, , ,

Hostile states drive UK infrastructure cyber risk

The NCSC says hostile states are linked to most cyber incidents affecting UK critical systems, shifting cyber risk deeper into infrastructure resilience.

Hostile states drive UK infrastructure cyber risk
Summary
  • NCSC chief executive Richard Horne says around 75% of cyber incidents affecting UK critical systems over the past year were linked to hostile states.
  • The warning places cyber resilience inside the operational risk of essential services, suppliers, and public infrastructure.
  • AI may increase attacker capability, but the NCSC continues to stress recovery, authentication, patching, and resilience fundamentals.

The National Cyber Security Centre has warned that hostile states are behind most cyber incidents affecting the UK’s critical systems, after managing more than 200 incidents involving critical national infrastructure and its supporting ecosystem in the year to May 2026.

Richard Horne, the NCSC’s chief executive, used the Royal United Services Institute’s Annual Security Lecture to say that around three quarters of those incidents are believed to be linked to state actors. He identified Russia, China, and Iran as hostile states whose activity is affecting systems that underpin essential services.

The figures put cyber risk firmly inside infrastructure policy. Critical national infrastructure covers the systems that support energy, transport, healthcare, communications, finance, water, and other essential services. The supporting ecosystem also matters because attackers do not always need to breach a major operator directly. Suppliers, managed service providers, software vendors, maintenance contractors, and smaller connected organisations can create routes into larger systems.

Horne described cyber security as an ongoing contest with capable adversaries, not a static risk that can be closed through periodic compliance work. That distinction changes how resilience should be planned. A control checklist may show that policies exist, but it does not prove that an organisation can operate through a serious attack, recover quickly, or understand how dependencies behave under pressure.

Geopolitics has made the problem more severe. Russia’s war in Ukraine has shown how cyber operations can accompany military, intelligence, and information activity. China remains a long term strategic cyber concern for Western governments. Iran linked activity has also been cited in UK threat discussions. Essential services may be targeted for espionage, disruption, coercion, or preparation for future conflict.

AI adds to the threat environment without replacing the basics. Advanced tools can help attackers find vulnerabilities, generate convincing social engineering material, automate reconnaissance, and scale parts of an operation. Defenders can use similar capabilities to analyse code, triage incidents, and detect anomalies. Many successful attacks still exploit known weaknesses: poor authentication, unpatched systems, weak recovery planning, and supply chain complexity.

Businesses operating in or around critical infrastructure need resilience plans that extend beyond the security team. Asset visibility, identity systems, remote access, cloud environments, operational technology, backups, and supplier connections all have to be understood. Senior leadership needs to know which services must keep running during an incident, which systems can be isolated, how recovery will work, and which suppliers are essential to restoration.

Public bodies face a similar burden with fewer resources. Hospitals, councils, transport authorities, and utilities often run mixed estates of legacy systems and modern cloud services. That makes security architecture harder to simplify and recovery harder to test. Budget constraints can leave institutions dependent on ageing technology even as threat levels rise.

The policy environment is tightening in response. The UK’s Cyber Security and Resilience Bill is expected to expand regulation around organisations that provide or support essential services. Suppliers and managed service providers are likely to face greater scrutiny as the government recognises that modern infrastructure is delivered through networks of organisations rather than single operators.

Cyber resilience will increasingly influence supplier selection and contract management. Buyers of critical services will ask whether vendors can prove incident response capability, backup integrity, vulnerability management, continuity planning, and security governance. Insurers, regulators, and investors are likely to apply similar pressure.

More than 200 managed incidents in a year suggests a persistent operating condition, not a rare emergency. The practical test is whether essential services, suppliers, and public bodies can keep functioning when hostile states treat cyber operations as routine strategic activity.