Check Point Software is a Business Reporter client
Critical national infrastructure (CNI) powers the world, literally. We rely on these industries to keep the electricity on, access and store our money in banks, get medical treatments and food supplies, and so much more.
In the UK, CNI consists of 13 unique sectors: chemicals, civil nuclear, communications, defence, emergency services, energy, finance, food, government, health, space, transport and water. Because of the criticality of these organisations, they are often targeted by cybercriminals – and relentlessly. According to The State of Cyber Security 2025 report, healthcare institutions globally, for example, experienced an average of 2,210 attacks per organisation weekly, with government organisations targeted on average 2,286 times per organisation per week.
What’s more, increased compliance and regulation have muddied the parameters of what it truly means to be “secure” and for CNI organisations to be cyber-resilient. Critically, many of the country’s (and, in many cases, the entire world’s) critical infrastructures are interconnected, with weak links posing a significant threat of catastrophic cascading consequences. Recent standards, such as NIS2 and DORA, aim to keep organisations in check and protect entire supply chains. But is this enough?
Harmonisation of standards
There are a lot of siloed standards when it comes to certain sectors, countries and governing bodies. However, as previously mentioned, many CNI organisations are interconnected and rely on other industries to function properly. The water industry, for example, relies on the energy sector, with energy required to extract, pump, treat and manage water and wastewater. Conversely, the energy sector accounts for roughly 10 per cent of global freshwater usage. Each relies on the other, so some overarching governance is crucial. What’s needed is a harmonisation of standards worldwide and across sectors to protect all critical infrastructures.
In recent years, governments and regulating bodies have put measures in place to protect CNI. In Switzerland, for example, the National Cyber Security Centre (NCSC) announced in March 2025 that incident reporting will be mandatory for critical infrastructure operators within 24 hours of discovery – a significant milestone for Switzerland’s cyber-resilience. While this sort of information sharing is crucial for transparency and for protecting other organisations, there are several grey areas to consider. Some organisations, for example, may not be mature enough to have enough useful information available within 24 hours; others may over-report to avoid any consequences of non-compliance, resulting in many false positives; and, equally, organisations across the supply chain that are perhaps not considered CNI organisations may not report issues that could affect critical infrastructures. Ultimately, an undertaking such as this requires more resources and people.
It’s important to strike a balance between mandating organisations and leaving them to their own devices. This poses the question: does compliance make us complacent? What’s really needed is more proactivity.
Proactivity is key
For many organisations, compliance acts as a security blanket, providing them with a false confidence. It is crucial to realise that being compliant doesn’t necessarily make you secure, and looking good on paper is rarely enough when it comes to real-world threat prevention. Real-life incidents rarely follow a playbook. Compliance moves and evolves with changing threats, so it cannot be a one-and-done or tick-box exercise, especially when it comes to protecting CNI organisations. Business leaders may find their organisation compliant for a snapshot in time but not in perpetuity. The best way to defend is to prevent, proactively.
Ultimately, threat actors don’t really care about compliance. They look for weaknesses and easily exploitable vulnerabilities to gain access to a system and/or network. This is exactly what security teams should be looking for when it comes to protecting their organisations. By adopting this mindset, security teams can further bolster defences beyond compliance. But how should organisations approach this?
Reducing noise: focusing on what matters
Organisations should start by employing tools that give them greater visibility of all assets on their systems, which is even more important in environments that converge IT and operational technology (OT) systems, especially if legacy technology is still in use. The fast digitalisation of some critical industries, such as manufacturing, has created security gaps that need addressing urgently. Once assets are mapped, vulnerability assessments should be carried out regularly, with automated threat detection employed where possible. Other measures that teams should proactively employ are red-teaming and tabletop exercises.
However, too many tools can lead to equally dangerous overconfidence. Cyber-security protection is more about quality than quantity. Harmonisation in standards is important, but harmonisation in tooling to protect a security stack is equally critical. Leaders should focus on creating a reliable but simple security strategy to help reduce noise and better understand risk.
Compliance cannot be disregarded altogether, though. When it comes to getting board buy-in, compliance can be a good way to start the conversation, as there are real-world monetary and/or reputational consequences when compliance is not met. Standardised reporting can also be a good way to communicate the importance of cyber-security to boards, which remains an ongoing challenge.
Securing the future of CNI
One thing’s for certain: CNI organisations are being targeted more frequently than ever. Organisations must be prepared and stay ahead of threats with tabletop exercises and up-to-date threat intelligence without neglecting basic cyber-hygiene. Most incidents can be prevented, but only if organisations are prepared. Use compliance as a baseline, but go above and beyond to ensure legitimate cyber-resilience.