The Cyber Security & Resilience Bill will demand evidence. This is a particular challenge for critical national infrastructure (CNI) organisations, which face additional issues in legacy operational technology (OT) and established industrial systems; such as:
• Difficult to receive vendor patches
• Lack of built-in cyber security
• Deeply integrated with critical processes
• Must remain operational 24/7
This comes at a time when the National Cyber Security Centre, says critical cyber attacks are up. It ‘dealt with 204 ‘nationally significant’ cyber attacks against the UK in the 12 months to August 2025 – a sharp rise from 89 in the previous year’. For critical national infrastructure organisations, breaches are direct risk to national security, service continuity, and stakeholder confidence.
But rip-and-replace is not an option for the critical networks that support the country’s growth and movement. So rather than replacing these systems, which is costly and disruptive, we recommend wrapping modern security around legacy gear. Here’s how that can work:
Map the extent of your system
It’s important to scrutinise existing controls and processes first. Where are they? What needs updating? What’s already monitored and isolated. Where are the weak points? Let’s make the current procedures and controls actually work in practice.
Involve the team
Devise a security management plan and bring together a working group. Perhaps appoint some independent advisors, as well as cyber security experts. Create a schedule for reporting.
Enclose legacy components within a secure layer
It’s possible to use bespoke tools to encapsulate and protect outdated hardware/software. This adds a cyber-hardened layer without interfering with operations.
Add external security controls
Implement modern controls, which can compensate for the controls the system lacks, such as:
- Secure access management
- Continuous monitoring
- Centralised configuration and vulnerability management
Ensure zero downtime
Crucial for essential services and critical networks, as they cannot just shut off the service. Solutions should integrate seamlessly with existing infrastructure, avoiding costly upgrades and minimising downtime. Security improvements should never require taking systems offline.
Centralise visibility and response
Bring all assets, old and new, under a unified management platform. This enables:
- Real-time monitoring
- Co-ordinated defensive response
- Simplified compliance reporting
These processes will also help with the evidence side of the new Act.
Apply secure-by-design principles
Lock down communication between systems and enforce least-privilege access. This reduces attack surfaces and limits who can interact with critical components. This is particularly important when bringing operational technology (OT) into the critical network. The aim is to limit access to or from OT systems based on operational need, and then segmenting that access to prevent unnecessary exposure. This will also ensure IT and OT systems remain autonomous, which will help to avoid issues like the Jaguar Land Rover hack.
Future-proof without full replacement
Extend the lifespan of legacy systems by bringing them into a cyber-assured environment. This approach avoids wholesale rip-and-replace while preparing for evolving threats.
Create evidence
The CS&R Act will require evidence of your security processes, not just self-assessment. Rather than just show you have the tool, there is now a requirement to prove it works in practice. To do this, start with a testing programme for the systems you already have. Develop a schedule for cyber incident exercises (CIEs) and monitor the results. Also use your existing compliance networks to accelerate the Cyber Assessment Framework (CAF).
It’s not that CNIs haven’t invested in cyber security. The technology is often there, but it’s not being properly used, or the processes stringently applied. It’s not enough to plug in an advanced threat detection solution, or tick an ISO box and assume you’re covered. Legacy systems are complex and there’s always something that needs attention and probably an upgrade.
The Cyber Security & Resilience Bill will demand evidence, which will be enforced by the Cyber Assessment Framework. Our approach is to use modern security layered over legacy OT. This will ensure resilience, compliance, and operational continuity. Let’s make 2026 the year you prove the organisation can endure a cyber attack.