In an Expert Focus article for WaterBriefing, Doug McGeachie, Director of Enterprise Sales at Fortinet, takes an in-depth look at strengthening cybersecurity in the utilities sector.

Doug McGeachie: From the introduction of the Eighth Asset Management Period (AMP8) to deeper alignment with the Network and Information Systems Directive (NIS2), the UK&I regulatory landscape for the utilities industry is continuing to evolve.
So why is this important? Ultimately, it means companies will need to adapt their operations in line with these regulations or risk falling short of compliance and suffering the business consequences that follow. All this while leaders are having to contend with the adoption and integration of new and existing technologies, including Artificial Intelligence (AI), the Internet of Things (IoT) and Operational Technology (OT), as they look to drive efficiencies and innovation across their networks at scale.
So what can utilities companies do to strengthen their cybersecurity posture in line with these regulatory requirements, protect their networks now and in the future, and at the same time embrace AI adoption while protecting their ever-expanding footprint of IT, IoT and OT?
The current landscape

In January 2023, the European Union's NIS2 Directive (Directive (EU) 2022/2555) entered into force, with member states required to transpose it into national law by October 2024. It aims to raise and harmonise cybersecurity across member states and applies to a range of sectors, including utilities. The directive requires in-scope organisations to implement comprehensive cybersecurity risk-management measures, mandates incident reporting and provides for information sharing, all to strengthen their ability to prevent, detect and respond to cybersecurity threats.
The UK government is expected to introduce the Cyber Security and Resilience Bill, which aims to bring the UK's existing NIS regime into line with the requirements set out in NIS2 for companies operating in the UK. With securing the UK's critical national infrastructure, and utilities in particular, such a priority, the Bill aims to protect these public services by mandating incident reporting and extending the regime's remit to cover wider supply chains.
Companies operating in the water sector specifically have now also had to submit their plans to Ofwat, the Water Services Regulation Authority, for AMP8, the price-control period that runs from 2025 to 2030. Alongside investing in infrastructure, reducing their carbon footprint and creating robust supply chains, this requires water companies to implement technology designed to improve operational efficiency and service delivery. This could include anything from smart monitoring systems to data analytics that drive informed decision-making.
But what does this mean for cybersecurity?
Cybersecurity must be a priority

Leaders in the utilities industry are being scrutinised ever more closely against these regulatory requirements and, as a result, are reviewing and strengthening their cybersecurity defences. This is a positive change of direction, driven by stronger and more granular regulation, which in turn forces a change in mentality: cybersecurity can no longer be an add-on but must be built in from the core to support transformation, with an inherent focus on being secure by design, that is, built with security in mind rather than as an afterthought. Failure to do so could lead not only to reputational damage but to substantial penalties and legal ramifications. NIS2, for example, sets out a series of enforcement measures for non-compliance, including security audits and administrative fines. Ensuring compliance with these regulations across the utilities industry is therefore crucial to future operation.
What's more, the utilities sector continues to be a prime target for cyber attacks. Its role in supporting critical national infrastructure and the impact an attack would have, not only widespread disruption to services but devastating consequences for citizens and political fallout, put it at huge risk. The adoption and connection of new and existing technologies, especially IoT and OT, also mean the industry is becoming increasingly interconnected and therefore more exposed to attack. In fact, Fortinet's 2024 State of Operational Technology and Cybersecurity Report shows that attacks on the wider critical infrastructure are continuing to surge.
Putting this into practice
So how can we ensure the utilities sector remains compliant with these regulations, and secures its operations from growing cybersecurity threats?
The first step is making sure basic cybersecurity measures are in place, underpinned by a platform approach of interconnected technologies, harmonised as part of a total ecosystem and working together to provide strength and depth across the whole organisation. The important thing to recognise, though, is that platforms, much like railway station platforms, are all different. There is a common theme running through them and they are built in a similar way, but each is specific to its location, in this case each utility organisation.
Some of the areas I would consider standard for any platform include multi-factor authentication (MFA), which reduces the risk of unauthorised access by requiring a second factor beyond the password. Secondly, managed detection and response (MDR), which combines advanced analytics, AI-driven threat intelligence and human expertise to provide 24/7 network monitoring, allows IT teams to detect, identify and neutralise cybersecurity threats before they escalate and affect the wider network. These technologies must sit within a wider Incident Response (IR) plan. This should define clear processes for identifying, containing, mitigating and recovering from an attack, including how the incident-reporting obligations under NIS2 and the forthcoming UK regime will be met, helping to minimise the financial, reputational and regulatory impacts of an incident.
Protecting data also remains a critical factor because of the vast amount of sensitive information utility companies are responsible for. Encrypting data both at rest and in transit means that even if an attacker obtains a copy of it, for example from a stolen backup or an intercepted connection, they cannot read it without the keys; this protection only holds if the keys are managed and stored separately from the data they encrypt. Underpin this with continuous vulnerability monitoring and tracking, which will help IT teams identify and address gaps in the network before they are exploited.
People remain one of the most common routes into a network, so employees play a crucial role in cybersecurity protection. As a 'human firewall', they provide an important extra layer of defence, but only when they are properly educated about the importance of securing networks. Introducing and maintaining a programme of regular cybersecurity training, which teaches employees to spot the key signs of an attack such as phishing, adds another layer of defence on top of the above steps and is an imperative for any utility.
The final area of consideration is that leaders must assess the potential vulnerabilities posed by third parties. Any supplier, partner or contractor must have its cybersecurity posture reviewed. Continually evaluating supplier risk within a Zero Trust framework, and using tooling such as endpoint detection and response (EDR), reduces the chance of an attack on one organisation spreading through the wider supply chain. Introducing supply chain passports, which require vendors or partner firms to meet a specific set of cybersecurity standards before joining a network, can also help.
With regulations changing, technologies evolving and cybersecurity threats increasing, the utilities sector stands at a crossroads. By implementing basic cybersecurity measures, assessing supply chain security and introducing employee training, companies can remain compliant with current and future legislation and protected against the future threat landscape – ultimately staying one step ahead.