Security for Critical National Infrastructure Operators | CloseProtectionHire


Security guide for CNI operators and senior executives in energy, water, transport, and telecoms. Covers NPSA guidance, NIS2 Directive, Colonial Pipeline, Ukraine power grid attack, Metcalf sniper incident, and insider threat.

12 May 2026

Written by James Whitfield, Senior Security Consultant

Critical national infrastructure operators are among the highest-priority targets in the global threat environment. They are targeted by nation-states for intelligence collection and pre-positioning for future disruption, by serious organised crime for financial extortion, and by politically motivated groups for the symbolic and operational impact of infrastructure disruption. The executives who lead these organisations – and the operational staff who run the systems that keep electricity flowing, water running, and fuel moving – carry a threat profile that requires a specifically calibrated security response.

The UK designates thirteen CNI sectors: energy, transport, water, health, food, defence, government, telecoms, finance, emergency services, civil nuclear, space, and chemicals. The National Protective Security Authority (NPSA, formerly the Centre for the Protection of National Infrastructure until 2023) publishes protective security guidance for these sectors and their personnel. The threat environment has not remained static since NPSA’s predecessor published its first guidance: the Metcalf substation attack of 2013, the Ukraine power grid attack of 2015, and the Colonial Pipeline ransomware of 2021 each defined a new capability threshold in the CNI threat landscape.

The Physical Threat: Metcalf and the Standoff Attack Model

The Metcalf Transmission Substation attack of 16 April 2013 remains the most significant physical attack on US electrical infrastructure in history. Attackers cut underground fibre optic cables to disable telecommunications, then fired an estimated 100 rounds from rifles at the substation’s transformers from a position off the adjacent road. Seventeen transformers were disabled. The attack lasted less than 20 minutes before the attackers withdrew. No perpetrators were identified.

The Federal Energy Regulatory Commission (FERC) vulnerability assessment prompted by Metcalf (2014) is classified, but testimony to Congress confirmed that a coordinated attack on a small number of specifically identified transmission substations could destabilise the US grid. NERC CIP-014-2, the Physical Security Standard for bulk electric systems, was a direct regulatory response, requiring high-impact transmission stations to conduct site-specific physical security risk assessments and implement approved security plans.

The Metcalf security planning implications for CNI physical security:

  • Standoff attack capability must be incorporated into perimeter security threat assessment – not just intrusion-based attack
  • Telecommunications cutting as a precursor to physical attack is a documented methodology requiring a telecommunications resilience response
  • Response time from attack initiation to security forces arrival at an isolated substation was insufficient to prevent significant damage; this defines the protective value of remote monitoring, early detection, and expedited emergency service protocols

The Cyber-Physical Threat: Colonial Pipeline and Ukraine

Colonial Pipeline (May 2021). DarkSide accessed Colonial’s IT network through a compromised VPN credential, reportedly obtained from a previous data breach. Colonial shut down 5,500 miles of pipeline as a precautionary measure, creating fuel shortages affecting six US states and four days of declared state emergencies. Colonial paid USD 4.4 million in Bitcoin; DOJ recovered approximately USD 2.3 million. The attack required no sophisticated technical capability – the credential was the entire initial access.

Ukraine power grid (December 2015). The SANS ICS report documented the BlackEnergy malware attack on three Ukrainian regional electricity distribution companies. Staff received spear-phishing emails containing infected Microsoft Office attachments. The malware established remote access to SCADA systems, enabled the attackers to open circuit breakers at substations, and deployed KillDisk to destroy forensic evidence and impede recovery. 230,000 customers lost power for between one and six hours.

Both attacks share the human vector as initial access. Credential compromise, spear-phishing, and social engineering are the entry points. The convergence of corporate IT networks with operational technology (OT) systems – the condition that allowed remote access to SCADA from a corporate email compromise – is the architectural condition that converts a standard cyber intrusion into critical infrastructure disruption.

The CISA/FBI/NSA joint advisory on insider threats to CNI (2021) identifies the human component as the most common initial access pathway. Personnel security measures are the most cost-effective mitigation at this entry point.

The Regulatory Framework

NIS Regulations 2018 (UK) apply to operators of essential services in energy, transport, water, health, and digital infrastructure. Requirements include: implementing appropriate technical and organisational security measures, taking preventive action against incidents, and notifying the relevant competent authority of significant incidents. Competent authorities include OFCOM (telecoms), Ofgem (energy), DHSC (health), and others.

NIS2 Directive (EU, 2022/2555, effective October 2024) expands scope to additional sectors and introduces board-level governance obligations. Senior management is required to approve cybersecurity risk management measures, oversee their implementation, and can be held personally liable for infringements. This is a material change from the NIS1 framework: board members at CNI operators now have a personal governance obligation, not just a delegated responsibility.

The UK Cyber Security and Resilience Bill (announced King’s Speech 2024) will implement UK-equivalent NIS2 obligations. For UK CNI executives, the direction of travel is increased personal accountability for security governance outcomes.

NERC CIP Standards (North American Electric Reliability Corporation Critical Infrastructure Protection) apply specifically to the bulk electric system and represent the most detailed mandatory security framework in any CNI sector. CIP-014-2 (Physical Security) and CIP-013-1 (Supply Chain Risk Management) are the most operationally significant for physical and personnel security planning.

Personnel Security and Insider Threat

The NPSA Personnel Security guidance 2024 addresses the specific insider threat profile for CNI. Foreign intelligence services conduct long-term cultivation of CNI employees – identifying targets through professional networks, LinkedIn, and conference attendance; building relationships over months or years; and exploiting financial, personal, or ideological vulnerabilities before making an explicit ask.

The cultivation target is access information: security architecture, staff schedules, credential details, or operational procedures that enable a subsequent external attack. The CISA 2021 advisory documents this pattern specifically for US CNI and attributes it primarily to PRC, Russian, and Iranian state actors.

The personnel security programme appropriate for CNI operators includes:

  • Pre-employment vetting to BS 7858:2019 baseline, with enhanced vetting for operational and security-architecture roles
  • Periodic re-vetting on a risk-based cycle for roles with continuing access to critical systems
  • A staff behavioural awareness programme covering what intelligence cultivation approaches look like and how to report them
  • A clear, confidential reporting mechanism managed outside line management for staff who believe they have been approached
  • A documented insider threat response procedure

For the wider corporate security programme that CNI personnel security sits within, see the related article on corporate crisis management and security incidents. For the physical-cyber convergence that the Colonial Pipeline and Ukraine attacks demonstrate, and the security architecture implications for organisations where IT and OT systems connect, see the physical and cyber security convergence guide.


James Whitfield is a Senior Security Consultant with 20 years of experience in executive protection, threat assessment, and corporate security across the UK and internationally.

Summary

Key takeaways

1. Colonial Pipeline demonstrates that a single compromised credential can shut down critical national infrastructure serving 50 million people

The May 2021 Colonial Pipeline attack, initiated through a compromised VPN credential, triggered the shutdown of a pipeline supplying 45% of US East Coast fuel and caused shortages across six states. The attack required no physical access, no sophisticated technical capability beyond purchasing a credential on a darknet market, and no insider action. The human vector – a credential compromised through a previous data breach – was the sole initial access pathway. Credential hygiene, multi-factor authentication, and regular credential rotation are the specific controls that would have defeated this attack.

2. FERC 2014 identified 9 US transmission substations where simultaneous attack could destabilise the national grid – Metcalf defined the physical scenario

The Federal Energy Regulatory Commission's 2014 vulnerability assessment, prompted by the Metcalf attack, concluded that a coordinated attack on a small number of critical transmission substations could interrupt stable US national grid operation. The Metcalf attack itself demonstrated that physical infrastructure can be damaged from a standoff distance with publicly available equipment by attackers who understand the facility's security architecture. NERC CIP-014-2 requires high-impact substations to conduct physical security risk assessments; those assessments must address the Metcalf scenario specifically.

3. NIS2 and the UK Cyber Security and Resilience Bill create board-level personal accountability for CNI security governance

The EU NIS2 Directive (effective October 2024) and the UK's equivalent in development both introduce board-level governance obligations for CNI operators – requirements that senior management have documented responsibility for cybersecurity governance, that training obligations apply to board members, and that governance failures which lead to significant incidents create personal liability. Senior CNI executives are no longer in a position to treat security governance as delegated to a CISO or security team. The personal liability dimension is a material change to the executive risk profile.

4. State-sponsored insider cultivation operates over extended timescales and targets conference and professional network contacts

NPSA and CISA advisory material documents that foreign intelligence services cultivate CNI insiders over months or years, building relationships through professional events, LinkedIn, and academic or industry networks before making any explicit approach. The cultivation period is designed to create familiarity and reciprocity before any ask is made. CNI staff in roles with access to operational or security-architecture information who receive unusual personal attention from previously unknown contacts – particularly at international conferences or in online professional groups – should have a reporting mechanism and a trained point of contact for assessing whether the contact represents an intelligence approach.

5. The Ukraine 2015 power grid attack defined the cyber-physical convergence threat at national scale

The December 2015 BlackEnergy attack on Ukrainian power distribution companies – the first documented cyber attack to interrupt electrical supply at national scale – demonstrated that industrial control systems connected to corporate IT networks are accessible through the same spear-phishing and credential theft vectors used in standard corporate cyberattacks. The 230,000 customers who lost power did so because a malware payload delivered to corporate email accounts eventually reached operational technology (OT) systems. The air-gap between IT and OT systems, where it exists, is the single most effective control against this attack category.

Frequently Asked Questions

Senior executives at critical national infrastructure (CNI) operators – energy companies, water utilities, transport operators, telecoms providers, and financial market infrastructure – face a threat profile that combines the standard corporate executive risk categories with specific threat actors motivated by the organisation’s critical role. The NPSA (National Protective Security Authority, formerly CPNI until 2023) Personnel Security guidance 2024 identifies three primary threat categories for CNI personnel: state-sponsored targeting (foreign intelligence services seeking to cultivate, recruit, or coerce individuals with access to CNI operational systems or security architecture); serious and organised crime (targeting of CNI operators for extortion, blackmail, or disruption leverage, as documented in the Colonial Pipeline DarkSide ransomware incident of May 2021, where the personal threat to executives was a component of the coercion model); and domestic extremism (targeting of CNI executives by environmental, anti-capitalist, or politically motivated groups, documented in actions against energy sector executives in the UK, Germany, and the Netherlands between 2022 and 2024). The personal security measures for CNI executives are calibrated to this specific threat mix: residential security that addresses state-surveillance capability (not just opportunistic intrusion); communications security aligned to NCSC guidance on protecting sensitive information; travel security that includes counterintelligence awareness for business travel to state-actor markets; and a continuous threat assessment function that monitors for indicators of targeting rather than waiting for an overt approach.

On 16 April 2013, unknown attackers cut underground telecommunications cables at PG&E’s Metcalf Transmission Substation near San Jose, California, and then opened fire with rifles on the substation’s high-voltage transformers, disabling 17 transformer units and causing approximately USD 15 million in damage. Power was rerouted to prevent a wider outage. The Federal Energy Regulatory Commission (FERC) conducted a vulnerability assessment in 2014 that concluded a simultaneous, coordinated attack on a small number of critical transmission substations (it assessed the figure at 9 specific substations) could destabilise the entire US national grid. No perpetrators were identified. The Metcalf attack demonstrates: large-scale physical infrastructure can be damaged or destroyed from a standoff distance using widely available equipment; the attack preparation (cutting telecommunications to prevent real-time alarm response) showed sophisticated understanding of the facility’s security architecture; and the response time from attack initiation to arrival of security forces was insufficient to prevent significant damage. For corporate security teams at energy infrastructure, Metcalf defines the standoff physical attack scenario that perimeter security design and threat assessment must address. The specific FERC 2014 finding on critical substation interdependence has driven regulatory requirements (NERC CIP-014-2 Physical Security Standard) requiring high-impact substations to conduct physical security risk assessments and implement operator-approved security plans.

The Colonial Pipeline ransomware attack (May 2021) was conducted by the DarkSide group, which accessed Colonial’s IT network through a compromised VPN credential. The pipeline, which supplies 45% of the US East Coast’s fuel, was shut down as a precautionary measure, creating fuel shortages across six states. Colonial paid a ransom of USD 4.4 million in Bitcoin; the US DOJ subsequently recovered approximately USD 2.3 million. The attack illustrates the cyber-physical convergence risk for CNI: a credential obtained through a phishing operation or insider action translates directly to operational shutdown of physical infrastructure. The Ukraine power grid attack of December 2015, documented by SANS ICS and attributed to the Russian BlackEnergy malware group, resulted in 230,000 customers losing power for 1-6 hours. It was the first documented cyber-attack to successfully interrupt electrical distribution at national scale. The relevance to personnel security is direct: both attacks had a human access component – Colonial through a compromised credential, Ukraine through spear-phishing of utility company employees to deliver the BlackEnergy payload. The CISA/FBI/NSA joint advisory on insider threats to CNI (2021) identifies that the human vector – whether through negligence, social engineering, or deliberate insider action – is the most common initial access pathway for attacks on CNI. Personnel security measures that reduce the human attack surface are the most cost-effective mitigation.

The UK Network and Information Systems (NIS) Regulations 2018 implement the EU NIS Directive for operators of essential services (OES) and relevant digital service providers. The Regulations require OES to implement appropriate and proportionate technical and organisational measures to manage cybersecurity risks, take appropriate measures to prevent and minimise the impact of incidents, and notify the relevant competent authority of incidents with a significant impact on continuity of services. Competent authorities vary by sector: OFCOM for telecoms, Ofgem/BEIS for energy, DHSC for health. The EU NIS2 Directive (Directive 2022/2555, effective October 2024 for EU member states) significantly expands the scope and obligations compared to NIS1, adding new sectors (postal/courier, food, manufacturing, space), extending supply chain security obligations, and introducing board-level accountability for cybersecurity governance. The UK, post-Brexit, is implementing its own enhanced version of NIS2 through the Cyber Security and Resilience Bill announced in the King’s Speech 2024. For CNI operators, the converging regulatory framework creates board-level personal accountability for security governance that was not present before NIS2. Senior executives at CNI operators face potential personal liability for governance failures that result in significant security incidents. The threat model must therefore include regulatory and reputational risk alongside the physical and cyber threat categories.

CNI insider threat in the context of state-sponsored targeting is qualitatively different from the standard corporate insider risk. The CISA/FBI/NSA joint advisory on insider threats to CNI (2021) documents that foreign intelligence services conduct long-term cultivation of CNI employees – identifying individuals through open source and social media, building relationships over extended periods at conferences or through online professional networks, and exploiting financial, personal, or ideological vulnerabilities. The target is access, not data exfiltration in the traditional sense. A cultivated CNI insider can provide information about security architecture, operational procedures, staff schedules, or access credentials that enables a subsequent external attack. The NPSA Personnel Security guidance 2024 recommends a personnel security programme that includes: baseline pre-employment vetting to BS 7858:2019 (security screening for security industry employees) or enhanced vetting for roles with access to sensitive operational systems; periodic re-vetting on a risk-based cycle for roles with ongoing access to critical systems; a behavioural awareness programme that trains staff to recognise approaches that may represent cultivation attempts; a clear reporting mechanism for staff who believe they have been approached; and a protective security culture that makes reporting concerns normalised rather than exceptional. The tension between employee privacy rights and security monitoring obligations is managed through documented policy, a proportionate basis for monitoring under UK GDPR (legitimate interests), and DPIA compliance – the same framework that applies to any insider threat monitoring programme.