
CNI Attacks: What to Expect in 2025

What threats will plague CNI this year and how can security leaders manage this? 

Attacks on critical national infrastructure (CNI) such as energy and the healthcare sector are growing. According to the 2024 Thales Data Threat Report, 93 percent of CNI organisations saw a rise in cyber-attacks over the last year, and 42 percent of those suffered a data breach.  

Meanwhile, the UK National Cyber Security Centre (NCSC) reported that 2024 was a record-breaking year for significant cyber-attacks affecting UK critical infrastructure.

Because of the devastation such attacks can cause, CNI is increasingly being targeted by nation-state attackers. In 2024, warnings were issued by the likes of the NCSC and its US counterpart, the Cybersecurity and Infrastructure Security Agency (CISA), that Russia and China are targeting critical services to cause as much disruption as possible.

In 2025, things are set to ramp up further. So, what threats will plague CNI this year, and how can security leaders manage this? 

CNI attacks will grow and evolve  

Experts agree that CNI-based attacks will continue to grow this year. Karl Holmqvist, founder and CEO, Lastwall, predicts “an escalation” of attacks on CNI. “In 2025, cyber-attacks on critical infrastructure will intensify, targeting sectors such as energy grids, water supply systems and communication networks.”

Attacks will be driven by a range of factors, including geopolitical tensions, says Holmqvist. “These attacks will disrupt essential services and erode public trust.” 

At the same time, the nature of attacks on CNI will evolve, experts predict. Insurance and financial systems will continue to be focal points for attacks, but in 2025, critical infrastructure operations and corporate data will become a higher priority for nation-state adversaries, says Cynthia Overby, director of security, customer solutions engineering at Rocket Software. “These attacks will no longer focus on ransomware using forward facing web applications, but on power grids and corporate data stored on critical hardware.”

Trevor Dearing, director of critical infrastructure at Illumio, is more specific, predicting “a major attack on CNI like energy that will cripple essential services and halt basic operations for days”.

“The impact could lead to unprecedented public disruptions such as power outages and massive hospital evacuations, forcing a rethink by government and industry about cyber resilience and how we protect and operate essential services,” Dearing warns. A new approach, similar to a “DORA for energy”, may emerge, calling for “a coordinated secure-by-design model”, he says.

Matt Aldridge, principal solutions consultant at OpenText Cybersecurity, predicts “a major outage” within one or more critical infrastructure sectors during 2025. “Great work is being done to assess the full scope of critical dependencies at national level, but much is yet to be completed in this area. Unfortunately, the extensive continued use of legacy infrastructure leaves great exposure to risk.”

State-sponsored attackers will increasingly target CNI 

State-sponsored cyber-attacks are no longer just targeting data; they are preparing to cripple critical national infrastructure, says Phil Lewis, SVP of market strategy and development at Titania. The Volt Typhoon and Flax Typhoon attacks, originating from China, represent “a new frontier in cyber warfare where attackers aren’t seeking financial gain or intellectual property, but disruption and destruction”, Lewis says. 

“These highly-sophisticated campaigns focus on infiltrating CNI across the globe, with the sole goal of wreaking economic and societal havoc.” 

Adding to complexity, attribution of CNI attacks will be increasingly difficult in 2025. “The line between state and criminal operations will continue to blur further, making it increasingly challenging to attribute attacks,” says Douglas McKee, SonicWall executive director of threat research.

Regulation will take centre stage 

2025 will see firms “make or break critical infrastructure regulations”, says Christian Borst, EMEA CTO, Vectra AI. CNI providers will face “immense pressure” to catch up on compliance with regulations such as the Network and Information Systems Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA) before attackers can take advantage, he says. 

Regulatory changes will be a major focus in 2025, agrees Scott Hudson, principal consultant at Bridewell. “The NIS2 Directive will impact both EU companies and UK organisations providing services in the EU, while DORA’s influence will be felt beyond the financial sector.”

In the UK, the incoming government has committed to bring forward new legislation that will extend cybersecurity requirements to additional sectors, and grant greater powers to regulators, Hudson says. “Keeping ahead of the evolving regulatory landscape will remain a challenge across many industries.” 

Data centres will face new security challenges  

An interesting development in 2024 was the classification of data centres as CNI. Taking this into account, in 2025, data centre owners and regulators will focus on “improving, and proving security”, says Piers Wilson, head of product management at Huntsman Security. “On one side, companies will intensify their efforts to strengthen protection, while on the other, we can expect increased regulatory scrutiny, with new requirements and certifications emerging.”

While security will improve, it's “impossible to air-gap a data center”, Wilson points out. With this in mind, he predicts “a more sophisticated approach to ensuring the correct configuration and management of controls for both people and data”.

Mitigating attacks on CNI in 2025 

There’s no doubt attacks on CNI will continue, so businesses operating in the sector need to be alert. Age-old problems will continue to plague critical infrastructure, due to the legacy systems and operational technology (OT) environments that much of the sector relies on.  

Many manufacturing and industrial facilities continue to rely on legacy OT systems that were not designed with cybersecurity in mind, says Carlos Buenano, CTO for OT at Armis. “These systems often lack encryption, proper authentication mechanisms, and patch management capabilities, making them easy targets for cyber-criminals.” 

Taking this into account, securing critical infrastructure including OT and industrial control systems (ICS) should be “a key priority” for CISOs in 2025, says Phil Tonkin, field CTO at Dragos. “UK operational technologies need to be bolstered to protect against attack and deter threat actors.” 

He recommends the SANS Institute’s Five ICS Cybersecurity Critical Controls, a framework that includes a “flexible, impactful set of measures designed specifically for prevention, detection and response to cyber incidents in industrial environments”. 

Supply chains are also an important factor to consider when securing CNI in 2025. James Neilson, SVP of international at OPSWAT, predicts “even more sophisticated and impactful attacks, targeting not just individual companies, but the interconnected networks of suppliers and partners that support them”.

“Attackers will target OT within supply chains for critical sectors like energy, utilities, and manufacturing, which are increasingly digitised but often lack robust security controls,” Neilson predicts. 

“Threat actors will compromise OT suppliers or contractors, using them as conduits to introduce malware that disrupts operations or damages physical infrastructure. Such attacks could result in power outages, halted production lines or risk-to-life events.” 

Kate O'Flaherty, Cybersecurity and privacy journalist