March 9, 2026
Calculating the impact of a cyber-attack on critical infrastructure
James Hanbury
Global Lead Director, Co-founder

What would a systemic cyber-attack cost the UK economy? We recently conducted a study for the Department for Science, Innovation and Technology (DSIT) to answer that question. The findings show the scale of potential disruption and underline why resilience planning matters.

Quantifying the cost of cyber-attacks to the UK economy is a challenging exercise. There is no single consensus methodology, and impacts vary widely depending on the attack vector, point of vulnerability and the attacker’s objectives.

For this study, we worked with the Department for Transport (DfT) and Network Rail to model a plausible systemic attack scenario: a cyber-attack on the train communications system leading to rapid system degradation and ultimately a total loss of service across the rail network.

What could a systemic cyber-attack like that cost the UK economy?

Our modelling estimates a total economic impact of approximately £1.8 billion for one week of disruption, including:

  • Direct cost to Network Rail: approximately £123 million
  • Passenger delays: approximately £281 million
  • Gross Value Added (GVA) impact: up to £1.4 billion (≈2.8% of weekly GDP; ≈0.05% of annual GDP)

(See full breakdown in the DSIT report.)

Could this really happen?

Systemic disruption would require several conditions to align — making such an event rare under current circumstances. Strong security controls and national policies have helped reduce systemic risk. However, cyber maturity remains uneven across the rail ecosystem, and a compromise in one organisation could still cascade to others.

To assess this, the DSIT study used the European Systemic Risk Board (ESRB) framework, which looks at four stages:

  • Context: the structure of the sector and how organisations depend on each other.
  • Shock: the initial cyber incident that triggers disruption.
  • Amplification: knock-on effects that spread the impact through suppliers, operators and confidence channels.
  • Systemic event: the point where disruption becomes widespread and affects the economy.

Based on this approach, a systemic event would need multiple amplifiers to line up — but uneven resilience and geopolitical uncertainty mean the risk cannot be ignored. Recent UK and European incidents have mostly hit ticketing systems, causing isolated financial impacts rather than network-wide outages. In contrast, in conflict zones such as Ukraine and Russia, rail operators have been targeted by state-sponsored groups and hacktivists — showing how context can change the scale of impact.

What this means for rail organisations

The DSIT study highlights two critical points:

  • The economic stakes are significant. A single systemic event could cost billions and disrupt essential services.
  • Risk is dynamic. Even if systemic events are rare today, the conditions that enable them can change quickly.

For rail operators, this means understanding where your organisation sits in the risk chain and how a local incident could propagate. That insight is critical for prioritising investment and resilience measures.

Find out more

Our DSIT report sets out the potential economic impact of a systemic cyber incident in the rail sector and explains how disruption could spread through critical infrastructure. It provides a useful reference point for organisations assessing their own resilience.

What stands out is the scale and complexity of the risk. A single systemic event could cost billions and disrupt essential services — and while rare, the conditions that enable such events can change quickly.

To understand the financial exposure specific to your own organisation, we encourage you to explore our Cyber Risk Quantification (CRQ) Accelerator, which uses our Cyber Risk Insights (CRI) platform to generate clear, actionable financial insights in just six weeks.

Reach out to the team for a free demo, or if you want support with more confident, data‑driven cyber risk decision‑making.

For those interested in the full research, the DSIT report is available on GOV.UK.
