Where Generative AI Delivers Value
In OT environments, the primary value of generative AI is not alert triage but context. When an investigation occurs, understanding the system relationships, dependencies, and operational impact requires knowledge that may be distributed across engineering teams, documentation, and institutional memory. AI critical infrastructure applications can bring this context together rapidly.
Customer context becomes particularly valuable when supporting OT investigations. What does this asset connect to? What processes depend on it? Who are the engineering contacts responsible for it? What has happened to similar systems in the past? Generative AI can query knowledge bases and semantic models to surface this information instantly, supporting investigation quality without requiring the analyst to navigate multiple systems and documentation repositories.
Coordination between IT security and OT engineering teams is another area where AI critical infrastructure tools add value. Investigations that cross the IT/OT boundary require shared understanding of both domains. AI can translate technical findings into operational context, helping security analysts understand OT implications and helping engineers understand security concerns.
The Role of Machine Learning
Machine learning for anomaly detection in OT environments is valuable but belongs in specialist tools designed for industrial protocols and processes. Platforms like Nozomi, Claroty, Defender for IoT, and Forescout have built detection capabilities tuned for OT traffic patterns and behaviours that generic security tools would miss.
These tools understand the baseline behaviour of industrial control systems in ways that IT-focused ML models do not. They can detect anomalies in process values, communication patterns, and device behaviour that would be invisible to conventional security monitoring. AI critical infrastructure strategies should leverage these specialist capabilities rather than trying to replace them with general-purpose tools.
The integration challenge is ensuring that alerts from OT detection tools flow into unified security operations with appropriate context. This is where generative AI adds value: enriching OT alerts with business context, correlating with IT security events, and supporting the converged IT/OT security operations that modern critical infrastructure requires.
CAF v4.0 Alignment
The NCSC's Cyber Assessment Framework v4.0, released in August 2025, introduces requirements that AI critical infrastructure capabilities directly support. Understanding how AI aligns with CAF can help demonstrate value to regulators and boards.
Under Objective B, AI supports asset management through automated discovery and relationship mapping. Generative AI can help maintain accurate inventories of OT assets and their dependencies, a foundational requirement that many organisations struggle to achieve manually. Context enrichment ensures that asset data remains current and connected to operational reality.
Under Objective C, AI supports multiple Indicators of Good Practice. The new contributing outcome C1.f requires understanding of user and system behaviour integrated with threat intelligence, exactly what ML-based behavioural analytics and GenAI-powered threat intelligence integration provide. The expanded threat hunting requirements under C2 benefit from AI's ability to traverse large datasets and identify patterns that manual hunting would miss.
The new A2.b contributing outcome on understanding threat also benefits from AI critical infrastructure tools that can model attack scenarios and assess likely threat actor approaches based on current intelligence. For a detailed analysis of CAF v4.0 changes and their implications, see our earlier blog on the framework update.
What Doesn't Work in OT
Autonomous response in OT environments carries risks that make it inappropriate in most contexts. Actions that might be acceptable in IT, like isolating a compromised system, could have safety implications in OT. Stopping a process, disconnecting a controller, or modifying access controls could affect physical operations in ways that security tools cannot fully assess.
AI critical infrastructure deployments should maintain human oversight for any actions that could affect physical processes. The value of AI in OT is in accelerating understanding and supporting decisions, not in taking autonomous action. This is not a limitation of the technology but a recognition of the operational context.
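The three points above (context enrichment of an OT alert, correlation with IT events across the IT/OT boundary, and keeping a human in the loop for any action that could touch a physical process) can be shown together in a short Python example. This is an added illustration written for this page, not code from the blog's author or from any of the platforms named above; the asset inventory, past incidents, alert, IT events and contact addresses are all constructed sample data, and the function names (`neighbours`, `enrich`, `correlate`, `propose_action`) are hypothetical. A real deployment would replace the in-memory dictionaries with queries against a CMDB, semantic model or OT asset platform.

```python
"""Added example: enrich an OT alert with asset context, correlate it with
IT-side events on connected assets, and gate any response action that could
affect a physical process behind human approval. All data is constructed."""
from datetime import datetime, timedelta

# Constructed asset inventory with relationships (stand-in for a CMDB or
# semantic model). Contacts use the reserved .invalid TLD on purpose.
ASSETS = {
    "plc-boiler-01": {"zone": "OT", "connects_to": ["hmi-boiler-01", "hist-01"],
                      "processes": ["steam-generation"],
                      "owner": "boiler-eng@example.invalid", "safety_relevant": True},
    "hmi-boiler-01": {"zone": "OT", "connects_to": ["plc-boiler-01"],
                      "processes": ["steam-generation"],
                      "owner": "boiler-eng@example.invalid", "safety_relevant": False},
    "hist-01":       {"zone": "DMZ", "connects_to": ["plc-boiler-01", "ws-eng-07"],
                      "processes": ["data-historian"],
                      "owner": "ot-platform@example.invalid", "safety_relevant": False},
    "ws-eng-07":     {"zone": "IT", "connects_to": ["hist-01"], "processes": [],
                      "owner": "it-helpdesk@example.invalid", "safety_relevant": False},
}

# Constructed institutional memory: what happened to this asset before.
PAST_INCIDENTS = [
    {"asset": "plc-boiler-01",
     "summary": "Unexpected firmware write during a maintenance window (constructed)"},
]

# Constructed OT detection-tool alert and IT security events from the same morning.
OT_ALERT = {"asset": "plc-boiler-01", "time": datetime(2025, 9, 1, 10, 15),
            "detail": "Write command from unexpected source hist-01"}
IT_EVENTS = [
    {"asset": "ws-eng-07", "time": datetime(2025, 9, 1, 9, 50), "detail": "Phishing payload executed"},
    {"asset": "hist-01",   "time": datetime(2025, 9, 1, 10, 5), "detail": "New local admin created"},
    {"asset": "ws-fin-02", "time": datetime(2025, 9, 1, 10, 10), "detail": "Repeated failed logons"},
]


def neighbours(asset, depth=2):
    """Assets reachable within `depth` hops of `asset` in the connection graph (BFS)."""
    seen, frontier = {asset}, [asset]
    for _ in range(depth):
        nxt = []
        for a in frontier:
            for n in ASSETS.get(a, {}).get("connects_to", []):
                if n not in seen:
                    seen.add(n)
                    nxt.append(n)
        frontier = nxt
    seen.discard(asset)
    return sorted(seen)


def enrich(alert):
    """Answer the investigation questions from the text: what does the asset
    connect to, which processes depend on it, who owns it, what happened before."""
    a = ASSETS[alert["asset"]]
    return {
        "asset": alert["asset"],
        "zone": a["zone"],
        "connects_to": list(a["connects_to"]),
        "dependent_processes": list(a["processes"]),
        "engineering_contact": a["owner"],
        "past_incidents": [i["summary"] for i in PAST_INCIDENTS if i["asset"] == alert["asset"]],
    }


def correlate(alert, it_events, window=timedelta(hours=1)):
    """IT events on assets within two hops of the OT asset, in the hour before the alert.
    This is the cross-boundary view a converged IT/OT SOC needs."""
    related = set(neighbours(alert["asset"]))
    start = alert["time"] - window
    return [e for e in it_events
            if e["asset"] in related and start <= e["time"] <= alert["time"]]


def propose_action(action):
    """Decide how a proposed response may proceed. Anything that targets an OT
    asset, a safety-relevant asset, or a direct neighbour of one is never run
    autonomously: it is returned as a recommendation for a human to approve."""
    target = ASSETS[action["target"]]
    impacted = sorted({p for n in [action["target"]] + target["connects_to"]
                       for p in ASSETS[n]["processes"]})
    needs_human = (target["zone"] == "OT" or target["safety_relevant"]
                   or any(ASSETS[n]["safety_relevant"] for n in target["connects_to"]))
    return {"action": action, "impacted_processes": impacted,
            "mode": "requires_human_approval" if needs_human else "auto"}


if __name__ == "__main__":
    print(enrich(OT_ALERT))
    print(correlate(OT_ALERT, IT_EVENTS))
    print(propose_action({"type": "isolate", "target": "hist-01"}))
    print(propose_action({"type": "isolate", "target": "ws-eng-07"}))
```

Running the block shows the point of the section: isolating the phished engineering workstation (`ws-eng-07`, IT zone, no path to a safety-relevant asset) can be automated, while isolating the historian is flagged for approval because it sits one hop from the boiler PLC and the steam-generation process, even though the historian itself is not in the OT zone.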
A Pragmatic Approach
AI critical infrastructure applications require pragmatism about what works in OT contexts. Generative AI delivers value through context, coordination, and compliance support. Machine learning delivers value through specialist OT detection tools. Autonomous response is generally inappropriate given the operational stakes.
For CNI operators evaluating AI, the questions are specific: Does this help my teams understand OT context faster? Does it support converged IT/OT security operations? Does it help demonstrate compliance with frameworks like CAF? These are the areas where AI delivers genuine value for critical infrastructure, without introducing risks that outweigh the benefits.