Critical infrastructure

AI and critical infrastructure

In today’s increasingly interconnected world, protecting critical infrastructure systems is paramount. AI can be a valuable ally in this endeavour. But its misuse can present a risk to critical infrastructure systems.

The role of AI in safeguarding critical infrastructure

AI plays a pivotal role in safeguarding critical infrastructure systems. AI can strengthen the security of critical infrastructure by employing advanced threat detection and response mechanisms. AI-powered cybersecurity systems constantly scan network activity, system records, and user behaviour for possible threats and abnormalities. These systems use machine learning algorithms to analyse enormous volumes of data, identify patterns linked to well-known and newly discovered cyberattacks, and take prompt, proactive measures to reduce risks.

Additionally, AI-based intrusion detection and prevention systems have the capacity to recognise and prevent harmful activity and intercept attempts at unauthorised access. These systems continuously improve their capacity to identify sophisticated and developing threats by learning from previous data, adapting to new attack strategies, and collecting new information.

The strength of AI in anomaly detection is particularly valuable for critical infrastructure cybersecurity. By developing behaviour models, AI systems can spot deviations and anomalies that can be signs of security breaches or cyberattacks. This approach enables early detection of previously unseen attack vectors.

Furthermore, through analysing vast amounts of security-related data, AI plays a crucial role in security analytics. AI can find trends, correlations, and patterns that might point to vulnerabilities or risks in critical infrastructure systems. This allows security teams to set priorities, make informed decisions, and strengthen their entire cybersecurity posture.
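The behaviour-modelling idea described above is easier to see on concrete input. The following Python sketch is an added example, not code from the original page or from any product it mentions: it builds a per-user baseline (normal login hours and source networks) from a constructed set of authentication log lines, then scores later lines against that baseline and flags deviations, including a burst of failed logins. The `user=... src=... action=... result=...` log format, the hostnames, IP addresses and thresholds are all assumptions made for the example; real deployments replace the set-membership checks with learned statistical models, but the detection logic is the same in shape.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical key=value authentication log format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Constructed training data: alice works office hours from 10.0.1.0/24,
# the ops account works nights from 10.0.2.0/24.
BASELINE_LOGS = [
    "2024-03-01T08:12:03Z user=alice src=10.0.1.5 action=login result=success",
    "2024-03-01T09:40:11Z user=alice src=10.0.1.7 action=login result=success",
    "2024-03-02T08:05:44Z user=alice src=10.0.1.5 action=login result=success",
    "2024-03-02T17:55:02Z user=alice src=10.0.1.9 action=login result=success",
    "2024-03-01T22:01:00Z user=ops src=10.0.2.3 action=login result=success",
    "2024-03-02T23:14:37Z user=ops src=10.0.2.3 action=login result=success",
    "2024-03-03T00:30:12Z user=ops src=10.0.2.4 action=login result=success",
]

# Constructed events to score. Only three of them should be flagged.
NEW_LOGS = [
    "2024-03-04T08:20:00Z user=alice src=10.0.1.5 action=login result=success",
    "2024-03-04T03:15:00Z user=alice src=203.0.113.44 action=login result=success",
    "2024-03-04T23:10:00Z user=ops src=10.0.2.3 action=login result=success",
    "2024-03-04T01:45:00Z user=ops src=10.0.2.4 action=login result=success",
    "2024-03-04T10:00:00Z user=alice src=10.0.1.5 action=login result=failure",
    "2024-03-04T10:00:20Z user=alice src=10.0.1.5 action=login result=failure",
    "2024-03-04T10:00:40Z user=alice src=10.0.1.5 action=login result=failure",
    "not a log line at all",
]


def parse_line(line):
    """Parse one log line into a dict; return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def subnet24(ip):
    """Reduce an IPv4 address to its /24 prefix, e.g. 10.0.1.5 -> '10.0.1'."""
    return ".".join(ip.split(".")[:3])


def build_baseline(lines):
    """Per-user model of normal behaviour: hours and /24 networks seen in successful logins."""
    baseline = defaultdict(lambda: {"hours": set(), "subnets": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "login" or ev["result"] != "success":
            continue
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
        baseline[ev["user"]]["subnets"].add(subnet24(ev["src"]))
    return dict(baseline)


def near_known_hour(hour, known_hours, tolerance=1):
    """True if `hour` is within `tolerance` hours of a baseline hour, wrapping at midnight."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in known_hours)


def detect_anomalies(baseline, lines, fail_threshold=3, fail_window_s=60):
    """Score chronologically ordered events; return [(line, [reasons])] for flagged lines."""
    findings = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            findings.append((line, ["unparseable line"]))
            continue
        reasons = []
        user, ts = ev["user"], ev["ts"]
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for user")
        else:
            net = subnet24(ev["src"])
            if net not in profile["subnets"]:
                reasons.append("login from unseen network %s.0/24" % net)
            if not near_known_hour(ts.hour, profile["hours"]):
                reasons.append("login at unusual hour %02d" % ts.hour)
        if ev["action"] == "login" and ev["result"] == "failure":
            q = recent_failures[user]
            q.append(ts)
            # Drop failures older than the sliding window before counting.
            while q and (ts - q[0]).total_seconds() > fail_window_s:
                q.popleft()
            if len(q) >= fail_threshold:
                reasons.append("%d failed logins within %ds" % (len(q), fail_window_s))
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in detect_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(line, "->", "; ".join(reasons))
```

The per-user profile is the point: a single global "no logins after 22:00" rule would raise an alert on every one of the ops account's normal shifts, while the baseline learned from the account's own history accepts its 01:45 login (within an hour of a known hour, across midnight) and still flags alice's 03:15 login from an unfamiliar network. Unparseable input is surfaced rather than silently dropped, since a log source that changes format is itself worth a look.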

AI can be exploited by malicious actors

However, it is important to acknowledge that malicious actors can also exploit AI. They can use AI to build sophisticated evasion techniques that get around conventional security measures, for instance by generating malware variants that evade detection or by mimicking legitimate user behaviour. They can also use AI to automate attacks, with algorithms that locate targets, launch the attack, and adapt tactics as needed. Lastly, attackers can conduct data poisoning attacks by altering AI training data to introduce biases or weaknesses into the resulting systems.

To mitigate these risks, organisations need to implement robust cybersecurity measures, regularly update their systems, and deploy multi-layered defence strategies. Combining human expertise and oversight with AI capabilities promises more effective defences.


Critical infrastructures (CI) can be defined loosely as ‘systems that are so vital to a nation that their incapacity or destruction would have a debilitating effect on national security, the economy, or public health and safety’ (according to the IETF Security Glossary). Most countries have defined their own CI according to their national context; in most cases these include both the core internet and, more widely, ICT infrastructures (such as telecommunications networks), as well as transport, energy, and other key infrastructures that rely increasingly on ICTs.

Critical (information) infrastructure protection (CIP) is ever more important because critical infrastructures depend increasingly on networks linked to the internet. Many vital parts of global society, including industries such as energy, water, and finance, are becoming more and more dependent on the internet and other computer networks as their information infrastructure. While this allows for resource optimisation, it also leaves them exposed to cyberattacks and internet outages.

The history of the concept can be traced back to the 1998 US Presidential Decision Directive PDD-63, which set up a national programme of Critical Infrastructure Protection. The aim was to secure infrastructures of national importance against cybersecurity risks. Over the last 15 years the concept of CI has broadened to cover supply chain insurance, physical damage from natural hazards, and targeted physical attacks.

In 2007, the IETF added Critical Information Infrastructures to the Internet Security Glossary (RFC 4949). The definition adopted by the IETF (presented at the beginning of this description) shows that while ICT can be a CI in itself, the spread of ICTs into our daily activity has made CI a transversal subject. To face cyber risks, many countries and even some larger institutions have developed teams that respond in case of emergency. Such a team is often called a Computer Emergency Response Team (CERT); other variations are Computer Emergency Readiness Teams and Computer Security Incident Response Teams (CSIRTs). In the case of nation states, these teams are often characterised by strong public-private partnerships (PPP), as many CIs are in the hands of the private sector. The policies pertaining to information infrastructure are often called Critical Information Infrastructure Protection (CIIP) policies.

The US Presidential Decision Directive PDD-63 was updated in 2003 through Homeland Security Presidential Directive 7 on Critical Infrastructure Identification, Prioritization, and Protection. This update broadened the definition of infrastructure to the physical and virtual systems that are ‘so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters’. In 2013, it was replaced by PPD-21, Critical Infrastructure Security and Resilience, with the intention of advancing national efforts to ‘strengthen and maintain secure, functioning and resilient critical infrastructure’. The policy directive was accompanied by Executive Order 13636, ‘Improving Critical Infrastructure Cybersecurity’. The National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity in February 2014. The document provides generic guidance on how companies and institutions in charge of CI can organise their cybersecurity, improve it, and mitigate and recover from a cyberattack.

In the European Union, the European Programme for Critical Infrastructure Protection (EPCIP), presented by the European Commission in 2006, outlined the principles, processes and instruments proposed for its implementation. A complementary CIIP action plan was also set out, built on five pillars: preparedness and prevention, detection and response, mitigation and recovery, international cooperation, and criteria for European Critical Infrastructures in the field of ICT. Directive 2008/114/EC on the identification and designation of European critical infrastructures followed, with the aim of setting up a ‘procedure for the identification and designation of European critical infrastructures (‘ECIs’), and a common approach to the assessment of the need to improve the protection of such infrastructures in order to contribute to the protection of people’. The proposal for a Network and Information Security Directive (proposed by the European Commission in 2013 and agreed upon by Parliament, Council and Commission in December 2015), paired with the EU Cybersecurity Strategy, gives member states more specific guidance on CIIP measures, including the setting up of CERTs. At the same time, the European Union Agency for Network and Information Security (ENISA) is in charge of following up on the implementation of CIIP measures and providing capacity-building measures and resources. ENISA works closely with national CERTs.

The OECD Recommendations on CIIP (2008) set out a number of steps for member states. At the national level, states are invited to adopt high-level policy objectives, develop a national strategy, identify the government agencies and organisations responsible for CIIP, develop an organisational structure for prevention and response (including independent CERTs), consult with the private sector and build trusted public-private partnerships, facilitate information sharing while acknowledging the sensitivity of certain information, conduct risk assessments, and so on. At the international level, states are encouraged to enhance information sharing and strengthen cooperation across the institutions in charge of CIIP.

The Organization of American States (OAS), through General Assembly resolution AG/RES 1939 (XXXIII-O/03) of 2003, adopted the Inter-American Cyber-Security Strategy, which pools the efforts of three existing, related bodies of the organisation: the Inter-American Committee against Terrorism (CICTE), the Meetings of Ministers of Justice or Other Ministers or Attorneys General of the Americas (REMJA), and the Inter-American Telecommunication Commission (CITEL). These groups cooperate to implement programmes that aim to prevent cybercrime by, among other things, protecting critical infrastructure through legislative and other procedural measures.

In 2007, the International Telecommunication Union (ITU), in cooperation with the Center for Security Studies of ETH Zurich, provided a generic national framework for CIIP, with a number of action pillars. ETH Zurich also published the International CIIP Handbook 2008/2009, with an inventory of 25 national and seven international CIIP policies.