Cybersecurity services firm Bridewell revealed that the top challenges facing critical national infrastructure (CNI) organizations are consistent with last year – mainly being data privacy, cyber resilience and cloud security. Survey data also recognized numerous potential attack vectors in operational technology (OT) environments, with cloud services and internet access standing out as notable concerns. While the adoption of cloud for OT applications is still emerging, it raises apprehension. However, internet access should be less worrisome due to NIS regulations emphasizing restricted direct access. Nonetheless, CNI organizations may have legitimate reasons for connecting OT systems to the internet, making them acutely aware of the associated risks.
In its report titled ‘Cyber Security in Critical National Infrastructure Organisations: 2025,” Bridewell found that most third-party experts in the OT sector would expect remote access to be the main avenue of attack that most organisations fear. “The fact it is not suggests OT is an area where risk-perception differs from the reality in many organisations.”
Bridewell recognized that in the energy sector, Ofgem has been very active about the implementation of NIS regulation requirements, which makes these results all the more surprising. “In the survey, 37% of energy organisations are concerned about cloud services. Looking at other sectors we can see web browsing and internet access are of particular concern to broadcast media organisations (cited by 45%), while for central government it is weak user credentials (highlighted by 35%).”
Respondents continue to identify malware and phishing as the two most significant threats, with cloud platform attacks not far behind. The growing interconnectivity between OT and IT systems presents a potential entry point for malware, a fact many organizations are already aware of. All threats to OT environments have seen slight increases compared to last year, when we asked a slightly different question about the biggest risks.
Notably, there has been a 71 percent rise in the perception of DDoS attacks as a significant threat. The heightened concern about social engineering reflects the rise in phishing incidents as well as improved cyber awareness. This comes as 95 percent of U.K. CNI organizations experienced a data breach in the past year, with 25 percent of them only discovering the breach once an attacker notified them. Also, 83 percent of these organizations are concerned about AI-powered phishing attacks, while 95 percent are using AI-driven tools in their operations.
Bridewell disclosed that the level of outsourcing in OT and IT to be similar and to have changed little since last year. The exceptions are increases in use of outsourced security operations sectors (larger than in IT) and managed detection and response capabilities (which showed a one percentage point decline in IT). Vulnerability management emerged as a key concern for CNI businesses, closely followed by a lack of security monitoring/threat detection and insecure ICS/OT protocols.
“Vulnerability management is a high-profile approach with much attention in IT. It is, however, less well-suited to OT,” Bridewell reported. “The lack of security built into the majority of ICS components helps explain the level of concern among respondents. Organisations are likely to come to this from an IT viewpoint, having deliberated on the CAF framework with a focus on vulnerability management. Yet, while patching programmable logic controllers is laudable (and expensive) it still leaves them exposed to instructions from any source that has gained access to the network.”
“As cyber threats continue to evolve, UK CNI organisations must prioritise rapid incident detection and response, as well as bolster their cyber security maturity and strengthen resilience against supply chain risk,” Anthony Young, CEO at Bridewell, said in a media statement. “With AI taking a bigger role in both attacks and defences, organisations must remain proactive to safeguard critical infrastructure and national security, especially in a tumultuous geo-political climate.”
The report revealed that confidence in cybersecurity has increased slightly, as has levels of outsourcing for cybersecurity and managed security services. This year, AI has unsurprisingly become a prominent topic, dominating discussions across the industry for better or worse. Several questions have been included to explore the AI-related threats that concern respondents and how AI is currently being utilized.
Furthermore, the 2024 Cyber Security in CNI report highlighted increased worries about data privacy, prompting the addition of more questions to identify specific concerns shared by CNI organizations in this area. Additionally, there has been a deeper delve into topics such as supply chain risk, operational technology, and risk assessments.
Bridewell disclosed that 56 percent of CNI organizations anticipate their cybersecurity investment will increase next year. “After a very significant dip in cyber security investment in 2024, more organisations have increases in mind in both IT and OT, which is welcome news. Time will tell whether the planned investment increase will occur, or whether budgets will become constricted once more.”
Bridewell reported that 41 percent of organizations are reskilling their current workforce, compared to 43 percent in 2024, to enhance their cybersecurity talent pool over the next two to three years. To tackle the cybersecurity skills gap, U.K. CNI organizations are prioritizing the reskilling of existing employees, collaborating with external partners, and establishing apprenticeship programs within the same timeframe.
The study revealed that 37 percent of CNI organizations have incurred costs exceeding £500,000 due to ransomware attacks. This is concerning, especially since the research also highlighted that incident response times remain sluggish, with only minor improvements. Given that delays of over an hour can lead to significant issues, it is alarming that 69 percent of CNI organizations are taking up to six hours to respond to ransomware incidents.
“The longer an attack persists before an organisation remediates it, the greater the potential damage,” Bridewell identified. “This research found average response times were similar between different types of attack but encouragingly, organisations have improved their speed overall compared to last year’s survey. This is reflected in the 22% of organisations that respond to a ransomware attack within an hour, 21% achieving the same response time for data theft or disclosure, and 20% for supply chain attacks.”
Phishing was nevertheless among the three most common types of attack or incident that organizations experienced, along with malware and unauthorised access to systems. “A successful phishing attack is often the precursor to a ransomware or malware attack. It therefore remains extremely important for organisations to take phishing seriously to avoid significant consequences.”
Among the different sectors surveyed, the water industry stands out for its response time to incidents of data theft or disclosure. Half (50 percent) of respondents from this industry say they can respond to such incidents within an hour, compared with an average of 29 percent across all organizations surveyed. In insurance, 35 percent of respondents said their organization is capable of responding to ransomware attacks within an hour, compared with 12 percent in the rail industry.
Looking ahead, Bridewell said that the most successful CNI entities will refine detection, streamline their tools for greater efficiency, and coordinate closely with regulators and partners to stay aligned with emerging standards. “Pragmatic investment in people, processes, and technology will underpin a safer and more resilient future. Adherence to cyber security best practice – doing the simple things regularly and observing cyber hygiene rules – is essential. AI-powered threats are no use if they cannot penetrate systems in the first place.”
The report added that if CNI organizations follow best practice and collaborate with specialist third-parties, their high levels of confidence reported in this survey may prove well-founded.
