Table of contents
DOI: https://doi.org/10.58248/HS81
Overview
Critical infrastructure are assets, systems, and networks that provide functions necessary for our way of life.[1] They are part of a complex, interconnected system, and any threat to its elements could have potentially debilitating national security, economic, public health or safety consequences.[2]
While there are a range of views on defining readiness and resilience, for the purposes of this article readiness is understood as the “capability of an individual, unit, or system to perform the missions or functions for which it was… designed”.[3] Resilience is further defined as “the ability to withstand, recover, and grow in the face of stressors and changing demands.”[3]
The range of threats to the UK is ever-changing and growing.[4] A wider group of state and sub-state actors are developing capabilities to prosecute attacks, including against critical infrastructure.[5] The past few decades have seen increasing risks from climate change and cyber-attacks,[6] in addition to accidents and natural hazards.
Natural hazards include rare but extreme effects such as a Carrington-like event, a geomagnetic storm that caused widespread electrical disruption in the nineteenth century.[7] A 2022 Parliamentary report noted that the impact of climate change means there is now a one-in-four chance of a severe drought in the UK before 2050 unless additional infrastructure is put in place.[8]
In its annual report, the National Cyber Security Centre (NCSC) noted that 2023 had “seen the emergence of state-aligned actors as a new and emerging cyber threat to critical national infrastructure.”[9] The House of Commons Science, Innovation and Technology Committee noted in 2023 that “the UK is the third most targeted country in the world for cyber-attacks, after the US and Ukraine”, and exacerbated by Russia’s full-scale invasion of Ukraine.[10]
In January 2024, the NCSC highlighted how Chinese state-sponsored activity had targeted infrastructure in the US.[11] In October 2023, MI5 warned about the threat to UK companies, critical infrastructure, universities, and start-ups working on research and innovation.[12] The NCSC also warned about cyber threats from Iran,[13] North Korea,[14] and ransomware and cyber-enabled crime. For example, a June 2024 ransomware attack on the NHS was described by an expert as one of the most serious in British history, despite NHS England spending £338 million over the previous seven years protecting itself from such an event.[15]
Challenges and opportunities
Cyber is only one strand of a growing suite of so-called hybrid threats, including against infrastructure.[16] NATO defines hybrid threats as “military and non-military as well as covert and overt means, including disinformation, cyber-attacks, economic pressure, deployment of irregular armed groups and use of regular forces.”[17] These are used to blur the lines between war and peace, sow doubt, and destabilise and undermine societies.
Examples of hybrid threats include attacks on undersea infrastructure, such as on the Baltic gas and data pipelines in October 2023.[18] Windfarms, power stations, energy and water treatment plants and storage facilities are also possible targets.
In April 2024, German authorities arrested two German-Russian dual nationals on suspicion of planning attacks on US military facilities on behalf of the GRU, Russia’s military intelligence agency.[19] Polish police arrested an individual who was preparing to pass information on Rzeszow-Jasionka airport, an important hub for military aid to Ukraine, to the GRU.[20] Also, British authorities made several arrests over an arson attack on a Ukrainian-owned firm in London.[21]
There is also the possibility that hybrid operations are seen as insufficient to achieve policy aims, and an implied or explicit direct threat is made against critical infrastructure. In May 2024 a Russian Foreign Ministry spokesperson allegedly told journalists that British targets “on Ukraine’s territory and beyond its borders” could be hit if British weapons were used by Ukraine for strikes on Russian territory.[22]
Countering hybrid threats where the potential aggressor is less clear is also challenging. The Ministry of Defence (MoD) contributes to the £1 billion Integrated Security Fund (ISF). The ISF may help deliver parts of the 2023 Integrated Review Refresh Strategic Framework by deterring potential aggressors and addressing vulnerabilities.[20] UK armed forces also offer military capabilities to protect infrastructure, such from the two Multi-Role Ocean Surveillance vessels used to enhance protection of undersea infrastructure.[24]
In terms of the consequences of an attack, the 2023 National Risk Register (NRR) covers accidents, natural disasters, and malicious attacks on infrastructure, providing an ’impact’ and ‘likelihood’ scale.[13] A “conventional attack on infrastructure” is categorised ‘4’ (or “significant”, which means up to 1,000 deaths; up to 2,000 casualties; billions of pounds in economic cost) and has a 5–25% chance of occurring in the next two years.[1] [13]
However, the 2023 Integrated Review Refresh said it was “establishing a new process for identifying and assessing chronic risks”.[22] These are defined as “long-term challenges that gradually erode our economy, community, way of life, and/or national security”[13] and are not currently included in the NRR.
In its Annual Review, the NCSC noted that “2023 has seen the addition of state-aligned actors to the ongoing threat from state actors, as a new and emerging cyber threat” to critical national infrastructure. The report also stated that “some [hostile groups] have stated a desire to achieve a more disruptive and destructive impact against western critical national infrastructure, including in the UK.”[9]
In 2022 the head of MI5 noted that the Centre for the Protection of National Infrastructure (CPNI) had an opportunity to reach a wider audience to better tackle these new threats.[23] Consequently, CPNI became the National Protective Security Authority, with a mandate to engage ten times as many customers by 2025, including businesses, academics and the emergency services to reduce vulnerabilities to infrastructure.[24]
The National Security Risk Assessment (the public version of which is the NRR) will continue to include acute risks: time-bound, discrete events, such as major flooding. The Integrated Review Refresh also set out the use of the National Security and Investment Act to prevent high-risk foreign investment in critical infrastructure and sensitive technologies.[20]
The 2023 Defence Command Paper noted that the “challenge of protecting ourselves against attack from the skies, both overseas and at home, is at its most acute for over thirty years”.[25] However, the MoD told the Defence Committee in March 2024 that “we need to spend more money […] on what we call integrated air and missile defence […] but we work within the money that we have, and we carry the operational risk accordingly.”[26]
Defence may help deter attacks on infrastructure if the Armed Forces are perceived as sufficiently capable of counter-attack. However, the Defence Committee recently noted that UK Armed Forces “…have capability shortfalls and stockpile shortages, and are losing personnel faster than they can recruit them.”[27]
Key uncertainties/unknowns
The resilience of critical infrastructure is being challenged to an ever-greater degree with the proliferation of more sophisticated cyber capabilities across a wider range of state and sub-state actors, criminal gangs and terrorist groups.[22] However, assessing risks to critical infrastructure is difficult, as hybrid threats are intentionally obscure.[28]
The MoD believes that readiness can contribute to deterrence by demonstrating preparedness and resolve.[29] However, the Defence Committee has noted that the MoD now provides less information on readiness and there is “no regular mechanism which allows [Parliament] to scrutinise ministerial decisions on readiness and their impact.”[28]
Key questions for Parliament
- What further steps should the UK take to improve the resilience of its critical infrastructure, and where should government investment be prioritised?
- Given that infrastructure investment requires planning and financial commitments possibly over decades, how will the government manage investment over shorter parliamentary cycles?
- What role does defence play in protecting critical infrastructure, and could it play a greater role in responding to any incident?
- How can the UK deter potential adversaries from attacking our critical infrastructure?
- What information on military readiness is needed by parliament to allow it to properly undertake its scrutiny function?
Related documents
- Joint Committee on the National Security Strategy, Readiness for storms ahead? Critical national infrastructure in an age of climate change, 27 October 2022.
- Science, Innovation and Technology Committee, Cyber resilience of the UK’s critical national infrastructure, 24 April 2024.
- House of Commons Defence Committee, Ready for War? 30 January 2024.
References
[1] Cybersecurity and Infrastructure Security Agency (2024). Critical Infrastructure Security and Resilience.
[2] Cabinet Office (2024). Adapting to Evolving Threats: A Summary of Critical 5 Approaches to Critical Infrastructure Security and Resilience.
[3] The National Academies Press (2013). A Ready and Resilient Workforce for the Department of Homeland Security: Protecting America’s Front Line | The National Academies Press.
[4] HM Government (2023). National Risk Register 2023 edition.
[5] National Cyber Security Centre (2023). NCSC Annual Review 2023.
[6] World Economic Forum (2023). The Global Risks Report 2023.
[7] Wikipedia (2024). Carrington Event.
[8] Joint Committee on the National Security Strategy (2022). Readiness for storms ahead? Critical national infrastructure in an age of climate change.
[9] National Cyber Security Centre (2023). NCSC Annual Review 2023.
[10] Science, Innovation and Technology Committee (2023). Cyber resilience of the UK’s critical national infrastructure.
[11] NCSC (2024). NCSC joins partners to issue warning about China state-sponsored cyber activity targeting CNI networks.
[12] Stone, M. (2023). MI5 boss says ‘tens of thousands’ of UK companies at risk from Chinese AI threat. Sky News.
[13] NCSC (2024). NCSC warns of enduring and significant threat to UK’s critical infrastructure.
[14] NCSC (2024). NCSC and partners issue warning over North Korean state-sponsored cyber campaign to steal military and nuclear secrets.
[15] Lynn, G. and Menon, S. (2024). NHS cyber security: Ex security chief warns of future attacks. BBC News.
[16] HM Government (2023). National Risk Register 2023.
[17] North Atlantic Treaty Organisation (2024). NATO – Topic: Countering hybrid threats.
[18] Brookings (2023). Making sense of the Baltic cable incidents.
[19] Kirby, P. (2024). German spying: Two men held over suspected Russian sabotage plot. BBC News.
[20] Vock, I. (2024). Man arrested in Poland over alleged Russia plot to kill Zelensky. BBC News.
[21] The Economist (2024). Russia is ramping up sabotage across Europe.
[22] Reuters (2024). Russia says it will strike British targets if UK weapons are used to hit its territory.
[23] MI5 (2022). Director General Ken McCallum gives annual threat update.
[24] HM Government (2023). Integrated Review Refresh 2023.
[25] Ministry of Defence (2023). Defence’s response to a more contested and volatile world.
[26] Defence Committee (2024). One-off session with the Secretary of State.
[27] Defence Committee (2024). Ready for War?.
[28] Bilal, A (2021). Hybrid Warfare – New Threats, Complexity, and ‘Trust’ as the Antidote. Nato Review.
[29] Ministry of Defence (2022). UK Defence Doctrine.
Photo by: Lawrence Chismorie on Unsplash