The UK’s critical national infrastructure (CNI) providers are on notice. The National Cyber Security Centre (NCSC) has been ramping up its rhetoric over recent months, warning of an impending attack that could have dire societal consequences. In its telling, there is a “widening gap” between the threat to these systems and the ability of CNI providers to defend them.
Most recently, director for national resilience, Jonathan Ellison, took to LinkedIn to urge once again the development of “strong cyber defences and resilience” in the sector. “Operators of UK critical national infrastructure (CNI) must not only take note but, as we have said before, act now,” he said.
But in this context, what exactly does “act now” mean? And how can action be taken in a thoughtful and joined up way?
A Worst-Case Scenario
Ellison’s missive was precipitated by an unprecedented cyber-attack on Polish energy infrastructure, attributed to Sandworm, a unit of Russian military intelligence (the GRU). Some 30 locations, including wind farms, solar installations and combined heat and power facilities, were targeted in a coordinated campaign. Although it was foiled before it caused a major outage, the attackers reached operational technology (OT) systems “critical to grid operations and disabled key equipment beyond repair at the site”, according to Dragos.
The use of destructive wiper malware, aimed at rendering equipment unusable rather than merely taking it offline, should send shivers down the spine of UK CISOs working in CNI sectors. As staunch allies of Ukraine, both Poland and the UK are exposed to potential Russian attacks – something not lost on the NCSC. The chances of a similar campaign targeting facilities closer to home have just risen.
We should all know what’s at stake. Attacks on CNI threaten not only financial losses, but also public safety and national security. And they’re getting more frequent. The NCSC recorded a 50% increase in “highly significant incidents” it handled last year, the third consecutive year the figure has risen. A combination of geopolitical tension, rapid technological change and a sophisticated cybercrime economy continues to amplify the risk of a severe incident.
Where to Go from Here?
The good news is that there are already various resources to help CISOs craft a response. Ellison cited the NCSC’s Cyber Assessment Framework (CAF) and a newer CNI guide for dealing with severe threats. It has also produced documentation on secure connectivity principles for OT and recommendations on developing secure OT architecture. The issue is how to absorb all of this guidance in a holistic and complementary manner.
This isn’t about tearing up existing plans. It’s about focusing on the most severe threats, and planning on the basis that compromise will happen, recovery may take time and adversaries may seek to destroy rather than merely disrupt. While the CAF leans more towards preventative controls, the value of the CNI guidance lies in designing systems for resilience, so that they continue operating and support recovery during lengthy periods of disruption.
The expectation is to design systems that can be rapidly segmented, isolated, or operated in degraded modes under attack.
Turning Theory into Practice
For Cytidel co-founder and CEO Matt Conlon, the challenge is how to operationalise the various frameworks CISOs have at their disposal, in order to move away from a reactive “control-implementation” approach.
“Too often, security teams fall into a ‘whack-a-mole’ cycle: responding to alerts, patching vulnerabilities, and implementing ad hoc technical controls in isolation,” he tells IO (formerly ISMS.online). “While necessary, this approach doesn’t connect governance, operational risk, and technical safeguards into a unified management system.”
To mature their security posture, CISOs should integrate threat intelligence directly into risk and governance processes, he argues. That means monitoring the threat landscape, identifying which vulnerabilities are actually being exploited, feeding that intelligence into security decision-making, and prioritising the threats most likely to cause “material impact”, he adds.
“This approach ensures security teams focus on what truly matters, rather than trying to fix everything at once and hoping they address the most critical risks in time. Crucially, this must be adopted culturally across business units, not just within security,” Conlon argues.
“Governance, operations, risk, and audit functions all need to align around dynamic risk prioritisation. That can feel uncomfortable, as continuously re-prioritising risk does not always sit neatly within traditional annual review cycles or static policies. But in today’s environment, particularly within CNI, annual risk assessments alone are not just insufficient; they are increasingly viewed as negligent.”
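The prioritisation Conlon describes can be made concrete. The following is an added example written for this article, not code from Cytidel or from the NCSC guidance: it scores each vulnerability finding by combining the scanner’s severity with the consequence of losing the asset (its business impact, whether it sits in OT, whether it is exposed beyond its zone) and with a threat feed of vulnerabilities known to be exploited. The asset names, vulnerability labels, weights and the “exploited” feed are all constructed placeholders, and the weights are assumptions a real programme would tune to its own risk appetite. It also shows the “dynamic” part: when the feed changes, the queue re-orders itself rather than waiting for an annual review.

```python
"""Threat-informed risk prioritisation (added illustration, not from the article).

Every name, label and weight below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int        # consequence of loss, 1 (low) .. 5 (safety/grid critical)
    ot: bool           # True when the asset sits in the operational technology estate
    exposed: bool      # True when reachable from outside its own network zone


@dataclass(frozen=True)
class Finding:
    asset: str         # Asset.name the vulnerability was found on
    vuln: str          # placeholder label, not a real vulnerability identifier
    cvss: float        # scanner's base severity score, 0..10


# Constructed inventory and scan results.
ASSETS = {a.name: a for a in [
    Asset("hmi-substation-01", impact=5, ot=True, exposed=False),
    Asset("historian-dmz", impact=3, ot=True, exposed=True),
    Asset("web-portal", impact=2, ot=False, exposed=True),
    Asset("hr-laptop-17", impact=1, ot=False, exposed=False),
]}

FINDINGS = [
    Finding("hmi-substation-01", "vuln-A", 7.5),
    Finding("historian-dmz", "vuln-B", 9.8),
    Finding("web-portal", "vuln-C", 9.8),
    Finding("hr-laptop-17", "vuln-D", 9.1),
]

# Constructed stand-in for a known-exploited-vulnerabilities feed.
EXPLOITED_FEED = {"vuln-A", "vuln-C"}

# Weights are assumptions for the example; tune and audit them in a real programme.
W_EXPLOITED = 2.0   # intel reports exploitation in the wild
W_EXPOSED = 1.5     # reachable from outside its zone
W_OT = 1.5          # consequence is physical or safety-related, not only data


def risk_score(finding, assets, exploited):
    """Combine scanner severity, asset consequence and threat intel into one score."""
    asset = assets[finding.asset]
    score = finding.cvss * asset.impact
    if finding.vuln in exploited:
        score *= W_EXPLOITED
    if asset.exposed:
        score *= W_EXPOSED
    if asset.ot:
        score *= W_OT
    return score


def prioritise(findings, assets, exploited):
    """Return (asset, vuln, score) tuples, highest risk first."""
    scored = [(f.asset, f.vuln, risk_score(f, assets, exploited)) for f in findings]
    return sorted(scored, key=lambda row: row[2], reverse=True)


def cvss_only(findings):
    """The 'whack-a-mole' baseline: patch in order of scanner severity alone."""
    return [f.vuln for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


if __name__ == "__main__":
    print("CVSS only:", cvss_only(FINDINGS))
    for asset, vuln, score in prioritise(FINDINGS, ASSETS, EXPLOITED_FEED):
        print(f"{score:7.1f}  {asset:20s} {vuln}")
    # Feed update: vuln-B is now reported as exploited, so the queue re-orders.
    updated = EXPLOITED_FEED | {"vuln-B"}
    print("after feed update:", [v for _, v, _ in prioritise(FINDINGS, ASSETS, updated)])
```

With these inputs the severity-only queue would patch the two 9.8 findings first and leave the substation HMI (a 7.5) until last, while the threat-informed queue puts the HMI at the top because its vulnerability is being exploited and its loss has a physical consequence. Adding one label to the exploited feed moves the historian above it, which is the continuous re-prioritisation the quote above argues for.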
Taking the Next Steps with ISO 27001
Conlon says that this kind of approach will create a “living management system” that connects strategy, governance, technical controls and improvement. But CISOs can and should go further – to tackle supply chain risk management, network hardening, resilience and recovery, and other areas. This is where ISO 27001 can add value.
“Standards such as ISO/IEC 27001 play an important role,” says Conlon. “They provide structure, governance discipline, and assurance that security controls and processes are formally documented and consistently applied.”
These best practices will ultimately help CISOs evolve their strategy with a proactive, structured and board-visible approach to risk management. And with the Cyber Security and Resilience Bill making its way through parliament, they offer an invaluable opportunity to future-proof operations in a world where cyber-resilience is non-negotiable.
Expand Your Knowledge
Blog – What the Cyber Security and Resilience Bill Means for Critical Infrastructure
Blog – When it Comes to OT, Visibility is the Foundation of Effective Security
Blog – OT Risk Could be a $330bn Problem: How Do We Solve It?