The UK government has launched a new cybersecurity strategy for the energy sector, warning that the transition to a more digital and interconnected energy system is creating new risks that could be exploited by hostile states, cyber criminals and other threat actors.

Published by the Department for Energy Security and Net Zero (DESNZ), the strategy outlines a series of measures designed to strengthen cyber resilience across Great Britain’s energy infrastructure, from electricity and gas networks to supply chains and emerging clean energy technologies.
The strategy comes amid growing concern over cyber threats targeting critical national infrastructure, with senior security officials recently warning that the UK is facing an increasingly hostile threat landscape driven by geopolitical tensions and the growing use of AI-enabled cyber capabilities.
Greater scrutiny of critical suppliers
A major focus of the strategy is supply chain security, reflecting concerns that attackers may seek to compromise critical infrastructure through third-party providers and technology vendors.
DESNZ said it aims to develop supply chain security principles by the end of 2026 and build its capability to assess energy sector supply chains by 2027. The government also plans to influence legislation that would allow it to directly regulate critical suppliers, with designated suppliers expected to be identified and assigned cyber maturity targets by 2030.
The move aligns with wider reforms proposed through the UK’s Cybersecurity and Resilience Bill, which seeks to expand regulatory oversight of critical suppliers and strengthen reporting and resilience requirements across essential services.
Tougher resilience expectations
The strategy also signals tighter cyber resilience expectations for energy operators.
By 2027, the government plans to review existing Network and Information Systems (NIS) regulatory thresholds to determine whether additional critical sub-sectors should be brought within scope. It also intends to support operators in accelerating cyber maturity programmes for their most critical systems.
DESNZ and energy regulator Ofgem are additionally exploring new baseline cyber resilience requirements for all licensed energy operators, with Cyber Essentials identified as a potential starting point for minimum standards.
The strategy acknowledges that the UK’s energy system is becoming increasingly complex as renewable generation, smart technologies and digital platforms are deployed at scale. While these technologies support decarbonisation and operational efficiency, they also increase the potential attack surface available to adversaries.
Preparing for sophisticated attacks
Alongside regulatory changes, the government plans to test the sector’s ability to respond to major incidents.
DESNZ said it will deliver a cross-industry cyber exercise by the end of 2026 to assess how government and industry would respond to a sophisticated attack on Great Britain’s energy system. It also intends to develop new capabilities to improve the sector’s ability to detect hostile activity, with a pilot planned for 2027 and full deployment targeted for 2028.
Recent warnings from GCHQ have highlighted growing risks to critical infrastructure from state-backed actors, particularly Russia, alongside concerns about the use of AI to accelerate cyberattacks and other forms of hybrid warfare.







