The credit rating agency Moody’s has warned that water companies face an “elevated” risk from cyber attackers targeting drinking water, as suppliers wait on permission from the industry regulator to ramp up spending on digital security.
Moody’s said, in a report to investors, that hackers are increasingly zeroing in on infrastructure companies, including water and wastewater treatment companies, and the use of AI (artificial intelligence) could accelerate this trend.
Last month, Southern Water, which supplies 4.6 million customers in the south of England, said the Black Basta ransomware group had claimed to have accessed its systems, posting a “limited amount” of data on the dark web. The same group hacked outsourcing firm Capita last year.
Separately, South Staffordshire Water apologised in 2022 after hackers stole customers’ personal data.
Moody’s warned that the growing use of data-logging equipment to monitor water consumption, and the use of digital smart meters, made companies more vulnerable to attacks. It said systems used in water treatment facilities were typically separated from the rest of the companies’ IT – including customer databases – but some systems had been more closely integrated to improve efficiency.
After a hack, companies typically have to employ specialist cybersecurity firms to repair systems, spend on communicating with customers, and face potential penalties from regulators. The UK’s Information Commissioner’s Office can fine firms up to 4% of group turnover, or €20m (£17m), whichever is higher.
Moody’s said that the cost of fixing systems, including resecuring and strengthening existing cyber defences and paying potential fines, will typically result in only a “modest increase” in debt levels if the incident is short-lived.
However, Moody’s cautioned: “The greater risk for the sector, and society, is if malicious actors are able to access operational technology systems to impair drinking water or wastewater treatment facilities.”
The agency said that water suppliers, the government and regulators had acknowledged the need to bolster cyber defences “given the growing sophistication of attacks on critical infrastructure, with state-aligned actors a recent but growing class of cyber adversary”.
There are wider concerns about the digital security of British infrastructure assets, including the £50bn project to build a vast underground nuclear waste store and the Sellafield nuclear site in Cumbria, where the Guardian revealed a string of problems with cybersecurity.
The Moody’s report comes as water companies in England and Wales hope to increase their spending on cyber defences by gaining allowances from Ofwat. The regulator is assessing their plans to raise bills from 2025 to 2030 to cover investments.
Ofwat’s determination, due later this year, comes at a critical juncture for an industry under fire for sewage dumping, poor leakage records and big executive pay packets.
Last October, companies submitted five-year business plans detailing their planned bill increases, needed to fund a record £96bn investment to fix raw sewage leaks, reduce leaks and build reservoirs.
Moody’s analysis showed companies hope to increase spending on security from less than £100m collectively to nearly £700m over the next five years. The increased scrutiny of the sector, and the hack at Southern Water, may strengthen its case, the credit agency said.
The agency said that South Staffordshire Water’s costs related to the hack, including potential civil claims, could reach £10m.
Moody’s warnings over the potential impact on water companies’ debts come amid wider concerns over leverage in the water sector, with up to 28% of bill payments used to service debts in areas of England.
Last week, the industry body, Water UK, said that average annual bills will go up by 6% from April, outstripping the current rate of inflation.