WASHINGTON – The Cybersecurity and Infrastructure Security Agency and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), in collaboration with U.S. and international government partners, published Principles for the Secure Integration of Artificial Intelligence (AI) in Operational Technology (OT) today. This joint guide provides four key principles that will help critical infrastructure OT owners and operators mitigate unique risks and achieve a balanced integration of AI into OT environments.
“AI holds tremendous promise for enhancing the performance and resilience of operational technology environments – but that promise must be matched with vigilance,” said CISA Acting Director Madhu Gottumukkala. “OT systems are the backbone of our nation’s critical infrastructure, and integrating AI into these environments demands a thoughtful, risk-informed approach. This guidance equips organizations with actionable principles that AI adoption strengthens—not compromises—the safety, security, and reliability of essential services.”
This joint guide provides key principles that will help critical infrastructure owners and operators safely and effectively integrate AI into OT systems. The four key steps are:
- Understand AI: Educate personnel on AI risks, impacts, and secure development lifecycles.
- Assess AI Use in OT: Evaluate business cases, manage OT data security risks, and address immediate and long-term integration challenges.
- Establish AI Governance: Implement governance frameworks, test AI models continuously, and ensure regulatory compliance.
- Embed Safety and Security: Maintain oversight, ensure transparency, and integrate AI into incident response plans.
“The integration of AI into critical infrastructure brings both opportunity and risk,” said Nick Andersen, Executive Assistant Director for Cybersecurity. “While AI can enhance the performance of OT systems that power vital public services, it also introduces new avenues for adversarial threats. That’s why CISA, in close coordination with our U.S. and international partners, is committed to providing clear, actionable guidance. We strongly encourage OT owners and operators to apply the principles in this joint guide to ensure AI is implemented safely, securely, and responsibly.”
This joint guide focuses on machine learning (ML)- and large language model (LLM)-based AI, and AI agents. However, this guidance may also be applied to systems augmented with traditional statistical modeling and other logic-based automation.
In addition to ASD’s ACSC, this joint guide was developed in collaboration with the
- National Security Agency’s Artificial Intelligence Security Center (NSA AISC)
- Federal Bureau of Investigation (FBI)
- Canadian Centre for Cyber Security (Cyber Centre)
- German Federal Office for Information Security (BSI)
- Netherlands National Cyber Security Centre (NCSC-NL)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- United Kingdom National Cyber Security Centre (NCSC-UK)
For more information on related resources, visit CISA’s Artificial Intelligence and Industrial Control Systems webpages.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.