Transitioning from cyber compliance to cyber resilience: will the water industry sink or swim?
Sep 05 2025
Author:
Della-Maria Marinova
on behalf of AtkinsRéalis
Following on from her presentation at the Water, Wastewater and Environmental Monitoring Conference (WWEM), AtkinsRéalis’ Della-Maria Marinova explores the real-world impact of cyber security on water utilities’ operations.
Picture the scenario: a water company has installed new operational technology (OT) equipment, for example upgraded Programmable Logic Controllers (PLCs), without considering their cyber security. The company is hit by a cyber-attack – hackers exploit publicly available default passwords on the PLCs, causing widespread water supply outage across the customer base, and necessitating a switch to manual pumping.
With limited resources to run and manage manual operation, operations become more challenging and costly, leading to reputational damage and a loss of customer trust. It gets worse: the organisation is fined up to £17 million by the regulator for a ‘significant event’ under the Network and Information Systems Regulations (NIS-R) 2018. A worst-case scenario could even have public safety implications if, for example, the attacker were to alter the water’s chemical dosing.
Sounds far-fetched? Attacks like this are becoming more commonplace across the water sector, in the UK and globally. The UK’s National Cyber Security Centre (NCSC) responded to 50% more ‘significant events’ across Critical National Infrastructure (CNI) in 2024 than in 2023. Six cyber incidents were reported to DEFRA in 2024, a 300% increase on the whole period from 2018 to 2023. The frequency of cyber-attacks on the water sector may not be the highest across CNI, but it is increasing, as highlighted by the Independent Water Commission led by Sir Jon Cunliffe. So, why is this happening? And what can water companies do to protect themselves against cyber threats?
Evolving threat landscape
As the water sector evolves, so too does the landscape of potential and actual cyber threats facing it. New cyber threats emerge daily, constantly shifting this threat landscape, with geopolitics playing a role in the rise of politically motivated cyber-attacks. The evolution of ‘ransomware-as-a-service’, and the use of new technologies such as artificial intelligence (AI) by attackers, add unpredictability and complexity: AI makes social engineering, including deepfakes, harder for targets to recognise, speeds up attackers’ reconnaissance, lowers the barrier to entry for launching attacks, and shortens the time between a vulnerability being identified and being exploited.
New vulnerabilities are being inadvertently introduced into utilities’ operational environments, through pressure to implement emerging technologies at pace. Water companies are upgrading their technology, becoming more data driven, and looking to automation to generate efficiencies. Interconnected Internet of Things (IoT) devices, such as sensors, are entering the operational environment; and many new technologies are being linked to the internet due to the increasingly remote nature of control, maintenance and monitoring functionalities.
However, what appears to be a step forward may actually be two steps back, as difficult-to-update legacy equipment, in previously isolated environments, is becoming connected to enterprise networks – opening it up to vulnerabilities it was never designed to face.
Moreover, with no minimum global standard, the onus falls on the water company to manage its supply chain – organisations must now pay even more attention to the origin and security features of the new technology and tools they procure in order to avoid becoming inadvertent targets of cyber-attack.
Changing legislative and regulatory landscape
The increase in cyber-attacks, and the widening gap between cyber threats and defences, appear to be prompting legislative and regulatory changes – most notably, the proposed introduction of the Cyber Security and Resilience (CS&R) Bill in the UK by the end of 2025, and the implementation of NIS2 across the EU. These build upon NIS-R 2018, the UK’s only cross-sector cyber legislation aimed at boosting cyber and physical security. For water companies, these changes will likely introduce new obligations, including extending the scope of requirements to wastewater and introducing more stringent requirements on supply chain management, enhanced powers for regulators, shorter incident reporting timelines, and greater board-level accountability.
The sector regulator has already set targets for water companies, through the cyber assessment framework (CAF) sector-specific profile (SSP) by March 2025, and an enhanced cyber assessment framework (eCAF) by March 2028. The eCAF increases expectations on water companies across privileged user management, secure by design, secure configuration, monitoring coverage, generating alerts, and monitoring tools and skills. Failure to meet these enhanced requirements will result in fines and enforcement notices.
Operational needs and cyber resilience: a balancing act
Continuing to fulfil day-to-day duties as an operator of essential services, while adapting to these changes and building resilience in an evolving threat landscape is challenging. Resource constraints, combined with a lack of understanding of cyber security’s importance – particularly in the operational environment – nudge companies towards a compliance-centred mindset. Enhancing cyber security and building organisational resilience takes time and effort; it can’t be achieved overnight.
Adding to the complexity, the varying size and scale of water companies means a one-size-fits-all approach is not feasible. Attack surfaces are not universal, and neither are accompanying mitigations. But challenges can open up opportunities, and the solution may not be as complex as it first appears. The evolving threat, legislative and regulatory landscapes present an opportunity for all water operators to implement new policies, procedures and tools, to enable them to become more cyber resilient, and to meet the new targets set by the regulator.
Cyber risk is a business risk that needs to be clearly understood and prioritised. Cyber risk assessments build a cohesive understanding of cyber risk and contribute to board buy-in. Maintaining a current understanding of the evolving threat landscape underpinned by candid knowledge sharing across the sector will enable water companies to better mitigate against cyber risks, in line with their risk appetite.
The majority of cyber-attacks rely on techniques and vulnerabilities that are well known, and so are the defences against them; the gap is usually in applying those defences consistently across a large, ageing estate. This means that improving cyber security is not just a technical issue. The technical element does play a role: for example, using asset discovery and anomaly detection tools to gain a detailed, up-to-date picture of assets (and their associated vulnerabilities) across operational sites. This can enable water companies to better understand their assets and asset interdependencies across a vast asset base. However, introducing new tools and technology carries complexities in terms of product security features, remote maintenance and support, and the increased volume of data that has to be stored and analysed.
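The asset-discovery and anomaly-detection step described above, as an added example that is not part of the original article and not AtkinsRéalis’ or any vendor’s tooling: a small passive baseline built from constructed connection records of the kind an OT monitor emits after decoding Modbus/TCP. The host addresses and the topology (a SCADA server polling two PLCs, an engineering workstation that occasionally writes setpoints) are assumed for illustration; the Modbus function codes used to distinguish reads from state-changing writes come from the public protocol definition. The script builds an inventory of hosts, communication pairs and hosts that issue writes during a learning window, then flags live records that deviate from it.

```python
"""Passive OT asset inventory and anomaly flagging over constructed connection records."""
from dataclasses import dataclass

# Modbus/TCP function codes that change PLC state (public protocol definition):
# 5 Write Single Coil, 6 Write Single Register, 15 Write Multiple Coils,
# 16 Write Multiple Registers, 23 Read/Write Multiple Registers.
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}

# Constructed sample records, not real traffic: (timestamp, src, dst, port, function code).
# Assumed topology: 10.10.1.5 is the SCADA server polling PLCs 10.10.2.11 and 10.10.2.12;
# 10.10.1.20 is the engineering workstation that legitimately writes setpoints.
BASELINE_RECORDS = [
    ("2025-09-01T08:00:00", "10.10.1.5", "10.10.2.11", 502, 3),
    ("2025-09-01T08:00:01", "10.10.1.5", "10.10.2.12", 502, 3),
    ("2025-09-01T08:30:00", "10.10.1.20", "10.10.2.11", 502, 16),
    ("2025-09-01T09:00:00", "10.10.1.5", "10.10.2.11", 502, 3),
]

LIVE_RECORDS = [
    ("2025-09-02T08:00:00", "10.10.1.5", "10.10.2.11", 502, 3),       # routine poll
    ("2025-09-02T08:05:00", "10.10.1.5", "10.10.2.12", 502, 6),       # SCADA server now writing
    ("2025-09-02T08:07:00", "192.168.50.9", "10.10.2.11", 502, 16),   # unknown host writing
    ("2025-09-02T08:09:00", "10.10.1.20", "10.10.2.11", 502, 16),     # known engineering write
]


@dataclass(frozen=True)
class Inventory:
    hosts: frozenset      # every address seen as source or destination
    pairs: frozenset      # (src, dst, port) conversations observed
    writers: frozenset    # hosts observed issuing state-changing function codes


def build_inventory(records):
    """Learn the baseline inventory from records captured during a trusted learning window."""
    hosts, pairs, writers = set(), set(), set()
    for _ts, src, dst, port, fc in records:
        hosts.update((src, dst))
        pairs.add((src, dst, port))
        if fc in WRITE_FUNCTIONS:
            writers.add(src)
    return Inventory(frozenset(hosts), frozenset(pairs), frozenset(writers))


def find_anomalies(baseline, records):
    """Return one alert per live record that deviates from the baseline, with every reason."""
    alerts = []
    for ts, src, dst, port, fc in records:
        reasons = []
        if src not in baseline.hosts:
            reasons.append("unknown source host")
        if dst not in baseline.hosts:
            reasons.append("unknown destination host")
        if (src, dst, port) not in baseline.pairs:
            reasons.append("new communication pair")
        if fc in WRITE_FUNCTIONS and src not in baseline.writers:
            reasons.append(f"write (fc {fc}) from host never seen writing")
        if reasons:
            alerts.append({"ts": ts, "src": src, "dst": dst, "fc": fc, "reasons": reasons})
    return alerts


def main():
    baseline = build_inventory(BASELINE_RECORDS)
    print(f"baseline: {len(baseline.hosts)} hosts, {len(baseline.pairs)} pairs, "
          f"writers={sorted(baseline.writers)}")
    for a in find_anomalies(baseline, LIVE_RECORDS):
        print(f"{a['ts']} {a['src']} -> {a['dst']} fc={a['fc']}: {'; '.join(a['reasons'])}")


if __name__ == "__main__":
    main()
```

Two of the four live records are flagged: the SCADA server issuing a write it never issued during the learning window, and an address outside the baseline writing to a PLC. The caveat a practitioner should keep in mind is that a passive baseline is only as complete as its learning window and only as trustworthy as the estate was at the time: the engineering workstation’s write is accepted because that host was seen writing before, so this kind of tool complements, rather than replaces, privileged user management and change control.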
People and processes are important too. Cyber awareness campaigns support cultural change, shifting the narrative of cyber security from a ‘necessary evil’ or compliance function to a driver of operational resilience and business growth. Gamification, such as the interactive, scenario-based game ‘Intrusions and Impacts’ we showcased at WWEM, highlights the real-world impact of cyber-attacks on water utilities’ operations.
Training operational staff helps them identify and enable the security features of the products they procure, and puts pressure on the supply chain to build security into its products. Incident response tabletop exercises help reduce siloed working by building resilient processes and raising awareness of the different ways people across the organisation can contribute. Crucially, to ensure the organisation swims rather than sinks, cyber resilience must be built in at every stage of the technology lifecycle, from procurement through commissioning, operation and decommissioning.