Cyber attacks are ‘unavoidable’… how do utilities cope?

The UK Utilities Risk Report 2026 - produced by Utility Week in association with Marsh - again puts cybersecurity at the top of the list of threats to the country's critical infrastructure, but now with a growing realisation that resilience in the face of an attack is as important as fending off the attack in the first place.

By Tom Idle, features writer, Utility Week

For years, utility companies approached cybersecurity largely as a challenge of prevention. The priority was to strengthen defences, close vulnerabilities and stop attackers breaching systems in the first place. But a strikingly different mindset is emerging. During a recent webinar discussing the findings of the UK Utilities Risk Report 2026, senior leaders across the water and energy sectors were in agreement that preventing all major cyber attacks was no longer a realistic option.

Instead, utilities are beginning to focus on a far more difficult question: how do we keep essential services operating when disruption happens?

That subtle but important shift – from cyber prevention towards cyber resilience and recovery – was the defining theme of the discussion hosted by Utility Week in association with Marsh. It also runs through a new spin-off Risk Report delving into the number one risk from this year's survey. Both reveal the growing concern that the sector is entering a fundamentally different era of risk, shaped by escalating geopolitical tensions, increasingly sophisticated AI-driven attacks and rapidly expanding digital interconnectivity.

As Bronwyn Bullen, head of organisational resilience at UK Power Networks, said, the challenge is no longer simply about trying to stop attacks altogether. “The national conversation has shifted toward one of disruption and resilience. Rather than organisations having to try and prevent attacks altogether, there’s an expectation that organisations are ready to be able to respond to these and continue to perform and function. That’s a material change from a few years ago,” she said.

A question of survival

That evolving attitude reflects the sheer pace at which the threat landscape is changing. The latest UK Utilities Risk Report showed cybersecurity not only retained its position as the sector’s biggest concern, but significantly widened its lead over all other risks. Across the webinar discussion, there was broad agreement that utilities are now operating in a more exposed environment than at any point in recent years. Part of that is being driven by the growing sophistication of cyber criminals themselves.

Bullen pointed to threat intelligence data showing energy and utilities featured in 43% of cyber campaigns tracked by external analysts in 2026, compared with just 13% the previous year. The sharp increase underlines how attractive critical national infrastructure has become as a target, particularly given the potential for real-world disruption. “There is a huge amount of interest,” she warned.

Artificial intelligence is also rapidly changing both the scale and speed of cyber threats. Rather than relying solely on human actors manually probing systems for weaknesses, attackers are increasingly using AI tools capable of scanning, identifying and exploiting vulnerabilities at extraordinary speed. “AI is accelerating the existing weaknesses within organisations,” explained Bullen. “Where previously you may have had a human trying to exploit vulnerabilities, AI can now do this at a speed and a scale that humans simply cannot replicate.” She pointed to a recent cyber attack against the Mexican government, where hackers reportedly used AI tools to sift through huge volumes of information and identify valuable targets. The concern for utilities is that this type of capability is no longer theoretical; it is already beginning to reshape how attacks are carried out in practice.

For energy retailers, the operational implications of a successful attack are particularly acute because of the sector’s reliance on real-time digital systems and continuous customer transactions. Bill Bullen, chief executive of Utilita, said retailers have almost no margin for disruption if critical systems are compromised. “We don’t have any time to respond to these things,” he said. “It’s that brutal; that quick.” He also suggested the emergence of increasingly advanced AI models could expose weaknesses companies themselves may not yet fully understand.

Prepare to fail

Coupled with the growing severity of a cyber attack is the acceptance that even the strongest of defences can be breached. The panel largely suggested utilities now need to think less in terms of creating impenetrable barriers and more in terms of ensuring operational continuity under extreme disruption.

For Tim Charlesworth, head of economic regulation and strategy at South East Water, that means asking difficult operational questions that many companies may not previously have considered necessary. “We’ve very much been focused on defence,” he said. “I do wonder whether we also need to think about recovery.”

Charlesworth argued utilities may need to revisit assumptions around digitisation and automation, particularly in sectors such as water where uninterrupted service is essential to public health and economic activity. “Can you operate a water treatment plant manually? If you send ten people to a site, can they turn the pumps on?”

His comments reflect a growing recognition that resilience may increasingly depend on maintaining fallback capabilities in the event digital systems become unavailable. For water companies in particular, the consequences of prolonged cyber disruption could be severe. “If you take a whole water company out, you will start to have a serious problem with drinking water – and there is no way it will be able to provide bottled water to its customers,” Charlesworth warned.

Charlesworth’s comments reflect a wider point about how cyber risk is no longer viewed simply as a technical or IT issue, but as a wider operational and societal resilience challenge. This is amplified as utilities become more dependent on interconnected digital systems, third-party suppliers and cloud-based infrastructure at precisely the same time that cyber threats are becoming more sophisticated and aggressive.

Bronwyn Bullen argued this interconnectedness creates significant cascading vulnerabilities across critical infrastructure. “All it takes is one compromised supplier to have a significant knock-on effect,” she said, citing the CrowdStrike outage as an example of how reliant organisations have become on common technology providers and interconnected digital systems. Even incidents that are not malicious can expose how quickly disruption can spread across multiple sectors and organisations simultaneously. “We are exposed to whatever weaknesses and vulnerabilities they have,” she said.

That growing complexity is forcing utilities to rethink resilience in much broader organisational terms. Cyber preparedness can no longer sit solely within IT functions; instead, companies increasingly need what Bullen describes as a “whole systems approach” combining operational resilience, cyber preparedness, supply chain management and business continuity planning.


Affordability pressures complicate resilience planning

Alongside cyber concerns, the webinar also revealed how wider pressures around affordability, regulation and public trust are compounding operational challenges for utilities. The report found policy and regulatory risks now account for three of the top five overall concerns facing the sector. The webinar panelists suggested this reflects growing anxiety over whether utilities can realistically deliver the scale of investment required across infrastructure, resilience and decarbonisation while affordability pressures continue intensifying.

For energy retailers, those pressures are felt firsthand. Bill Bullen argued the sector is now grappling with a structural affordability crisis driven not simply by energy costs themselves, but by wider economic hardship affecting households. “We have a problem of poverty that shows itself in energy,” he said.

Customer debt pressures ranked among the highest risks facing retailers in the report, with Bullen warning the scale of unpaid debt is becoming increasingly unsustainable for suppliers. “The level of debt the industry is carrying now has gone beyond what we can afford,” he said.

Within the water sector, meanwhile, Charlesworth argued underinvestment itself represents one of the greatest long-term threats to resilience. “My worst-case scenario is actually that nothing changes,” he said. “The industry has been underfunded, and the rate of investment is not sustainable.”

He warned that climate change, housing growth and rising water demand are steadily increasing pressure on infrastructure, particularly in the South East of England where water stress is already severe. Yet despite those challenges, political reluctance to increase customer bills continues to constrain investment decisions. “It is never in customers’ interests to underfund the water industry; all that does is kick the problem down the road.”

Workforce challenge

The webinar panelists also repeatedly raised the growing strain facing utility workforces. Several speakers described increasingly hostile public attitudes toward the sector, particularly within water, where executives and staff are facing heightened scrutiny and criticism.

Charlesworth said that companies are now advising employees not to discuss where they work in public settings. Bill Bullen described similar experiences within energy retail, saying companies are increasingly dealing with direct hostility from members of the public. “We regularly have people turn up at our office,” he said.

These pressures are emerging at the same time utilities are trying to recruit new skills in cyber resilience, digital infrastructure and systems thinking, creating growing concern over whether the sector can attract the expertise it will require.

By the end of the discussion, one conclusion appeared clear: utilities are no longer treating cyber disruption as a remote or exceptional event. Instead, many leaders increasingly view it as an inevitable operating reality that organisations must be prepared to withstand.

For Carl Ratcliffe, utilities leader at Marsh, the conversation illustrated how rapidly utility risks are evolving and overlapping. “The key takeaway for me is the interconnectivity of these risks,” he concluded.

But perhaps the most important shift revealed during the webinar was even more fundamental than that. Increasingly, utilities appear to believe resilience will depend less on preventing disruption entirely and more on whether essential services can continue functioning when disruption inevitably arrives.
