The rapid integration of artificial intelligence (AI) tools into the UK’s critical national infrastructure (CNI) presents a range of severe risks that the sector is not yet mature enough to mitigate effectively, experts have told NCE.
The UK government has embarked on a mission to make the country one of the top three countries for the deployment of AI tools and the infrastructure on which the tools rely, i.e. data centres.
It is promoting the development of data centres with so much vigour that ministers now have specific responsibilities to ensure AI data centres’ power demands are met, and it looks increasingly likely that some of the first small modular reactors (SMRs) built in the UK will be used to meet the high electricity demands of the data centres.
However, the use of AI is still a new phenomenon, with the most high-profile large language model (LLM) AI tool – ChatGPT – only having been launched to the public in 2022.
It should therefore be of little surprise that cybersecurity experts NCE spoke with have concerns about the integration of AI into our CNI, such as the networks and systems that keep the country running.
AI integration in CNI presents range of risks
The integration of AI into CNI presents a wide range of risks, many of which are poorly understood, according to experts NCE spoke with.
Risks range from creating single points of failure in otherwise distributed physical systems, to providing adversaries with an easier route into systems, as well as the potential for AI “hallucinations” to cause havoc.
University College London associate professor and IEEE senior member Francesca Boem told NCE that the vulnerabilities created by the integration of AI into electricity systems could enable attackers to “destabilise the power grid entirely”.
IEEE (the Institute of Electrical and Electronics Engineers) describes itself as “a global community for technologists, helping to shape the systems and standards of tomorrow”.
“Devices capable of sensing their environments are becoming more prominent, with the ability to make or suggest decisions – or even take action – often autonomously,” Boem said.
“As such technologies take on critical roles, from managing power grids and hospitals to transport and industrial sites, the boundary between cyber and physical risk is disappearing.
“A single flaw in an AI-driven control system can now have real-world consequences. Vulnerabilities must be addressed at every phase – from design through to operation, including data acquisition, communication and processing.
“This is especially true in energy systems, where the shift towards intelligent infrastructure depends on vast amounts of data enabled by affordable sensing and communication technologies.
“If attackers compromise sensor data or gain control of connected devices, they could distort meter readings for financial gain or destabilise the power grid entirely.”
Boem continued: “Such attacks are no longer hypothetical – the energy sector has become a primary target, with cyber operations increasingly used to trigger physical consequences. To mitigate these risks, we must understand emerging threats and develop holistic strategies for resilience.”
Orange Cyberdefense managing principal consultant Noel Chinokwetu told NCE that many organisations in the CNI space are still at the early stages of integrating traditional information technologies into their vast infrastructure systems.
“Many, if not most, of these industries are still in the relatively early-to-mid-stages of modernisation,” he said.
“They are grappling with their vast operational technology (OT) networks and navigating the convergence of OT and IT systems. This alone is a huge task and, while it brings a myriad of benefits, it also comes with risks.
“Specifically, OT/IT convergence drastically increases the attack surface, with systems that had previously been offline now exposed to cyber threats.
“My concern is that if these industries have not yet navigated OT/IT convergence, introducing AI to the equation could do more damage than good.”
Chinokwetu did, however, say that AI does have the potential to improve the performance of CNI.
“Of course, AI is already in use to an extent, and it truly has the potential to transform CNI in the future, but over-implementing this technology now could create a ‘running before we can walk’ scenario,” he said.
“Moreover, relying too heavily on AI for decision-making within any industry comes with risks. LLMs can hallucinate and provide incorrect responses. AI agents can ‘go rogue’ because of incorrect data, poor training or lack of controls.
“None of it is foolproof yet. And the more reach the AI has through agents and integration, the greater the potential for things to go wrong.
“Taking AI’s word as gospel is risky for any company, but this level of risk multiplies exponentially when a country’s CNI is involved, as the potential fallout can be disastrous.”
AI tools present obvious target for adversaries looking to harm CNI systems
The rollout of AI into CNI creates a new and obvious target for attackers hoping to disrupt CNI systems, according to the cybersecurity professionals who shared their analysis with NCE.
AI does not just exist as the images and text we see on our screens; it is physically hosted in places like data centres – which are proliferating internationally and especially in the UK.
This means there are at least two “attack vectors” available to those wishing to create harm – the digital space and the physical space. Attackers could hack the software, or indeed damage or destroy the hardware which the software relies on.
Chinokwetu explained: “There is a growing likelihood that attackers will look to gain access and steal models and the context information they hold, in pursuit of the sensitive information that can be used for malicious purposes – such as causing mass disruptions to a country’s water or energy supply.
“When it comes to generative AI, hackers can employ prompt injections to elicit unexpected behaviour in an LLM, circumventing its alignment policy and potentially generating unwelcome or compromising responses.
“Methods of attack include context switching, as well as concealing harmful code and prompts within input data, all of which can lead to unauthorised content generation or service disruption.”
While ChatGPT is the most high-profile example of an LLM, there is a wide proliferation of other LLMs which are produced by technology companies for consumers, as well as by large organisations for their own internal use, or for use within their market sector.
Mind Foundry director of research Nathan Korda told NCE that most attack risks have mitigations.
Korda leads Mind Foundry’s work with the UK government’s Advanced Research and Invention Agency (Aria), which was set up by former government advisor Dominic Cummings to emulate the work done by the US government’s Darpa (Defense Advanced Research Projects Agency).
“As more workflows become dependent on AI pipelines, these will likely be hosted in cloud environments, increasing the risk to operations from Denial of Service attacks or physical attacks on data centres,” he said.
“Nevertheless, most of these risks also have mitigations.”
Meanwhile, Alliance Manchester Business School professor of applied artificial intelligence Richard Allmendinger told NCE: “AI systems are uniquely susceptible to deliberate manipulation.
“Adversaries can inject poisoned data or subtly distort sensor feeds (‘data spiking’), steering models into unsafe actions without detection.
“Physical attacks on AI hosting infrastructure – data centres, cloud services or edge devices – threaten availability as well as confidentiality.
“Because CNI relies on consistent, trusted inputs, even small manipulations can ripple outward, such as a water-treatment model ignoring contamination alarms, or a power-grid optimiser destabilising supply.
“The interconnectedness of these assets magnifies local sabotage into regional outages. Unlike conventional IT compromises, AI sabotage risks fusing cyber and physical consequences in unpredictable, cascading ways.”
Safeguards exist but are ‘immature relative to the stakes’
The experts told NCE that safeguards against the risks posed by integrating AI into CNI systems do exist, but a variety of approaches and a lack of experience mean the safeguards are “immature relative to the stakes”.
Chinokwetu said: “It’s important for CNI organisations to adopt proactive measures to effectively navigate this uncertainty.
“The key to effectively leveraging AI’s potential is to take both a security-first and human-centric approach, which ensures automated decisions are transparent and aligned with both regulatory requirements and organisational objectives.
“This approach is what we call ‘Secure Automated Decision-Making’, and it harnesses AI’s potential whilst maintaining human oversight to truly enhance the quality of decision making.”
Korda added: “The Aria program on Safeguarded AI is a national-level effort to address this issue and enact transformationally different AI capabilities that will enable the safe deployment of AI in high-stakes environments.”
Ulster University professor of cybersecurity and IEEE senior member Kevin Curran told NCE that AI must only be integrated where the roles of AI tools and people are clearly defined and where people can understand and control everything AI tools do.
“The only way AI can be integrated successfully within critical infrastructure is through a balanced approach where human and AI roles are clearly defined,” he said.
“AI is best suited to handling data-intensive and repetitive tasks, while humans should remain responsible for decisions that require judgment and context.
“AI systems must be designed to be understandable, allowing operators to see how decisions are reached and to challenge them if necessary.”
Allmendinger warned: “Safeguards are still immature relative to the stakes.
“While risk management frameworks and ‘human-in-the-loop’ controls exist, in practice, many CNI operators face resource constraints that limit rigorous oversight.
“Testing rarely replicates real-world edge cases, so failures may only emerge once the AI has actually been deployed – at which point it’s too late.
“Regulatory efforts remain fragmented across jurisdictions, leaving uncertainty about accountability when AI systems fail. As a result, safeguards may slow – but not fully prevent – new systemic risks from spreading through interconnected infrastructure.”
Sandboxing does exist but ‘coverage is patchy’
Users of AI tools who have a responsibility to protect CNI should find ways to ensure the tools are safe before they are deployed in the real world, according to those NCE spoke to.
This can involve “sandboxing” – taking the situation where children are allowed to play in a box with sand and toys rather than being exposed to a more open, real environment – and turning it into a metaphor where software is held within a restricted space and tested.
Chinokwetu said: “We’re absolutely seeing a big push from industry regulators around the creation of AI sandboxes. Just last month, Ofgem in the UK called for input on a proposal to create an Ofgem AI technical sandbox.
“The UK’s Office for Nuclear Regulation (ONR) was also awarded funding to develop AI using sandboxing, and the EU AI Act has made provisions for regulatory sandboxes.”
The “regulatory sandbox” will enable the exploration of how AI could be used to “analyse, interpret and categorise data in nuclear installations”, the ONR said.
Chinokwetu continued: “However, much of this is still in very early stages without many ‘real-world’ sandboxes for AI’s use in CNI. This is all the more reason to be cautious when it comes to its implementation.”
Korda said: “In the space of civil infrastructure assets, Mind Foundry is working with partners such as WSP and Network Rail to deliver better world models, which will, in turn, enable better risk management through the use of predictive condition modelling and AI planning tools.”
Allmendinger cautioned: “Sandboxing exists, but coverage is patchy and often more aspirational than comprehensive. Testbeds and digital twins can simulate failure scenarios, yet they cannot capture the full complexity or adversarial pressure of live CNI environments.
“Small-scale sandboxes may validate performance under ‘normal’ conditions but are less effective at uncovering rare, high-impact edge cases – exactly the ones most threatening in CNI.”
