NCSC highlights design, segmentation and monitoring as key to tougher CNI testing

The UK’s National Cyber Security Centre has shared practical lessons from penetration testers working on critical national infrastructure (CNI), saying organisations can make life significantly harder...

The UK’s National Cyber Security Centre has shared practical lessons from penetration testers working on critical national infrastructure (CNI), saying organisations can make life significantly harder for attackers by improving basic architecture and response capabilities.

The blog, written by an NCSC lead researcher focused on cyber-physical systems, draws on feedback from industry testers whose role is to probe networks, identify weaknesses and help teams fix them before hostile actors can exploit the same gaps.

Security should be built in from the start

According to the testers, systems are easier to secure when they are designed with security in mind from day one rather than patched later. A “secure by design” approach makes it more practical to introduce controls that reduce the chance of successful intrusion and limit the impact of any compromise.

One of the most effective examples is network segmentation. By dividing environments into smaller, tightly controlled zones, organisations can reduce the risk of lateral movement after an initial breach. The NCSC said this is especially important in operational technology, where separating OT control systems from business IT helps protect availability and reduce the chance of disruption to physical processes.

  • Separate OT and IT environments as a core design principle
  • Control which data and services can cross boundaries
  • Use hardened access paths and privileged access workstations for administration

Monitoring only helps if it is acted on

The article also stressed that logging and monitoring become far more valuable when they are paired with clear incident response. Good telemetry can reveal suspicious activity, but only if organisations collect the right data and investigate alerts promptly.

The NCSC said teams should regularly test their response plans and consider “purple team” exercises, where offensive and defensive specialists work together to identify and fix weaknesses.

Use testers with the right expertise

For organisations planning a penetration test, the NCSC recommended using approved providers under its CHECK scheme. It also warned that OT environments require specific experience, since testers unfamiliar with industrial systems may overlook important risks or accidentally create operational problems.

The guidance is not intended as a complete defence strategy, but the agency said these steps can raise the bar for both testers and real-world attackers.