UK Government sets out water sector cyber security strategy

The Department for Environment, Food and Rural Affairs (Defra) has set out a new strategy to reduce the risks of cyber-attacks in the water industry. The ‘Water Sector Cyber Security’ […]

Register now!

By Priyanka Shrestha

The Department for Environment, Food and Rural Affairs (Defra) has set out a new strategy to reduce the risks of cyber-attacks in the water industry.

The ‘Water Sector Cyber Security’ strategy incorporates contributions from the sector and aims to guide activities across water companies and government.

To realise the vision, the government and water sector will work towards five objectives: understanding threats, managing risks, developing capabilities, managing incidents and strengthening capabilities.

Defra says the scale and complexity of cyber attacks against the UK is growing, with security presenting an enduring challenge for the water sector.

It adds cyber threats should not be viewed in isolation but conflicts “could seek to employ methods as part of a blended attack to enable or reinforce a physical attack or to seek to control industrial plant and control systems at a water plant”.

Recent cyber risk reviews by government experts found “significant opportunities” for the water sector to operate a higher level of cyber security maturity.

The ongoing implementation of automated Industrial Control Systems (ICS) with the increasing interconnection of information systems and remote connections with reliance on third party suppliers has broadened the attack surface of information systems within water companies.

To address the risks, a number of key areas in which the sector should focus on were identified:

  • Information Technology (IT) and Operational Technology (OT) systems or networks should be completely separated to prevent IT systems spreading and impacting processes that could cause physical damage
  • Common cyber security management of IT and OT: The two networks should come under a single set of security policies
  • Using sensors and software to provide information about what is happening within a network or device
  • Awareness campaigns for cyber-attacks should be implemented
  • Putting plans and procedures to implement in the event of a cyber-attack
  • Policies to manage the risk from third parties such as equipment and software suppliers and contractors

Defra states: “Water companies must own, understand and manage the risks to their assets, including Critical National Infrastructure. Industry, therefore, has responsibility for the security of their systems. Government will help set the strategic direction and ensure the legal framework supports industry, as well as providing technical advice and where necessary, training.

“Industry will need to develop a security-conscious culture amongst staff and third party providers and integrate this into their governance structures.”

Defra is also inviting views on its strategic priorities for Ofwat’s regulation of the water sector in England.