The UK’s CNI Providers Are Struggling: 2025 Will Be a Critical Year for Cyber
The UK’s critical national infrastructure (CNI) is so named for a reason. But the large volumes of sensitive data that providers store, their low tolerance for outages and their importance to national and economic security also make them attractive targets. Emboldened nation-state actors, hacktivists and financially motivated cybercriminals are increasingly finding security gaps to exploit.
Globally, over two-fifths (42%) of CNI organisations reported a data breach over the past year, and 93% have seen attacks increase. With new UK legislation expected in the new year, CNI firms clearly need to improve their cyber-resilience. The good news is that standards already exist to guide them in these efforts.
What’s Happening?
There is no typical CNI firm: the category spans utility providers, financial services, healthcare organisations and defence manufacturers. But many have been buffeted by the same threats, including mass exploitation of vulnerabilities by Russian actors and targeted phishing campaigns by Iranian state hackers.
In the UK, 2024 saw significant ransomware and data breach incidents at a key NHS provider (Synnovis) and at the MoD, potentially putting lives at risk. There have also been ransomware attacks targeting children’s hospitals and major transportation providers. Beyond these individual incidents, several broader trends stand out:
Insider threats: According to Thales, 30% of CNI organisations experienced an insider threat incident over the past year. Separately, Bridewell warns that 35% of CNI security leaders believe personal financial woes are forcing employees to turn to data theft and sabotage.
Stress and burnout: Security leaders, in particular, are feeling the pressure. In 2022, a report claimed that 95% experienced factors that would make them likely to leave their role in the coming 12 months.
Stalling budgets: The percentage of IT (33%) and OT (30%) budgets in 2024 earmarked for cybersecurity fell dramatically from 2023 figures of 44% and 43% respectively.
Falling confidence in tools: Bridewell claims nearly a third (31%) of CNI security leaders ranked “trust in cybersecurity tools” as a top challenge in 2024, a 121% annual increase.
Blurred lines between state and cybercrime threats: The role of the Russian state in sheltering and encouraging financially motivated attacks on hospitals and other UK CNI is increasingly being called out at the highest levels.
The NCSC noted in its Annual Review: “Through its activities in Ukraine, Russia is inspiring non-state threat actors to carry out cyber-attacks against western CNI. These threat actors are not subject to formal or overt state control, which makes their activities less predictable. However, this does not lessen the Russian state’s responsibility for these ideologically driven attacks.”
Growing sophistication: Although not focused on the UK, the Chinese group Volt Typhoon displayed sophisticated tradecraft in a multi-year campaign uncovered earlier in 2024, during which it infiltrated and pre-positioned itself within US CNI networks so that it could disrupt critical services in the event of a conflict.
“Many CNI systems rely on outdated technology, making them vulnerable to attacks and difficult to secure. Navigating complex and evolving regulatory requirements demands significant resources and expertise,” Thales EMEA technical director for data security, Chris Harris, tells ISMS.online.
“Additionally, a lack of skilled cybersecurity professionals hampers the ability to manage and respond to threats effectively. Balancing the adoption of new technologies with maintaining robust security measures is a continuous challenge.”
Bridewell CTO Martin Riley agrees, adding that operational technology (OT) is another major challenge for CNI firms.
“OT devices lack the rigour of enterprise security, with continuing concerns about impacting operations and health and safety. Legacy systems, many over 20 years old, don’t often have modern security capabilities, and the trend for convergence of OT with IT systems is increasing the attack surface,” he tells ISMS.online.
“Due to skills shortages, CISOs cannot call on OT-specific expertise to develop proportionate cybersecurity plans and bridge IT and OT security to reduce this risk. Particularly prevalent is the rise of edge devices in IT, OT and IoT infrastructures, which could be exploited in living-off-the-land attacks, where legitimate tools within the system are targeted.”
Riley adds that in some cases, skills gaps could even lead OT teams to adopt measures that inadvertently block user access, causing physical infrastructure damage or even a risk to human life.
What Do Regulators Demand?
The need to build resilience into CNI is evident from the trends and incidents above, but there is also a growing regulatory imperative. UK providers with operations in the EU must comply with NIS2’s stricter baseline security requirements. The directive also makes senior business leaders more accountable for cybersecurity failings, including personal liability for serious infractions.
In the UK, an incoming Cyber Security and Resilience Bill will update the 2018 NIS Regulations to cover more service providers, empower regulators and mandate incident reporting. Not all of the details have yet been worked out, but the general direction of travel from a regulatory perspective in the UK is closer scrutiny of CNI firms.
What CNI Firms Can Do in 2025
“The NCSC believes that the severity of state-led threats is underestimated and that the cybersecurity of critical infrastructure, supply chains and the public sector must improve,” says the NCSC in its Annual Review.
That’s all very well, but how can providers improve their security posture specifically?
“CNI faces diverse threats, challenges, and opportunities. Proactive measures, such as formal ransomware responses and compliance auditing, are essential,” argues Thales’ Harris.
“Emerging technologies like 5G, cloud, identity and access management and GenAI offer new efficiencies when integrated into CNI operations. Higher expectations and increased commitments to operational resilience and reliability will enhance security and reduce susceptibility for CNI enterprises.”
Best practice standard ISO 27001 could be a good starting point for many, providing as it does a “robust framework” for managing security risks, he continues.
“Compliance with ISO 27001 ensures that CNI operators implement best practices in cybersecurity, including risk assessment, incident management, and continuous improvement,” Harris says.
Bridewell’s Riley also supports industry best practice approaches.
“A best practice cybersecurity strategy in a typical CNI provider aligns IT and OT risk registers to evaluate risks holistically. This should be driven by blending and mapping ISO 27001 controls to NIST CSF, NCSC CAF, NIS regulations or specific OT frameworks such as IEC 62443,” he explains.
“ISO 27001 alone is not a driver to improving CNI security. Many organisations maintain a single scope and statement of applicability that covers just the enterprise. This is why it’s so important for CNI organisations to incorporate other frameworks and regulations into their strategy for a multi-scope ISMS. Building a multi-scope ISMS can be complicated, but it’s not impossible if OT and IT are effectively separated and relevant regulations are incorporated.”