Securing the Grid While Adopting AI

As AI integration accelerates across SCADA, DMS, and OMS platforms, the absence of security-first architecture guidelines puts our most critical infrastructure at risk.
Feb. 27, 2026

The electric utility industry is embracing artificial intelligence at an unprecedented pace. With 94% of utility executives expecting AI to drive significant revenue growth within three years and the global ADMS market projected to nearly double to over $7 billion by 2030, AI-powered applications for FLISR, predictive maintenance, and outage management are moving from pilot programs to production.

Yet amid this enthusiasm, a critical gap has emerged: the industry lacks a unified set of security architecture principles for deploying AI within operational technology environments. Fewer than 50 of the more than 3,000 U.S. utilities have full ADMS implementations, and many are still in exploratory stages of AI adoption. Without security-first architecture guidelines, utilities risk deploying AI systems that introduce new attack surfaces into the most critical infrastructure our nation operates.

This is not theoretical. The convergence of AI and OT creates threat vectors absent from traditional SCADA deployments: data poisoning that produces dangerous recommendations, model inversion that reconstructs sensitive grid topology, adversarial inputs that fool anomaly detection, and supply chain compromise through ML frameworks. FERC's approval of CIP-015-1 for Internal Network Security Monitoring in June 2025 signals regulators recognize these emerging risks.

After extensive work designing AI inference architectures for utility environments under compliance constraints, I have identified five foundational principles that every utility, ADMS vendor, and system integrator should adopt.

1. Air-Gap Integrity and One-Way Data Flow
AI systems must never have a direct communication path back into OT control networks. Data flows from SCADA, historians, and DMS to AI analytics through hardware-enforced unidirectional security gateways. AI recommendations flow to operators through decision-support interfaces, never directly to RTUs, PLCs, or relay controllers. This principle is non-negotiable. One leading pipeline operator demonstrated this pattern with a private, encrypted, one-way data pipeline where SCADA data flows outward to analytics but nothing returns. Every ADMS vendor embedding AI capabilities must architect their modules in the analytics zone, never on the SCADA runtime.

2. Stateless, Ephemeral AI Processing
AI inference containers should be instantiated per request and destroyed after processing. No BES Cyber System Information should persist between inference requests. GPU memory must be cleared between sessions. For multi-tenant ADMS vendors serving hundreds of utilities, hardware-level memory isolation is essential to prevent cross-utility data commingling. This stateless architecture directly supports CIP-011 information protection by minimizing the attack surface and data exposure.

3. Human-in-the-Loop with Graduated Autonomy
AI must augment operator decision-making, not replace it. I recommend a graduated autonomy framework: Level 0 is fully manual operation; Level 1 allows AI advisory with human execution for use cases like anomaly detection and alarm rationalization; Level 2 permits AI-prepared actions that require human approval for DMS switching plans and OMS crew dispatch; Level 3 enables AI-executed actions with human override capability, limited to pre-approved FLISR scenarios. Level 4 — full autonomy — should not be permitted for any system connected to the Bulk Electric System. Every AI recommendation must generate a complete audit trail capturing the proposed action, operator decision, and execution confirmation.
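A sketch of how the graduated autonomy levels and the audit trail could be enforced in software. This is an added example, not code from the author or any ADMS product; the use-case keys, the scenario id, and the function names are assumptions.

```python
from enum import IntEnum

class Autonomy(IntEnum):
    MANUAL, ADVISORY, APPROVAL, OVERRIDE, FULL = range(5)

# Highest level each use case may run at. Keys and scenario id are assumed names.
CEILING = {
    "anomaly_detection": Autonomy.ADVISORY,
    "alarm_rationalization": Autonomy.ADVISORY,
    "dms_switching_plan": Autonomy.APPROVAL,
    "oms_crew_dispatch": Autonomy.APPROVAL,
    "flisr": Autonomy.OVERRIDE,
}
PREAPPROVED_FLISR = {"feeder-12-single-fault"}  # constructed scenario id
AUDIT_LOG = []  # in-memory for this sketch; production needs tamper-evident storage

def gate(use_case, level, action, operator=None, approved=None, scenario=None):
    """Decide what may happen to an AI-proposed action and record the decision."""
    level = Autonomy(level)
    ceiling = CEILING.get(use_case, Autonomy.MANUAL)  # unknown use case: fail closed
    if level == Autonomy.FULL:
        outcome = "denied:level4_not_permitted"
    elif level > ceiling:
        outcome = "denied:exceeds_use_case_ceiling"
    elif level == Autonomy.OVERRIDE and scenario not in PREAPPROVED_FLISR:
        outcome = "denied:scenario_not_preapproved"
    elif level == Autonomy.OVERRIDE:
        outcome = "ai_executes:operator_may_override"
    elif level == Autonomy.APPROVAL and (operator is None or approved is None):
        outcome = "pending:awaiting_operator_approval"
    elif level == Autonomy.APPROVAL:
        outcome = "operator_approved" if approved else "operator_rejected"
    else:  # MANUAL or ADVISORY: the AI never executes anything itself
        outcome = f"{level.name.lower()}:operator_executes"
    record = {
        "use_case": use_case, "level": int(level), "proposed_action": action,
        "operator": operator, "operator_decision": approved,
        "outcome": outcome, "execution_confirmed": None,
    }
    AUDIT_LOG.append(record)  # denied and pending proposals are logged too
    return record

def confirm_execution(record, confirmed):
    """Close the audit record; denied, pending, or rejected actions cannot execute."""
    if record["outcome"].split(":")[0] in ("denied", "pending", "operator_rejected"):
        raise PermissionError("no execution permitted: " + record["outcome"])
    record["execution_confirmed"] = bool(confirmed)
    return record
```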

4. AI Model Supply Chain Security
CIP-013-2 supply chain risk management must extend to all AI components. This means generating Software Bills of Materials for ML frameworks, pinning dependency versions with hash verification, and validating the provenance of every pre-trained model. Cloud AI service providers must undergo vendor risk assessments covering data handling, model isolation, and contractual right to audit. In air-gapped production environments, offline package repositories with cryptographic verification are essential. No model trained on unknown data sources should ever process BES data.
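One way to apply hash pinning and the provenance rule before a model is loaded in an offline environment. This is an added example, not the author's code; the manifest layout, field names, and file names are assumptions, and the manifest itself is assumed to have been authenticated already (for example, by a signature checked out of band).

```python
import hashlib
import hmac

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def admit_model(manifest, artifacts):
    """Return a list of violations; an empty list means the model may be loaded.

    manifest  -- dict with 'training_data_source' and 'files' {name: sha256 hex}
    artifacts -- dict {name: bytes} of what is actually present in the repository
    """
    violations = []
    # Models with no declared training data source are refused outright.
    if not manifest.get("training_data_source"):
        violations.append("provenance: training data source not declared")
    pinned = manifest.get("files", {})
    for name, expected in pinned.items():
        if name not in artifacts:
            violations.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_hex(artifacts[name]), expected.lower()):
            violations.append(f"hash mismatch: {name}")
    # Fail closed on anything that was not pinned, such as an extra plugin file.
    for name in artifacts:
        if name not in pinned:
            violations.append(f"unlisted: {name}")
    return violations

# Constructed sample data standing in for real model files.
WEIGHTS = b"constructed model weights"
CONFIG = b'{"inputs": 12}'
MANIFEST = {
    "training_data_source": "utility-historian-export-2024 (constructed)",
    "files": {"model.onnx": sha256_hex(WEIGHTS), "config.json": sha256_hex(CONFIG)},
}
ARTIFACTS = {"model.onnx": WEIGHTS, "config.json": CONFIG}
```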

5. Explainability Over Black Boxes
For safety-critical grid operations, interpretable AI models should be preferred over opaque deep learning approaches. When operators cannot understand why an AI system recommended a switching sequence or flagged an anomaly, trust erodes and the human-in-the-loop principle collapses. Every AI output in SCADA anomaly detection, DMS fault location, and OMS restoration prioritization should include confidence scores and explanations. Regulators and state PUC commissioners are increasingly scrutinizing AI-driven decisions in rate cases. If a model's logic cannot be explained to an auditor, it should not be making recommendations that affect grid reliability.

The Path Forward

The utility industry stands at an inflection point. Data center load growth is driving unprecedented demand, with some utilities managing 20 GW or more in new interconnection requests. AI is essential to managing this complexity, but our track record of conservative, safety-first operations must extend to how we deploy it. NERC CIP compliance provides the regulatory floor, not the ceiling. The principles outlined here go beyond checkbox compliance to establish genuine security architecture that protects grid reliability while enabling the transformative potential of AI. Utilities that adopt these principles early will not only reduce risk but also accelerate AI deployment by building the trust frameworks that regulators, operators, and customers require.

The question is no longer whether utilities will adopt AI. It is whether they will do so with the architectural rigor that our critical infrastructure demands.

About the Author

Murali Bisa

Murali Bisa is a TOGAF Certified Enterprise Architect and AI Solution Architect specializing in the deployment of AI inference systems in utility environments. He holds a Post Graduate Diploma in Artificial Intelligence and Machine Learning from Columbia University’s School of Engineering, New York. Murali has designed stateless AI architectures for GIS data conversion, SCADA integration, and distribution grid management platforms across air-gapped DEV, QA, and production environments for major utility companies. His expertise spans enterprise integration platforms, ADMS/OMS systems, and the intersection of AI security with critical infrastructure protection. He is the author of a comprehensive reference architecture for AI in utility OT environments covering SCADA, DMS, OMS, customer outage portals, and digital grid management systems.
