Whilst environmental performance, leakage reduction and asset health continue to dominate regulatory focus in the UK water sector, a new dimension of resilience is rising in importance. This one is not built on pipes or pumps, says Mark Edgeworth, Hicomply, but on the digital systems now fundamental to how water is produced, treated and delivered.
The Cyber Assessment Framework (CAF) is emerging as the quiet but critical pillar helping water companies make sense of their evolving risk landscape and strengthening operational resilience at a time when the sector’s digital dependencies are evolving.
A sector modernising faster than traditional controls can keep up
Digital water has opened the door to enormous opportunity. Smarter networks, cloud-based monitoring, IoT sensors, advanced control systems and data-driven optimisation are transforming how water quality is assured and how networks are managed.
But this progress comes with increasing complexity. Systems that were once isolated are now connected across large geographical areas and intricate supply chains. Operational technology and IT are becoming deeply intertwined.
This convergence is forcing water companies to rethink what resilience actually means. Operational resilience is no longer just about engineering strength and physical assets. It’s about understanding how digital processes support those assets and where the weak points sit. CAF is giving water companies a structured way to identify those weak points and address them before they turn into problems.
A clearer picture of risk and why water companies are paying attention
Clarity around risk is becoming essential. Recent studies show that water and electricity utilities across the UK and US have faced a notable rise in cyberattacks over the last year, and the Drinking Water Inspectorate has recorded multiple cybersecurity-related incident reports in the same period. These numbers underline something the sector increasingly understands: digital risk is now operational risk.
For many water companies, the real challenge hasn’t been a lack of controls, but the difficulty of seeing the full picture. CAF brings structure to that challenge. Its four core objectives (risk management, protection, detection and minimisation) provide a practical framework to assess how well an organisation understands its digital estate, how effectively it is protected, and how prepared it would be to recover if something did go wrong.
Early adopters are finding that CAF is helping them uncover issues that were previously hidden in the complexity of ageing OT systems, fragmented operational responsibilities and supply chains that hold more access than expected. In many cases, incident response plans exist but haven’t been tested against real-world operational conditions, or digital control ownership looks clear on paper but becomes less so at the intersection of engineering, IT and vendor responsibilities.
These are not failings. They are the realities facing a sector undergoing rapid digital evolution. CAF is simply providing the clarity needed to address them.
Moving from reactive to proactive resilience
For organisations operating in critical national infrastructure, the move from reactive compliance to proactive resilience is one of the most significant shifts. CAF is a catalyst for this change. It gives boards, CISOs, engineering leads and operational teams a shared vocabulary for understanding digital risk and making informed decisions about investment and prioritisation.
This clarity is particularly valuable at a time when cybersecurity investment across the sector has been under pressure. A recent submission to regulators highlighted concerns that cyber budgets may not be keeping pace with digital adoption. CAF is helping companies demonstrate precisely why certain digital resilience measures cannot be deprioritised without affecting service continuity, not because cybersecurity is a regulatory expectation, but because it is now inseparable from operational performance.
A strategic advantage for those who act early
Some water companies are already using CAF insights to shape their long-term planning, improve board-level reporting on resilience and refine supplier assurance processes. Others are integrating CAF into broader asset strategies, recognising that digital and physical resilience are now two sides of the same coin. The organisations moving early are finding that CAF is reducing complexity by focusing attention on what matters most.
The growing momentum across the sector is creating a subtle but important shift. Water companies talk to each other. Regulators watch the sector as a whole. And suppliers increasingly expect clients to demonstrate a minimum level of digital maturity. As more organisations embed CAF into their operational frameworks, the question is no longer “should we do this?” but “how quickly can we get there?”
A pillar of future performance
Water companies face a future where digital systems will continue to expand, data flows will multiply and interdependencies will deepen. In that context, CAF offers something uniquely valuable: a clear, structured and industry-aligned way to strengthen operational resilience from the inside out.
It does not replace engineering excellence or environmental stewardship. Instead, it reinforces them by strengthening the digital backbone underpinning the sector’s infrastructure.
Water companies that see CAF as an operational advantage, not an administrative requirement, will be the ones leading the sector as digital resilience becomes as fundamental as the water quality itself.
