Dragos Discloses First LLM-Assisted Attack on Critical Water Infrastructure (OT) in Mexico

Cybersecurity firm Dragos documented the use of commercial AI models (Anthropic Claude and OpenAI GPT) in a coordinated campaign against a municipal water and drainage utility in Monterrey, Mexico between December 2025 and February 2026. Attackers with no prior OT experience used Claude as the primary technical executor for intrusion planning, malicious tool development, and SCADA vendor documentation analysis. GPT models provided analytical functions and Spanish-language output generation. Dragos analyzed 350 attack artifacts, the vast majority AI-generated scripts. Although the attackers failed to breach OT infrastructure, the campaign demonstrated how commercial AI has lowered the barrier to entry for attacks on critical infrastructure.

LLM-assisted OT reconnaissance and exploitation: (1) Attackers deploy Claude to task-plan intrusion strategy and analyze SCADA/water utility documentation, (2) Claude generates brute-force credential lists and malicious tool code, (3) GPT models translate and refine outputs, (4) Attackers use AI-generated payloads to pivot from IT access toward OT systems, (5) Real-time AI refinement allows actors to adapt techniques without domain expertise.

Water utilities, wastewater treatment facilities, and other critical infrastructure relying on SCADA and operational technology. The Monterrey attack demonstrates that AI has eliminated the expertise barrier that previously protected industrial control systems from less-skilled threat actors. OT operators in Latin America and other regions with governance gaps are at heightened risk.

Immediate: (1) Implement secure remote access policies (VPN + MFA + short-lived credentials) to OT networks, (2) Enforce strong authentication (FIDO2, hardware tokens) for OT system access, (3) Isolate OT networks from corporate IT via air-gap or robust network segmentation, (4) Deploy intrusion detection systems (IDS) tuned for anomalous SCADA behavior. Medium-term: (1) Conduct threat models assuming attackers have access to frontier AI for reconnaissance and exploitation planning, (2) Assume attackers can generate SCADA exploitation scripts in minutes, not days, and design defenses accordingly, (3) Coordinate with water utilities and regional governments on incident response and threat intelligence sharing.