Exposure of the UK’s critical national infrastructure


to cyber-attacks and ransom demands



By Dr R J Chapman

United Kingdom


Those working on a day-to-day basis on critical national infrastructure (CNI) projects may be unaware of the likelihood and potential impact of cyber-attacks on the nation’s CNI or how critical it would be to UK citizens, the economy and national security. In addition, they may be unfamiliar with how UK foreign policy has been received overseas and whether it has unsettled foreign powers to the point where they have threatened or are currently sponsoring attacks on elements of our CNI. Clearly the coming together of evolving international relations and improvements in digital technology is both a global problem but also a potentially more dangerous one[1].  Walker[2] highlighted that given the complexity of projects, more and more specialist disciplines have emerged (and continue to do so) which produces a high level of differentiation. Hence for successful projects, strong integration of these specialisms is required. This is true for the integration of information, technology and cyber security with project design and how completed infrastructure will interface with the internet.

The requirement for this integration is articulated in an article published by Deloitte[3] which states components such as pumps and valves, may now have operational digital sensors or controls connected via computers to the internet. The article goes on to say :

Those digital devices at the edge (sensors, controllers, Internet of Things) are then often linked to the core IT networks (data storage, enterprise software) that may themselves be connected to the wider internet. This convergence of information and operational technology (IT and OT) can make every valve, switch, and pump in a critical infrastructure operation a computer potentially accessible to the internet, vastly increasing the challenge of securing them.

Projects must also take account of adopting or connecting to legacy operational technology (OT) systems, such as electricity substations, transportation control rooms and their associated industrial control systems legacy systems. The Joint Committee on the National Security Strategy (JCNSS) within its November 2018 report[4] highlighted that “these bespoke and often legacy industrial control systems, which were not designed with cyber security in mind, are now increasingly networked and connected to the internet to enable more efficient control and real-time monitoring”.

At a project level there may be no knowledge of the UK government’s recent report issued by the JCNSS[5],[6]. It describes the exposure of the country’s critical national infrastructure (CNI) to ransomware attacks. Over the annals of time, the report may prove to be a landmark publication. It makes for a sobering read. Its key message is stark: “There is a high risk that the Government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking. If the UK is to avoid being held hostage to fortune, it is vital that ransomware becomes a more pressing political priority, and that more resources are devoted to tackling this pernicious threat to the UK’s national security”. Ransomware is considered the number one cyber threat to the nation with the ability to “bring the UK to a standstill” [7]. Given events that have occurred in Germany and the U.S., an attack could potentially affect a large section of the population all at once. It is especially relevant to all those engaged in new critical infrastructure projects. While the report highlights the country is currently ill prepared for a widespread attack, are current infrastructure projects exacerbating the problem?  The purpose of this short paper is to question how well does the report draw attention to the need to ensure specifications (and selected components) of ongoing and planned CNI projects take cognisance of and respond to potential ransomware threats. Additionally, whether the subject warrants further scrutiny by a combination of project sponsors, cyber security specialists, designers and risk analysts.


To read entire paper, click here

How to cite this paper: Chapman, R. J., (2024). Exposure of the UK’s critical national infrastructure to ransomware attacks and ransom demands; PM World Journal, Vol. XIII, Issue II, February. Available online at https://pmworldlibrary.net/wp-content/uploads/2024/02/pmwj138-Feb2024-Chapman-exposure-to-Uks-critical-national-infrastructure-to-cyber-attacks.pdf

About the Author

Robert J. Chapman, PhD, MSc.

United Kingdom


Dr Robert J Chapman is an international risk management specialist. He has provided risk management services in the UK, the Republic of Ireland, Holland, UAE, South Africa, Malaysia and Qatar on multi-billion programmes and projects across 14 different industries. He is author of the texts: ‘The SME business guide to fraud risk management’ published by Routledge, ‘Simple tools and techniques for enterprise risk management’ 2nd edition, published by John Wiley and Sons Limited, ‘The Rules of Project Risk Management, implementation guidelines for major projects’ 2nd edition published by Routledge Publishing and ‘Retaining design team members, a risk management approach’ published by RIBA Enterprises. He holds a PhD in risk management from Reading University and has been elected a fellow of the IRM, CIHT, APM and ICM and is a former member of the RIBA. Robert has passed the M_o_R, APM and PMI risk examinations. In addition, he has provided project and risk management training in Scotland, England, Singapore and Malaysia. Robert has been an external PhD examiner.

[1] Deloitte (2022), “Incentives are key to breaking the cycle of cyberattacks on critical infrastructure. The path to protecting critical infrastructure from cyberattack may lie not through new technology, but through a better understanding and shaping of incentives”. Deloitte Insights Magazine, Issue 30, Summer 2022, Featured Article.
[2] Walker, A (1984) “Project Management in Construction”, Published by Granada.
[3] Deloitte (2022), as footnote 3.
[4] JCNSS (2018) Cyber Security of the UK’s Critical National Infrastructure, Section 2   “Protecting CNI against cyber attack: a ‘wicked’ problem”. https://publications.parliament.uk/pa/jt201719/jtselect/jtnatsec/1708/170805.htm
[5] House of Commons, House of Lords Joint Committee on the National Security Strategy, A hostage to fortune:
ransomware and UK national security, First Report of Session 2023–24, Published on 13 December 2023
[6] The Joint Committee on the National Security Strategy scrutinizes the structures for Government decision-making on national security, particularly the role of the National Security Council and the National Security Adviser.
[7] Ditto