In Brief:
- NCSC chief executive Richard Horne has linked roughly three-quarters of cyber attacks affecting UK critical systems to hostile states.
- The warning covered more than 200 cyber incidents affecting critical national infrastructure and its supporting ecosystem.
- Defence suppliers face rising pressure to secure production systems, software, operational technology, and recovery capability.
The UK’s cyber security chief has warned that hostile states are linked to around three-quarters of cyber attacks affecting organisations within Britain’s critical infrastructure, placing defence suppliers and national-security manufacturers firmly inside the country’s strategic attack surface.
NCSC chief executive Richard Horne used his annual security lecture to highlight more than 200 cyber incidents affecting critical national infrastructure and its supporting ecosystem in the year to May 2026. The warning covered hostile activity associated with Russia, China, Iran, and wider state-linked cyber operations, with particular concern around preparation, access, and disruption potential.
Critical infrastructure is not protected by government departments alone. It depends on suppliers that design, build, maintain, and update systems across energy, transport, telecoms, aerospace, defence, digital services, and industrial control environments. Those suppliers are now part of the cyber terrain on which state-linked actors can prepare for future crisis or conflict.
Defence production is also becoming more digitally connected. Secure design files, manufacturing execution systems, quality records, robotics, CNC equipment, additive manufacturing platforms, test rigs, software repositories, and supplier portals are all part of the production base. A cyber attack against those systems may not look like a conventional attack on a weapons platform, but it can delay output, corrupt data, expose intellectual property, or undermine trust in manufactured parts.
Resilience now sits alongside prevention. Defence companies cannot assume every attack will be stopped at the perimeter. They need to understand exposure, maintain essential operations, detect malicious activity, and recover quickly when systems are compromised. For manufacturers, that means tested backups, segmented networks, secure remote access, rehearsed incident response, and a clear view of which systems halt production if they fail.
Cyber skills are already being drawn into the defence production base, with Winchester’s funding work linking training capacity to industrial resilience: “Winchester cyber funding puts skills into the defence production base”. The NCSC warning reinforces why those skills need to reach beyond security teams. Secure systems engineering, incident response, operational technology protection, software assurance, and supplier-risk management are now part of defence manufacturing competence.
AI adds another pressure point. The NCSC has warned that AI may help attackers exploit known vulnerabilities in legacy technology at greater scale across critical infrastructure. That creates a particular problem for defence and aerospace manufacturers, where long-lived equipment, certified software, and specialist industrial systems cannot always be patched at the speed expected in conventional IT.
The supplier ecosystem widens the problem. Defence primes may have mature cyber teams, but production depends on SMEs that provide machined parts, electronics, sensors, coatings, castings, software modules, tooling, and maintenance services. Many of those companies hold sensitive drawings, access portals, export-controlled data, or quality documentation. Attackers do not need to breach the largest company if a smaller supplier offers an easier path.
Manufacturing consequences can be subtle. Ransomware is visible, but data-integrity attacks may be more damaging over time. Altered drawings, corrupted inspection records, compromised firmware, manipulated production parameters, or stolen design files can create long-term trust problems. Defence manufacturing relies on evidence: traceability, configuration control, test results, acceptance records, and material certificates. Cyber resilience is therefore a quality-assurance issue as well as a security issue.
The UK’s broader defence-industrial push adds pressure. Government and industry are trying to raise output across munitions, shipbuilding, aerospace, autonomous systems, secure electronics, and support equipment. Expansion often brings new suppliers, more digital links, more subcontracting, and faster onboarding. Each can widen the attack surface if security controls are not built into procurement and production planning.
There is no clean separation between cyber and physical output. A factory cannot deliver on schedule if its industrial network is down. A secure communications product is weakened if its software supply chain is poorly controlled. A drone programme is exposed if firmware signing, radio configuration, or payload data pathways are compromised.
The NCSC warning lands as an industrial warning as much as a cyber one. Defence suppliers are part of the infrastructure that allows the UK and its allies to build, repair, deploy, and sustain military capability. If that infrastructure is being targeted, cyber assurance belongs on the factory floor, in the design office, and across every tier of the supply chain.



