AI Is Reshaping Cyber Risk for GCC Energy Operators, Says TXOne CEO
TXOne Networks CEO Terence Liu says AI is compressing the time GCC energy operators have to patch vulnerabilities, pushing operational resilience from an engineering concern to a board-level priority across the region's critical infrastructure.

Illustration of an industrial control room representing AI-driven cyber risk facing GCC energy and critical infrastructure operators.
Artificial intelligence is reshaping how Gulf energy operators must think about cyber risk, according to Terence Liu, chief executive of industrial cybersecurity firm TXOne Networks. As GCC governments accelerate investment in energy diversification and industrial digitisation, Liu argues that the region's cybersecurity posture needs to shift from perimeter defence toward genuine operational resilience.
The core problem, Liu says, is speed. Generative AI and autonomous reasoning tools are significantly cutting the time required to discover vulnerabilities and adapt exploits, adding pressure to organisations that already struggle to patch legacy operational technology. Unlike conventional IT systems, many industrial control systems remain in service for decades and cannot be upgraded without risking operational disruption. Security teams frequently identify weaknesses faster than operational teams can safely remediate them, and Liu expects that gap to widen as AI accelerates the discovery side further. This dynamic echoes what has already been documented in analysis of AI-powered cyberattacks and financial system risk, where the same compression of the patch-to-exploit timeline was flagged as a systemic concern rather than an isolated technical issue.
Liu's response to this pressure is not to chase every vulnerability, but to adopt a risk-based approach that reduces operational exposure faster than attackers can exploit it. He also pushes back on the idea that visibility alone equals protection. Knowing where assets and vulnerabilities exist is only useful if paired with the operational control to act on that information without disrupting production, a distinction that matters across the Gulf, where modern digital platforms increasingly sit alongside ageing industrial infrastructure still essential to daily operations.
This shift is changing how cyber risk gets discussed inside organisations. Historically treated as an engineering or IT responsibility, operational resilience is becoming a board-level issue as incidents threaten production, supply chains, regulatory compliance and reputation. Regulatory requirements, national strategic priorities and greater executive accountability are already pushing GCC organisations in this direction, consistent with the compliance trajectory already visible in frameworks such as the UAE's National Electronic Security Authority standard, which similarly demands demonstrable operational controls rather than box-ticking.
Looking ahead, Liu expects AI to play a larger defensive role, helping operators understand complex operational dependencies and prioritise protection rather than simply flagging threats. He also points to growing interest in sovereign AI and regionally tailored small language models built for local industrial environments, framing the coming phase not as AI versus humans, but as trusted operational AI, guided by human expertise, defending against malicious AI.
Layla Haddad
Cyber Policy & Digital Risk CorrespondentLayla Haddad covers cybersecurity regulations, data protection laws, and digital transformation initiatives across GCC and North Africa. She has worked closely with compliance teams, fintech startups, and government advisory groups. Her articles explore how cyber policy, AI governance, and privacy frameworks shape the region’s digital future.