Lifecycle-Integrated Security for AI-Cloud Convergence in Cyber-Physical Infrastructure

TL;DR

This paper introduces a comprehensive lifecycle-based security framework for AI-Cloud convergence in cyber-physical systems, integrating multiple standards and demonstrating its effectiveness through a detailed case study.

Contribution

It synthesizes existing security and governance frameworks into a unified architecture and validates it with a practical case study on grid security.

Findings

Unified architecture covers data, model supply chain, and runtime governance.

Effective multi-layer defenses prevent complex cyber-physical attacks.

Framework aligns with multiple standards and regulatory requirements.

Abstract

The convergence of Artificial Intelligence (AI) inference pipelines with cloud infrastructure creates a dual attack surface where cloud security standards and AI governance frameworks intersect without unified enforcement mechanisms. AI governance, cloud security, and industrial control system standards intersect without unified enforcement, leaving hybrid deployments exposed to cross-layer attacks that threaten safety-critical operations. This paper makes three primary contributions: (i) we synthesize these frameworks into a lifecycle-staged threat taxonomy structured around explicit attacker capability tiers, (ii) we propose a Unified Reference Architecture spanning a Secure Data Factory, a hardened model supply chain, and a runtime governance layer, (iii) we present a case study through Grid-Guard, a hybrid Transmission System Operator scenario in which coordinated defenses drawn from NIST AI RMF, MITRE ATLAS, OWASP AI Exchange and GenAI, CSA MAESTRO, and NERC CIP defeat a multi-tier physical-financial manipulation campaign without human intervention. Controls are mapped against all five frameworks and current NERC CIP standards to demonstrate that a single cloud-native architecture can simultaneously satisfy AI governance, adversarial robustness, agentic safety, and industrial regulatory compliance obligations.