News

Water Companies ‘At Risk’ Of Cyber Attacks

Why is water efficiency important - H2O Building Services

 

Cyber attacks are a concern for all businesses, no matter what sector or industry they’re in – and such incidents can have incredibly serious consequences, including financial losses, reputational damage, legal ramifications, intellectual property theft, disruption to operations and increased security costs in the future.

 

No organisation is safe and it’s essential that robust security measures are implemented to reduce the risks of an attack, as well as building resilience into systems and networks so that any potential impact of an attack can be minimised as far as possible.

Concerningly, new research from AI-powered identity security and cyber resilience specialist Semperis shows that critical infrastructure like water and electricity is also at risk, with 62 per cent of such energy providers targeted by cyber criminals in the last 12 months.

 

Some 80 per cent faced multiple attacks, while 54 per cent saw permanent corruption or destruction of data and systems as a result.

 

Interestingly, however, it seems that many cyber attacks appear to be going unnoticed, with breaches potentially taking place without companies even realising, as 38 per cent of utility operators say they believe they haven’t been targeted as yet… which cyber security experts consider to be an alarmingly high statistic.

 

This latest study indicates that customers in both the US and the UK have been relatively fortunate and escaped the worst impacts of cyber attacks. Potential public impacts of suddenly being without clean water, heat or electricity, even for short periods of time, can be significant.

 

Chris Inglis, Semperis strategic adviser and US national cyber director, commented on the findings, saying: “Many public utilities likely don’t realise that China has infiltrated their infrastructure.

 

“Chinese-sponsored threat actors like Volt Typhoon are known to prefer Living off the Land attacks, which are difficult to detect and can remain dormant, planting backdoors, gathering information, or waiting to strike for months or even years.”

 

“The systems that supply our power grids and our clean drinking water are the underpinning of everything we do,” he continued. “And yet we go about our business, confident that somebody else is going to handle it. Someone else isn’t going to handle it. We need to harden our systems and extract criminal elements – now.”

 

The report found that almost 60 per cent of all attacks were conducted by nation state groups, with identity systems like Entra ID, Okta and Active Directory compromised in 81 per cent of incidents.

 

Semperis CEO Mickey Bresman made further comments, saying that attackers will continue to target businesses if resilience isn’t improved – but utility firms now have a chance to tackle this challenge. Assuming that breaches are inevitable, tabletop exercises can be carried out so that attack scenarios can be practised and response procedures fully tested out.

 

High profile water firm cyber attacks

Various high-profile cyber attacks targeting water companies have come to light over the years.

 

In 2024, for example, Southern Water announced that a data breach had exposed both personal and operational data, with hackers targeting its IT systems to gain unauthorised access to the personal details of both customers and employees.

 

Meanwhile, over in the US, American Water – the biggest publicly traded water and wastewater utility company in the country – faced down a cyber attack that forced it to disconnect its key systems, including the customer billing platform and portal.

 

And back in 2022, South Staffordshire PLC – parent company of South Staffs Water and Cambridge Water – came under attack, with the corporate IT network disrupted by the Clop ransomware gang, a group that has consistently targeted high profile organisations, including pharma providers, energy conglomerates, educational establishments and even the cyber security sector itself.

 

And in November of that year, information obtained by Recorded Future News revealed that a record number of cyber incidents affected the UK’s critical drinking water supplies without being publicly disclosed, with at least six such cases affecting potable water infrastructure.

 

Incidents such as these are, naturally, hugely concerning, making it clear just how vulnerable critical infrastructure is. Without water, life simply grinds to a halt relatively quickly.

 

As such, it may now be time to consider:

 

How can businesses become more water resilient?

While there isn’t much you can do about hackers targeting utility providers, you can reduce your reliance on mains water supplies so that if the taps do run dry as a result of an attack, you have systems in place to mitigate the effects.

 

There are various water efficiency measures you can implement, everything from rainwater harvesting and water recycling to water leak detection and repair.

 

If you’d like to find out more about how to identify the most appropriate water-saving solutions for your business, get in touch with the H2o Building Services team today.

Share: