The security breaches that recently disrupted UK retailers and Spanish power grids serve as a stark reminder of mounting cyber threats facing both private and public sectors. While these attacks have caused logistical chaos and financial losses, they pale in comparison to the potential impact of a coordinated cyber attack on critical public infrastructure, like the water sector. Several high-profile hacks of water utilities have taken place in the US and Europe in recent years, which cyber security experts warn underscores the vulnerability of the sector to sophisticated cyber attacks.
According to Tobias Nitzsche, Global Cyber Security Practice Lead at ABB, the existence of legacy systems – defined as outdated or obsolete hardware and software – is a potential Achilles Heel. “Like any other distributed control system (DCS) environment, you will find a lot of legacy systems so in that respect the water industry is no different to any other,” says Nitzsche. “But what we’re seeing in the water sector is that smaller companies are most vulnerable. They have less dedicated resources for specific tasks, especially when it comes to cyber security, which often means that one person or one department must cover a lot of ground.”
Nitzsche warns that legacy systems are more exposed to cyber attacks because they often lack modern security features, are not regularly updated, and may have vulnerabilities that are well-known to attackers.
“This is a significant factor contributing to the increase in cyber attacks on the water sector,” he said. “We are also hearing from utility firms that they are struggling to bridge the gap between old and new systems, making them vulnerable to attack.
“Our approach, and how we support organisations we work with, is to take a proactive view of cyber security, ensuring systems are in good health and resilient against attack. Through our ABB Ability™ Cyber Security Workplace solution, we enable a shift from multiple siloed security tools to one simplified platform. This means that individuals and teams are empowered to take charge of their own security programs. There are foundational actions they can take, from conducting risk assessments to incident response planning and on to training employees to be aware of the dangers.”
He also believes that it is imperative to integrate cyber security during the design phase of system integrations, especially within existing infrastructure. A failure to do so can leave organisations vulnerable to hackers seeking to exploit unsecure systems.
Technical debt
The accumulation of outdated systems badly in need of modernising is known as technical debt, and major sectors, such as water infrastructure, are particularly prone. Some utilities are still using operational technology (OT) systems that date back to the 1990s and have long been declared obsolete. However, the oldest OT systems are not necessarily the problem.
“The big risk is systems that are not so old – so perhaps 15 to 20 years old where you might find equipment such as old Windows computers or outdated Linux computers, Unix systems that are already interconnected,” says Nitzsche. “These pose the highest risk in my opinion, not the very old OT environment that isn’t connected.”
While the scale – and cost – of overhauling OT systems might seem daunting, the water sector, which relies heavily on OT systems, is under growing pressure to act. In the EU, the NIS2 directive places significant importance on the protection of critical infrastructure, including dams, and requires water utilities to implement risk management processes specifically for their OT systems, to ensure they are adequately protected against cyber threats. In the US, the Environmental Protection Agency released updated cyber security guidance earlier this year highlighting that using unsecured human machine interface (HMI) devices is a common cyber security vulnerability at water systems.
“One of the biggest threat vectors for OT systems beside removable media and mobile devices is the company’s own enterprise information technology environment,” said Nitzsche. “This is where nearly all the ransomware cases we know started and spread into operational environments.”
According to Nitzsche, the water industry is moving to meet such threats head on amid growing awareness of the need for robust cyber security measures. Rather than a burden, these directives should be viewed positively as they present an opportunity to evaluate and, if necessary, improve an organisation’s digital health.
“Incident detection and reporting obligations will drive implementations of solutions like ABB Ability™ Cyber Security Event Monitoring because you cannot report in time if you cannot detect OT incidents. Our solutions provide the relevant elements for well-tuned monitoring. We do this by supplying pertinent event information from all layers of the OT system provided, context-aware detection rules and incident response playbooks that work within the operational constraints of an OT environment, and where available, allowing for integration into an existing enterprise monitoring system. It leverages ABB’s global network of industrial cyber security experts to monitor, detect and respond to threats in real-time.
“However, more investment in training, technology and collaboration is needed to enhance preparedness for cyber incidents,” Nitzsche says.
In the coming years, water utilities will need to invest in cyber security measures to ensure that they remain resilient. According to IBM’s Cost of a Data Breach report 2024, the global average cost of a data breach in 2024 was $4.88 million. That is a 10% increase over 2023 and the highest total ever.
And with the average cost saving for organisations that used security AI and automation extensively in prevention versus those that didn’t being $2.22 million, the investment in cyber security should be a clear choice, says Nitzsche.