Editorial

The US’ latest cyber alert is a wake-up call for the UK

State-affiliated threats are growing in scale and sophistication. Richard Giblin, head of UK public sector and defence at SolarWinds, argues that legacy systems, operational silos, and slow procurement cycles leave many UK public services vulnerable.

Posted 22 September 2025 by Christine Horton


This summer, the United States’ (US) top cyber and intelligence agencies issued a joint warning over potential Iranian cyberattacks targeting critical infrastructure. The alert didn’t mention any specific threat, but it urged those in charge of critical national infrastructure (CNI) to strengthen their defences.

The move reflects how cyberattacks between nations targeting critical infrastructure have become an increasingly prominent concern in the modern digital landscape. These incidents typically involve attempts to disrupt essential services, such as energy grids, water systems, transportation networks or communication frameworks, through unauthorised access or malware deployment.

While the motives and methods vary, the impact can be significant, potentially causing service outages, financial losses, or threats to public safety.

While the latest warnings have been directed at the US, it’s safe to assume other countries around the world will also take notice. An alert was issued last year when the United Kingdom’s (UK) National Cyber Security Centre (NCSC), alongside its international allies, warned of a threat to CNI from North Korea.

These warnings – which affect services such as hospitals, transport networks, energy grids, communications, water treatment plants, and the digital systems underpinning them all – come at a time of heightened international geopolitical tensions. They also underline how exposed some systems are.

Critical services under pressure

Last year, for example, a ransomware attack on the National Health Service led to thousands of appointments being either delayed or cancelled, with the incident linked to the death of at least one patient. The recent data breach at the UK’s Legal Aid Agency’s online digital services could also be viewed as an attack on CNI because of the potential destabilising effect a breakdown of the legal system might have on the rest of society.

When we step back and consider the country as a whole, there is a concern that many of the systems underpinning our national infrastructure are not designed to withstand today’s threat environment.

Across the public and private sectors alike, legacy systems remain deeply embedded within critical infrastructure. These platforms were not built with modern security in mind, and in many cases, no one knows exactly how many are still running. But legacy technology is not the only weak point.

Departments are often heavily siloed – not only operationally but in the systems they use. Neighbouring teams, sitting across from one another, may be running incompatible tools that can’t speak to each other. This lack of interoperability is not only inefficient, but it also creates gaps in visibility. And it is those gaps that attackers exploit.

Worse still, many teams believe they’re secure because they’re compliant. This can lead to a sense that everything is in order. But this is not always the case. Many organisations that feel protected are far more exposed than they realise. Audits are outdated. Processes haven’t kept pace with modern operations. And because many of these environments have avoided major incidents so far, there’s a false sense of safety. But the next incident isn’t hypothetical – it’s inevitable.

Add to this a procurement process that moves too slowly to keep up with fast-evolving threats, and the picture becomes more concerning. New vulnerabilities are disclosed every day, but many public sector organisations are still navigating approval cycles that take months or years. By the time a solution is deployed, the threat landscape has already moved on. While there are efforts to speed up cyber-specific procurement, these are patchwork improvements. National resilience requires more than tactical workarounds. It needs systemic changes.

What resilience looks like

The uncomfortable truth is that cyber risk can’t be completely eliminated, but it can be better understood, better managed, and more quickly contained. And that starts with visibility. You can’t defend what you can’t see. Infrastructure operators – whether public or private – need to understand what’s running across their estate, where the weak points are, and what’s happening in real time. This means cross-sector visibility, with operators seeing and understanding activity across their entire digital estate.

It also means embedding observability into critical infrastructure, not only to monitor what’s going on but also to identify anomalies, prioritise threats and support decision-making. With the scale and complexity of today’s systems, this increasingly depends on automation and artificial intelligence to help prioritise risks, detect unusual activity and respond faster than manual processes allow.

This entails moving beyond technical solutions and focusing on the people and processes behind them. This includes putting cyber professionals at the top table and ensuring organisations have the skills, structures and cultural awareness to act before incidents become crises.

Above all, it requires breaking down silos. CNI isn’t neatly divided by sector or ownership. It’s a web of interdependent systems, and when one fails, the effects can cascade. Resilience demands coordination, shared intelligence, and a common understanding of what’s at stake.

State-affiliated cyberactivity is not going away. If anything, it’s becoming more targeted, disruptive and politically weaponised. And the next attack won’t stop to ask whether the target is a hospital, a utility or a local authority.

Our defences need to reflect this reality. This calls for better coordination, improved visibility, and shared accountability across public and private infrastructure owners alike. Whether it’s a server room in a council building or a control system at a water utility, the UK’s critical infrastructure is only as resilient as its weakest link. In the eyes of an attacker, it’s all one connected target.
