Global conflicts accelerate cyber threats against UK CNI
Geopolitical tensions are stoking cyber threats to UK critical infrastructure. State actors and ransomware groups are targeting industrial systems. Operators must improve visibility
Conflicts in Ukraine and the Middle East as well as growing tensions between Western nations and Russia and China are having direct consequences for the security of critical national infrastructure worldwide. And for UK operators of essential services, they are driving measurable increases in cyber threats that target the industrial systems that keep energy flowing, water clean, and manufacturing fully operational.
From the perimeter to the process
While there have been cases of state-sponsored attacks on critical infrastructure, most cyber adversaries have focused the vast majority of their efforts on breaking into corporate IT systems to gather information and credentials. During this time, industrial organisations were not the primary target because of their industrial nature – they were collateral. But in recent years cyber attackers have grown more aware of industrial organisations as high-value targets.
Take last year’s ransomware attack on Jaguar Land Rover. This attack wasn’t targeting industrial equipment, yet production lines stopped, supply chains seized, and disruption ensued. The incident highlighted how the connections between organisations matter as much as the defences within them. And while ransomware like the JLR attack causes disruption from the outside in, a different category of threat is now emerging from groups that have moved far deeper into industrial environments.
Of the three newly identified threat groups tracked by Dragos last year, two have demonstrated Stage 2 capability, meaning they have crossed from IT into OT networks and are now able to interact with specific industrial control system technologies. These groups are probing ports, interfacing with industrial protocols, mapping devices, and building an understanding of the physical processes those devices govern, from power generation and water treatment to manufacturing lines.
These tactics, techniques and procedures (TTPs) are consistent with pre-positioning reported by public sources. The US government and allied nations have publicly attributed Chinese-linked groups to a sustained campaign of pre-positioning inside critical infrastructure, believed by these agencies to be establishing persistent access intended for activation during a Taiwan contingency to disrupt power, communications, or essential services. Separately, groups with ties to Iranian interests have been tracked targeting industrial environments as Middle Eastern instability continues to escalate. In both cases, the access is being built now, against the backdrop of active conflicts, as preparation for future disruption.
The barrier to entry for targeting industrial environments is falling in other ways too. Threat intelligence teams have recently observed adversaries using large language models to automate target development at a pace that manual operations cannot match.
Ransomware is compounding the problem
State-sponsored pre-positioning is not the only threat intensifying globally. The number of ransomware groups targeting industrial entities rose 49% over the past year, with 119 groups affecting more than 3,300 organisations. The true number is almost certainly larger: ransomware hitting a Windows machine running a human-machine interface or process control software is routinely classified as an IT incident because the device runs a familiar operating system, even when the function the device performs is entirely OT. This reporting gap means the sector is making risk decisions on incomplete data and underestimating the true scale of industrial ransomware exposure.
Manufacturing sits at the top of ransomware’s target list because the sector embraces newer technologies and cycles through equipment faster than energy or water. Every upgrade cycle widens the gap between what’s deployed and what’s defended. Newer devices run standard operating systems and open-source libraries, removing the specialist knowledge barrier that once stood between adversaries and OT environments.
What UK operators should do now
UK infrastructure operators do not control the geopolitical forces driving this escalation, but they do control their readiness. Firstly, UK organisations need to realise the boundary has been crossed. With 81% of architecture reviews revealing poor IT-OT segmentation, operators should be assessing whether an adversary with IT access has a viable path into their OT systems - and acting on the findings rather than just documenting them.
There is also an urgent need for UK organisations to close the visibility gap. Less than 10% of OT networks are monitored globally, and what isn’t seen isn’t detected. Monitoring OT network traffic is no longer a discretionary investment for any organisation whose operations underpin public services.
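The two findings above, an adversary with IT access reaching into OT and a single host interfacing with industrial protocols across many devices, are both visible in ordinary network flow records once OT traffic is monitored. The following is an added illustration, not code from the article or from Dragos: it runs two simple checks over a handful of constructed flow records, using assumed IT and OT address ranges and the default ports of common industrial protocols.

```python
import ipaddress
from collections import defaultdict

# Network layout assumed for this example (constructed): corporate IT range and plant OT range.
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("192.168.100.0/24")]

# Default TCP ports of common industrial protocols (Modbus/TCP, S7comm, DNP3, EtherNet/IP).
ICS_PORTS = {502: "modbus", 102: "s7comm", 20000: "dnp3", 44818: "enip"}

# Constructed flow records (src, dst, dport): an engineering workstation doing
# routine polling, and one corporate host reaching across into the plant network.
FLOWS = [
    ("192.168.100.10", "192.168.100.20", 502),   # EWS -> PLC, expected polling
    ("192.168.100.10", "192.168.100.20", 502),
    ("10.10.5.23", "10.10.1.5", 445),            # IT -> IT file share, not in scope here
    ("10.10.5.23", "192.168.100.20", 502),       # IT -> OT, Modbus
    ("10.10.5.23", "192.168.100.21", 502),
    ("10.10.5.23", "192.168.100.22", 102),       # IT -> OT, S7comm
    ("10.10.5.23", "192.168.100.23", 20000),     # IT -> OT, DNP3
]

def zone(ip: str) -> str:
    """Label an address as IT, OT or unknown from the assumed ranges."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in OT_NETS):
        return "OT"
    if any(addr in n for n in IT_NETS):
        return "IT"
    return "unknown"

def it_to_ot_crossings(flows):
    """Flows that cross the IT/OT boundary: each is a segmentation finding to act on."""
    return [f for f in flows if zone(f[0]) == "IT" and zone(f[1]) == "OT"]

def device_mapping_sources(flows, min_devices=3):
    """Sources that have spoken an industrial protocol to at least min_devices distinct
    OT devices. Broad, multi-protocol reach from one host is the device-mapping
    behaviour described above; a poller talking to its usual PLC is not."""
    seen = defaultdict(set)
    for src, dst, dport in flows:
        if dport in ICS_PORTS and zone(dst) == "OT":
            seen[src].add((dst, ICS_PORTS[dport]))
    return {src: sorted(devs) for src, devs in seen.items() if len(devs) >= min_devices}

if __name__ == "__main__":
    for f in it_to_ot_crossings(FLOWS):
        print("IT->OT crossing:", f)
    for src, devs in device_mapping_sources(FLOWS).items():
        print(f"{src} reached {len(devs)} OT devices:", devs)
```

In a real deployment the address ranges and the device threshold would come from the site's asset inventory, and the flows from the OT network sensor rather than a hard-coded list.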
Reporting blind spots across the sector need to be addressed before the true scale of industrial ransomware exposure can be understood. Ransomware affecting devices performing OT functions needs to be classified by the operational role of the system, not by the IT system running on the affected machine. Without accurate classification, the sector will never build an honest picture of its exposure. In parallel, tabletop exercises and incident response planning need to be designed to reflect the threat as it exists today, not the threat of three years ago. Tabletop exercises testing a single organisation's response to an isolated intrusion no longer reflect the operating environment. Exercises need to simulate disruption across dependency chains and test whether suppliers and partners can continue operating under simultaneous pressure from the same adversary or campaign.
Where next?
State-sponsored attacks and the surge in ransomware groups targeting industrial organisations are not separate trends. They are compounding pressures on the same set of UK infrastructure operators, and they are increasing in parallel. The threat groups tracked over the past year are building capability inside industrial environments now, and they are doing so against the backdrop of conflicts that show no sign of easing.
UK infrastructure operators won’t out-run adversaries. What they can do is shut the gaps that adversaries depend on – poor segmentation, missing visibility, ransomware misclassified as IT, and exercises that test individual perimeters rather than the full dependency chain. More information on these best practices can be found in the framework published by the SANS Institute, The Five ICS Cybersecurity Critical Controls.
Magpie Graham is VP, Strategic Intelligence at Dragos
