People of Bournemouth, is Your Drinking Water Secure?


Blog by Bournemouth 2600
Cybersecurity poses a significant and escalating concern for water companies as they increasingly incorporate advanced technologies into their operations. The adoption of data-logging equipment, digital smart meters, and the integration of various systems to enhance efficiency exposes the attack surface of these companies to potential cyber threats. While certain components of water treatment facility systems are traditionally segregated from the broader corporate IT infrastructure, there is a growing trend toward closer integration, often driven by the pursuit of operational efficiency.

A critical issue then arises whereby cybersecurity vulnerabilities in these integrated systems are exploited by threat actors. If an adversary can gain access to the operational technology (OT) systems used in the water treatment process, there is a substantial risk of disrupting the normal functioning of drinking water and wastewater treatment facilities. Such disruptions can have severe consequences for public health, environmental safety, and overall societal well-being.

Southern Water attacked by BlackBasta

On 22 January 2024, Southern Water confirmed it was attacked by the BlackBasta ransomware gang and appeared on their data leak site (see below). Southern Water is a private UK utility company responsible for collecting and treating wastewater in Hampshire, the Isle of Wight, West Sussex, East Sussex and Kent, and for providing public water supply to approximately half of this area.


BlackBasta claims to have stolen 750 GB of sensitive data, including users’ personal documents and corporate documents. BlackBasta also published some screenshots as proof of the attack, including passports, ID cards, and personal information of some employees.

Southern Water shared that its launched an investigation, working with the government, and is aware of BlackBasta’s claims and that a limited amount of data has been published. Southern Water stated that they believe customer data and their financial systems were not exposed to the ransomware gang. Southern Water also said their services were not impacted. 

Veolia Water attacked by ransomware

On 19 January 2024, the North American subsidiary of Veolia Water also reported it had experienced a ransomware incident, which “affected some software applications and systems.” Veolia also shared that some customers experienced delays in paying bills online due to the targeted back-end systems and servers being temporarily taken offline.

South Staffs Water and Cambridge Water attacked by CL0P

On 15 August 2022, South Staffordshire PLC, is the UK parent company of South Staffs Water and Cambridge Water, which is responsible for supplying drinking water to 1.6m consumers daily was the target of a cybercriminal extortion attack. It did not impact its ability to supply safe water. But did affect its corporate IT network. Interestingly, the CL0P ransomware gang mistakenly announced Thames Water as their victim instead of South Staffordshire via their Tor data leak site, alleging to have accessed their industrial control system (ICS) equipment (see below) that could manipulate water management controls to cause harm to 15 million customers.


It’s currently unclear if South Staffordshire paid the ransom or recovered without doing so. The last thing we heard was that the company is working closely with the relevant government and regulatory authorities and has put additional security measures in place. Credit rating agency Moody’s agency said that South Staffordshire Water costs related to the hack, including potential civil claims, could reach £10m.

Bournemouth 2600 quizzed South West Water over their cybersecurity

At the South West Water Customer Annual General Meeting on Friday, 13 October, 2023 at the Hilton Hotel, Bournemouth 2600 asked them: “Following the cybersecurity incident at South Staffs Water by a Russian cybercrime group in August 2022, what investments has Bournemouth Water taken to prevent such cyberattacks?”

The response we received from South West Water:

  • "In response to your question: I’d like to assure you that the [South West Water] Group has a strong information security framework and ensures that robust measures are in place, aligned to guidance issued by the National Cyber Security Centre (NCSC). This ensures we keep up with the fast changing cyber risk landscape.
  • We regularly run internal and external testing and maintain formal ISO27001 certification and security strategies reflect the fact that we operate two discrete technology environments: corporate (IT) and operational (OT), each with specific information security threats and requirements.
[We] have a risk based strategy that utilises a combination of:

  • ISO27001, the Information Security standard: South West Water have been certified to this standard since November 2009.
  • The UK NCSC's Best Practice Guides.
  • South West Water is obliged to comply with the Security of Network and Information Systems (NIS) Directive.
  • We are assessed annually by our NIS regulator; DWI; on our compliance.
  • As part of the [SSW] Group IT department, we maintain a dedicated information security function reporting to the Digital and IT Director with key team members that are certified Information Security Professionals.
  • Cyber Security Awareness continues to be promoted across the [SSW] Group using presentations, email and online computer based training, including specific training for all staff on the General Data Protection Regulation (GDPR).
  • External threat monitoring is achieved through close engagement with industry peers, suppliers and third parties.
  • Independent assurance is provided by engaging with 3rd party cyber security specialists and external auditors to test and validate the security controls.
  • Utilise government bodies including DEFRA, NCSC and CISP (Cyber Security Information Sharing Partnership), a joint industry government initiative to share cyber threat and vulnerability information.
  • Cyber security incidents are captured and reported on. External incidents and threats are regularly reported to the Executive Team.
  • Incident response policies and procedures are in place and clearly defined.
  • SWW maintain dual data centres with critical systems duplicated for resilience. Regular testing of these systems is completed.
  • Governance processes are in place to mitigate risks from 3rd parties and key suppliers; IT procured services assessed against a common set of risk based security criteria to ensure adequate security protocols.

Since last year:

  • We have conducted a 3 day cross company cyberattack exercise testing all aspects of our incident response.
  • We conducted purple team testing where a specialist third party company attempts to breach our defences whilst working closely with the SWW Information Security team who will attempt to detect and defend.
  • We have procured a third party cyber security incident response on a retainer to provide expert support in the event of an incident.
  • Our governance on our Supply Chain has increased by using a third party tool to manage security due diligence.
  • Extending our monitoring to increase visibility of growing technology estate to detect malicious or suspicious activity.
  • Continue to manage software vulnerabilities by updating or removing applications through patching or investment."

Outlook

We appreciate South West Water responding to our concerns and their list of practices was reassuring. Overall, Bournemouth 2600 approves! It seems our drinking water is secure, for now.

However, in December 2023, the UK’s NCSC warned the UK water sector firms to apply best practice security measures amid increasing targeting of water critical national infrastructure (CNI). US cybersecurity officials also published a new incident response guide for the water and wastewater systems sector on 18 January 2024. Also in January 2024, the credit rating agency Moody’s has warned that water companies face an “elevated” risk from cyber attackers targeting drinking water.

Water companies nationally, but also in Bournemouth, need to focus on mitigating the risks associated with the growing digitalization of water infrastructure. Moody’s analysis also showed companies hope to increase spending on security from less than £100m collectively to nearly £700m over the next five years.

As society relies more on interconnected technologies, the need for vigilant cybersecurity practices by water companies becomes increasingly imperative to ensure the resilience and security of essential water treatment processes.