This is not a thought experiment. The combination of readily available agentic AI tooling, documented prompt-injection and model-exploitation vulnerabilities, and proven industrial control malware creates a plausible pathway for adversaries to mount scalable, partially autonomous campaigns against electric utilities. Federal agencies and industry have warned that AI will be used to plan, scale, and accelerate attacks on critical infrastructure.
Scenario overview: a mid-tier adversary wants a local blackout with maximum disruption and minimal footprint. They build a phased campaign that mixes traditional tradecraft with autonomous AI agents. The campaign runs like a factory: reconnaissance, access, lateral movement, OT interaction, and disruption. At each phase an agent reduces human labor and increases speed while adjusting tactics in near real time. Academic and practitioner research has already shown autonomous agents can discover, chain, and execute offensive steps with limited human supervision.
Phase 1 — automated reconnaissance and targeting. Agents crawl public filings, procurement sites, LinkedIn, vendor forums, and exposed remote management endpoints to build asset maps and identify likely suppliers and third-party maintenance accounts. They generate spearphishing content personalized to industrial staff and produce bespoke social-engineering assets at scale. Prompt-injection and tool-chain vulnerabilities in agent stacks mean an attacker can both weaponize agents and corrupt other agents or services relied on by defenders. Real CVEs from 2024 demonstrate how model and prompt handling errors become remote code execution vectors when tool integration is sloppy.
Phase 2 — initial access and persistence. The agent orchestrates credential harvesting and chained exploits against soft targets: contractor VPNs, cloud-hosted support portals, and developer CI pipelines that interact with OT maintenance tools. Using LLMs to write and refine exploit code, the agent spawns subagents that probe for forgotten or misconfigured management interfaces that bridge IT and OT. This is not pure fiction. ICS-targeting malware has been used against power utilities in the past to achieve physical disruption; the techniques pioneered in those incidents are reusable if an attacker can reach the right equipment.
Phase 3 — autonomous lateral movement and OT reconnaissance. Once inside a network, agents move laterally at machine speed, cataloging PLCs, RTUs, protective relays, and the communication protocols they speak. Agents translate vendor manuals and protocol specs into actionable commands, then test in low-risk ways to learn operator responses. Autonomous agents can run many small, adaptive probes simultaneously, a force multiplier compared with human teams. Research into offensive agents shows they can generate and chain novel actions, reducing the time between discovery and exploitation.
Phase 4 — targeted disruption. With sufficient access the agent coordinates a timed sequence: manipulate telemetry to blind operators, open breakers or issue unsafe commands through exploited protocols, and deploy destructive wipers to slow recovery. The attackers may deliberately trigger alarms and false leads to waste responder time. Historical ICS attacks demonstrate the operational logic and real-world impacts of such a sequence; an autonomous agent simply shortens the timeline and can orchestrate multi-site actions across time zones with minimal hands-on control.
Impact profile. Expect brief regional blackouts, targeted damage to substation equipment, and extended restoration complexity caused by corrupted logs and wiped forensic evidence. Damage scales with access level and the operator response model. Even where manual safety interlocks exist, coordinated attacks across multiple substations or supporting systems can create cascading risk. This matters because attackers no longer need large human teams to conduct complex, timed operations. AI agents lower the bar.
What defenders must do now. The tactical playbook to blunt agent-enabled campaigns is practical and familiar. Prioritize these actions immediately:
- Treat agent risk like a new threat vector. Include agent scenarios in tabletop and full-scale wargames and update incident response plans to address hijacked AI workflows and model-based manipulation. Use the CISA playbook and interagency AI guidance to share indicators and lessons rapidly.
- Enforce strict separation between IT and OT. Limit any direct internet access from OT assets. Where tool integration is required, adopt hardened proxies, strong allow-lists, and human-in-the-loop confirmation for any command that affects physical processes.
- Harden AI integrations. Apply secure development and deployment standards for any AI tools used by operations or security teams. Patch and monitor third-party agent frameworks and libraries. Real-world CVEs show that prompt-handling and tool-call patterns can produce RCE and data-exfiltration paths; treat those dependencies like any other critical software.
- Implement robust identity and privilege controls. Use short-lived credentials for maintenance accounts, multi-factor authentication for remote access, and strict least-privilege policies for vendor and contractor accounts. Monitor unusual delegation or multi-agent behavior that could indicate a compromised agent or a malicious subagent.
- Invest in detection tuned for adversarial agents. Traditional AV and signature tools are insufficient. Emphasize behavioral monitoring, OT-aware anomaly detection, and high-fidelity telemetry collection that cannot be trivially disabled or altered by attackers. Log immutability and out-of-band forensic capture matter.
- Run continuous agentic red teams. Use authorized autonomous agents to stress-test your controls, especially the interfaces between AI tooling and operational systems. Convert findings into automated guardrails that can detect prompt manipulation, tool misuse, and suspect goal changes.
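The IT/OT separation, identity and log-immutability items above all converge on one control point: the gateway through which an agent's tool calls reach OT equipment. The following is an added example written for this article, not code from the original or from any utility or vendor. It assumes a hypothetical tool allow-list (`relay_mgmt`, `historian`), a constructed operator-approval secret and token format, and substation identifiers invented for the demo. It shows an allow-list that denies unknown tools outright, a "hold" that forces human-in-the-loop approval for any physical-effect command, an HMAC-bound, short-lived approval that cannot be replayed against a different target, and a hash-chained audit log whose tampering is detectable.

```python
"""Added example, not from the original article: a policy gateway between an AI agent's
tool calls and an OT maintenance interface. Tool names, asset identifiers and the
approval-token format are assumptions for this example, not a real vendor API."""
import hashlib
import hmac
import json

# Allow-list: tool -> {action: kind}. Anything absent is denied outright.
# "read" actions only observe; "actuate" actions change physical state.
ALLOWED_TOOLS = {
    "relay_mgmt": {"read_status": "read", "open_breaker": "actuate", "close_breaker": "actuate"},
    "historian": {"query_tags": "read"},
}
APPROVAL_KEY = b"example-approval-key-not-for-production"  # constructed shared secret
APPROVAL_TTL_SECONDS = 300  # approvals are short-lived, like maintenance credentials
GENESIS = "0" * 64

def approval_tag(tool, action, target, expires_at):
    """HMAC over the exact command, so an approval cannot be replayed against another target."""
    msg = json.dumps([tool, action, target, expires_at], separators=(",", ":")).encode()
    return hmac.new(APPROVAL_KEY, msg, hashlib.sha256).hexdigest()

def issue_operator_approval(tool, action, target, now):
    """Simulates the operator console minting a single-command, time-limited approval."""
    expires_at = now + APPROVAL_TTL_SECONDS
    return {"expires_at": expires_at, "tag": approval_tag(tool, action, target, expires_at)}

def entry_hash(prev, record):
    """Hash-chain step: digest of the previous hash plus canonical JSON of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + payload).encode()).hexdigest()

class AuditLog:
    """Append-only log; an edited or deleted entry breaks the chain on verification
    against an out-of-band copy of the head hash."""
    def __init__(self):
        self.entries, self.head = [], GENESIS

    def append(self, record):
        h = entry_hash(self.head, record)
        self.entries.append({"prev": self.head, "record": record, "hash": h})
        self.head = h

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or entry_hash(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return prev == self.head

class OTToolGateway:
    def __init__(self, audit):
        self.audit = audit

    def handle(self, agent_id, tool, action, target, now, approval=None):
        """Returns "allow", "hold" (awaiting operator) or "deny"; every decision is logged."""
        decision, reason = self._decide(tool, action, target, now, approval)
        self.audit.append({"ts": now, "agent": agent_id, "tool": tool, "action": action,
                           "target": target, "decision": decision, "reason": reason})
        return decision

    def _decide(self, tool, action, target, now, approval):
        kind = ALLOWED_TOOLS.get(tool, {}).get(action)
        if kind is None:
            return "deny", "tool/action not on allow-list"
        if kind == "read":
            return "allow", "read-only"
        if approval is None:
            return "hold", "actuation requires operator approval"
        if approval["expires_at"] < now:
            return "deny", "approval expired"
        expected = approval_tag(tool, action, target, approval["expires_at"])
        if not hmac.compare_digest(expected, approval["tag"]):
            return "deny", "approval does not match this command"
        return "allow", "operator-approved actuation"

def demo():
    """Walks the gateway through the cases that matter; returns (decisions, chain_ok)."""
    audit, t0 = AuditLog(), 1_700_000_000
    gw = OTToolGateway(audit)
    ok = issue_operator_approval("relay_mgmt", "open_breaker", "SUB-A/feeder-3", t0)
    decisions = [
        gw.handle("agent-7", "historian", "query_tags", "SUB-A/feeder-3", t0),              # allow
        gw.handle("agent-7", "relay_mgmt", "open_breaker", "SUB-A/feeder-3", t0),           # hold
        gw.handle("agent-7", "firmware_tool", "flash", "SUB-A/relay-1", t0),                # deny
        gw.handle("agent-7", "relay_mgmt", "open_breaker", "SUB-A/feeder-3", t0 + 10, ok),  # allow
        gw.handle("agent-7", "relay_mgmt", "open_breaker", "SUB-A/feeder-4", t0 + 10, ok),  # deny: other target
        gw.handle("agent-7", "relay_mgmt", "open_breaker", "SUB-A/feeder-3", t0 + 600, ok), # deny: expired
    ]
    return decisions, audit.verify()

if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the approval is bound to the full command tuple and to an expiry, so a hijacked agent holding a valid approval for one breaker gains nothing against another, and a stale approval cannot be reused later in the campaign. In production the audit log's head hash would be shipped out of band (a write-once store or a separate collector) so that the chain can be verified even if the gateway host itself is wiped.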
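The identity and detection items above ask defenders to spot "unusual delegation or multi-agent behavior" and to favour behavioural monitoring over signatures. As an added example, not part of the original article, the following detector runs over a constructed agent-activity log and flags two of the patterns the scenario describes: one credential touching many OT devices at machine speed, and one agent fanning out to an unusual number of subagents. The log schema (`principal`, `agent`, `event`, `target`), the IP addresses and the thresholds are all assumptions made for this example.

```python
"""Added example, not from the original article: behavioural detection over agent
activity logs, flagging a credential that enumerates many OT devices at machine
speed and an agent that delegates to an unusual number of subagents. The log
format, field names and thresholds are assumptions for this example."""
import json
from collections import defaultdict, deque

ENUM_WINDOW_SECONDS = 60     # sliding window for counting distinct targets
ENUM_DISTINCT_TARGETS = 5    # a human maintainer rarely touches this many devices in a minute
MAX_SUBAGENTS_PER_AGENT = 3  # delegation fan-out above this is treated as suspect

# Constructed sample log (one JSON object per line), not real utility telemetry.
SAMPLE_LOG = """\
{"ts":100,"principal":"vendor-svc","agent":"a1","event":"tool_call","tool":"modbus_read","target":"10.0.5.11"}
{"ts":101,"principal":"vendor-svc","agent":"a1","event":"spawn","child":"a2"}
{"ts":102,"principal":"vendor-svc","agent":"a1","event":"spawn","child":"a3"}
{"ts":103,"principal":"vendor-svc","agent":"a1","event":"spawn","child":"a4"}
{"ts":104,"principal":"vendor-svc","agent":"a1","event":"spawn","child":"a5"}
{"ts":105,"principal":"vendor-svc","agent":"a2","event":"tool_call","tool":"modbus_read","target":"10.0.5.12"}
{"ts":106,"principal":"vendor-svc","agent":"a3","event":"tool_call","tool":"modbus_read","target":"10.0.5.13"}
{"ts":107,"principal":"vendor-svc","agent":"a4","event":"tool_call","tool":"modbus_read","target":"10.0.5.14"}
{"ts":108,"principal":"vendor-svc","agent":"a5","event":"tool_call","tool":"modbus_read","target":"10.0.5.15"}
{"ts":110,"principal":"ops-jane","agent":"console","event":"tool_call","tool":"modbus_read","target":"10.0.5.11"}
{"ts":400,"principal":"ops-jane","agent":"console","event":"tool_call","tool":"modbus_read","target":"10.0.5.20"}
"""

def detect(lines):
    """Single pass over log lines; returns a list of alert dicts, one per (type, subject)."""
    alerts, fired = [], set()
    recent = defaultdict(deque)   # principal -> (ts, target) pairs inside the window
    children = defaultdict(set)   # agent -> subagents it has spawned
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev["event"] == "tool_call":
            # Count distinct targets per credential, not per agent: subagents that
            # share one maintenance account still add up to one enumeration.
            q = recent[ev["principal"]]
            q.append((ev["ts"], ev["target"]))
            while q and ev["ts"] - q[0][0] > ENUM_WINDOW_SECONDS:
                q.popleft()
            distinct = sorted({t for _, t in q})
            key = ("enumeration", ev["principal"])
            if len(distinct) >= ENUM_DISTINCT_TARGETS and key not in fired:
                fired.add(key)
                alerts.append({"type": "enumeration", "principal": ev["principal"],
                               "targets": distinct, "ts": ev["ts"]})
        elif ev["event"] == "spawn":
            kids = children[ev["agent"]]
            kids.add(ev["child"])
            key = ("fanout", ev["agent"])
            if len(kids) > MAX_SUBAGENTS_PER_AGENT and key not in fired:
                fired.add(key)
                alerts.append({"type": "fanout", "agent": ev["agent"],
                               "children": sorted(kids), "ts": ev["ts"]})
    return alerts

def run_sample():
    """Runs the detector over the constructed log; expect a fan-out alert then an enumeration alert."""
    return detect(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Keying the enumeration counter on the principal rather than the agent is deliberate: the scenario's subagents each touch only one device, so per-agent thresholds would never fire, while the shared vendor credential exposes the campaign as a whole. The operator's two reads, spread over several minutes, stay below the threshold and produce no alert.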
Final point. Adversaries will combine old tradecraft and new tools. Autonomous agents do not replace nation-state determination or skilled operators. They amplify the reach, speed, and efficiency of those actors. If you are responsible for grid reliability, treat agentic AI as an accelerant you must design around today. Delay is a force-multiplier for your adversary and a liability for your community.