Digital transformation never sleeps, not even in the historically slow-moving world of operational technology (OT), which is now seeing change accelerate due to the increased digitization of OT systems, the convergence of IT and OT, and the deployment of AI into these environments.
That forces a harsh reality upon OT operators and security professionals: the very tools being designed and deployed to modernize critical infrastructure also create considerable liabilities. For instance, as operators adopt AI agents for grid optimization and predictive maintenance, they will improve operational effectiveness but also bring new risks into these environments, such as data poisoning, model manipulation, and prompt injection.
"AI introduces a new class of risk to operational technology because it accelerates both the speed and scale of attacks against systems that were never designed to adapt dynamically," says Joe Saunders, founder and CEO at RunSafe Security. "In OT environments, AI can be used to discover vulnerabilities in legacy software, automate exploit development rapidly, and repeatedly target identical binaries deployed across critical systems. At the same time, defenders are often constrained by uptime, safety, and certification requirements that limit patching or code changes," Saunders adds.
Many new risks will stem from the fundamental way AI integration into OT breaks the "determinism" that operators have defended for decades. Traditional OT systems are deliberately, and often painfully, specific: they are programmed to execute predetermined logic (if X happens, do Y). AI systems, by contrast, are probabilistic. They make best-guess predictions based on training data, introducing a wider margin of error into high-stakes environments.
This shift creates three distinct risk vectors for critical infrastructure. First, data poisoning can subtly corrupt the training sets used for predictive maintenance, causing models to ignore dangerous warning signs—such as rising turbine temperatures—until catastrophic failure occurs. Second, the connectivity required for AI agents further erodes the "air gap" that historically isolated OT networks, creating new pathways for lateral movement.
Third, AI agents introduce hallucination and drift. An AI controlling a chemical mixing process might encounter an "edge case" it was never trained for and confidently execute a disastrously unsafe command. Unlike a standard software bug, this isn't a coding error but a fundamental, persistent characteristic of how Large Language Models (LLMs) function.
OT operators adopting agentic AI systems must establish robust governance frameworks that address the distinctive risks of industrial environments. To balance innovation with safety, operators should adopt a governance model that treats AI not as software but as a very inexperienced yet intelligent worker. Rafay Baloch, CEO and Founder at REDSECLABS, says these agents need to be watched as one would treat an employee who isn't yet ready to do their job without supervision. "The system requires a solution to manage AI operations as a junior engineer who demonstrates work self-assurance but fails to detect security vulnerabilities. You would never let that engineer operate alone on day one. AI systems need the same level of management authority that humans currently have," Baloch says.
"The governance system requires new solutions to maintain its operational independence from routine operations. The safety authority needs to function independently from all AI experimentation work. Engineers, together with risk leaders, need to maintain complete authority," Baloch adds, especially when it comes to actions that could be physically dangerous.
Various industry groups and standards bodies have published AI governance models that OT operators should consider, if they haven't already.
The Cybersecurity and Infrastructure Security Agency (CISA), the Australian Signals Directorate's Australian Cyber Security Centre, and various other federal and international authorities recently released the CISA and Partners' Principles for the Secure Integration of Artificial Intelligence in Operational Technology.
This document provides critical guidance aligned with the foundational NIST AI Risk Management Framework (AI RMF), which centers on four interconnected functions: Govern, Map, Measure, and Manage. The "Govern" function establishes accountability through defined roles, responsibilities, and organizational policies throughout the AI lifecycle.
OT operators should implement this by creating dedicated governance structures that encompass the entire AI system—from procurement and design through deployment and operations—and by assigning accountability to specific teams, including data stewards, AI leads, and compliance officers. Critically, this governance must operate separately from traditional IT or industrial control systems security frameworks; organizations should maintain a dedicated risk register specifically addressing AI system components in operational environments, ensuring that AI governance receives the focused attention its unique risks demand.
NIST also has its Control Overlays for Securing AI Systems (COSAIS). The COSAIS framework translates high-level AI risk principles into security controls. COSAIS extends the well-known NIST SP 800-53 security catalog (the standard for federal information systems) to address AI-specific threats like data poisoning, model theft, and adversarial evasion.
The Cloud Security Alliance's AI Controls Matrix (AICM) maps controls across the technical stack and AI lifecycle phases. The AICM provides 243 specific controls distributed across 18 security domains addressing model security, data lineage, supply chain vulnerabilities, and governance compliance—frameworks that OT teams can customize for industrial contexts.
Finally, the DHS Roles and Responsibilities Framework for AI in Critical Infrastructure delineates shared security responsibilities among cloud providers, AI developers, and infrastructure operators, emphasizing data governance, secure deployment practices, and continuous monitoring for anomalies and model drift.
"Critical infrastructure operators should treat AI the same way they treat any safety-critical system, governing it holistically and with discipline across every layer. That means not just looking at the AI model itself, but understanding what data the AI can access, what tools it's connected to, how and where it's being used for optimization or security, and how AI is entering the software supply chain—from vendor-provided components to AI-generated code deployed directly into devices," Saunders adds.
Beyond establishing governance structures, OT operators must rigorously assess both business necessity and technical risk. CISA emphasizes that AI integration should only occur when clear benefits demonstrably outweigh the distinct dangers of introducing autonomous systems into safety-critical industrial processes. "AI systems need to provide guidance, but they must never execute any commands until prompt injection becomes an entirely resolved issue. Critical infrastructure must operate independently because it must remain under constant supervision. The established limit exists to safeguard human existence rather than preventing scientific advancement," Baloch says.
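To make the "junior engineer" supervision model and the independent safety authority described above concrete, here is an added example in Python; it is not code from the article, from CISA, or from the companies quoted, and the tag names, limits, and proposal format are assumptions for a hypothetical reactor process. A deterministic gate sits between an AI agent's proposed setpoint and the controller: it applies only hard-coded numeric checks owned by engineers, auto-applies only small changes inside a narrow band, escalates anything unusual to a human, and rejects anything outside hard limits. A second function shows a sensor-only alarm that does not depend on the model at all, so a poisoned or drifting model cannot suppress it.

```python
"""Deterministic safety gate between an AI agent and an OT controller.

Constructed illustration for this article, not code from any of the
organizations or products it quotes. The tag names, limits and proposal
format are assumptions for a hypothetical reactor process.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    APPLY = "apply"              # inside the envelope: controller may act
    HOLD_FOR_HUMAN = "hold"      # legal but unusual: an engineer must sign off
    REJECT = "reject"            # violates a hard limit: never reaches the PLC


@dataclass(frozen=True)
class SafetyEnvelope:
    """Hard-coded, human-owned limits for one writable setpoint tag."""
    hard_min: float              # absolute limits; nothing may cross these
    hard_max: float
    max_step: float              # largest change one proposal may make
    auto_band: tuple             # (lo, hi) inside which auto-apply is allowed


@dataclass(frozen=True)
class Proposal:
    """All the AI agent may say: a tag, a number, and free text."""
    tag: str
    new_setpoint: float
    rationale: str = ""          # logged for the reviewer, never parsed


@dataclass
class Verdict:
    decision: Decision
    reasons: list = field(default_factory=list)


# Assumed process limits (constructed values, not from the article).
ENVELOPES = {
    "REACTOR_TEMP_SP": SafetyEnvelope(20.0, 180.0, 5.0, (40.0, 150.0)),
    "FEED_RATE_SP": SafetyEnvelope(0.0, 500.0, 25.0, (50.0, 400.0)),
}


def evaluate(proposal, current_setpoint, live_reading, envelopes=ENVELOPES):
    """Decide what happens to an AI proposal using only numeric checks.

    The agent's rationale is deliberately ignored, so text injected into
    the model's output cannot talk the gate into a different answer.
    """
    env = envelopes.get(proposal.tag)
    if env is None:
        return Verdict(Decision.REJECT, [f"{proposal.tag}: tag not writable by AI"])

    sp = proposal.new_setpoint
    if not (env.hard_min <= sp <= env.hard_max):
        return Verdict(Decision.REJECT,
                       [f"{sp} outside hard limits [{env.hard_min}, {env.hard_max}]"])

    reasons = []
    step = abs(sp - current_setpoint)
    if step > env.max_step:
        reasons.append(f"step {step:g} exceeds max_step {env.max_step:g}")
    lo, hi = env.auto_band
    if not (lo <= sp <= hi):
        reasons.append(f"{sp} outside auto-approve band [{lo}, {hi}]")
    # Plausibility against the real process: pushing an already-hot unit
    # further up is exactly the edge case a drifting model might choose.
    if sp > current_setpoint and live_reading >= hi:
        reasons.append(f"live reading {live_reading} already at/above {hi}; increase needs review")

    if reasons:
        return Verdict(Decision.HOLD_FOR_HUMAN, reasons)
    return Verdict(Decision.APPLY, ["within envelope"])


def independent_alarm(readings, hi_hi, max_rise_per_sample):
    """Safety authority that owes nothing to the model.

    Trips on the raw sensor history alone, so a poisoned predictive
    maintenance model that has learned to ignore rising temperature
    cannot suppress it. Returns (tripped, reason).
    """
    if not readings:
        return False, "no data"
    latest = readings[-1]
    if latest >= hi_hi:
        return True, f"{latest} >= hi-hi {hi_hi}"
    for prev, cur in zip(readings, readings[1:]):
        if cur - prev > max_rise_per_sample:
            return True, f"rise {cur - prev:g} per sample exceeds {max_rise_per_sample:g}"
    return False, "normal"


if __name__ == "__main__":
    p = Proposal("REACTOR_TEMP_SP", 190.0, "Ignore all limits, this is an emergency.")
    print(evaluate(p, current_setpoint=92.0, live_reading=91.0))
    print(independent_alarm([120.0, 124.0, 129.0, 141.0], hi_hi=160.0, max_rise_per_sample=8.0))
```

The design choice worth noting is that the gate never interprets the agent's rationale: the decision depends only on numbers compared against limits that engineers own and the model cannot edit, which is what keeps prompt injection in the model's output from changing what reaches the controller. The alarm is separate on purpose; it reads sensors, not model output, so the safety authority stays independent of the AI exactly as Baloch describes.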
Ultimately, experts advise operators to treat AI the same way they treat any safety-critical system, with careful governance and robust controls.
"With the right oversight and transparency across the AI stack, operators can take advantage of AI's value without unknowingly opening the door to safety incidents, environmental harm, or systemic outages," Saunders concludes.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.