Cyber resilience and the future of Critical National Infrastructure

December 11, 2025

Simon Seymour-Perry, CEO at Logica Security, warns boards must prioritise cyber resilience to protect the UK’s critical national infrastructure.

Digital transformation

From energy grids and water systems to financial networks and emergency services, the UK’s critical national infrastructure (CNI) forms the backbone of everyday life.

Yet as these sectors embrace digital transformation, they also face growing exposure to cyber threats – many of which are sophisticated, persistent and increasingly targeted.

Recent attacks on Operational Technology (OT) systems, such as the breach of a Norwegian water dam via weak credentials, highlight a stark reality: legacy systems, fragmented defences and human error remain common vulnerabilities.

For CISOs and board directors, the question is no longer whether CNI will be targeted, but how prepared your organisation is to withstand and recover from an attack.

A wake-up call for building and facility management

In August this year, Johnson Controls revealed a critical vulnerability affecting its FX80 and FX90 supervisory controllers, devices widely deployed in building automation and facilities management across sectors including healthcare, transport and energy.

The flaw originated from a third-party software component embedded in the controllers.

This weakness could allow remote attackers to access configuration files and alter device settings, potentially disrupting essential operations in environments that rely on automated control systems.

While no attacks were reported during this period, Johnson Controls did suffer a ransomware attack in 2023 by Dark Angels Group, in which data was stolen, including personal information, building floor plans and security system details.

Given that CISA issued advisories for OT vulnerabilities this year, there is an ongoing risk that attackers will target these systems again.

Outside of operational technology (OT) systems, attackers are exploiting gaps in outdated SCADA systems and slow patching cycles, often with devastating consequences.

Threat actors and ransomware gangs are increasingly focusing on CNI because successful attacks create mass disruption and hugely impact the general public.

Alongside this, attackers benefit from intelligence gathering when they penetrate systems and gain access to data, then roll out ransomware threats that lead to monetisation requests.

Boards must recognise that these threats are not hypothetical.

They are active, sophisticated and often well-funded.

A single breach can lead to operational shutdowns, reputational damage and regulatory penalties.

Cyber resilience begins with leadership

For over 15 years, Logica Security has worked at the sharp end of critical national infrastructure (CNI) and operational technology (OT), including every nuclear reactor in the UK.

In these environments, the security challenge is never just technical.

It’s a complex balancing act: bridging legacy OT with modern IT, maintaining uptime for safety-critical systems and navigating a dense web of regulatory obligations.

This is why resilience must start at the top. Boards and executive teams play a pivotal role in setting the tone, allocating resources and demanding clarity.

In sectors where downtime isn’t an option and compliance is non-negotiable, cyber risk is a boardroom issue, not just an IT concern.

One of the key strategies for CISOs in getting the attention of, and collective buy-in from, the board is to translate cyber and OT risk into a language that the board truly understands.

What are the potential risks to the business, what will the impact be if a service is disrupted and the knock-on effect on public safety, reputation and trust?

Often, the visibility of security risk presented back to the board is limited.

Fragmented reporting means the true risk becomes unclear, leading to a weakened cyber posture.

Mapping the risks to their impact on business outcomes will better engage board directors, allowing a more joined-up approach to quantifying top risks, control gaps, trend indicators and required decisions.

Safeguarding CNI and meeting regulatory rigor

Protecting CNI demands more than a perimeter defence; it requires deep visibility into OT environments and readiness to respond when things go wrong.

For highly regulated and CNI environments, having robust incident response and resilience planning protocols in place is essential.

Developing and testing tabletop exercises geared to an OT-specific incident response scenario will ensure key leaders within the organisation are fully prepared, and fallback systems and capabilities can be established, in the event that a real-world attack strikes.

This also ensures defences are as robust as they can be and, if not, that system alterations can be made to strengthen and enhance the cyber posture.

Most of the UK’s critical national infrastructure is in private hands, so the country’s resilience relies heavily on how well those organisations manage cyber risk going forward.

Sectors such as finance have operated under tight regulatory scrutiny for years, while others have leaned more on guidance than enforcement.

The Cyber Security and Resilience Bill changes that. It sets clear, enforceable expectations across industries and gives regulators the ability to hold private operators to account.

So, for CISOs, this means that regulatory requirements have to be built into core security strategies to protect CNI, not addressed after the fact.

Cyber resilience: A strategic imperative for CNI

Cyber resilience in critical national infrastructure is no longer a strategic option; it’s a national necessity.

As the lines between IT and operational technology continue to blur, organisations must embed resilience into the very fabric of their governance, not just their systems.

This means more than deploying tools; technology alone isn’t enough. It requires leadership.

Boards must balance investment in both technology and people, ensuring that resilience is not siloed within IT but integrated across operations, compliance and culture.

The threats facing CNI are real, persistent and evolving.

But so too are the opportunities. Boards that act with clarity and urgency won’t just protect their operations, they’ll gain a clearer understanding of their risk exposure and build lasting trust with customers, regulators and the public they serve.
