In recent years we have seen businesses across the globe adopt digital operating models – and utilities companies are no exception. These national companies – which keep critical infrastructure running by providing water, gas, electricity, and waste treatment services – use a plethora of different systems, online platforms, and applications to run their businesses. These systems bring a wealth of benefits: they make it simple for customers to track their usage and bills online and arrange payments, they streamline operating models, and they make it easy to structure processes and collect and share data across the organisation. But this reliance on digital infrastructure has also increased the scope for cyber-attacks and provided new entry points.
Recent warnings from credit rating agency Moody’s have shed light on the elevated risk that utilities companies face from cyber attackers targeting their operations. Moody’s stated that “Critical infrastructure sectors like electric, water and other utilities have the highest risk exposure” due to a “growing reliance on digitisation”. They highlight that it “doesn’t necessarily mean they lack strong cyber defenses. However, a successful attack on their assets and services can have significant consequences” for both homes and businesses.
The utilities sector is becoming increasingly digitised through the introduction of smart meters, online portals and third-party software applications – broadening the attack surface for cyber criminals as they seek to infiltrate systems, compromise data, and disrupt supplies. It is not just customer data that hackers are looking to steal and exploit; they are also looking to target insecure operational technology to interrupt supply, causing widespread disruption such as power cuts and contaminated drinking water.
Cyber Attacks on Water Companies are Hitting the Headlines
The report from Moody’s has sent a clear message: cyber-attacks on water companies have been prevalent and nobody is immune. Recent attacks have hit well-known players who likely already have a strong cyber security posture. Recently Southern Water – who supply over 4 million customers in the UK – stated that the Black Basta ransomware group claimed to have accessed their systems and posted a “limited amount” of their data on the dark web. In addition, Staffordshire Water issued an apology after hackers stole personal data relating to their customers; Moody’s estimate that the costs related to the hack – including potential civil claims – could reach £10m. In Ireland, 180 people were left without water when hackers targeted a water pumping system by taking control of a poorly protected industrial control system.
The US is facing similar problems. In 2023 hackers attacked Aliquippa’s municipal water system and managed to shut down a pump on a supply line serving over 6,000 customers. News also emerged of a cyber security incident at Veolia North America, who supply water to the city of Rahway in New Jersey. Moody’s pointed out that the use of artificial intelligence (AI) could further accelerate this worrying trend of cyber-attacks on utilities providers.
However, Moody’s cautioned that although cyber-attacks like data breaches have a significant impact on data privacy and reputation, “The greater risk for the sector, and society, is if malicious third parties are able to access operational technology systems to impair drinking water or wastewater treatment facilities.” These systems often rely on older Operational Technology (OT) and control gear that was designed before the internet era and has since been retrofitted for remote access. This makes them easier to compromise, because the older equipment lacks modern cyber security protections such as authentication and encrypted communications, and the retrofitted remote access exposes it to networks it was never designed to face. If supplies of drinking water are contaminated or stopped altogether, the health of the population is put at risk and lives can be threatened – creating maximum disruption and impact from these malicious attacks.
How are regulators addressing the cyber-threats facing utilities companies?
Recognising the criticality of the situation, water suppliers, government bodies, and regulators have acknowledged the need to strengthen cyber defences. Ofwat, which regulates the water sector in the UK, is assessing plans to raise bills from 2025 to 2030 to cover additional costs – enabling water companies to deliver a better service for customers and improve the environment – and part of this will likely include cybersecurity investments. This direction comes at a time when the water industry is facing additional scrutiny for various issues, including sewage dumping and executive pay.
In the aftermath of the cyber-attacks on the water sector, the Environmental Protection Agency (EPA) is advocating for water companies to voluntarily integrate fundamental cyber measures into their planning and operational processes. The EPA Water Sector Cybersecurity brief suggests a number of controls that water companies can implement to protect themselves from ransomware attacks.
Recent regulatory changes have introduced new cyber regulations for organisations providing Critical National Infrastructure (CNI). These include the Telecoms Security Act introduced in 2021, DORA (the Digital Operational Resilience Act), which will impact financial services organisations and their Information and Communication Technology (ICT) service providers, and the eagerly anticipated NIS 2 directive.
It is essential for water companies and others in the utilities sector to recognise these vulnerabilities highlighted by regulators and take proactive steps to protect their operations and customer data.
What can utilities companies do to bolster cyber security measures?
There are a number of steps utilities companies can take to get visibility of cyber security threats, strengthen IT infrastructure, and reduce the impact when incidents occur.
Of course, there are technical provisions companies can take, such as installing security updates and patches, limiting access to unknown devices and IP addresses, and restricting data sharing between devices to reduce the attack surface. But companies also need to identify cyber threats upfront and implement controls to mitigate them. They must implement strict cyber security policies and training, manage compliance with data privacy regulations, implement processes to resolve cyber incidents quickly, and ensure all software, hardware, and licences are up to date and have the correct security measures in place.
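The "limiting access to unknown devices and IP addresses" control above is easy to state and easy to get wrong in practice, particularly for OT equipment that has been retrofitted with remote access. The following script is an added example (it is not from the original post, nor from Camms or any utility's own tooling) showing how a defender might audit a remote-access gateway log against an allowlist of management networks and an inventory of known engineering workstations. The gateway log format, the network ranges, the device inventory and the log lines are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed allowlist of management networks permitted to reach the OT remote-access
# gateway. These are documentation-reserved ranges chosen for the example, not real ones.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/24"),   # hypothetical engineering VLAN
    ipaddress.ip_network("192.0.2.0/28"),   # hypothetical vendor jump-host range
]

# Constructed inventory of known engineering workstations (hostname -> owning team).
KNOWN_DEVICES = {"eng-ws-01": "operations", "eng-ws-02": "operations"}

# Hypothetical gateway log format used for the example.
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)"
)

# Constructed sample log lines from the hypothetical gateway.
SAMPLE_LOG = """\
gw01 remote-access src=10.20.0.15 host=eng-ws-01 user=alice result=success
gw01 remote-access src=198.51.100.9 host=eng-ws-01 user=alice result=success
gw01 remote-access src=10.20.0.40 host=laptop-xyz user=bob result=success
gw01 remote-access src=192.0.2.200 host=eng-ws-02 user=carol result=success
gw01 remote-access src=not-an-ip host=eng-ws-02 user=carol result=failure
"""


@dataclass
class Finding:
    """One remote-access event that violates the allowlist or the device inventory."""
    line: str
    reason: str


def source_allowed(src: str) -> bool:
    """True if the source address falls inside any allowlisted management network."""
    addr = ipaddress.ip_address(src)  # raises ValueError for malformed input
    return any(addr in net for net in ALLOWED_NETWORKS)


def check_line(line: str):
    """Return a Finding for a non-compliant event, or None if the event is acceptable."""
    m = LOG_RE.search(line)
    if not m:
        return Finding(line, "unparseable event")
    try:
        if not source_allowed(m["src"]):
            return Finding(line, f"source {m['src']} not in allowlist")
    except ValueError:
        # A source field that is not an IP address is itself worth a finding:
        # it usually means the log format changed or the field was tampered with.
        return Finding(line, f"invalid source address {m['src']!r}")
    if m["host"] not in KNOWN_DEVICES:
        return Finding(line, f"device {m['host']} not in inventory")
    return None


def audit(log_text: str):
    """Run every line of a gateway log through check_line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = check_line(line)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```

Run against the constructed log, the script reports the two connections from outside the allowlisted ranges, the one from a workstation that is not in the inventory, and the malformed source field, while the first line passes. The check is deliberately fail-closed: an address that cannot be parsed is reported rather than silently accepted, and the allowlist is the only thing that grants access, so a new vendor range has to be added to it explicitly rather than discovered from traffic.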
To take control of their cyber security risks and protect their IT infrastructure, utilities firms should implement strict governance procedures, introduce a best-practice cyber risk management programme, apply strict compliance procedures to ensure alignment with data privacy laws, and implement robust business continuity plans.
The latest GRC technology solutions can formalise these procedures. The software allows firms to manage all aspects of IT risk and compliance in one centralised platform and offers the following capabilities:
Risk Management – Teams can create a cyber risk register to capture digital risks, create customised online risk assessment forms, and set controls and perform control testing.
Compliance – Organisations can create a compliance obligations library to manage data privacy and cyber-related regulatory requirements. They can implement strict governance procedures and policy management workflows, manage regulatory change, and access out-of-the-box frameworks to align processes with data privacy requirements like GDPR, ISO 27001 and the NIS directive.
Third-Party Risk Management – Firms can create an online vendor library, making it easier to manage and track vendor relationships and understand the risks they pose. They can roll out vendor risk assessments, streamline the vendor benchmarking process, and implement automated monitoring of key metrics like SLAs, KPIs, and industry benchmark standards.
Asset Management – Online asset management registers enable teams to track the age and usage of hardware, software licences, and physical assets, ensuring all equipment and licences are up to date and fit for the job. Teams get a comprehensive view of out-of-date equipment and licences, simplifying budget planning.
Policy Management – All IT policies and procedures can be managed consistently and stored in a central online repository with workflows to flag expiry dates and automate signoffs, approval processes, and attestations.
Strategic Planning – Teams can create an IT strategy and break top-line goals down into smaller tasks, projects and actions that can be allocated across the organisation for completion. As tasks are fulfilled, progress is recorded, making it easy to see how the strategy is progressing at all levels of the business.
Audits – Firms in the utilities sector are subject to a wide variety of audits, inspections, and checks. Using GRC software, organisations can schedule and manage cyber audits and formalise the results and required actions, providing a complete history of all audits, their findings and outstanding actions.
BCM and Operational Resilience – Software can support the creation of BCM plans, business impact assessments, and business process modelling, making it easy to understand the impact of an incident in terms of cost, downtime, and staff hours lost. BCM plans can also be triggered based on incidents logged.
Utilities Firms Must Act Now to Secure Their IT Infrastructure
The recent warnings from Moody’s and the escalating cyber threats to utility companies highlight the urgency of prioritising cybersecurity. As the sector faces the need for massive cybersecurity investments, safeguarding critical infrastructure is paramount.
At Camms, we understand the importance of managing cyber risks effectively and ensuring data privacy compliance. Our expertise in IT Governance, Risk, and Compliance (GRC) enables us to offer tailored solutions to address the specific challenges faced by the water and utilities sectors.
By collaborating with Camms, utilities companies can stay ahead of emerging threats and ensure the security of their critical infrastructure. We can support those in the utilities sector to manage and mitigate cyber risk while ensuring compliance with data privacy regulations. Reach out to us for a demo today.