Government Unveils New Cyber Security Strategy for UK Energy Infrastructure
- Safer Highways

The UK Government has launched a new four-year cyber security strategy designed to strengthen the resilience of the nation's energy infrastructure as the sector undergoes major technological and environmental transformation.
Published on 28 May, the Energy Sector Cyber Security Strategy has been developed jointly by the Department for Energy Security and Net Zero (DESNZ), Ofgem, the National Cyber Security Centre (NCSC) and the National Energy System Operator (NESO). The plan outlines how government and industry will work together between 2026 and 2030 to address growing cyber risks across the electricity, gas and oil sectors.
The strategy highlights a significant increase in cyber threats targeting Critical National Infrastructure (CNI), warning that attacks are becoming increasingly sophisticated and are often linked to state-backed actors. Recent incidents overseas, including an attack on distributed energy resources in Poland during late 2025, are cited as evidence of the growing vulnerability of energy systems amid rising geopolitical tensions.
According to the report, ransomware remains one of the most significant threats facing the sector, while attacks targeting industrial control systems are becoming an increasing concern. The publication also references previous warnings from the NCSC regarding elevated cyber risks affecting the energy, transport and water industries.
The strategy is closely linked to the UK's transition towards a low-carbon energy system, recognising that greater digitalisation and the expansion of renewable generation create both opportunities and new security challenges. To address these risks, the plan focuses on four key priorities:
- Improving understanding of threats and vulnerabilities across the energy system.
- Increasing resilience as the transition to clean energy accelerates.
- Enhancing preparedness, response and recovery capabilities.
- Strengthening monitoring, regulation and enforcement measures.
Alongside technical measures, the strategy highlights the need to improve cyber security culture throughout the sector and address skills shortages, particularly among professionals with both engineering and cyber security expertise, as well as individuals able to obtain security clearance.
As part of the implementation programme, the Government intends to improve its understanding of cyber risks affecting the most critical parts of the energy network before the end of 2026. This will include a cross-industry exercise designed to test responses to a complex cyber attack scenario.
By the end of 2027, work is expected to be underway on expanding cyber resilience frameworks for key infrastructure operators, while the period between 2028 and 2030 will focus on introducing enhanced monitoring and testing capabilities, identifying critical suppliers and establishing baseline cyber resilience standards for gas and electricity organisations.
The strategy builds on existing Network and Information Systems (NIS) regulations introduced in 2018. Under the framework, Ofgem and DESNZ will continue their regulatory roles, supported by technical guidance from the NCSC, while NESO will oversee whole-system coordination and emergency preparedness activities.
The report stresses that cyber security must be treated as a board-level responsibility and describes resilience as essential to maintaining public trust, safeguarding national security and supporting the UK's transition to net zero. The four organisations responsible for delivering the strategy—referred to collectively as the "quad partners"—will work closely with industry to strengthen defences against evolving cyber threats and support a secure, resilient energy system for the future.


