The energy sector is the backbone of life, making it a prime target for cyber threats. Attacks on power grids and energy networks not only disrupt daily operations but pose serious risks to national security, writes John Cullen, Strategic Marketing Director of Digital Identity at Thales.
Alarmingly, 42 per cent of critical infrastructure companies have reported a cyber breach, highlighting the urgent need for stronger defences. A recent report from the UK parliamentary Public Accounts Committee reinforces this concern — cyber threats are evolving faster than defences can keep up. With legacy IT systems accounting for 28 per cent of the public sector’s digital infrastructure, energy networks remain vulnerable not only due to outdated technology but also internal gaps in strategy and cybersecurity capabilities.
From a One-Time Fix to Continuous Protection
The traditional cybersecurity approach – patching vulnerabilities and meeting compliance requirements – is no longer enough. Regular updates and system replacements play a role, but energy operators must adopt a mindset of continuous assurance, smarter system design, and proactive skills development to stay ahead of emerging threats. This is particularly important within the energy sector – where factors like the war in Ukraine have elevated the risk to the UK’s energy industry. Amongst the most significant threats to the energy sector’s critical infrastructure is now malware launched by nation-state groups. These actors aren’t just setting out to compromise CNI networks – they want to persist there too.
Despite government initiatives like Defending the UK in a Digital World: Cyber Security Strategy 2022–25, adoption across sectors remains inconsistent. Many energy organisations still rely on outdated risk models, attempting to counter modern threats with legacy solutions. Cybersecurity must be embedded at every stage of operations, ensuring resilience is built into infrastructure rather than retrofitted as an afterthought.
Legacy systems: managing risks while driving innovation
Legacy systems – many originally designed for isolated, manual operation – were never built for highly connected, digitised energy networks. To enhance operational efficiency, many organisations have linked these older systems to modern platforms, often without implementing adequate security safeguards. Energy providers must carefully evaluate the risks associated with upgrading legacy infrastructure. While fully replacing outdated systems is rarely feasible, mitigation strategies such as network segmentation, continuous monitoring, and enhanced authentication measures are essential to protect critical assets. Supply chain vulnerabilities further compound the risk, as service providers with privileged access often lack robust security controls. Collaborative cybersecurity strategies between energy companies and their suppliers are vital to closing these gaps.
Secure by Design: foundation
Secure by Design is more than a cybersecurity principle — it’s a strategic imperative for resilient energy systems. Security must be integrated from the ground up, ensuring that infrastructure is adaptable, auditable, and capable of resisting sophisticated cyber threats. Yet, implementation remains inconsistent. Too often, security is treated as an isolated function rather than an organisational priority—similar to how health and safety was historically undervalued before regulations enforced its importance. The upcoming Cyber Security and Resilience Bill will play a key role in addressing these weaknesses, enforcing stronger standards and mandatory incident reporting for high-risk sectors.
Transparency and collaboration
Cybersecurity in energy cannot be a siloed effort. Threats do not respect organisational boundaries, and weaknesses in one system can compromise an entire network. Transparency and collaboration, including incident reporting, are crucial to protecting critical infrastructure. Reporting cyber incidents, much like the longstanding practice of reporting near misses and accidents in health and safety, strengthens overall resilience. Greater visibility into cyber threats helps organisations fortify their defences, making it harder for malicious actors to exploit weaknesses before lasting damage occurs.
The Thales Data Threat Report highlights growing risks to Critical National Infrastructure (CNI), underscoring the importance of compliance and proactive security measures. Organisations that successfully passed cybersecurity audits experienced significantly fewer breaches than those that failed—demonstrating the vital role of strong regulatory frameworks in reducing risk. With the Cyber Security and Resilience Bill driving higher standards, more robust protections for essential infrastructure, including power grids, energy distribution networks, and connected industrial systems, will become the norm. Each unreported cyber-attack is a missed opportunity to refine security strategies. Increased transparency and intelligence-sharing across the energy sector enable faster, more informed decision-making, ensuring providers can stay ahead of evolving threats while maintaining the resilience of vital services.
Final word
Cybersecurity in the energy sector requires more than reactive fixes or compliance checks—it demands a strategic, long-term approach to safeguarding critical infrastructure. As legacy systems increasingly integrate with modern digital technologies, understanding these interactions is essential to preventing vulnerabilities before they emerge.
Secure by Design must become the industry standard, ensuring resilience is built into every layer of operations. By balancing robust policy frameworks, proactive security measures, and skilled expertise, energy providers can move beyond reactive defence — creating a security-first foundation that protects against future threats, rather than merely responding to those already at hand.