Why Edge AI Deployments Need Extra Security

Large-scale industrial control systems are moving from centralized control to edge-based computing. At the same time, artificial intelligence (AI) and machine learning are providing control approaches that promise greater efficiency and precision. Together, these two trends give rise to edge AI, which requires some additional security measures.

Factory and process automation began with sensors and control systems connecting to a central computing server that processed the data and issued control commands based on carefully developed algorithms. As the bandwidth requirements for these connections rose and compute power became less expensive, the sensing and control tasks began migrating toward the points of application — i.e., the system’s “edges.” 

Meanwhile, AI technology began replacing traditional control algorithms with algorithms derived via machine learning. At first, only the central server had the processing power to implement AI. However, enabling technologies such as 5G networking, specialty AI processors, and lightweight AI models have also allowed AI to move to the edge.

Security for the Edge

Two distinct architectures for edge AI have arisen. In one approach, each node is independent in its AI behavior, providing purely local control. The node may report information to a central server but does not receive instruction from that server. The second approach, called federated machine learning, calls for the node AI elements to collaborate with one another. Each node trains on its own local data and sends the resulting model updates (not the raw data) to the central server, which aggregates them into a shared model and pushes modified models and goals back to each node for greater overall system efficiency.

Industrial users considering a shift to edge AI for their factory and process control will likely understand the benefits of such a move. What might not be so well known, however, are the security vulnerabilities that arise from the use of edge computing in general, let alone edge AI. 

Security for traditional, centralized control architecture is well established. The software can be protected against alteration both by implementing trusted computing techniques and by restricting physical and digital access to the central processor. Edge computing, however, reduces the ability to restrict physical access and increases system exposure to digital access via the system's communications infrastructure. This exposure requires the use of trusted computing techniques such as secure boot at all edge nodes, and encrypted, mutually authenticated communications throughout the network, so that a node accepts commands and updates only from the server it expects, and the server accepts data only from nodes it can identify.

When edge computing evolves to become edge AI, these security concerns remain. The traffic between the edge nodes and the central server may be far less than with the centralized approach, but it still needs authenticated encryption: encryption alone keeps the data confidential, while the authentication tag is what protects its integrity and keeps an attacker on the network from impersonating the server to a node. Similarly, a federated machine learning approach requires that nodes verify the signature and version of every software update and every model update pushed from the server, just as ordinary edge computing requires for its software updates.

But AI has some unique needs that ordinary computing doesn’t. These needs arise from the hidden and fluid nature of algorithms derived via machine learning. A key need is that the input data itself must also be protected. 

Protect Sensors, Too

With AI, as with all computing, poor data yields poor results. But the mapping between data and results is not particularly visible. When machine learning systems are developing their algorithms — a process called training — there is little to no prior knowledge of how the resulting algorithm should work. The system simply receives sample data and is told the desired outcome, then develops its own approach to producing that outcome. Additionally, many machine learning systems are configured to continually refine their algorithms while operating in the field. This continual learning can yield continual process improvement, which is a major benefit of AI in process control, but it further obscures the derived control algorithm.

This learning approach also opens a new vulnerability, known as data poisoning. An attacker does not need to access the processor or its software in order to cause misbehavior. All they need do is alter the data that the AI is training on — for example, by spoofing sensor readings on the network or tampering with a sensor itself. Because the algorithm is learned rather than formulated, it can be very difficult to trace system misbehavior back to the poisoned input.

The problem is compounded with federated machine learning. A model update derived from false sensor data at one node is folded into the aggregated model and pushed back to every node, so a single compromised sensor can contaminate the algorithms that all node AIs develop. And backtracking becomes even more complicated, because the corrupting update no longer lives only on the node where it originated.

Research is underway to address such concerns. Specifically, researchers are investigating aggregation methods that tolerate a minority of faulty or malicious nodes, as well as techniques for validating training data before it is used. In the meantime, edge AI users must ensure that both the software and the data they are working with are protected against attack: authenticate and integrity-protect sensor data on its way to the model, and screen node updates for outliers before accepting them into the shared model.
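As an added illustration of the two preceding paragraphs (this is example code written for this page, not code from the original article or from CoastIPC), the following Python simulates a five-node federated deployment in which one node's sensor stream has been forged. Each node fits a tiny linear model to its local readings and reports only the fitted parameters, as federated learning does. Plain federated averaging is then contrasted with a coordinate-wise median, one of the robust aggregation techniques studied for untrustworthy devices, and a simple outlier screen points back at the node whose update does not fit. The sensor data, the linear model, the poisoned line, and every node and function name are constructed for the example.

```python
"""Federated averaging with one poisoned node, then a robust aggregator.

Added illustration for this page, not CoastIPC code. Each node fits
reading = slope * x + intercept to its local sensor data by ordinary least
squares and sends only (slope, intercept) to the server. Node 4's sensor
stream is forged (constructed sample data).
"""
import math

# The physical relationship that honest sensors reflect (assumed for the example).
TRUE_SLOPE, TRUE_INTERCEPT = 2.0, 1.0


def local_fit(xs, ys):
    """Ordinary least squares for y = a*x + b; returns (a, b)."""
    n = len(xs)
    sx, sy = sum(xs), sum(ys)
    sxx = sum(x * x for x in xs)
    sxy = sum(x * y for x, y in zip(xs, ys))
    slope = (n * sxy - sx * sy) / (n * sxx - sx * sx)
    intercept = (sy - slope * sx) / n
    return (slope, intercept)


def make_node_data(node_id, poisoned=False):
    """Constructed sensor readings for one node over its own x range."""
    xs = [float(node_id * 10 + i) for i in range(10)]
    if poisoned:
        # The attacker substitutes false sensor values that follow a different line.
        ys = [-2.0 * x + 9.0 for x in xs]
    else:
        ys = [TRUE_SLOPE * x + TRUE_INTERCEPT for x in xs]
    return xs, ys


def collect_updates(num_nodes=5, poisoned_nodes=(4,)):
    """Every node trains locally and reports only its model parameters."""
    updates = []
    for node_id in range(num_nodes):
        xs, ys = make_node_data(node_id, poisoned=node_id in poisoned_nodes)
        updates.append(local_fit(xs, ys))
    return updates


def fed_avg(updates):
    """Plain federated averaging: coordinate-wise mean, no robustness at all."""
    n = len(updates)
    return tuple(sum(u[k] for u in updates) / n for k in range(len(updates[0])))


def fed_median(updates):
    """Coordinate-wise median: tolerates a minority of arbitrary (Byzantine) updates."""
    agg = []
    for k in range(len(updates[0])):
        col = sorted(u[k] for u in updates)
        m = len(col) // 2
        agg.append(col[m] if len(col) % 2 else (col[m - 1] + col[m]) / 2)
    return tuple(agg)


def flag_outliers(updates, threshold=1.0):
    """Node indices whose update lies far from the robust aggregate, for investigation."""
    center = fed_median(updates)
    flagged = []
    for i, u in enumerate(updates):
        dist = math.sqrt(sum((a - b) ** 2 for a, b in zip(u, center)))
        if dist > threshold:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    updates = collect_updates()
    print("node updates    :", updates)
    print("federated mean  :", fed_avg(updates))     # pulled toward the forged data
    print("federated median:", fed_median(updates))  # still the true model
    print("suspect nodes   :", flag_outliers(updates))
```

With four honest nodes reporting (2.0, 1.0) and the poisoned node reporting (-2.0, 9.0), the plain mean lands at (1.2, 2.6), a model every node would then be handed back, while the median stays at (2.0, 1.0) and the outlier screen names node 4. The median only holds while poisoned nodes are a minority; if an attacker controls most of the fleet, no aggregation rule can recover the true model, which is why the input data itself still needs protection.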

Developers seeking to implement edge AI in their industrial control systems can find the necessary hardware as well as system support here at CoastIPC. Our knowledgeable team of experts can be reached at 866-412-6278 or by email at [email protected] for help.