NATO tests AI’s ability to protect critical infrastructure against cyberattacks

Autonomous intelligence, artificial intelligence (AI) that can act without human intervention, can help identify critical infrastructure cyberattack patterns and network activity, and detect malware to enable enhanced decision-making about defensive responses. That’s according to the preliminary findings of an international experiment of AI’s ability to secure and defend systems, power grids and other critical assets by cyber experts at the North Atlantic Treaty Organization’s (NATO) Cyber Coalition 2022 event late last year.

The simulated experiment saw six teams of cyber defenders from NATO allies tasked with setting up computer-based systems and power grids at an imaginary military base and keeping them running during a cyberattack. If hackers interfered with system operations or the power went down for more than 10 minutes, critical systems could go offline. The differentiator was that three of the teams had access to a novel Autonomous Intelligence Cyberdefense Agent (AICA) prototype developed by the US Department of Energy’s (DOE) Argonne National Laboratory, while the other three teams did not.

The aim of the experiment was to test and measure AI’s efficiency in collecting data and assisting teams in responding to cyberattacks against critical systems and services, along with highlighting the need for tools that improve collaboration between humans and machines to reduce cyber risk. The experimental findings were published in late December 2022 shortly after a new US Government Accounting Office (GAO) report warned that numerous key government entities are flying blind on critical infrastructure security, having failed to implement most recommendations related to protecting critical infrastructure since 2010.

AI reveals critical infrastructure cyberattack patterns, network traffic, target systems

Teams set up a defined list of services, monitored the simulated power microgrid supporting their systems, responded to injected requests, and attempted to disrupt other teams’ attempts to do the same through cyberattack strategies, Argonne National Laboratory wrote. None of the teams knew the scenario or networks prior to the experiment.

The teams that used Argonne’s AICA prototype made key observations surrounding network activity, logged events, and intrusion detection alerts, or they detected malware that enabled enhanced operator queries and automated decision-making about defensive responses, the company claimed. “All the teams were able to keep their grids online, but that wasn’t the only valuable outcome,” stated Benjamin Blakely, cybersecurity research analyst at Argonne, who led the experiment alongside cyberspace experts from NATO’s Allied Command Transformation (ACT). “We were able to see the network as AICA sees it, including relationships between attack patterns, network traffic and target systems. Agents use this information to build a knowledge graph of the network and that helps them better protect it.” Blakely and NATO’s ACT will publish the full results of the experiment in the coming months.

Bob Kolasky, Exiger SVP of critical infrastructure and former assistant director at the Cybersecurity and Infrastructure Security Agency (CISA), tells CSO that the exercise shows the potential for emerging technology to be a game changer in managing risk to complex, interdependent systems. “National Laboratories, such as Argonne, are bringing exquisite modeling, synthetic data, and high computing power to support critical infrastructure. This will enable enhanced AI and it will be important to test how AI is applied through operational concepts. It is exciting to see NATO testing how to apply AI for critical infrastructure protection.”

Critical infrastructure facing increasing, complex cyberthreats

Critical infrastructure, systems, and services continue to face increasing and complex cyberthreats, including heightened risks linked to the Russia-Ukraine conflict. Last December, Microsoft released its third edition of the Cyber Signals report, revealing that risks to critical infrastructure are on the rise due to the pervasiveness, vulnerability, and cloud connectivity of internet-of-things (IoT) and operational technology (OT) devices, which represent a rapidly expanding, often unchecked risk surface affecting a wider array of industries and organizations. “While the prevalence of IoT and OT vulnerabilities presents a challenge for all organizations, critical infrastructure is at increased risk. Disabling critical services, not even necessarily destroying them, is a powerful lever,” the report stated.

Martin Riley, director of managed security services at cybersecurity firm Bridewell, tells CSO that geopolitical tensions surrounding the Russia-Ukraine war left a significant impact on critical infrastructure, and shifted threat levels to greater heights. “Our research, which interviewed 521 cybersecurity decision makers in critical national infrastructure, found that over seven in 10 reported a rise in attacks since Russia’s invasion of Ukraine.”

Riley recently commented on threats posed to Europe’s subsea critical infrastructure with Russia accused of launching a deep-sea sabotage campaign to destroy vital energy and data links, urging network operators to increase the cyber resilience of services. “We’ve seen the cyber-physical or hybrid war played out publicly this year, bringing it to the attention of the world via mainstream media and it’s something that organizations that operate critical infrastructure have understood,” he wrote. “However, sub-sea data cables still remain without consistent regulation nor standards. With 580 active or planned sub-sea cables, our economies and society rely on the inter-connectedness that we all love and expect in today’s world.”

In April, The Five Eyes (United States, Australia, Canada, New Zealand, and United Kingdom) issued an alert giving a comprehensive overview of Russian state-sponsored and cybercriminal threats to critical infrastructure, whilst the notorious cybercrime group behind the Conti ransomware threatened to hit critical infrastructure in support of the Russian government.

Autonomous/artificial intelligence’s role in tackling critical infrastructure cyberthreats

Autonomous/artificial intelligence has the potential to play a significant role in securing critical infrastructure and addressing the complex cyberthreats such systems face. “AI is imperative in the detection of threats to critical infrastructure – then, it is down to the agreed response actions, which may be automated to contain, eradicate, or prevent the wider threat,” Riley tells CSO. “The necessity comes from the constant change of the infrastructure used by threat actors and the slight or wholescale changes of their behaviors. Bridewell has its own intelligence and research team that actively tracks adversaries, their infrastructure, and behaviors alongside the use of AI. The cost of that research and intelligence is large, so shifting to an AI generated model, reduces that cost whilst increasing the maturing and as such, reducing the risk.”

The simple reality is that critical functions are usually based on a complex web of dependencies and interdependencies which are managed largely through digital means, says Kolasky. “It is impossible for humans alone to understand those complexities and attack points. AI will allow for increases in effectiveness and efficiency of risk monitoring and ultimately risk mitigation and system resilience.”