Generic filters

CISA’s AI Guidance to Power Plants

CISA’s AI Guidance to Power Plants

By Leonard Wills, NERC Reliability Specialist

The power industry continues to deploy AI technologies to analyze operational data, identify equipment anomalies, improve predictive maintenance, and help operators make faster decisions. These capabilities offer operational benefits, but they also introduce AI-related risks that can adversely impact operational technology (OT) environments.

CISA’s Principles for the Secure Integration of Artificial Intelligence in Operational Technology provides AI implementation guidance without compromising safety, reliability, or cybersecurity. The guidance identifies four principles for entities managing AI technologies: (1) understand AI, (2) consider AI use, (3) establish AI governance, and (4) embed safety oversight and failsafe practices.

Principle 1 – Understanding AI

Plants should understand AI systems and their inherent risks. AI models can drift as operating conditions change. Poor-quality data may produce inaccurate recommendations or outputs. Some models lack explainability, which can make troubleshooting and audits difficult. AI can increase operator cognitive load or erode manual operating skills when personnel rely too heavily on automated recommendations. These risks matter in a power plant because an incorrect output may adversely impact operations, such as contributing to unnecessary downtime, equipment damage, or unsafe operating conditions.

Principle 2 – Consider AI Use in the OT Domain  

Plants should evaluate each AI use case before deploying the technology in their OT environment. For instance, a plant considering AI implementation for turbine monitoring should document the impacted systems, required data, expected benefits, failure consequences, and success criteria. The entity should also determine whether the AI only provides recommendations or can directly influence control functions. Read-only and decision-support applications generally present less operational risk than AI systems with active control functionality.

Principle 3 – Establish AI Governance and Assurance Frameworks

Plants must develop an AI governance program before procuring AI technologies and should not view governance as an ‘add-on’ or ‘optional feature.’ Leadership should work with appropriate personnel and vendors to define roles and responsibilities and accountability structures. Operators must establish and implement monitoring, tracking, and reporting requirements throughout the AI lifecycle, from procurement to deployment. The AI governance program must also address third-party risk management for vendors that develop, provide, maintain, or access AI technologies.

Principle 4 – Embed Oversight and Failsafe Practices Into AI and AI-Enabled OT Systems

For NAES, safety serves as a core component in everything we do. Plants must maintain human oversight and a defined path to safely revert operations when AI systems fail or produce unreliable outputs. Operators should know when an AI system produces unreliable results, how to validate outputs through other sensors or operating information, and how to continue operations when the AI fails. Plants should monitor model inputs and outputs, detect model drift, retain audit logs, and establish safe operating thresholds.

Plants should treat AI as an operational capability that requires governance, testing, monitoring, and human oversight. This approach allows entities to capture the benefits of AI without compromising safety, reliability, or cybersecurity. Entities that follow these principles can integrate AI responsibly, support innovation, and maintain operational efficiency while managing AI-related risks.