Water firms' grasp of cyber threat weak as government looks to fine security laggards

Consultant Black & Veatch has warned that the UK water sector may be underestimating the threat to its security that comes with its growing reliance on technology. The alert comes as the government has consulted on the introduction of stiff penalties as part of its implementation of new rules from Brussels intended to ensure that vital infrastructure has sound cyber security.

In its consultation the Department for Digital, Culture, Media and Sport outlined proposals for a two-tier penalty for water firms and other “essential services” that fail to meet the requirements of the Network and Information Systems (NIS) Directive. It described a top-level fine of up to the greater of €20m or 4% of global turnover “for failure to implement appropriate and proportionate security measures.” It also put forward a lesser penalty of the greater of €10m or 2% of global turnover for offences such as failure to cooperate or to comply with an instruction from a competent authority.

Digital minister Matt Hancock, in his foreword to his department’s consultation, said that given the risk of a high health and economic impact from the loss of an “essential service” such as water, “The government believes that the NIS Directive needs to set a high bar for the maximum level of penalty.”

He said the proposed penalty regime for NIS was “similar to that of the General Data Protection Regulation”. Hancock pointed to recent instances of cyber attacks overseas including a 2016 attack on US water companies as indicators of “a need to improve the security of network and information systems across the UK, with a particular focus on essential services (energy, health, transport, water, and digital infrastructure).”

The government has put forward a national threshold above which the penalties will apply to drinking water suppliers and distributors to households which it said will capture “only the most important operators, rather than the whole sector.” It has proposed that the regime should apply only to sites serving 350,000 or more people.

Meanwhile, according to Black & Veatch’s 2017 Strategic directions – water industry report: “Some consider physical security to be the weak link in ensuring a well-protected water supply; while others worry that the Internet of Things has created an incalculable number of entry points for hackers to create mischief.”

The report’s survey found that 57% of respondents were spending less than $1 million a year on physical security for water treatment plants and large remote facilities, while 59% said their cybersecurity budget was less than $1 million a year. Meanwhile, one third of those polled were spending more than $5m annually on physical and cyber security, and one half had undertaken risk assessments in the past five years.