Critical national infrastructure security guide

Philip Bunting

Chief Technical Officer

The Safer summary

Critical national infrastructure (CNI) underpins the UK’s essential services, with security requiring more than a perimeter protection approach. Threats including cyber attacks, sabotage, and environmental hazards contribute to complex risk profiles.

A layered approach that combines physical protection, CCTV, perimeter intrusion detection, access control, cyber security, and 24/7 monitoring will build resilience against emerging threats and allow CNI organisations to form an effective response if incidents do occur.

What is Critical National Infrastructure?

National infrastructure projects underpin every facet of modern life. Essential services are found in 13 key sectors designated by the UK government through the National Protective Security Authority (NPSA). Some of these include energy, transport, water, healthcare, telecommunications, and government operations.

These services rely on large-scale assets, systems, or facilities. Large infrastructural projects, like HS2, are increasingly interconnected, growing in complexity and scale. Any disruption can have far-reaching consequences for communities, businesses, and our national security.

Concerns about threats to UK national infrastructure, also known as critical national infrastructure (CNI), are rising amidst global instabilities and diversifying risk profiles. Cyber security has been identified as a key focus by the UK government within this, with significant investment being made to bolster defences against this modern method of destabilisation. However, physical security is still under constant review, including threats like intrusion, sabotage, and terrorism.

Taking these factors into account, it is important that a resilient security approach is prioritised, offering a balanced solution. This balance is found in prioritising proactive deterrence to prevent incidents, while also managing incidents as they happen.

How does a sector get CNI status?

The NPSA suggest that CNI status can only be given to projects or sectors with “major detrimental impact on the availability, integrity or delivery of essential services.” This includes situations in which a breach “could result in significant loss of life” or a “significant impact on national security, national defence, or the functioning of the state.”

What risks can affect CNI?

The risk landscape for CNI is increasingly complex and vulnerable. Industry reports suggest that the UK is inadequately protected against sabotage and cyber threats, while the geopolitical landscape continues to become increasingly unstable.

Owing to the diversity of the 13 sectors covered by the umbrella term of critical national infrastructure, risk profiles vary throughout. However, there are some common risks that should be considered.

Physical threats to CNI

Relying heavily on physical machinery, CNI sectors like energy, utilities, and transport are particularly vulnerable because of insecure perimeters, often protected by weaker traditional security measures.

As with cyber threats, traditional physical security can be reliant on third-party vendors or contractors who may be at risk of insider exploitation. As security breaches often originate from within the supply chain, it can emerge that trusted individuals are acting on behalf of malicious groups.

Unauthorised intrusion that exploits insecure perimeters can carry considerable risks to CNI facilities, with potential threats from urban explorers (urbex) through to organised criminals, terrorists, or activists. Locations can also be subject to espionage and IP theft for corporate or political gain.

Those who commit an act of intrusion may also simply wish to steal physical assets or commit acts of vandalism. Often remote or unguarded, sites within the rail, utilities, and healthcare industries can be prime targets for metal theft and sabotage of equipment.

Railway networks, data centres, or energy substations, for instance, can find themselves targeted by physical attacks launched by hostile groups. This kind of brute force attack is known as kinetic sabotage. These highly targeted attacks can trigger outages which affect whole geographical areas. Whether improvised explosive device (IED) related, or the outcome of a vehicle-borne threat, it is difficult to prevent this kind of threat. This makes a rapid response and containment process a priority.

Digital threats to CNI

Ransomware and extortion attempts utilise malware to encrypt critical data, denying access before demanding large payouts to recover data. This blackmail can escalate with the leaking of the stored data to the public to increase pressure.

Outdated software vulnerabilities can be exploited within utilities, manufacturing, healthcare, and energy sectors. Because computer systems utilise software that was designed to operate for decades, it very often cannot be updated or patched in an easy manner, or at all.

An industry report from 2026 found that 77% of utilities organisations experienced attacks involving legacy equipment. This was the greatest threat, with phishing affecting 76% and malware 74%.

As our world becomes more digital and data-driven, including with the mass adoption of technologies like Artificial Intelligence (AI), organised cyber criminals increasingly target CNI with financial or political motivations.

Insiders can also cause considerable damage. Any former or current employee or contractor that has access to systems can potentially compromise them by stealing data.

Sabotage can be carried out by insiders in an act of corruption. Attacks can be sophisticated, relying on the criminal actor having established trusted relationships which allow them to bypass security controls that would usually prevent unauthorised access.

Related

Environmental threats to CNI

Risks can also be environmental, creating additional challenges. Industrial fire, flooding, and the effects of climate change can all contribute to strain on critical national infrastructure.

Fire is often weaponised during acts of sabotage or terrorism. Fire has been used to destroy premises, as a method of intimidation, or even as a distraction tactic to draw attention away from another act.

Devastating due to the ease and pace with which fire can spread, the combination of fire and smoke can cause significant risk to life within a building. A notable fire in 2026 at a data centre in the Netherlands resulted in significant disruption to public transport, a university, and government agencies who all relied on infrastructure hosted on the site.

Flooding is considered a worst-case natural hazard in the UK, with a 0.5% annual probability for a sustained flood in an inland environment. While the risk is small, heavy rainfall, land instability, snow, storms, and gales can all significantly affect power and water supplies, while also restricting access to vital infrastructure.

Flooding can also be prevalent in rural environments that commonly site large scale CNI projects like solar farms and data centres. Flooding has increased in severity and prevalence due to climate change, with the potential for greater damage if mitigating circumstances are not implemented.

What is the cost of failing to secure CNI environments?

The financial ramifications of poor CNI security are substantial. On top of the damage associated with data theft due to cyber attacks, fines are regularly issued to companies that fail to adequately protect personal data. In one case, South Staffordshire plc and South Staffordshire Water plc were fined £963,900 following a serious cyber attack.

Just one incident could severely disrupt a sector. A major cyber attack on the rail network is estimated to cost the UK economy £1.8 billion based on just a single week of disruption.

The consequences of a failure to secure CNI can have both direct and indirect effects on safety. The disruption of emergency services because of an attack on healthcare infrastructure can result in fatalities. For instance, an attack on a substation that results in a prolonged period of electricity downtime could indirectly result in the death of those who rely on physical life-support equipment to live.

Physical attacks can cause significant monetary loss and disruption. Damage to an electricity substation in Livingston during a premeditated cable theft led to thousands of pounds in property damage, including the destruction of a sidewall. This also caused localised power outages for homes and businesses, demonstrating the wider impact on communities.

Cyber attacks on digital systems can also cause physical damage to infrastructure due to their interconnected nature. A hack affecting an air traffic control station can subsequently cause collisions and delays, while a ransomware attack on NHS infrastructure in 2024 was linked to the death of one patient.

How to build a resilient security strategy for CNI

An effective security strategy for national infrastructure is designed into projects from the outset. Within CNI, prevention is not enough. An organisation must prepare to continue operating through severe disruptions while attempted fixes are underway.

No single technology can mitigate all risks facing CNI, both physical and digital. Risks are also unique on a sector-by-sector basis, making total awareness and mitigation incredibly difficult. Instead, prioritising the adoption of a layered strategy that is built on anticipation, resistance, adaptation, and recovery is the best approach.

Physical Security for CNI

With unique risks in every sector, there is no one-size-fits-all solution to physically securing a CNI project. However, there is some best practice guidance that can be followed to effectively protect a site from key risks. Physical security for CNI follows 5 Ds, which are to deter, detect, deny, delay, and defend. The 5 d’s form the layers to which your site can be protected, affording time to efficiently manage any emerging threats.

Deter:

Firstly, visual deterrence should be addressed. Taking account of the needs of the site environment to manage risks like perimeter intrusion is essential.

Steel perimeter fencing is commonly adopted on the outer perimeter as it can withstand intrusion attempts and hostile actions from those on foot, while creating a secure and visible boundary that can deter any hostile actors. Some projects may benefit from the adoption of security lighting, with a high-powered illumination capable of a deterrent effect while also improving safety on site for any operators visiting out of hours. Lighting has a further bonus of improving any CCTV or active recording devices with greater clarity and less visual grain within captured footage.

Detect:

The second ‘D’ in our list, detection is vital in the process of identifying threats before they have a chance to escalate. Detection further captures footage for later review and evidence purposes.

Fixed CCTV can be used here, equipped with an AI analytical layer to distinguish threat types and eliminate false alarms. Active number plate recognition (ANPR) is an optional feature that is commonly utilised in the management and permitted access of vehicle traffic entering a secure area.

For larger or higher-risk sites, a perimeter intrusion detection (PID) system is advised. Commonly referred to as mobile CCTV towers, these solutions provide an additional layer of protection by detecting intrusion attempts before hostile individuals can enter a boundary. PIDs are popular solutions as they enhance both deterrence and detection due to their highly visible nature, and the flexible camera configurations that they can offer. This makes them adaptable for multiple use cases across a CNI deployment.

Rapidly deployable, modular, self-contained solutions like the Safer POD® S4/X4 can work autonomously in remote environments with Starlink satellite connectivity and solar or methanol fuel cell power options. Fire and flood risks are controlled, with the Safer POD® S4/X4 equipped with thermal detection up to 100m and sensor add-ons to monitor smoke, heat, and CO₂. Escape of water is visually verified, with pressure monitors to identify leaks and shut-off valves capable of halting a water supply.

Ideal for deployments where a permanent infrastructure is impractical, solutions like the Safer POD® S4/X4 allow CNI organisations to establish a secure perimeter quickly with the opportunity to scale over time.

Safer POD® S4/X4

Award-winning perimeter protection with active thermal detection, ideal for medium-to-large projects.

  • Bi-spectrum active thermal detection up to 100m
  • 50m infra-red night vision
  • Methanol fuel for zero emissions aside from heat and water
  • Pulsing illumination signalling active watch and alerts (X4 only).

Deny:

The third ‘D’ is to deny entry to the premises. At this layer, access control can be vital on CNI sites that contain critical assets within areas of sensitivity. While a traditional security approach may look to implementing mobile patrols or guards for a combination of deterrence, detection, and access control, when used in isolation this approach carries risks including the exploitation of blind spots and the threat of insider corruption.

Depending on the risk profile, an access control strategy can be as simple as combining a mobile patrol or guard with a secure automated entry gate, barrier, or turnstile for vehicles and pedestrians.

As the risk increases, this type of solution can scale to include credential-based access, managed by a PIN, QR, or smart-card system. Some high-risk sites like data centres, substations, and control rooms for emergency services, may implement a higher level of biometric security like facial recognition or fingerprint scanning. This ensures only authorised individuals can gain access to these often-restricted areas.

Delay:

The fourth stage within the layer is to delay any attempted intrusion. Delays often take the form of blockers or barriers that intend to slow down any attempted intrusions or attacks to provide time for a response. Considering the risks factors identified for CNI, this is where the adoption of vehicle security barriers can be used to stop, slow, or redirect hostile vehicles.

Barriers can be active, like retractable bollards and hinged gates, or passive in the form of concrete or stone barrier blocks, ditches, or planters. Vehicle barriers are subject to classifications from the ISO and the NPSA.

These benchmark the ability of a barrier to withstand and delay attacks. Traffic calming measures, like the installation of traffic islands or speed bumps, can further reduce the efficiency of vehicles as a weapon by reducing impact speeds and kinetic energy.

Defend:

The final layer of security, this refers to the protocol followed that neutralises a threat once the perimeter has been breached. In the case of CNI, this is likely to refer to any monitored solutions, like fixed CCTV or perimeter intrusion detection technology.

PID devices, as with fixed CCTV, work effectively when monitored 24/7 to identify threats. At Safer Group, our control room provides continuous monitoring to ensure potential threats are assessed in real-time, identifying and prioritising critical incidents and escalating where appropriate. This escalation procedure will action a mobile response for smaller risks and a police response for high-risk incidents.

With compliant, comprehensive reporting, CNI organisations can also be provided with full situational awareness across the total range of projects they possess.

Digital Security for CNI

Taking diverse risk factors into account, a digital security approach will differ across sectors. All organisations with concerns about cyber security must be aware of ISO 27001 and ISO 22301, internationally recognised standards for securing data assets and ensuring continuity in the event of an unexpected disruption.

An effective strategy can be built around guidance provided by the UK government. The National Cyber Security Centre (NCSC) offers clear, detailed steps to follow for cyber security professionals with actionable advice that can assist before, during and after a cyber attack. The NCSC also provide a Cyber Assessment Framework (CAF).

This framework assists businesses in meeting legal and regulatory requirements by creating opportunities for self-assessment of cyber security and resilience outcomes. It helps organisations understand cyber security while providing the means to monitor ongoing compliance.

The NCSC framework measures threat response under CAF Profiles in the form of threat modelling. Basic profiles cover common cyber attack scenarios, while enhanced profiles offer a sector-by-sector response to more sophisticated attacks. The cyber assessment framework acts as a form of risk assessment against cyber threats and should be the first consideration for a business looking to manage digital risks.

Our security strategy for CNI

The UK’s critical national infrastructure is under threat. It is vital that the prioritisation of resilience against the wide array of attacks that modern businesses can face, rather than a sole focus on proactive protection, is achieved. This can be done through a layered, integrated approach which combines physical security, proactive cyber defence, acknowledgement of environmental threats, and operational preparedness.

Organisations that take the necessary steps to implement resilience will be better positioned in the wake of major attacks. By addressing risks today, organisations across all CNI sectors can maintain service continuity, protect communities, and safeguard national interests tomorrow.

Need site protection?

Let's secure what matters most

Book a site visit

Step 1
Step 2
Step 3
Step 4
Step 5

What sector are you in?