CYBER-PHYSICAL

Cyber-physical risk in critical infrastructure is now being written into consultation papers, board minutes and insurance wordings, as regulators, operators and insurers confront a central question: what happens when an attack that starts in a network ends by turning off the lights, stopping the trains or destabilising the grid?

In January, Ofgem and the Department for Energy Security and Net Zero signalled a shift in how the UK thinks about cyber risk in energy. In a joint blog on futureproofing cyber regulation, they point out that the Network and Information Systems regulations were designed nearly a decade ago, before today’s distributed, digitised energy system took shape. The result, they concede, is that many organisations that will play a major role in the future energy system are not in scope of formal regulatory requirements.

That admission underpins a new consultation on reshaping cyber regulation in downstream gas and electricity, which proposes baseline cyber requirements for all Ofgem licensees, not just the operators deemed ‘essential’ under NIS. The aim, in the government’s own words, is “to ensure cyber is on everyone’s agenda and introduce a consistent cyber starting point for the energy system”. It marks a move away from a narrow focus on a handful of critical operators towards a whole‑system view of resilience and aggregation.

The consultation – which closed in May 2026 – also floated expanding the scope of NIS by revisiting the thresholds and services that qualify as essential. That matters for cyber‑physical risk because grid stability increasingly depends on smaller players – aggregators, flexible demand providers and storage operators – whose failure may not look dramatic individually but could, in combination, significantly stress the system. Ofgem and DESNZ are effectively acknowledging that the perimeter drawn in 2018 no longer matches the way electricity is produced and moved today.

This broader approach sits behind the formation of the Energy Cyber Quad, a partnership between Ofgem, DESNZ, the National Energy System Operator and the National Cyber Security Centre. Its aim is to strengthen resilience through baseline requirements for all licensees, alongside proportionate expectations for the most significant operators. For risk managers, the signal is clear: cyber-physical risk is becoming a regulatory expectation, not just a technical issue.

If Ofgem’s language is measured, NCSC’s recent messaging to critical national infrastructure operators has been blunt. In February, the centre issued an alert urging CNI providers to “act now” to prepare for severe cyber threats, defined as “a deliberate and highly disruptive or destructive cyber attack”. Jonathan Ellison, NCSC’s director for national resilience, added that such an attack “may sound far‑fetched, but we know it’s not”.

In a paper for the World Economic Forum, Robert Lee, CEO of Dragos, said: “An adversary who can infiltrate critical infrastructure networks undetected gains plausible deniability. As systems become more complex, we don’t always know whether disruption is caused by maintenance, misconfiguration or a cyber attack – yet too often, the answer is: ‘We don’t know.’”

The guidance that accompanies these warnings is not glamorous. It focuses on patching vulnerabilities, strengthening access controls, segmenting networks and making infrastructure secure by design. It also stresses strong resilience and recovery plans, to reduce both the chances of an attack succeeding and the impact if one does. Taken together with the Ofgem/DESNZ consultation, the message is that cyber‑physical risk is being handled as a blend of basic hygiene and scenario‑driven resilience, not as a problem that can be outsourced to a single tool or policy.

Transport faces similar pressures. The Department for Transport’s Cyber Risk and Threat Quarterly highlights ransomware, state-linked activity and supply chain vulnerabilities, underlining reliance on fragile digital ecosystems.

Bridewell’s Cyber Security in Critical National Infrastructure Organisations 2026 report found that 93 per cent of CNI organisations experienced a cyber attack in the past year. Regulation has become the number‑one driver for maturing cyber security programmes, with AI‑related cyber risk entering the top five challenges for the first time. It also found that cloud environments are now the most common attack entry point.

Abstract risk no more

The operational consequences are not abstract. Bridewell’s research indicates that half of organisations report IT disruption or outage following incidents and nearly one‑third report revenue loss. For boards and insurers, that is a tangible link between cyber events and business interruption, even when they stop short of causing visible physical damage.

Munich Re’s March 2026 cyber outlook warns that risks are intensifying amid geopolitical, technological and economic pressures. It notes that hyperconnectivity and reliance on a small number of cloud providers, telecoms carriers and software platforms have created mono‑structures whose failure could trigger large correlated losses. That, in turn, demands accumulation modelling and potential adjustments to budgets and risk appetite.

It also identifies physical AI and robotics as an emerging exposure. Malware or remote hijacking of connected systems could lead to bodily injury, property damage or production shutdowns. As automation expands across energy and transport, these risks become not just engineering challenges but underwriting ones.

Brokers and specialty carriers are confronting a fundamental question: which policies respond when cyber events cause physical damage or extended downtime? Lockton argues that traditional property, casualty and management liability policies were not designed for cyber-driven losses. Gaps commonly arise around non-physical damage, bodily injury, executive liability and social engineering. For energy clients, the broker recommends detailed reviews of whether property damage, system failure, failure to supply and restart costs are explicitly covered or excluded.

This reflects the industry’s broader effort to address silent cyber. Regulators have pushed insurers to clarify whether traditional policies include or exclude cyber-related losses, rather than leaving coverage to be disputed post-event. While this has increased transparency, it has often resulted in narrower, more explicitly defined coverage.

Efforts to quantify cyber-physical risk are also advancing. The 2025 OT Security Financial Risk Report by Dragos estimates that a typical year of OT-related incidents generates around US$31.1bn in financial risk, driven largely by business interruption and equipment damage. In a severe but plausible scenario, with a 0.4 per cent annual probability, losses could reach US$329.5bn once indirect impacts are included.

Such modelling is helping translate technical risk into financial terms, linking specific controls to measurable reductions in expected loss and providing a clearer basis for investment and insurance decisions. Aon notes that cyber attacks and data breaches remain the top enterprise risk through 2026, and that AI‑driven, systemic events are pushing cyber risk fully into the boardroom. Adam Peckman, Aon’s global cyber risk consulting leader for APAC, said: “There is a multiplier effect with AI that allows bad actors to wage asymmetrical warfare against companies. Threat actors can weaponise the latest vulnerabilities quickly and deploy them at scale, without significant investment in people or computing power.”

Aon’s prescription leans heavily on resilience: zero‑trust and least‑privilege access, robust identity management, tested backups and recovery, rehearsed incident response playbooks, and data‑driven cyber risk quantification, supported by tailored cyber insurance and alternative risk transfer solutions.

The underlying message is that insurer and broker communities are effectively telling CNI operators the same thing that regulators are: controls and governance now sit on the same continuum as capital and coverage.

Maurizio Gobbato, head of cyber catastrophe modelling at Guidewire, points to two emerging challenges. First is correlation: cyber losses are no longer independent, but shaped by shared technology stacks, service providers and regulatory environments, creating systemic exposure across insureds.

“Modelling firms also need to embed coordinated, sector-wide attacks more explicitly,” he added, noting these offer attackers a scalable way to generate correlated disruption. “We expect this risk to grow further as large language models lower the cost of vulnerability discovery and accelerate exploitation.”

He adds that models must better capture upstream dependencies, both digital and physical, that can propagate disruption downstream. “Dependencies on cloud providers and core technologies remain important, but are no longer sufficient,” he said. “The next step is to include upstream vendors whose disruption could transmit both digital and physical impacts. The transition from digital dependency to physical supply chain disruption is a critical element in cyber catastrophe modelling.”
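The accumulation point made by Munich Re and Gobbato, and the loss-exceedance figures quoted from the Dragos report, are easier to grasp with a small worked model. The Python script below is an added illustration, not a model from Dragos, Munich Re, Guidewire or Aon (whose methods are not described here). It builds a toy book of 200 insureds that each rely on one of three shared upstream providers, then compares the annual loss distribution under a naive independence assumption with the same book once a provider outage is allowed to hit every dependent at once. The portfolio, the round-robin provider assignment and every probability and loss figure are constructed for the example; the 0.4 per cent exceedance level mirrors the scenario probability cited above.

```python
"""Toy accumulation model: independent incidents versus a shared upstream dependency.

Added illustration for this article; not a model from Dragos, Munich Re, Guidewire or Aon.
Every parameter, the book of insureds and the provider assignment are constructed.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Portfolio:
    n_insureds: int            # insureds (e.g. CNI operators) in the book
    n_providers: int           # shared upstream providers (cloud, telecoms, key vendor)
    p_idiosyncratic: float     # annual probability of an insured's own incident
    q_provider: float          # annual probability a provider suffers a disruptive outage
    loss_per_incident: float   # business-interruption loss per affected insured (arbitrary units)


def marginal_incident_probability(pf: Portfolio) -> float:
    """Chance one insured is hit in a year: its own incident, or its provider going down."""
    return 1.0 - (1.0 - pf.p_idiosyncratic) * (1.0 - pf.q_provider)


def expected_annual_loss(pf: Portfolio) -> float:
    """Closed-form expected annual loss. Correlation leaves this unchanged; it only moves the tail."""
    return pf.n_insureds * marginal_incident_probability(pf) * pf.loss_per_incident


def control_benefit(pf: Portfolio, p_after_control: float) -> float:
    """Reduction in expected annual loss from a control that lowers the idiosyncratic probability."""
    hardened = Portfolio(pf.n_insureds, pf.n_providers, p_after_control,
                         pf.q_provider, pf.loss_per_incident)
    return expected_annual_loss(pf) - expected_annual_loss(hardened)


def simulate_annual_losses(pf: Portfolio, years: int, seed: int, correlated: bool) -> list[float]:
    """Monte Carlo annual losses. correlated=False keeps the same marginal probability per
    insured but drops the shared cause, which is what an independence assumption does silently."""
    rng = random.Random(seed)
    provider_of = [i % pf.n_providers for i in range(pf.n_insureds)]  # constructed assignment
    p_marg = marginal_incident_probability(pf)
    losses = []
    for _ in range(years):
        if correlated:
            provider_down = [rng.random() < pf.q_provider for _ in range(pf.n_providers)]
            hit = sum(1 for i in range(pf.n_insureds)
                      if provider_down[provider_of[i]] or rng.random() < pf.p_idiosyncratic)
        else:
            hit = sum(1 for _ in range(pf.n_insureds) if rng.random() < p_marg)
        losses.append(hit * pf.loss_per_incident)
    return losses


def tail_loss(losses: list[float], exceedance_probability: float) -> float:
    """Loss exceeded with the given annual probability (0.004 is a 1-in-250-year level)."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int((1.0 - exceedance_probability) * len(ordered)))
    return ordered[idx]


def compare(pf: Portfolio, years: int = 10_000, seed: int = 7, exceedance: float = 0.004) -> dict:
    """Expected loss and tail loss with and without the shared dependency modelled."""
    ind = simulate_annual_losses(pf, years, seed, correlated=False)
    cor = simulate_annual_losses(pf, years, seed, correlated=True)
    return {
        "expected_closed_form": expected_annual_loss(pf),
        "mean_independent": sum(ind) / years,
        "mean_correlated": sum(cor) / years,
        "tail_independent": tail_loss(ind, exceedance),
        "tail_correlated": tail_loss(cor, exceedance),
    }


# Constructed book: 200 insureds, three shared providers, one loss unit per affected insured.
BOOK = Portfolio(n_insureds=200, n_providers=3, p_idiosyncratic=0.03,
                 q_provider=0.02, loss_per_incident=1.0)

if __name__ == "__main__":
    for name, value in compare(BOOK).items():
        print(f"{name:>22}: {value:8.2f}")
    print(f"control lowering p from 0.03 to 0.015 saves "
          f"{control_benefit(BOOK, 0.015):.2f} per year in expected loss")
```

Two things fall out of running it. The expected annual loss is the same in both runs, because the marginal probability per insured was held fixed, so a model that only reports expected loss cannot tell the two worlds apart; the loss at the 0.4 per cent exceedance level, by contrast, is several times higher once the shared provider is modelled, which is precisely the correlated tail that accumulation modelling exists to capture. The control_benefit figure is the simplest form of the control-to-loss link the Dragos and Aon material describes: halving the idiosyncratic incident probability buys a measurable reduction in expected loss, but does nothing for the provider-driven tail, which only a change in dependencies or an explicit risk transfer can address.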

Taken together, these developments point to a fundamental shift. Cyber-physical risk in critical infrastructure is no longer confined to technical teams. Regulators are expanding oversight to embed baseline resilience across systems, insurers are refining models to capture systemic exposure, and policy wordings are evolving to reflect physical consequences.

The practical question is how to navigate this convergence. The emerging answer looks much less like a silver bullet and more like a portfolio of protection: credible baseline controls, realistic scenarios that acknowledge aggregation, quantification that links controls to loss and, crucially, insurance structures that accept the cyber‑physical tail without pretending it can be wished away.


