Defending critical infrastructure when nation-State actors use AI for cyberattacks
This article is authored by Robert Huber, chief security officer & head, research, Tenable.
In the few minutes it takes you to read this, a nation-State actor would have probed, mapped, and potentially compromised a piece of critical infrastructure somewhere in the world. In many cases, they have already established a foothold.

The cyberattacks that followed the Iran conflict were a demonstration of what adversaries are capable of using AI. Nation-state actors with the resources of governments and the patience of institutions have spent years embedding themselves in the power grids, water systems, hospitals, and transport networks that modern life depends on. Recent events reveal how long the old threats were ignored.
Attacks that once required teams, months, and significant capital now require far less to succeed. AI has restructured the economics of offensive cyber operations, changing the scale and speed of attacks.
A suspected state-sponsored group used AI agents to execute 80–90% of a sophisticated intrusion operation autonomously including reconnaissance, harvesting credentials, and lateral movement to extract data across 30 targets at thousands of requests per second. Human operators spent fewer than 20 minutes per key phase while AI ran for hours. This is a structural advantage that separates the attacker’s capacity to act from the defender’s capability to respond.
This is just the tip of the iceberg. There’s been a 44% increase in attacks exploiting public-facing applications, accelerated by AI-enabled vulnerability discovery. Nearly half of all operational technology (cyber physical systems) vulnerabilities are rated critical or high and one in five already have public exploit code. Despite these alarming realities, only 48% of business leaders feel capable of surviving a major attack.
The gap between threat velocity and institutional readiness reflects a genuine structural vulnerability in how organisations manage operational risk today.
Visibility or the lack thereof, is the core problem.
IT security programmes have matured significantly over the past decade. Structured vulnerability management workflows, scalable scanning tools, and established remediation cycles have become standard practice for IT infrastructure. Operational technology environments have not followed the same trajectory.
Programmable logic controllers, human-machine interfaces, and cyber-physical systems running power grids, water plants, hospitals, and logistics networks represent a fundamentally different category of infrastructure. These systems resist standard scanning because aggressive queries can trigger operational failures. Instrumenting them properly requires expensive, specialised hardware. Addressing their vulnerabilities demands alignment across engineering, operations, and security teams that historically operate with separate priorities and different risk tolerances.
The result is a persistent blind spot at the centre of the attack surface. Security teams cannot protect what they cannot see, while attackers face no equivalent constraint because they move freely from compromised IT networks into poorly defended OT environments. Research from SANS Institute confirms that 45% of modern OT compromises originate in IT environments, crossing a boundary that most security programs treat as a hard border but adversaries treat as a routine step in a longer campaign. Closing this visibility gap is the defining infrastructure security challenge of this decade.
Cyber defenders must begin with an accurate inventory of what exists. Organisations obviously can’t prioritise remediation, communicate risk to leadership, or satisfy regulatory requirements without a complete picture of their cyber-physical assets. In fact, most organisations don’t have one.
Organisations that deploy unified OT discovery capabilities regularly uncover previously unknown assets, many carrying critical vulnerabilities. Those assets already sit on the network. The gap is simply in knowing they are there.
The next requirement is parity across domains. IT and OT vulnerabilities need to appear in a single view, measured on a consistent scale, and managed through a unified workflow. Siloed tools and separate security consoles replicate the same blind spots that adversaries exploit. Exposure management brings IT, cloud, identity, and OT into a single framework, giving security teams a unified view of where risk is concentrated.
Scanning OT environments continuously introduces real operational risk. Effective discovery uses passive network monitoring combined with safe active querying to surface asset details including vendor, model, firmware version, and operating state without interrupting the systems that critical services depend on.
AI-powered attack path analysis adds the final layer of necessary intelligence. Security teams need to understand precisely how an attacker could move from a compromised IT identity into a critical OT asset, and they need that intelligence before an incident occurs. This shifts security posture from reactive response to proactive exposure management.
Nation-State actors have already reduced the cost and complexity of attacking critical infrastructure with AI. Organisations that treat OT security as a future problem or a niche concern will face consequences that extend well beyond their own operations. Visibility is the foundation on which every other element of defense depends. Security teams that build it first will build programmes capable of surviving the threat environment that already exists.
(The views expressed are personal)
This article is authored by Robert Huber, chief security officer & head, research, Tenable.

E-Paper

