RunSafe, which is dedicated to delivering comprehensive cybersecurity solutions to safeguard commercial and defense sectors, just released a survey of 200+ embedded-systems professionals in the US, UK and Germany. The survey finds that AI has moved from experiment to production in critical infrastructure, but security practices lag behind. AI-generated code is pervasive across medical devices, industrial control, automotive and energy systems. Respondents acknowledge AI’s benefits for speed and quality, yet express significant security and operational concerns, and plan major security investments over the next two years.
Key AI adoption findings
80.5% currently use AI tools in embedded development; only 2% report no AI usage. Industrial teams overwhelmingly plan to increase embedded security spending. 93.5% expect security investment to rise in the next 24 months. Automation vendors and integrators need to prepare for rapidly evolving buyer expectations around firmware security and runtime resilience.
Why this matters for industrial automation
The industrial automation sector’s defining constraints—real-time reliability, safety-critical operations and complex integration—shape how AI should be governed and how defenses must be applied. Several findings and recommendations have direct implications for industrial automation teams:
- Standards and regulation: 28.5% of respondents reference ISA/IEC 62443, indicating reliance on industrial automation guidance and certified products. However, 44% rely on internal standards, signaling uneven external standard adoption and the need to adapt existing frameworks to explicitly address AI-generated code.
- Operational priorities: Respondents list real-time system reliability (61%) and compliance/data protection (55%) as top connectivity concerns—priorities that in industrial automation often outweigh security measures that introduce latency or instability.
- Attack surface and integration: 40.5% cite integration complexity and 29% an expanded attack surface; both are acute in OT environments where heterogeneous devices and legacy systems are common.
Recommended security playbook
RunSafe’s report proposes four principles:
- Assume AI-generated code is everywhere: Require traceability, differentiated reviews for AI-assisted code, vendor assessments, training, and AI-usage metrics.
- Design for runtime resilience: Complement SAST/DAST with runtime protections (ASLR, CFI, memory tagging), safety invariants, and low-noise telemetry.
- Use AI and automation for defense: Apply AI to code review, threat modeling and anomaly detection while validating AI tools’ blind spots and building human-AI workflows.
- Align security with reliability, safety and compliance: Frame security investments in terms of uptime, safety metrics, easier regulatory compliance and measurable KPIs (e.g., devices protected by runtime controls, MTTR).
Conclusion
AI is accelerating embedded software development, and organizations must evolve security practices accordingly. The path forward emphasizes runtime resilience, automation, AI-assisted defense and alignment of security with operational and regulatory objectives to maintain safety and trust in critical infrastructure. Read the full report for more data and recommendations.
