ISJ hears exclusively from Magpie Graham, Technical Director of Intelligence at Dragos about the impact of global conflicts on cybersecurity.
Rising geopolitical pressure is having consequences for cybersecurity.
Conflicts in Ukraine and the Middle East, alongside wider tensions between major powers, are affecting the security of critical national infrastructure worldwide.
For UK operators of essential services, this is driving measurable increases in cyber-threats targeting the industrial systems that keep energy flowing and manufacturing operational.
With this, operators are being exposed to more pressure from more directions, making foundational operational technology (OT) security practices increasingly important.
Inside the industrial environment
While there have been cases of state-sponsored attacks on critical infrastructure, most cyber-adversaries have focused their efforts on breaking into corporate information technology (IT) systems to gather information and credentials.
During this time, industrial organisations were not the primary target because of their industrial nature – they were collateral.
But attackers have grown more aware of industrial organisations as high-value targets in recent years.
Operational environments can be disrupted by threats to both the operational technology (OT) that runs them and the IT systems that influence them.
In both cases, attacks can disrupt production, supply chains and operational decision-making.
For threats targeting operational environments directly, what stands out across architecture reviews and incident work is that state-sponsored threat groups are no longer hovering at the IT perimeter.
They are moving deeper into industrial environments. In Dragos’ latest Year in Review report, two of the three newly identified OT threat groups demonstrated Stage Two capability in the ICS Cyber Kill Chain, meaning they had crossed from IT into OT networks and were doing the work an engineer would do: walking engineering workstations, identifying device models and protocols, reading programmable logic controller logic and mapping the safety systems and physical processes those systems govern.
This is significant because Stage Two activity is about understanding the industrial process itself.
It is no longer only about finding a vulnerable VPN, stealing credentials or gaining access to a corporate network.
It is about mapping devices, identifying technologies and protocols, reviewing engineering workstations and building a picture of the physical processes those systems govern.
The pace of targeting is increasing
The barrier to entry for targeting industrial environments is falling in other ways too.
Threat intelligence teams have recently observed adversaries using large language models (LLMs) to support target development at a pace that manual operations cannot match.
AI has not yet rewritten the OT attack playbook, but it has shrunk the gap between curiosity and capability – and for environments that have no monitoring, that gap was the main thing protecting them.
The obscurity that once served as a de facto shield for many OT environments is disappearing.
Ransomware is adding further pressure
State-linked cyber-activity is not the only threat intensifying globally.
The number of ransomware groups targeting industrial entities rose 49% over the prior year, with 119 groups affecting more than 3,300 organisations.
The true number is likely larger because industrial ransomware is still underreported.
One reason for that gap is classification.
Ransomware affecting a Windows machine running a human-machine interface (HMI), engineering workstation or process control software is often classified as an IT incident because the device runs a familiar operating system, even when the function it performs is entirely OT.
This misclassification matters.
If ransomware encrypts the virtualisation layer supporting SCADA, HMI or engineering workloads, the impact can include loss of view, loss of control and delayed restoration, even where no programmable logic controller or field device is directly touched.
The operational consequence is what matters to the plant, site or utility.
How UK operators can respond
UK infrastructure operators do not control the geopolitical forces driving this escalation, but they do control their readiness.
There is no exotic answer here.
The areas that move the needle are unsexy and well known.
Operators are not falling short because the controls are obscure – they are falling short because too few of those controls are actually in place.
For example, 81% of Dragos architecture reviews reveal poor IT-OT segmentation.
Operators should assess whether an adversary with IT access has a viable path into OT systems; if such a path exists, the architecture is not adequately defensible to begin with.
They also need the visibility to know if an adversary gets into the OT environment.
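One way to make that segmentation question concrete is to model the site's zone-to-zone allow rules as a graph and search for routes from the IT zone into OT. The block below is an added example, not code from the article or from Dragos; the zone names, services and allow rules are constructed for illustration, and the what-if helper shows how removing a single rule changes the answer.

```python
"""Added example, not code from the article or from Dragos: a reachability check
over a constructed IT/OT zone model. It answers the question posed above, whether
an adversary who already holds IT access has a viable network path into OT.
Zone names, services and allow rules below are constructed for illustration."""
from collections import deque

# Constructed summary of a site's zone-to-zone firewall allow rules.
# Each entry is (source_zone, destination_zone, permitted_service).
ALLOWED_FLOWS = [
    ("enterprise_it", "dmz_jump", "rdp/3389"),
    ("dmz_jump", "ot_supervisory", "rdp/3389"),
    ("enterprise_it", "historian", "sql/1433"),
    ("historian", "ot_supervisory", "opc-ua/4840"),
    ("ot_supervisory", "ot_control", "s7comm/102"),
    ("ot_control", "ot_supervisory", "s7comm/102"),
    ("engineering_vpn", "ot_control", "any"),
]

# Zones whose compromise means loss of view or loss of control.
OT_ZONES = {"ot_supervisory", "ot_control"}


def build_graph(flows):
    """Adjacency list: zone -> [(next_zone, service), ...]."""
    graph = {}
    for src, dst, svc in flows:
        graph.setdefault(src, []).append((dst, svc))
        graph.setdefault(dst, [])
    return graph


def find_paths(graph, start, targets, max_hops=6):
    """Breadth-first search for simple paths from start into any target zone.
    Each path is a list of (zone, service_used_to_reach_it); the first hop has
    service None. Search stops at the first OT zone on each path, since reaching
    any OT zone already answers the segmentation question."""
    paths = []
    queue = deque([(start, [(start, None)])])
    while queue:
        zone, path = queue.popleft()
        if zone in targets and len(path) > 1:
            paths.append(path)
            continue
        if len(path) > max_hops:
            continue
        visited = {z for z, _ in path}
        for nxt, svc in graph.get(zone, []):
            if nxt not in visited:
                queue.append((nxt, path + [(nxt, svc)]))
    return paths


def it_to_ot_paths(flows=ALLOWED_FLOWS, start="enterprise_it", targets=OT_ZONES):
    """Every viable route from the IT zone into OT under the given allow rules."""
    return find_paths(build_graph(flows), start, targets)


def render(path):
    """Human-readable form, e.g. 'a --[svc]--> b --[svc]--> c'."""
    text = path[0][0]
    for zone, svc in path[1:]:
        text += f" --[{svc}]--> {zone}"
    return text


def without_flow(flows, src, dst):
    """Rule set with one zone-to-zone allow rule removed, for what-if analysis."""
    return [f for f in flows if not (f[0] == src and f[1] == dst)]


if __name__ == "__main__":
    print("Routes from enterprise IT into OT under the current rules:")
    for p in it_to_ot_paths():
        print("  " + render(p))
    # What-if: drop the historian's direct OPC UA access to the supervisory zone.
    revised = without_flow(ALLOWED_FLOWS, "historian", "ot_supervisory")
    print("Routes remaining after removing historian -> ot_supervisory:")
    for p in it_to_ot_paths(revised):
        print("  " + render(p))
```

On the constructed rules the check finds two routes into OT, one through the jump host and one through the historian; removing the historian's direct flow still leaves the jump-host route, which is the kind of finding an architecture review is meant to surface rather than hide behind the presence of a firewall.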
Fewer than 10% of OT networks are monitored globally, which means many organisations would struggle to see adversary activity once it moves past the perimeter.
Monitoring OT network traffic is not discretionary for any organisation whose operations underpin public services.
Having the context to properly identify assets that can impact OT environments is also essential.
Ransomware affecting devices that perform OT functions should be treated according to the operational role of the system, not only by the operating system running on the affected machine.
For vulnerability management, operators should refer to the SANS Institute’s Five ICS Cybersecurity Critical Controls, which set out a risk-based approach for OT environments.
Rather than treating every CVE equally, organisations should assess whether a vulnerability supports likely adversary scenarios, adds functionality an adversary could use or is already being actively exploited, then decide whether to patch, mitigate the impact or monitor for exploitation.
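The decision the paragraph describes can be written down as an explicit rule so that every finding gets the same treatment. The block below is an added example, not the article's, Dragos's or the SANS Institute's own tooling; its vulnerability records, placeholder identifiers and asset roles are constructed, and the rule folds in whether the asset is reachable from IT, tying the triage back to the segmentation question raised earlier.

```python
"""Added example, not the article's, Dragos's or the SANS Institute's own tooling:
a small risk-based triage rule in the spirit of the approach described above.
The vulnerability records, the placeholder identifiers and the asset roles are
constructed for illustration."""
from dataclasses import dataclass


@dataclass
class OTVuln:
    vuln_id: str                        # placeholder identifier, constructed
    asset_role: str                     # operational role, not the OS: "plc", "hmi", ...
    actively_exploited: bool            # exploitation observed in the wild
    supports_likely_scenario: bool      # enables a step in a credible scenario for this site
    adds_adversary_functionality: bool  # grants capability such as logic write or code execution
    reachable_from_it: bool             # asset sits on a viable path from IT-facing zones
    patch_window_available: bool        # a maintenance window allows patching without process risk


# Ordering used to sort the worklist: what gets attention first.
PRIORITY = {"patch": 0, "mitigate": 1, "monitor": 2}


def triage(v):
    """Return (decision, reason). Decisions: 'patch', 'mitigate' or 'monitor'."""
    if v.actively_exploited:
        if v.patch_window_available:
            return "patch", "actively exploited in the wild; patch at the available window"
        return "mitigate", "actively exploited but no safe patch window; apply compensating controls and watch for exploitation"
    if v.supports_likely_scenario or v.adds_adversary_functionality:
        if not v.reachable_from_it:
            return "mitigate", "supports an adversary scenario but is not reachable from IT; keep it segmented and patch at the next window"
        if v.patch_window_available:
            return "patch", "supports an adversary scenario and is reachable from IT"
        return "mitigate", "reachable from IT with no safe patch window; restrict the path and watch for exploitation"
    return "monitor", "no credible scenario today; track for active exploitation"


def triage_worklist(vulns):
    """Sorted list of (vuln_id, asset_role, decision, reason), highest priority first."""
    rows = [(v.vuln_id, v.asset_role, *triage(v)) for v in vulns]
    return sorted(rows, key=lambda r: PRIORITY[r[2]])


# Constructed sample findings for a fictional site.
SAMPLE = [
    OTVuln("VULN-PLACEHOLDER-1", "plc", True, True, True, True, False),
    OTVuln("VULN-PLACEHOLDER-2", "engineering_workstation", False, True, True, True, True),
    OTVuln("VULN-PLACEHOLDER-3", "hmi", False, False, False, True, True),
    OTVuln("VULN-PLACEHOLDER-4", "historian", True, False, False, False, True),
    OTVuln("VULN-PLACEHOLDER-5", "safety_controller", False, True, False, False, False),
]

if __name__ == "__main__":
    for vuln_id, role, decision, reason in triage_worklist(SAMPLE):
        print(f"{decision:8} {vuln_id} ({role}): {reason}")
```

The point of the rule is that a finding on a PLC with no safe patch window does not disappear from the list; it becomes a mitigation task with an explicit reason, while a finding with no credible scenario stays on a watch list instead of consuming a maintenance window.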
Tabletop exercises and incident response planning should continue evolving to reflect the threat as it exists today.
Exercises that test a single organisation’s response to an isolated intrusion no longer reflect the full operating environment.
UK critical national infrastructure depends on a chain of operational relationships, including suppliers, telecoms, managed service providers and specialist engineering firms.
Test the day a trusted supplier is unavailable.
Test the day a remote access provider is compromised.
Test the day an upstream service needed for safe operation is disrupted.
Exercises should define who has authority to isolate systems, when to move from remote to local operation and what evidence is needed to understand whether a cyber-event has affected the process.
The defensive picture is clearer than the threat picture
The pressure on UK infrastructure is coming from several directions at once, but what defenders need to do is clearer than the threat picture itself.
Groups targeting industrial environments are building the access and understanding they would need to cause disruption later.
Ransomware continues to expose how quickly incidents in connected IT systems can affect operational continuity.
UK operators should focus on reducing the routes adversaries can use, improving visibility inside OT networks and ensuring incident response plans reflect real dependency-chain disruption.
We can expect to see a significant industrial cyber-incident in the UK that is not the failure of the operator, but instead of the operator’s supplier, the operator’s MSP, or the operator’s remote access vendor – and the operator will own the consequence anyway.
That is part of the threat picture that extends beyond the organisation’s own security controls and must also be addressed through corporate governance processes, tabletop exercises, documentation of dependencies and contingency plans.
