UK CNI Under Attack: 93% Hit by Successful Cyber Attacks — and the Defences Aren’t Keeping Up
Ninety-three percent.
That’s not a typo. That’s the percentage of UK Critical National Infrastructure organisations that experienced at least one successful cyber attack in the past 12 months, according to Bridewell’s 2026 CNI survey of 600 cybersecurity professionals across 13 sectors. The figure barely moved from the prior year’s 95%.
When more than nine in ten organisations tasked with keeping the lights on, the water flowing, the trains running, and the hospitals operating are getting successfully attacked, the problem isn’t that defenders are bad at their jobs. The problem is structural.
The UK’s critical infrastructure is under-resourced, over-reliant on legacy systems, and governed by a regulatory framework that’s eight years out of date. The Cyber Security and Resilience Bill is supposed to fix the last part. Whether it fixes the first two is another question entirely.
The Attacks That Actually Happened

The 93% statistic isn’t abstract. It maps directly to incidents that disrupted real services and real lives.
Synnovis NHS — June 2024
The Qilin ransomware group — Russian-linked — hit the NHS pathology services provider Synnovis in June 2024. The damage:
- 10,000+ outpatient appointments postponed
- 1,700 elective procedures cancelled, including cancer treatments and organ transplants
- Blood transfusion IT systems severely impacted, triggering a type-O blood supply shortage
- 2 patients suffered long-term or permanent health damage
- Total cost: £32.7 million (revised to £37.7 million by Howden)
The root cause? Reportedly, the absence of two-factor authentication on the compromised access. In a separate incident the same year, ransomware also hit Alder Hey, a children’s hospital in Liverpool.
Transport for London — September 2024
Scattered Spider hit TfL. Ten million people’s data stolen — names, phone numbers, emails. Online services disrupted. The Dial-a-Ride service for disabled passengers suspended. Customers locked out of Oyster accounts.
The cost: £39 million, including £5 million on external support alone. TfL’s operating surplus was cut from £61 million to £23 million. The attack exploited a legacy system.
Southern Water — January 2024
Black Basta ransomware. 5-10% of customer data stolen, staff data compromised. Cost: £4.5 million. Southern Water claimed no impact on water treatment — but the data was gone before they knew they’d been hit.
MoD Payroll — May 2024
270,000 current and former armed forces personnel affected. Names, bank details, addresses — all compromised through a third-party payroll provider (SSCL/Sopra Steria). Suspected Chinese state affiliation, though never officially attributed.
This is what the 93% looks like in practice. Not a statistic. A hospital cancelling cancer treatments. A transport network losing £39 million. A defence ministry unable to protect its own personnel records.
💡 £27 billion — the estimated annual cost of cyber attacks to the UK economy. The average data breach costs £3.6 million. CNI attacks cost more, take longer to recover from, and have consequences that can’t be measured in pounds.
The Response Time Problem
Here’s the number that should alarm anyone responsible for CNI security: 98% of surveyed organisations describe themselves as “cyber resilient.”
And here’s why that confidence is misplaced:
- Data theft: Average response time ~10 hours
- Ransomware: Average response time ~9 hours
- Supply chain attacks: Average response time ~8 hours
- Time for threat actors to exfiltrate data: Minutes
The defenders are responding in hours. The attackers are completing their objectives in minutes. That gap isn’t a response time problem. It’s an architecture problem.
Worse: fewer than half of CNI organisations have established communications plans as part of their incident response. The weakest component across all sectors isn’t detection or containment — it’s the ability to tell people what’s happening while it’s happening.
A quarter of breaches in CNI organisations were only discovered when data appeared on the dark web. The defenders didn’t detect the attack. They found out about it from the criminals.

The Investment Collapse

The funding trajectory for CNI cyber security is going in exactly the wrong direction.
- IT cybersecurity budgets fell from 44% to 33% of total IT spend between 2023 and 2024
- OT cybersecurity budgets fell from 43% to 30% in the same period
At the same time:
- Supply chain attacks averaged 6 incidents per organisation in the past year
- 35% of CNI security leaders cite lack of security monitoring as a primary concern — particularly in OT environments
- 49% of businesses have cyber skills gaps in basic technical areas
Attacks are increasing. Budgets are shrinking. The skills pipeline isn’t keeping pace. And the legacy systems that power much of the UK’s critical infrastructure were never designed with cybersecurity in mind.
The TfL attack exploited a legacy system. The Synnovis attack exploited the absence of basic multi-factor authentication. These aren’t sophisticated zero-day exploits. They’re the consequences of underinvestment in fundamentals.
The Supply Chain Multiplier
Supply chain attacks are the defining threat to UK CNI, and the numbers show why.
Average of 6 supply chain incidents per organisation in the past year. Cloud infrastructure accounts for 25% of primary attack vectors. Applications and software account for 19%. Human layer: 14%. Supply chain itself: 14%.
The MoD payroll breach came through a third-party provider. Synnovis was a third-party NHS pathology service. The Cyber Security and Resilience Bill is directly targeting this vulnerability — bringing Managed Service Providers into regulatory scope for the first time, with £100,000/day fines for non-compliance.
But the Bill hasn’t passed yet. And when it does, secondary legislation will take months to implement. The regulatory response is 18-24 months behind the threat environment.
Who’s Coming After UK CNI
The NCSC’s 2024 Annual Review identified 89 nationally significant incidents and 12 severe incidents — a threefold increase in high-impact incidents versus the prior year. 317 ransomware incidents involving data exfiltration or extortion, up from 297 in 2023.
NCSC CEO Richard Horne’s assessment was blunt: “There is an ever-widening gap between the threat and our exposure to it, and the defences that are in place to protect us.”
The threat actors aren’t hiding. Russia is identified as inspiring non-state threat actors to target Western CNI. Chinese state-affiliated groups are suspected in the MoD breach. Ransomware groups — Qilin, Black Basta, Scattered Spider — are operating with near-impunity.
The UK is experiencing four “nationally significant” cyber attacks per week. 211 nationally significant incidents in the 12 months to August 2025 — a 137% increase. The NCSC is managing one significant incident every two days.
The question isn’t whether UK CNI will be attacked. It’s whether the infrastructure can absorb the hits.
The Regulatory Gap
The current regulatory framework — the NIS Regulations 2018 — was designed for a different era. It covers Operators of Essential Services and Relevant Digital Service Providers, enforced by sector-specific regulators using the NCSC’s Cyber Assessment Framework.
The gaps are well-documented:
- MSPs aren’t regulated (being fixed by the Bill)
- Data centres weren’t CNI until September 2024
- Supply chain obligations are limited
- Incident reporting timelines are vague and sector-dependent
- Enforcement tools are weak — penalties rarely used despite theoretical maximums of £17 million
35% of CNI organisations now cite regulatory requirements as the primary driver of cyber maturity — up from 26% the prior year. Regulation is becoming the forcing function. But the regulation isn’t there yet.
The EU moved faster. NIS2’s transposition deadline for member states was October 2024, and it covers broader sectors including public administration, space, food, and manufacturing. It also includes personal liability for management bodies, something the UK hasn’t adopted. The UK, no longer bound to transpose EU directives, is deliberately diverging in design, favouring flexibility over prescription.
That flexibility has a cost: while the UK debates the optimal regulatory architecture, the attacks continue.
What CNI Organisations Need to Do
The Bridewell data tells a clear story about where the gaps are:
- Enforce multi-factor authentication: The Synnovis attack was reportedly enabled by the absence of two-factor authentication. This isn’t a technology problem. It’s a priority problem.
- Monitor OT environments: 35% of CNI security leaders cite lack of security monitoring, particularly in operational technology, as a primary concern. You can’t defend what you can’t see.
- Build incident response communications: Fewer than half have established comms plans. When an attack hits, telling people what’s happening is half the battle.
- Replace legacy systems: TfL’s attack exploited a legacy system. If your critical infrastructure runs on software that’s past end-of-life, you’re not running infrastructure — you’re running a liability.
- Map supply chain dependencies: Six supply chain incidents per year per organisation. You need to know who has access to what, and what happens when they’re compromised.
- Stop self-assessing as “resilient”: 98% say they’re resilient. 93% got successfully attacked. Those numbers can’t both be meaningful.
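The “map supply chain dependencies” and “enforce multi-factor authentication” items above are the two that can be turned into a repeatable check rather than a slogan. The following is an added example, not code from Bridewell, the NCSC or any of the organisations named in this article: it takes a constructed inventory of third-party access (supplier → internal system, and internal system → internal system trust paths), walks the graph from each supplier to find every system a compromised supplier could reach, flags which of those systems underpin an essential service, and records whether the supplier’s entry point has MFA enforced. All supplier names, system names and edges are hypothetical.

```python
"""Supply-chain blast radius: who has access to what, and what falls if they are compromised.

Added example with a constructed, hypothetical inventory. Nothing here is real
organisational data; the node names only echo the kinds of systems in the article.
"""
from collections import deque

# Edge: (source, target, attributes). Sources are suppliers or internal systems.
# "mfa" is True/False on a supplier's interactive entry point; None on internal
# machine-to-machine interfaces where an MFA prompt does not apply.
EDGES = [
    ("payroll-provider", "hr-database",       {"via": "sftp", "mfa": False}),
    ("pathology-lab",    "lims",              {"via": "vpn",  "mfa": False}),
    ("lims",             "blood-transfusion", {"via": "hl7",  "mfa": None}),
    ("lims",             "patient-records",   {"via": "hl7",  "mfa": None}),
    ("msp-helpdesk",     "active-directory",  {"via": "rdp",  "mfa": True}),
    ("active-directory", "hr-database",       {"via": "ldap", "mfa": None}),
    ("active-directory", "patient-records",   {"via": "sso",  "mfa": None}),
    ("scada-vendor",     "historian",         {"via": "vpn",  "mfa": True}),
    ("historian",        "plc-network",       {"via": "opc",  "mfa": None}),
]
# Systems whose loss stops an essential service (hypothetical classification).
ESSENTIAL = {"blood-transfusion", "plc-network", "patient-records"}
SUPPLIERS = {"payroll-provider", "pathology-lab", "msp-helpdesk", "scada-vendor"}


def build_graph(edges):
    """Adjacency list: node -> list of nodes it can reach directly."""
    graph = {}
    for src, dst, _ in edges:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph


def blast_radius(graph, start):
    """Breadth-first walk from a compromised node.

    Returns {reachable_node: path_from_start}, excluding the start itself.
    BFS gives the shortest path, i.e. the fewest hops an attacker needs.
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    del paths[start]
    return paths


def entry_without_mfa(edges, suppliers):
    """Supplier entry points where MFA is explicitly not enforced."""
    return [(s, d) for s, d, attrs in edges if s in suppliers and attrs["mfa"] is False]


def rank_suppliers(edges, suppliers, essential):
    """Rank suppliers by essential systems reachable, then MFA gap, then total reach."""
    graph = build_graph(edges)
    weak = {s for s, _ in entry_without_mfa(edges, suppliers)}
    rows = []
    for supplier in sorted(suppliers):
        reach = blast_radius(graph, supplier)
        hit = sorted(set(reach) & essential)
        rows.append({
            "supplier": supplier,
            "reachable": len(reach),
            "essential": hit,
            "mfa_gap": supplier in weak,
            "paths": {target: reach[target] for target in hit},
        })
    rows.sort(key=lambda r: (len(r["essential"]), r["mfa_gap"], r["reachable"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in rank_suppliers(EDGES, SUPPLIERS, ESSENTIAL):
        flag = "NO MFA" if row["mfa_gap"] else "mfa ok"
        print(f"{row['supplier']:<18} reach={row['reachable']} essential={row['essential']} [{flag}]")
        for target, path in row["paths"].items():
            print(f"    {target}: {' -> '.join(path)}")
```

Run on the constructed inventory, the pathology supplier ranks first: it has no MFA on its VPN entry point and sits two hops from both the blood-transfusion system and patient records, the same shape as the Synnovis incident described earlier. The point of keeping the inventory as plain edges is that it can be regenerated from a CMDB or identity-provider export and re-ranked every time a supplier contract or firewall rule changes.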
The Honest Assessment
The UK’s CNI cyber posture is improving — incrementally, unevenly, and too slowly relative to the threat.
The NCSC is more active and better resourced than at any point in its history. The Cyber Security and Resilience Bill, when it passes, will close the most obvious regulatory gaps. Government action — the Cyber Growth Action Plan, the parliamentary inquiry into CNI resilience, the enhanced NCSC mandate — is directionally correct.
But directional correctness doesn’t stop ransomware. Investment in fundamentals does. And the investment trend line — budgets down 10+ percentage points while attack frequency rises 137% — suggests the UK is trying to solve a scaling problem with static resources.
The NCSC’s warning should be taken at face value: “The UK needs to wake up to the severity of the cyber threat it faces.”
Ninety-three percent. That’s not a wake-up call. That’s the alarm going off for another year running.
Related Reading
- UK Cyber Security and Resilience Bill: Why MSPs Are About to Become the Front Line — The legislation designed to close the gaps this article exposes
- UK Postponing AI Compliance Deadlines: The Country That Can’t Decide What It Wants to Regulate — How the UK’s AI posture contrasts with its cyber hardening
- UK FCA Crypto Licensing Regime — Another sector getting regulated after years of inadequate oversight
Sources
- Bridewell — Cyber Security in CNI 2026
- Bridewell — Cyber Security in CNI 2025
- New Civil Engineer — 93% of UK CNI operators faced cyber attacks
- NHS England — Synnovis cyber incident
- Digital Health — Synnovis attack cost £32.7m
- Howden — Synnovis cyber attack analysis
- BBC — TfL cyber attack
- Computer Weekly — Scattered Spider attack on TfL
- Bleeping Computer — Southern Water attack cost £4.5m
- The Guardian — MoD payroll breach
- NCSC Annual Review 2024
- The Register — NCSC Annual Review
- NCSC — Cyber Security and Resilience Bill policy statement
- GOV.UK — Cyber Security and Resilience Bill collection
- GOV.UK — Cyber Growth Action Plan 2025
- UK Parliament — CNI cyber resilience inquiry
- Sentinel Resilience — CNI report analysis
- DLA Piper — UK Bill vs NIS2 comparison
- ISMS.online — UK CNI providers struggling
- DSIT — Cyber security skills in the UK labour market 2025
