Thames Water: Thames Water’s IT ‘falling apart’ and is hit by cyber-attacks, sources claim

Thames Water’s Aging IT Infrastructure Exposes Critical Cybersecurity Risks

Thames Water, the UK’s largest water and waste treatment provider, is grappling with severe vulnerabilities in its IT infrastructure, leaving it exposed to cyber threats. Serving 16 million customers across London and the Thames Valley, the company relies on outdated systems, some dating back to the 1980s, including obsolete Lotus Notes software and 30-year-old hardware. Employees describe a fragile network held together by makeshift repairs, with some machines unable to be powered down for fear they won’t restart.

The risks are acute. Sources reveal that state-linked cyber groups from Russia, China, Iran, and North Korea have targeted Thames Water, with some attacks partially succeeding in disrupting operations. The National Cyber Security Centre (NCSC), part of GCHQ, has warned of heightened threats to the UK’s water sector, particularly from actors sympathetic to Russia’s invasion of Ukraine. Despite these warnings, Thames Water has denied experiencing any cyberattacks, though insiders report an inability to conduct essential security protocols like "dark testing" due to system instability.

Physical security gaps compound the digital risks. Contractors without clearance have reportedly accessed areas housing sensitive IT equipment, raising concerns about unauthorized hardware tampering. While Thames Water insists all sites have "stringent security measures," the Drinking Water Inspectorate (DWI) has already issued an enforcement notice over physical security lapses at one facility this year.

Regulators are under pressure to address the issue. Ofwat, the economic regulator, is reviewing Thames Water’s £20.7 billion investment plan for 2025–2030, which includes funding for asset upgrades. The DWI, responsible for drinking water safety, has emphasized its role in investigating risks to water supply but operates with limited staff. Meanwhile, Thames Water acknowledges an "asset deficit" but maintains that its water quality remains among the world’s highest.

The situation underscores broader concerns about underinvestment in critical national infrastructure, where aging systems and cyber threats intersect, leaving essential services vulnerable to disruption.

Source: https://www.theguardian.com/business/2024/nov/18/thames-waters-it-falling-apart-and-is-hit-by-cyber-attacks-sources-claim

Thames Water cybersecurity rating report: https://www.rankiteo.com/company/thames-water

"id": "THA1774745423",
"linkid": "thames-water",
"type": "Vulnerability",
"date": "11/2024",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'customers_affected': '16 million',
                        'industry': 'Utilities',
                        'location': 'UK (London and Thames Valley)',
                        'name': 'Thames Water',
                        'size': 'Serves 16 million customers',
                        'type': 'Water and waste treatment provider'}],
 'description': 'Thames Water, the UK’s largest water and waste treatment '
                'provider, is grappling with severe vulnerabilities in its IT '
                'infrastructure, leaving it exposed to cyber threats. The '
                'company relies on outdated systems, including obsolete Lotus '
                'Notes software and 30-year-old hardware, with employees '
                'describing a fragile network held together by makeshift '
                'repairs. State-linked cyber groups from Russia, China, Iran, '
                'and North Korea have targeted Thames Water, with some attacks '
                'partially succeeding in disrupting operations. Physical '
                'security gaps and regulatory scrutiny further exacerbate the '
                'risks.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'security vulnerabilities',
            'operational_impact': 'Partial disruptions to operations, '
                                  'inability to conduct essential security '
                                  'protocols',
            'systems_affected': 'Water and waste treatment operations, IT '
                                'infrastructure'},
 'investigation_status': 'Ongoing regulatory scrutiny; partial disruptions '
                         'reported but not confirmed by the company',
 'lessons_learned': 'Aging IT infrastructure and underinvestment in critical '
                    'national infrastructure pose significant cybersecurity '
                    'risks. Physical and digital security gaps must be '
                    'addressed to prevent disruptions to essential services.',
 'motivation': 'Cyber espionage, potential disruption of critical national '
               'infrastructure',
 'post_incident_analysis': {'corrective_actions': 'Proposed £20.7 billion '
                                                  'investment plan for asset '
                                                  'upgrades (2025–2030); '
                                                  'regulatory enforcement '
                                                  'actions',
                            'root_causes': 'Aging IT infrastructure, lack of '
                                           'investment in cybersecurity, '
                                           'physical security lapses'},
 'recommendations': 'Upgrade outdated IT systems, implement robust '
                    'cybersecurity protocols, enhance physical security '
                    'measures, and allocate sufficient funding for asset '
                    'upgrades and monitoring.',
 'references': [{'source': 'The Guardian'}],
 'regulatory_compliance': {'legal_actions': 'Enforcement notice issued by the '
                                            'Drinking Water Inspectorate (DWI) '
                                            'over physical security lapses',
                           'regulatory_notifications': 'Ofwat reviewing £20.7 '
                                                       'billion investment '
                                                       'plan; DWI '
                                                       'investigating risks to '
                                                       'water supply'},
 'response': {'communication_strategy': 'Denied experiencing any cyberattacks '
                                        'despite insider reports'},
 'stakeholder_advisories': 'National Cyber Security Centre (NCSC) has warned '
                           'of heightened threats to the UK’s water sector.',
 'threat_actor': ['State-linked cyber groups from Russia',
                  'China',
                  'Iran',
                  'North Korea'],
 'title': 'Thames Water’s Aging IT Infrastructure Exposes Critical '
          'Cybersecurity Risks',
 'type': 'Infrastructure Vulnerability',
 'vulnerability_exploited': 'Outdated IT infrastructure, obsolete software '
                            '(Lotus Notes), aging hardware'}