Our water infrastructure is open to attack – here’s how to establish cyber resilience

The cyber fundamentals for UK water are quite simple, says David Bean, Business Development Group Manager, Mitsubishi Electric Automation Systems Division.

Infrastructure is deemed critical when disruption has severe consequences for public safety, economic stability and national security.

Whilst there is no official ranking against this definition, few would argue with water sitting top of the category.

A safe and reliable service is vitally needed to enable society to function and is essential for sustaining life.

And yet our water infrastructure is now having to fend off a growing number of intrusions from hackers and malicious actors.

According to a probe by the ‘Drinking Water Inspectorate’, five serious cyber attacks were launched against Britain’s suppliers over 2024/2025 – a record in any two-year period since records began.[1]

Shifting sands

Whilst no attack impacted the safety of the drinking water itself, these attempts demonstrate the industry’s increasing exposure to digital threats. It’s not unfeasible to imagine a more sophisticated or determined effort spilling over into the OT realm, where genuine harm can be done.

This unthinkable scenario provides the rationale for the NIS regulations. These compel the sector to implement both technical and organisational measures to manage network risks and minimise the impact of service disruptions.

Those working in the UK must also contend with the ‘Cyber Security and Resilience Bill’, which is currently making its way through parliament. Reaching further than NIS requirements, this bill has created a regulatory landscape with much sharper teeth and greater accountability than before.

Beyond this, any organisation involved with the delivery of drinking water should now be implementing intrusion detection software within their OT networks to flag the activity of unauthorised users. It’s expected this requirement will eventually extend to wastewater facilities once the current AMP period ends in 2030.[2]

It’s a complex, shifting picture with some aspects of compliance open to interpretation. And this situation is only made harder by the age, range and condition of assets found across different sites. Getting on a better footing will be challenging for those without the right technical knowledge and experience. But, as with any complex exercise, it’s often best to return to first principles.

Resilient by design

For all the noise around cyber, the fundamentals for UK water are quite simple.

1. Auditing

The first step is a full and structured audit of the IT and OT network, because you cannot protect what you don’t know you own or operate.

For most water companies, years of incremental change will mean a patchwork of legacy control systems, bolt‑on telemetry and cloud‑hosted applications that haven’t been mapped end‑to‑end.

Understanding where the vulnerabilities are in this environment is about asking the right questions:

What assets does the site have – sites, systems, networks, endpoints, vendors?

How are these assets connected, and where do data and control signals really flow?

Which assets are critical to safe, reliable drinking water services?

This is not just a paperwork exercise. A clear inventory and network map becomes the reference point for risk assessments, architecture changes and incident response protocol.

2. Measuring

The next step is to gauge the site’s cyber-maturity against a clear framework, so a credible action plan can be developed. Good plans will do three things:

Set target outcomes in plain language (e.g. ‘no single compromise can take out disinfection at multiple works’).

Identify the gaps that matter most to service continuity, safety and compliance, not just the easiest fixes.

Sequence actions over time, aligned with existing investment cycles, AMP programmes and operational constraints.

The output should look less like a one‑off ‘cyber project’ and more like a rolling change programme that links risk, spend and service outcomes in a way boards, regulators and engineers can all live with.

3. Deploying

It’s only at this point that technology really enters the frame.

For most water companies, the first wave of interventions will be about access, segregation and visibility. That means replacing shared engineer logins with named accounts, enforcing multi‑factor authentication on remote access into SCADA and telemetry, and locking down third‑party access so vendors can only reach the specific assets they support, for the time they need.
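As an added illustration (not code from the article or from any vendor), these access rules can be checked against remote-access session records. The log format, the account names, the `vendor.` prefix and the grant table are all assumptions constructed for this example.

```python
from datetime import datetime

SHARED_LOGINS = {"engineer", "admin", "operator"}  # assumed generic account names
# Constructed vendor grants: account -> (assets it supports, window start, window end)
VENDOR_GRANTS = {"vendor.acme.jsmith": (
    {"dosing-plc"}, datetime(2025, 3, 4, 9, 0), datetime(2025, 3, 4, 17, 0))}
# Constructed log lines in an assumed format: <timestamp> <user> mfa=<yes|no> target=<asset>
LOG_LINES = [
    "2025-03-04T10:15:00 a.patel mfa=yes target=scada-server",
    "2025-03-04T10:20:00 engineer mfa=yes target=scada-server",
    "2025-03-04T11:00:00 b.jones mfa=no target=telemetry-rtu",
    "2025-03-04T12:30:00 vendor.acme.jsmith mfa=yes target=dosing-plc",
    "2025-03-04T12:45:00 vendor.acme.jsmith mfa=yes target=scada-server",
    "2025-03-04T22:10:00 vendor.acme.jsmith mfa=yes target=dosing-plc",
    "truncated entry",
]

def parse(line):
    """Return (when, user, mfa_used, target), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[2].startswith("mfa=") or not parts[3].startswith("target="):
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return when, parts[1], parts[2] == "mfa=yes", parts[3][len("target="):]

def audit(lines):
    """Return (line number, finding) pairs for sessions that break the access rules."""
    findings = []
    for number, line in enumerate(lines, 1):
        record = parse(line)
        if record is None:
            findings.append((number, "unparseable"))  # never drop bad log lines silently
            continue
        when, user, mfa_used, target = record
        if user in SHARED_LOGINS:
            findings.append((number, "shared-login"))
        if not mfa_used:
            findings.append((number, "no-mfa"))
        if user.startswith("vendor."):  # assumed naming convention for third-party accounts
            assets, start, end = VENDOR_GRANTS.get(user, (set(), datetime.max, datetime.min))
            if target not in assets:
                findings.append((number, "vendor-out-of-scope"))
            if not start <= when <= end:
                findings.append((number, "vendor-outside-window"))
    return findings
```

Calling `audit(LOG_LINES)` flags the shared login, the session without MFA, the vendor session against an asset outside its grant, the vendor session after its window closed, and the malformed line.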

Then it’s about creating proper separation between corporate and plant networks with controlled ‘choke points’ and monitoring in between. Centralised logging and alerting that covers both IT and OT gives you a fighting chance of spotting suspicious activity on a plant network, rather than waiting for the next ops call.
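The inventory and network map from the audit step can be used to test whether this separation actually holds. The following added example (not from the article) takes a constructed inventory and a constructed set of observed flows, lists assets that appear in traffic but not in the inventory, and finds routes from corporate assets to critical ones that avoid the choke point; the asset names and zone labels are assumptions.

```python
from collections import deque

# Constructed inventory: asset -> (zone, critical to drinking water service?)
INVENTORY = {
    "corp-laptop": ("corporate", False),
    "historian": ("dmz", False),
    "ot-firewall": ("chokepoint", False),
    "scada-server": ("plant", True),
    "telemetry-rtu": ("plant", False),
    "dosing-plc": ("plant", True),
}
# Constructed observed flows (source, destination), as a traffic survey might record them
FLOWS = [
    ("corp-laptop", "historian"),
    ("historian", "ot-firewall"),
    ("ot-firewall", "scada-server"),
    ("scada-server", "dosing-plc"),
    ("corp-laptop", "telemetry-rtu"),  # bolt-on telemetry link that skips the firewall
    ("telemetry-rtu", "dosing-plc"),
    ("vendor-modem", "dosing-plc"),    # on the wire but missing from the inventory
]

def unknown_assets(inventory, flows):
    """Assets seen in traffic that the inventory does not list."""
    return sorted({asset for flow in flows for asset in flow} - set(inventory))

def bypass_paths(inventory, flows, start_zone="corporate"):
    """Paths from start_zone assets to critical assets that avoid every choke point."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    found = []
    for start in sorted(a for a, (zone, _) in inventory.items() if zone == start_zone):
        queue, visited = deque([[start]]), {start}
        while queue:  # breadth-first search, so each asset is reached by a shortest path
            path = queue.popleft()
            for nxt in graph.get(path[-1], []):
                zone, critical = inventory.get(nxt, ("unknown", False))
                if nxt in visited or zone == "chokepoint":
                    continue  # traffic through the choke point is the controlled route
                visited.add(nxt)
                if critical:
                    found.append(path + [nxt])
                queue.append(path + [nxt])
    return found

if __name__ == "__main__":
    print(unknown_assets(INVENTORY, FLOWS), bypass_paths(INVENTORY, FLOWS))
```

On the sample data the SCADA server is only reachable through the firewall, while the dosing PLC is also reachable over the telemetry link, which is the kind of unmapped route the audit is meant to surface.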

Around these interventions will be targeted training for operators and maintenance teams and tested back-ups in the event of an intrusion. Ultimately, these solutions are not ‘install and forget’ but are instead anchored to the way water services actually run each day. This is the only approach that recognises the evolving nature of cyber threats.

References

[1] https://therecord.media/britain-water-supply-cybersecurity-incident-reports-dwi-nis

[2] https://www.cvwaterconsultancy.co.uk/post/what-is-amp8-how-the-uk-water-industry-is-transforming-from-2025-to-2030
