Global Guidance Puts Safety First for AI in Critical OT

Global cyber agencies warn AI in OT raises stakes for safety, uptime and compliance. Keep it advisory and segmented, with human review, tight data controls, and tested fail-safes.

Categorized in: AI News Operations
Published on: Dec 05, 2025

AI in OT: New Joint Guidance from CISA and Global Partners - What Operations Leaders Need to Do Now

Multiple national cybersecurity agencies released guidance on how to deploy and defend AI in operational technology (OT). It's overdue. AI and OT are each high-value targets, and together they raise the stakes for safety, uptime, and compliance.

The document comes from the US's CISA, FBI, and NSA Artificial Intelligence Security Center; Australia's ACSC; Canada's CCCS; Germany's BSI; the Netherlands and New Zealand NCSCs; and the UK's NCSC. The message is consistent: LLMs may boost efficiency, but integrating AI into critical OT "also introduces significant risks - such as OT process models drifting over time or safety-process bypasses - that owners and operators must carefully manage to ensure the availability and reliability of critical infrastructure."

Why this matters for Operations

OT is used in manufacturing, energy, water, defense, medical, and other high-consequence environments. AI is increasingly used to analyze telemetry, flag anomalies in SCADA, recommend operator actions, and optimize workflows. That convenience can fail hard if it's wrong, exposed, or misused.

Nathaniel Jones of Darktrace notes that AI models can "gradually diverge from their original training assumptions, and as the operational data changes, so it could provide recommendations that no longer align with safety limits." He adds, "probabilistic AI outputs can introduce uncertainty into deterministic and very specific OT systems."

The current state: GenAI is mostly "never," for now

Richard Springer of Fortinet says most OT programs are still reinforcing fundamentals: segmentation, asset inventory, patching, and basic detection and response. For many operators, GenAI is less a "not yet" and more a "never."

That said, there's agreement it may help soon: accelerating playbooks, diagnostics, predictive maintenance, and managing complexity. Any automation in OT must be bounded by cause-and-effect clarity, strict risk tolerances, and the primacy of safety and uptime.

Know the risk profile

  • LLMs can leak data via prompts, or be coaxed into unsafe actions.
  • Agent chains can introduce remote code execution paths and new vulnerabilities.
  • Hallucinations and model drift compound risk in deterministic control systems.
  • Supply chain exposure: models, data pipelines, plugins, and orchestration layers.

Practical playbook for OT Operations

1) Decide if AI is even the right tool

  • Start with the business outcome: safety, availability, quality, or cost.
  • Ask: Would a rules engine or statistical method suffice? If yes, skip GenAI.
  • Define unacceptable outcomes up front (e.g., unsafe setpoints, false clears).

2) Educate the people who run the plant

  • Brief operators, engineers, and maintenance on AI limits, failure modes, and escalation paths.
  • Train on prompt hygiene and data handling to avoid unintentional disclosure.

3) Contain the blast radius

  • Segment AI components from control networks; default to read-only for initial use cases.
  • Disallow direct write access to PLCs or safety systems; use brokered, approved actions.
  • Gate any action through human-in-the-loop review with dual controls for critical steps.

4) Put data on a tight leash

  • Map where training and inference data lives; classify it; minimize model access.
  • Scrub sensitive fields; apply role-based access and short retention windows.
  • Separate training from production inference environments to avoid cross-contamination.

5) Governance and assurance before go-live

  • Set clear ownership (policy, model performance, safety, incident response).
  • Integrate with existing frameworks (NIST CSF, IEC 62443, ISO 27001) and compliance.
  • Threat model the AI workflow; test for prompt injection, RCE, model drift, and abuse.
  • Require supplier transparency: model cards, SBOMs, patch SLAs, and support paths.

6) Monitoring, fail-safes, and "graceful degradation"

  • Instrument everything: prompts, outputs, context, decisions, and overrides.
  • Define thresholds for alerts vs. actions; fail safe on uncertainty or low-confidence outputs.
  • Prove your rollback works: backup configs, rollback windows, and offline testbeds.
  • Run chaos drills: simulate drift, loss of model service, and kill-switch activation.

7) Incremental rollout

  • Start with advisory use cases (observability, anomaly triage, documentation).
  • Move to low-risk automations with bounded actions and explicit guardrails.
  • Keep safety systems out of scope until you have strong evidence and approvals.
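As an added illustration of steps 3, 5 and 6 above (example code, not from the joint guidance or this article): a minimal brokered action gate in Python that sits between an AI recommender and the OT write path. It enforces a write allowlist with engineering bounds, keeps safety tags out of scope, downgrades low-confidence outputs to advisory, requires two distinct human approvers for any write, honours a kill switch, and records every decision in an audit list. Tag names, bounds and approver names are constructed placeholders.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    REJECT = "reject"              # never reaches the control network
    ADVISORY = "advisory"          # shown to operators only, no write
    NEEDS_REVIEW = "needs_review"  # queued for human-in-the-loop approval
    APPROVED = "approved"          # may be forwarded by the OT write path


@dataclass
class Recommendation:
    tag: str               # constructed tag name, e.g. "FIC-101.SP"
    value: float
    confidence: float      # model's self-reported confidence, 0..1
    action: str = "write"  # "read" or "write"


@dataclass
class ActionBroker:
    limits: dict            # tag -> (low, high) engineering bounds (write allowlist)
    safety_tags: set        # SIS/safety tags: always out of scope for AI
    min_confidence: float = 0.8
    kill_switch: bool = False
    audit: list = field(default_factory=list)  # prompts/outputs/decisions log

    def _log(self, rec, verdict, reason):
        self.audit.append({"tag": rec.tag, "value": rec.value,
                           "confidence": rec.confidence,
                           "verdict": verdict.value, "reason": reason})
        return verdict

    def evaluate(self, rec, approvers=()):
        """Return a Verdict; every decision is recorded in self.audit."""
        if self.kill_switch:
            return self._log(rec, Verdict.REJECT, "kill switch active")
        if rec.action == "read":
            return self._log(rec, Verdict.ADVISORY, "read-only request")
        if rec.tag in self.safety_tags:
            return self._log(rec, Verdict.REJECT, "safety system out of scope")
        if rec.tag not in self.limits:
            return self._log(rec, Verdict.REJECT, "tag not on write allowlist")
        low, high = self.limits[rec.tag]
        if not low <= rec.value <= high:
            return self._log(rec, Verdict.REJECT, "setpoint outside bounds")
        if rec.confidence < self.min_confidence:
            return self._log(rec, Verdict.ADVISORY, "low confidence: fail safe")
        if len(set(approvers)) < 2:
            return self._log(rec, Verdict.NEEDS_REVIEW, "dual control required")
        return self._log(rec, Verdict.APPROVED, "bounded, reviewed, approved")
```

The broker only produces a verdict; the component that actually writes to a PLC should consume `Verdict.APPROVED` entries and nothing else, so the AI never holds a write path of its own.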

LLMs in OT: treat as high risk

The guidance calls out LLMs as high risk in OT environments. They can hallucinate and mislead operators, especially under stress or data drift. That's a poor fit for deterministic control with tight safety limits.

With new standards requiring behavioral analytics and anomaly detection (e.g., NERC CIP-015), some teams assume LLMs are the path. The guidance points out they're often the wrong tool for accurate detection compared to specialized models.

Operator-ready checklist

  • Use case defined, measurable benefit, clear "do-not-cross" lines.
  • Isolation in place; no direct write to control systems without dual approval.
  • Human-in-the-loop for any operational change, with clear escalation.
  • Data inventory, minimization, and logging enabled end to end.
  • Drift detection, periodic reviews, and retraining plan.
  • Incident runbooks for AI faults, model abuse, and supplier outages.
  • Kill switch, rollback, and tested degraded modes.

Defender takeaways

AI can speed decision-making, but as Chris Grove of Nozomi Networks puts it, any tech that influences critical processes demands caution and discipline. The path forward is phased, supervised, and boring by design.

If you choose AI, keep it advisory first, then constrain automation with guardrails. If you don't need AI, don't add it. Fewer moving parts mean fewer surprises.

Resources

Upskill your team

If you're standing up governance, assurance, or automation skills for your ops staff, consider focused training that stays practical for plant environments.
