Water sector

Water Sector Under Pressure From Cyber Attacks

Published 17 February 2021

Organisations demonstrate strong appetite for digital transformation but misplaced confidence could be putting them at risk.

92% of organisations in the water sector have detected cyber attacks on their Operational Technology (OT) or Industrial Control Systems (ICS) in the last 12 months, with 96% of these encountering at least one successful attack, according to new research from independent cyber security services company Bridewell.

These findings come despite over two thirds (68%) of water sector organisations saying they are confident that their OT systems are protected from threats, highlighting a degree of misplaced confidence in CNI cyber security in the sector.

The research, which surveyed 250 UK IT decision makers in the aviation, chemical, energy, transport, and water sectors, found that water is the least confident sector when it comes to cyber security. Confidence levels align with the volume of attacks, with water experiencing the highest volume of successful attacks among the sectors, alongside transport.

Ageing Legacy Infrastructure

Organisations are facing increasing risks posed by ageing legacy infrastructure that is becoming increasingly connected. The majority (90%) of water organisations rely on OT systems that are between 6-20 years old, with nearly a quarter (24%) between 11-20 years old. Systems are also increasingly accessible with 84% confirming that their OT / ICS environments are accessible from corporate networks. While nearly half (48%) say systems are not currently accessible from the Internet, of those, 42% plan to make them accessible in the future, potentially widening the attack surface and introducing new threats.

“The report highlights some nuances between how some organisations in the water sector perceive their cyber security posture versus reality” says Scott Nicholson, Co-CEO at Bridewell. “Security vulnerabilities, whilst sometimes challenging to remediate, could have serious implications, not just in terms of substantial monetary fines but also risks to public health and safety. We saw that just recently with the Florida water supply hack, which clearly demonstrates why organisations simply cannot afford to be complacent.”

Covid-19 has also intensified cyber threats with over half (56%) of organisations in the water sector experiencing increased attacks since the pandemic began. Yet over a third (36%) have reduced their cyber security budgets in response. This is putting increasing pressure on IT and security teams with 92% agreeing they have felt an increasing pressure to improve cyber security controls for the OT / ICS environment in the last 12 months.

Security Measures

Encouragingly, all organisations are carrying out some form of security assurance activities. However, only a third (38%) conduct penetration testing and less than half (42%) conduct red, blue or purple team exercises, vital activities that can identify vulnerabilities and reduce the likelihood of attacks.

This could be due to mounting workloads and pressures, with an increase in duties and responsibilities cited as the top challenge facing teams today (cited by 26% of respondents), followed by understanding new technology (24%) and meeting regulation requirements (24%). Lack of skills is also a big concern, with only two thirds believing they have the right skills in place to maintain and secure their OT environment. Furthermore, 90% agree the UK’s CNI industry will be impacted by a critical cyber security skills shortage in the next 3 to 5 years.

Bridewell is a cyber security services company providing global, 24×7 managed detection and responses services and cyber security consultancy.

With extensive experience in delivering large-scale transformational projects in highly regulated environments, Bridewell enables organisations to drive strategic change securely, providing a full breadth of end-to-end cyber security services. Its expert team comprises of a diverse range of highly skilled consultants, supported by industry leading technology, deep technical expertise, accredited methodologies and a client-centric business driven approach.

Bridewell delivers a vast number of services across critical national infrastructure, aviation, financial services, government and oil and gas.  The company hold a number of industry accreditations including NCSC, CREST, ASSURE, IASME Consortium, Cyber Essentials Plus, ISO27001, ISO9001 and are PCI DSS QSA Company.