A new report, Cyber Security in Energy: 2025 from Bridewell, a leading UK-based cybersecurity services provider, reveals that the UK energy sector, spanning oil, gas, and electricity, is facing mounting cyber security risks as it undergoes rapid digital transformation and scales up infrastructure investment to support net zero goals.
Nearly half (48%) of energy organisations cite data protection and privacy as their top cyber challenges, an eight-point increase from last year, while 62% have experienced a cyber breach or attack in the past 12 months, surpassing the UK business average of 50%. Despite this, only 12% cite “understanding their security posture” as a challenge, suggesting possible overconfidence or lack of visibility. AI-driven threats are also on the rise, with 79% of security professionals in energy organisations expressing concern about AI-powered phishing and 76% flagging AI-driven social engineering.
“As billions pour into new infrastructure and digital systems, the sector’s exposure to cyber threats is escalating sharply due to an increase in connectivity as well as vulnerable legacy systems, underdeveloped cyber security capabilities and AI-driven threats that can expose critical infrastructure to heightened risk,” explained Martin Riley, CTO at Bridewell. “The electricity industry in particular is expanding rapidly, with offshore wind projects and digitalisation creating fresh attack surfaces.”
Rising threats but faster responses
The report shows that ransomware remains the most time-consuming cyber incident for energy organisations to respond to, with an average of 7.7 hours, an improvement from 15 hours last year. Other attacks, such as supply chain breaches (5.8 hours) and DDoS (4.4 hours), require faster action, which highlights the need for rapid detection and mitigation.
State-linked cyber threats are also a growing concern. Around two-thirds of respondents flagged actors from Russia (66%), China (65%), Iran (64%), and North Korea (65%) as posing a significant risk in 2025. However, the top concerns were broader with 73% citing economic turbulence and 71% flagging a potential new global health crisis as the most worrisome events to their organisations.
AI as a tool and a threat
The sector demonstrated a heightened alert to the dangers posed by artificial intelligence in the hands of cyber criminals. AI-powered phishing (79%) and social engineering (76%) ranked highest among emerging threats, followed by exploit development (73%) and AI-driven botnets (74%).
At the same time, energy organisations are cautiously exploring AI to strengthen cyber resilience, though skills, tools and governance remain inconsistent across the industry.
Operational Technology under pressure
Operational technology (OT), vital for monitoring and controlling energy infrastructure, is another key area of vulnerability for energy organisations. Malware was cited as the most significant threat to OT (39%), followed by AI and machine learning (31%) and phishing (29%). Insecure ICS/OT protocols, generic user accounts and inadequate backups were among the top internal risks.
Despite these risks, only around half of energy companies are outsourcing critical OT cyber security services like managed detection and incident response. This limited reliance on external expertise, paired with known talent shortages, may hinder their ability to respond to threats effectively.
Regulatory pressures and compliance challenges
The energy sector is also grappling with increasing regulatory scrutiny. In addition to GDPR and the EU’s NIS Regulations, companies must meet the enhanced Cyber Assessment Framework by 2027. However, 42% report low confidence in implementing cyber security measures to meet data protection requirements, well above the 34% average across critical national infrastructure.
Other weak spots include third-party data processing agreements and maintaining processing activity records, suggesting resource strains and complexity are weighing heavily on compliance.
Strategic resilience
Although many organisations claim confidence in their current IT and OT defences (74% and 75% respectively), belief in the security of their active OT environments is lower at 67%. Budget pressures remain a challenge too, with energy companies dedicating about 32% of their IT budgets and 26% of OT budgets to cyber security.
The sector is leaning heavily on reskilling, STEM initiatives and apprenticeships to fill its cyber skills gap; however, this may not be enough to keep pace with evolving threats.
“As AI-powered attacks grow in sophistication and legacy systems remain widespread, the industry must act decisively,” said Anthony Young, CEO and Founder of Bridewell, “Cyber resilience can no longer be a reactive measure, it must be embedded into the DNA of our infrastructure, operations and culture. This research reinforces the importance of strategic investment in cyber capabilities, skilled talent and partnerships that safeguard our critical national energy assets.”
Download the full Cyber Security in Energy: 2025 Research Report report here.
