At the Georgia Institute of Technology, a team of researchers spends its days scouring the internet for vulnerable solar inverters and panels.
These panels tend to be installed by well-meaning homeowners, looking to cut their energy bills and embrace renewables. They’re cheap and easy to buy online, but their security can be wonky: passwords and other authentication settings are often left at the manufacturer default, if they’re used at all.
Saman Zonouz is an associate professor at Georgia Tech’s School of Cybersecurity and Privacy, where he advances a number of projects dedicated to the security of engineered systems. And he told Latitude Media that these precarious assets have become easy targets for cyber attacks.
“Anybody can connect to and control [these panels and inverters] to make the solar panel inject more or less power into the grid, causing malicious incidents,” Zonouz said. “And there are lots of these devices that are exposed. We have found so many vulnerabilities.”
Zonouz’s findings are just one example of the increasing cybersecurity risk threatening utilities and critical infrastructure.
Last month, the North American Electric Reliability Corporation warned that the number of weak spots in electrical networks is increasing by around 60 per day, while cyberattacks against U.S. utilities jumped 70% in 2024 compared to the previous year. Utilities are far more exposed to cybersecurity risk now than they were a decade ago for three main reasons: increased geopolitical tensions, the growing sophistication of attacks, and a wider threat vector through digitization of the grid. As utilities digitalize assets, they are creating millions of new entry points for potential cyberattacks.
Payal Thakkar, industrials and energy cybersecurity leader for EY Americas, told Latitude Media that this is creating an environment where utilities’ resilience is more dependent than ever on cybersecurity.
“We’re all aware of how the weather is impacting utilities and their end customers across the Americas. If we were to draw a parallel, cybersecurity is the next storm, the next big event that could have a massive impact on the utilities’ operations,” she said. But while weather events are mostly localized to cities or regions, cyber-attacks have “no boundaries,” and can spread across a utility’s whole network, she added.
In this context, artificial intelligence presents an opportunity, but also a major threat.
AI as a threat
The most obvious way AI constitutes a cybersecurity threat is when it gets deployed by bad actors like hostile nation-states to multiply the speed and volume of attacks. But the threat can also come from a careless adoption of AI when dealing with something as sensitive as cybersecurity for critical infrastructure.
“AI is known for its unknowns, meaning it’s not explainable, it’s not interpretable, and it sometimes hallucinates,” Zonouz said. “There’s a lot of potential mistakes and disruptions that AI could cause. So unless we can cope with such mistakes that AI makes, bringing AI into the picture is a very risky course of action.”
For instance, relying on AI to automatically block threats when it comes to high-stakes energy assets can have adverse consequences. Let’s say you’re establishing a connection via email or video call with someone at a company you don’t normally interact with. AI may detect the anomaly and automatically block that connection. That’s an inconvenience, but your daily operations wouldn’t be very disrupted. If the blocked connection occurs between the grid and one of its generation assets, however, it would be a whole other matter.
AI as a shield
But this is not to say utilities shouldn’t embrace AI to enhance their cybersecurity. Leo Simonovich, global head of industrial cyber and digital security at Siemens Energy, told Latitude Media that when well-used, AI can be a good defensive shield.
“It’s something that can be used to help defend critical infrastructure, and we’ve been very focused on deploying tools and technologies that help give the defenders the advantage,” he said.
For example, the Georgia Tech researchers scanning the internet for vulnerable distributed energy assets use AI and machine learning to help with the process. The university is also using AI to monitor the security of the energy supply chain, dissecting the controllers in power grids, solar inverters, and nuclear plants to make sure they don’t have malicious software in them.
“Doing it in a traditional way is very hard, because you don’t have the source code for that software, and it’s difficult to get information about those executables and potentially malicious codes,” Zonouz explained. “But using AI, it’s much easier to dissect the software and identify a label.”
And using AI, utilities have the ability to perform better anomaly detection. Siemens Energy, for example, has built a managed service offering for utilities that uses the technology to detect threats faster.
“Risk management is about being able to detect attacks in your environment and understanding the threat landscape, and speed is of the essence,” Simonovich said. “So we’ve powered our monitoring technology with artificial intelligence to detect threats in our customer environments.”
Then, Siemens Energy flags the anomaly to humans, and provides them with context about why it was flagged, how it could impact operations, and recommendations around a proportionate response to the threats — which doesn’t necessarily entail shutting down operations.
Building trust
This context is crucial for building trust in AI as a reliable tool in cybersecurity. That trust will be a prerequisite for utilities to embrace new digital tools and take full advantage of AI’s potential.
So far, though, the trust is still a work in progress.
“Customers remain cautious in deploying emerging technologies like AI, and cybersecurity is a major concern,” Simonovich said. “So what’s important right now is to deploy and mature, so that utilities get a lot more comfortable with these technologies, which requires them to monitor and understand their risk.”
Thakkar agreed, pointing out that utilities tend to be cautious about adopting new technologies.
“With time, people will get more comfortable with the idea of AI and they will have more trust in AI reacting or responding to a threat. But utilities aren’t typically the first adopters of new technologies, and most of them are not there yet,” Thakkar said, adding that companies that rely on intellectual property have been more proactive.
Cybersecurity, though, tends to be developed in reaction to an incident.
“They introduce technology, they wait, and if an attack happens, then they react,” Zonouz said. It was only after the discovery of the malicious computer worm Stuxnet, which targeted Siemens industrial control systems in nuclear enrichment plants, that everyone rushed to protect the controllers, he explained.
However, something is shifting in the industry. It is becoming clear that overcoming challenges like staffing and AI’s malicious potential will require “a village,” according to Simonovich. A collaborative approach would bring together energy players like utilities, hyperscalers, developers, operators, cybersecurity firms, and government entities. Siemens Energy, for example, is participating in a joint industry project led by risk management provider DNV to develop a blueprint for securing offshore wind farms from evolving cyber threats. The project includes various industry players, including Siemens Energy competitors, and the idea is to build something that extends far into the future, despite the constant updates and evolutions of new technologies.
“We believe in something called the evergreen approach to security, which is not just secure by design,” Simonovich said. “It’s about being able to make cyber security user-friendly, making it easier to swap out security components as the threat landscape changes, and working across the project and operational landscape. You need to build in the flexibility to upgrade your security as the infrastructure ages.”


