Integration of cyber resilience within energy projects


forming the UK’s critical national infrastructure



By Dr R J Chapman

United Kingdom


This paper is a development of the themes described in the previous PM World Journal Featured Paper titled “Exposure of the UK’s critical national infrastructure to cyber-attacks and ransom demands” published in February 2024[i]. Relevant aspects of the previous paper are drawn on and included here to aid establishing the background to the subject. Further research has shown that the spotlight needs to be kept on the integration of cyber resilience within new Critical National Infrastructure (CNI) projects. Projects need to be made aware of the scale, source and nature of cyber threats; the potential impact of cyber incidents; and hence the necessity to embed cyber resilience throughout each phase of the lifecycle of new CNI projects. However, navigating the literature, guidance and legislation is a very considerable challenge. The goal of this paper is to describe the cyber landscape; the requirements for embedding cyber security within energy projects; and an approach to resilience given their significance to society; and the economy.

The nature of the problem

According to the Cabinet Office, Cyber-attacks against the UK Government and CNI operators nationally have “grown in sophistication, complexity and severity”[ii]. In addition, due to the limited success of current cyber resilience initiatives, efforts have “not yet fundamentally altered the risk calculus of attackers who continue to successfully target the UK and its interests[iii]”. Taking a broad perspective, malign actors have a range of motives for instigating cyber-attacks against the UK, such as the theft of intellectual property; criminal, commercial, financial and political gain; and sabotage and disruption through disinformation. Unfortunately, attackers have developed capabilities that evade mitigations and increasingly sophisticated cyber tools. Related enablers have been commoditised in a growing cyber ‘industry’, and the lowering of barriers to entry for all types of malicious actors. A further factor is that threat actors may well take an industry sector view when developing their attacks whilst CNI organisations will naturally be focussed on their own business scope, which may lead to a suboptimal approach to cyber security risk management.  In addition, rewards are increasing as the ability of actors to steal and encrypt valuable data and extort ransomware payments continues to grow, disrupting businesses and key public services.

International perception of exposure to cyber attacks

There is evidence from around the world that critical infrastructure is subject to cybercrime. For instance, the World Economic Forum Global Risks Perception Survey 2022-2023 included cyberattacks on critical infrastructure among their top risks for 2023 with the greatest potential impact on a global scale. The survey brought together insights from over 1,200 specialists from across the World Economic Forum’s diverse network. In addition, the World Economic Forum’s Insight Report entitled “Global Cybersecurity Outlook 2023” found that 91% of all respondents considered that a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years.

The perception of exposure to cyber-attacks is no doubt due to the global reach of relentless media reports on cyberattacks. For instance, in 2019 the Nuclear Power Corporation of India Limited confirmed the Kudankulam nuclear power plant had been hacked using malware[iv]. In May 2021, a ransomware attack against the Irish Health Service Executive (HSE) disrupted Irish healthcare IT networks and hospitals for over 10 days, causing significant consequences to patients and their families. Some stolen patient data was also published online. The HSE, which provides health and social care services in Ireland, shut down national and regional networks the same day to contain the incident. Malicious cyber activity was also detected on the Irish Department of Health’s (DoH) network. In addition, the attack had an impact on Northern Ireland, affecting the ability to access data held by HSE for some cross-border patient services.

In the same year the US fuel pipeline operator Colonial Pipeline, which supplied almost half of the East Coast’s fuel, shut down its network following a cyberattack[v]. On April 17, 2022, multiple institutions of the government of Costa Rica, (estimated to be over 30), were targeted by a ransomware attack. The government had to shut multiple computer systems used to declare taxes and for the control and management of imports and exports, causing enormous losses. It is reported that Costa Rica required technical assistance from the United States as well as Israel, Spain and Microsoft to deal with the cyberattack.


To read entire paper, click here

How to cite this work: Chapman, R. J. (2024). Integration of cyber resilience within energy projects forming the UK’s critical national infrastructure, PM World Journal, Vol. XIII, Issue VI, June. Available online at https://pmworldlibrary.net/wp-content/uploads/2024/06/pmwj142-Jun2024-Chapman-Integration-of-cyber-resilience-within-UK-energy-projects.pdf

About the Author

Robert J. Chapman, PhD, MSc.

United Kingdom


Dr Robert J Chapman is an international risk management specialist. He has provided risk management services in the UK, the Republic of Ireland, Holland, UAE, South Africa, Malaysia and Qatar on multi-billion programmes and projects across 14 different industries. He is author of the texts: ‘The SME business guide to fraud risk management’ published by Routledge, ‘Simple tools and techniques for enterprise risk management’ 2nd edition, published by John Wiley and Sons Limited, ‘The Rules of Project Risk Management, implementation guidelines for major projects’ 2nd edition published by Routledge Publishing and ‘Retaining design team members, a risk management approach’ published by RIBA Enterprises. He holds a PhD in risk management from Reading University and has been elected a fellow of the IRM, CIHT, APM and ICM and is a former member of the RIBA. In 2007 Andrew Bragg (APM Chief Executive at the time) formally confirmed he has exceptional risk management skills. Robert has passed the M_o_R, APM and PMI risk examinations. In addition, he has provided project and risk management training in Scotland, England, Singapore and Malaysia. Robert has been an external PhD examiner.

To view other works by Dr. Chapman, visit his author showcase in the PM World Library at https://pmworldlibrary.net/authors/robert-j-chapman-phd/

[i] Chapman, R. J., (2024). Exposure of the UK’s critical national infrastructure to ransomware attacks and ransom demands; PM World Journal, Vol. XIII, Issue II, February. https://pmworldlibrary.net/wp-content/uploads/2024/02/pmwj138-Feb2024-Chapman-exposure-to-Uks-critical-national-infrastructure-to-cyber-attacks.pdf
[ii] UK Government (2022) Policy paper, National Cyber Strategy 2022, Updated 15 December 2022, https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022#pillar-5-countering-threats.
[iii] Ditto
[iv] Financial Times (2019) “India confirms cyberattack on nuclear power plant” , October https://www.ft.com/content/e43a5084-fbbb-11e9-a354-36acbbb0d9b6
[v] World Economic Forum (2021) “What the cyber-attack on the US oil and gas pipeline means and how to increase security”. https://www.weforum.org/agenda/2021/05/cyber-attack-on-the-us-major-oil-and-gas-pipeline-what-it-means-for-cybersecurity/