Skip to content


  • Add this article to your LinkedIn page
  • Add this article to your Twitter feed
  • Add this article to your Facebook page
  • Email this article
  • View or print a PDF of this page
  • Share further
  • Add this article to your Pinterest board
  • Add this article to your Google page
  • Share this article on Reddit
  • Share this article on StumbleUpon
  • Bookmark this page

How to secure critical national infrastructure against cyber-attacks

In February 2020, a ransomware attack shut down a US natural gas compressor station for two days. A month later, another accessed schematics and drawings related to two power plants in Missouri, as well as data from a coronavirus testing centre maintained by Hammersmith Medicines Research in the UK. These breaches highlight the need for critical national infrastructure to be cyber secure. In our experience, there are six steps to protecting operational technology (OT):

1. Establish and maintain an inventory of OT network equipment and systems

You can’t protect what you don’t know you have. You need to establish effective asset management and collate up to date inventory databases of installed hardware and software. Together, this will inform risk management practices, such as patching, when new vulnerabilities arise.

2. Segregate IT and OT networks

It’s essential to maintain robust network segregation between IT and OT. Malicious software such as IT-targeting ransomware can have an operational impact if it can access IT-type devices on an OT network. Increasing use of IT to support operations means the boundary between IT and OT is becoming blurred, often resulting in a loss of physical segregation. That means maintaining logical segregation is critically important.

Segregation options include technical or logical solutions such as firewalls, data diodes, step-down servers, de-militarised zones and uni-directional gateways. It’s a question of understanding the rationale that’s driving the connectivity and implementing an appropriate solution to provide the required information while protecting the operational services.

3. Maintain staff awareness of potential threats and attack vectors

The attack on the US natural gas compressor station happened because a member of staff clicked on a link in a spear phishing email. This emphasises the need to maintain security awareness to augment technical and preventative network controls. So, assess what training each of your people needs to build a positive security culture. For example, we have a portable demonstrator that we use with clients to increase awareness of OT cyber security risks by simulating phishing attacks.

4. Patch, patch and patch again

Patching is a challenging subject for operational networks with limited maintenance time and complex safety or change processes. But the principle of knowing what patches are available for the devices on your operational networks and what vulnerabilities those patches address is crucial. This allows for a risk-based assessment to offer a prioritised patch list you can implement on an opportunity or planned basis. In many cases, just knowing about the vulnerability and comparing that with inventory databases can make it possible to deploy alternative mitigations, such as virtual patching on boundary devices or temporary segregation.

5. Backup systems

Reliable, proven backups are essential to cyber resilience. If technical and procedural backups aren’t fit for purpose, regularly tested and secure, you could face financial, regulatory and reputational impacts as it will take longer to recover from incidents. So, create a process and regularly test backups for integrity so you can quickly recover systems.

6. Plan, prepare and test your responses to a cyber incident

Response planning tends to focus on physical disruption. As a result, there’s usually only a limited pre-planned response to cyber-attacks, and a severe lack of awareness about their potential impacts. There must be a tested incident response plan, informed by the OT security risks, that’s kept up to date to ensure recovery from an incident is as effective as possible.

Operational technology must be cyber secure

The stakes are high. A cyber-attack on OT networks and systems can have devastating safety, financial, regulatory and reputational consequences. Advanced planning and preparation, and the continual assessment and assurance of security controls, can significantly reduce the impact of a successful cyber security attack and accelerate recovery.

Helping to protect and grow your organisation in a digital world

Find out more

Contact the authors

Contact the digital trust and cyber security team

Adam Stringer

Adam Stringer

Cate Pye

Cate Pye

Elliot Rose

Elliot Rose

Justin Lowe

Justin Lowe


By using this website, you accept the use of cookies. For more information on how to manage cookies, please read our privacy policy.