The UK’s National Cyber Security Centre has been consistently clear: hostile states and state-aligned groups represent an enduring, evolving danger to critical infrastructure, and recent incidents make that danger tangible. The Centre’s assessments over the last year identify sophisticated activity linked to China and persistent malicious operations associated with Russia, while also flagging Iran and North Korea as capable and opportunistic threats. These are not abstract warnings. They reflect a pattern of pre-positioning, espionage, ransomware and disruptive activity that targets IT and the bridge to operational technology across sectors the public relies on.
Three converging dynamics explain why the risk to infrastructure is rising. First, nation-state actors and state-aligned groups are using living-off-the-land and long dwell-time techniques to quietly embed in networks, then map and probe OT environments with an eye to future disruption. This behaviour has been documented in multinational advisories and is a significant component of PRC‑linked campaigns observed internationally.
Second, criminal ransomware groups and hybrid proxies continue to exploit legacy systems, weak supply chain hygiene and insufficient segmentation to inflict immediate impact. The June disruption affecting Synnovis, a pathology provider that supports multiple NHS trusts, shows how a single intrusion into a supplier can cascade into postponed operations and diverted clinical workflows while national bodies and law enforcement work to assess and contain the damage. National agencies including the NCSC and the NCA have been involved in the response.
Third, geopolitical pressure amplifies risk. When international tensions rise, so do attempts to gather intelligence, steal data and, in the most concerning cases, pre-position for sabotage or destructive options. That makes telecommunication networks, energy, water, transport and health particularly attractive targets because compromise there can cause real-world harm. The NCSC has repeatedly urged heightened collaboration between government and industry to raise the resilience bar in those sectors.
What this means for defenders is stark and operational. Tactical gains by attackers translate rapidly into strategic risk when defenders do not treat IT and OT as a unified problem. Practical countermeasures that reduce exposure and buy time for response include:
- Enforce strong network segmentation and strict access controls between IT and OT environments. Assume lateral movement will be attempted and harden those control points accordingly.
- Prioritise detection and response for living-off-the-land techniques: telemetry that looks benign can still be malicious when combined with unusual sequences of activity. Threat hunting guided by indicators and behaviours from public advisories must be routine.
- Harden third‑party and supply chain access: require demonstrable cyber hygiene from suppliers, enforce least privilege for vendor connections, and run tabletop exercises that include supplier failure scenarios.
- Maintain immutable, tested backups and a practiced incident response plan. For healthcare and other time-critical services, manual fallback procedures and cross-provider mutual aid plans are essential while digital systems are rebuilt.
- Elevate board-level ownership of cyber risk and fund remediation of legacy systems that remain a common vector of compromise. The technical fixes matter, but leadership and procurement discipline close the loop.
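As an added illustration of the detection point in the list above (example code written here, not from the NCSC or this article), the following Python correlates individually benign, already-categorised admin-tool events per host and user and alerts only when several distinct behaviour categories chain together inside a short window. The telemetry lines, host names, user names and category labels are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not real logs): each line is
# "timestamp|host|user|tool|category", where the category is the
# behaviour label an EDR or SIEM already attaches to the event.
SAMPLE_EVENTS = """\
2024-06-03T08:02:10|ws-17|jsmith|builtin-admin-tool|host_discovery
2024-06-03T08:05:41|ws-17|jsmith|builtin-admin-tool|network_discovery
2024-06-03T08:09:03|ws-17|jsmith|builtin-admin-tool|credential_access
2024-06-03T08:11:27|ws-17|jsmith|builtin-admin-tool|remote_execution
2024-06-03T09:30:00|srv-ot-gw|svc_backup|builtin-admin-tool|host_discovery
2024-06-03T14:10:00|srv-ot-gw|svc_backup|builtin-admin-tool|network_discovery
2024-06-03T21:45:00|srv-ot-gw|svc_backup|builtin-admin-tool|remote_execution
"""
WINDOW = timedelta(minutes=30)   # how close together the steps must be
MIN_DISTINCT = 3                 # distinct behaviour categories to alert on

def parse_events(text):
    """Parse the pipe-delimited telemetry into sorted (ts, host, user, tool, category) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, tool, category = line.split("|")
        events.append((datetime.fromisoformat(ts), host, user, tool, category))
    return sorted(events)

def find_lotl_sequences(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Alert on (host, user) pairs that chain >= min_distinct different behaviour
    categories inside one sliding window; each step alone looks like routine admin work."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[(ev[1], ev[2])].append(ev)
    alerts = []
    for (host, user), evs in by_actor.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1          # slide the window forward
            cats = {e[4] for e in evs[start:end + 1]}
            if len(cats) >= min_distinct:
                alerts.append({"host": host, "user": user,
                               "first": evs[start][0].isoformat(),
                               "last": evs[end][0].isoformat(),
                               "categories": sorted(cats)})
                break               # one alert per actor is enough for triage
    return alerts
```

The second host carries the same chain spread across a day and produces no alert at the 30-minute window; widening the window to a day recovers it, which is the trade-off between catching long dwell-time tradecraft and raising false positives on ordinary administration.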
Policy and operational coordination are overdue complements to these technical steps. The NCSC’s public work with international partners to publish advisories and to call out state-linked campaigns strengthens defenders’ situational awareness, but national resilience requires sustained investment in detection capability, regulatory levers for critical service providers, and clearer playbooks for cross-border law enforcement and recovery. The Synnovis incident underlines that resilience cannot be delegated solely to operators; it is a national imperative.
A short checklist for organisations that support critical services:
1) Run a rapid supplier-impact assessment to identify single points of failure.
2) Verify patch and configuration posture for internet-exposed assets and remote management interfaces.
3) Hunt for living-off-the-land behaviours and anomalous account activity.
4) Rehearse business continuity plans that do not assume instant restoration of digital services.
5) Engage the NCSC and report incidents early; national coordination shortens recovery time and helps limit collateral damage.
The landscape the NCSC describes is not static. Adversaries change tradecraft and motive, and both state and criminal operators will continue to seek revenue, intelligence and strategic options in cyberspace. For defenders that means treating resilience as continuous engineering, not a one-off project. Prioritise telemetry, reduce blast radius, and demand accountability across supplier ecosystems. The consequence of not doing so is not just data loss. It is disruption to essential public services and potential harm to people whose safety depends on connected systems.
No single technical control will stop every actor named in public advisories. The right response is layered: sensible defaults, robust segmentation, active detection, prepared response, and an honest assessment of where single points of failure remain. Take the NCSC’s warnings seriously, map your dependencies, and use the public advisories and national support structures that exist to harden what matters most.