Critical infrastructure is once again in the spotlight, as it is revealed that several UK water suppliers have reported cybersecurity incidents over the last two years.
The disclosure that attackers are probing the systems relied on to manage the delivery of safe drinking water to millions of households comes in newly released information from the Drinking Water Inspectorate (DWI), following a freedom of information request from The Record.
Between January 2023 and late October 2024, the DWI - which ensures the safety and acceptability of drinking water supplies in England and Wales - received 15 notifications of incidents involving water companies' digital systems. Five of these were confirmed to be cybersecurity-related.
Under the NIS regulations, which aim to enhance the security of essential services such as water, those five incidents were described as affecting "out-of-NIS-scope systems."
That suggests that none of the attacks actually impacted the safe supply or treatment of the public's drinking water, but rather that the organisations behind those supplies were affected in other areas of their business, such as administration.
And that clearly suggests that things could have been much worse.
However, it is worth bearing in mind that water suppliers operate two separate but increasingly connected environments. They utilise administrative IT systems for billing, scheduling, email, and other purposes. And they have operational technology (OT) systems that manage the flow and treatment of the water itself.
The fear is that hackers may compromise business networks initially to find pathways towards the systems that control physical processes.
In May 2024, the US Environmental Protection Agency (EPA) issued an alert warning that more than 70% of inspected water systems were not meeting basic cybersecurity requirements, including controls around account management and network access.
A later report, published by the Government Accountability Office (GAO) in August 2024, also highlighted the longstanding cybersecurity gaps in the water sector.
Then, in October 2024, American Water Works, the largest publicly traded water utility in the United States, admitted that attackers had gained unauthorised access to its corporate IT network.
The systems responsible for treating and delivering water at American Water were thankfully not affected, but the company still had to disable customer-facing services and launch incident response procedures.
All of this has happened against a backdrop of CISA warning that pro-Russian hacking groups are increasingly targeting industrial control systems within water utilities, exploiting unsecured remote access points and default passwords.
Although the headlines are more likely to be grabbed by hypothetical attacks on water supplies and treatment processes, the reality is that the most immediate risks are well-established threats such as ransomware.
However, water companies should understand that what is required is not just the defence of their specialised industrial systems, but also the overall cybersecurity posture of the firms that operate them.
As the UK's National Cyber Security Centre (NCSC) advises in its Cyber Assessment Framework, there is a clear need for robust network segmentation, monitoring for unusual activity between internal systems, and meticulous control of remote access.
The time for essential service providers to build resilient systems is not after operations are disrupted. Malicious hackers are already probing their perimeters, and business systems - which can often be overlooked in discussions of critical infrastructure - are increasingly the point of entry.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.