May 30, 2024 By Jonathan Reed 3 min read

Last year, Executive Order 14110 (Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence) stated that “Artificial intelligence (AI) holds extraordinary potential for both promise and peril.” In response to this reality, the United States Department of Homeland Security (DHS) recently released guidelines to help critical infrastructure owners and operators develop AI security and safety.

The DHS guidelines stem from insights gained from CISA’s cross-sector analysis of AI risk assessments completed by Sector Risk Management Agencies (SRMAs) and relevant independent regulatory agencies. DHS drew upon this analysis, as well as input from existing U.S. government policy, to develop specific safety and security guidelines to mitigate AI risks to critical infrastructure.

“Based on CISA’s expertise as National Coordinator for critical infrastructure security and resilience, DHS’ Guidelines are the agency’s first-of-its-kind cross-sector analysis of AI-specific risks to critical infrastructure sectors and will serve as a key tool to help owners and operators mitigate AI risk,” said CISA Director Jen Easterly in a statement.

Cross-sector AI security threats

The guidelines in the DHS document highlight three categories of system-level AI risk, which CISA developed in its cross-sector AI risk analysis. The categories include:

  1. Attacks using AI: Refers to the use of AI to automate, enhance, plan or scale physical or cyberattacks against critical infrastructure. Common attack vectors include AI-enabled cyber compromises, automated physical attacks and AI-enabled social engineering.
  2. Attacks targeting AI systems: Focuses on attacks that target AI systems supporting critical infrastructure. Common attack vectors include adversarial manipulation of AI algorithms, evasion attacks and interruption of service attacks.
  3. Failures in AI design and implementation: Refers to problems in the planning, structure, implementation, execution or maintenance of an AI tool or system. This can lead to malfunctions or other unintended consequences that affect critical infrastructure operations. Common failures include autonomy, brittleness and inscrutability.
Learn more on AI cybersecurity

The DHS guidelines’ four core functions

The new DHS guidelines also incorporate the NIST AI Risk Management Framework (AI RMF), including four key functions that help organizations address the risks of AI systems:

  • Govern: This function supports setting up policies, processes and procedures to anticipate, identify and manage the benefits and risks of AI during the entire AI lifecycle. It follows a “secure by design” philosophy, prioritizing safety and security when building organizational structures.
  • Map: This establishes a foundational context to evaluate and mitigate AI risks. This includes an inventory of all current or proposed AI use cases. Mapping begins with documenting context-specific and sector-specific AI risks, including attacks using AI, attacks on AI and AI design and implementation failures.
  • Measure: Refers to repeatable methods and metrics for measuring and monitoring AI risks and impacts. Critical infrastructure can develop its own context-specific testing, evaluation, verification and validation (TEVV) processes to inform usage and AI risk management decisions. Measuring should include continuous testing of AI systems for errors or vulnerabilities, including both cybersecurity and compliance vulnerabilities.
  • Manage: Defines risk management controls and best practices to increase the benefits of AI systems while decreasing the likelihood of harm. This mandates regularly allocating resources and applying mitigations, as outlined by governing processes, to mapped and measured AI risks.

Strengthening AI cybersecurity

In a flurry of activity to establish national AI cybersecurity solutions, the new DHS AI guidelines coincide with CISA being named the National Coordinator for Critical Infrastructure Security and Resilience.

Furthermore, the DHS has recently named a new Artificial Intelligence Safety and Security Board. The Board will develop AI security recommendations for critical infrastructure organizations such as transportation, pipeline and power grid operators and internet service providers. Meanwhile, the NIST GenAI program aims to create generative AI benchmarks to address the sticky issue of whether content is human- or AI-generated.

All these efforts are crucial as the nation fortifies its cyber defenses in the age of AI.

More from News

Hackers are increasingly targeting auto dealers

3 min read - Update as of July 11, 2024 In late June, more than 15,000 car dealerships across North America were affected by a cyberattack on CDK Global, which provides software to car dealers. After two cyberattacks over two days, CDK shut down all systems, which caused delays for car buyers and disruptions for the dealerships. Many dealerships went back to manual processes, including handwriting up orders, so that sales could continue at a slower pace. Car buyers who recently bought a car from…

CISA director says banning ransomware payments is off the table

3 min read - The FBI, CISA and NSA all strongly advise against organizations making ransomware payments if they fall victim to ransomware attacks. If so, why not place a ban on paying ransomware demands? The topic came up at a recent Oxford Cyber Forum. Jen Easterly, Director of CISA, commented on the issue, saying, “I think within our system in the U.S. — just from a practical perspective — I don’t see it happening.” It’s unlikely this was a purely spontaneous remark as the…

A proactive cybersecurity policy is not just smart — it’s essential

3 min read - It’s easy to focus on the “after” when it comes to cybersecurity: How to stop an attack after it begins and how to recover when it's over. But while a reactive response sort of worked in the past, it simply is not good enough in today’s world. Not only are attacks more intense and more damaging than ever before, but cyber criminals also use so many different attack methods. Zscaler ThreatLabz 2024 Phishing Report found that phishing attacks increased by…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today