CISA Publishes AI Security Guidance for Critical Infrastructure
CISA has published new guidance on AI security for operators of critical infrastructure, expanding its AI-specific advisory portfolio with sector-focused threat models and a minimum security baseline that aligns with — and extends — the NIST AI RMF 2.0. The guidance is advisory but carries significant weight for organisations subject to CISA oversight, particularly those in energy, water, transportation, and financial services.
Scope and Authority
The guidance applies to “AI-enabled critical systems” — defined as AI components that directly influence or control critical infrastructure operations, or that inform decisions with potential safety or continuity implications. This includes:
- AI-assisted operational technology (OT) monitoring and anomaly detection
- Predictive maintenance systems in energy and transportation
- AI-driven demand forecasting in grid management
- Automated fraud detection in financial infrastructure
- AI-assisted threat detection in security operations
AI used purely for administrative functions (HR, internal communications) is explicitly out of scope.
Sector-Specific Threat Profiles
CISA identifies differentiated threat profiles by sector, reflecting the distinct adversary interests and attack surfaces in each:
Energy Sector
Primary threats: Nation-state actors seeking to degrade grid stability via AI manipulation; ransomware groups targeting AI-assisted control systems.
Key scenario: AI systems used for grid balancing are trained on historical load data. Data poisoning attacks that introduce subtle biases in this training data could cause the AI to make systematically incorrect load predictions — triggering outages or equipment damage without any direct cyberattack on OT systems.
CISA minimum requirements: Adversarial robustness testing for AI used in grid balancing; air-gap or strict network segmentation between AI inference infrastructure and OT networks; human-in-the-loop requirements for AI recommendations affecting load above a defined threshold.
Water and Wastewater
Primary threats: Manipulation of AI-assisted chemical dosing or treatment process optimisation.
CISA minimum requirements: AI recommendations for chemical treatment parameters must be validated against hard-coded safety limits before execution; AI systems must not have direct write access to treatment control systems without human approval.
Transportation
Primary threats: Adversarial attacks on AI-based traffic management, flight scheduling optimisation, and rail signalling support systems.
CISA minimum requirements: AI outputs that affect routing or scheduling decisions must be logged in an immutable audit trail; anomalous AI behaviour (outputs outside historical distribution) must trigger human review before implementation.
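The water-sector requirement (validate AI recommendations against hard-coded safety limits, no direct write access without human approval) and the transportation requirement (immutable audit trail, outputs outside the historical distribution escalate to human review) are the same control pattern: the model proposes, a deterministic guard checks, an operator approves, and every step is recorded in a log that cannot be silently edited. The Python below is an added example written for this page, not code from CISA or from any sector worksheet; the parameter name, safety limits, historical set-points and z-score threshold are constructed for illustration, and the guard generalises to any set-point the model is allowed to recommend.

```python
# Added example (not from the CISA guidance): a guard between an AI model and a
# control system. Names, limit values and historical data are illustrative.
import hashlib
import json
import statistics
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SafetyEnvelope:
    """Hard-coded engineering limits for one controlled parameter."""
    name: str
    hard_min: float
    hard_max: float
    max_step: float  # largest change permitted per actuation


@dataclass
class HashChainedAuditLog:
    """Append-only log; each record commits to the digest of its predecessor,
    so editing or deleting an earlier record invalidates every later one."""
    records: list = field(default_factory=list)
    head: str = "0" * 64

    def append(self, event: dict) -> str:
        body = {"prev": self.head, **event}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.records.append({**body, "digest": digest})
        self.head = digest
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "digest"}
            recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or recomputed != rec["digest"]:
                return False
            prev = rec["digest"]
        return True


class GuardedActuator:
    """The model never writes to the control system. It proposes; deterministic
    checks run; an operator approves; every step lands in the audit log."""

    def __init__(self, envelope, history, z_threshold=3.0):
        self.envelope = envelope
        self.history = list(history)  # past approved set-points (constructed data)
        self.z_threshold = z_threshold
        self.current = self.history[-1]
        self.audit = HashChainedAuditLog()
        self.pending = {}  # audit digest of the proposal -> proposed value

    def _out_of_distribution(self, value):
        mean = statistics.fmean(self.history)
        sd = statistics.pstdev(self.history) or 1e-9  # constant history: any change is anomalous
        return abs(value - mean) / sd > self.z_threshold

    def propose(self, model_id, value):
        env = self.envelope
        if not env.hard_min <= value <= env.hard_max:
            status, reason = "rejected", "outside hard safety limits"
        elif abs(value - self.current) > env.max_step:
            status, reason = "rejected", "step larger than max_step"
        elif self._out_of_distribution(value):
            status, reason = "flagged_for_review", "outside historical distribution"
        else:
            status, reason = "awaiting_approval", "within limits"
        ref = self.audit.append({"event": "proposal", "model": model_id, "param": env.name,
                                 "value": value, "status": status, "reason": reason})
        if status != "rejected":
            self.pending[ref] = value  # still needs a human before anything moves
        return status, reason, ref

    def approve(self, ref, operator):
        if ref not in self.pending:
            raise KeyError("no pending proposal with that reference")
        value = self.pending.pop(ref)
        self.current = value
        self.history.append(value)
        self.audit.append({"event": "approved", "by": operator, "ref": ref, "value": value})
        return value


def run_demo():
    envelope = SafetyEnvelope("chlorine_dose_mg_per_l", hard_min=0.2, hard_max=4.0, max_step=0.5)
    history = [1.8, 1.9, 2.0, 2.1, 2.0, 1.9, 2.0, 2.1, 2.0, 1.9]  # constructed set-points
    gate = GuardedActuator(envelope, history)
    out = {}
    out["normal"], _, ref = gate.propose("dosing-model-v3", 2.1)
    out["over_limit"], _, _ = gate.propose("dosing-model-v3", 6.0)
    out["big_step"], _, _ = gate.propose("dosing-model-v3", 2.5)
    out["ood"], _, _ = gate.propose("dosing-model-v3", 2.35)
    out["approved_value"] = gate.approve(ref, operator="shift-lead-2")
    out["log_ok"] = gate.audit.verify()
    gate.audit.records[0]["value"] = 6.0  # simulated tampering with the stored log
    out["log_ok_after_tamper"] = gate.audit.verify()
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Two design points. The hard-limit and step checks are not learned; they are engineering constants the model cannot argue with, so a poisoned or manipulated model can at worst produce rejections and escalations, not an unsafe write. The hash chain makes tampering with the stored log detectable, not impossible: a production deployment would periodically anchor `audit.head` somewhere the AI platform cannot reach (a separate logging system or WORM storage) so that a wholesale rewrite of the chain is also caught. The univariate z-score is the simplest possible "outside historical distribution" test; substitute whatever distributional model fits the parameter, but keep the escalation path the same.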
Financial Services
Primary threats: AI system manipulation for market advantage; fraud detection bypass by sophisticated adversaries.
CISA minimum requirements: Adversarial robustness testing for fraud detection models; monitoring for systematic patterns in fraud detection false negatives; model provenance documentation.
Minimum Security Baseline
Across all sectors, CISA defines five baseline requirements:
1. AI System Inventory
Organisations must maintain a complete inventory of AI systems that meet the scope definition, including: system function, data inputs, decision outputs, human oversight mechanisms, and responsible owner. The inventory must be reviewed and updated at least annually and following significant system changes.
2. Threat Modelling
Each AI system in the inventory must have a documented threat model covering at minimum:
- Data poisoning risks for training and operational data
- Adversarial input risks at inference time
- Model integrity risks (unauthorised modification of weights)
- Inference attack risks if the model is accessible via API
3. Incident Response Integration
AI systems must be included in existing cybersecurity incident response plans. CISA specifies that AI-specific incident types (adversarial manipulation, data poisoning, model integrity failure) must have defined response procedures distinct from conventional cyber incidents.
4. Human Oversight for High-Consequence Decisions
AI systems that can affect physical processes or safety-relevant decisions must have defined human oversight mechanisms. CISA explicitly rejects “human-on-the-loop” (human monitors AI decisions retrospectively) as sufficient for high-consequence contexts, requiring “human-in-the-loop” (human approves before execution).
5. Supply Chain Verification
Third-party AI components (pre-trained models, ML libraries, training datasets) must be assessed for supply chain risk before deployment. Minimum: verify cryptographic hashes of model weights against supplier-published values; assess training data provenance for high-risk applications. A matching hash shows only that the artefact is the one the supplier published, not that the supplier's own training pipeline was trustworthy, which is why the provenance assessment is listed as a separate step; the published hashes also need to come from a channel independent of the download itself, or an attacker who can swap the weights can swap the manifest too.
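One way to implement the hash-verification minimum, as an added Python example that is not part of the guidance or of any vendor's tooling: the `sha256sum`-style manifest format, the file names and the byte contents are assumptions made for the demonstration, and the check also reports files that are present but not listed, which a plain per-file comparison misses.

```python
# Added example (not from the CISA guidance): verify model artefacts against a
# supplier-published hash manifest before deployment. Format and names assumed.
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read weights in 1 MiB pieces; they do not fit in memory


def parse_manifest(text: str) -> dict[str, str]:
    """Parse `<sha256 hex>  <filename>` lines (sha256sum style, '*' binary marker tolerated)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        digest, name = digest.strip().lower(), name.strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest
    return expected


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifacts(model_dir: Path, manifest_text: str) -> dict[str, str]:
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'} for the model directory.
    Deploy only when every entry is 'ok'; 'unlisted' catches files smuggled in beside the weights."""
    expected = parse_manifest(manifest_text)
    result = {}
    for name, digest in expected.items():
        p = model_dir / name
        if not p.is_file():
            result[name] = "missing"
            continue
        # compare_digest avoids a timing side channel if the comparison is ever exposed remotely
        result[name] = "ok" if hmac.compare_digest(sha256_file(p), digest) else "mismatch"
    for p in model_dir.iterdir():
        if p.is_file() and p.name not in expected:
            result[p.name] = "unlisted"
    return result


def safe_to_deploy(results: dict[str, str]) -> bool:
    return bool(results) and all(v == "ok" for v in results.values())


def run_demo() -> dict:
    # Constructed artefacts standing in for real weight files; the manifest is what
    # a supplier would publish (out of band) for the genuine bytes.
    good = {"model.safetensors": b"constructed weight bytes v1", "config.json": b'{"layers": 12}'}
    manifest = "# constructed supplier manifest\n" + "\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in good.items())
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name, data in good.items():
            (d / name).write_bytes(data)
        out["clean"] = verify_artifacts(d, manifest)
        # Simulated compromise of the download: weights swapped, config removed, extra file added.
        (d / "model.safetensors").write_bytes(b"constructed weight bytes v1 plus backdoor")
        os.remove(d / "config.json")
        (d / "custom_op.py").write_bytes(b"print('not in the manifest')")
        out["tampered"] = verify_artifacts(d, manifest)
    return out


if __name__ == "__main__":
    for label, results in run_demo().items():
        print(label, results, "deploy:", safe_to_deploy(results))
```

The manifest must be obtained separately from the artefacts (a signed release page or a signed manifest file fetched over a different trust path); if it arrives in the same bucket as the weights, the check only proves that the two files agree with each other.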
Alignment with NIST AI RMF 2.0
CISA has published an explicit crosswalk between its guidance and the NIST AI RMF 2.0 functions. Organisations implementing the full AI RMF satisfy the majority of CISA baseline requirements. CISA’s additions are primarily sector-specific and consequence-focused, reflecting the physical safety implications of AI failures in critical infrastructure that are less prominent in the RMF’s technology-agnostic framing.
The guidance is available on the CISA website and is accompanied by sector-specific implementation worksheets for energy, water, transportation, and financial services.