NCSC urges CNI to plan cyber response

NCSC has urged UK CNI operators to plan for escalation. The warning follows coordinated attacks on Polish energy infrastructure, and comes as the Cyber Security and Resilience Bill progresses through Parliament.


The National Cyber Security Centre (NCSC) has urged UK critical national infrastructure (CNI) operators to prepare for “severe” cyber threat conditions, citing recent attacks on energy systems in Poland as evidence that disruption is neither theoretical nor distant.

In a LinkedIn post, Jonathan Ellison, Director for National Resilience at the NCSC, wrote: “Cyber attacks disrupting everyday essential services may sound far-fetched, but we know it’s not.” He pointed to coordinated activity in Poland shortly after Christmas, including attempts to disrupt a heat and power plant and multiple renewable generators, and said Polish partners had compared the attempted disruption to arson.

CERT Polska has since published technical detail on the campaign. It reported that on 29 December 2025 attackers targeted more than 30 wind and photovoltaic farms, a manufacturing-sector company, and a combined heat and power plant supplying heat to almost half a million customers. The incident response body described the intent as destructive, likening it to deliberate arson, and said wiper malware was used against the CHP plant’s internal network.

The renewable element focused on grid connection points at substations, according to CERT Polska. Targets included industrial automation equipment such as remote terminal units used for telecontrol, local HMIs, protection relays, and networking hardware including routers and switches. In several cases, the compromise disrupted communication with the distribution system operator and prevented remote control, even though generation continued.

Ellison’s post reiterated the NCSC’s view that preparation has to be done ahead of any escalation, rather than improvised under pressure. He pointed operators to the NCSC’s Cyber Assessment Framework (CAF), which is used across UK CNI sectors to help operators and regulators assess and implement cyber resilience. Ellison highlighted risk management, identity and access controls, and threat hunting as core components, while also stressing resilience and recovery planning as a means of reducing both the likelihood of success and the impact of an attack.

The intervention also sits alongside a tightening regulatory picture. The Government’s factsheet for the Cyber Security and Resilience (Network and Information Systems) Bill sets out changes intended to strengthen the regulatory framework for key sectors, including energy, and to expand and speed up cyber incident reporting requirements. Under the approach described, organisations would be expected to notify the regulator within 24 hours of becoming aware of a significant incident, followed by a more detailed report within 72 hours.

Industry response has focused on the practical constraints of long-life assets and skills availability. Martin Jakobsen, Managing Director at Cybanetix, said CNI operators “often have aging infrastructure due to the long lifespan of investments they make”, which increases complexity because requirements “don’t come ‘off the shelf’”. He added that frameworks and regulation may sharpen board-level focus, but “regulation does not solve skills and resource gaps which will remain even if CNI providers are legally obliged to protect their assets to a government defined standard.”

With Parliament’s Public Bill Committee expected to report on the Bill by 5 March 2026, the near-term priority for operators is likely to remain evidence and execution: demonstrable control of remote access and privileged accounts, clear segmentation and access pathways between IT and OT environments, tested manual workarounds, and recovery plans built on the assumption that destructive activity may coincide with broader disruption.

