US and Australia issue guidance on secure AI in infrastructure

AI News


U.S. and international cybersecurity agencies have issued new guidance to help critical infrastructure operators securely incorporate AI into operational technology (OT) systems.

The guidance, released on December 3, was developed jointly by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Signals Directorate’s Australian Cyber ​​Security Center, with input from international partners such as the UK National Cyber ​​Security Center (NCSC).

This document focuses on AI tools such as machine learning (ML), large-scale language models (LLM), and AI agents, but is also applicable to traditional logic-based and statistical automation systems.

This addresses both the unique security and safety challenges that AI introduces into OT environments, as well as the potential efficiency and cost benefits of AI.

Key principles of AI security in OT environments

According to the guide, critical infrastructure operators are encouraged to:

  • Understand AI risks and promote safe development practices among personnel

  • Evaluate the use of AI in OT environments, including data security and integration challenges

  • Establish a governance framework for continuous model testing and regulatory compliance

  • Incorporate safety and security practices and maintain transparency and incident response integration

The guidance also emphasizes the protection of sensitive OT data. This includes engineering configuration information such as schematics and asset inventory, as well as ephemeral data such as process measurements that may be exposed if used to train an AI model.

Read more about AI governance: BSI warns of impending AI governance crisis

The cyber agency also noted that OT vendors are increasingly incorporating AI directly into devices. To this end, the guidance recommends that carriers require transparency around AI capabilities, software supply chains, and data usage policies.

Integration challenges include system complexity, cloud security risks, latency constraints, and ensuring compatibility with legacy OT systems.

Operators must conduct tests in controlled environments, maintain human oversight, and regularly update AI models to prevent errors and maintain safety.

Monitoring, compliance and safety

The report warns that human oversight remains central to AI-powered OT systems. Monitoring AI output, detecting anomalies, and maintaining failsafe mechanisms are critical to ensuring operational reliability.

Operators are also required to align AI integration with existing cybersecurity frameworks, conduct regular audits, and comply with evolving international AI standards.

“The integration of AI into OT presents both opportunities and risks for owners and operators of critical infrastructure,” CISA commented.

“By adhering to these principles and continuously monitoring, validating, and refining AI models, critical infrastructure owners and operators can balance the integration of AI into the OT environments that control critical public services.”



Source link