(TLP:CLEAR) CISA and Partners Publish Guidance on the Principles for the Secure Integration of Artificial Intelligence in Operational Technology
Created: Thursday, December 4, 2025 - 16:10
Categories: Cybersecurity, Federal & State Resources, OT-ICS Security
Summary: Yesterday, CISA, in collaboration with other U.S. and international partners, published “Principles for the Secure Integration of Artificial Intelligence (AI) in Operational Technology (OT).” This report discusses how critical infrastructure owners and operators can help ensure the safety and security of AI systems in OT environments.
Analyst Note: Threat actors are increasingly targeting OT systems and industrial control systems (ICS) of critical infrastructure entities. Therefore, it’s critically important that entities planning on utilizing AI in OT environments properly integrate these tools without introducing additional operational risk.
Accordingly, the guidance report provides key principles that will help critical infrastructure owners and operators leverage the benefits of AI in OT systems while reducing risk. The four key steps are:
- Understand AI – Understand the unique risks and potential impacts of AI integration into OT environments, the importance of educating personnel on these risks, and the secure AI development lifecycle.
- Consider AI Use in the OT Domain – Assess the specific business case for AI use in OT environments and manage OT data security risks, the role of vendors, and the immediate and long-term challenges of AI integration.
- Establish AI Governance and Assurance Frameworks – Implement robust governance mechanisms, integrate AI into existing security frameworks, continuously test and evaluate AI models, and consider regulatory compliance.
- Embed Safety and Security Practices into AI and AI-Enabled OT Systems – Implement oversight mechanisms for the safe operation and cybersecurity of AI-enabled OT systems, maintain transparency, and integrate AI into incident response plans.
This guide focuses on machine learning (ML) and large language model (LLM)-based AI and AI agents; however, this guidance may also be applied to systems augmented with traditional statistical modeling and other logic-based automation (which are also types of AI). Although AI can enhance efficiency, productivity, and decision making, it can also introduce new challenges that require careful management to support the safety, security, and reliability of OT systems.
For successful mitigation of the risks of integrating AI into OT systems, the reporting agencies strongly encourage critical infrastructure owners and operators to review and follow the principles of the guidance report.
Original Source: https://www.cisa.gov/resources-tools/resources/principles-secure-integration-artificial-intelligence-operational-technology
Additional Reading:
- (TLP:CLEAR) CISA Fact Sheet: Primary Mitigations to Reduce Cyber Threats to Operational Technology
- (TLP:CLEAR) CISA Releases Guidance for Securing OT Systems
Related WaterISAC PIRs: 6 & 8
