
Nick Ferrari 7am - 10am
6 June 2025, 07:30
Few services are more critical than energy in keeping our society running. April’s mass blackouts, which affected Spain and Portugal’s electricity grids, left millions without power for more than half a day.
The incident exemplified the extent of disruption caused by outages, as towns and cities were plunged into darkness and transport and communications networks were shut down.
While a cyberattack has been ruled out in the Spain case, the cybersecurity risk to all energy networks persists and is in fact growing in line with broader geopolitical tensions.
According to Thales’ Data Threat Report—a global survey of cybersecurity professionals—93% of critical infrastructure companies, including essential utilities such as gas, electricity and water, reported an increase in cyberattacks over the last year, with 42% suffering a data breach of some kind.
An additional warning came in May, with the publication of a report by the UK Public Accounts Committee. It warned that hostile states and criminals have developed their capability to disrupt public services and critical national infrastructure (CNI) faster than the Government expected.
Staying ahead of emerging threats will require energy operators to adopt a mindset of continuous assurance, smarter system design and proactive skills development—going beyond the basics of patching vulnerabilities and merely meeting compliance requirements.
Factors such as the war in Ukraine have elevated the risk to the UK’s energy industry. Malware launched by nation-state groups—or criminal elements employed as proxies—is among the most significant threats to the industry.
These threat actors do not merely intend to compromise CNI networks; they also aim to persist within them. By means of an example, the most recent UK Strategic Defence Review recommended ‘a more substantive body of work’ is required to ensure the security and resilience of CNI, and the services it delivers.
A combination of internal gaps in strategy and cybersecurity capabilities, alongside outdated technology, is leaving critical electrical grids and other energy networks vulnerable.
To this end, Secure by Design is a strategic imperative for resilient energy systems. Security must be integrated from the ground up, yet too often it is treated as an isolated function rather than as an organisational priority.
Each unreported attack—successful or not—is a missed opportunity to refine security strategies, share knowledge and enhance the overall resilience of the sector.
It is not always as simple as merely upgrading or replacing legacy infrastructure. Complete replacement is rarely feasible, so many organisations have linked these older systems to modern platforms, often without implementing adequate security safeguards.
Continuous monitoring, network segmentation and enhanced authentication measures are vital to protecting essential command and control systems.
Systems also need to be built around Digital Trust principles – trusting no user by default until their identity has been authenticated, granting access only to the data they absolutely need, and continuously checking for discrepancies, anomalies and unusual activity.
The often complex supply chains of energy networks add to the challenge. The level of security controls can vary from one organisation to another, creating gaps that threat actors can exploit.
They may be able to gain access to the whole system thanks to the security flaws of one individual component, or unidentified counterfeit goods within the supply chain foster vulnerabilities of their own.
After all, threats do not respect organisational boundaries, and energy companies and their suppliers must collaborate closely to identify and close these security blind spots.
The forthcoming Cyber Security and Resilience Bill is an encouraging step in this direction, as it mandates incident reporting for high-risk sectors and essential infrastructure.
This includes power grids, energy distribution networks and connected industrial systems, thereby enforcing stronger standards across the board.
The value of robust regulatory frameworks in reducing risk is demonstrated by the Thales Data Threat Report, which found that organisations that successfully passed cybersecurity audits experienced significantly fewer breaches than those that did not.
With so much at stake, cybersecurity in the energy sector cannot be taken for granted. As legacy systems are reviewed and integrated with modern digital technologies, understanding how the two interact and how data is shared will be essential to preventing incidents before they occur.
Avoiding future blackouts – as well as safeguarding wider national defence capabilities - depends on having energy resilience. It will require a careful balance of robust policy, proactive security measures and skilled expertise to shift energy providers away from a merely reactive defence towards preparing for what lies ahead.
There is no time to waste.
__________________________
John Cullen is the Strategic Marketing Director for Digital Identity and Cybersecurity at Thales UK
LBC Opinion provides a platform for diverse opinions on current affairs and matters of public interest.
The views expressed are those of the authors and do not necessarily reflect the official LBC position.
To contact us email opinion@lbc.co.uk