Cyber security – how real is the threat to the UK water industry?

The UK has one of the most advanced water management systems in the world and we have the Victorians to thank for placing us on such a pedestal.

One hundred and fifty years ago our Victorian ancestors undertook a feat of engineering so spectacular that it was the envy of the world. The vast London sewerage system was unprecedented in scope and scale, and became the blueprint for similarly advanced cities across the globe. And their influence wasn’t confined to the capital. The Victorian era water grid stretches the length and breadth of the UK, incorporating dazzling aqueducts and vast reservoirs, the majority of which is still utilised today.

However, as time has gone on our Victorian water management systems have become more and more antiquated, and so our regional water companies have been investing many billions in a sustained decades-long programme of modernisation designed to bring our water infrastructure in line with the needs of the modern world.

Much of this new infrastructure, including purpose built, state-of-the-art treatment works and enormous new subterranean networks (including London’s multi-billion Thames Tideway scheme), are controlled by advanced cyber networks, dedicated to controlling the quality of our water and ensuring that our towns and cities remain above the water line – safe from both flooding and sewage.

This technology represents the latest in ‘Industry 4.0’ tech. Industry 4.0 (or the fourth industrial revolution as it is often known) effectively creates what has been called a ‘smart factory’, or another type of system, for example a water treatment works, which utilises up-to-the-minute technology, including cyber-physical systems, the Internet of things and cloud computing, in order to monitor the physical processes of a factory, or system, and make informed, decentralised decisions.

Within these new smart factories, cyber physical systems (a mechanism controlled or monitored by computer-based algorithms, tightly integrated with the internet) create virtual copies of the physical world, in order to communicate with each other, and humans, via the Internet of Things – a relatively recent advancement in the internet age in which everyday objects like fridges, cars and entire buildings, all have network connectivity, allowing them to send and receive data.

And in terms of the newly developed areas of the water sector, Industry 4.0 technology certainly works and is already in place, particularly in the following areas:

Decentralization – The ability of the treatment works and network systems to control themselves.

Real-time capability – The capability to collect and analyse data and provide the insights immediately.

Virtualization – A virtual copy of the ‘Smart Factory’ — Advanced’ wastewater treatment works have process models that control aspects of the treatment works; and in both advanced distribution and collection systems, they have model-based simulation models.

So far so good. However, with the increased reliance on advanced technology based systems comes the amplified threat to our cyber security. The NHS recently discovered this to their great cost when in May the organisation became the highest-profile victim of a global ransomware attack which paralysed their systems for days. It now faces renewed concern about the ongoing strength of its infrastructure.

And much like our beloved NHS our water networks are integral to life as we know it. So how safe are they?

Well the truth of the matter is that the technology based systems that monitor, control and regulate our water management infrastructure are just as susceptible to attack as any other network, a fact quite clearly recognised by the UK government who earlier this year published a cyber security strategy for the water sector, summarising what water and sewerage companies need to do to reduce the risks of cyber attacks.

 

Published by the Department for Environment, Food and Rural Affairs (DEFRA), the strategy, which focuses on attacks based around computers, computerised systems or networks, is mainly aimed at water and sewerage companies in England.

The report identifies “credible cyber threats to UK Critical National Infrastructure, including the water sector,” which could lead to “serious consequences, particularly as increased automation and connectivity reduces the scope for standalone or manual operation of the water supply system.”

It advises that the UK water sector needs to operate at a greater level of cyber maturity and aims to achieve a vision by 2021 of a “secure, effective, and confident water sector, resilient to an ever-evolving cyber threat.”

But what does this mean in practice?

In essence to realise the vision, the government and water sector will work towards five objectives: understanding threats, managing risks, developing capabilities, managing incidents and strengthening capabilities.

As a snapshot the report identifies a number of key areas in which the sector should focus its attention. One of these is the architectural design/separation of Information Technology (IT) and Operational Technology (OT). The ideal scenario is that IT and OT systems, or networks, should be completely separated to prevent an attack on IT systems spreading into the operational software of a network and impacting on processes that could cause physical damage.

Additionally it recommends policies to manage the risk from third parties, something that is increasingly relevant as company networks are continually accessed by outside parties, such as equipment suppliers and contractors who have a requirement to upload software onto systems and plug their equipment into host networks, thus providing a fertile breeding ground for malware.

And the onus is not just on the water companies. For the water industry supply chain, it’s likely that water companies will have higher expectations that the goods and services they procure will include cyber security as an integral part of their design, raising the prospect of even more convoluted, lengthy and expensive procurement processes.

It’s important to note here that DEFRA is keen to place the accountability for all of this firmly on the shoulders of the private sector, stating: “Water companies must own, understand and manage the risks to their assets, including Critical National Infrastructure. Industry, therefore, has responsibility for the security of their systems. Government will help set the strategic direction and ensure the legal framework supports industry, as well as providing technical advice and where necessary, training.”