Guarding the UK’s critical core from cyber-attacks


Cyber-risks facing the UK are expected to surge in 2025 following a record-breaking year for attacks, writes Phil Tonkin, Field CTO, Dragos.

The National Cyber Security Centre (NCSC)’s 2024 Annual Review has been published and UK organisations are being urged to prioritise cyber risks as the threat of attack continues to surge.

Cyber-attacks are becoming more frequent and impactful as hackers, threat groups and state-backed actors target UK organisations and critical infrastructure in the name of profit and disruption.

This is creating an increasingly challenging terrain for UK organisations and the NCSC to navigate.

The findings from this year’s report highlight that the NCSC’s Incident Management team responded to 430 incidents in 2024, compared to 371 in 2023 – of these, 89 were considered nationally significant, including 12 critical incidents, a three-fold increase from 2023.

The report points to areas the UK needs to focus on in order to be prepared for today’s cyber-risks and protect against hostile actors who target critical infrastructure amid increasingly strained geopolitical tensions.

A better understanding of what needs to be done across the UK to ensure organisations can effectively monitor cybersecurity risks and trends should provide greater resilience in the year ahead.

On the back of these findings, what does the threat landscape look like for UK organisations and what steps can they take to safeguard themselves in 2025 and beyond?

State-sponsored attacks on the rise

Cyber-space has felt the increasingly turbulent knock-on effects of current geopolitical unrest as threat actors at state-level ramp up attacks on UK critical infrastructure.

While states can be easier to hold to account compared to non-state actors, they have greater power and resources and can deny responsibility when faced with accusations.

While the UK has one of the largest digital economies in the world through its communications, financial services and technology sectors to name a few, hostile states are also targeting key critical infrastructure that encompasses industrial and operational technology.

These attacks – which are occurring more frequently and effectively – have the potential to inflict disruption across sectors.

The report highlights a three-fold increase in the most serious cyber-attacks affecting the UK economy between 2023 and 2024, with this curve expected to continue if nothing changes.

UK government must work closely with industry experts to improve defence capabilities and deter threat actors from taking aim. Identifying and implementing the required cyber-measures will bolster the security of organisations and individuals across the UK and demonstrate to hostile states that cybersecurity is now at the forefront of its critical infrastructure operations.

Ones to watch: Ransomware-as-a-service (RaaS)

Ransomware remains the most prominent form of attack for threat actors targeting critical infrastructure.

The increasing interdependence of businesses – particularly when you also consider complex supply chains – means that the financial and reputational impact of ransomware attacks can affect multiple victims at a time.

They also have the potential to infiltrate or shut down physical plants and machinery until a sum is paid. This level of impact is what has made ransomware the preferred weapon to deploy from threat actors’ cyber-arsenal in recent years.

The top sectors reporting ransomware activity to the NCSC this year were academia, manufacturing, IT, legal, charities and construction.

These sectors present an opportunity for threat actors to obtain sensitive data and financial reward and to disrupt operations across other sectors, particularly in the case of manufacturing, where disruption can result in whole swathes or regions of the UK grinding to a halt.

RaaS is now more sophisticated than ever, with some criminal gangs now offering it as a subscription service. This growth and increasing demand for ransomware is reflected in the numbers as global payments exceeded $1b in 2023.

UK organisations must make sure they are prepared to combat the threat of RaaS. Regular threat vulnerability assessments and asset visibility monitoring are effective tools organisations can deploy to safeguard operations against the threats posed by RaaS actors.

Unfortunately, ransomware is no longer just an IT issue; it is now a commonly used weapon to threaten business continuity and, in some cases, national security.

Dragos’s recent Industrial Ransomware Analysis noted more than 20 newly observed ransomware groups that impacted industrial organisations in just the third quarter of 2024.

Looking ahead to 2025, many cybersecurity professionals are pointing to ransomware as the threat organisations should be prepared for, as it’s the most common form of attack.

RaaS groups and their tactics continue to evolve, which is why it is integral for organisations to have the necessary strategy and tools in place to combat them.

Critical infrastructure remains a primary target

Less than 20 years ago, the idea that non-state actors could target and successfully compromise national infrastructure via cyber-space was almost inconceivable. Today, the threat landscape has shifted and critical infrastructure is now a common target for threat actors.

NCSC Chief, Richard Horne, touched on the vulnerability of UK infrastructure in the annual report: “Defence and resilience of critical infrastructure, supply chains, the public sector and [the UK’s] wider economy must improve.”

Proactive vs reactive responses

In the past, responses to cyber-attacks and emerging threats have been far too reactionary.

For example, formal steps on how to respond to and report attacks such as ransomware should be pre-planned and agreed internally to avoid confusion in the event of an attack.

The development of defence frameworks such as the SANS ICS Five Critical Controls will provide crucial support for key Operational Technology (OT).

Created from comprehensive analysis of all known ICS cyber-attacks, the framework is designed to prevent, detect and respond to emerging threats facing OT infrastructure.

Deploying an insight-driven approach to security will help organisations make informed decisions against threat actors.

Proactively safeguarding critical infrastructure, rather than taking a reactionary approach, will also deter potential attackers as vulnerability levels decrease and safeguarding improves.

Driving cyber-resilience is a key message the NCSC wants to communicate to UK organisations in a bid to shift away from limited reactionary approaches.

Looking to 2025 and beyond

The 2024 NCSC annual report underlines the urgent action required of UK organisations to make 2025 a safer year in cyber-space, as threat levels are only expected to increase.

2024 saw the number and severity of attacks striking UK organisations reach unwanted new highs.

With threats such as geopolitical unrest, the surging popularity of RaaS and the increasing number of powerful state-sponsored attacks, cyber-resilience is crucial to the UK’s long-term objectives.

About the Author

Phil Tonkin is Field Chief Technology Officer at Dragos, Inc. where he uses his experience in the energy sector to provide technical insight and strategic guidance in securing industrial operations.

His career has included roles in electricity transmission, distribution and generation, gas transmission, distribution and storage and IT.

Prior to joining Dragos, he led the OT security program at one of the world’s largest investor-owned utilities for five years.
