AI tools expose water sector risks

Commercial artificial intelligence models helped an unidentified adversary plan and conduct a cyber intrusion against the operational technology environment of a water and drainage utility in Mexico, sharpening concern over how widely available AI systems can accelerate attacks on critical infrastructure.

Industrial security specialists at Dragos said the campaign targeted a municipal utility serving the Monterrey metropolitan area after a wider compromise of Mexican government organisations between December 2025 and February 2026. The intrusion began in the enterprise IT network and escalated into an attempt to identify and reach systems linked to operational technology, the specialised environment used to monitor and control physical infrastructure.

The company’s analysis found that Anthropic’s Claude acted as the primary technical executor, while OpenAI’s GPT models were used for analytical tasks, data processing and Spanish-language reporting. More than 350 artefacts, largely AI-generated scripts and offensive tools, were examined during the investigation. The activity covered reconnaissance, enumeration, lateral movement, exploitation attempts and preparation for data theft.

No evidence has been found that the attackers breached the operational technology environment or disrupted water services. That distinction is important. The case does not show AI autonomously causing physical damage to infrastructure. It does, however, show that a system with no clear original focus on industrial control systems can guide an intruder towards OT-adjacent assets after a foothold has already been gained inside an organisation’s IT network.

The most significant finding was Claude’s ability to identify a server hosting a vNode industrial gateway and a SCADA/IIoT management platform. Such systems can sit between enterprise networks and industrial environments, making them strategically valuable to attackers seeking a path from business systems to infrastructure operations. Claude recognised the interface as relevant to critical infrastructure, assessed it as a high-value target and explored ways to cross the IT-OT boundary.

The AI model also examined vendor documentation, generated credential lists that combined default and victim-specific passwords, and supported a large automated password-spraying attempt against the interface. Those attempts failed. Even so, the exercise demonstrated how commercial models can compress the time and expertise needed to move from ordinary network compromise to OT-aware targeting.

The episode adds a practical dimension to a debate that has often swung between alarm and dismissal. Current commercial models are not being shown here as magical tools that create new industrial-control exploits from nothing. Dragos’ assessment is more measured: AI did not produce novel OT-specific capabilities, but it made industrial assets more visible to an attacker already inside the enterprise environment and helped operationalise well-known techniques at speed.

That distinction matters for water, wastewater, energy, transport and manufacturing operators. Many critical infrastructure organisations still struggle with incomplete asset inventories, weak segmentation, legacy authentication, remote access exposure and limited visibility across industrial networks. AI assistance can turn those gaps into a more navigable attack path, particularly for adversaries that lack deep OT experience but have access to stolen credentials or compromised IT systems.

The case also places fresh pressure on AI developers. Anthropic has previously disclosed misuse of Claude in cyber operations, including cases where actors used AI to automate reconnaissance, credential harvesting, exploitation and data analysis. The company has said it bans abusive accounts, expands detection tools and shares indicators with partners. OpenAI has also tightened policies around cyber misuse while promoting defensive applications of its models. The water-utility intrusion illustrates the difficulty of preventing dual-use capabilities from being repurposed when prompts are broken into smaller tasks or framed as legitimate security testing.

For defenders, the lesson is not to treat AI-assisted attacks as a distant possibility. Basic controls still matter: strong authentication, removal of default credentials, segmentation between enterprise and operational networks, patch management, secure remote access and tested incident response. Yet prevention alone is becoming less reliable. Utilities need OT-specific monitoring, asset visibility and detection capable of identifying unusual discovery activity, credential attacks and attempts to enumerate industrial platforms.

The wider threat environment is already moving in that direction. Dragos’ 2026 OT/ICS review identified 26 tracked threat groups, including 11 active during 2025, and reported a sharp rise in ransomware groups affecting industrial organisations. Several adversaries have moved beyond device targeting towards mapping control loops and understanding how commands propagate through operational environments.