
A Guide to Critical National Infrastructure Resilience in the UK

  • Writer: Paul Davies
  • Oct 27

Updated: Oct 31

The UK's Critical National Infrastructure (CNI) is the essential foundation upon which the country’s stability, economy, and public safety rely. This encompasses vital sectors such as energy, transport, finance, health, and digital communications. When these systems are compromised, the consequences are immediate and catastrophic. The economic reliance on these services is immense; for example, the UK economy derives over £6.7 billion per annum in benefits from systems like Global Navigation Satellite Systems (GNSS) that underpin CNI operations, all of which are vulnerable to disruption.


For organisations operating within this sphere, security is not a compliance exercise; it is a national responsibility and a strategic imperative. A siloed or static security approach is simply no match for the sophisticated and converging threats now leveraged by state actors, organised crime, and hacktivists. Building true resilience requires a methodical, multi-domain strategy that recognises the absolute synergy between physical and cyber defence.


The Unique Threat Landscape Facing UK CNI

CNI providers are high-value targets due to their low tolerance for outages, the sensitive data they hold, and their profound impact on national security. The threat landscape they navigate is complex, driven by strategic adversaries who treat security as a holistic concept.


Hybrid and State-Led Threats

The nature of the threats facing CNI extends far beyond typical criminal activity. UK government agencies consistently warn that state-sponsored actors and non-state threat actors, often inspired by geopolitical conflicts, are actively targeting essential services.

Threats are often hybrid, meaning they combine military and non-military, covert and overt means, including disinformation, economic pressure, and cyber-attacks. While many CNI organisations focus on protecting against direct, kinetic physical attacks, the modern reality is that subtle intrusions, such as drone surveillance or targeted physical access attempts, are often precursors to a larger digital operation. A significant percentage of CNI organisations face threats from within.


Cyber-Physical Convergence

The most significant challenge for CNI is the convergence of the cyber and physical domains, particularly concerning Operational Technology (OT). Many industrial control systems rely on outdated technology, making them uniquely vulnerable to attack and difficult to secure.


Hostile actors recognise that accessing a poorly secured physical component, such as an environmental control unit or an access panel, can provide the necessary foothold for a deep cyber intrusion. Organisational resilience is inherently dual domain; assuming robust physical security in a cyber scenario, or vice versa, is a failure of imagination that can lead to catastrophic security gaps.


Compliance and Governance

The UK government has responded to these escalating threats by significantly toughening the regulatory framework governing essential services. CNI operators must not only comply with existing regulations but must strategically adapt to new legislation and frameworks that demand higher standards of governance.


Adhering to the NCSC Cyber Assessment Framework (CAF)

The National Cyber Security Centre (NCSC) developed the Cyber Assessment Framework (CAF) as the primary tool to help organisations assess and improve their cyber resilience. The CAF is mandatory for operators of essential services under the Network and Information Systems (NIS) Regulations and provides a systematic way of measuring security against expected outcomes.


The framework is structured around four main security objectives:

  • Objective A: Managing Security Risk - Establishing appropriate organisational structures, policies, and processes to understand, assess, and systematically manage security risks.

  • Objective B: Protecting Against Cyber Attack - Implementing proportionate security measures to protect core functions and critical systems.

  • Objective C: Detecting Security Events - Implementing monitoring capabilities to detect anomalies and security breaches.

  • Objective D: Minimising Impact - Ensuring capability to respond to and recover from security incidents to minimise their impact on essential functions.


This framework compels CNI leaders to view security as a risk management function that is integral to overall business governance, rather than a technical silo.


Strengthening the Supply Chain

The new UK Cyber Security and Resilience Bill 2025 is poised to further strengthen regulatory oversight, particularly focusing on supply chain weaknesses. Recognising that supply chain vulnerabilities have caused real-world incidents, the new legislation imposes stronger security duties on CNI operators regarding their suppliers. This proactive legislative change is vital, as a physical security failure at a supplier’s manufacturing site, for instance, could compromise equipment before it is even installed at a CNI facility. This is why comprehensive supply chain guidance and audit are now a core requirement for strategic resilience.


Building a Multi-Domain Defence (The Physical Strategy)

The process of securing CNI must always begin with a methodical assessment of risk, followed by the deployment of certified physical measures that align with the strategy's goals.


Protective Security Risk Management (PSRM)

In line with guidance from the National Protective Security Authority (NPSA), a successful strategy starts with Protective Security Risk Management (PSRM). This methodical process identifies the specific threats to a site and measures them against existing vulnerabilities to calculate the risk. This rigorous analysis provides the factual data needed to make informed investment decisions, a vital step before any expenditure on technology or physical structures. For more on this critical first step, our page on Physical Security Surveys and Risk Assessments details our methodical approach.


The Role of Physical Barriers

In CNI, physical defence is built around the principle of deter, deny, detect, delay, and respond. The 'delay' phase is crucial, as it provides the necessary time for security personnel to intervene. This requires certified physical security solutions that are tested against standards for forced entry.


Key physical security measures for CNI sites include:

| Physical Measure | Primary Standard/Guidance | Strategic Purpose |
|---|---|---|
| High-Security Fencing | LPS 1175, Secured by Design | Deter & Delay: Provides a certified minimum delay against forced entry attempts using specific tool kits. |
| Hostile Vehicle Mitigation (HVM) | PAS 68 / IWA 14-1 | Deny: Prevents the use of vehicles as weapons to penetrate perimeters or buildings. |
| NPSA-Approved Doors/Locks | NPSA Guidance, LPS 1175 | Deny: Ensures all entry points resist a determined, forcible attack. |
| Integrated Access Control | Automatic Access Control Systems (AACS) | Deny & Detect: Audits and restricts access, preventing unauthorised entry and tailgating. |
| Security Lighting | NPSA Guidance | Deter & Detect: Improves CCTV quality and discourages activity by increasing visibility. |

Achieving Dual-Domain Resilience

A truly resilient organisation must take active steps to break down organisational silos:


1. Integrating Governance and Leadership

Overall responsibility for security, covering physical, cyber, and human domains, should be assigned to a senior leader whose role is independent of service delivery. This ensures that security decisions are made based on holistic risk and strategic mandate, rather than departmental budgets or priorities. Procurement must also be leveraged as a security driver, with common minimum security requirements built into every contract to ensure the supply chain is secure.

2. Conducting Full-Spectrum Resilience Exercises

Organisational resilience must be tested with dual-domain attack scenarios. It is insufficient to run a physical outage exercise one month and a cyber-attack exercise the next.

  • Cyber-Physical Tabletop Exercises: These simulated attacks should involve mixed-capability teams (physical security, IT, OT, executive leadership) who are encouraged to use both digital and physical skills to inflict damage. 

  • Focus on the Adversarial Chain: Exercises should focus on the entire chain of attack, from an initial physical reconnaissance to the final digital exploitation of an Industrial Control System (ICS).


This integration ensures that response teams, including those managing Crisis Management and Business Continuity Planning, are prepared for the true complexity of a modern incident.


3. Continuous Assessment and Proactive Defence

Security is an ongoing cycle of assessment and improvement. Given that many CNI systems rely on legacy or outdated technology, proactive measures are essential. This includes frequent vulnerability scans, regular penetration testing, and continuous auditing to ensure adherence to NCSC and NPSA guidance.


Organisations must commit to regular security audits, much like the methodical process detailed in our post on Building an Effective Physical Security Strategy in the UK, ensuring that security posture evolves in line with the rapidly changing threat landscape.


By adopting this strategic, integrated approach, CNI operators move beyond compliance to build a true national resilience that safeguards the essential functions of the UK.


We exist to enable organisations to realise their strategic ambitions. If you require expert guidance in developing a comprehensive, dual-domain security strategy, from initial risk assessment to the deployment of NPSA-compliant physical solutions, please contact our team today to discuss further.


 
 
 
