Aboard HMS Belfast: Charting the future of CNI security

HMS Belfast, World War 2 British warship. Floating museum on River Thames London UK.

On a grey morning on 29 January, senior cyber security leaders from across the UK’s Critical National Infrastructure (CNI) gathered aboard HMS Belfast for CNI Sec 2026 – an exclusive, invitation-only forum designed to move beyond theory and into practical action.

Hosted by CIISec Corporate Member, Cyro Cyber, the event attracted decision-makers from CNI sectors including highways, utilities and regulators, creating a rare opportunity for candid, peer-to-peer discussion. The setting – a cruiser still bristling with the operational technology (OT) of its time – provided a fitting backdrop for a day focused on the realities of protecting modern OT environments and the nationally significant systems they support.

 

 

Two clear threads ran throughout the sessions and discussions.

The first was the anticipated impact of the forthcoming Cyber Security and Resilience Bill. The legislation represents a significant shift in the UK’s approach, moving from a narrow sector-based regulatory model to a centrally steered national resilience framework. For CNI operators, this signals increased scrutiny, expanded scope and heightened accountability.

One of the most significant changes will be the formal regulation of supply chain risk. Organisations will be required not only to secure their own systems, but to demonstrate that resilience extends down – and across – complex supplier ecosystems. Smaller suppliers, many of whom may never have considered themselves “critical”, are likely to feel this most acutely. Tight incident reporting windows of 24 to 72 hours, alongside enhanced expectations around risk management and incident handling, could prove challenging for organisations with limited security maturity.

Yet the mood aboard ship was not resistant. Across sectors, the Bill was broadly welcomed. Both highways and water representatives reflected on longstanding difficulties in enforcing standards consistently throughout supply chains. While frameworks such as the Cyber Assessment Framework provide the “how” – the map organisations can follow to improve cyber resilience – legislation will increasingly define the “must”. In effect, it becomes the rule book. The consensus was that this regulatory uplift will help shift cyber risk firmly into the realm of business risk, not simply a CNI compliance issue.

The second thread woven through the day was the inseparability of cyber and physical security.

CNI operations almost always span multiple sites – many of them remote, lightly staffed, or housing ageing tech. In highways, for example, thousands of roadside technology cabinets underpin the systems relied upon to keep traffic flowing and road users safe. In water, a single incident at a treatment plant can disrupt supply to an entire town. Legacy equipment, dispersed infrastructure and constrained operational budgets all combine to create complex risk landscapes.

Speakers challenged attendees to reflect on how often CISOs personally visit remote sites. Do they speak with those responsible for on-site physical security? Do they see how easily access controls might be bypassed – how a person wearing a high-visibility vest can quite literally open doors, or how a plastic ID card from another office might secure an all-access pass with minimal scrutiny?

The message was clear: if security is treated in silos, vulnerabilities will persist in the gaps between them.

There was also discussion of insider threat – not only malicious intent, but the risks created by coercion, complacency or social engineering. If an environment is too difficult to penetrate from the outside, an adversary may simply seek to recruit someone within. It served as a reminder that resilience depends as much on culture and awareness as it does on technical controls.

Encouragingly, collaboration emerged as a consistent strength, with organisations describing healthy information sharing and close working relationships with trusted vendors who understand the operational realities of their industries. That collective mindset will be critical as the regulatory environment evolves.

CNI Sec will be returning in January 2027 in a new, bigger venue. If you are a senior cyber leader operating within the CNI sector, contact laura.reilly@cyro.uk to register your early interest.
