ITSecurityGuru

Cyber Blind Spots: The hidden technology that poses the greatest security risk


By Peter Villiers, Director of Cyber Risk at Barrier Networks

A growing risk across the UK’s Critical National Infrastructure (CNI) is placing the country in serious danger of disruption. It isn’t ransomware or a headline-grabbing data breach. It sits within the systems that keep the country running, and it has grown over time: when these systems were first introduced, the risk didn’t exist. Today, because of advances in technology and connectivity, it is more significant than ever before.

The risk sits in the background of the systems that keep essential services running. Power, water, transport, electricity. The things people rely on without thinking about them. The things the country could never survive without. The risk lies in Operational Technology (OT), the systems that control the physical processes within CNI.

OT is made up of the machines that keep utilities flowing across the country: the machines that control the level of chlorine that goes into our tap water, the systems that tightly monitor nuclear reactors, the sensors that manage electricity supply into people’s homes. Yet one of the biggest problems with these systems today is that they were built for stability, not security.

When these systems were first introduced into CNI plants, security was physical: the aim was to keep intruders out. Today, the introduction of connectivity and automation has changed the playing field, opening these critical environments up to anyone on the internet and leaving the UK worryingly exposed.

As IT and OT have become more connected, these systems have been exposed to risks they weren’t built to handle. Many are now networked, remotely accessed, and tied into wider business systems. This is where the problem starts. You’ve got infrastructure built for isolation now operating in highly connected environments, and the gap between those two realities is where risk builds. 

The visibility issue

If you ask most organisations for a clear, up-to-date view of their OT environment, many will struggle to give one. Asset inventories are often incomplete. Network diagrams don’t reflect what’s actually there. In some cases, documentation is either outdated or never existed at all.

Instead, knowledge tends to sit with individuals: engineers who have worked on these systems for years and understand how things fit together because they have seen them evolve.

But this creates a problem. If you don’t fully understand what’s in your environment, you can’t properly secure it. You can’t patch what you don’t know exists, and you can’t monitor or segment networks you haven’t mapped.

In OT, the biggest risks are often the ones no one realises are there. Automation and connectivity have often been added without the knowledge of IT and security teams, leaving blind spots that attackers can exploit.

A different kind of threat

Most cyber attacks in IT are driven by money, but in OT, attacker motivations can be significantly different.

Attackers understand that by targeting a country’s CNI they can inflict serious societal damage, which is why it is often geopolitically motivated threat actors that target OT. Their aim may be to damage a country directly, or to conduct surveillance and gather intelligence on it, often striking at a later date.

We’ve already seen warnings from UK and international agencies about attackers gaining access to critical infrastructure and staying there, sometimes for long periods.

Where resilience falls short

A lot of CNI organisations have invested in prevention, but fewer have properly thought through recovery. In IT, resilience is relatively well established: backups, disaster recovery and business continuity are standard. In OT, it is more uneven.

Some systems aren’t backed up in a meaningful way. Configurations and dependencies aren’t always documented clearly. Rebuilding after a serious incident can take far longer than most organisations expect.

Identity is another pressure point. As environments become more integrated, shared identity systems are more common. That simplifies access, but it also increases risk. If privileged credentials are compromised, the impact can extend across both IT and OT.

Segmentation is similar. On paper, environments are separated. In practice, legacy infrastructure and quick fixes often mean those boundaries aren’t as strong as intended. 

So where do you start?

The first step is getting a proper handle on what’s actually there. That means building a clear, current view of OT assets and how they connect. Not a one-off exercise, but something that’s maintained over time. From there, it’s about understanding exposure. Where are the links between OT, IT, and external systems? Where could someone move if they got in?

Identity needs a closer look too. Shared systems might make sense operationally, but they need stronger controls around them.

Resilience also needs to be treated as a practical exercise, not just a plan on paper. If systems went down tomorrow, could they actually be rebuilt? How long would it take? Who has the knowledge to do it? And finally, monitoring: not just at the IT layer, but within OT itself, with the ability to spot security issues early.
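One way to turn those first steps (a maintained inventory, the links between OT, IT and external systems, and where someone could move if they got in) into a repeatable check. This is an added example, not code from the article or from Barrier Networks; the site, asset names, zones and links are constructed sample data, and the "captured" links stand in for what a passive network capture would report.

```python
from collections import deque

# Constructed sample (not a real site): documented inventory, asset -> zone.
INVENTORY = {"erp-app": "it", "hist-server": "dmz", "eng-ws-01": "ot",
             "plc-chlorine-dosing": "ot", "hmi-pumps": "ot"}
# Constructed sample: links as drawn on the network diagram (bidirectional).
DOCUMENTED_LINKS = [("erp-app", "hist-server"), ("eng-ws-01", "plc-chlorine-dosing"),
                    ("eng-ws-01", "hmi-pumps")]
# Constructed sample: what a passive capture of the same site actually saw, including
# a "quick fix" hop from the DMZ into engineering and an undocumented cellular router.
CAPTURED_LINKS = DOCUMENTED_LINKS + [("hist-server", "eng-ws-01"),
                                     ("cell-router-7", "plc-filter-backwash"),
                                     ("plc-filter-backwash", "eng-ws-01")]

def blind_spots(inventory, links):
    """Assets talking on the network that the inventory never recorded."""
    return sorted({a for link in links for a in link} - set(inventory))

def undocumented_links(documented, captured):
    """Connections seen on the wire that the diagram does not show."""
    norm = lambda link: tuple(sorted(link))
    return sorted(set(map(norm, captured)) - set(map(norm, documented)))

def reachable(start, links):
    """Breadth-first walk: every asset a foothold at `start` could move to."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposure(inventory, links, entries):
    """OT or undocumented assets reachable from any of `entries`. Documented IT/DMZ
    hops are expected and dropped; an empty result means segmentation holds."""
    hit = set().union(*(reachable(e, links) - {e} for e in entries))
    zone = lambda a: inventory.get(a, "undocumented")
    return {a: zone(a) for a in sorted(hit) if zone(a) in ("ot", "undocumented")}

if __name__ == "__main__":
    print("blind spots:", blind_spots(INVENTORY, CAPTURED_LINKS))
    print("from IT, on paper:", exposure(INVENTORY, DOCUMENTED_LINKS, ["erp-app"]))
    print("from IT, in practice:", exposure(INVENTORY, CAPTURED_LINKS, ["erp-app"]))
```

Run against the documented diagram the IT zone reaches nothing in OT; run against the captured links the same entry point reaches every PLC and HMI plus two devices nobody inventoried, which is exactly the gap between the paper boundary and the real one that the article describes.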

The bigger picture

Operational Technology underpins everyday life, and when it fails, society is the casualty. Currently, many of the systems we depend on most are operating without full visibility, without clear ownership, and without the resilience needed to withstand a serious incident.

Until that changes, the UK’s most critical infrastructure will continue to carry a level of risk that leaves the country, and its citizens, dangerously exposed.
