Legacy kit behind vast majority of cyber attacks on utilities
With equipment and software poorly suited to withstand modern cyber threats, organizations need to do more to identify unmanaged or vulnerable systems
More than three-quarters of utilities organizations were hit by cyber attacks involving outdated software or unavailable patches on legacy equipment over the last year.
At 77%, it was the most common type of cyber incident facing the sector, according to Bridewell's Cyber Security in Critical National Infrastructure Report 2026.
And the most common effect was IT disruption or outages, affecting 47% of organizations, despite the fact that 99% of respondents described themselves as resilient after their worst cyber attack.
A further 42% said incidents had resulted in increased cybersecurity spending, while 35% experienced data loss, 34% reported revenue loss, and 32% suffered disruption to production or services.
Supply chain attacks take the longest to respond to, at 9.9 hours on average, followed by data theft or disclosure at 8.4 hours and unauthorized access at 7.6 hours.
The utilities sector is particularly hampered by the need to secure ageing operational technology and infrastructure that weren't designed to withstand modern cyber threats, as critical assets can't be updated or taken offline as easily as traditional IT environments.
"Many of the systems underpinning essential utilities services were designed to operate for decades in environments that were never intended to be connected to modern digital networks," said Sam Thornton, COO at Bridewell.
Beyond legacy infrastructure, phishing and business email compromise remain widespread, affecting 76% of utilities organizations in the past year. Malware affected almost as many, at 74%, while more than seven-in-ten experienced unauthorized system access.
The main concern for utilities organizations is data protection and privacy, cited by 46% of survey respondents. Managing AI-related cyber risk and the ability to quickly detect incidents were close behind, reflecting growing concerns around emerging technologies and increasingly sophisticated attacks.
Utilities organizations also lack confidence when it comes to data breach notification requirements, cited by 42%, cybersecurity measures for data protection at 39%, and third-party due diligence at 38%.
And regulation is now the primary driver of cyber security maturity within the utilities sector, cited by 36% of respondents - ahead of both the evolving threat landscape and customer demand for improved security, and highlighting the growing influence of frameworks and compliance obligations on cyber security investment and decision-making.
"As utilities providers continue to modernize and connect operational systems, managing the gap between legacy infrastructure and modern security requirements is becoming one of the sector's biggest cybersecurity challenges," said Thornton.
Bridewell recommends that utilities organizations improve the visibility of assets across both IT and operational technology environments to identify unmanaged or vulnerable systems.
They should prioritize patch management and vulnerability remediation based on operational risk and criticality, conduct regular incident response exercises to ensure teams can respond effectively during a live cyber incident, and strengthen monitoring and detection capabilities to reduce the time taken to identify and contain threats.
They should also review third-party and supply chain security arrangements to ensure critical partners meet appropriate security standards.
"In the utilities sector, the consequences of a cyber attack extend far beyond IT," said Thornton. "When critical systems are disrupted, the impact can be felt by customers, communities and the wider economy, making cyber resilience a business-critical priority."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
