
CISA Releases New AI Security Guidelines for Critical Infrastructure Amid Growing Cybersecurity Concerns

The Cybersecurity and Infrastructure Security Agency (CISA) unveiled new safety and security guidelines on Monday aimed at bolstering the defenses of the nation’s critical infrastructure against the risks posed by artificial intelligence (AI). This development follows closely on the heels of the Department of Homeland Security (DHS) announcing the formation of a dedicated safety and security board to address similar issues, reflecting a heightened federal focus on the intersection of AI and critical infrastructure security.

CISA’s newly issued guidelines fulfill obligations set forth by the Biden administration’s recent executive order on artificial intelligence. They provide a comprehensive blueprint for critical infrastructure sectors—which include industries as diverse as farming and information technology—to navigate the dual realities of AI as a potent operational tool and a potential cybersecurity threat. “Based on CISA’s expertise as National Coordinator for critical infrastructure security and resilience, DHS’ Guidelines are the agency’s first-of-its-kind cross-sector analysis of AI-specific risks to critical infrastructure sectors and will serve as a key tool to help owners and operators mitigate AI risk,” stated CISA Director Jen Easterly.

The guidelines advocate for rigorous governance of AI technologies, encouraging operators to understand vendor dependencies and inventory AI use cases meticulously. They also call for the creation of robust procedures for reporting AI security risks and emphasize the importance of continuous vulnerability testing of AI systems. This approach aligns with the National Institute of Standards and Technology’s AI risk management framework, integrating advanced strategies to safeguard critical infrastructures.

Homeland Security Secretary Alejandro Mayorkas highlighted the dual nature of AI technologies, noting, “AI can present transformative solutions for U.S. critical infrastructure, and it also carries the risk of making those systems vulnerable in new ways to critical failures, physical attacks, and cyber attacks. Our Department is taking steps to identify and mitigate those threats.”

The significance of these guidelines was further underscored by Jason Keirstead, VP of Collective Threat Defense at Cyware, who applauded CISA’s proactive stance. “I am pleased that CISA is highlighting the challenges AI presents for securing critical infrastructure. These guidelines underscore the need for robust AI system governance, urging infrastructure owners to adopt a structured framework for AI risk management,” Keirstead said. He also emphasized the importance of leveraging AI to enhance defense mechanisms, adding, “Simultaneously, CISA should work to highlight the opportunities that AI brings to assist in the defense of critical infrastructure, when leveraged effectively and with the goal of helping to break data silos in order to uncover hidden threats.”

As DHS continues to expand its focus on AI with initiatives like the AI Corps and collaborations with tech industry leaders, the new guidelines represent a critical step forward in addressing the complexities introduced by AI technologies in critical infrastructure settings, striving for a balance between innovation and security.
