The Water Industry (Suppliers’ Information) Direction 2017 which came into force on 1 April 2017, has included an obligation for the first time for the water companies to report on cyber attacks.

The new Information Direction has been issued by the Drinking Water Inspectorate (DWI) to all water companies in England and Wales setting out their obligations to provide detailed data in electronic format on a wide range of operational parameters.

The Direction also requires them to report “any significant occurrence, apprehended or otherwise of where the company has identified interference with electronic systems caused by external interference (‘cyber attack’) that has or could impact quality or sufficiency of water.”

The requirement is included in a list of information the water companies must provide for events, incidents, emergencies etc. under a range of circumstances. They are also required to report on any other matter that in the opinion of the supplier, is of significance and has attracted or, in the opinion of the supplier, is likely to attract local or national publicity.

In the event of a cyber attack, the DWI expects some answers in three days.The notification must be given as soon as possible after the event or matter has come to the supplier’s attention, by telephone; and confirmed in writing (by electronic mail) no later than 3 working days after compliance.

The Direction says the notification must also include:

• a description of the geographical area affected by the event and the site reference of any assets impacted by the event
• an assessment of its effect or likely effect on the quality or sufficiency of water supplied by the supplier;
• an estimate of the population affected and whether particularly sensitive water users such as hospitals, schools, or food manufacturers are affected;
• any information available about the cause or likely cause of the event or matter;
• particulars of the action taken or proposed to be taken to inform and protect customers and to rectify the situation, and an estimate of when supplies are likely to be back to normal;
• a list of any persons (other than customers of the supplier) notified of the event or matter, and a copy of any notice issued to customers and to the press about the event or matter

Depending on the category of the event, within 20 working days of the date of the notification the water companies are also required to submit an assessment of the effectiveness of the action taken in respect of the event or matter, together with a statement of any lessons learned and of any proposals, if any, for further action that the water supplier considers necessary or desirable in the light of the event or matter.

DWI assumes water companies’ capability to detect a cyber attack and to readily understand it how happened

Commenting in the Waterbriefing LinkedIn AMP6 Discussion Group, Sheridan Morris, Principal Consultant with PA Consulting Group, who specialises in cyber security and risk management of OT systems and organisational data assets, said:

“DWI makes two key assumptions in setting this Direction: firstly that water companies have the capability to detect that such a cyber attack has occurred, and secondly that companies have the capability to readily understand how such an attack took place.”

“It can take weeks of specialist investigation to understand a compromise within organisations such as banks and defence organisations who maintain a high level of network and system security monitoring and an incident response capability.”

Deployment of cyber security measures in operational water infrastructure is “less common”

According to Morris, although a degree of such cyber security measures exist within water company corporate IT networks, their deployment in operational water infrastructure is less common.

The supporting, but critical, presence of maintained cyber incident response plans and trained staff are also less frequent for this side of the business.

“This is reflected in the fact that cyber security across the water sector was assessed as low-to-medium by Defra in 2016. Hence the identification of cyber incident response planning as one of six cyber security areas of focus for the sector in the recent release of Defra’s first Water Sector Cyber Security Strategy.” Morris said.

Water companies need to ask key questions

The cyber security expert said the water companies need to ask themselves the following questions promptly.

• Does their risk register contain a scenario that encompasses a successful cyber attack upon systems that could impact supply and/or quality?
• What are their confidence levels that they could identify such a cyber attack?
• What is the depth of their defensive security and what might it detect?
• What technical measures do they currently have in place that would enable a forensic investigation into the chain of events over the preceding month, or preceding three months?
• Do they know what these technical measures look like?
• What policy, process and people capabilities do they have in place to respond quickly and effectively once a problem is identified?

Other data the DWI also requires the water companies to provide in electronic format includes:

For each abstraction point– its designation, its type of source water such as surface, ground or mixed, the national grid reference of its location and an estimate of the average total daily volume (in cubic metres) of water that it supplies; the designation of each water treatment works that it serves.

For each water treatment works– its designation and the national grid reference of its location; the designation of each supply point (if applicable), service reservoir and water supply zone that it serves.

For each service reservoir– its designation, the national grid reference of its location and its capacity; the designation of each water supply zone that it serves.

For each supply point– its designation, the national grid reference of its location and an estimate of the average daily volume (in cubic metres) of water that it supplies;

For each water supply zone – its designation; an estimate of the number of people living within it; where a water supply zone receives a supply of water from another water supplier, for each such supply, details of the upstream water treatment works from where the water originates; and details of all other upstream assets associated with the original supply.

Provision of information for mapping

The water companies are also required to provide the drinking water quality regulator in electronic format with the following data to allow maps to be produced to an appropriate scale:

• the location of each abstraction point, water treatment works, supply point and service reservoir;
• the boundaries of each water supply zone;
• each abstraction point, treatment works, supply points, service reservoir and water supply zone must also be allocated a unique name and number.

The Direction has also been updated to make changes necessary due to the commencement of competition with respect to non-household supplies and to update requests for data to reflect needs of the Inspectorate.

Click here to download the  Water Industry (Suppliers’ Information) Direction 2017