Lessons from Heathrow: Repairing Britain’s resilience gap

November 24, 2025

David Ferbrache, Managing Director at Beyond Blue, examines how the Heathrow power outage exposed deep weaknesses in the UK’s cross-sector resilience.

Legacy infrastructure issues

The power outage at Heathrow in March 2025 now seems a distant memory, but before it fades completely, we should pause and ask what lessons we can draw for our national resilience from the issue.

While the media headlines homed in on Heathrow’s sleeping CEO, NESO’s final report and Ruth Kelly’s review of Heathrow’s handling of the incident make for interesting and, to an extent, disturbing reading.

Of course, we can criticise National Grid Electricity Transmission for not addressing the ingress of moisture into the bushing of a supergrid transformer, first detected in 2018 but never dealt with.

An accident, literally, waiting to happen.

We can ask why the catastrophic fire of that transformer triggered a series of events which led to failure of the supply to Heathrow, and why Heathrow was critically vulnerable to the failure of a single supply when it had three separate connections to the grid.

Behind some of this we will find legacy infrastructure issues, budget constraints on investing in resilience measures and also a lack of understanding of the impact that a single failure event can have on complex and interdependent infrastructure.

NESO noted that there is no mechanism in its legal and regulatory framework to prioritise supply to critical national infrastructure. Indeed, the lack of dialogue and scenario planning between Heathrow and the operators of the critical infrastructure that supports it was obvious.

In short, the incident served as a harsh reminder of the UK’s fragmented approach to resilience, particularly across critical industries.

So, what can we learn from the report and how can other critical infrastructure operators improve their operational resilience?

A lack of collaboration between interdependent critical industries

It’s fair to say Heathrow is a high-profile example of cross-sector failure in critical infrastructure resilience.

While the aviation industry maintains strong internal collaboration between airports, air traffic control and airlines, the same cannot be said for its relationships with essential utilities like power, water and communications, despite their vital role in maintaining safe and effective operations.

In NESO’s report, it was highlighted that National Grid never fully understood the importance of the North Hyde substation to Heathrow’s operations.

It never realised that any disruption in electrical supply would close the airport.

On the other hand, Heathrow was aware of this, but it was not assessed to be a likely scenario due to its expectation of resilience in the wider electricity network.

The airport was aware that a loss of power from one electricity intake would result in a lengthy suspension of operations.

However, the precise impact on systems in this scenario was less well-known by those outside the technical team.

This highlights how a lack of communication both internally and externally potentially exacerbated the incident.

However, it also unearthed a worrying oversight within the UK’s critical infrastructure regulations, where there is no real requirement for cross-sector collaboration across physical dependencies.

A regulatory oversight

Within the UK, there is no formal obligation for critical infrastructure operators to collaborate with each other, even when their operations are deeply interdependent.

Current CNI regulations, such as the Network and Information Systems (NIS) Regulations, heavily focus on cyber and digital dependencies, but they fall short when it comes to considering broader kinetic and physical infrastructure risks.

However, this is a dangerous oversight, with Heathrow providing a clear example of why an all-hazards approach to resilience matters.

It is too easy to focus on cyber security and forget that infrastructure can fail for many more mundane reasons.

The government has recognised these shortcomings and is actively working on reforms to tackle these gaps.

What the UK can learn from the Heathrow outage

In the wake of the Heathrow outage, the government published its Resilience Action Plan, which sets out a strategic approach to increasing the UK’s national resilience.

Within the plan, the government references the Heathrow outage, highlights lessons learned from NESO’s report and reinforces the importance of cross-sector collaboration to improve the resilience of the critical services the public depends on.

When it comes to driving these initiatives, the government could mirror the EU’s Critical Entities Resilience (CER) Directive, which complements the NIS 2 Directive and focuses on a holistic approach to infrastructure resilience.

The EU CER Directive adopts an “all-hazards” approach to resilience.

It requires EU states to undertake a national risk assessment (which the UK also does) to identify critical entities that provide essential services to the State, and for those entities to assess the risks to their operations, take appropriate resilience measures and share their resilience plans with regulators.

As the UK moves forward with its Resilience Action Plan, there is a strong argument that it needs to adopt some of the measures within the Directive to drive both physical and cyber resilience.

It is likely that the forthcoming Cyber Security and Resilience Bill will focus on cyber security, rather than resilience in the round.

While this reflects real concerns over the cyber threat to infrastructure, we must be careful to not miss an opportunity to take a more holistic approach to resilience which looks beyond just cyber attacks.

Our legal frameworks need to provide the basis for greater clarity on who is judged to be critical infrastructure (including in the supply chain), to be clear on the overall resilience expectations on those firms and to promote stronger cross-sector collaboration and assurance over resilience.

The lessons from Heathrow show how fragile our infrastructure can be and how stove-piped we can be in planning for resilience.

It is important that we don’t treat this as an isolated example, but ask ourselves: is it a portent of future incidents, whether accidental or malicious in intent?
