What will attackers target in 2025? CNI, CNI, and more CNI!
Critical national infrastructure (CNI) has had a rough 2024 in the UK when it comes to cybercrime, from the chaos caused by a teenager who hacked into TfL to the dangerous impact on the NHS after the Synnovis breach. And let us not forget the ongoing fallout from the Sellafield breach in December 2023.
These are just a few of the notable cases of a much wider problem, with Bridewell finding that 60 percent of UK CNI organizations experienced at least one ransomware attack over the past 12 months.
And according to Trevor Dearing, Director of Critical Infrastructure at Illumio, the problem shows no sign of slowing down in 2025. He explained, “we’ll see a major attack on CNI, like energy, that will cripple essential services and halt basic operations for days. The impact could lead to unprecedented public disruptions such as power outages and massive hospital evacuations.”
CNI organizations' reliance on supply chains to operate also worsens the problem. Attackers will not just target individual companies but the interconnected networks of suppliers and partners that support them, according to James Neilson, SVP International at OPSWAT.
“Threat actors will compromise OT suppliers or contractors, using them as conduits to introduce malware that disrupts operations or damages physical infrastructure,” said Neilson. “Such attacks could result in power outages, halted production lines, or safety-to-life events.”
This is echoed by Matt Caffrey, Senior Solutions Architect, ANZ at Barracuda, who believes “cybercriminals will likely continue exploiting vulnerabilities in outdated systems and supply chains.” It is crucial for companies to “invest in stronger, more adaptive security frameworks,” argues Caffrey.
Adding to these points, Dearing believes that a major CNI attack will force “a much-needed rethink by government and industry in cyber resilience and how we protect and operate essential services.”
What are governments doing to tackle cyber threats against CNI?
The new NCSC CEO, Richard Horne, warned in his debut speech that “the defense and resilience of critical infrastructure, supply chains, the public sector, and [the UK's] wider economy must improve.”
We have seen governments across the world react to the increasing threat cybercriminals pose to CNI. The UK government announced that the Cyber Security and Resilience Bill will go through Parliament in 2025. In the King’s Speech, the government noted the importance of improving CNI and supply security standards, particularly in the public sector.
Meanwhile, in the EU, NIS2 came into enforcement in October 2024, with all CNI sectors falling under the scope of the EU law. While it is believed these laws will help improve security standards across CNI, many security experts believe companies need to go further.
One of the biggest challenges for next year will be balancing cybersecurity spending. “Compliance demands, while absolutely necessary, shouldn’t distract security leaders from focusing on these more strategic issues,” said Pierre Samson, Co-Founder and CRO of Hackuity.
Andrew Lintell, General Manager, EMEA at Claroty, expects the push for greater transparency when it comes to security standards will continue. “Companies that demonstrate progress in meeting milestones will likely gain a reputational edge, especially with investors increasingly attuned to regulatory and security risks,” explained Lintell.
So, the question on everyone’s lips will be: what does it take to secure the UK’s critical infrastructure?
Priorities when securing critical infrastructure
Claroty’s Lintell points out the importance of companies establishing a joint IT-OT security task force that reports directly to the board. “Bridging the cultural divide between IT and OT teams will be key; those companies that foster a strong security culture across these domains will be better prepared to identify and address gaps in real time,” said Lintell.
Illumio’s Dearing argues that “OT environments will begin to look a lot more like IT environments,” and traditional security architectures will become “obsolete in favor of modern approaches like Zero Trust that promise greater gains in operational and cyber resilience.”
There has been increasing demand for approaches such as Zero Trust, which divide networks and protect critical assets. In 2025, there will be “an increased focus on prioritizing the most critical sites or assets with proper segmentation, developing zones, and conduits to wall off those highest-value product assets,” according to Matt Wiseman, Director of Product Marketing at OPSWAT.
While securing OT assets is key to protecting CNI organizations, many industrial employees lack the “knowledge, skills, and judgment needed to recognize phishing attempts or suspicious behavior, increasing the risk of threats, both intentional and unintentional,” according to Kev Breen, Senior Director of Cyber Threat Research at Immersive Labs.
In the eyes of Max Vetter, VP of Cyber at Immersive Labs, “there will be a need and desire for more effective hands-on exercising and drills that gives their workforce practice and builds confidence in their cyber skills.”
2025 -- the year CNI is secured?
Ultimately, securing the UK’s critical national infrastructure is a complex and pressing challenge that requires action on multiple fronts. While new legislation like the Cyber Security and Resilience Bill and NIS2 marks an important step toward bolstering defenses, real progress will depend on organizations going beyond compliance.
It will require CNI organizations to evaluate how their security controls protect their most critical assets and ensure that employees have the awareness and understanding needed to respond effectively to cyber threats.
With the stakes higher than ever, 2025 must be the year when CNI organizations and their partners unite to build resilience and ensure the protection of the systems that underpin modern society.
Robin Campbell-Burt is CEO at Code Red