Utilities organisations are facing growing cyber security challenges as they balance operational resilience, regulatory compliance and ageing infrastructure, according to new research from Bridewell’s Cyber Security in Critical National Infrastructure Report 2026.

The research found that 77% of utilities organisations experienced attacks involving outdated software or unavailable patches on legacy equipment in the past year, making it the most common cyber incident facing the sector.

 

Legacy Systems Leave Utilities Exposed

 

The research highlights a growing challenge that is particularly acute within the utilities sector: securing ageing operational technology and infrastructure that was designed to last decades, not to withstand modern cyber threats. More than three-quarters (77%) of utilities organisations reported attacks involving outdated software or unavailable patches on legacy equipment in the past 12 months, making it the most common cyber incident experienced by the sector.

Utilities organisations continue to face a disproportionate exposure to attacks exploiting vulnerabilities in legacy systems, reflecting the reality that many critical assets cannot be updated or taken offline as easily as traditional IT environments.

Beyond legacy infrastructure, phishing and business email compromise remain widespread, affecting 76% of utilities organisations in the past year. Malware affected 74%, while more than seven in ten experienced unauthorised system access, highlighting the breadth of threats facing the sector.

 

Top Cyber Security Challenges

 

The research found that data protection and privacy is now the leading cyber security concern for utilities organisations, cited by 46% of respondents. Managing AI-related cyber risk and the ability to quickly detect incidents closely follow, reflecting growing concerns around emerging technologies and increasingly sophisticated attacks. Utilities organisations are also least confident in data breach notification requirements (cited by 42%), cyber security measures for data protection (39%) and third-party due diligence (38%).

Regulation is now the primary driver of cyber security maturity within the utilities sector, cited by 36% of respondents. This places regulatory requirements ahead of both the evolving threat landscape and customer demand for improved security, highlighting the growing influence of frameworks and compliance obligations on cyber security investment and decision-making.

Time To Respond

 

While 99% of respondents described themselves as resilient after their worst cyber attack, response times still leave room for improvement. Supply chain attacks take the longest to respond to, at 9.9 hours on average, followed by data theft or disclosure at 8.4 hours and unauthorised access at 7.6 hours.

 

Cyber Incidents Continue To Disrupt Operations

 

The consequences of cyber incidents are increasingly operational for utilities organisations. Nearly half (47%) reported IT disruption or outages following an attack, making it the most common impact. A further 42% said incidents had resulted in increased cyber security spending, while 35% experienced data loss, 34% reported revenue loss and 32% suffered disruption to production or services.

“Many of the systems underpinning essential utilities services were designed to operate for decades in environments that were never intended to be connected to modern digital networks,” said Sam Thornton, COO at Bridewell. “It’s therefore significant that 77% of utilities organisations reported attacks involving outdated software or unavailable patches on legacy equipment. As utilities providers continue to modernise and connect operational systems, managing the gap between legacy infrastructure and modern security requirements is becoming one of the sector’s biggest cyber security challenges.”

 

Steps Utilities Organisations Should Prioritise

 

Bridewell recommends that utilities organisations focus on several key areas to strengthen cyber resilience:

  • Improve asset visibility across both IT and operational technology environments to identify unmanaged or vulnerable systems
  • Prioritise patch management and vulnerability remediation based on operational risk and criticality
  • Conduct regular incident response exercises to ensure teams can respond effectively during a live cyber incident
  • Strengthen monitoring and detection capabilities to reduce the time taken to identify and contain threats
  • Review third-party and supply chain security arrangements to ensure critical partners meet appropriate security standards

“In the utilities sector, the consequences of a cyber attack extend far beyond IT. When critical systems are disrupted, the impact can be felt by customers, communities and the wider economy, making cyber resilience a business-critical priority,” Thornton concluded.




