How is the UK Water Sector responding to the release of the NCSC annual report?

Gordon Robinson, Shernal brookhouse.

Gordon is the chair of our IT/OT, Cyber Security and Resilience working group. 


The National Cyber Security Centre (NCSC) has recently issued a stark warning about a persistent and significant threat to the critical infrastructure of the United Kingdom. This raises concerns about the potential impacts on various sectors, with the water industry finding itself at the forefront of these challenges. As we explore the aftermath of recent cyber attacks and delve into the response strategies, it becomes imperative to understand the implications for the future of the water industry.


The water companies’ unpreparedness for cyber attacks stems from a lack of understanding of their Operational Technology (OT) computer networks and endpoints. Additionally, they find themselves under-resourced in OT and struggle to comply with the requirements set by the Cyber Assessment Framework regulated by the Drinking Water Inspectorate (DWI). The tight timeline for compliance with the Enhanced Cyber Assessment Framework Plus (CAF+) adds another layer of complexity to the situation.

Lessons Learned

Fortunately, lessons have been learned, albeit later than desired. The introduction of the NIS directive in 2018 spurred a realization of the need for enhanced cybersecurity measures in the water sector. While this work should ideally have happened in Amp 7, the acknowledgment of the current threat landscape is paving the way for necessary changes.

What is Changing?

The water industry is now making significant investments in new technical jobs, some of which are contracted out. A notable example is Scottish Water’s recent tender for a cybersecurity provider issued on January 12, 2023. The selected provider will play a crucial role in fortifying the operational security of Scottish Water’s infrastructure. The collaboration aims to deliver security improvement projects, optimize costs, and introduce innovative technologies to address the convergence of Information Technology (IT) and OT security.

Delays, unfortunately, remain a persistent challenge, with every negative headline leading to setbacks in implementation. The urgency to tackle Nation State-sponsored cyber attacks is clear, emphasizing the need for swift action.

New High-Paid Technology Jobs and Wage Inflation

The demand for cybersecurity professionals in the water sector is evident, with examples like the Anglian Water Operational Technology Services Framework, valued at £82 million over an 8-year duration. There is currently an estimated shortfall of 11,200 people to meet the demand for the cyber workforce, leading to wage inflation and retraining programs. The shortage is significant, considering the current average salary for a software developer is £40,228, according to Glassdoor.

A Shift in Roles and the Rollout of AI

As technological advancements continue, existing roles may become redundant, necessitating a shift in the workforce. The rollout of Artificial Intelligence (AI) is a noteworthy example, as water utilities explore ways to optimize services. Anglian Water’s exploration of advanced software systems within its OT and IT architecture reflects the industry’s commitment to enhancing operational efficiency and risk management.

Demand for Supply Chain Standards

The adoption of OT technology in the water sector also brings forth the need for supply chains to meet relevant standards. Ensuring the quality of data and data protection becomes paramount, with adherence to ISO 27001 series standards across all internal departments and the supply chain.


The evolving landscape of cybersecurity in the UK’s water sector presents both challenges and opportunities. While the industry grapples with immediate threats, there is a concerted effort to fortify defenses, invest in skilled professionals, and embrace technological advancements. The journey towards a secure and resilient water infrastructure is underway, emphasizing the importance of collaboration, innovation, and adaptability in the face of cyber threats.