By Doug McGeachie, Director of Enterprise Sales, Fortinet
From the introduction of the Eighth Asset Management Period (AMP8) and the Directive on Security of Network and Information Systems (NIS2), to the National Cyber Security Centre’s Cyber Assessment Framework, the regulatory landscape for the water industry is continuing to evolve. Doug McGeachie, Director of Enterprise Sales, Fortinet, investigates.
Organisations must comply with these regulations (those who don’t risk ramifications further down the line) and, at the same time, look to implement emerging technologies – including AI and the Internet of Things (IoT) – to drive efficiencies at scale. So, how can water companies best comply with regulatory requirements, improve their cybersecurity posture and embrace innovative technology in the months ahead?
Regulations are changing
In January 2023, the European Union adopted the NIS2 Directive to enhance cybersecurity across member states. The directive applies to several industries, including water, and requires companies to implement comprehensive cybersecurity risk measures and incident reporting, as well as information sharing to improve their ability to detect and respond to cybersecurity threats.
Mirroring the requirements of NIS2 is the upcoming Cybersecurity and Resilience Bill, which the UK government is expected to introduce this year. Securing the UK’s critical national infrastructure is a key priority within the Bill, which sets out to protect these services by expanding NIS2’s initial remit to safeguard wider supply chains.
Further to NIS2 and the Cybersecurity and Resilience Bill, companies operating in the water sector must also submit their plans to the Water Regulatory Services Authority (Ofwat) for AMP8, which began last April. Alongside investing in infrastructure and creating robust supply chains, AMP8 requires water companies to implement technology designed to improve operational efficiency and service delivery.
The question is, though, how do these regulations really impact cybersecurity for water organisations?
Prioritising cybersecurity
Leaders in the water industry are increasingly scrutinised against regulatory requirements and so are continually reviewing and improving their cybersecurity defences. This has initiated a change in mentality whereby security is no longer an add-on but is built in from the core, as part of a wider emphasis on security by design. Failure to do this can lead not only to reputational damage but also to significant legal ramifications, with NIS2 setting out a series of penalties for non-compliance. Ensuring your company is compliant is therefore crucial to its continued operation.
The water sector also continues to be a prime target for cyber attacks. Its role in supporting critical national infrastructure and the impact an attack would have – not only widespread disruption to services but devastating consequences for citizens and political fallout – put it at substantial risk. The adoption and interconnection of new and existing technologies, especially IoT and OT, mean the industry is becoming increasingly interconnected and vulnerable. In fact, Fortinet’s 2024 State of Operational Technology and Cybersecurity Report shows that attacks on wider critical infrastructure are continuing to surge. So how can we ensure the water sector remains compliant while securing operations from threats?
Seeing this in practice
The first step is making sure basic cybersecurity measures are in place. This should be underpinned by a platform approach of interconnected technologies which work in tandem as part of a wider ecosystem. It’s also important to recognise that, while built in a similar way, no two platforms are the same: each is unique to the organisation it belongs to.
Some of the areas I would consider standard for any platform include, firstly, multi-factor authentication (MFA), which reduces the risk of unauthorised access and adds an extra layer of security. Secondly, managed detection and response (MDR) provides 24/7 network monitoring and allows IT teams to proactively detect, identify and neutralise cybersecurity threats before they escalate and impact the wider network. These technologies must, however, be implemented within a wider incident response (IR) plan. This should define clear processes for identifying, mitigating and recovering from an attack, helping to minimise the financial, reputational and regulatory impacts of an incident in both the short and long term.
Protecting data is also critical. With water companies responsible for a vast amount of sensitive information, encrypting data at rest and in transit means that, even if a cybercriminal gains access to the stored or transmitted data, they cannot read or exploit it without the keys. It is important to underpin this with continuous vulnerability monitoring to help IT teams identify gaps in the network before they are exploited.
As a ‘human firewall’, employees also play a crucial role in cybersecurity protection. However, this is only achieved when they are educated about the importance of securing networks. Introducing and maintaining a programme of regular cybersecurity training, which teaches employees how to spot the key signs of an attack, adds another layer of defence on top of the above steps. Water companies must also consider the potential vulnerabilities posed by third parties. Any supplier, partner or contractor must have their cybersecurity posture reviewed and continually evaluated. This can be done by adopting a Zero Trust framework and using tooling such as endpoint detection and response (EDR) to prevent attacks targeting one organisation from spreading to the wider supply chain.
With the regulatory and cybersecurity landscapes continuing to evolve, the utilities sector stands at a crossroads. Yet, by following the above steps, companies operating in the sector can remain compliant and protected, staying one step ahead of the threat landscape.