This audio is automatically generated. Please let us know if you have any comments.
Lalitha Krishnamoorthy is vice president of AI and digital at global engineering, architecture and environmental consultancy Stantec, based in Edmonton, Canada. The opinions are the author’s own.
America’s civilian infrastructure is at a critical juncture. While the rise of artificial intelligence has introduced new challenges, it also brings powerful tools and new opportunities to strengthen our systems. Recent increases in cyberattacks have highlighted vulnerabilities, but also encouraged leaders to innovate and adapt so our infrastructure remains robust and secure. AI attacks have made absolute protection impossible, so internal digital policies and governance are even more critical to minimizing system vulnerabilities.
Lalitha Krishnamoorthy
Courtesy of Stantec
America’s utility owners have long recognized the challenges of maintaining and modernizing the nation’s civil infrastructure systems. The highly exposed nature of power grids, water treatment facilities and gas lines make them prime targets for attacks. Over the past decade, there have been hundreds of reported incidents of cybercriminals and foreign actors hacking into some of America’s most vital infrastructure systems to wreak havoc and cause potential harm. Through August 2024, cyberattacks on US utilities it was up nearly 70% year over year.
AI has only proliferated more since then.
The advent of widespread and commercially available AI has created a whole new headache for utility operators as it dramatically reduces the technical knowledge required to mount an attack. At the same time, utility operators now have access to advanced technologies that can detect and defend against threats more effectively than ever before. So, on the one hand, hackers no longer need in-depth knowledge: just a ChatGPT subscription and a Wi-Fi connection. On the other hand, it is now possible for teams to respond quickly and intelligently to emerging risks due to AI-assisted programs that democratize security.
Updating legacy systems
Even the best protections and the most advanced security systems can no longer defend against the scale of attack that AI enables. Deepfakes have proven quite capable of bypassing the knowledge-based authentication systems that banks and government agencies rely on, and the global financial sector reports a 393% increase in deepfake phishing attacks in one year. If this is their effort against top-tier security systems, imagine the vulnerability of legacy systems used more frequently by civilian infrastructure.
This change means that safety teams must move from trying to eliminate all sparks to making sure that if something does catch fire, its impact is contained and recovery is quick.
Part of this is done through the use of properly installed firewalls and security systems. When bad actors inevitably gain access to a system, these walls can close off their entry point. Just because a system is exposed doesn’t mean the entire network of systems has to go down.
Ironically, identifying a breach is where AI can help companies defend themselves. AI trained on the right usage data can leverage pattern recognition skills to detect anomalies and early warning signs of an attack. Strange or unusual user behavior, such as a user trying to access higher security information or making unusual changes to a system, can alert IT teams or automatically isolate the affected area until security teams can assess the threat.
It’s a time-consuming, but worthwhile, security upgrade that civil infrastructure teams can do. In the age of sensors and IoT systems, the digital footprint of infrastructure has expanded enormously, and with each expansion comes an increase in vulnerability. Having the ability to isolate each component is like having a gate valve on a leaky pipe; Water can be shut off in the affected pipe before flooding causes further damage.
The governance of AI and the role of employees
Even before an attack, improved governance and more diligent digital policies can limit the risk an organization faces. As much as limiting companies’ exposure means creating internal firewalls and emergency shutdowns, it also means training and improving their workforce on data hygiene and the use of AI, including rapid engineering, detection of AI-generated phishing attempts, and safe model deployment practices.
Having a workforce that understands what AI is (and isn’t) is vital to using AI correctly and safely. Adoption of frameworks such as NIST AI Risk Management Framework and conducting regular audits supports compliance and creates a culture of trust.
One of the most prominent threats facing organizations as a result of AI is not a traditional attack per se, but an accidental data breach, caused by lax policies and employee awareness. An analysis by the House Homeland Security Committee estimated that 1 in 10 intrusions the US faced in 2023 were due to improper access to credentials rather than any complex hack.
AI creates an even greater potential for this type of opportunistic breach as workers use large language models for their daily tasks. Without clear policies governing the use of AI, the risk of sensitive data being shared with a third-party source is significant. Workers may have little understanding of what happens to this data and how it could be used in the future to make the system more vulnerable. All it takes is for the wrong data to get stuck in a large language processor for highly sensitive information to be exposed.
Organizations must focus on reducing damage and recovering faster when attacks occur. Figuring out how to integrate technologies such as voice recognition, deep counterfeit detection, and biometric recognition will be an essential part of creating more secure infrastructure systems. Incorporating robust testing, continuous monitoring, and clear guidelines for responsible use will help these technologies improve security rather than introduce new vulnerabilities.
It’s not that AI shouldn’t be used in civilian infrastructure. But understanding the risks to data privacy and the new vulnerabilities created by new technology systems is critical to understanding risk. As important as updating legacy systems to modern standards is, minimizing the impact of human error when interacting with AI is equally vital.
The path forward is clear: When we embrace innovation, invest in people, and foster a culture of proactive government, America’s infrastructure can not only withstand today’s threats, but thrive with tomorrow’s opportunities.
