The head of the UK's National Cyber Security Centre (NCSC) issued one of the most direct public warnings yet about the strategic threat facing Britain's critical national infrastructure (CNI), telling a high-profile security audience that hostile foreign states were responsible for approximately three-quarters of all attacks on CNI sectors.
Speaking at the Royal United Services Institute (RUSI) Annual Security Lecture, NCSC CEO Richard Horne warned that adversaries were not simply carrying out opportunistic intrusions — they were systematically "prepositioning" inside energy grids, water systems, transportation networks, and telecommunications infrastructure ahead of a potential future conflict.
"Kinetic targeting in any conflict tomorrow will be based on intelligence gathered today," Horne said, framing the cyber threat as inseparable from conventional military planning. The implication was clear: what looks like espionage now is being laid down as the foundation for physical disruption when hostilities escalate.
The Prepositioning Threat
The concept of prepositioning — placing persistent malware or access footholds inside critical systems long before any conflict — has been central to Western intelligence assessments of nation-state cyber activity for several years. Agencies in the US, UK, Canada, and Australia have repeatedly warned about groups like Volt Typhoon and Salt Typhoon maintaining long-dwell implants in infrastructure networks.
Horne's remarks confirm that the UK views its own critical sectors as active targets of this same strategy. Rather than disruption being an end goal, the intrusions appear designed to:
- Map dependencies and failure points within CNI systems
- Establish persistent access that survives standard incident response
- Enable coordinated disruption or destruction at a time of strategic choosing
This mirrors the US Cybersecurity and Infrastructure Security Agency (CISA) assessment of Chinese state-sponsored groups that have burrowed into American water utilities, power grids, and communications systems — some maintaining access for years without being detected.
Which Sectors Are Targeted
While Horne did not publicly identify specific incidents, the UK's broader threat landscape points to continued targeting of:
- Energy infrastructure — gas pipelines, electricity distribution, and national grid management systems
- Water treatment facilities — operational technology (OT) environments controlling treatment and distribution
- Telecommunications — undersea cables, mobile network core infrastructure, and ISP backbone systems
- Transportation — rail signalling systems and air traffic management
The NCSC has previously attributed campaigns to Russia's GRU, FSB, and SVR intelligence services, as well as to Chinese state-sponsored groups operating under Ministry of State Security direction. Iran and North Korea round out the UK's primary nation-state threat tier.
"Wartime Intelligence Gathering"
Horne's framing of peacetime cyber activity as wartime intelligence preparation reflects a shift in how Western governments are publicly characterising these intrusions. Earlier rhetoric tended to focus on economic espionage and data theft; the 2026 assessment places persistent infrastructure access squarely within a pre-conflict doctrine.
This matters because it changes the response calculus. Removing an intruder from a corporate network is a cybersecurity problem. Removing an adversary's foothold from a power grid — without triggering the very disruption you are trying to prevent — is a national security problem requiring military-grade coordination.
Defensive Posture and NCSC Guidance
The NCSC continues to push CNI operators to adopt principles from its Cyber Resilience Framework, which prioritises:
- Assume compromise — operate on the basis that adversaries may already be present
- Network segmentation — isolate OT from corporate IT and from the internet
- Zero-trust architecture — enforce least-privilege access across all systems
- Incident response readiness — pre-plan playbooks for infrastructure-specific scenarios
UK CNI operators are required under the Network and Information Systems (NIS) Regulations to report significant cyber incidents to the NCSC. The government has also accelerated sector-specific cyber resilience exercises following the 2024 ransomware attacks on NHS pathology services.
The Broader NATO Picture
Horne's comments come amid a wider reassessment of critical infrastructure protection across NATO. The 2025 Vilnius Summit committed member states to developing minimum cyber resilience standards for CNI, and the 2026 NCSC warning reinforces the urgency of that agenda.
For organisations operating in CNI sectors, the message is not new — but the public directness of the attribution is striking. Three-quarters is not a marginal figure; it represents a systematic, coordinated campaign across the breadth of British infrastructure by foreign intelligence services preparing for scenarios that most operators would prefer not to contemplate.