
10 Key Takeaways from RUK’s 2026 Cyber & Security Conference London

On 12th March 2026, industry leaders, security specialists, and renewable energy experts gathered in London for RenewableUK’s Cyber & Security Conference. The event offered practical guidance for strengthening cyber resilience across the UK’s renewable energy sector. Below, we’ve summarised the ten most important takeaways shaping the future of cyber security in our industry. 


  1. Directors won’t be explicitly liable for cyber security breaches in the UK 


The UK’s Cyber Security and Resilience Bill does not explicitly introduce director personal liability in the same way as the EU’s NIS2 Directive, which increases management accountability and oversight obligations for non-compliance. While the UK approach is less penal, it does still increase director responsibility through existing governance-based accountability.  

 

  2. You think you’re insured – you’re probably not 


Standard cyber security insurance cover includes: 

  1. First party loss (e.g. computers, dependent business interruption, ransom and breach response) 

  2. Third party loss (e.g. liability claims and where insurable, certain regulatory fines) 

But these policies usually exclude physical damage.  

New “fully affirmative products” are now available to cover bodily injury, environmental damage, failure to supply subject to a power purchase agreement and spot open market cover. 


Regarding NIS2, standard Directors & Officers liability cover typically does not respond to non-indemnifiable liability arising from an inadequate cyber security posture – i.e. you can’t insure your way out of cyber security responsibilities. 


  3. Nationally significant cyber-attacks have doubled in the last year 


In the last 12 months, nationally significant cyber security incidents in the UK have risen from 89 in 2024 to 204 in 2025. These are driven by: 


  1. China’s use of commercial entities to obtain access to UK entities. Once access is obtained, it is paid for and handed over to the Chinese state, which deploys complex nation-state-level cyber attacks 

  2. Continued targeting of the UK and Europe by Russia-linked actors 

  3. Higher ransom payments – threat actors can now buy credential access for initial VPN footholds to many companies via criminal marketplaces, and then deploy ransomware more broadly. Recent reviews have seen an increase in the systematic undermining of disaster recovery plans prior to triggering the ransom request. 

 

  4. The National Cyber Security Centre is a great resource


The NCSC website is very useful, with lots of free tools to help, including: 

  1. Cyber Security toolkit for boards to ensure risks are visible at board level 

  2. Early Warning Alerts 

  3. Cyber Assessment Framework 

  4. Other easy-to-read how-to guides and advice on preparing for and responding to a cyber attack 

 

  5. Get clear on who owns the risk 


Many speakers highlighted how simultaneously important and difficult it is to identify who owns each cyber security risk – is it the owner, the operator or the infrastructure provider? Preparing a RACI matrix and running a table-top trial run of an event are the most useful ways to bring clarity to this.  

 

For development projects, getting clear on this early in contracts is critical, but it also needs to be accompanied by detailed RACI matrices to avoid confusion (and resulting missed responsibilities) at the operational stage. 

 

  6. Make sure firewalls are configured correctly


This was one of the key learnings from Russia’s successful attack on 30 Polish wind and solar farms in December 2025. Attackers gained access using default usernames and passwords. Even though the right equipment was specified, it hadn’t been configured correctly. 

 

  7. Avoid friendly fire


Use separate laptops for Operations Technology configuration and testing. There are many more examples of malware being inserted by technicians using the same laptops in the Operations Technology (OT) environment as they use in the Information Technology (IT) environment. 

 

  8. Map what’s in your substation and disconnect anything that does not absolutely need to be connected. 

 

  9. Use the NCSC Cyber Assessment Framework (CAF) 


This is a great start for the renewable energy supply chain. If pushed on improving, focus on Operations Technology, where more detailed technical standards may be required in addition to CAF. 

 

  10. Ensure suppliers ship hardware “secure by default.” 


Where possible, specify hardware to be secure by default. Just as your home wireless router no longer arrives with default usernames and passwords, look to have substation infrastructure shipped with customised usernames, passwords and other security features, to avoid gaps left by inadequate commissioning and testing. 

 




Ronan O'Meara

About the Author

Ronan O'Meara,

Managing Director

Ronan is a chartered engineer, renewable energy analyst and co-founder of EnergyPro
