we have security operation centres that are helping us to monitor our system, our critical infrastructure. But we also tend to see a lot of errors, a lot of logs that they need to be analysed, a lot of false positives, how we like to call them that are required to be investigated. Having an AI that can support us of train that AI with OT data and help us to de-clog a little bit of this noise will first improve our detection and also help the security teams to focus more on the on the real on the real incidents. And then we also need to think a little bit about the threat, the insiders. Maybe we don't talk that much about the insiders, but we tend to operate on trust. We tend to operate to give opportunities for maintenance and engineering activities to our vendors. And having a behaviour type of AI that can analyse this kind of traffic in our network can help us react faster. And then of course, all these two things are coming to, are bringing more or less the idea that we can go quite fast from being reactive in defence to a more proactive, acting more faster and being proactive by using AI.

MARTINE HANNEVIK     Yeah. So AI can actually help us be more proactive in our defence.

IONUT COCANU     So, so far, we talk, we talk all the time about being more proactive. But I feel that now we actually have the tools to go there and be actually proactive.

MARTINE HANNEVIK     And are there any other best practices that you can share?

IONUT COCANU     Of course when it comes to best practices, we don't need to overcomplicate things. We have very good frameworks already in place and use in, in our businesses here I can name NIST, I can, I can name 62443 from IEC. They are very good points to start also when it comes to AI. And then of course, we have the classical risk assessment that we tend to perform in our critical infrastructure, can be a pen testing to be more evolved, can be threat scenarios and so on.

MARTINE HANNEVIK     So we actually have a lot of the tools and the processes in place already.

IONUT COCANU     We just need to be aware and treat these AIs as critical systems that we probably already do with other systems. We don't need to be afraid of them. We just need to embrace them and we need to introduce them in our already established routines.

MARTINE HANNEVIK     We just need to be aware and treat these AIs as critical systems that we probably already do with other systems. We don't need to be afraid of them. We just need to embrace them and we need to introduce them in our already established routines.

IONUT COCANU     Adopt defence in depth when it comes to cybersecurity and AI models implement of course from beginning of the phases when you're doing the testing and the training of these models until deployment. At the end of the day, we want to treat these, these AI models in similar as we do it from our critical systems, which means that they need to follow the same securities, the same controls that we're doing today for our systems. And then it's more important is to also have that mindset of an attacker. So in the process of our dumping on AI is going to be a phase, maybe a test phase where you can stress that AI stress it, you can fed it with wrong information, see how it reacts. Because at the end of the day, you want to be one step ahead of your attackers and want you want to see how the system reacts and you want to build trust. And one good way is doing this type of approach.

MARTINE HANNEVIK     Great.  And what about you, Kenneth any final advice?

KENNETH KVINNESLAND     Yeah, I'd like to follow up on what Ionut have said because do it like you do with others critical system. Don't put all your eggs in one basket. So if you are afraid that you have a high-risk AI solution that could be vulnerable for example to date the manipulation, there should be an independent way of detecting that which don't depend on the AI solution. Then I need to be fall back functions or whatever you have in place to save the day.

MARTINE HANNEVIK     Great. So I guess it's a kind of key take away from me. The attackers are getting more sophisticated, but so can our defence. And we have already a lot of the tools and the processes to be proactive and AI can help us even more with the productivity.

Thank you very much, both of you for sharing your great insights and thank you to our audience for tuning in. If you have any questions or want to learn more about how DNV can support you with the safe application of industrial AI, then please visit our website. Thank you.