Wednesday, March 26, 2025

Building Resiliency Against AI-Driven Attacks on Critical Infrastructure

In November 2024, a cyberattack on DP World, one of Australia’s largest port operators, forced the company to shut down operations across key terminals for three days. The attack disrupted critical supply chains, delayed cargo movement nationwide and sent ripple effects through industries dependent on just-in-time logistics. While the attackers gained unauthorized access to DP World Australia’s corporate network by exploiting a known vulnerability, imagine for a second that they had also leveraged artificial intelligence.

Imagine the same breach, only this time, instead of a single point of failure, an autonomous AI agent infiltrates multiple control systems across terminals, mapping OT networks in real time, escalating privileges and coordinating shutdowns across multiple facilities simultaneously. No alarms. No warning. Just ports going dark within minutes.

The result would be the disruption of critical infrastructure within minutes and at a devastating scale. Seaports or even power grids could shut down for days, halting the global supply chain, costing billions of dollars and throwing people into panic.

That exact scenario hasn’t happened yet, but experts say it’s now well within reach.

“Agentic AI is the next frontier,” warned Jamie Moles, senior technical manager at ExtraHop. “An adversary that infiltrates an enterprise network through a phishing attack could deploy an AI agent to quickly collect critical information and move laterally across systems if no safeguards are in place.”

As cybercriminals harness AI to automate and enhance their attacks on national infrastructure, the need to bolster our defenses has never been more urgent.

The Appeal Of Critical Infrastructure

Cybercriminals have historically targeted financial institutions and corporations for profit, but critical infrastructure attacks are now more valuable and easier to execute. One major reason, according to Alex Yevtushenko, co-founder and CEO of Salvador Technologies, is aging legacy systems.

“Critical infrastructure, especially national systems, often relies on outdated legacy technology, which is particularly vulnerable,” Yevtushenko told me in an interview. “AI-driven automation of malicious code exploits and amplifies these weaknesses, increasing the risk of large-scale disruptions.”

Moles agrees with Yevtushenko, noting that “much of today’s critical infrastructure is rooted in legacy technology that can be slow to update in comparison to modern day systems.”

This means that the infrastructures that power our day-to-day lives and enable us to live safely lack the basic protection they should have. When you consider that attackers — including malicious actors who don’t have a technical background — now have sophisticated AI tools at their disposal, the reality becomes worse.

As Yevtushenko noted, “AI-automated phishing costs next to nothing for cybercriminals.” What’s more worrisome, he said, is that “research shows that it fools targets at the same rate as human-generated phishing — about 60%.”

The Consequences

For one, there’s the huge financial loss that comes with cyberattacks on the critical infrastructure sector. For example, healthcare ransomware attacks alone cost hospitals $21.9 billion in downtime losses between 2018 and 2024, according to a report by Comparitech. And these numbers will only grow as AI accelerates attack capabilities.

As Moles noted, any type of cyber incident is costly. “Remediation, legal fines, regulatory penalties and reputational damage all add up,” he said, adding that “AI amplifies these costs by making attacks faster and harder to detect.”

But in addition to the financial loss is the risk that such attacks on critical infrastructure pose to human lives and national security. Unlike data breaches in non-critical environments, which often only result in financial loss and reputational damage, attacks on critical infrastructure threaten public safety, national security and economic stability.

For example, Yevtushenko said that in healthcare, if a hospital uses outdated software it risks AI-powered ransomware locking down life-saving equipment. “In the telecommunications industry, AI-enhanced attacks can shut down internet access, disabling emergency communications. In water supply, AI-driven intrusions into water treatment plants can manipulate chemical levels and contaminate drinking water,” he added.

The big message here is that the consequences of AI-driven cyberattacks on the critical infrastructure sector are more devastating than any other.

Defending Critical Infrastructure

Just like malicious actors can use AI to launch sophisticated attacks at scale, organizations in the critical infrastructure sector can also use AI to defend against attacks — and there’s already been a lot of talk about that.

Yevtushenko added more thoughts to that conversation, explaining that “AI enables expansive behavioral analysis and anomaly detection, improving efficiency and accelerating threat monitoring in real time.”

Moles also said that AI is critical for automating security responses and minimizing reaction times. “Security teams are incorporating AI to speed up reaction times, using behavioral analysis to detect deviations from normal baseline behaviors.”

However, according to Yevtushenko, AI-powered defense is not a perfect solution. He warned that when both attackers and defenders use AI, the hacker will always be one step ahead. Remember that while the defender has to fend off thousands of attacks, the attacker needs only one success, which makes it an unfair game.

“This is why a defense-only approach is insufficient,” he said. “Organizations need to focus on resilience — ensuring that even if an attack occurs, they can recover in seconds, not hours or days.”

Regulatory Gaps

Despite the growing threat, AI cybersecurity regulations remain reactive and fragmented. While some guidelines exist to protect infrastructure, there is no unified global framework for AI-driven cyber threats.

“AI regulations exist, but not at the level of detail required to provide blanket protection for all organizations,” Moles said. “The rapid pace of AI innovation has made it difficult for policymakers to keep up.”

Yevtushenko argues that governments must take a three-pronged approach:

  1. Disrupting cybercriminal operations: Stricter penalties, stronger international cooperation and intelligence-sharing between allied nations.
  2. Encouraging and supporting organizations to integrate AI into their cybersecurity approach: Reducing limitations and providing financial support and grants.
  3. Educating critical infrastructure operators: Providing the right security tools, AI-driven monitoring systems and continuous workforce training.

Racing Against AI-Powered Cyberattacks

Moles’ verdict is that “we will consistently see rapid AI innovation from both attackers and defenders, with each side fueling the other.” And while he admitted that it will be used for negative purposes by threat actors, he said that “AI will be a key safeguard for security analysts as the benefits, like streamlining operations and reaching faster security outcomes, are critical to keeping pace in a perpetually transforming threat landscape.”

For Yevtushenko, there’s a need for more urgency. “Cyber threats will never be eliminated entirely,” he said. “However, organizations that invest in resilience — that is, rapid detection, automated recovery and advanced AI security — stand the best chance of surviving.”

So, if it’s certain that AI-driven attacks on critical infrastructure will happen at some point, the ability to detect and quickly recover from an attack will be the most defining capability in the future of critical infrastructure security.

“Critical infrastructure, especially national infrastructure, must focus on building and fortifying a forward strategy that focuses significantly on cyber resilience so that in case of a possible attack, a speedy recovery will occur — one that takes seconds, not days or even hours and with that avoiding massive damage that can impact vast populations or geographies,” Yevtushenko said.
