CNI and the UK’s new cyber-security budget

Jay Abdallah at Schneider Electric explains what the UK’s new cyber-security budget means for industrial organisations in Critical National Infrastructure 

 

This June, the government announced watershed legislation for digital defence and cyber-security.

 

The new proposals are part of the Strategic Defence Review and represent a significant shift in national priorities. This is especially the case for industrial organisations operating within sectors defined as Critical National Infrastructure (CNI), including energy, water, healthcare, transport and digital infrastructure.

 

Each of these sectors is rapidly accelerating digital transformation programmes in an effort to meet decarbonisation and efficiency goals. But at the same time, moving too quickly and without the right frameworks in place makes them more vulnerable in a world where cyber-threats are increasingly unpredictable and disruptive. 

 

For operators of critical infrastructure, it’s therefore vital to partner with organisations that bring the appropriate expertise needed to safeguard essential systems. The risks of navigating this landscape alone, without the right support, can lead to serious and far-reaching consequences.

 

In his forward to the Cyber Security and Resilience Bill, Peter Kyle, Secretary of State for Department for Science, Innovation and Technology notes how, last year, a cyber-attack against a supplier to NHS hospitals in London caused more than 11,000 appointments and procedures to be postponed. In some cases, patients had to wait months before they were eventually seen.

 

Meanwhile, it’s been reported that 2024 saw almost two thirds of water and energy providers affected by cyber-attacks in some way. While there are no confirmed cases of these attacks causing disruption of everyday services – in most of these cases, even ransomware, the attackers were targeting data, not operational technology (OT) – it’s not difficult to imagine the potential consequences of an attack which did.

 

Just think about the potential consequences for people if a water company could not provide water for drinking or bathing to their homes. Or if a disruptive cyber-attack against an energy provider resulted in power outages across a region, or a whole country.

 

These may only be theoretical examples of cyber-attacks against the operational technology vital to running critical infrastructure. But the concept and the risk are very real, as demonstrated in 2016 when a cyber-attack against a power station in Ukraine caused blackouts across a whole region of the country during the dead of winter. 

 

It likely wouldn’t take much for an attacker who breached IT systems of a critical infrastructure to breach OT systems too. Indeed, in April, hackers were reportedly able to control water valves after breaching a Norwegian dam. Cyber-threats to critical infrastructure are very real national security risk; and the consequences aren’t just restricted to computer systems or data, they can have a disruptive impact on society too. 

 

The ongoing legacy of legacy technology

In 2025, much of the critical infrastructure we rely on is increasingly becoming connected to cloud services, Internet of Things (IoT) connected sensors and now, even AI systems. 

 

However, rather than being built on new, innovative technologies, the reality is that much of the critical infrastructure we rely on is still based on legacy operational technology, software and operating systems. The reason these systems continue to be used is because they’re bespoke, designed specifically for the tasks at hand – no other technology can do what’s asked.

 

But much of this legacy infrastructure was designed decades ago, when the internet wasn’t as widely used as it is now and without connected systems in mind, meaning that in 2025, much of the hardware and software is outdated, bordering on obsolete, and increasingly difficult to secure against modern cyber-threats.

 

The reason for this is simple. When the technology is no longer supported by the manufacturer, it’s no longer receiving security updates.

 

But even if security patches are available, it’s extremely difficult to take critical infrastructure offline to apply them. All of this means that OT remains uniquely vulnerable to evolving cyber-threats, especially if the equipment being used hasn’t been properly certified.

 

Improving the cyber-security of CNI

The government has issued warnings on the unprecedented threat to CNI and how it poses a risk to UK citizens. That’s why it has announced its plans to invest over £1 billion to improve the country’s digital and cyber-capabilities.

 

What’s key to securing infrastructure is ensuring that the correct processes are in place for assessment and prevention of threats, vulnerabilities and other issues. And when necessary, that rapid support is available to respond to suspected incidents, such as attacks or breaches. 

 

The government’s proposals around securing CNI are welcomed. But it’s also vital for those responsible for running and maintaining OT to make sure they have plans in place to react to incidents, while at the same time ensuring that the most vital operations remain active.

 

Therefore, the government’s budget should continue to prioritise spending on securing CNI. The focus should be on securing legacy systems. In addition, digital transformation programmes to modernise the IT of CNI must adhere to the concept of Secure By Design, starting at the development stage. And it is vital to follow secure deployment guidelines and configurations when integrating the technology into real-world operating environments.

 

In addition, the ongoing maintenance and oversight of assets must move to a Secure By Operations approach. Secure By Operations becomes critical when technology is evolving at such a rapid pace that even ‘simple’ system misconfigurations can lead to cyber-incidents.

 

Meanwhile, the rise of artificial intelligence (AI) has increased the potential and speed for both positive and negative consequences.

 

Just a one cyber-attack on a single stakeholder in the value chain can cause significant operational, financial, or reputational damage to other organizations reliant on the affected operator or their technology.

 

Indeed, the National Cyber Security Centre (NCSC) has warned how “the growing incorporation of AI models and systems across the UK’s technology base, and particularly within critical national infrastructure, almost certainly presents an increased attack surface for adversaries to exploit.”

 

But industrial AI can also be used to bolster cyber-security, not just by automating cyber- defences, but by enabling predictive maintenance of OT. Much like how AI can be used to assess the ongoing condition of cyber-physical systems, the predictive capabilities of industrial AI can be used to anticipate potential cyber-threats before they become an issue.

 

For example, by correctly applying appropriate information and instructions , especially when aided by the right partner, AI could anticipate what the vulnerabilities or cyber-threat groups are the biggest risk to the infrastructure at that time, providing the human defenders with vital information to help ensure systems remain protected from attacks and hackers.

 

It’s the human cyber-defenders who are important here. Yes, AI can help boost cyber-security. But humans are still the most important part of the process; it’s still people who are responsible for securing systems, and it’s vital for people to work together towards this goal.

 

Cyber-security professionals may work for organisations which are competitors, but in order to fully ensure that CNI is defended against cyber-threats, collaboration is key. It’s therefore vital that industry support groups implement schemes like knowledge sharing, especially around best practices such as Secure By Design and Secure By Operations, as well as proactive threat mitigation for critical assets and partnerships.

 

As a complex threat landscape continues to evolve, it’s vital for the industry to collaborate on cyber-defence. If one organisation successfully defends against a cyber-attack, sharing that information could help others to do the same. By working together, we can ensure the resilience and security of our critical infrastructure is future-proofed. 

 

---

 

Jay Abdallah is President, Cybersecurity Solutions at Schneider Electric

 

Main image courtesy of iStockPhoto.com and Oselote