Likelihood: HIGH
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because NCSC's own disclosure establishes that nation-state actors are already responsible for 75% of 200+ confirmed CNI incidents in the prior twelve months, meaning adversarial activity against this sector is statistically continuous rather than episodic: not a prospective threat but a documented current state. Impact is very high because successful compromise of UK CNI (energy, water, transport, telecoms, financial services) carries cascading societal consequences, regulatory intervention, potential loss of operating licence or government contract, and severe reputational damage that cannot be bounded by a single organisation's controls.
Treatment rationale: Avoidance is not operationally feasible for CNI operators, transfer cannot cover operational disruption or regulatory sanction at this scale, and acceptance is inconsistent with the NCSC's explicit reframing of this as a continuous adversarial contest requiring active defence investment; mitigate — through resilience uplift, network segmentation, OT/IT boundary hardening, and threat-intelligence-led detection — is the only treatment that reduces both likelihood and impact within the organisation's control.
Third-Party / Supply-Chain Risk
CNI operators are extensively dependent on OT/ICS vendors, managed service providers, and shared telecommunications and cloud infrastructure; nation-state actors targeting CNI routinely exploit trusted third-party access paths and shared-platform vulnerabilities (consistent with NIST SP 800-161 Tier 1-2 supply chain threat vectors). Organisations should assess whether critical suppliers and operational technology vendors have been subject to the same nation-state campaigns disclosed by NCSC, particularly where those vendors hold privileged access to operational networks or provide software with embedded components in legacy CNI systems.
Loss Exposure (illustrative)
Magnitude: very high — illustrative £10M–£250M+ per material incident for a mid-to-large CNI operator, reflecting operational downtime, emergency response, regulatory investigation, and potential remediation of legacy OT infrastructure; upper end reflects multi-sector cascade scenarios
Frequency: illustrative. Given NCSC's disclosure of 200+ incidents across UK CNI in twelve months, a CNI-sector organisation should plan for at least one significant attempted intrusion per year and a material incident (requiring public or regulatory disclosure) at a frequency of roughly 1-in-3 to 1-in-5 years under the current threat tempo, increasing toward the 2028 AI-exploitation horizon
Annualized: illustrative ALE. Applying the illustrative mid-range loss magnitude of £50M against a 1-in-4 annual event frequency yields an illustrative annualized loss exposure of approximately £12M–£15M for a material CNI incident; this is a planning-order-of-magnitude figure only
Basis: Loss magnitude derived from the operational, regulatory, and remediation cost profile of CNI disruption — OT recovery timelines are substantially longer than IT, regulatory scrutiny of CNI incidents is high under UK NIS Regulations, and legacy infrastructure replacement costs are capital-intensive. Frequency derived solely from the NCSC-disclosed incident count and sector breadth disclosed by Richard Horne on 17 June 2026. No third-party loss databases or vendor reports were used.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• State-sponsored disruption to CNI operations may trigger force majeure or material adverse change clauses in critical service contracts — verify with counsel.
• A confirmed compromise of systems processing personal data in the course of CNI operations may invoke UK GDPR Article 33 breach-notification obligations — verify with counsel.
• Nation-state attribution may engage war or hostile-act exclusion clauses in existing cyber insurance policies, potentially affecting coverage for incident response and business interruption costs — verify with broker and counsel.
• Government contracts tied to CNI supply chains may carry specific security assurance obligations (e.g., Cyber Essentials Plus, NCSC baseline requirements) whose breach in the context of an incident could constitute a contractual default — verify with counsel.