The vast majority (80%) of critical national infrastructure (CNI) providers in the UK face downtime costs of between £100,000 ($132,144) and £5m ($6.6m) from cyber-attacks that disrupt their operational technology (OT), according to e2e-assure.

The SOC-as-a-service provider polled 250 cybersecurity decision makers in CNI sectors including manufacturing, energy, utilities, transport and retail to better understand the impact of cyber threats.

It claimed that around a quarter (23%) of OT downtime incidents costs businesses over £1m, with 6% exceeding £5m.

That might explain why nearly two-thirds (64%) of those polled said they are afraid of nation-state attacks.

Read more on CNI threats: UK: Regulation Drives Cyber Spending for Critical Infrastructure Orgs.

 “This fear reflects a shift in how cyber-threats are being used, not just for data theft and monetary gain, but to disrupt operations and apply strategic pressure against critical services such as energy, transport and manufacturing,” said Rob Demain, CEO at e2e-assure.

“For OT environments, the impact of this threat is more immediate and tangible than in IT. Industrial systems underpin physical processes, meaning a successful breach can interrupt operations, halt production or affect safety.”

Iran Threat Increases Tension

The threat of OT disruption has arguably increased in recent weeks with the US-Israel bombing of Iran. The country’s hacking capabilities cannot match Russia’s or China’s for scale or sophistication, but it has previously been able to hijack CNI networks.

In 2024, Five Eyes intelligence agencies warned of a year-long campaign where Iranian hackers used password spraying and MFA-bombing techniques to gain a foothold in the networks of healthcare, government, IT, engineering and energy companies.

Last year, a report from the Intelligence and Security Committee (ISC) warned that “it is unlikely that all UK entities are able to detect or defend against Iranian offensive cyber activity.”

OT Systems Are Exposed

E2e-assure warned that nation states often use phishing or compromised credentials as an entry point into IT systems, before pivoting to OT environments. A lack of visibility into malicious activity is hindering response efforts, it added.

Although nearly a third (31%) of responding organizations claimed they can detect breaches within 12 hours, 10% of large enterprises take over a year to remediate incidents, the report noted.

Over two-fifths (44%) said they are "least concerned" about visibility into OT network activity. 

Supply chain compromise is also a major risk factor: 21% of mid-sized organizations reported four or more incidents linked to suppliers or third parties in the past year.

In terms of business impact, reputational damage (25%) and brand or revenue loss (20%) are among the top concerns for security leaders, although in small organizations staff turnover (37%) also figured prominently.