How many AI incidents have been documented in Critical Infrastructure?

TopAIThreats has documented 14 incidents affecting this sector. 71% are classified as high or critical severity.

AI Threats to Critical Infrastructure

How AI-enabled threats affect energy grids, transportation systems, water utilities, and manufacturing — through AI-augmented cyberattacks, autonomous system failures, and cascading disruptions across interconnected infrastructure.

14 Incidents

71% High / Critical

6 Human-AI Control

Human-AI Control (6) Agentic Systems (3) Systemic Risk (2) Security & Cyber (2)

AI-enabled threats to critical infrastructure include AI-augmented cyberattacks targeting industrial control systems, autonomous vehicle and robotics failures, supply chain compromise through poisoned AI models, cascading failures across interdependent AI-managed systems, and AI-assisted reconnaissance for physical infrastructure sabotage. These threats affect energy grids, transportation networks, water and waste systems, telecommunications, and manufacturing facilities.

Critical infrastructure faces distinctive AI risks because disruptions cascade across populations, failures can cause physical harm or environmental damage, and many operational technology (OT) systems were designed before AI-enabled threats existed. Human-AI Control is the most frequent primary threat domain in this sector, reflecting the critical nature of autonomous system decision-making in physical environments.

Use this page to brief leadership, inform infrastructure risk assessments, and explore documented incidents affecting energy, transportation, and manufacturing sectors.

Who this page is for

Critical infrastructure operators and facility managers

Industrial control system (ICS) and OT security engineers

Sector-specific regulators and safety inspectors

National security and infrastructure protection planners

Transportation and energy sector risk managers

At a glance

Severity profile: Majority of documented incidents classified high or critical severity. Human-AI Control is the most frequent primary threat domain.

Primary threats: AI-augmented cyberattacks on industrial systems, autonomous transportation failures, AI-enabled infrastructure sabotage, supply chain AI compromise, cascading failures from infrastructure AI dependency

Key domains: Human-AI Control, Security & Cyber, Agentic Systems, Systemic Risk

Regulatory exposure: NIS2 Directive, NERC CIP, TSA cybersecurity directives, EU AI Act (critical infrastructure provisions), sector-specific standards

How AI Threats Appear in Critical Infrastructure

Critical infrastructure AI risks cluster around five recurring threat patterns, each documented through real-world incidents in the TopAIThreats database.

Recurring AI threat patterns in critical infrastructure
Threat Pattern	Primary Domain	Key Indicator
AI-augmented cyberattacks	Security & Cyber	Adaptive malware targeting industrial control systems
Autonomous system failures	Agentic Systems	Safety-critical autonomous systems behaving unpredictably
Supply chain AI compromise	Security & Cyber	AI components in infrastructure supply chains with unverified provenance
Cascading infrastructure failures	Systemic Risk	AI-managed interdependent systems amplifying localized disruptions
AI-enabled physical sabotage	Security & Cyber	AI reconnaissance used to identify and exploit infrastructure vulnerabilities

AI-augmented cyberattacks — AI-morphed malware that adapts to evade detection in OT environments, AI-assisted vulnerability discovery targeting industrial control systems, and AI-powered social engineering targeting infrastructure operators. The AI-orchestrated cyber espionage campaign demonstrated sophisticated AI-augmented attacks across critical sectors.
Autonomous system failures — Self-driving vehicles, autonomous drones, and AI-controlled industrial processes that fail in safety-critical situations due to specification gaming, edge-case blindness, or adversarial attacks that cause misclassification of environmental conditions. The Uber self-driving fatality and Tesla Autopilot fatal crashes are defining examples.
Supply chain AI compromise — AI supply chain attacks where adversaries compromise AI components (models, training data, inference pipelines) embedded in infrastructure systems, creating persistent backdoors in critical operations.
Cascading infrastructure failures — AI-managed systems that are interdependent across sectors (energy, water, telecommunications, transportation) where a failure in one system propagates through infrastructure dependency collapse to others. The Boeing 737 MAX MCAS failures illustrate how AI-adjacent automation in critical systems can have catastrophic consequences.
AI-enabled physical sabotage — Adversaries using AI for reconnaissance, vulnerability mapping, and attack planning against physical infrastructure, leveraging AI analysis of public data to identify exploitable weaknesses.

Operational technology convergence risks

The integration of AI with legacy OT systems creates risks specific to critical infrastructure:

IT/OT convergence attack surface — AI systems bridging information technology and operational technology networks create new pathways for attacks to reach physical processes
Safety system interference — AI optimization of industrial processes that conflicts with or bypasses safety instrumented systems designed to prevent physical harm
Long equipment lifecycles — Critical infrastructure equipment operates for decades, meaning AI security vulnerabilities may persist far longer than in IT systems where replacement cycles are shorter

Relevant AI Threat Domains

Cyber & supply chain threats

Security & Cyber — AI-morphed malware, AI supply chain attacks, and automated vulnerability discovery targeting infrastructure

Autonomous system risks

Agentic Systems — Goal drift in autonomous infrastructure management, multi-agent coordination failures, and specification gaming in AI-controlled processes
Human-AI Control — Unsafe human-in-the-loop failures where operator override mechanisms are inadequate
Economic & Labor — Decision loop automation reducing human involvement in industrial process decisions

Systemic risks

Systemic Risk — Infrastructure dependency collapse and accumulative risk from interconnected AI-managed systems

What to Watch For

These are the most critical warning signs that infrastructure operators should monitor for AI-related risks, with actionable guidance for each.

AI components integrated into ICS/SCADA systems without security assessment for adversarial manipulation — What ICS engineers can do: Require adversarial input detection testing for any AI component in operational technology environments. Verify that AI failures default to safe states. Maintain manual override capability for all AI-controlled processes.
Autonomous transportation or logistics systems operating without adequate fallback procedures — What operators can do: Ensure all autonomous systems have defined failure modes and manual takeover procedures. Test autonomous systems against adversarial evasion scenarios relevant to the operating environment.
AI-managed infrastructure with single points of failure in AI vendor dependencies — What infrastructure planners can do: Map all AI vendor dependencies across infrastructure operations. Assess the operational impact of each AI system becoming unavailable. Maintain non-AI fallback procedures for critical functions.
Supply chain AI components with unverified model provenance or training data integrity — What procurement teams can do: Implement AI supply chain security requirements for all AI components in infrastructure systems. Require model provenance documentation and training data attestation. Test for data poisoning indicators.

Protective Measures

Detection & defense

Detect adversarial inputs — Adversarial input detection protects AI systems in infrastructure from manipulated sensor data and environmental inputs. The guide to detecting adversarial inputs covers industrial applications.
Detect data poisoning — Data poisoning detection identifies training data contamination in AI models used for infrastructure management. The guide to detecting data poisoning covers detection methodologies.

Supply chain security

Secure AI supply chains — AI supply chain security practices protect against compromised models and training data in infrastructure AI. See the guide to securing AI supply chains.

Monitoring & testing

Monitor AI risk — AI risk monitoring systems provide continuous oversight of AI systems managing critical processes. AI audit and logging systems maintain records required for incident investigation and regulatory compliance.
Red team infrastructure AI — Red teaming for AI systems probes infrastructure AI for adversarial vulnerabilities before threat actors exploit them. The AI red teaming guide provides methodologies for critical infrastructure contexts.

Questions infrastructure operators should ask

“Which operational processes depend on AI systems, and what is the failover procedure if those AI systems become unavailable or compromised?”
“Have we tested our AI-integrated ICS/SCADA systems against adversarial manipulation scenarios?”
“What is the provenance of AI models and training data used in our infrastructure operations?”
“How do we detect and respond to AI-augmented cyberattacks that are designed to evade our current detection capabilities?”

Regulatory Context

EU AI Act (entered into force August 2024, high-risk provisions apply from August 2026) — Classifies AI systems used as safety components in the management and operation of critical digital infrastructure, road traffic, and supply of water, gas, heating, and electricity as high-risk
NIST AI RMF (version 1.0, January 2023) — Provides risk management guidance applicable to AI in critical infrastructure, complementing NIST cybersecurity frameworks
ISO/IEC 42001 (published December 2023) — Offers an AI management system framework for critical infrastructure operators

Critical infrastructure AI governance operates within a dense regulatory environment including NIS2 (EU network and information security), NERC CIP (North American energy), TSA cybersecurity directives (US transportation), and sector-specific safety standards (IEC 61508/61511 for functional safety). Operators should anticipate growing requirements for AI system certification, supply chain attestation, and cross-sector incident reporting.

Documented Incidents

Based on incident analysis, critical infrastructure is most frequently affected by threats in the Security & Cyber domain (AI-augmented attacks on industrial systems) and Agentic Systems domain (autonomous vehicle and industrial automation failures).

14 documented incidents in this sector — showing top 10 by severity

ID	Title	Severity
INC-26-0003	Tesla Autopilot involved in 13 fatal crashes, US regulator finds	critical
INC-26-0041	xAI Colossus Data Center Operates 27 Unpermitted Gas Turbines in Memphis While Consuming 1.3 Million Gallons of Water Daily	critical
INC-26-0044	Waymo Robotaxi Strikes Child Near Elementary School in Santa Monica — NHTSA Investigation Opened	critical
INC-25-0001	AI-Orchestrated Cyber Espionage Campaign Against Critical Infrastructure	critical
INC-25-0013	Waymo Autonomous Vehicles Violate School Bus Stop Laws in Austin	critical
INC-24-0021	Cruise Robotaxi Criminal False Reporting After Pedestrian Dragging	critical
INC-18-0003	Boeing 737 MAX MCAS Automation Failures — Two Fatal Crashes	critical
INC-18-0001	Uber Autonomous Vehicle Pedestrian Fatality	critical
INC-23-0002	Samsung Semiconductor Trade Secret Leak via ChatGPT	high
INC-19-0001	AI Voice Clone CEO Fraud Against UK Energy Company	high

View all 14 incidents →

For classification rules and evidence standards, refer to the Methodology.

→ Explore AI Threat Domains

→ View documented Incidents

Last updated: 2026-04-07 · Back to Sectors