further work in this area. This will require a new mindset across governments, militaries, private sector operators and regulators. Accompanying the SDR, the UK’s National Security Strategy 2025 also highlights a connection between hostile state activities and critical national infrastructure.


● Regulation: In the US, the Federal Energy Regulation Commission has ordered a refinement of the Critical Infrastructure Protection standard for physical security of the bulk power system, due to evolution of threat. In the EU, the overall regulatory approach is chiefly described in the Critical Entities Resilience Directive (CER), which adopts an “any cause” approach but specifically calls out sabotage and hybrid warfare as threats, acknowledging that physical threats require risk assessment and mitigation alongside approaches for resilience against cyberattack, like NIS2 and the Digital Operational Resilience Act. Since 2018 the UK has had its own version of NIS to improve resilience for essential services. In 2023, regulators for the downstream gas and electricity sector added additional requirements for “Protecting Against Non-Cyber Risks” to the existing Cyber Assessment Framework. The UK’s Cybersecurity Resilience Bill, due to be enacted in 2025, will expand the scope of the NIS, and it is likely that a UK form of the CER will follow. Essentially, energy infrastructure is raising its security game to have a more similar approach to that in place across most civil nuclear security regimes, even if “appropriate and proportionate” security design is different due to non-radioactive outcomes. But the need to assess risk and then produce a plan and maintain it is common to all regulatory approaches.


Assessing threat and risk


Resilience plans need to be based on a clear understanding of both threat and risk. They are not the same thing. A design basis threat, reflective of government agencies’ advice as well as overall government risk appetite, is used by some sectors to determine what a security design should reasonably protect against, in terms of adversary intent, capability, and tactics, techniques and procedures. This approach would be beneficial for all critical sectors, if appropriate expertise is available.


At a strategic level, when making the decision to put effort into resilience planning, likelihood matters less than whether a scenario is applicable and plausible. If the reasonable worst-case impact is high enough to an organisation or country, a resilience plan is required.


Risk assessment and the likelihood of accidents and hazards can be calculated using techniques such as probabilistic safety assessment, essentially an actuarial approach. Cyber risk quantification techniques exist for attacks targeting digital assets. Assessing the likelihood of sabotage by intelligent threat actors targeting tangible assets directly, potentially more than one of them simultaneously, is more problematic.


To date this has required an essentially deterministic approach, in other words, once a design basis threat is agreed, protective security planning is based on a probability factor of the threat materialising of 1.0 (100%). This approach is necessary because an assumed capability side of the threat equation can be countered by engineered resistance and planned responses, and because the intent side is volatile and binary (i.e. an attack will occur or it won’t, so it’s sensible to assume it will). Investment decisions in hardened infrastructure and protective security also need a stable design to enable cost-effective construction and operation.


Risk assessment of impact and vulnerability is where operators of energy infrastructure can make the most valuable headway toward resilience. Impacts can be postulated using digital models and a deep well of engineering knowledge that can simulate systemic risk. The same is true for vulnerabilities. An engineer is less likely to be concerned about whether it’s arson or not, just that there is the potential for fire. Equally, in the cyber domain, a technical vulnerability can be discovered and addressed, whatever the likelihood that any threat actor may choose to exploit it – someone probably will, after all.


Research conducted in 2012 by the US Nuclear Regulatory Commission into SMR security highlights how a “Probabilistic Risk Assessment” approach could dovetail with the traditionally deterministic method to inform SMR security design. Since 2012, protective security has become a component of a wider resilience approach, in which the ability to be more agile in the face of a developing threat landscape has become increasingly important. Advances in open-source intelligence, enhanced by AI, create the possibility of understanding and measuring a changing threat landscape, which can complement the initial and then periodic assessment which influences physical security design. Identifying and measuring potential vulnerabilities and impacts means that this can be translated into a risk assessment. This is especially relevant to private sector operators who will need to provide early warning of specific threats to infrastructure which may require state-level assistance for enhanced deterrence, detection, and response. The combination of continuous threat and risk assessment with cyber risk quantification for operational technology can result in a form of physical risk quantification.


The most effective security and resilience plans will use threat and risk assessments to be clear about the security effects they wish to achieve and will acknowledge interdependencies, trade-offs, and opportunities across safety, security, and operational efficiency, and across the physical and cyber domains. The need to understand both cyber and physical threats in resilience plans is by now very clear. Many operators of critical infrastructure will now also need to plan for how they will interact with public sector civilian and even military response assets, potentially in a multinational environment. They will also have to be clear about how coordinated efforts between different operators and potentially across sectors can address systemic risks. ■


www.neimagazine.com | September 2025 | 31


Above: Many renewable units are centrally controlled by operational technology, which is vulnerable to sabotage

