The water sector must step up the fight against malicious cyberattacks and ‘hacktivists’, says Daniel dos Santos, Vice President of Research at Forescout.
Recent reports have revealed that Britain’s drinking water suppliers have faced a new wave of cyber incidents, with hackers launching five cyberattacks against water organisations since the beginning of last year.
The attacks, partially disclosed under freedom of information laws and recorded by the Drinking Water Inspectorate (DWI), did not compromise the safe supply of drinking water itself.
However, they did affect the companies responsible for treatment and distribution, reinforcing what British intelligence has consistently warned: malicious cyber actors are increasingly focusing on the UK’s critical infrastructure.
Between 1 January 2024 and 20 October 2025, the DWI received 15 incident reports under the NIS Regulations, the legal framework governing the security of essential services.
That five of these were direct cyberattacks on water suppliers is the highest figure recorded in any two-year period. Although the public was spared disruption to drinking water, the attackers’ intent was clear: the systems, operations, and digital assets underpinning water services are highly attractive targets.
The Growing List of Water-Sector Cyber Incidents
Water utilities across the world, not just in the UK, have been under sustained cyber pressure. A notable British example was the ransomware attack on South Staffordshire Water in 2022.
The Cl0p group claimed to have gained access to both IT and OT systems, dangerously close to being able to alter water treatment operations. As with the incidents above, water quality was not compromised, but the attack marked a turning point in awareness.
Since then, global ransomware groups such as Medusa, BlackByte, DragonForce, BlackBasta, Akira, Hunters International, Qilin, and Royal have repeatedly targeted water utilities. One of the most prolific claimed attacks was by the Medusa group in September 2024 against the Starr-Iva Water & Sewer District in South Carolina, disrupting business systems and resulting in stolen data.
The United States remains the most heavily impacted nation, with at least seven attacks against the water sector in 18 months alone. Many resulted in encrypted files and data leaks, disrupting operations, billing, and customer communications.
Hacktivism has also surged. Several groups have exploited exposed OT devices worldwide, especially those using Israeli-made Unitronics PLCs.
Recently, the Cyber Army of Russia Reborn (CARR) targeted water storage tanks in Texas, causing them to overflow, and another group tampered with water pressure at a Canadian water facility, resulting in degraded service. These attacks demonstrate how even a basic intrusion can translate into dangerous real-world consequences.
Trapping the Cybercriminals
Recently, we observed a pro-Russian hacktivist group claiming an attack on a ‘honeypot’ set up by the Forescout research team to simulate a water treatment facility.
That attack was a good example of how these threats unfold: the attackers logged in using default credentials, defaced the system, and tampered with variables displayed on a human-machine interface.
In a real system, that kind of attack could have disrupted the supply of clean water. We expect these kinds of events to become even more common in the future, as more groups align themselves with geopolitical events.
The implications are not only for the water sector, but for the wider landscape of critical infrastructure, including energy and transportation. To meet these rising risks, organisations must prioritise visibility of their critical assets and improve their detection capabilities for threats targeting operational technology (OT).
Why Water Utilities Are Vulnerable
Water utilities remain prime targets, often because security investment and accountability have lagged behind other sectors. Research across water environments continues to show that threat actors are actively probing for weaknesses, reinforcing that proactive defence is essential.
Water companies typically operate a complex blend of IT and operational technology; in many organisations, these environments remain poorly segmented.
That lack of separation allows attackers to move laterally across networks if even a single device is breached. Our research shows that typical water utilities comprise around 69% traditional IT equipment and 31% unmanaged devices: 19% IoT or OT assets and 12% network equipment.
With so many unmanaged or internet-exposed devices in play, it becomes far easier for malicious actors to exploit weaknesses through stolen credentials, default passwords, phishing emails or exposed remote desktop services.
To build resilience, water utilities must adopt a layered approach to prevention and detection across the common stages of a cyberattack. Reducing initial access opportunities begins with restricting remote access tools like RDP to trusted networks and enforcing authentication with unique passwords and multifactor authentication.
If an attacker gains a foothold, limiting persistence requires close monitoring of account activity, least-privilege permissions, and scrutiny of scheduled tasks.
Network segmentation and restricted access to administrative tools can prevent attackers from discovering or moving across systems, while strict separation between IT and OT environments reduces the impact of a compromise. Finally, organisations should implement file integrity monitoring and watch for unusual network traffic that may indicate data exfiltration.
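The honeypot intrusion described earlier (default credentials, then tampering with HMI values) and the layered controls listed above both come down to the same detection questions: who logged in, from where, with what account, and what changed afterwards. The following is an added example, not code from the article or from Forescout, showing those checks as simple detection logic run over constructed log lines, plus a minimal file integrity baseline. The trusted network ranges, the list of default account names, the key=value log format and the sample events are all assumptions made for the example.

```python
"""Added example (not from the article or Forescout): detection logic for the
controls described above, run over constructed key=value log lines."""
import hashlib
import ipaddress

# Assumptions (constructed for this example): the utility's trusted management
# networks, and well-known default account names that should never be used for
# interactive logins on HMIs or remote-access hosts.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]
DEFAULT_ACCOUNTS = {"admin", "operator", "guest", "root"}

# Constructed sample log lines; 203.0.113.0/24 is documentation address space.
SAMPLE_LOGS = [
    "2025-10-01T08:01:12Z svc=rdp action=login user=jsmith src=10.10.4.22 mfa=yes result=success",
    "2025-10-01T08:05:40Z svc=rdp action=login user=admin src=203.0.113.45 mfa=no result=success",
    "2025-10-01T08:06:01Z svc=hmi action=login user=operator src=203.0.113.45 mfa=no result=success",
    "2025-10-01T08:07:33Z svc=host action=schtask_create user=admin src=10.10.4.22 task=updater",
    "2025-10-01T08:10:00Z svc=rdp action=login user=jsmith src=10.10.4.22 mfa=yes result=failure",
]


def parse_line(line):
    """Split 'ts key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def findings_for(event):
    """Return a list of (severity, reason) findings for one parsed event."""
    out = []
    src = ipaddress.ip_address(event.get("src", "0.0.0.0"))
    trusted = any(src in net for net in TRUSTED_NETWORKS)
    login_ok = event.get("action") == "login" and event.get("result") == "success"

    # Initial access: remote and HMI logins should only come from trusted
    # networks, and RDP should always be protected by MFA.
    if login_ok and event.get("svc") in ("rdp", "hmi") and not trusted:
        out.append(("high", f"{event['svc']} login from untrusted network {src}"))
    if login_ok and event.get("svc") == "rdp" and event.get("mfa") != "yes":
        out.append(("high", "RDP login without MFA"))

    # Default or shared accounts: any successful use deserves a look.
    if login_ok and event.get("user") in DEFAULT_ACCOUNTS:
        out.append(("medium", f"default account '{event['user']}' used"))

    # Persistence: scheduled task creation is a classic foothold-keeping step.
    if event.get("action") == "schtask_create":
        out.append(("medium", f"scheduled task '{event.get('task')}' created by {event.get('user')}"))
    return out


def analyse(lines):
    """Run all checks over raw log lines; returns [(ts, severity, reason), ...]."""
    results = []
    for line in lines:
        event = parse_line(line)
        for severity, reason in findings_for(event):
            results.append((event["ts"], severity, reason))
    return results


# --- File integrity monitoring (hashes of configuration files) --------------
def baseline(files):
    """files: {path: bytes}. Returns {path: sha256 hex} as the trusted baseline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_diff(base, current_files):
    """Compare current file contents against a baseline; returns lists of
    'modified', 'added' and 'removed' paths."""
    now = baseline(current_files)
    return {
        "modified": sorted(p for p in base if p in now and now[p] != base[p]),
        "added": sorted(p for p in now if p not in base),
        "removed": sorted(p for p in base if p not in now),
    }


if __name__ == "__main__":
    for ts, sev, reason in analyse(SAMPLE_LOGS):
        print(f"{ts} [{sev}] {reason}")
    # Constructed config file contents, before and after a change.
    base = baseline({"/opt/hmi/setpoints.cfg": b"chlorine=1.2\n"})
    print(integrity_diff(base, {"/opt/hmi/setpoints.cfg": b"chlorine=9.0\n",
                                "/opt/hmi/extra.dll": b"\x00"}))
```

Run stand-alone, the script flags the two successful logins from the untrusted address (one also missing MFA, both using default account names) and the scheduled task creation, while the trusted MFA login and the failed attempt produce nothing. The integrity check reports the modified setpoint file and the newly appeared file, which is the kind of signal the file integrity monitoring mentioned above is meant to surface.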
Staying Ahead
The message for the UK water sector is clear: vigilance is paramount. A robust cybersecurity posture, combining visibility, segmentation, proactive monitoring, and threat detection, is essential to safeguard public health and national security.
As cyber criminals and state actors continue to target the services that people depend on, the industry has a responsibility to stay ahead of adversaries and protect the public. Though systems may not have been compromised this time, the intent is already visible. The next attempted breach could have far greater consequences if the sector fails to act.