The Government has set out a cyber security strategy for the water sector summarising what water and sewerage companies need to do to reduce the risks of cyber attacks.
Published by the Department for Environment, Food and Rural Affairs, the strategy, which focuses on attacks based around computers, computerised systems or networks, is mainly aimed at water and sewerage companies in England.
The strategy paper says:
“There are credible cyber threats to UK Critical National Infrastructure, including the water sector. These could lead to serious consequences, particularly as increased automation and connectivity reduces the scope for standalone or manual operation of the water supply system.”
Recent cyber risk reviews by government cyber experts identified significant opportunities for the water sector to operate at a higher level of cyber security maturity.
The water-specific strategy is part of a government-wide response to the cyber threat, which complements the National Cyber Security Strategy (2016). The strategic vision and objectives have incorporated significant contributions from the sector and aim to guide activities across the sector, including water companies and government.
To realise the vision for 2021 of a secure, effective, and confident water sector, resilient to an ever-evolving cyber threat, the government and the water sector will work towards a number of key objectives:
1. Understand threats: Build on joint work to develop a shared understanding of the cyber threats facing the water sector as they evolve.
2. Manage risks: Develop and implement approaches to manage risks and address cyber security vulnerabilities in the water sector, now and in the future.
3. Manage incidents: Respond effectively, with industry, to any serious cyber incidents, including those that compromise critical water infrastructure.
4. Develop capabilities: Government and sector enhance the cyber skills and capabilities of the water sector to meet future needs.
Water companies “must own, understand and manage the risks to their assets”
The strategy paper says the water companies “must own, understand and manage the risks to their assets, including Critical National Infrastructure.”
The paper describes cyber security as presenting "an enduring challenge for the water sector" and says that vulnerabilities are easily transferred between organisations. The strategy has therefore adopted a broad definition of the water sector, which encompasses water companies, their supply chains and representative organisations.
It suggests that “capable adversaries” could also seek to employ cyber methods as part of a ‘blended attack’ to enable or reinforce a physical attack, or to seek to control industrial plant and control systems at a water plant.
“Over time, exploitation of cyber vulnerabilities in the UK’s water sector, either to access and remove sensitive information or support more complex attacks, will become more likely as will the potential for greater resultant impact,” the paper says.
It also points out that the ongoing implementation of automated Industrial Control Systems (ICS), with the increasing interconnection of information systems and remote connections with reliance on third party suppliers and integrators, has broadened the attack surface of information systems within water companies.
To address the risks, the cyber risk reviews identified a number of key areas in which the sector should focus its cyber security activities.
Commenting on architectural design/separation of Information Technology (IT) and Operational Technology (OT), the paper says that ideally IT and OT systems or networks should be completely separated to prevent infections in IT systems spreading and impacting processes that could cause physical damage.
It also flags up the cyber risk from third parties, with company networks increasingly accessed by third parties such as equipment suppliers, software suppliers and contractors who require the ability to upload software onto systems, make alterations and plug their equipment into the host network.
The paper says policies need to be in place to manage this risk, for instance by restricting the number of people with external access to a network and ensuring that devices plugged into the host network are not carrying malware.
The strategy is one of a number produced by the government following the National Cyber Security Strategy (2016). Defra has secured funding from the National Cyber Security Programme to deliver further support and increase capability within the sector.
Click here to download Water Sector Cyber Security Strategy 2017-2021

