Blogs & Opinions 24.04.2025

Keeping the lights on: How exposed is UK CNI to a major cyber attack?

Could life imitate fiction when it comes to CNI threats?

Phil Tonkin asks whether Netflix thriller Zero Day may be a portent of bad things to come

Netflix’s latest political thriller, Zero Day, tells the story of a devastating cyber attack on US critical national infrastructure (CNI) which leaves millions affected. Given today’s heightened geopolitical tensions and increasingly sophisticated cyber-threat actors, could it be a warning of things to come?

Safeguarding CNI

UK CNI has always been a key target for threat actors looking to disrupt public assets, critical services and utilities. Operational technology (OT) is the spine which supports the delivery of water, energy, food, essential chemicals and fuel, and the operation of transport and logistics hubs we take for granted. Unfortunately, too many organisations providing these services have failed to build suitable resilience into their OT.

Attacks might come from state-sponsored operatives, hacktivists or even criminal groups. Whatever the source, adversaries are increasingly adept at exploiting known vulnerabilities, weak remote access configurations, and exposed OT assets to penetrate industrial environments. A lack of visibility into these assets conceals the full scope of these attacks from network defenders.

Strained geopolitics intensifies threat levels

State-sponsored threat actors are increasingly collaborating with hacktivist groups, leading to a hybrid threat model where the latter amplify state objectives through shared infrastructure and intelligence. Governments use these arms-length groups for plausible deniability, allowing for more aggressive attacks that are harder to attribute.


Established threat groups Kamacite and Electrum have successfully targeted oil & gas, electric, defence and manufacturing infrastructure in Ukraine and elsewhere in Europe. The UK is particularly exposed to the threat of Russian attacks given its support for Ukraine. This has led to increased defence spending, and an uptick in reporting and awareness across the cybersecurity space.

Ransomware becomes a broader threat

Findings from Dragos’ 2025 OT/ICS Cybersecurity Year in Review report reveal an 87% increase in ransomware attacks against industrial organisations over the past year. This sharp uptick in victims, which includes CNI providers in sectors such as transportation, oil and gas, and electric, highlights that threat actors value the leverage they have when ransomware threatens operational downtime and disruption.

It’s not just the volume of ransomware attacks increasing, but the number of organised threat groups. In 2023, there were 50 such groups globally, but this number increased to 80 in 2024.

In addition to traditional ransomware groups, hacktivists are now employing ransomware as part of an evolution in their operations against a variety of industrial targets. They understand that hitting these sectors not only brings financial reward, but also widespread disruption to potentially millions of people.

Always proactive, never reactive

Industrial systems weren’t built with cybersecurity as a priority, and adversaries exploit weaknesses in traditional OT assets and protocols as a result. To avoid nationwide outages and disruption, security teams must implement the SANS Institute’s 5 Critical Controls for OT Cybersecurity. These are: an ICS-specific incident response plan; a defensible architecture with proper network segmentation; continuous ICS network visibility and monitoring; secure remote access with multi-factor authentication (MFA); and risk-based vulnerability management.


While these critical controls have formed the foundation of strong cybersecurity for a number of years, one component is gaining even more importance. Threat hunting has become a fundamental defence strategy as attackers exploit known vulnerabilities, remote access weaknesses, and supply chain gaps at an accelerating rate. Organisations that proactively search for threats and adversarial activity within their environments gain a crucial advantage in preventing attacks before they escalate.
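As an added illustration of what the monitoring, segmentation and threat-hunting controls above look like at the packet level, the following Python script is not code from the article or from Dragos. It parses Modbus/TCP requests, checks each one against a simple zone model, and flags three things a hunter would want to see: writes to a controller from any host that is not an engineering workstation, traffic entering the OT zone from outside it, and frames whose MBAP length field does not match the bytes on the wire. The IP ranges, host roles and captured frames are all constructed for the example.

```python
"""Hunt for unexpected Modbus/TCP writes and cross-zone traffic.

Added example, not from the original article. The zone model, the host
roles and the sample frames below are constructed for illustration.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (coil/register writes).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

# Constructed zone model: the OT zone, the only hosts allowed to write,
# and the HMI subnet that is expected to read.
OT_ZONE = ipaddress.ip_network("10.10.0.0/16")
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.10.1.5")}
HMI_SUBNET = ipaddress.ip_network("10.10.2.0/24")


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse an MBAP header (7 bytes) plus PDU; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The length field counts the unit id and the PDU, so a well-formed
    # frame is exactly 6 + length bytes long.
    if len(frame) != 6 + length:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def classify(src: str, dst: str, frame: bytes) -> list:
    """Return policy findings for one request (empty list means allowed)."""
    findings = []
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip not in OT_ZONE:
        return findings  # only traffic into the OT zone is policed here
    if src_ip not in OT_ZONE:
        findings.append(f"cross-zone: {src} outside OT zone reached {dst}")
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        findings.append(f"malformed Modbus from {src}: {exc}")
        return findings
    if req.function_code in WRITE_FUNCTIONS:
        if src_ip not in ENGINEERING_WORKSTATIONS:
            findings.append(
                f"write fc={req.function_code} to unit {req.unit_id} "
                f"from non-engineering host {src}")
    elif src_ip not in HMI_SUBNET and src_ip not in ENGINEERING_WORKSTATIONS:
        findings.append(f"read fc={req.function_code} from unexpected host {src}")
    return findings


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a well-formed Modbus/TCP request (used to construct the sample)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture: (source, destination, frame bytes).
SAMPLE = [
    # HMI reading 10 holding registers: expected.
    ("10.10.2.20", "10.10.5.1", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    # Engineering workstation writing one register: expected.
    ("10.10.1.5", "10.10.5.1",
     build_frame(2, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")),
    # HMI writing a register: a write from a host that should only read.
    ("10.10.2.20", "10.10.5.1", build_frame(3, 1, 6, struct.pack(">HH", 0, 1))),
    # Corporate IT host forcing a coil: cross-zone and an unauthorised write.
    ("192.168.50.7", "10.10.5.1", build_frame(4, 1, 5, struct.pack(">HH", 0, 0xFF00))),
    # Length field claims 6 bytes follow but only 2 do: malformed frame.
    ("10.10.9.9", "10.10.5.1", b"\x00\x05\x00\x00\x00\x06\x01\x03"),
]


def hunt(records=SAMPLE) -> list:
    """Run every record through the policy and collect the findings."""
    return [f for src, dst, frame in records for f in classify(src, dst, frame)]


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

The same structure carries over to other OT protocols: a parser that rejects frames the specification does not allow, a zone model that says who may talk to whom, and a short allowlist of hosts permitted to change process state. The useful output is not the volume of alerts but the handful of writes and cross-zone flows that nobody can explain.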

Lessons to be learned

The events of Zero Day may be fiction, but there are parallels with the current global threat landscape. State and non-state actors are a growing and increasingly sophisticated threat. And CNI is now a favoured target.

Putting the necessary monitoring and defence systems in place is the first step to countering a cyber attack on UK CNI. But the people operating CNI also need to be trained in the response protocols to follow if an attack strikes, particularly in the event of ransomware.

Defenders must adopt continuous monitoring, proactive threat hunting, and incident response capabilities tailored for OT environments. To avoid the events of Zero Day, the time for passive defence has passed.

Phil Tonkin is Field Chief Technology Officer at Dragos, where he uses his experience in the energy sector to provide technical insight and strategic guidance in securing industrial operations. His career has included roles in: electricity transmission, distribution, and generation; gas transmission, distribution, and storage; and IT.
