Why governments must assume breaches will happen and build accordingly

Critical infrastructure is becoming an increasingly attractive target for cybercriminals, particularly as AI lowers the barrier to launching sophisticated attacks at scale. Against this backdrop, the UAE’s success in blocking AI-powered threats against vital sectors is both reassuring and instructive: a sign of strong national capability, but also of the intensity of the challenge.
The scale is already significant. According to Dr Mohamed Al Kuwaiti, Head of Cyber Security for the UAE Government, the UAE is now recording around 530,000 cyber incidents a day, up from roughly 270,000 prior to the latest escalation. At this volume and complexity, it is clear that the old model of cyber defence is no longer enough. AI-driven threats are moving too fast to be stopped by prevention alone. The real question is no longer whether systems will be breached but how prepared we are when they are.
In a highly digitised economy, where government services, financial systems, energy networks, and healthcare infrastructure are increasingly interconnected, a successful cyberattack on critical infrastructure is not a technology incident. It is a public safety event. It can erode confidence, disrupt essential services, and threaten national stability.
As a national security commitment, security investment in Critical National Infrastructure (CNI) cannot be treated as an IT budget line. That means governments and operators across the region need to ask a harder question: not just “can we stop these attacks,” but “have we designed our infrastructure to limit the damage when they succeed?”
Much of the critical infrastructure operating across the wider Gulf today is still protected by security models originally designed for a different threat landscape, from Operational Technology (OT) systems and industrial controllers to the human-machine interfaces and field sensors that underpin energy, water, and transport infrastructure.
AI changes the landscape entirely. Adversaries are using it to conduct reconnaissance at machine speed, develop custom evasion techniques on the fly, and test defences continuously until they find a weakness. The old model of building a stronger perimeter and waiting cannot keep pace with attackers who learn and adapt faster than defenders can respond.
The principle of assume breach is not defeatism. It is the foundation of a realistic security strategy.
It means accepting that no perimeter is permanent and designing infrastructure accordingly: not to prevent every compromise, but to ensure that when one occurs, the damage is contained, essential services continue, and recovery is fast. The objective shifts from keeping attackers out to breach containment. This means ensuring attackers cannot move laterally, cannot reach critical systems, and cannot turn a single compromised device into a national-scale disruption.
Breach containment starts with visibility. Operators cannot protect what they cannot see. Across much of today’s OT infrastructure, there is no accurate, real-time inventory of every controller, gateway, sensor, and edge device. Without knowing what is connected and how data flows between systems, the attack surface is functionally unknown.
With visibility established, segmentation becomes the primary containment tool. Instead of assuming everything inside the network can communicate freely, segmentation enforces least-privilege access between systems, allowing only the connections that are explicitly required for operations to function.
In a breach scenario, this is critical. Even if an attacker gains an initial foothold, segmentation prevents them from moving laterally across environments, reaching sensitive systems, or escalating a local compromise into a systemic failure. This is how Zero Trust delivers containment: not by trusting fewer users in theory, but by technically restricting how far any compromise can spread in reality.
There is a legitimate operational concern in CNI environments: that aggressive security changes risk disrupting the very services they are meant to protect. In sectors where uptime is a matter of public safety, this concern deserves a direct answer.
Phased modernisation provides the answer. Modern segmentation approaches do not require removing legacy systems or retrofitting devices that cannot support additional agents. Overlay architectures can enforce Zero Trust policy around existing infrastructure, without interrupting operations. Containment boundaries can be built incrementally, starting with the highest-value assets and expanding from there, reducing risk at each step without operational disruption.
This approach also reframes how leadership measures security effectiveness. Rather than tracking only what was blocked, organisations can measure what was contained: blast radius size, mean time to containment, critical system availability during an incident. These are the metrics that reflect actual resilience, and they are the metrics that boards and government stakeholders are beginning to demand.
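To make the segmentation and blast-radius points above concrete, here is an added toy model (not code from the article or from Illumio): a constructed OT asset inventory, a flat "everything can talk" policy beside an explicit least-privilege allowlist, and a function that computes how far a single compromised device could reach under each. Asset names and allowed flows are hypothetical.

```python
# Added example (not from the article or Illumio): a toy model of least-privilege
# segmentation over a constructed OT inventory, reporting blast radius as a metric.
from collections import deque

# Constructed asset inventory (name -> zone); this is the visibility step.
INVENTORY = {
    "hmi-01": "control", "eng-ws-01": "control", "historian": "control",
    "plc-pump-1": "field", "plc-pump-2": "field", "rtu-valve-3": "field",
    "jump-host": "dmz", "corp-laptop": "corporate",
}

# Explicit allowlist of directional (src, dst) flows required for operations;
# anything not listed is denied. Hypothetical flows chosen for illustration.
ALLOWED_FLOWS = {
    ("corp-laptop", "jump-host"), ("jump-host", "eng-ws-01"),
    ("eng-ws-01", "plc-pump-1"), ("eng-ws-01", "plc-pump-2"),
    ("eng-ws-01", "rtu-valve-3"), ("hmi-01", "plc-pump-1"),
    ("hmi-01", "plc-pump-2"), ("hmi-01", "rtu-valve-3"),
    ("plc-pump-1", "historian"), ("plc-pump-2", "historian"),
    ("rtu-valve-3", "historian"),
}

def flat_policy(src, dst):
    """Flat network: every asset may talk to every other asset."""
    return True

def segmented_policy(src, dst):
    """Least privilege: only explicitly allowlisted flows are permitted."""
    return (src, dst) in ALLOWED_FLOWS

def blast_radius(compromised, policy, inventory=INVENTORY):
    """Assets reachable from `compromised` by following permitted flows
    transitively (breadth-first search), excluding the starting asset."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for asset in inventory:
            if asset not in seen and policy(cur, asset):
                seen.add(asset)
                queue.append(asset)
    seen.discard(compromised)
    return seen

def containment_ratio(compromised, policy, inventory=INVENTORY):
    """Fraction of the other assets that stay unreachable after a compromise."""
    others = len(inventory) - 1
    return 1 - len(blast_radius(compromised, policy, inventory)) / others

if __name__ == "__main__":
    for start in ("rtu-valve-3", "corp-laptop"):
        print(start, sorted(blast_radius(start, segmented_policy)))
```

Running it shows a compromised field device reaching only the historian under the allowlist, while the corporate laptop still reaches the engineering path, which is the kind of finding that tells operators which boundary to harden next.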
The UAE’s success should be treated as a reference point for the entire region. Across the GCC, governments are digitising rapidly and ambitiously, in energy, healthcare, smart city infrastructure, logistics, and financial services. Vision 2030 and the UAE’s own national strategies are accelerating that trajectory. Each new digital connection creates capability. Each one also creates exposure.
The right response is to accept that breaches are inevitable and build for this reality. Design environments that limit breach impact. Segment critical systems so that a single compromise stays small. Preserve operations under pressure. Recover fast.
Sam Tayan is Regional Vice-President, META at Illumio