Three Quarters of UK CNI Attacks Were State Sponsored
Three Quarters of UK CNI Attacks Were State Sponsored , Here’s What That Changes Three Quarters of UK CNI Attacks Were State Sponsored , Here’s What That Changes Yesterday, Richard Horne, the head of GCHQ’s National Cyber Security Centre, stood at the Royal United Services Institute in London and delivered one of the most direct assessments of the UK’s security posture in recent memory. In the twelve months between June 2025 and May 2026, the NCSC managed over 200 incidents affecting UK critical national infrastructure. Of those incidents, 75% were believed to be linked to state actors. That number deserves to sit with you for a moment. Three quarters of the attacks on the infrastructure that underpins this country — its energy networks, its water systems, its transport, its financial institutions — were not the work of opportunistic criminal groups or lone actors. They were the work of nation-states. Organised, resourced, and patient. Richard Horne put it plainly: “To some degree, we are fighting them today”. He is right. And the conversation that follows from that statement needs to go further than it currently does. Mark Hobday, CEO Critec Group The Conversation That Isn’t Happening Every major piece of commentary that has followed the RUSI speech has focused,understandably, on cyber defences. Firewall architecture. Legacy systems. AI-enabled attack vectors. Threat intelligence sharing. These are the right conversations. They are urgent and they matter. But there is a parallel conversation that is not happening at anything like the same volume — and it is one that those of us working in physical security and critical infrastructure protection have been having for years. When a nation-state targets critical national infrastructure, it does not limit itself to digital means. The adversaries pre-positioning footholds in UK infrastructure today are not doing so purely through code. Physical access, supply chain infiltration, insider placement, and the exploitation of the gap between cyber and physical security teams are all part of how sophisticated state actors operate. Richard Horne acknowledged this directly when he warned that adversaries are “establishing footholds within technology that underpins critical national infrastructure.” Footholds are not just digital. They are operational. They are physical. The Gap Between Cyber and Physical There is a structural problem in how most UK CNI organisations are currently configured. Their cyber security function and their physical security function operate largely in parallel — separate teams, separate budgets, separate reporting lines, and often, separate assumptions about where the threat comes from. This separation made reasonable sense in a different threat environment. When the primary risk was opportunistic criminal activity, the cyber team handled the network and the physical security team handled the gate. The two rarely needed to speak. State actor threats do not respectthat organisational boundary. When a sophisticated adversary is mapping your infrastructure — identifying which systems are physically accessible, which staff have elevated privileges, which contractors have access to sensitive areas — they are gathering both categories of intelligence simultaneously. A server room that requires a keycard can be accessed by someone with a cloned card, a social engineering play, or a contractor who has been quietly cultivated. The cyber team will not necessarily know it happened. The physical security team will not necessarily understand its significance. This is the gap that state actors understand and exploit. And it is the gap that most CNI security strategies have not yet closed. What “Pre-Positioning” Actually Means on the Ground The NCSC’s language around pre-positioning is important. Horne described adversaries “establishing footholds within technology that underpins CNI that could enable rapid exploitation to cause mass disruption in a time of conflict.” Pre-positioning is a military concept. It means getting assets, access, and intelligence in place before the moment of activation — so that when the order comes, the capability is already there. In physical security terms, we have seen the equivalent of this before. Not always from state actors, but from organised groups who invest time in access and trust before using it. The insider threat that has been cultivated over months. The contractor who knows the layout of every facility they have visited. The access credential that has never been reviewed. The difference now is the scale and the intent behind it. When the actor is a nation-state with strategic objectives, the pre-positioning is more deliberate, more patient, and more difficult to detect — precisely because it does not look like a threat until it is activated. Three Things CNI Organisations Should Be Asking The NCSC’s call for “every board member and every executive in every organisation” to strengthen defences is the right instinct. But strengthening defences has to include the physical layer. These are the questions that CNI security leaders should be asking right now — not just of their cyber teams, but of their physical security function. 1. Do you have a unified threat picture? Are your cyber and physical security teams operating from the same threat intelligence, or are they working in separate silos? A nation-state threat actor will be gathering intelligence across both dimensions. Your defensive posture needs to reflect that. 2. When did you last review physical access at the points where cyber and physical converge? Server rooms, network infrastructure, control systems, and OT environments all have a physical dimension. When was the last time access credentials were audited, contractor access was reviewed, and perimeter controls around critical systems were tested? 3. Are your people prepared for the human element of state-actor targeting? Social engineering, insider cultivation, and supply chain infiltration are human problems before they are technical ones. Training, culture, and clear escalation protocols are part of the physical security response to a state-level threat. A National Security Issue, Not Just a Corporate One Richard Horne’s speech yesterday was a statement of urgency. The threat to UK critical national infrastructure is not theoretical, it is not future-tense, and it is not limited to the digital plane. When 75% of incidents on your most critical national systems can be attributed to hostile states, the nature of the challenge changes. It is no longer sufficient to treat security as a compliance exercise or a technical problem to be solved by the IT team. It becomes a question of national resilience




















