As the UK’s vital services face escalating digital threats, the role of intelligent automation in cybersecurity has become paramount. Chris Jacob, VP, Global Field Operations at ThreatQuotient, outlines why proactive, automated defences are crucial for safeguarding the critical national infrastructure that powers the nation.
Ask anyone who was scheduled to fly in or out of London Heathrow airport in the UK on March 20 and 21 2025, and they’ll tell you that disruption to critical national infrastructure (CNI) is no joke. A fire at a local electricity substation resulted in thousands of journey disruptions and cancellations as one of the world’s busiest airports was closed and incoming planes were diverted to alternative locations.
The knock-on effect of the closure continued for days and cost the UK tourism revenue. This was not a malicious attack, but it showed just how vulnerable major infrastructure is to disruption and that you cannot plan for every eventuality. It is safe to assume that malicious actors were watching with interest to see how much trouble is caused when a major transport hub goes down.
Of course, today, systemic disruption is just as likely to arise in the digital networks that underpin CNI. They are an attractive target for nation-state actors and cyber criminals precisely because of the scale of disruption an incident can cause, and they pose a direct threat to the citizens and systems that rely on them for services such as health, utilities and transport. In the past year alone, the UK’s National Health Service suffered widespread disruption to pathology services in London following a ransomware attack on key supplier Synnovis.
In the US, an unprecedented joint advisory issued with the NSA, the FBI and partner agencies from the Five Eyes countries saw the Cybersecurity and Infrastructure Security Agency (CISA) warn that the People’s Republic of China-backed Volt Typhoon group had compromised networks across the country’s communications, energy, transportation and water and wastewater sectors, pre-positioning for potential disruptive attacks.
Strengthening CNI Digital Resilience: Regulation and Awareness
National and regional authorities are acutely aware of the risks associated with vulnerable digital infrastructure. An attack originating in a single CNI organisation – or one of its suppliers – can quickly escalate across networks and borders. As a result, there has been a flurry of recently implemented regulations designed to strengthen operational resilience in organisations that are central to public service provision.
In Europe, the second Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act (DORA) between them cover CNI providers and the financial sector, including their supply chains. These regulations require organisations to meet defined cyber security standards and to report cyber incidents rapidly, and they encourage participation in threat intelligence sharing arrangements to raise awareness and achieve a collective improvement in cyber security.
Cybersecurity automation: Unlocking productivity for CNI SOCs
Within this intense threat and regulatory environment, Security Operations Centres (SOCs) are on the front line, attempting to anticipate, detect and neutralise threats while adhering to the best practices required by regulations – and meeting their own high-performance standards. It is a heavy load, with teams handling thousands of data points and alerts. Burnout is often a problem.
Tipping the balance back in the SOC team’s favour is essential, and cybersecurity automation is the primary route to achieving this. Automating labour-intensive activities such as incident response, phishing analysis and alert triage lifts a considerable burden from SOC analysts, allowing them to concentrate on higher-value activities.
ThreatQuotient has been tracking cybersecurity automation across different vertical sectors in the UK, USA and Australia since 2021, including in CNI. Over that time, CNI organisations have increased the importance they place on cybersecurity automation. Eighty-one percent of respondents from that sector rate it as important – a figure that has risen ten percent over the past two years.
The primary driver for adoption by CNI organisations is to improve or maintain security standards – something this sector feels more strongly about than other industries, such as retail and central government. Regulation and compliance are also key drivers, which reflects the intensifying regulatory environment.
Cybersecurity automation use cases that add value for CNI organisations
CNI teams are more likely than those from other sectors to be using automation in threat hunting, which reflects the necessarily proactive approach CNI must take to identify threats before they materialise. Similarly, they are more likely than other respondents to be using automation to manage the high volume of threat intelligence they receive daily: deduplicating indicators that arrive from several feeds, normalising their formats and prioritising them so that analysts see the most relevant ones first.
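The two automation use cases above, alert triage and managing daily threat intelligence volume, come down to the same mechanics: normalise indicators from several feeds into one canonical form, merge duplicates, weight them by source confidence and recency, and match the result against incoming alerts. The following script is an added example written for this article; it is not ThreatQuotient’s code or a description of its platform. The feed records, source weights, half-life, fixed clock and alert lines are all constructed for the illustration, and a real SOC would tune the weights and threshold to its own sources.

```python
"""Automated triage of a multi-feed threat-intelligence backlog.

Added example for this article, not ThreatQuotient's code. Every feed
record, source weight and alert line below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress
import re

# Assumed per-source confidence (0..1); a real SOC would tune these.
SOURCE_WEIGHT = {"isac": 0.9, "vendor_feed": 0.7, "osint_blog": 0.4}
NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed feed records: (source, raw indicator as received, sighting date).
# The same domain arrives three times in three different formats.
FEED = [
    ("isac", "hxxp://evil-update[.]example/payload.exe", "2025-03-28"),
    ("vendor_feed", "EVIL-UPDATE.example", "2025-03-30"),
    ("osint_blog", "evil-update.example", "2025-01-05"),
    ("vendor_feed", "203.0.113.45", "2025-03-31"),
    ("osint_blog", "203.0.113.45", "2025-03-31"),
    ("osint_blog", "198.51.100.7", "2024-10-01"),   # old, single low-confidence source
    ("isac", "D41D8CD98F00B204E9800998ECF8427E", "2025-03-25"),
]


def refang(value):
    """Undo common defanging so the same indicator from different feeds compares equal."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def normalise(raw):
    """Return (type, canonical value), or None if the token is not a recognised indicator."""
    v = refang(raw.strip().lower())
    m = re.match(r"^https?://([^/:]+)", v)
    if m:                      # for a URL keep only the host; the path is too volatile
        v = m.group(1)
    try:
        return "ipv4", str(ipaddress.IPv4Address(v))
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", v):
        return "hash", v       # MD5 / SHA-1 / SHA-256
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", v):
        return "domain", v
    return None


def score(sources, last_seen, half_life_days=30):
    """Combine source confidence (noisy-OR) with an exponential recency decay."""
    p_benign = 1.0
    for s in sources:
        p_benign *= 1.0 - SOURCE_WEIGHT.get(s, 0.2)   # unknown feeds get a low default
    age_days = (NOW - last_seen).days
    decay = 0.5 ** (age_days / half_life_days)
    return round((1.0 - p_benign) * decay, 3)


def build_prioritised_list(feed=FEED):
    """Merge raw feed records into one scored indicator each, highest priority first."""
    merged = defaultdict(lambda: {"sources": set(), "last_seen": None})
    for source, raw, seen in feed:
        parsed = normalise(raw)
        if parsed is None:
            continue
        seen_dt = datetime.fromisoformat(seen).replace(tzinfo=timezone.utc)
        entry = merged[parsed]
        entry["sources"].add(source)
        if entry["last_seen"] is None or seen_dt > entry["last_seen"]:
            entry["last_seen"] = seen_dt     # most recent sighting drives the decay
    ranked = [
        {"type": t, "value": v, "sources": sorted(e["sources"]),
         "score": score(e["sources"], e["last_seen"])}
        for (t, v), e in merged.items()
    ]
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


# Constructed SIEM alert lines to triage against the prioritised list.
ALERTS = [
    "2025-04-01T08:00:01Z proxy host=ws-17 dst=evil-update.example action=allowed",
    "2025-04-01T08:00:05Z fw src=10.0.4.2 dst=203.0.113.45 dport=443 action=allowed",
    "2025-04-01T08:00:09Z proxy host=ws-03 dst=intranet.corp.example action=allowed",
    "2025-04-01T08:00:12Z fw src=10.0.4.9 dst=198.51.100.7 dport=80 action=blocked",
]


def triage(alerts=ALERTS, threshold=0.5):
    """Tag each alert with its best-matching indicator: escalate, review, or close."""
    index = {(r["type"], r["value"]): r for r in build_prioritised_list()}
    verdicts = []
    for line in alerts:
        best = None
        for token in re.findall(r"[\w.:-]+", line):   # split on '=' and whitespace
            hit = index.get(normalise(token))
            if hit and (best is None or hit["score"] > best["score"]):
                best = hit
        if best is None:
            verdicts.append(("close", None))
        elif best["score"] >= threshold:
            verdicts.append(("escalate", best["value"]))
        else:
            verdicts.append(("review", best["value"]))   # stale or low-confidence match
    return verdicts


if __name__ == "__main__":
    for r in build_prioritised_list():
        print(f'{r["score"]:.3f}  {r["type"]:<7} {r["value"]}  <- {",".join(r["sources"])}')
    for verdict, value in triage():
        print(verdict, value)
```

Two design points are worth noting. Noisy-OR combination means three independent feeds reporting the same domain raise its score above any single feed’s confidence, which is the signal an analyst wants surfaced first. The recency decay handles the opposite edge case: a months-old indicator from one low-confidence source still matches traffic, but it lands in the review queue rather than generating an escalation, which is where a large share of CTI-driven alert noise comes from.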
These are genuinely valuable uses for automation for this sector; we’ve seen use cases vary over the course of our research, but the most recent findings show that different vertical sectors are identifying the use cases that add the most value for their SOC.
That’s not to say the road to effective cybersecurity automation has been smooth. Ninety-nine percent of CNI cybersecurity professionals surveyed said they’d experienced problems, most commonly through a lack of budget and technology issues. Nevertheless, they are developing KPIs to assess the impact of their investment in automation.
Interestingly, most judge the success of their automation project on the basis of how well they are managing the team in terms of employee satisfaction and retention. This aligns with the fact that in the previous year’s study, CNI respondents said the top challenge facing their organisation was team churn.
Deploying solutions that support team members and keep them with the business has compounding benefits, especially in a sector like CNI where recruitment can be challenging and obtaining security clearances adds to the time needed to onboard new employees. It is certainly better to retain SOC knowledge within the organisation as far as possible, and automation helps elevate analysts’ daily activities beyond the mundane.
The final strand of our research looked at the frequency of cyber threat intelligence (CTI) sharing. Perhaps encouraged by the reporting and sharing requirements of NIS2 and DORA, 99% of CNI organisations say they share threat intelligence in some way, with more than half sharing with direct partners and suppliers, and 48% regularly sharing CTI with others in their industry through an official sharing community.
Cybersecurity automation is an important solution in the CNI sector. If organisations can continue to refine their use cases and develop more sophisticated automation programs, they will see benefits accumulate in terms of not only improved security posture, but also in team satisfaction and employee retention. In an area as important as CNI, this will deliver safety and resilience for citizens, too.