Last week, we brought together over 130 of the UK’s cyber security leaders across Critical National Infrastructure (CNI) organisations for our second CNI Cyber Security Summit. The event, hosted in central London on March 20th, facilitated a wide range of discussions about how we can work together to secure the future of UK CNI.
Following our inaugural CNI Cyber Security Summit in 2024, this year’s event featured a broader range of speakers, including representatives from the NCSC, Ofgem, the Office for Nuclear Regulation (ONR), Microsoft, and more. We also dived deeper into the specific challenges faced by CNI sectors, including aviation and energy, and hosted four interactive workshops for attendees to talk through key themes affecting the CNI space.
Read on for more information about each of our talks, panels, and breakout sessions.

Collaborating Against Critical Threats
Throughout the day, we were joined by guest speakers from across CNI who elaborated on this year’s topic: ‘collaborating against critical threats’.
NCSC | Building Our Defensive Capabilities
First to take the stage was a senior representative from the NCSC, who looked at how CNI organisations can build their collective defensive capabilities. His talk shared findings from the NCSC’s adversary simulation team, who have carried out engagements across various CNI sectors, including transport, energy, and defence.
These engagements found a direct correlation between inadequate security measures and the extent of compromise, particularly in core networks, as well as an overemphasis on detection capabilities against specific tools rather than a comprehensive defensive detection approach.
Other issues highlighted by their adversary simulation engagements were a lack of segregation between legacy software/platforms and corporate domains, a lack of privileged access management, and overconfidence from organisations with strong phishing defences in their overall resilience.
Based on these findings, the NCSC recommended CNI organisations undertake adversary simulation testing, understand their organisational exposure, shift their approach to resilience, and collaborate with their peers to form effective defence communities.
Office for Nuclear Regulation (ONR) | Regulating High Risk CNI

Following this, we were joined by Paul Fyfe, Deputy Chief Nuclear Inspector, who looked at how regulators and operators can collaborate to drive maturity. In his talk, he presented a detailed case study on Sellafield, the first and only prosecution to date from the ONR.
Using this case study, Paul underlined the importance of building and maintaining relationships between and within operators and regulators, facilitating regular dialogues between inspectors, line management, and senior regulators. He emphasised the need for clear communications and a shared understanding between operators and regulators on what needs to be protected and what security outcomes are expected.
Paul also explained the ONR’s outcome-based approach to regulation, and how this provides more flexibility for organisations to achieve positive outcomes.
“Outcome-focused regulation has enhanced dutyholders’ understanding of risk, improved organisational security culture and encouraged innovation and efficiencies. Collaboration between dutyholders and ourselves as the independent regulator is essential to achieve shared goals around proportionate cyber security and compliance with the law.”
Cyber Security in CNI Research

Lauren Powell, Client Lead, was next on stage as she shared some highlights from our Cyber Security in CNI 2025 research. In her presentation, Lauren shared her insights into the reasons behind and consequences of:
- 98% of UK CNI organisations reporting security challenges
- 41% naming ‘data protection and privacy’ as one of their top five challenges
- 37% bearing costs of more than £500,000 following a ransomware incident
With our research surveying over 600 individuals responsible for cyber security across CNI organisations, these findings reinforced many of the themes later discussed by our guest speakers.
SSE | A CISO's Perspective of Driving Cyber Security Improvements Across CNI

We were also joined by Christine Maxwell, Group Chief Information Security Officer, SSE. In her talk, she shared a CISO’s perspective of how to drive cyber security improvements across CNI.
Sharing insights from her career, including her senior roles across RBS, BP, and the Ministry of Defence, she emphasised the importance of attracting and retaining talent in cyber security. She also stressed the need for personal development beyond technical skills, looking at business skills such as leadership, strategy development, and stakeholder management.
Christine also warned of the over-reliance on scare tactics to secure funding and called for strategic cyber threat intelligence to inform organisations’ security strategies, ensuring CNI organisations had a real, contextual understanding of risk that informs their strategies.
On the theme of collaboration, Christine also added that CNI CISOs should come together to share their challenges and experiences. In doing so, they can learn from each other and avoid starting from scratch when they face similar issues.
National Air Traffic Services (NATS), Civil Aviation Authority (CAA), Manchester Airport Group (MAG), Gatwick | Securing the Skies - Aviation Panel
In the afternoon, we brought together cyber security leaders in the aviation space for a panel discussion on countering the threats currently facing the aviation sector. The panel consisted of Joe Dauncey, CISO, NATS; Megan Poortman, Head of Cyber Security, Gatwick; Pete Williams, CISO, MAG; and Simon Sheeran, Head of Cyber Security Oversight, CAA.
Our panel looked at the evolving regulatory landscape for aviation, discussing the challenges of working with multiple cyber security frameworks and legislations as well as how the CAF has driven significant improvements in cyber maturity across the industry. The upcoming Cyber Security and Resilience Bill was also a point of discussion, aligning UK aviation with European reforms but potentially adding more complexity for organisations to navigate.
Later, the conversation moved on to the importance of engaging the board with cyber security and promoting cyber awareness, with our speakers affirming the value of a culture where anyone can feel comfortable pointing out that something isn’t safe. Transparency and openness were emphasised as key to addressing safety and security concerns.
Collaboration was also raised as a vital component in securing UK aviation, with our speakers praising the fact that the aviation sector doesn’t look to compete when it comes to security, as well as the general willingness to share insights and best practices. Our panel called for this to continue to further improve safety and security in the future.
AI and Quantum: Fad, Friend, or Foe?

Kieran B., Head of Security Engineering, was next on stage as he discussed the significance of AI and quantum to the future of cyber security. Educating the audience on how the two are being used, he first dived into where AI is being used today, including Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
Moving on to quantum, Kieran then broke down how quantum computing works, the risk it poses to current methods of cryptography, and how this impacts legacy systems, OT and custom-developed software.
Microsoft | How Threat Actors Are Sabotaging From Within

Next on stage was Paul Roberts, Global Technical Security Specialist at Microsoft, who looked at how threat actors are sabotaging CNI from within. His presentation looked at the risk posed by insider threats, particularly in relation to IT-OT convergence, and what CNI organisations can do to address their IT/OT challenges. Among these challenges were enabling a digital business while minimising risk, gaining visibility into IoT/OT risk, and centralising IT/OT monitoring and governance within SOCs.
Paul shared his view on the types of insider threat that are commonly overlooked in the OT space. Negligent insiders were his top concern, as he shared insights into how a typical employee may disable security controls in order to improve their ease of use without any awareness of the consequences this could have for OT security. In response to the risk posed by negligent insiders, Paul also pointed to the role of improved ICS training and network segmentation.
Forescout | When IT Met OT

Building on our theme of IT and OT, Rik Ferguson, VP of Security Intelligence at Forescout, talked about the vulnerabilities, cyber threats, and chaos that can result from IT-OT convergence. Setting the scene, Rik looked at notable ransomware groups from the last year, the evolving infostealer market, and the prominence of attacks on edge devices.
Considering the challenges facing CNI, Rik recommended Zero Trust as an effective counter that established visibility as a foundation for security, helping identify actors in the enterprise, assets owned by the enterprise, and key processes. Rik went on to explain the pillars of zero trust and how to progress your organisation along the zero trust maturity journey.
Northern Gas Networks | Maturing Security Operations in an Increasingly Volatile World

Our second panel discussion of the day was with Northern Gas Networks (NGN) who discussed how they had matured security operations in an increasingly volatile world. Joined by Bridewell’s Mark Cathro, Customer Success Manager, and Gavin Knapp, CTI Principal Lead, they dived into their biggest cyber security challenges at present, how the threat landscape has changed over the last year, and how this has impacted NGN’s security operations.
Echoing Christine Maxwell’s guidance earlier in the day, cyber threat intelligence emerged as one of the biggest recommendations from NGN, helping them stay ahead of changing threats and understand the threat actors most relevant to their organisation.
Breakout Sessions
To dive further into some of the key themes of the day, the summit then split out across four breakout sessions.

1. Securing IT and OT: Threat Insights, Tools, and the Path to Resilience
This session looked at approaches to securing OT environments, with discussions amongst participants on the strategies, skillsets, and tools needed to increase resilience.
2. Using the CAF to Defend Against Real World Threats
Looking at practical applications of the CAF, our delegates discussed how it can be used to enhance defences against real world threats.
3. Adversary Infrastructure Tracking and Threat Detection Automation
Our delegates looked at the tradecraft required to investigate and track adversary infrastructure, with our CTI team walking through several practical threat hunts to uncover both APT and criminal infrastructure.
4. AI and Data Privacy – How to Stay Compliant
Our data privacy team led a discussion among attendees on how they can make the most of AI within their organisation while remaining compliant with relevant regulations and legislation.
Securing the Future of UK CNI

Closing out the event, we had Mandy Hickson, a former RAF pilot, entrepreneur and motivational speaker, who engaged the audience with her talk ‘Choose Your Flight Path’. Our delegates then relaxed with cocktails and canapés, with two attendees winning our prize draw.
We’d like to express our thanks to all our speakers and attendees who joined us at the summit last week, as well as our sponsors Forescout and Microsoft. It was great to host so many important discussions around CNI and we look forward to advancing the conversation further at next year’s summit.