NCSC Chief Warns Hostile States are Behind Three-Quarters of Attacks on UK Critical National Infrastructure

UK NCSC: Hostile States Behind 75% of Attacks on Critical Infrastructure

HIGH
June 18, 2026
5m read
Policy and Compliance · Threat Actor · Industrial Control Systems

Related Entities

Organizations
  • National Cyber Security Centre (NCSC)
  • Royal United Services Institute (RUSI)

Other
  • United Kingdom
  • Russia
  • China
  • Iran
  • Richard Horne


Executive Summary

In a major policy speech, Dr. Richard Horne, CEO of the UK's National Cyber Security Centre (NCSC), revealed that state-sponsored actors are the primary threat to the nation's critical services. Of the more than 200 significant cyber incidents affecting UK Critical National Infrastructure (CNI) over the past year, an estimated 75% are attributed to hostile states. Horne emphasized that nations like Russia, China, and Iran are actively 'prepositioning' within UK networks, establishing dormant footholds that could be activated to cause mass disruption during a geopolitical crisis. He called for a paradigm shift from viewing cybersecurity as a 'risk to be managed' to seeing it as an 'ongoing contest' requiring continuous investment in defensive capabilities and a proactive, rather than reactive, posture.


Regulatory Details

This announcement does not introduce a new regulation but serves as a high-level strategic warning to organizations governed by existing UK cybersecurity laws, primarily the Network and Information Systems (NIS) Regulations. The NCSC's findings signal to CNI operators that regulatory scrutiny will likely intensify and that the definition of 'appropriate and proportionate' security measures must be re-evaluated in the context of persistent, state-level threats. Horne's speech implies that simple compliance is insufficient and that organizations must demonstrate a dynamic and resilient security posture capable of withstanding sophisticated adversaries.

Affected Organizations

The warning is directed at all operators of UK Critical National Infrastructure and their supply chains. This includes, but is not limited to, organizations in the following sectors:

  • Energy (electricity, oil, gas)
  • Finance
  • Water
  • Healthcare
  • Transportation
  • Telecommunications
  • Media

Compliance Requirements

Horne's 'contest' framing suggests that CNI operators must go beyond baseline compliance. Key obligations under the NIS Regulations, which will now be viewed through this heightened threat lens, include:

  • Risk Management: Moving from a passive risk acceptance model to an active threat-hunting and defense model.
  • Security Measures: Implementing robust, multi-layered defenses that assume a breach is possible and focus on detection, response, and recovery.
  • Incident Reporting: Maintaining a low threshold for reporting anomalous activity to the NCSC, as even minor events could be indicators of state-sponsored prepositioning.
  • Supply Chain Security: Vigorously vetting and monitoring the security of technology suppliers, as they are a key vector for state-sponsored intrusion.

Implementation Timeline

This is not a policy with a deadline but a strategic declaration of the current threat environment. The NCSC is urging immediate action from CNI operators to reassess their security posture. The warning about AI-enabled attacks exploiting legacy CNI tech by 2028 sets a medium-term horizon for modernization and hardening efforts.

Impact Assessment

The primary impact is a call to action for a fundamental change in cybersecurity culture within UK CNI. Horne's speech aims to shift board-level conversations from 'how much risk are we willing to accept?' to 'are we capable of winning the contest against our adversaries?'

  • Operational Impact: CNI operators will face pressure to increase investment in threat hunting, incident response capabilities, and security personnel. The focus on 'prepositioning' means a greater emphasis on detecting dormant implants, not just active attacks.
  • Business Impact: The cost of securing CNI will likely rise. However, this is positioned as a necessary investment to prevent catastrophic disruption that could result from a successful state-sponsored attack on essential services.
  • Threat Actor: The speech specifically names Volt Typhoon, a China-linked group known for living-off-the-land techniques and prepositioning in US infrastructure, as an example of the type of threat the UK is facing.

Enforcement & Penalties

While the speech itself carries no direct penalties, it serves as a warning that the NCSC and other regulators will likely take a harder line during audits and incident investigations. Organizations that suffer a breach and are found to have ignored these warnings by failing to address basic security hygiene or adopt a proactive defense could face more severe regulatory fines under the NIS Regulations.

Compliance Guidance

  1. Assume Compromise: Adopt a Zero Trust mindset. Do not assume any part of your network is secure. Focus on detecting lateral movement and anomalous activity within your perimeter.
  2. Prioritize Fundamentals: Horne noted that many attacks succeed due to basic failures. Master the fundamentals: patch management, strong authentication (MFA), and network segmentation.
  3. Hunt for Prepositioning: Go beyond preventing intrusion. Actively hunt for signs of dormant compromise. This includes looking for unusual scheduled tasks, suspicious service accounts, and living-off-the-land binaries being used in unexpected ways.
  4. Engage with NCSC: Foster a strong relationship with the NCSC. Share threat intelligence and report incidents promptly. Utilize NCSC guidance and services to bolster your defenses.

Timeline of Events

  1. June 17, 2026: NCSC CEO Richard Horne delivers a speech at RUSI, revealing the scale of state-sponsored attacks on UK CNI.
  2. June 18, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Implement robust network segmentation between IT and OT environments, and within CNI zones, to contain intrusions and prevent lateral movement.
  • Enforce MFA for all remote access and for access to critical systems to defend against credential compromise.
  • Audit (M1047, Enterprise): Implement comprehensive logging and monitoring to detect anomalous activity indicative of 'living-off-the-land' techniques.
  • Address fundamental security weaknesses by maintaining a rigorous patch management program for all systems, especially legacy OT components.

D3FEND Defensive Countermeasures

To detect the 'prepositioning' activities described by the NCSC, CNI operators must implement User Behavior Analysis (UBA). This involves baselining normal activity for all user and service accounts and alerting on deviations. For example, a UBA system should flag when an administrative account that is normally used only during business hours logs in at 3 AM, or when a service account for an HVAC system suddenly attempts to access a file server. This is crucial for detecting 'living-off-the-land' attacks where adversaries use valid credentials. By focusing on anomalous behavior rather than known-bad signatures, organizations can identify a compromised account before it's used for a disruptive attack.
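The baseline-and-deviation logic described above, as an added example that is not part of the article or of any NCSC guidance: it learns each account's hour-of-day window and its usual destinations from a learning period, then flags the 3 AM administrative login and the HVAC service account reaching a file server. The log lines, account names and hosts are constructed for illustration.

```python
# Added example (not from the article): a minimal UBA-style baseline-and-deviation check.
# Log lines below are constructed; the format is "timestamp account source -> destination".
from collections import defaultdict
from datetime import datetime

BASELINE_EVENTS = """
2026-06-01T09:12:00 admin.ops ws-admin01 -> dc01
2026-06-02T14:40:00 admin.ops ws-admin01 -> hist01
2026-06-01T00:00:00 svc_hvac bms01 -> hvac-ctl01
2026-06-02T23:00:00 svc_hvac bms01 -> hvac-ctl01
""".strip().splitlines()

NEW_EVENTS = """
2026-06-17T03:02:00 admin.ops ws-admin01 -> dc01
2026-06-17T11:30:00 admin.ops ws-admin01 -> dc01
2026-06-17T06:10:00 svc_hvac bms01 -> fileserver01
""".strip().splitlines()

def parse(line):
    ts, account, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), account, src, dst

def build_baseline(lines):
    """Per account: the hour-of-day window and the destinations seen in the learning period."""
    hours = defaultdict(set)
    dests = defaultdict(set)
    for line in lines:
        ts, account, _, dst = parse(line)
        hours[account].add(ts.hour)
        dests[account].add(dst)
    return {a: {"window": (min(hours[a]), max(hours[a])), "dests": dests[a]} for a in hours}

def detect_anomalies(baseline, lines):
    """Return (account, reason, line) for events outside the account's learned profile."""
    alerts = []
    for line in lines:
        ts, account, _, dst = parse(line)
        profile = baseline.get(account)
        if profile is None:
            # An account with no history at all is itself worth a look.
            alerts.append((account, "no baseline for account", line))
            continue
        lo, hi = profile["window"]
        if not lo <= ts.hour <= hi:
            alerts.append((account, f"hour {ts.hour:02d} outside window {lo:02d}-{hi:02d}", line))
        if dst not in profile["dests"]:
            alerts.append((account, f"new destination {dst}", line))
    return alerts
```

Calling `detect_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS)` yields two alerts: the admin account at 03:02 and the HVAC service account's first contact with fileserver01; the 11:30 admin login falls inside the learned window and is not flagged.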

In the context of protecting CNI from state-sponsored threats, aggressive network isolation and segmentation is paramount. This goes beyond a simple IT/OT split. Critical control systems should be placed in micro-segments or 'enclaves' with strict, default-deny firewall rules that only permit essential, pre-defined communication. For example, a PLC controlling a water pump should only be able to communicate with its specific HMI and data historian on specific ports, and nothing else. This containment strategy ensures that even if an adversary gains a foothold in the broader OT network, they cannot move laterally to reach and manipulate the most critical industrial processes. This directly counters the 'prepositioning' threat by severely limiting the blast radius of a compromise.
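The pump-PLC enclave policy described above, as an added example that is not from the article: an explicit allowlist of the only two flows the PLC may take part in, a default-deny evaluator, and a renderer that turns the allowlist into nftables forward-chain rules with a drop policy. Host names, addresses and the Modbus/TCP and OPC UA ports are constructed assumptions; the rendered chain is meant to sit inside an nftables table of your own.

```python
# Added example: a default-deny allowlist for a PLC enclave, modelled and rendered in Python.
# Hosts, addresses and ports are constructed for illustration, not taken from the article.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

# Constructed enclave inventory (hypothetical addresses).
HOSTS = {"plc-pump01": "10.10.10.11", "hmi-pump01": "10.10.20.5",
         "hist01": "10.10.30.7", "eng-ws01": "10.10.40.21", "fileserver01": "10.20.1.9"}

# The only flows the pump PLC may take part in: its HMI over Modbus/TCP (502)
# and its data historian over OPC UA (4840). Everything else is dropped.
ALLOWLIST = {
    Flow("hmi-pump01", "plc-pump01", "tcp", 502),
    Flow("plc-pump01", "hist01", "tcp", 4840),
}

def evaluate(flow: Flow) -> str:
    """Default-deny: a new connection is accepted only if it exactly matches an allowlist entry."""
    return "accept" if flow in ALLOWLIST else "drop"

def to_nft_rules(allowlist, hosts) -> list:
    """Render the allowlist as an nftables forward chain whose policy is drop."""
    rules = ["chain forward {", "  type filter hook forward priority 0; policy drop;",
             "  ct state established,related accept"]
    for f in sorted(allowlist, key=lambda x: (x.src, x.dst, x.dport)):
        rules.append(f"  ip saddr {hosts[f.src]} ip daddr {hosts[f.dst]} "
                     f"{f.proto} dport {f.dport} ct state new accept")
    rules += ['  log prefix "enclave-drop " drop', "}"]
    return rules

def denied_flows(flows):
    """Flows that hit the drop rule; from inside an enclave these are lateral-movement signals."""
    return [f for f in flows if evaluate(f) == "drop"]

if __name__ == "__main__":
    sample = [Flow("hmi-pump01", "plc-pump01", "tcp", 502),
              Flow("eng-ws01", "plc-pump01", "tcp", 502),      # engineering workstation, not allowed
              Flow("plc-pump01", "fileserver01", "tcp", 445)]  # PLC reaching IT, not allowed
    for f in sample:
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {evaluate(f)}")
    print("\n".join(to_nft_rules(ALLOWLIST, HOSTS)))
```

The log-then-drop rule at the end of the chain is what turns the enclave into a sensor: any hit on it from an OT address is a candidate prepositioning or lateral-movement event for the SOC.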

Deploying an OT-specific decoy environment, or honeypot, is an effective way to detect and analyze state-sponsored threats. Create a virtualized network segment that mimics your real production environment, complete with decoy PLCs, HMIs, and engineering workstations. This environment should have no production connectivity and be heavily monitored. Any interaction with this decoy network is, by definition, malicious. This provides high-fidelity alerts and allows security teams to safely observe adversary TTPs—such as how they attempt to discover industrial protocols or manipulate control logic—without risking real-world operations. The intelligence gathered can then be used to strengthen defenses in the actual production environment.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

NCSC, UK, Critical Infrastructure, State-Sponsored, APT, Volt Typhoon, Cyber Warfare, Policy
