DOD learned it shouldn’t always trust AI after hacking microgrids at DEF CON

Pentagon officials focusing on building confidence in artificial intelligence learned a lot at the annual DEF CON cybersecurity and hacking conference in August.

Defense Department personnel left the conference in Las Vegas with informative lessons about securely operationalizing the technology in a specific use case and recruiting tech-savvy personnel as the labor landscape evolves, DOD’s Digital Services Director Katie Savage said Thursday at the Fortinet Security Transformation Summit hosted by FedScoop.

“As we’ve seen in the news, industrial control systems are vulnerable to a wide range of attacks because they’re so dependent on technology. And more specifically, microgrids rely on weather data,” Savage explained. 

DOD has big plans to deploy local, self-contained electric grids — or microgrids — to 134 military installations, starting in May. 

The Army “in particular has really taken the lead on this,” Savage noted. Right now, members of the service are building microgrids that will be tested for vulnerabilities before putting them into use. Officials involved in that work opted to leverage the DEF CON conference as an opportunity to help puzzle out how to deal with specific industry and ICS threats and vulnerabilities. 

“So what we’ve learned in working with the DEF CON community is that the data underlying microgrids can actually be manipulated by false weather data,” Savage explained.

Weather information marks one of the largest data inputs that influence how those mini-grids work. The most modern partial microgrids depend on a management system that will implement a simple AI for controlling the behavior and the grid, according to Savage. Typically, such a system will usually take in weather data as a means of optimizing the performance of the microgrid throughout the day or the week. 

“So, this is a system that we had people attack at DEF CON,” Savage said. To do so, hackers injected what she referred to as “sort of impossible” weather conditions. “Imagine the weather in Alaska being injected into a microgrid in Texas,” she said. 

From that practice at the conference, Pentagon officials recognized that hackers were able to manipulate the microgrids by manipulating the weather data — which suggested that they should not trust the underlying AI capabilities that were part of the microgrid system. 

So, an important component of deploying associated microgrid technologies “is not just ensuring that the data is accessible, and that it’s clean, and that we can feel confident about where’s it’s being stored — but to the extent that we’re starting to bring AI and ML capabilities to it, we also need to feel confident from a cybersecurity perspective, that the data hasn’t been tampered with,” Savage said.

Throughout her public service, Savage has also advocated for innovation in how the DOD recruits and maintains talent. 

Coming out of the COVID-19 shutdown, many employees now seem more mission-oriented, she noted, and aim to gain more job security. To her, this means it is an excellent time to be thinking about how the Pentagon can accelerate the growth of its cybersecurity talent. 

“Again, I mean, this is something we saw at DEF CON. Maybe it’s not the conventional hackers and mentees that we would be thinking about bringing into government, but they’re the people who’ve helped us expose this wider path that we saw. So, now it’s time to be really creative about who and where we recruit from, because we absolutely need to be more thoughtful and more intentional about the cyber workforce that we’re bringing into the DOD,” she said.