It goes without saying that the digital transformation of our critical national infrastructure (CNI) isn’t a nice-to-have, it’s a must-have, especially if we’re to meet today’s and tomorrow’s energy demands, improve efficiency, and enable smart-grid capabilities that offer a new level of control and resource management. It also goes without saying that in this context, strong cybersecurity should never be a barrier to transformation. Instead, it should be the enabler that makes it possible and sustainable.
But as we know, the battle for cybersecurity never ends. There’s a silent war being fought round-the-clock to protect the critical systems that power our homes, fuel our economy, and underpin our national security. It’s a front line stretching far and wide.
A growing threat
As these systems become increasingly digitalised and interconnected, they also come under increasing attack from hostile actors. And the threats are evolving at an alarming rate. According to the 2024 Thales Data Threat Report, 93% of CNI organisations saw a rise in cyberattacks over the last year, 42% of which suffered a data breach.
Cybersecurity agencies have consistently flagged the growing threat, with research by the International Energy Agency finding that cyberattacks at least doubled in most sectors between 2020 and 2022. Even more concerning, they doubled again in 2023. Based on this upward trend, it’s little wonder most organisations’ security posture today is based on “when”, rather than “if” a cyberattack happens.
The evolution of modern warfare
The ongoing conflict in eastern Europe starkly illustrates the potential consequences of inadequate CNI cybersecurity measures. Russia’s ‘hybrid war’ in Ukraine is the first to see such extensive cyber operations being used alongside conventional war-fighting tactics, including the taking down of Ukraine’s military communications in the war’s early stages.
Russia also targeted the power grid in a combined physical and virtual attack that resulted in blackouts across the country. These hybrid attacks not only provide important insights into modern warfare for other nations, they also serve as a salutary warning of the vulnerability of CNI if it’s inadequately protected.
From grids to gadgets
The cyber threats to the UK’s CNI are wide-ranging and span all critical infrastructure – from major sources of energy generation and distribution to the physical systems that control water treatment, heating, sewage, transport and healthcare facilities. They also include the growing band of modern smart meters and connected appliances in most homes today.
Organisations responsible for sourcing, managing, producing and storing oil, gas, water, and electricity are prime targets for cyberattacks. While the upstream sector is becoming increasingly aware of cyber threats, there’s more to do to protect these essential organisations. This is especially true in fast-growing areas such as wind farms.
Network distribution, a key element of CNI from energy and water to telecoms, is also at risk. Disrupting the UK’s grids has the potential to bring the nation to a standstill. These networks are vulnerable to a variety of cyberattacks, such as malware, credential theft, and hacking of insecure devices. And with critical systems compromised, the risk of service outages, death, injury, or significant financial impact increases significantly.
The proliferation of smart meters and connected vehicles also introduces new vulnerabilities. Although digital certificates and encryption keys protect smart meters today, they don’t guarantee their future protection. For example, quantum computing’s decryption capabilities have the potential to compromise these certificates and keys, allowing hostile actors to ‘game’ the system.
A comprehensive approach to CNI defence
Tackling multi-dimensional threats requires a multi-dimensional approach. One that combines technologies, policies, and industry collaboration.
Technology solutions
At the technical level, implementing zero trust architecture (ZTA), which requires verification at every stage of digital interaction, is crucial for CNI operators. A comprehensive ZTA approach includes public key infrastructure (PKI) certificates, quantum-proof algorithms, online key management systems, identity and access management, and data encryption. However, ZTA is not being rolled out across CNI organisations fast enough compared to other sectors. This is leaving some critical systems vulnerable.
Testing and training
However, technology alone is not enough. A recurring challenge across all organisations, including CNI, is a lack of detection and response capabilities. Well-prepared organisations are structured to not just prevent attacks, but to quickly detect and respond when their systems are compromised. This requires, among other things, regularly testing cybersecurity and resilience architectures, integrating solutions that detect intrusions and alert operators, implementing strong processes with clear plans for responding to cyberattacks, and effective employee training.
Our globally recognised Cyber Resilience Lab in Ebbw Vale, South Wales, provides a unique dedicated space for industry collaboration and research to develop leading cybersecurity solutions for the UK’s critical assets. Here, CNI operators can install and test equipment, train cyber teams, and host cyber exercises to strengthen incident response capabilities.
The cyber lab has physical smart energy grid and gas distribution test benches, as well as digitally simulated environments. Through stress testing and simulated attack scenarios, we work with operators to help them detect and respond to cyber threats, ensuring resilience measures can withstand potential disruptions.
Policy and collaboration
At the policy level, stronger Government action is needed to reinforce the message that strong cyber resilience is a matter of national security, not just a business decision. Key ways to achieve this include:
- implementing an NIS2 equivalent for utilities and the supply chain
- expanding the RIIO3 funding formula beyond energy to all regulated CNI monopolies
- introducing investment-relief measures for CNI operators to ensure significant investment in the cybersecurity required to protect critical national assets that comply with the NCSC’s Cyber Assessment Framework (CAF).
This includes initiatives that enable closer collaboration between regulators, industry, and the supply chain, and also develop a coherent strategy to develop cybersecurity skills.
The role of industry in strengthening CNI cannot be overstated. CNI operators must view their cybersecurity investment not as a business overhead, but as a critical contribution to national security. This includes the exchange of best practice and threat intelligence throughout the sector. More training and upskilling of the workforce is also needed to keep up with the fast-paced threat environment.
Last word
Protecting the UK’s CNI is not just a collective responsibility; it’s a national imperative. It demands urgent, coordinated action from Government, regulators, industry leaders, and cybersecurity experts. At Thales, we’re committed to spearheading this collaborative effort, making the most of our expertise and facilities to build a resilient and secure critical infrastructure. The stakes are too high for anything less – our nation’s security and the well-being of our citizens depend on it.