
Cyber attacks on Critical National Infrastructure continue to grab headlines, and rightly so. If we want to maintain a ‘normal’ way of life, both in work and leisure, then we need energy, water, and communications. Yet the sector is facing a growing cyber challenge:
Critical infrastructure worldwide was hit by over 420 million cyberattacks between January 2023 and January 2024 - the equivalent of 13 attacks every second. This marked a 30% increase compared with 2022, showing that attackers are scaling their campaigns dramatically (Industrial Cyber). At the same time, the FBI reported a 9% year-on-year increase in ransomware complaints against U.S. critical infrastructure in 2024, with manufacturing, healthcare, government, and IT services all impacted (Reuters).
Incident reports also reflect that both the frequency and sophistication of attacks are increasing sharply as of early 2025, with adversaries exploiting edge devices, targeting operational technology environments, and blurring the lines between state-linked and criminal campaigns (Axios).
Over the past 24 months, Cydea has been working with one of the UK’s primary electricity distributors to strengthen their cyber security and ‘keep the lights on’ amidst the increasing scale and complexity of cyber threats.
The need to change
Our client understood they needed change: “We knew the evolving threat landscape required more than just basic defences - we needed a strategic shift in how we approached cyber risk.” They knew that to stay ahead of emerging risks and the ever-changing threat landscape they needed to mature their security practices by enhancing both their strategy and their operations.
Fortunately, our client’s ambition to improve aligned perfectly with the regulator’s desire to uplift the security of national infrastructure organisations that fall within their remit. This uplift came in the form of the Cyber Assessment Framework Enhanced Profile. The enhanced profile aims to take Operators of Essential Services (OES) from being able to protect themselves against and respond to attacks from unskilled, unmotivated adversaries, to being able to protect themselves against and recover from motivated, well-funded, advanced persistent threats.
Using risk as the ‘Why’
Both our customer and the regulator understood that any changes made to requirements had to be focused on risk. By using risk and risk reduction as the ‘why’ for any actions, all stakeholders could be confident that resources and grants were being correctly allocated and funded. Cydea used our specialist knowledge at every stage to not only define the ‘why’ but also develop and implement the ‘how’.
Cydea’s subject matter experts were on hand to guide the client every step of the way: from the initial gap analysis, the detailing of security improvement projects and the development of a target operating model to capture all the proposed uplifted capabilities, through to the risk assessment that was used to align the findings and proposals.
As a measure of the engagement’s success, our experts’ activities directly contributed to our client receiving a £20 million investment to implement their security improvement plans. “Cydea’s work didn’t just tick boxes, it helped us unlock serious investment and confidence from our stakeholders.”
But Cydea didn’t step away after funding was granted. We narrowed our focus to uplifting the organisation’s Governance, Risk and Compliance (GRC) function. Both Cydea and the client knew that this team, as the foundation for continuing to meet the Enhanced Profile, needed to be experienced, resilient and dynamic. They needed the tooling, processes and people in place to ensure that the enhanced capabilities developed and delivered by Cydea could be operated by the Business as Usual (BAU) team.
In just over three months, Cydea designed and delivered a suite of 56 comprehensive Policies and Standards aligned to more than 2500 legal, regulatory and framework requirements. The documents were written in plain English, so they were easy to understand, and were used to steer the subsequent eight-figure security improvement project.
We then worked with our client to develop bespoke tooling that would not only support internal governance and continuous improvement, but also allow dynamic risk assessment at an asset level. That’s right; each and every asset group. The tooling goes beyond achieving Enhanced Profile compliance and allows the organisation to be ‘control centric’.
What we achieved
Going beyond static, once-a-year risk assessments, the client now has the capability to monitor control compliance – and in turn framework compliance – in real time. They can also assign risks to assets dynamically as architecture changes or the threat landscape evolves.
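A minimal model of what ‘control centric’, asset-level tooling looks like, added here as an illustration and not Cydea’s or the client’s code: framework outcomes map to controls, controls apply to asset groups, and an asset group that enters scope through an architecture change shows as a gap for its outcomes until its controls are evidenced. The outcome, control and asset-group names are constructed.

```python
from collections import defaultdict

class ControlRegister:
    """Outcomes map to controls; controls apply to asset groups; compliance is derived."""

    def __init__(self, outcomes):
        self.outcomes = outcomes        # outcome id -> list of control ids
        self.scope = defaultdict(set)   # control id -> asset groups in scope
        self.state = {}                 # (control id, asset group) -> implemented?

    def add_asset_group(self, group, control_ids):
        # A new or re-architected asset group enters scope for its controls and
        # defaults to "not implemented", so the gap is visible until evidenced.
        for control in control_ids:
            self.scope[control].add(group)
            self.state.setdefault((control, group), False)

    def set_state(self, control, group, implemented):
        if group not in self.scope[control]:
            raise KeyError(f"{group} is not in scope for {control}")
        self.state[(control, group)] = implemented

    def control_coverage(self, control):
        # Fraction of in-scope asset groups on which the control is implemented.
        groups = self.scope[control]
        return sum(self.state[(control, g)] for g in groups) / len(groups) if groups else 1.0

    def outcome_gaps(self, outcome):
        # Asset groups missing any control mapped to the outcome: where a risk
        # should be assigned against that outcome.
        return sorted({g for c in self.outcomes[outcome] for g in self.scope[c]
                       if not self.state[(c, g)]})

    def framework_compliance(self):
        # Fraction of outcomes with no gap, recomputed from live control state.
        return sum(not self.outcome_gaps(o) for o in self.outcomes) / len(self.outcomes)

def build_sample_register():
    # Constructed sample: three outcomes, three controls, then an architecture
    # change (new laptop estate) that lands in scope for MFA without evidence.
    reg = ControlRegister({"OUT-ACCESS": ["CTL-MFA"], "OUT-VULN": ["CTL-PATCH"],
                           "OUT-MONITOR": ["CTL-LOGGING", "CTL-PATCH"]})
    reg.add_asset_group("scada-servers", ["CTL-PATCH", "CTL-LOGGING"])
    reg.add_asset_group("substation-hmi", ["CTL-MFA", "CTL-PATCH"])
    for control, group in list(reg.state):
        reg.set_state(control, group, True)       # all evidenced: fully compliant
    reg.add_asset_group("corporate-laptops", ["CTL-MFA"])
    return reg
```

After the laptop estate is added, MFA coverage drops to 50% and only the access outcome falls out of compliance, so the risk is assigned to that one asset group rather than re-assessed across the whole organisation.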
Cydea made sure BAU was on the journey with us. “Unlike other partners, Cydea didn’t leave us with a pile of documents, they worked hand-in-hand to ensure our team could carry it forward.” At every stage, the BAU team was trained, conducted user acceptance testing (UAT) and shadowed our consultants as they carried out a risk assessment using the enhanced tool set.
The result is that our client now has a GRC function that is engaged, has true, real-time insight into the organisation’s risk, and has the ability to ensure that controls are owned and implemented to mitigate their risk.
After many months, our client is truly audit-ready: “Thanks to this partnership, we’ve built not just compliance, but a culture of cyber resilience.” More importantly, their ‘why’ is consistently at the forefront of their thinking and will continue to drive key activities, ensuring better ongoing cyber security, and keeping the lights on for all of us.