Researchers Apply AI To Defend Against Stuxnet-Like Cyber Attacks
By late November, the Institute for Cybersecurity and Resilient Infrastructure Studies (ICARIS), a partnership between the Department of Energy’s Pacific Northwest National Laboratory (PNNL) and the Georgia Institute of Technology, is poised to release the results of a five-year study applying artificial intelligence (AI) to protect programmable logic controllers, or industrial computer systems, that are embedded across the country’s critical infrastructure networks.
Programmable logic controllers (PLCs) are essentially specialized industrial computers that read data from sensors and use that data to automate the control of electromechanical processes, such as the control of electrical breakers and gas valves. They are ubiquitous across all sectors of any nation’s critical infrastructure, including banking, communications, transportation and energy.
Cyber attackers have targeted PLCs before, most famously in Stuxnet, which sabotaged the PLCs driving Iran’s uranium enrichment centrifuges. “You’ve heard of PLCs. You just don’t know you’ve heard of PLCs. Stuxnet, the big attack on the Iranian nuclear system back in 2009, was an attack on PLCs,” Jeremy Epstein, an ICARIS co-director with Georgia Tech Research Institute (GTRI), pointed out in an interview with SIGNAL Media. “There have been a lot of others. That’s just the one everybody has heard of.”
Danny Herrera, PNNL’s ICARIS co-director, explained that PLCs can be attacked in two ways. “We have all these systems of systems that are deployed out in the field, and they have these programmable logic controllers. These things are susceptible to either changing the rules of the programmable logic controllers or forcing them to think the inputs they’re receiving are correct, but, in fact, are data poisoned,” he said.
Herrera used two hypothetical scenarios to illustrate PLC attacks. In the first, adversaries rewrite the rules under which the system operates. For example, the PLC logic may be written to accept any setpoint up to five because five is the safety threshold for the gas valve it controls. “If an adversary tricks the PLC to, for example, accept greater than five, then it’ll kind of enter a condition where it’s unstable.”
In the second scenario, the attacker could poison the data feeding into the PLC to make it think an unsafe environment is actually safe. “If the sensor that’s surveying the environment is thinking that the conditions are OK, but they’re actually not OK, then that’s a way to trip up a programmable logic controller to enter an unsteady state. If we protect those PLCs, then we can [protect] many different types of infrastructures,” he said.
The team’s AI tooling translates each PLC’s specification into temporal logic rules automatically, so the rules can be regenerated as configurations and threats change rather than hand-written for every controller. “That reduces the burden of the human operator to make these abstractions on each PLC. The goal is for AI to do that at speed and at scale, so then we can go after systems of systems,” Herrera stated.
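To make the two attack scenarios and the temporal-logic idea concrete, here is a small added example in Python. It is not ICARIS, PNNL or GTRI code and does not reproduce their AI translation step; it hand-compiles a specification for a hypothetical gas-valve PLC into three rules of the kind the article describes and checks constructed scan-cycle traces against them. The valve threshold of five comes from the article; the trip limit, the bounded close-time rule, the pressure/flow model used for the plausibility check, and every trace value are assumptions made for illustration.

```python
"""Added example (not ICARIS/PNNL/GTRI code): compile a PLC safety spec into
temporal-logic style rules and check scan-cycle traces against them.

Assumptions: a hypothetical gas-valve PLC; valve_cmd must never exceed the
safety threshold (5, from the article); two further rules of the same kind
are assumed (bounded trip response, cross-sensor plausibility); all traces
below are constructed, not captured from real equipment.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Cycle = Dict[str, float]  # one PLC scan: valve_cmd, flow (independent sensor), pressure


@dataclass
class Spec:
    valve_max: float          # safety threshold on the commanded valve position
    trip_pressure: float      # assumed: pressure above which the valve must be driven closed
    close_within: int         # assumed: scan cycles allowed to close after a trip
    pressure_per_flow: float  # assumed physical model: pressure ~ k * flow
    tolerance: float          # allowed gap between reported and modelled pressure


@dataclass
class Rule:
    name: str
    formula: str  # G = globally (every cycle), F<=k = eventually within k cycles
    check: Callable[[List[Cycle], int], Optional[str]]  # violation text or None


def compile_spec(spec: Spec) -> List[Rule]:
    """Turn the spec into rules; in the article this step is what the AI automates."""

    def valve_bound(trace: List[Cycle], i: int) -> Optional[str]:
        # Scenario 1 (tampered logic): the PLC accepted a command above the threshold.
        v = trace[i]["valve_cmd"]
        return f"cycle {i}: valve_cmd {v} > {spec.valve_max}" if v > spec.valve_max else None

    def trip_response(trace: List[Cycle], i: int) -> Optional[str]:
        # Bounded response: a trip must be followed by valve_cmd == 0 within k cycles.
        if trace[i]["pressure"] <= spec.trip_pressure:
            return None
        window = trace[i : i + spec.close_within + 1]
        if len(window) <= spec.close_within:
            return None  # deadline lies past the end of the trace: undecided, not a violation
        if any(c["valve_cmd"] == 0 for c in window):
            return None
        return f"cycle {i}: trip at pressure {trace[i]['pressure']} not closed within {spec.close_within} cycles"

    def sensor_plausibility(trace: List[Cycle], i: int) -> Optional[str]:
        # Scenario 2 (poisoned input): reported pressure must agree with an independent sensor.
        expected = spec.pressure_per_flow * trace[i]["flow"]
        if abs(trace[i]["pressure"] - expected) > spec.tolerance:
            return f"cycle {i}: pressure {trace[i]['pressure']} reported but flow implies ~{expected}"
        return None

    return [
        Rule("valve_bound", f"G(valve_cmd <= {spec.valve_max})", valve_bound),
        Rule("trip_response",
             f"G(pressure > {spec.trip_pressure} -> F<={spec.close_within}(valve_cmd == 0))",
             trip_response),
        Rule("sensor_plausibility",
             f"G(|pressure - {spec.pressure_per_flow}*flow| <= {spec.tolerance})",
             sensor_plausibility),
    ]


def monitor(trace: List[Cycle], rules: List[Rule]) -> List[Tuple[str, int, str]]:
    """Evaluate every rule at every scan cycle; return (rule, cycle, message) triples."""
    out = []
    for i in range(len(trace)):
        for rule in rules:
            msg = rule.check(trace, i)
            if msg is not None:
                out.append((rule.name, i, msg))
    return out


def violations_by_rule(trace: List[Cycle], rules: List[Rule]) -> Dict[str, int]:
    """Count violations per rule (rules with no violations are omitted)."""
    return dict(Counter(name for name, _, _ in monitor(trace, rules)))


SPEC = Spec(valve_max=5, trip_pressure=80, close_within=2, pressure_per_flow=20, tolerance=5)
RULES = compile_spec(SPEC)


def cycle(valve_cmd: float, flow: float, pressure: float) -> Cycle:
    return {"valve_cmd": valve_cmd, "flow": flow, "pressure": pressure}


# Constructed traces (not real data); pressure == 20 * flow when the sensors are honest.
NORMAL_TRACE = [cycle(3, 2.0, 40), cycle(4, 2.5, 50), cycle(4, 2.6, 52), cycle(0, 0.0, 0)]
# Scenario 1: the logic now accepts commands above 5 and the valve never closes after the trip.
TAMPERED_TRACE = [cycle(4, 2.5, 50), cycle(6, 3.5, 70), cycle(7, 4.5, 90), cycle(7, 4.5, 90), cycle(7, 4.5, 90)]
# Scenario 2: the pressure feed is frozen at a "safe" 40 while the flow sensor shows the line overloaded.
POISONED_TRACE = [cycle(3, 2.0, 40), cycle(5, 4.5, 40), cycle(5, 4.5, 40)]

if __name__ == "__main__":
    for label, trace in [("normal", NORMAL_TRACE), ("tampered", TAMPERED_TRACE), ("poisoned", POISONED_TRACE)]:
        print(label, violations_by_rule(trace, RULES))
        for name, i, msg in monitor(trace, RULES):
            print(f"  [{name}] {msg}")
```

Two points worth noticing when running it. In the poisoned trace the trip rule never fires, because the PLC only ever sees the spoofed "safe" pressure; it is the cross-sensor plausibility rule, which compares the reported value against an independent measurement, that exposes the lie. And the bounded-response rule deliberately reports nothing when a trip's deadline falls beyond the end of the trace: on a finite trace that case is undecided, and treating it as a violation would produce false alarms at every monitoring window boundary.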
The research tackles a problem industry is unlikely to explore due to a lack of profit potential. “In this case, the role of a national lab and an FFRDC [federally funded research and development center] is that we take all that expertise that industry has developed in AI and figure out a way to apply it to nontraditional cases that we still need,” Herrera said. “For example, how can you get AI to abstract the rules of a PLC in a way that it could feed into a system so you can see how it behaves?”
Epstein noted that the research actually started two years before ICARIS launched in 2022. “This is an example of an existing GTRI-PNNL collaboration that we’re going to be building on. This is a great example of how we’ve collaborated in the past, and how we plan to collaborate in the future and have other great results for the country.”
Industry owns the vast majority of U.S. critical infrastructure and will need to build on the research and deploy the solution. “We brought our AI capability to bear. GTRI brought their embedded system security capabilities to bear. And now we have the beginnings of this research that could protect these systems of systems down to the nodes that are embedded through infrastructure,” Herrera said. “Several reports will be the outcome of this, and some code for partners to pick up and run with. We have engagements with industry like Southern Company to see if this is something they would be interested in taking to the next step.”
The Southern Company test bed that represents realistic cyber environments could be instrumental in advancing the research, the ICARIS leaders indicate. “We have a lot of wicked smart researchers, but we need partners to take our research in the lab and go that next step. We would like to take the research that we did in the lab with GTRI, apply it to the test bed and have the actual users help us define [whether] the research we’re doing makes sense for the end deployment,” Herrera said.
“One of the things that we see is that we can do all of this research in the lab or at GTRI to protect the grid, but if it doesn’t make business sense, we’re going to have a very hard time deploying that capability, and the people who know that are industry, Southern Company, for example,” he added.
Herrera suggested that the Department of Defense, which owns many systems of systems and relies on much of the industry-owned infrastructure, could also potentially continue developing the research. “You have these bases, you have these Department of Defense missions that are tied to local infrastructure. If the adversaries go after the infrastructure, they could degrade a Department of Defense facility from executing its mission. So, as we look forward to what’s next, we’re looking at what we can do for the Department of Defense.”
In fact, he added, the team has two upcoming collaborations with the Defense Department focused on electronic warfare, a GTRI specialty, and on communications, a PNNL area of expertise. “The details would be classified, but we’re bridging these two capabilities together to field something that is best-of-kind for the war-fighter,” Herrera reported.
AI also may have a role to play in securing the nation’s nuclear capabilities. According to Herrera, Department of Energy Secretary Chris Wright is seeking opportunities to partner with industry for nuclear energy and secure small, modular nuclear reactors and micronuclear reactors, both of which will “have connected devices on them.”
“Can we bring AI to bear to either streamline or to find areas where you can mitigate risk? These are open questions we have. Could AI be brought to bear to figure out how we could do environmental modeling faster, how we could find locations to site these reactors? We’re just beginning to explore these concepts and figuring out how we can support the secretary’s vision for nuclear energy,” he added.
ICARIS can have about 10 research projects at a time. The PLC research falls under the Resilience Through Data-Driven, Intelligently Designed Control Initiative, which has led to other successes.
The Grid Layout Interface for Model Preview and System Exploration (GLIMPSE), for example, is “a graph-based visualization capability for designers, developers, and policymakers to get insight into the topology and measurements of a power grid network,” according to a PNNL document. “It is an intuitive and interactive application deployed across operating systems to support search, highlight, and navigate power grid objects, such as generators, inverter-based systems, loads, and feeder models,” the document adds.
Another project, the Physically Aware Cyber Platform, provides application programming interfaces for electrical applications to exchange data with user-defined quality of service parameters while actively monitoring, detecting and mitigating attacks at cyber layers, according to a separate PNNL fact sheet. It uses machine learning to identify threats like distributed denial of service, command injection and false data injection attacks, assessing the type and confidence level of each.
A reinforcement learning-based mitigation agent dynamically blocks malicious traffic or reroutes it through secure paths to minimize attack impacts, and the platform alerts connected applications to detected threats, aiding in applying resilient control strategies and enhanced system protection.
The ICARIS mission is to deliver the technologies, test beds and talent to secure the critical infrastructure. According to the ICARIS website, it combines PNNL’s strengths in advanced computing and data science, grid controls, secure architectures and critical infrastructure security with Georgia Tech’s strengths in cybersecurity for embedded systems, distributed energy systems and workforce development.