Analysis of potential cybersecurity risks associated with the use of AI in the future model of the Swiss electricity ecosystem
The expected increase in the use of artificial intelligence (AI) in critical infrastructure poses new challenges for Switzerland's cybersecurity and digital sovereignty.
The National Test Institute for Cybersecurity NTC has therefore conducted a risk assessment of the AI-supported expansion of the Swiss electricity ecosystem to identify potential threats at an early stage and to derive recommendations.
As part of the analysis, the following eight risks for a possible future model of the Swiss electricity ecosystem were identified and discussed with cyber, digitalization and AI experts.
1. Increased attack surface of commercial end-customer products
2. Cascading effects due to high complexity
3. Unintentional AI errors
4. Vendor dependencies
5. Leakage and misuse of sensitive data
6. Interruptions in data transmission
7. Backdoors and targeted manipulation
8. Intentional manipulation of the data basis
During the discussions, the experts clearly emphasized the importance of analyzing the changing electricity ecosystem – whether due to increasing digitalization, networking or the use of AI. There was consensus among the experts regarding the relevance and urgency of the eight risks identified. They confirmed that these are serious risks that need to be considered. Accordingly, many risks were rated as “high” or “very high”. The results underline the need for the NTC to address the challenges posed by AI intensively and proactively.
Commercial end-customer products, which are integrated in very large numbers into the communication network of the electricity system, were considered by the experts to be at the highest risk. Commercial end-customer products are products intended for direct sale to consumers (end customers). These products are developed and marketed for personal or domestic use, as opposed to products intended for business or industrial use. Commercial end-customer products include devices such as smart home appliances that are connected to the internet. These could be washing machines, dryers or solar power inverters. Vulnerabilities due to insufficient cybersecurity and lack of security updates could be exploited to destabilize the power grid, feed in false information or generate destructive patterns of consumption and production.
This risk is increased by the use of AI. On the one hand, there is a dependency on the few providers or vendors of AI models, which could intentionally or unintentionally generate destructive consumption or production patterns. On the other hand, complexity is increasing, making it increasingly difficult for humans to fully understand the interactions between different networked components in order to anticipate and prevent incidents.
In the risk assessment, 11 out of 12 experts assigned one of the two highest probabilities (“likely” to “very likely”) and rated the impact as “significant” to “critical”. The experts agreed that because of the time pressure to introduce these devices to market quickly, they are often not adequately tested for cybersecurity.
Recommendations
The cybersecurity risks posed by AI need to be addressed with the necessary awareness and regulation, the necessary resources, and repeated cybersecurity testing: