Threat Analysis | Breaking | 20 June 2026 | 5 min read

UK critical infrastructure hit by 200 cyber incidents in a year, NCSC warns

NCSC chief Richard Horne says the UK faced more than 200 nationally significant cyber incidents against critical infrastructure in a year, with about three-quarters tied to state actors.

Mark Fermor

Director & Co-Founder, Firevault


The UK's critical national infrastructure absorbed more than 200 cyber incidents in the year to May 2026, and about three-quarters of them are believed to be the work of state actors. That is the headline from a speech by Richard Horne, chief executive of the National Cyber Security Centre, delivered at the Royal United Services Institute and reported by The Guardian.

For an island that runs on a tightly coupled mesh of energy, water, health, transport, telecoms and finance, that number is not a statistic. It is a forecast.

What the NCSC actually said

Horne framed the threat as an "ongoing contest with capable adversaries", naming Russia, China and Iran as the states most actively probing the systems behind the United Kingdom's key services. He compared it not to a wrestling match in a defined ring but to a football or basketball game played across the entire pitch, with success depending on how well you operate across the whole field.

The NCSC defines a cyber incident as any attempt to damage, disrupt or gain unauthorised access to computer systems, networks or devices. More than 200 of those, in a single year, touched the operators of national infrastructure or the suppliers that hold them up. Hospitals, power plants, airports and the nuclear deterrent are all in scope.

Horne also warned that advances in artificial intelligence are likely to accelerate the threat, exposing cyber flaws in national infrastructure. He pointed to 2028 as the moment when that pressure is likely to crystallise. His message to organisations was unromantic: concentrate on the fundamentals, and make sure you can recover quickly from an attack.

Why this is a backup problem as much as a defence problem

No operator of critical infrastructure expects to keep adversaries out forever. The realistic objective is to limit the blast radius and to come back online before a service outage becomes a national event.

That is precisely where most estates are weakest. Modern ransomware and destructive intrusion sets target backups first, because attackers know that an operator with a clean, reachable backup is an operator who will not pay. "Immutable" object storage and hardened backup appliances raise the bar, but they remain reachable across the network through identity systems, APIs and management consoles. A sufficiently determined attacker who reaches domain admin reaches the backup plane too.

The NCSC has already published its own Principles for ransomware-resistant cloud backups describing exactly this risk: backups must be resilient to destructive actions, it must not be possible to lock customers out of the system, and there must be a backup of last resort that can be restored from. Those principles are unforgiving, and they are the right standard for critical infrastructure.

The Firevault view

Firevault was built to be the backup of last resort. The gold copy sits in a physically air-gapped module, disconnected at Layer 1 of the OSI model. While offline there is no IP address, no API, no console and no identity path into the data. It is brought online only inside a scheduled, identity-verified connection window managed from a separate plane, and every event is recorded on a tamper-evident audit trail that auditors, insurers and regulators can read.

For a CNI operator that already has hot, warm and immutable backups, Firevault is the layer that survives the day those fail. It will not stop the intrusion. It is the reason the lights, the water or the trains come back on the day after.

What CNI operators should do this week

  • Test a restore from a truly offline copy. Not a snapshot, not a vendor-managed immutable tier — a copy that is physically disconnected from the production estate and identity system.
  • Separate the management plane. The console that controls your backups should not share identity, network or operators with the systems they back up.
  • Schedule identity-verified connection windows. Treat access to the backup of last resort as a distinct workflow, not a continuation of day-to-day admin.
  • Keep the evidence pack ready. Regulators (Ofgem, Ofwat, the ICO, sector CAs under NIS Regulations) will increasingly ask to see proof that a restore is possible. Tamper-evident logs are the easiest answer.
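
One way to combine the first and last items above, as an added example that is not Firevault's or the NCSC's code: each restore test is compared against a manifest of the gold copy and written to an HMAC hash-chained log, so a later edit to any record is detectable. The function names, file paths, timestamps and key are constructed for illustration, and the example assumes the HMAC key is held outside the identity domain that administers the backups.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-MAC value for the first record

def manifest_digest(files):
    """Digest over sorted (path, SHA-256 of content) pairs of a data set."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + hashlib.sha256(files[path]).digest())
    return h.hexdigest()

def _mac(key, prev, body):
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + payload, hashlib.sha256).hexdigest()

def record_restore_test(log, key, when, gold, restored):
    """Append one chained record; return whether the restore matched gold."""
    ok = manifest_digest(gold) == manifest_digest(restored)
    body = {"when": when, "restored": manifest_digest(restored), "matches_gold": ok}
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"body": body, "prev": prev, "mac": _mac(key, prev, body)})
    return ok

def verify_log(log, key):
    """Return the index of the first altered record, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        good = hmac.compare_digest(rec["mac"], _mac(key, prev, rec["body"]))
        if rec["prev"] != prev or not good:
            return i
        prev = rec["mac"]
    return -1

def demo():
    key = b"constructed-demo-key"  # assumption: held outside the backup admin domain
    gold = {"scada/config.db": b"v1", "hist/2026-05.bin": b"data"}  # constructed
    log = []
    first = record_restore_test(log, key, "2026-06-01T09:00Z", gold, dict(gold))
    damaged = dict(gold, **{"scada/config.db": b"corrupt"})
    second = record_restore_test(log, key, "2026-06-08T09:00Z", gold, damaged)
    before = verify_log(log, key)
    log[1]["body"]["matches_gold"] = True  # someone edits a failed test to "passed"
    return first, second, before, verify_log(log, key)

if __name__ == "__main__":
    print(demo())
```

A chain like this exposes edits and reordering but not removal of the newest records, so the latest MAC should also be recorded somewhere the backup administrators cannot write.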

Horne's closing line at RUSI is worth keeping on the wall: "The many vulnerabilities that organisations tolerate today will be exploited in conflict tomorrow. If they are too expensive or hard to fix in peacetime, then they certainly will be in war."

Source: The Guardian — UK critical infrastructure hit by 200 cyber incidents in a year, agency says.

Mark Fermor is the founder of Firevault.

How Firevault helps

  • Offline Secure Storage keeps gold-copy data physically disconnected from the network, so a ransomware or exfiltration event cannot reach it.
  • Control gives boards and operators a single view of what is online, what is isolated, and what is recoverable across the estate.

Talk to Firevault about Disconnect to Protect® for your organisation.

About the author

Mark Fermor

Director & Co-Founder

The driving force behind Firevault's market presence, combining commercial vision with deep tech insight.


    © 2026 Firevault Limited. Disconnect to Protect®