By James Neilson
The UK’s critical national infrastructure (CNI) has never been under more pressure. Not only are vital services such as health, energy and telecommunications in greater demand from the general population, but providers have also become a primary target for cybercriminals.
Over the past year, we have witnessed the significant impact of cyberattacks including the Synnovis breach affecting NHS services, and a report revealing that the Sellafield nuclear site was infiltrated by hackers linked to Russia and China.
With the NCSC warning that the “scale, pace, and complexity” of threats to critical national infrastructure are rising, James Neilson explores the security risks facing the UK’s critical infrastructure and how organisations can build resilience.
What cyber threats are targeting CNI?
Cybercriminals and nation-state actors are no longer just targeting IT networks and their data; they are employing a wide range of tactics to breach, disrupt, deny access to, and hold critical systems to ransom.
While common threats such as ransomware and phishing remain prevalent, attackers have evolved their tactics in recent years, increasingly using file-borne malware against CNI organisations alongside botnets, zero-day exploitation, and long-running campaigns by Advanced Persistent Threat (APT) groups.
For instance, the NCSC has issued warnings on multiple occasions this year about state-sponsored actors targeting the UK’s CNI. Russia’s Foreign Intelligence Service (SVR) was found exploiting zero-day vulnerabilities in internet-facing assets, while a Chinese group managed a botnet comprising over 260,000 compromised devices worldwide.
The perpetrators of CNI attacks will seek to maximise the scale and severity of their impact. While breaches in CNI organisations often begin on IT networks, attackers frequently pivot to operational technology (OT) assets, which enables them to trigger massive operational disruption.
Consider the chaos caused by cyberattacks on energy networks, medical and food supply chains, transportation systems, or hospitals. These attacks are especially appealing to nation-state actors seeking to undermine national security and stability, drawing the attention of both governments and citizens.
Why are CNI organisations struggling to deal with cyberattacks?
The threats facing CNI organisations are well-known to most security teams. The real issue lies in their level of preparedness to handle such attacks effectively.
For instance, our research revealed that only 25% of security leaders consider themselves “extremely prepared” for DDoS attacks. Alarmingly, readiness for other threats, such as APTs, botnets, API security vulnerabilities, and zero-day malware, was even lower, ranging between 12% and 15%.
This lack of preparedness stems from three main issues: budget shortages, inadequate staff training, and insufficient attention from the board. There is a clear disconnect between what security leaders believe they need and the level of support their organisations provide.
Consequently, many cybersecurity leaders are grappling with stagnant or reduced budgets in the face of an increasingly complex threat landscape. This financial strain forces security teams to prioritise addressing immediate risks rather than investing in long-term strategies. As a result, they are often unprepared when attackers shift their tactics and adopt new methods.
Additionally, the convergence of IT and OT systems has further complicated the situation. Security teams are now tasked with managing systems they have little experience with, stretching their already limited resources. It’s rare for a single individual to have deep expertise in both IT and OT, leading to a knowledge gap in understanding how IT threats impact OT systems and their broader consequences.
How can CNI organisations build resilience in their networks?
Given these constraints and the growing sophistication of cyber threats, adopting multi-layered strategies, such as defence-in-depth, is the only viable path forward. This approach builds multiple layers of interconnected security, which is crucial for enhancing resilience against a wide range of attacks.
The strategy is strongly recommended by the NCSC, which states that “each measure provides a layer of security, and when deployed collectively, greatly reduces the likelihood of a cyber incident.”
A multi-layered strategy should be tailored to each individual organisation to ensure that the most critical assets are secured — specifically, those that are essential to operational uptime. For example, at a nuclear power site, these assets would include the devices and Programmable Logic Controllers (PLCs) connected to the control rods of the nuclear reactor.
The first layer focuses on network security, using tools like firewalls, gateways, and data diodes to regulate traffic and block unauthorised access or data movement. Network segmentation further isolates threats, ensuring that even if one area is breached, the impact remains contained.
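Segmentation only delivers containment if the zone boundaries are actually enforced, so a practitioner will want to audit observed flows against the intended policy. The following is an added example, not code from the article or from any OPSWAT product: the zone plan (loosely following the Purdue model, with an OT DMZ between IT and OT), the permitted flows, and the tab-separated flow records are all constructed for illustration, and the addresses and ports are assumptions.

```python
"""Audit observed network flows against an IT / OT segmentation policy.

Added example (not from the original article or any OPSWAT product). The
zones, allowed flows and flow records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical zone plan: OT is reachable only from the OT DMZ, and the
# OT DMZ may push historian data up to IT but nothing else crosses.
ZONES = {
    "IT":     ipaddress.ip_network("10.10.0.0/16"),
    "OT_DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":     ipaddress.ip_network("10.30.0.0/16"),
}

# Allowed (src_zone, dst_zone, proto, dst_port). Anything cross-zone that is
# not listed is a violation; same-zone traffic is out of scope for this check.
ALLOWED = {
    ("IT", "OT_DMZ", "tcp", 443),    # engineers reach the jump host over HTTPS
    ("OT_DMZ", "OT", "tcp", 102),    # jump host speaks S7comm to PLCs
    ("OT_DMZ", "OT", "tcp", 502),    # and Modbus/TCP to RTUs
    ("OT_DMZ", "IT", "tcp", 5432),   # historian replication to the IT mirror
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is in no zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"


def parse_flow(line: str) -> Flow:
    """Parse a tab-separated record: src, dst, proto, dst_port (constructed format)."""
    src, dst, proto, port = line.rstrip("\n").split("\t")
    return Flow(src, dst, proto.lower(), int(port))


def evaluate(flow: Flow) -> tuple[str, str, str]:
    """Return (verdict, src_zone, dst_zone); verdict is allow, deny or intra-zone."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        return ("intra-zone", s, d)
    if "UNKNOWN" in (s, d):
        return ("deny", s, d)  # unmapped hosts never get a cross-zone path
    verdict = "allow" if (s, d, flow.proto, flow.dst_port) in ALLOWED else "deny"
    return (verdict, s, d)


def audit(lines) -> list[str]:
    """Return one report line per flow that violates the zone policy."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        verdict, s, d = evaluate(f)
        if verdict == "deny":
            findings.append(f"DENY {s}->{d} {f.src} -> {f.dst}:{f.dst_port}/{f.proto}")
    return findings


# Constructed sample records: src, dst, proto, dst_port (tab-separated).
SAMPLE_FLOWS = [
    "10.10.5.23\t10.20.0.10\ttcp\t443",   # engineer -> jump host: allowed
    "10.20.0.10\t10.30.1.7\ttcp\t102",    # jump host -> PLC: allowed
    "10.10.5.23\t10.30.1.7\ttcp\t102",    # IT workstation straight to a PLC: violation
    "10.30.1.7\t10.10.8.40\ttcp\t445",    # PLC reaching into IT over SMB: violation
    "10.20.0.10\t10.10.8.41\ttcp\t5432",  # historian replication: allowed
    "10.30.1.7\t10.30.1.8\tudp\t161",     # intra-OT SNMP: out of scope
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Run against real flow exports (for example from a span port collector) the same loop gives a list of boundary crossings the firewall or diode should already have blocked; any hit is either a misconfigured rule or an asset that was placed in the wrong zone.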
Data security is another critical component, addressing the risks posed by malware hidden within files. By integrating with network appliances, file scanning technologies sanitise or block harmful content before it can reach sensitive systems.
Files should also be cleansed of malicious content using Content Disarm and Reconstruction (CDR) techniques and securely stored in isolated data vaults. Only data that has been thoroughly sanitised and validated within these vaults is allowed to enter operational technology (OT) networks.
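To make the data-security and vault-admission layers concrete, here is an added example of a file admission gate; it is not code from the article or from any OPSWAT product, and it is a detection gate rather than a full CDR engine (real CDR rebuilds the file from its parsed content, whereas this stand-in only rejects files that carry active content). It checks that the declared type matches the real file header, rejects PDFs with script or launch actions and Office documents carrying VBA macros or embedded executables, and records a SHA-256 for every file so the OT side can verify what it receives. The allow-list, the sample files and the manifest format are all assumptions constructed inline.

```python
"""Admission checks for files entering an isolated data vault ahead of OT.

Added example, not from the article or any OPSWAT product. It stands in for
the pre-CDR validation step: type allow-listing, active-content rejection and
hashing for a release manifest. Every sample file is constructed inline.
"""
import hashlib
import io
import re
import zipfile

# Allow-list of accepted types, keyed by extension, with the required header.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "docx": b"PK\x03\x04",
}

# PDF name objects that run code or trigger actions when the file is opened.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|EmbeddedFile)\b")


def header_matches(name: str, data: bytes) -> bool:
    """True only if the extension is allow-listed and the magic bytes agree."""
    ext = name.rsplit(".", 1)[-1].lower()
    magic = ALLOWED_TYPES.get(ext)
    return magic is not None and data.startswith(magic)


def active_content(name: str, data: bytes) -> list[str]:
    """Return the reasons (if any) the file carries active content."""
    ext = name.rsplit(".", 1)[-1].lower()
    reasons: list[str] = []
    if ext == "pdf":
        reasons += sorted({m.group(1).decode() for m in PDF_ACTIVE.finditer(data)})
    elif ext == "docx":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for member in z.namelist():
                low = member.lower()
                if low.endswith("vbaproject.bin"):
                    reasons.append("vba-macro")
                if low.endswith((".dll", ".exe")):
                    reasons.append("embedded-executable")
    return reasons


def admit(name: str, data: bytes) -> dict:
    """Decide whether a file may enter the vault and return its manifest entry."""
    entry = {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
             "admitted": False, "reasons": []}
    if not header_matches(name, data):
        entry["reasons"].append("type-mismatch-or-not-allowed")
        return entry
    try:
        reasons = active_content(name, data)
    except zipfile.BadZipFile:
        reasons = ["corrupt-container"]
    if reasons:
        entry["reasons"] = reasons
        return entry
    entry["admitted"] = True
    return entry


# --- constructed samples ---------------------------------------------------
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")


def make_docx(with_macro: bool) -> bytes:
    """Build a minimal OOXML container, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE header
    return buf.getvalue()


DISGUISED_EXE = b"MZ\x90\x00" + b"\x00" * 60  # a PE file renamed as a drawing

SAMPLES = [
    ("plc-manual.pdf", CLEAN_PDF),
    ("invoice.pdf", JS_PDF),
    ("report.docx", make_docx(False)),
    ("macro-doc.docx", make_docx(True)),
    ("wiring.png", DISGUISED_EXE),
]


def run_gate(samples=SAMPLES) -> list[dict]:
    """Run every sample through the gate and return the manifest entries."""
    return [admit(n, d) for n, d in samples]


if __name__ == "__main__":
    for e in run_gate():
        status = "ADMIT" if e["admitted"] else "REJECT"
        print(f"{status:6} {e['name']:16} {e['sha256'][:12]} {','.join(e['reasons'])}")
```

The manifest entries are what the vault would sign and hand to the OT side; a receiving host that recomputes the SHA-256 and finds a mismatch knows the file was altered after it was sanitised, which is the property the isolated vault exists to provide.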
Similarly, endpoint protection secures devices such as laptops and desktops – common attack vectors – against threats introduced via removable media. Comprehensive endpoint security solutions combine multiple malware detection engines, behavioural sandboxes, and threat intelligence feeds to detect and prevent infections, mitigating the risk of both known and zero-day attacks.
Given that phishing remains a prevalent vector for delivering ransomware payloads, email security is also an essential layer. Advanced email security solutions that block phishing attempts and scan attachments or URLs for malicious content significantly reduce this risk.
Together, these interconnected layers form a robust and comprehensive defence, protecting systems at every stage of an attack. By implementing a multi-layered approach, CNI organisations can establish a solid foundation for a more resilient cybersecurity posture, safeguarding their critical assets.
About the Author
James Neilson is the SVP of International at OPSWAT, where he oversees the go-to-market function and is responsible for scaling the business through our own sales teams and partner channels, meeting revenue and profitability targets, and ensuring customer satisfaction. James has over 25 years of experience in the IT industry, 18 of which are in leadership positions for cybersecurity companies. Prior to joining OPSWAT he served as VP of EMEA at Immersive Labs – a UK-based cyber startup – and held leadership roles at Forcepoint and Symantec.