Age of Insecurity? The security vulnerabilities of Operational Technologies and the risks they pose to the UK

January 4, 2026

Just before Christmas 2025, the UK Department for Science, Innovation and Technology (DSIT) published an Operational Technology Cyber Security Study that examined the potential impacts of attacks on the country's critical national infrastructure.

The report, commissioned by DSIT, examines previous attacks around the world, reviews a breadth of research into incident root causes and summarises interviews with information security practitioners from many of the UK's CNI sectors. These sectors comprise:

  • Chemicals: including major chemical production and distribution companies.
  • Civil Nuclear: including nuclear power stations and related facilities.
  • Communications: including Internet service providers, communication networks, domain name systems (DNS) and top-level domain (TLD) name registries.
  • Data Centres: operating about 500 data centres in the UK.
  • Defence: including key defence contractors and facilities.
  • Emergency services: including police, ambulance, fire services and the coast guard.
  • Energy: including electricity, gas and oil providers.
  • Finance: including major financial institutions and payment systems.
  • Food: including major food supply and distribution companies.
  • Government: including key government departments and agencies.
  • Health: including NHS trusts, foundation trusts and certain independent healthcare providers.
  • Space: including satellite and space infrastructure providers.
  • Transport: covering air, rail, water and road transport.
  • Water: including major water supply and distribution companies.

Disrupting the UK economy

The authors of the report explore exactly what risks the known vulnerabilities of Operational Technology pose to safety, service continuity and national resilience, and note that:

Loss of or disruption to CNI services has the potential to weaken UK resilience and national security and they must continue to operate and function. The Chancellor of the Exchequer's vision, ‘Securonomics’, places security as central to the Government's economic and national security mission.

‘Securonomics’ - a British political campaign slogan focused on the economic security of a nation - was first coined in May 2023 as a response to a perceived ‘Age of Insecurity’ caused by the combined impacts of Brexit, Covid-19 and conflict in Ukraine.

If economic security is a key national objective, it follows that protecting critical infrastructure must be prioritised, and this report is intended to drive future resilience activities.

Key findings and recommendations

For OT security experts, the publication has few major surprises when it comes to the converged IT/OT reality of 2025. Common vulnerabilities include:

  • IT → OT attack pathways: Many OT systems are accessed via connected IT networks rather than directly, meaning IT vulnerabilities often enable OT compromise.
  • Legacy technology: OT environments frequently use old equipment and software not designed for connectivity, lacking patching capabilities and modern security controls.
  • Weak asset management: Ineffective inventorying of devices and systems hinders visibility and prioritisation of security responses.
  • Inadequate network segmentation: Poor separation between OT and other network zones increases potential blast radius for attackers.
  • Shortage of trained OT cybersecurity specialists: Fewer dedicated OT cybersecurity pathways, certifications, or experienced personnel, exacerbating risk and slowing response.
  • IT vs OT divide: Different operational priorities and cultures often mean cybersecurity approaches aren’t well integrated across IT and OT teams.
  • Board-level ownership lacking: Insufficient organisational governance and oversight of OT risk at senior leadership level reduces accountability for security outcomes.
  • Vendor and supplier risks: Outsourced services and components often introduce security gaps that are outside direct organisational control.

To address these, the report suggests the UK Government and OT community work on a range of improvements, many of which are prioritised in the cyber security strategies of other nations, including the United States:

  • Implement defence-in-depth: Multi-layered security, combining network segmentation, access controls, and monitoring to mitigate compromise pathways.
  • Improve asset visibility: Maintain detailed inventories of OT assets and their configurations as a foundation for risk prioritisation.
  • Strengthen network segmentation: Strict separation of OT from business IT and external networks limits attacker movement.
  • Cross-discipline training: Encourage joint training for OT engineers and cybersecurity professionals to bridge cultural and technical gaps.
  • Elevate OT security to board level: Embedding accountability and risk management into corporate governance.
  • Increase information sharing: Government and industry should expand mechanisms for sharing threat intelligence, vulnerabilities, and incident learnings.

The impact of CNI cyber incidents

Case studies from across the world are used as evidence supporting an urgent need to address these known security vulnerabilities, one example being the case of South Staffordshire Water.

In 2022, this regional UK water supply company was breached by a Russian-aligned ransomware group, causing disruption to local residents, including the temporary shutdown of some water treatment facilities.

Using a historic water contamination incident in Finland to quantify potential harms, the DSIT report estimates that malicious actions on operational controls at a single water treatment plant serving up to 100,000 people could have resulted in up to 50,000 residents requiring hospital treatment if drinking water was contaminated, a major public health incident.

Securing the UK economy in 2026

In summary, DSIT's pre-Christmas Operational Technology Cyber Security Study stresses the importance of government support, increased regulation and better information sharing among OT asset owners, security practitioners, government departments and industry.

Compromise of OT systems can impact physical safety and public services, not just result in data modification or loss. Vulnerabilities in OT can cascade across infrastructure, amplifying economic and societal effects, and threats continue to evolve as attackers scan the globe for vulnerable systems.

In response, the UK introduced the Cyber Security and Resilience Bill to Parliament for its first reading on 12 November 2025. The second reading is due in January and it's hoped that the 'Securonomics' vision may soon be supported by a refreshed programme of activity to mature CNI systems security across the country.

At Overcyte, we'll be keeping a close eye on the UK regulatory landscape in the year ahead.
