The threat of AI to energy security

The energy industry has become increasingly vulnerable to cyber threats as a result of rapid digitization. Cyberattacks against electricity grids, pipelines, and other critical energy infrastructure have long evolved from being mere nuisances to becoming serious security challenges.

Yet in terms of potency, most regular computer viruses pale in comparison to up-and-coming malware based on artificial intelligence (AI). In the near future, this highly disruptive breed of malware will usher in a new era of threats to the energy industry, allowing hostile actors to wreak havoc on a scale hitherto unknown.

Cyberattacks are a scourge for most modern industries, but the energy industry is more exposed than almost any other. Last year, Deloitte reported that the energy industry was the second most popular target for cyberattacks in 2016. In an expert survey conducted by TripWire in 2018, 70 percent of respondents from the energy industry expressed concern that a cyberattack could cause a catastrophic failure, such as an explosion, and nearly 100 percent were concerned that attacks could cause operational shutdowns.

These concerns are anything but surprising. In 2015, sophisticated malware called BlackEnergy and KillDisk attacked the industrial control systems of an electrical grid in Ukraine. The intrusion quickly left 225,000 customers in the dark and caused severe software damage from which the electricity grid took months to recover.

Last year, Saudi Aramco—the world’s largest energy company—was reportedly struck by the Triton malware, which sought to tamper with the company’s industrial control systems and trigger an explosion. Had the attack been successful, it could have caused human injuries at the facility, sabotaged the firm’s operations, and led to disruptions of energy exports.

Regular malware such as BlackEnergy or Triton poses a formidable threat to the energy industry, but AI-driven malware ramps up the threat to a completely new level.

Earlier this year, technology giant IBM unveiled a proof-of-concept called DeepLocker, which became the first-ever malware based on AI. It was developed in an attempt to understand how deep neural AI models can be combined with malware techniques to create a new generation of highly sophisticated computer viruses.

In terms of capabilities, DeepLocker stands in a class of its own. By benefiting from machine learning algorithms, this new type of malware can infect computer systems and hide any malicious payload within a legitimate computer program in a way that would prevent anyone from knowing that it is there. As a result, the malware can remain undetected for as long as necessary.

More worryingly, such AI-driven malware can be employed with unprecedented accuracy. Thanks to state-of-the-art algorithms, it can remain dormant until predefined biometric recognition requirements are met. The malware could infect millions of individual users, but it would only strike against a very specific target or targets. This approach contrasts with the “spray-and-pray” method whereby malware hits victims at random and in large numbers.

On top of this, attribution of AI-driven malware is next to impossible. Most regular malware can be “caught” by cybersecurity specialists and reverse engineered to develop a vaccine. It is much more difficult, however, to reverse engineer malware that stays concealed within a harmless computer program, let alone figure out who made it. Such anonymity will drive adversaries to deliver highly targeted attacks with a greater degree of impunity.

While DeepLocker poses no threat to the energy industry, this proof-of-concept was built using freely available open-source AI models and existing evasion techniques. Therefore, it is almost certain that in the near future rogue states and hostile non-state actors with the necessary resources will leverage these freely available tools and weaponize AI for their own purposes.

Given what’s at stake, there is a clear need to start thinking about strengthening the cybersecurity of the energy industry. Basic things such as awareness raising and improved cyber hygiene at the workplace can go a long way, but sometimes this might not be enough. To match and counter the threat posed by AI-driven malware, the energy industry needs to find creative ways to stay one step ahead of the bad guys.

The development of AI-driven cybersecurity systems for the energy industry could be a promising option. To date, significant progress has been made in developing smarter security systems, but most currently available solutions barely scratch the surface of what is possible. Leveraging AI for identifying computer viruses is great, but the future arguably lies within developing autonomous security systems, which would respond to cyber threats faster than any human could.

The energy industry also needs to team up with government institutions to create public-private partnerships to address the cyber dimension of energy security. Though most energy infrastructure is in private hands, governments can still provide support by developing national AI strategies and other frameworks, which would encourage cooperation and spur innovation.

Given the current pace of technological development, we will doubtlessly witness the rise of a new breed of AI-driven malware in the near future. Therefore, the energy industry needs to dive deep into machine learning and consider developing adequate security systems before a devastating cyberattack shows that it is too late.

Lukas Trakimavičius works at the Economic Security Policy Division of the Lithuanian Ministry of Foreign Affairs. This article reflects the author’s personal views.

Image: A view shows a laptop display showing part of a code, which is the component of Petya malware computer virus according to representatives of Ukrainian cyber security firm ISSP, at the firm's office in Kiev, Ukraine July 4, 2017. Picture taken July 4, 2017. (REUTERS/Valentyn Ogirenko)