Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

NCSC counts 200+ UK infrastructure hits

3 min read
08:46UTC

NCSC chief Richard Horne told RUSI on 17 June that the agency handled more than 200 cyber incidents against UK critical infrastructure in a year, about 75% state-linked.

TechnologyDeveloping
Key takeaway

Britain's cyber agency put a number on the state-backed threat to national infrastructure: 200-plus incidents, mostly hostile states.

Dr Richard Horne, chief executive of Britain's national cyber agency, the NCSC (National Cyber Security Centre), told the RUSI (Royal United Services Institute) annual security lecture on 17 June that NCSC managed more than 200 cyber incidents against UK critical national infrastructure in the year to May 1. RUSI is a London defence think tank; critical national infrastructure covers the energy, water, health, transport, and finance systems a country cannot function without. Around 75% of those incidents were linked to state actors in Russia, China, and Iran, Horne said 2. He warned that vulnerabilities tolerated today will be exploited in conflict tomorrow.

The number does work beyond the headline. It lands as the UK Cyber Security and Resilience Bill moves through Parliament, having cleared the Commons on 10 June without the ransomware-payment regime that fell out at report stage . A bill asking operators to report incidents and meet baseline standards is easier to defend with a named agency putting a count on the threat to the systems it covers. Horne's 200-plus figure, three-quarters of it traced to hostile states, is the evidence base ministers can cite at the Lords stage.

Horne also looked forward, putting AI-enabled exploitation of known flaws at scale by 2028 3. That horizon would be overtaken within days, when the wider Five Eyes alliance compressed the same timeline far harder in a joint statement of its own.

Deep Analysis

In plain English

The NCSC (National Cyber Security Centre) is the UK government body that defends the country's most important infrastructure: power grids, water systems, hospitals, financial networks, and communications. Dr Richard Horne, the NCSC's chief executive, told a security conference on 17 June that his agency dealt with more than 200 cyber incidents against these systems in the year to May 2026. Three-quarters of them were linked to state actors in Russia, China, and Iran. Horne also warned that by 2028, AI tools will allow adversaries to find and exploit weaknesses in critical systems far faster than today. The analogy is an attacker who currently takes weeks to find an unlocked door being replaced by one who tests every door in seconds. The UK's Cyber Security and Resilience Bill, which was heading to the House of Lords the same day, will require more organisations to report such attacks faster.

Deep Analysis
Root Causes

The 75 per cent state-actor rate against UK CNI reflects a structural feature of the current geopolitical environment: Russia, China, and Iran have each developed persistent access to CNI networks as a strategic hedge against conventional conflict escalation. Maintaining persistent access is cheaper and less provocative than developing kinetic CNI attack capability, making it a dominant strategy for states that want leverage without crossing a war-fighting threshold.

The 2028 AI exploitation warning reflects a specific technical development track: the June 2026 Five Eyes joint statement and GTIG's confirmation of the first large language model-written zero-day both compress the horizon for AI-assisted vulnerability discovery. The 2028 date represents NCSC's assessment of when AI-enabled discovery of previously unknown CNI vulnerabilities becomes operationally reliable for adversaries, not when first instances occur.

What could happen next?
  • Consequence

    The 200+ figure provides the UK Cyber Security and Resilience Bill with a quantified domestic evidence base ahead of Lords scrutiny; peers seeking to strengthen mandatory reporting or sector scope provisions now have NCSC-sourced incident data to cite.

  • Risk

    The 2028 AI exploitation warning compresses the security community's planning horizon: product security teams, CNI operators, and regulators must treat 2028 as a hard planning deadline for AI-resilient vulnerability management, not a horizon to monitor.

First Reported In

Update #8 · CISA tears up the KEV deadline rulebook

NCSC· 24 Jun 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.