Documents to download

Control Room

The recent ‘WannaCry’ ransomware attack affected organisations around the world, including over 60 NHS trusts, some of whom cancelled operations and clinical appointments. In 2015, the Ukraine suffered the first confirmed instance of a disruptive cyber-attack on an electricity network, which caused a power outage that affected 225,000 customers. The UK Government says that foreign states or state-sponsored groups regularly attempt to penetrate UK networks, targeting in particular the defence, finance, energy, telecommunications and government sectors.

This note focuses on critical national infrastructure, the majority of which is privately owned. Many sector-specific regulators cover aspects of cyber security, with varying enforcement powers and responsibilities, but much of the Government’s support to private operators consists of optional information sharing, guidance and assessment. The Government aims to better understand the state of cyber security across UK critical infrastructure, and is currently reviewing regulation to ensure it has the measures in place to intervene where necessary.

Key Points

  • Critical national infrastructure (CNI) refers to infrastructure whose disruption would have significant national impact. The Government organises CNI into thirteen sectors, each with a lead Department that identifies which infrastructure qualifies as CNI in their sector. CNI is making increasing use of computer systems connected into large networks, and often to the internet. This is raising the potential for cyber-attacks to achieve physical disruption.
  • A variety of technical and organisational measures can improve cyber security, but it is impossible to guarantee invulnerability from cyber-attack. For this reason, measures to ensure service continuity during an attack and full recovery after an attack are also important.
  • The Government published its second five-year national cyber security strategy in 2016. Noting that the previous strategy’s dependence on market forces to drive cyber security improvement did not achieve sufficient progress, the new strategy promises greater Government intervention.
  • There is a global cyber skills shortage, with a particular shortfall identified in the UK. Specific challenges for CNI cyber security include the need for people with experience of infrastructure technologies as well as computer systems, and nationality requirements for certain roles.
  • Potential motivations for launching cyber-attacks include conducting espionage and disrupting the essential services provided by CNI. Over 30 nations are thought to be developing offensive cyber capabilities, including the UK.


POSTnotes are based on literature reviews and interviews with a range of stakeholders. They are externally peer reviewed. POST would like to thank the following interviewees and peer reviewers for kindly giving up their time during the preparation of this briefing:

  • The National Cyber Security Centre
  • The Cabinet Office
  • Ofcom
  • The Office for Nuclear Regulation
  • Bank of England
  • NHS Digital
  • The European Union Agency for Network and Information Security
  • Stuart Aston, Microsoft
  • Stephanie Daman, Cyber Security Challenge UK
  • Paul Fidler, Energy Networks Association
  • Andrew Fitzmaurice, Templar Executives Ltd.
  • Professor Chris Hankin, Imperial College London
  • Professor Chris Johnson, University of Glasgow
  • Mike Loginov, Ascot Barclay
  • Dr Jim Marshall, Water UK
  • Talal Rajab, techUK
  • Matt Shreeve, Helios
  • Professor Peter Sommer, Birmingham City University
  • Professor Martyn Thomas, Gresham College

Documents to download

Related posts

  • People’s behaviour has a major role in the success of test, trace and isolate programmes. Uncertainty about whether to report symptoms, low perceived risk of COVID-19 disease and concerns about the consequences of self-isolation are among the barriers to adherence. Has the Scientific Advisory Group for Emergencies looked at adherence to TTI? What evidence is there on people’s understanding and willingness to be tested, provide contact details and self-isolate? Is there anything that can be done to improve this?

  • Test, trace and isolate programmes across the UK are under pressure as COVID-19 cases rise in all age groups and demand for tests grows. Further pressure comes from people seeking tests because they have symptoms caused by other respiratory viruses but need a test in order to rule out COVID-19. The Scientific Advisory Group on Emergencies has described the impact of current test and tracing on the transmission of the virus as “marginal”. How does test and trace work and what are the current challenges limiting its effectiveness in reducing COVID-19 cases?

  • Some occupational groups have experienced higher rates of both COVID-19 infections and related deaths. Many people who work within these groups are involved in caring for people or patients that are more likely to be infected, or have otherwise been unable to work from home during the peaks of transmission. Which occupations have been most affected, what factors are contributing to this risk and are some sectors of the population being impacted more than others?