Critical cyber security factors in the UK water industry

UK water companies are realising that one of the biggest threats they face today are state-controlled cyber-attacks designed to shut down key national infrastructure.

The vulnerability of water supply and treatment has been highlighted in a number of recent attacks in the US, including an attempt to poison drinking water by hijacking a water treatment control system in Florida and a similar attack on a treatment plant in San Francisco. Every day, UK water companies are being targeted; are their defences ready?

UK water companies now have to work out how to leverage the UK Government’s recent National Cyber Security Strategy 2022 to detect, disrupt and deter cyber adversaries. In our experience, it will be critical to take a whole business view on how best to balance strong defences with the ability to harness the latest digital innovations and connected technologies.

Two elements will be fundamental to cyber security success:

1. Realising that cyber has no boundaries

Effective cyber security runs through every aspect of the business, and it is there to facilitate and drive business change and improvement by enabling confidence and trust. It is not a silo staffed by experts who want to hold back innovation, and it should not be considered after the fact, because retrofitting is risky, more expensive and time consuming.

Organisations need to realise increasing interconnectivity of assets and systems makes embedding cyber security ever more important. Every touch point must be included in cyber security plans, from pipe infrastructure and software-based treatment systems to mobile devices and large servers, and from physical OT equipment to cloud enabled IT and IOT integration. 

This can involve driving a shift in attitude, so that the whole organisation sees cyber security as a means to empower business. Leading organisations see cyber security and innovation as intwined factors. Developing one alongside the other means water companies will be able to boldly exploit a surge in data, artificial intelligence and machine learning, confident that the service is secured.

It is also a whole life activity, with a focus on understanding and managing risk, protecting the business and operating with confidence - as reflected in the objectives laid down in the National Cyber Security Centre’s Cyber Assessment Framework. In an ever more agile world, this cycle is continuous and frequent with ongoing measurement, feedback and response.

 2. Building strong, effective relationships

On the surface, robust cyber security for water companies depends upon forging partnerships that bring in expertise in protecting critical national infrastructure. However, we believe organisations should be looking for more from their partners. The right partner will share the water company’s ethos, will understand the critical nature of the business, and will focus on delivering budgetary value rather than technology for technology’s sake.

Cyber security programmes introduced in partnership are more likely to have longevity, pushing continuity throughout the business. A good partnership drives a longer-term viewpoint, and this builds trust that the partner is invested in building the future success of the water company with ‘skin in the game’. This approach allows us to do our best work.