CISA issues principles for integrating AI in operational technology
The Cybersecurity and Infrastructure Security Agency and the Australian Signals Directorate’s Australian Cyber Security Centre released Principles for the Secure Integration of Artificial Intelligence (AI) in Operational Technology (OT) to address security and safety risks associated with adding AI capabilities to OT systems.
Produced jointly with federal and international partners, the document targets critical infrastructure owners and operators and concentrates on machine learning (ML), large language models (LLMs), and AI agents, while noting the guidance also applies to systems that use traditional statistical modeling and logic-based automation.
The guidance aims to help critical infrastructure owners and operators integrate AI into OT systems in a way that balances the benefits of AI—such as increased efficiency, enhanced decision-making, and cost savings—with the unique risks it poses to the safety, security, and reliability of OT environments.
Critical infrastructure owners and operators are encouraged to adopt these principles to maximize AI benefits while mitigating risks. The advisory directs readers to review the full Principles for the Secure Integration of AI in OT guidance for further details. For related resources, the guidance points readers to CISA’s AI and Industrial Control Systems webpages.
The guidance sets out four principal areas: increasing workforce understanding of AI by educating personnel on AI risks, impacts, and secure development lifecycles; assessing AI use in OT through evaluation of business cases, management of OT data security risks, and attention to immediate and long-term integration challenges; establishing AI governance by implementing governance frameworks, testing AI models continuously, and ensuring regulatory compliance; and embedding safety and security by maintaining oversight, ensuring transparency, and integrating AI into incident response plans.