OT & Critical Infrastructure Security

Your training isn't working. Your environment can't afford that.

We build immersive cyber experiences for operational technology environments, designed to rehearse the decisions that matter before a real incident makes them for you.

The Threat Landscape

The wall between IT and OT is gone.

For years, the air gap held. OT was separate. Different protocols, different vendors, different risk profile. That assumption is gone. The pressure to connect operational systems to remote access, vendor portals, and enterprise dashboards has accelerated. The threat has followed. 

In December 2025, a threat actor targeted around 30 distributed renewable assets across Poland: wind farms, solar installations, a combined heat and power plant. The NCSC's own assessment: it was not a sophisticated attack. The actor used known vulnerabilities and weak defences, most of which could have been prevented by basic cyber hygiene. It nearly disrupted supply to over 500,000 customers. 

Colonial Pipeline. Ukraine's power grid. Oldsmar water treatment. In each case, the entry point was a human decision. Not a vulnerability in the OT system itself. A habit. An assumption. A password shared across systems.

Ofgem & DESNZ - March 2026

The proposed baseline cyber resilience requirements explicitly note that technical controls alone are not sufficient. "Mature cyber resilience requires the implementation of controls across the people, process and technology areas of an organisation."

Reshaping Cyber Regulation in Downstream Gas and Electricity, March 2026

4

nationally significant cyber attacks on the UK every week, according to the NCSC.

Reshaping Cyber Regulation in Downstream Gas and Electricity, March 2026

204

nationally significant incidents last year, a 130% increase on the 89 handled the previous year. Nearly half were aimed directly at national infrastructure.

NCSC Annual Review 2025

95%

of UK CNI organisations have suffered a data breach. 25% only found out because the attacker told them.

Bridewell CNI Security Survey, 2025

£210K

average cost of a significant cyber attack in the utilities sector - higher than the UK-wide average of £195k.

KPMG / DSIT Economic Modelling, 2025

The Real Problem

This isn't an awareness problem. It's a behaviour problem.

96% of employees who took a risky action (plugging in an unknown USB, bypassing a check, acting on an unverified request) knew it was risky when they did it. They knew. They did it anyway.

Proofpoint State of the Phish, 2024.

Your operators aren't ignorant. They know the procedures. They can recite the policy. But it's the end of a twelve-hour shift. There's a fault on the line. A contractor is on the phone telling them it's fine to bypass the check. He's done it a hundred times.

The instinct that training was supposed to build is not there. The pause. The hesitation. The 'wait, something's off here.' It was described in a module. It was never rehearsed.

1.7%

the difference mandatory annual training makes to behaviour.

Randomised control study. Ho et al. 2025. UC San Diego / University of Chicago.

86%

reduction in phishing susceptibility with continuous immersive training over 12 months.

KnowBe4, 2025. 14.5M users. 67.7M simulated phishing tests.

5 Years

how often the US Army now requires mandatory cyber training.

US Army's analysis of training, March 2026.

Our Approach

You cannot train instinct by describing it.

Think about how pilots train. They don't watch videos about turbulence. They use simulators that put them in it. Repeatedly. Until the right response stops being a decision and starts being a reflex. That's what we build. 

01

Engagement

Earn attention from people who think they've heard it all. Your operators are technically experienced and probably sceptical of anything that looks like corporate training. We build experiences that make them pay attention because something is actually happening.

02

Culture

Normalise the behaviour across the shift, not just in the session. Culture doesn't form in the training room. It forms in the conversations afterwards. In the shared language. In the "remember when we nearly missed that." That's what makes behaviour stick.

03

Instinct

Make the right call fast enough to matter. At 2am. With a fault on the line. When the information is incomplete and a contractor is telling you it's fine. Instinct isn't taught, it's rehearsed. Repeatedly. Under pressure. Until it runs without instruction.

The obvious question

An escape room. Really?

Fair. It's a legitimate challenge. So let's be direct about what we're not claiming. 

We're not claiming our approach replicates a real incident. The systems aren't real. The people aren't real. Nobody's pipeline is actually offline. You do need to use a bit of imagination. 

What we are claiming is that the cognitive and behavioural conditions it creates are real. When the clock is running and the information is incomplete and your team needs to communicate clearly and someone is making an assumption that takes you in completely the wrong direction. That is not a metaphor for an OT incident. That is structurally identical to one. 

What we've learned from running this with utilities, energy and CNI teams:

People don't reveal how they behave under pressure in a classroom. They do reveal it with us. The person who goes quiet under pressure. The person who skips the verification step because they're confident they know the answer. The person who notices something is wrong but doesn't say it because they assume someone else has already clocked it. 

Those behaviours don't show up in compliance training. They show up here. And once you've seen them, you can work on them. Which is the entire point.

The Experience

Built for operational environments.

Your team walks into a live cyber incident. CCTV is down. The local equipment room is locked. Critical machinery has gone offline.

You're the on-site response. Physical clues. Partial information. A lock.

The attack vectors aren't invented. They're the same entry points that have taken down real OT environments. And the same ones cited by the Ofgem and DESNZ consultation as the top attack avenues for OT: not zero-day exploits, not nation-state tradecraft. Cloud services. Web browsing. Human decisions, made a hundred times a day, by people who do know better.

What we're watching for, and what we want your team to notice about themselves, isn't whether they solve the puzzle. It's how.

  • Weak and shared credentials
  • Removable media and physical access
  • Social engineering and unverified requests
  • IT/OT crossover and remote access points
  • Information oversharing and OSINT exposure

Session Details

  • Duration: 45 minutes
  • Team size: Up to 5 players
  • Setting: Operational environment
  • Facilitation: Fully facilitated
  • Debrief: Included
  • Delivery: On-site or hosted
  • Suitable for: OT teams, SOC, leadership

The Regulatory Context

The regulator is asking about the human layer.

In March 2026, Ofgem and the Department for Energy Security and Net Zero published a consultation on reshaping cyber regulation across downstream gas and electricity. The direction of travel is clear: every Ofgem licensee will be required to have baseline cyber resilience in place.

The consultation is explicit that technical controls alone are not enough. It flags the need for resilience across "people, process and technology" and notes that the Cyber Essentials scheme it is proposing as a starting point is primarily designed for IT, with its application to OT environments described as potentially "unsuitable."

The gap it identifies is exactly the gap we fill. The technical controls that compliance frameworks cover are necessary. They are not sufficient. The human decisions made in your operational environment, under pressure, with incomplete information, on a normal Tuesday, are not covered by any certification scheme.

Mature cyber resilience requires the implementation of controls across the people, process, and technology areas of an organisation. The Cyber Essentials scheme controls are focused on technical measures and may not drive increased maturity in other areas like organisational governance, personnel security... or other non-technical aspects of cyber resilience.

What the consultation requires — and where we fit

Technical controls (Cyber Essentials)

Firewalls, secure configuration, access controls, malware protection, patch management. Covered by CE/CE+ certification.

People & behaviour (TCERC)

THIS IS WHERE WE FIT

The human decisions made under pressure. The instinct built through rehearsal. The shared language that makes security behaviour durable. Not covered by any certification scheme. Covered by us.

Process & governance

Incident response, supply chain security, recovery processes. Covered by NIS, CAF and sector-specific frameworks.

Trusted by OT & critical infrastructure teams

RWE, National Highways, Scottish Power, Thames Water, Ocean Infinity

The Cyber Escape Room experience was a game changer for our security awareness training. Our teams were fully engaged. Participants described the sessions as 'actually fun', something you rarely hear about cyber security training. It's not just training. It's an experience that genuinely changes behaviour.

Sally Bolton, Cyber Human Risk Manager

Scottish Power Energy Networks

Let's Talk

The training hasn't changed. Let's fix that.

If you're responsible for human risk in an OT or critical infrastructure environment, and you're asking whether your current programme is doing what it needs to do, we want to have that conversation.