What is Critical National Infrastructure (CNI) and why is it important?

CNI refers to assets, systems, and networks that are essential for the functioning of a country, such as energy grids, water supplies, transport networks, and healthcare. Their disruption would have serious consequences for national security, economic stability, and public safety. Protecting CNI is a top priority for governments because attacks can cause physical damage, loss of life, or widespread chaos.

How does cyber security for CNI differ from regular cyber security?

CNI cyber security focuses on operational technology (OT) that controls physical processes, whereas regular cyber security often deals with information technology (IT) and data. OT systems have different priorities: safety and availability are critical, as downtime can lead to physical harm. Additionally, OT systems are often older and harder to patch, making them more vulnerable to targeted attacks.

What are the main threats to Critical National Infrastructure?

The main threats include state-sponsored attacks (e.g., for espionage or sabotage), ransomware (e.g., Colonial Pipeline), supply chain compromises (e.g., SolarWinds), and insider threats. Attack vectors often involve phishing, exploiting unpatched vulnerabilities, or targeting remote access tools. These threats aim to disrupt services, steal intellectual property, or cause physical damage.

What laws and regulations protect CNI in the UK?

The key regulation is the Network and Information Systems (NIS) Regulations 2018, which implements the EU NIS Directive. It requires operators of essential services (energy, transport, water, health, digital infrastructure) to implement appropriate security measures and report incidents. The National Cyber Security Centre (NCSC) provides guidance and support. Non-compliance can result in fines up to £17 million or 4% of global turnover.

How can I start a career in CNI cyber security?

Start by gaining a foundation in general cyber security through qualifications like this ProQual Level 2 Award. Then, specialise by learning about OT systems, SCADA, and industrial control systems (ICS). Certifications such as CISSP, CISM, or GIAC (e.g., GICSP) are valuable. Experience in IT security, engineering, or risk management also helps. Look for roles in energy, water, or transport companies, or government agencies like the NCSC.

What is the difference between IT and OT in CNI?

IT (Information Technology) deals with data processing, storage, and communication, using standard hardware and software. OT (Operational Technology) monitors and controls physical processes, such as opening a valve or switching a power line, using specialised systems like SCADA and PLCs. OT prioritises safety and availability, while IT prioritises confidentiality. OT systems often have longer lifecycles and are harder to update, creating unique security challenges.

How to Revise ProQual Level 2 Award in Cyber Security Awareness for Critical National Infrastructure — ProQual Awarding Body Vocationally-Related Qualification Computer Science

Understand the legislation associated with information assurance and cyber security within an organisation, Understand how to provide guidance and obtain resources to ensure an effective cyber awareness strategy, Know how to select and use appropriate security methods to safeguard systems and data, Understand the importance of cyber security policy compliance at all levels of an organisation, Understand how to effectively report and mitigate against further cyber attacks, 6. Understand how to ensure effective compliance with organisational acceptable usage policies within area of responsibility, Understand how to identify cyber risks specific to their organisational role or business area, Understand the principles of access control and management, Understand the importance of cyber incident response, disaster recovery and business continuity, Understanding the safe usage of social and professional networks within an organisation

Examiner Tips for ProQual Level 2 Award in Cyber Security Awareness for Critical National Infrastructure

Always ground your answers in the specific context of critical national infrastructure, using sector-appropriate examples (energy, water, transport, etc.).
When discussing legislation, name the specific Acts or Regulations and explain their relevance; avoid generic statements.
Structure your evidence around the policy lifecycle: development, implementation, monitoring, and review.
For higher marks, demonstrate how you would engage stakeholders at all levels – from board members to operational staff – to embed cyber awareness.
Use the 'people, process, technology' framework to structure your selection and justification of security methods.
In incident response scenarios, clearly separate immediate containment actions from longer-term mitigation and recovery steps.
Show that you understand the importance of testing plans (e.g., tabletop exercises) and learning from incidents, not just documenting them.
When addressing acceptable usage, provide practical examples of how you would handle common pitfalls, such as shadow IT or personal device usage.

Common Mistakes in ProQual Level 2 Award in Cyber Security Awareness for Critical National Infrastructure

Confusing cyber security policies with detailed operational procedures, leading to overly prescriptive or unworkable documents.
Failing to map policy requirements to specific legislation, resulting in non-compliance or vague references to 'the law'.
Overlooking the role of middle management and frontline staff, focusing solely on IT department or senior leadership.
Neglecting the reporting and feedback loop; students often treat incident response as a one-off event rather than a continuous improvement cycle.
Underestimating the unique risks in CNI, such as impact on safety, national security, or cascading failures across interconnected systems.
Assuming that access control is only about passwords; missing physical security, network segmentation, or role-based access concepts.

Key Marking Points

Award credit for demonstrating accurate interpretation and application of relevant legislation (e.g., NIS Directive, UK Data Protection Act) when drafting policy guidance.
Expect evidence of practical resource mobilization, such as tailored training materials or awareness campaigns, to support the cyber security strategy.
Credit should be given when selection of security methods is justified with reference to specific threats and vulnerabilities in CNI environments.
Look for explicit linkage between policy compliance and risk reduction at all staff tiers, including senior management endorsement.
Assess the quality of incident reporting procedures: they must include clear escalation paths and post-incident analysis to mitigate future attacks.
Award marks for demonstrating how acceptable usage policies are communicated, monitored, and enforced within the candidate’s area of responsibility.

← Back to ProQual Awarding Body Vocationally-Related Qualification Computer Science

ProQual Level 2 Award in Cyber Security Awareness for Critical National Infrastructure

PROQUAL-AWARDING-BODY

vocational

This topic covers cyber security risks specific to critical national infrastructure (CNI), including threats, access control, and incident response. It emphasises the importance of protecting essential services.

Learning Outcomes

Assessment Guidance

Key Skills

Key Terms

Assessment Criteria

Topic Overview

The ProQual Level 2 Award in Cyber Security Awareness for Critical National Infrastructure (CNI) introduces students to the unique cyber threats facing essential services such as energy, water, transport, and healthcare. Unlike general cyber security, CNI focuses on systems whose disruption would cause severe economic or social harm. This qualification covers threat actors, attack vectors, and the legal and regulatory frameworks that protect national assets, including the Network and Information Systems (NIS) Regulations 2018.

Understanding CNI cyber security is vital because attacks on these sectors can have cascading effects on public safety and national security. Students will learn about operational technology (OT) versus information technology (IT), the importance of resilience, and the role of organisations like the National Cyber Security Centre (NCSC). This knowledge is directly applicable to roles in security operations centres, infrastructure management, and policy development.

This award fits within the broader ProQual suite of vocational qualifications, providing a foundation for further study in cyber security or related fields. It emphasises practical awareness rather than deep technical skills, making it accessible to students from diverse backgrounds. By the end, learners should be able to identify risks to CNI and propose basic mitigation strategies.

Key Concepts

Core ideas you must understand for this topic

→Critical National Infrastructure (CNI): Sectors and assets essential for national security, economic stability, and public health, including energy, water, transport, and communications.
→Operational Technology (OT) vs Information Technology (IT): OT controls physical processes (e.g., SCADA systems), while IT manages data. OT often has legacy systems with limited security, making it a prime target.
→Threat Actors and Attack Vectors: State-sponsored groups, cybercriminals, and hacktivists target CNI via phishing, ransomware, supply chain attacks, and exploiting unpatched vulnerabilities.
→Legal and Regulatory Frameworks: The NIS Regulations 2018 mandate security measures for operators of essential services, with penalties for non-compliance. The NCSC provides guidance and incident support.
→Resilience and Incident Response: CNI organisations must have business continuity plans, regular backups, and incident response teams to minimise downtime and recover quickly from attacks.

What You Need to Demonstrate

Key skills and knowledge for this topic

Identify cyber threats to CNI and their potential impact.
Explain principles of access control and management.
Describe the importance of incident response and business continuity.
Recognise safe usage of social and professional networks.
Award credit for demonstrating accurate interpretation and application of relevant legislation (e.g., NIS Directive, UK Data Protection Act) when drafting policy guidance.
Expect evidence of practical resource mobilization, such as tailored training materials or awareness campaigns, to support the cyber security strategy.
Credit should be given when selection of security methods is justified with reference to specific threats and vulnerabilities in CNI environments.
Look for explicit linkage between policy compliance and risk reduction at all staff tiers, including senior management endorsement.

Assessment Criteria

Key criteria assessors look for in your portfolio

Identify cyber threats to CNI and their potential impact.
Explain principles of access control and management.
Describe the importance of incident response and business continuity.
Recognise safe usage of social and professional networks.
Award credit for demonstrating accurate interpretation and application of relevant legislation (e.g., NIS Directive, UK Data Protection Act) when drafting policy guidance.
Expect evidence of practical resource mobilization, such as tailored training materials or awareness campaigns, to support the cyber security strategy.
Credit should be given when selection of security methods is justified with reference to specific threats and vulnerabilities in CNI environments.
Look for explicit linkage between policy compliance and risk reduction at all staff tiers, including senior management endorsement.
Assess the quality of incident reporting procedures: they must include clear escalation paths and post-incident analysis to mitigate future attacks.
Award marks for demonstrating how acceptable usage policies are communicated, monitored, and enforced within the candidate’s area of responsibility.
Credit analysis that identifies role-specific cyber risks, such as operational technology vulnerabilities or supply chain dependencies.
Evidence of understanding access control principles should include practical implementation of need-to-know, least privilege, and segregation of duties.
The candidate must articulate the importance of a tested incident response plan, disaster recovery procedures, and business continuity arrangements.
Safe use of social and professional networks must be addressed through clear policy guidelines and real-world examples of good practice.

Assessment Guidance

Guidance for achieving higher grades

💡Learn about real-world CNI cyber incidents.
💡Understand the role of the National Cyber Security Centre (NCSC).
💡Focus on risk management and mitigation strategies.
💡Always ground your answers in the specific context of critical national infrastructure, using sector-appropriate examples (energy, water, transport, etc.).
💡When discussing legislation, name the specific Acts or Regulations and explain their relevance; avoid generic statements.
💡Structure your evidence around the policy lifecycle: development, implementation, monitoring, and review.
💡For higher marks, demonstrate how you would engage stakeholders at all levels – from board members to operational staff – to embed cyber awareness.
💡Use the 'people, process, technology' framework to structure your selection and justification of security methods.
💡In incident response scenarios, clearly separate immediate containment actions from longer-term mitigation and recovery steps.
💡Show that you understand the importance of testing plans (e.g., tabletop exercises) and learning from incidents, not just documenting them.
💡When addressing acceptable usage, provide practical examples of how you would handle common pitfalls, such as shadow IT or personal device usage.
💡Use specific examples of CNI attacks (e.g., Colonial Pipeline, WannaCry) to illustrate concepts. Examiners reward real-world application over generic definitions.
💡Understand the difference between IT and OT security priorities. In OT, availability and safety are paramount, whereas IT often prioritises confidentiality. This distinction is frequently tested.
💡Memorise key regulatory details: the NIS Regulations apply to 'operators of essential services' (OES) and 'digital service providers' (DSPs). Know the sectors covered and potential fines.

Common Mistakes

Common errors to avoid in your coursework

Underestimating the sophistication of cyber attacks on CNI.
Confusing confidentiality, integrity, and availability (CIA triad).
Failing to distinguish between personal and organisational cyber risks.
Confusing cyber security policies with detailed operational procedures, leading to overly prescriptive or unworkable documents.
Failing to map policy requirements to specific legislation, resulting in non-compliance or vague references to 'the law'.
Overlooking the role of middle management and frontline staff, focusing solely on IT department or senior leadership.
Neglecting the reporting and feedback loop; students often treat incident response as a one-off event rather than a continuous improvement cycle.
Underestimating the unique risks in CNI, such as impact on safety, national security, or cascading failures across interconnected systems.
Assuming that access control is only about passwords; missing physical security, network segmentation, or role-based access concepts.
Treating disaster recovery and business continuity as the same thing without distinguishing their objectives (recovery of IT vs. continuity of business functions).
Ignoring the human factor in social network usage; failing to address both accidental data leakage and targeted social engineering.
Misconception: CNI cyber security is the same as general IT security. Correction: CNI involves OT systems with different priorities (safety and availability over confidentiality), and attacks can cause physical damage, not just data loss.
Misconception: Only large organisations are targeted. Correction: Small suppliers in the CNI supply chain are often weaker links and frequently attacked as entry points to larger targets.
Misconception: Cyber security is solely an IT responsibility. Correction: Effective CNI security requires collaboration across engineering, management, and legal teams, as well as adherence to regulations.

Frequently Asked Questions

Common questions students ask about this topic

Before You Start

Prior knowledge that will help with this topic

•Basic understanding of cyber security principles (e.g., confidentiality, integrity, availability).
•Familiarity with common cyber threats (e.g., malware, phishing) and basic network concepts.

Key Terminology

Essential terms to know

Understand the principles of Cyber Security within a critical national infrastructure, Understand the cyber threats to organisational and personal security, Understand how to identify cyber risks specific to their organisational role or business area, Understand the principles of access control and management, Understand the importance of cyber incident response, disaster recovery and business continuity, Understanding the safe usage of social and professional networks within an organisation
Understand the legislation associated with information assurance and cyber security within an organisation, Understand how to provide guidance and obtain resources to ensure an effective cyber awareness strategy, Know how to select and use appropriate security methods to safeguard systems and data, Understand the importance of cyber security policy compliance at all levels of an organisation, Understand how to effectively report and mitigate against further cyber attacks, 6. Understand how to ensure effective compliance with organisational acceptable usage policies within area of responsibility, Understand how to identify cyber risks specific to their organisational role or business area, Understand the principles of access control and management, Understand the importance of cyber incident response, disaster recovery and business continuity, Understanding the safe usage of social and professional networks within an organisation

Ready to learn?

AI-powered learning tailored to this unit

ProQual Level 2 Award in Cyber Security Awareness for Critical National Infrastructure

Topic Overview

Key Concepts

What You Need to Demonstrate

Assessment Criteria

Assessment Guidance

Common Mistakes

Frequently Asked Questions

Before You Start

Key Terminology

Ready to learn?

Related Topics in PROQUAL-AWARDING-BODY vocational Computer Science

E2E stub topic