This article was originally published in the June 2023 IAEA Bulletin titled Computer Security in a Nuclear World. The only modification has been to replace the cover image.
Artificial intelligence (AI) and machine learning technologies could potentially revolutionize the world, ushering in unprecedented progress and innovation by transforming how we create, consume and use information. As AI technologies become increasingly sophisticated, they will transform industries, streamline processes and may even impact how we live our lives. The nuclear sector is no exception, and the benefits of AI can be expected in many processes and operations in nuclear and radiological facilities.
At the same time, AI’s rapid advancement also brings with it a multitude of risks. Malicious actors may use AI to launch more advanced and targeted attacks or exploit it to compromise the integrity of networks, systems and sensitive information in nuclear and radiological facilities.
Benefits for information and computer security
The IAEA is preparing for the transformations brought about by AI by fostering international cooperation in the area to ensure all countries can benefit from the opportunities while also preparing to mitigate the risks. Through mechanisms such as Technical Meetings and coordinated research projects (CRPs), the IAEA is supporting the development, awareness and application of AI techniques, as well as countermeasures and defence against malicious actors.
Perhaps the most significant advantage of AI in information and computer security is the reduced reliance on human analysis and intervention. AI-enabled systems can operate 24/7 to monitor networks and systems for threats. Automating these tasks gives nuclear security professionals the time to focus on more strategic tasks and respond more efficiently to incidents when they occur.
“The adaptive learning capabilities of AI can be harnessed to enhance information and computer security by swiftly identifying threats and automatically providing human experts with the information they need to coordinate response activities,” said Fan Zhang, an assistant professor at the Georgia Institute of Technology in the United States of America, who participated in a CRP to support research in strengthening computer security. “It will not replace the workforce, but rather establish resources and insights that will make early detection and response in computer security realistically achievable.”
By leveraging advanced machine learning algorithms, AI may also help nuclear and radiological facilities sharpen their defences against cyberattacks by identifying anomalous data in computer systems. AI-supported security systems can continuously monitor and analyse vast amounts of data to determine if any activity is anomalous to the facility’s normal operation. Cyberattacks may feed fake data to maliciously mislead the operators of nuclear facilities. In this case, AI-supported systems can be harnessed to alert those running a nuclear power plant to even the slightest variation from normal operations. By offering heightened situational awareness, AI also allows for the early detection of criminal actions and prompts the necessary incident response.
Challenges to be addressed
The benefits offered by AI in nuclear and radiological facilities depend greatly on how the AI system has been trained. AI is only as intelligent as the training data it is working with, and it can be manipulated into giving false readings and results if it does not have the correct inputs. This remains a significant barrier to its use for nuclear security. Even with the recent advancements in AI technology, using it as a replacement for a human is not feasible. Physical protection, material accounting and control and direct measurements — essential activities for ensuring nuclear security — require human input.
An additional challenge of AI for nuclear security is understanding how and why an AI model has made a particular decision or prediction. “Transparency and explainability — where humans can understand the reasoning behind decisions or predictions made by the AI — are among the most significant problems with AI models. It is often challenging to understand how these models arrive at their conclusions, making it difficult to trust and ensure the integrity of their output,” said Scott Purvis, Head of the Information Management Section in the IAEA’s Division of Nuclear Security. “This becomes particularly problematic when these models replace sensors providing direct measurements and human experience gained with the unique characteristics of each facility. It becomes impractical to place any assurance in the system’s integrity unless there is a prior comprehensive advanced understanding of the AI algorithms to recognize how and why decisions are made.”
The IAEA’s guidance on computer security for nuclear security includes best practices on human checks and balances to guide facilities’ awareness of which processes can be automated by AI and which should continue to have human oversight, at least until the risks of this rapidly developing technology are known. It also provides an essential resource that can enable countries to put important computer security measures in place to detect, prevent and respond to cyberattacks.
Additionally, a CRP was developed by the IAEA to support research in strengthening computer security. Entitled “Enhancing Computer Security Incident Analysis at Nuclear Facilities”, the CRP brought together representatives of 13 countries to work on improving computer security capabilities, including AI techniques, at nuclear facilities to detect anomalies indicating targeted cyberattacks.
The race to adopt AI technologies
AI has shown its potential to benefit people who use nuclear technology for peaceful ends. As its use to enhance processes and operations in nuclear and radiological facilities expands, so too must the awareness of the risks associated with its broader adoption. Organizations must maintain a robust computer security programme to assure nuclear security while benefiting from AI.
Doing so requires a fundamental paradigm shift in how trust and sensitivity are viewed. Every potential point of failure in a system must be considered, even those unrelated to its design. Malicious actors can leverage AI to create more sophisticated malware, automate cyberattacks, exploit biases and vulnerabilities within the models, or bypass security measures by mimicking legitimate user behaviour. This ‘arms race’ between defenders and attackers will require constant innovation and adaptation.
Greater use of AI technology to enhance computer security measures at nuclear facilities could offer significant benefits, including enhanced threat detection, proactive security measures, reduced reliance on human intervention and improved incident response. By embracing the benefits of AI while addressing its risks, organizations can significantly enhance their computer security in the face of evolving cyberthreats.