News Hub

Concerns over cybersecurity threats to UK water supply raised in new report

Written by Mon 5 Feb 2024

Credit rating agency, Moody’s Investors Service, has warned water utilities are becoming attractive targets for malicious cyber actors, as water companies seek approval to improve cybersecurity.

Moody’s found in a report that hackers are concentrating on infrastructure companies and the use of artificial intelligence (AI) has the potential to accelerate this trend.

“The water sector’s exposure is rising as the sector is becoming increasingly digitalised through the installation of data logging equipment and smart meters, a trend we expect to continue given the need to reduce per capita consumption,” said Moody’s.

Greater digitalisation is expected to introduce new vectors of attack for malicious actors. For example, a malicious actor could pivot an attack from the third-party vendor used to provide some of the digitalisation services.

Moody’s primary concern is the infiltration of operational technology (OT) systems by malicious actors, which could disrupt drinking or wastewater treatment facilities. OT encompasses hardware and software used to monitor and control devices, processes, and infrastructure.

As a security measure, water and wastewater entities typically implement the method of ‘air gapping’. This process involves physically or logistically isolating networks to prevent unauthorised access. However, Moody’s cautioned that ‘air gapping’ can be undermined by other cybersecurity vulnerabilities.

Crucially, some organisations aim to enhance operational efficiency by integrating IT and OT systems more closely. However, Moody’s said this integration could inadvertently increase the vulnerability of the overall system. Tighter integration may create more points of entry for cyberattacks.

Consequences of Cyber Attacks 

Moody’s highlighted nation-state attacks pose higher risks due to their generous funding and expertise, often targeting sectors beyond finance for disruption. The report indicated that larger, investor-owned utility companies generally excel in resource allocation for cyber defences and implementing robust mitigation strategies compared to smaller entities.

Companies’ vulnerability may be heightened due to the increased use of data-logging equipment for water consumption monitoring. The adoption of digital smart meters was highlighted as another factor contributing to this susceptibility to attacks.

When a hack occurs, companies often have to enlist the help of cybersecurity firms to repair their systems and communicate with affected customers. They may be subject to penalties from regulatory bodies such as the UK’s Information Commissioner’s Office (ICO), which can impose fines of up to 4% of the company’s group turnover or £17 million ($21.3 million), whichever is higher.

Despite these costs, Moody’s said the overall impact on the company’s debt levels is not expected to be significant if the breach is resolved quickly. Moody’s referred to this impact as a ‘modest increase’ in debt levels, suggesting that while there is financial strain, it is manageable for the company in the short term.

“The greater risk for the sector, and society, is if malicious actors are able to access operational technology systems to impair drinking water or wastewater treatment facilities,” said Moody’s in the report.

Water companies seek to increase security spending

The credit agency added that water suppliers, the Government, and regulators recognised the need to strengthen cybersecurity due to the increasing sophistication of attacks on critical infrastructure. This included the growing state-aligned cyber threats.

Moody’s analysis showed companies hope to increase spending on security from less than £100 million ($125 million) collectively to nearly £700 million ($879 million) over the next five years. 

They aim to increase spending on cyber defences by seeking allowances from the Water Services Regulation Authority (Ofwat). The regulator is currently evaluating its proposals to raise bills between 2025 and 2030 to fund these investments. Ofwat’s determination is due later this year.

In October, Ofwat called on water companies to use the next 12 months to prove to customers they can deliver better services. 

The latest Water Company Performance Report revealed after three years of the 2020-25 period, 13 out of the 17 water and wastewater companies had not spent their forecast enhancement allowance. At a sector level, water companies spent 73% of their forecast enhancement allowance.

Water companies cited COVID-19’s impact, cost challenges from high inflation, and planning delays related to investigations as reasons for the delays in their programming.

In January, UK utility company, Southern Water, confirmed it is investigating a cybersecurity incident after the Black Basta ransomware group claimed it had accessed its systems. Southern Water provides water services to 2.5 million users, and wastewater services to more than 4.7 million users across Sussex, Kent, Hampshire, and the Isle of Wight.

Black Basta claimed to have acquired 750GB of data, including scanned identity documents such as passports and driving licenses, along with personal information like home addresses, dates of birth, email addresses, and corporate car-leasing documents.

In 2022, More than five terabytes of data from South Staffs Water were reportedly accessed by the ransomware group Cl0p.

A wide range of stolen files, including scans of passports and driver’s licenses, were published by the hackers on their blog. Most concerningly, Cl0p claimed it gained access to the systems that control the chemical composition of water supplies, indicating that even security to the most sensitive networks has been breached.

Join Cloud & Cyber Security Expo

6-7 March 2024, ExCeL London

Cloud & Cyber Security Expo is one of the largest IT security events in Europe.

Don’t miss the chance to build partnerships and discover solutions to protect your business.

Written by Mon 5 Feb 2024

Send us a correction Send us a news tip