Exclusive: e2e-assure CEO on CNI defence from geopolitical cyberattacks
Cyber attacks against critical national infrastructure are becoming harder to detect, attribute, and stop.
According to Rob Demain, CEO of UK-based threat detection and response firm e2e-assure, the modern threat landscape no longer resembles traditional cybercrime. Instead, it is defined by geopolitical signalling and the growing use of cyber operations as a substitute for physical force.
The customers e2e-assure works with sit at the highest end of the risk spectrum. They include organisations providing power generation, communications networks and high-tech manufacturing, as well as government bodies, where disruption can carry immediate economic and safety consequences.
Geopolitical tensions are pushing cyber operations further into the foreground of international conflict. Attacks are quieter, attribution is murkier, and the consequences are often invisible until systems fail. Demain pointed to infrastructure failures in Venezuela, where electricity and communications outages coincided with military activity.
"A cyber attack involved that could, what you call, make them go dark... Doing that via a cyber attack is a very clean way, because you can put the power back on, and hospitals can keep working," Demain said. "Cyber attacks sneak into the grey area."
According to reports from Washington D.C. news outlet Politico, U.S. President Donald Trump suggested that American forces used cyberattacks to cut power off in Caracas during the January 3 strikes that resulted in the capture of Venezuelan President Nicolás Maduro.
Demain said serious campaigns may involve months or years of planning and profiling before any technical intrusion occurs. Attackers increasingly rely on open-source intelligence, social engineering, and technical exploits.
The situation becomes more complex when nation-states collaborate with localised organised criminal groups to conduct operations on their behalf.
"The pattern we're seeing is the nation states collaborating with local cyber-criminal gangs," Demain said. "When they get caught, it looks like it's a local cyber operation."
This approach provides plausible deniability, he added. When activity is uncovered, arrests typically occur at the criminal level rather than being traced back to state sponsors.
On January 19, the National Cyber Security Centre (NCSC) issued an alert highlighting the persistent targeting of UK organisations by "Russian state-aligned hacktivist groups aiming to disrupt networks."
"By overwhelming important websites and online systems, these attacks can prevent people from accessing the essential services they depend on every day," said NCSC Director of National Resilience Jonathon Ellison in a public statement.
In response to rising threats, the UK government introduced stricter cybersecurity regulations for infrastructure operators.
In November of last year, the Cyber Security and Resilience Bill was enacted, regulating IT services that support private and public sector organisations like the NHS, adding minimum security requirements and imposing tougher penalties for cybersecurity gaps affecting critical infrastructure.
However, the regulatory scope is widening rapidly beyond asset owners themselves.
"If you're involved in delivering services to CNI… then you're being scoped in," Demain said.
This includes managed service providers, telecommunications firms, internet service providers and technology vendors whose systems form part of the operational supply chain.
Attackers have repeatedly demonstrated that indirect access paths are often easier to exploit than hardened core systems. As a result, organisations previously considered peripheral are now required to meet the same security standards as infrastructure operators.
Defending critical infrastructure requires a fundamentally different approach from traditional enterprise IT security.
In operational technology environments such as energy generation, industrial control networks and manufacturing facilities, conventional response tactics can cause more harm than the attack itself.
"In the IT world, we can interrupt things. We can disable," Demain explained. "You can't do that in this type of infrastructure. It's really an observability led approach, which is to look for the problem and then work out human ways to mitigate the risks. Because often turning it off is the worst outcome."
Demain believes attackers currently hold an advantage.
It is comparatively simple for AI to analyse known code for weaknesses. Defending against unknown exploits, by contrast, requires identifying behavioural patterns without knowing what the attack looks like.
The risk is particularly acute for network perimeter devices, such as firewalls and security appliances, which often contain undisclosed vulnerabilities. As AI lowers the barrier to exploit development, the traditional disclosure cycle may no longer provide defenders with adequate warning.
Traditional security tools rely heavily on indicators of compromise, signatures and threat intelligence feeds - all of which depend on prior discovery.
"If you don't know what the attack is, your EDR won't know about it, your signatures won't know about it, your IDS won't know about it, and your intel won't know about it," Demain said.
He cited recent incidents involving the cyber group Scattered Spider as evidence that behavioural detection remains critical. While several high-profile organisations suffered major disruption, Demain said his firm's customers remained operational.
"That's because we're focused on the way these attacks work," he said, rather than waiting for formal indicators to emerge.
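The contrast Demain draws between indicator-driven tools and behavioural detection can be made concrete with a small detection script. The following is an added example written for this article, not code from e2e-assure or any vendor; the log format, the "threat feed" entry and the addresses (all from the RFC 5737 documentation ranges) are constructed. It runs two detectors over the same authentication log: an indicator match, which can only fire on a source already on the feed, and a behavioural rule for a password spray (one source failing against many distinct accounts in a short window), which fires on an unknown source the feed has never seen.

```python
"""Added example: indicator-based vs behaviour-based detection over
constructed authentication log lines (not e2e-assure code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "threat feed": the only indicator a feed-driven tool knows about.
KNOWN_BAD_IPS = {"203.0.113.7"}   # TEST-NET-3 address, constructed for the example

# Constructed log format: ISO timestamp, source IP, account, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed log: 203.0.113.7 makes one failed attempt (and is on the feed);
# 198.51.100.23 is on no feed but tries one guess against many accounts in
# quick succession and then logs in; 192.0.2.44 is a user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:05Z auth src=198.51.100.23 user=alice result=FAIL
2024-05-01T10:00:09Z auth src=198.51.100.23 user=bob result=FAIL
2024-05-01T10:00:12Z auth src=198.51.100.23 user=carol result=FAIL
2024-05-01T10:00:15Z auth src=198.51.100.23 user=dave result=FAIL
2024-05-01T10:00:20Z auth src=198.51.100.23 user=erin result=FAIL
2024-05-01T10:00:24Z auth src=198.51.100.23 user=frank result=OK
2024-05-01T10:03:00Z auth src=192.0.2.44 user=alice result=FAIL
2024-05-01T10:03:30Z auth src=192.0.2.44 user=alice result=OK
"""


def parse(log_text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def ioc_hits(events, bad_ips=KNOWN_BAD_IPS):
    """Indicator match: fires only on sources already present on the feed."""
    return sorted({ev["src"] for ev in events if ev["src"] in bad_ips})


def spray_hits(events, window=timedelta(seconds=60), min_users=5):
    """Behavioural rule: a single source failing against at least `min_users`
    distinct accounts inside `window`, regardless of any feed.
    Returns {source: sorted list of accounts tried}."""
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["src"]].append(ev)
    flagged = {}
    for src, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each failure; flag on the first window
        # that reaches the distinct-account threshold.
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


def spray_then_success(events, **kw):
    """Sources that sprayed and then produced a successful login: the case to
    triage first, since the source now holds a working credential."""
    sprayers = spray_hits(events, **kw)
    ok_srcs = {ev["src"] for ev in events if ev["result"] == "OK"}
    return sorted(s for s in sprayers if s in ok_srcs)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("IoC hits:          ", ioc_hits(evs))
    print("Spray hits:        ", spray_hits(evs))
    print("Spray then success:", spray_then_success(evs))
```

Run as written, the indicator detector reports only 203.0.113.7, while the behavioural rule reports 198.51.100.23, which no feed knew about, and escalates it because the spray ended in a successful login. The single mistyped password from 192.0.2.44 stays below the threshold, which is the point of tuning `window` and `min_users` against normal traffic before deploying such a rule.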
Last November, an Anthropic report showed that large language models can already be used to bypass safeguards and generate multi-stage attack plans. More concerning is their growing ability to analyse firmware and identify zero-day vulnerabilities.
"The threat actor - whom we assess with high confidence was a Chinese state-sponsored group - manipulated our Claude Code tool into attempting infiltration into roughly thirty global targets and succeeded in a small number of cases," stated the Anthropic report.
The next phase of cybersecurity, Demain believes, will be defined not by firewalls or compliance checklists, but by deep visibility into how attacks behave.
"We need to go way deeper and look at how these things work on a much more holistic level, and not focus on 'we've got an IOC, let's catch it'. That world is ending quickly."