The technology and systems that deliver critical infrastructure services such as power grids and drinking water are increasingly under attack from cyber criminals, according to recent reports published by two cybersecurity firms.

The studies by US-based cybersecurity firm Semperis and UK CNI cyber firm Bridewell follow several significant attacks on critical infrastructure organisations.

These include attacks on Massachusetts-based Littleton Electric Light and Water, which was infiltrated by Chinese threat actor Volt Typhoon and remained undetected for over a year.

Pro-Iranian hackers also exploited vulnerabilities in Unitronics programmable controllers to breach the Municipal Water Authority of Aliquippa, Pennsylvania, while in the UK, Black Basta, a cybercriminal group, breached Southern Water in England, stealing personal information belonging to millions of customers and employees.

A growing threat to utilities

Semperis’ new study, published today, The State of Critical Infrastructure Resilience, Evaluating Cyber Threats to Water and Electric Utilities, surveyed 350 utility operators across the UK and US, revealing that cyber threats pose a growing risk to utility operators and public safety.

The report found that over 60% of organisations had experienced cyberattacks in the past year, often multiple times. More than half of these attacks disrupted operations, with over 50% also experiencing permanent data or system damage.

Nation-state actors, particularly from North Korea, Russia, Iran, and China, were responsible for a significant number of these breaches.

Chris Inglis, former US national cyber director and currently a strategic advisor at Semperis, has warned that too many people assume critical systems are protected when they remain highly vulnerable.


“This is a flawed assumption, borne out by frequent systemic failures of poorly designed and weakly defended systems that are easy prey for criminals and rogue nation states. This responsibility cannot be deferred to others. We need to harden our systems and extract criminal elements — now,” he urged.

Simon Hodgkinson, former CISO at BP, suggested that many attacks on utilities may be reconnaissance missions for future large-scale disruptions.

He added that nation-state actors, particularly China’s Volt Typhoon, prefer stealth tactics, making them harder to detect. “What we’re seeing now is likely a precursor of future disruption,” Hodgkinson warned.

Semperis CEO and cofounder Mickey Bresman, meanwhile, emphasised the importance of securing identity systems like Active Directory, Entra ID, and Okta, as cybercriminals frequently target them.

“From post-attack engagements in breached environments, we know that 90% of the time, identity systems are targeted and successfully compromised.

“Unfortunately, many organisations lack the tools needed to gain visibility into those compromises, preventing them from restoring trust in their identity systems,” he said.

The UK: misplaced confidence, rising costs…

Bridewell, a UK-based cybersecurity firm, surveyed over 600 critical national infrastructure organisations in a report published last month.

The research report, Cyber Security in Critical National Infrastructure 2025, found that 95% of its respondents experienced a data breach in the past year. Over half reported financial losses exceeding £100,000 per breach, with some reporting costs reaching as high as £7 million annually.

One-third of organisations targeted by ransomware admitted to paying the ransom, despite the growing consensus that such payments encourage further attacks.

While this practice has been hotly debated in recent months, Bridewell’s response team recommends that its customers “open up negotiations with attackers because it buys time,” one of the firm’s security experts stated during a presentation.

Elsewhere, despite the high level of attacks, Bridewell found that many organisations expressed misplaced confidence in their cybersecurity maturity.

Although 90% of firms believed they had robust cybersecurity strategies, only 25% conducted regular cyber risk assessments, while 3% admitted to not conducting any risk assessments at all.

The report also noted a shift in the origin of cyber threats, with Russia emerging as the dominant aggressor over China as geopolitical tensions influence attack patterns.

AI-driven cyber threats also appear to be on the rise, with AI-powered phishing attacks becoming the most concerning trend.

Over 80% of respondents cited AI-driven phishing as a top threat, followed by automated hacking and AI-powered botnets.

Additionally, supply chain security remains a major concern, with 57% of organisations experiencing a supply chain attack in the past year, including firmware attacks, data interception, and third-party service provider breaches.

Global cyber intelligence sharing at risk

Last month the Trump Administration suspended intelligence sharing with Ukraine, a move former UK Defence Secretary Ben Wallace called “suffocating” for Ukraine’s defence against Russia.

This reflects a cautious and unpredictable stance on international cybersecurity intelligence sharing, potentially affecting alliances like Five Eyes—a post-WWII intelligence-sharing partnership between the US, UK, Canada, Australia, and New Zealand.

At a press conference at the launch of his firm’s report last month, TechInformed asked Bridewell CEO Anthony Young how this might impact the UK’s critical national infrastructure.


Young noted that while the UK is not overly reliant on international cybersecurity providers, an increase in cyberattacks is likely. He warned that rising global insularity could lead to reduced information sharing, making cyber defence more challenging.

“For the last 10 years, we’ve focused on collaboration through Five Eyes and similar initiatives,” he said.

“If the US only cares about the US, the UK only cares about the UK, and Europe only cares about Europe, we’ll share less information, making cybersecurity harder. To win this race, we need global cooperation—but I don’t see that happening in the short term.”
