Cyber-physical attacks fueled by AI are a growing threat, experts say


When most people hear about cybersecurity hacks they envision frozen monitors, ransomware demands, and DDoS attacks that compromise connectivity for a few hours or even days.

Some experts, though, are worried that with the arrival of widespread artificial intelligence in the hands of hackers — both lone wolves and nation-states — we may be entering the era of the “cyber-physical attack.”

In fact, last month the FBI warned Congress that Chinese hackers have burrowed deep into the United States’ cyber infrastructure in an attempt to cause damage. FBI Director Christopher Wray said Chinese government hackers are targeting water treatment plants, the electrical grid, transportation systems and other critical infrastructure inside the U.S.

Stuart Madnick, an MIT professor of engineering systems and co-founder of Cybersecurity at MIT Sloan (CAMS), has studied and written about the cyber-physical nexus. He said with the widespread arrival of generative AI, concerns about physical attacks being the next phase of cybercrime have grown.

More than taking a system offline

Madnick said that he and his team have simulated cyberattacks in the lab, resulting in explosions. They were able to hack into computer-controlled motors with pumps and make them incinerate. Attacks that cause temperature gauges to malfunction, pressure valves to jam, and circuits to be circumvented can also cause blasts in lab settings. Such an outcome, Madnick said, would do far more than simply taking a system offline for a while, as a typical cyberattack does.

“If you cause a power plant to stop from a typical cyberattack, it will be back up and online pretty quickly, but if hackers cause it to explode or burn down, you are not back online a day or two later; it will be weeks and months because a lot of the parts in these specialized systems are custom made. People don’t realize downtimes can be substantial,” Madnick said.

He added that the technology, now boosted by AI, exists to wreak havoc on physical systems. Still, three elements must be in place for such attacks to occur: capability, opportunity, and motivation.

“The only thing really keeping bad things from happening is there is not sufficient motivation,” Madnick said. Attacks on physical infrastructure would be tantamount to war, and so far, that is something nation-states have avoided.

Experts, though, vary on the threat level from cyber-physical attacks and how much AI is raising it.

Tim Chase, CISO at data platform Lacework, said that the number of systems utilizing programmable logic controllers (PLCs) is a weak spot in the nation’s infrastructure. 

Chase fears that hackers could use generative AI to help create code for PLCs. Once a bad actor has control of a PLC, they can wreak havoc on industrial systems, with physical consequences. And while industrial controls are tricky to hack, Chase does worry that AI gives the “mid-level hacker” tools to up their game.

“AI can make it easier for someone who lacks the skills and patience to attack industrial control systems themselves,” Chase said.

Many of the industrial and health-care systems in the United States still rely heavily on decades-old legacy systems that have weak protections. AI’s arrival will make it easier to exploit these vulnerabilities. “Anytime you make attacks easier, more will happen,” Chase said.  

Sivan Tehila, program director and professor at Katz School of Science and Health, Yeshiva University, and CEO of cybersecurity management platform Onyxia, also worries about the potential rise of cyber-physical attacks.

“AI-powered cyberattacks can happen very quickly, and they are sophisticated and complex to detect and mitigate,” Tehila said.

But while she views the threat of AI-assisted cyber-physical attacks as growing, she said AI also assists the good guys. “AI plays a crucial role in enhancing cyber defenses, detecting and responding to threats more effectively by analyzing vast amounts of data in real-time and identifying malicious activity,” said Tehila, who also worked in the Israel Defense Forces, specializing in cybersecurity.

Michael Kenney, a University of Pittsburgh professor and director of the university’s Matthew B. Ridgway Center for International Security, said that there are risks for cybercriminals in trying to destroy physical infrastructure. They don’t want to take down vast swaths of the internet because they also rely on it. He said terrorists, in general, are more likely to use tried and true tools that worked in the past, such as weaponry and military hardware.

But Madnick does worry. “When something blows up, it not only destroys that unit but other units nearby, which can be more problematic and hurt people,” he said.
