Since the start of last year, Britain's drinking water suppliers have been targeted by hackers in five recorded cyberattacks. These incidents were reported to the Drinking Water Inspectorate (DWI) and partially revealed to Recorded Future News via freedom of information requests. While none of these attacks compromised the actual supply of safe drinking water, they did impact the organizations managing the water systems. This uptick in cyber activity, the highest in any two-year period, underscores warnings from British intelligence about the growing threat posed by malicious cyber actors to the nation's critical infrastructure.
Between January 2024 and October 2025, the DWI received 15 reports from water suppliers under the Network and Information Systems (NIS) Regulations, part of the legal framework overseeing water security in the UK. Five of these reports concerned cybersecurity incidents related to systems outside the strict NIS scope, while the remaining cases were operational issues not linked to cyberattacks. Under the current NIS rules, only cyber incidents causing direct disruption to essential services must be reported. This means that if suppliers were compromised in the manner of the Volt Typhoon pre-positioning campaign, they wouldn't be legally required to disclose it. The DWI clarified that the five cybersecurity reports were voluntarily shared because they posed potential risks to water supply resilience.
Officials in the UK expect to amend these reporting requirements through the upcoming Cyber Security and Resilience Bill, which aims to strengthen cyber defenses and improve transparency. A government spokesperson emphasized that the bill, set to be introduced to Parliament later this year, is designed to protect vital public services from increasingly sophisticated and relentless cyber threats.
Cybersecurity experts see the voluntary reporting as a positive sign. Don Smith, vice president of threat research at Sophos, pointed out that critical infrastructure providers face daily attacks from criminal groups, so incidents are inevitable despite compliance efforts. Sharing reports beyond what regulations require helps all operators better understand both common and advanced cyber threats, fostering a culture of information exchange that broadens overall awareness.
Though ransomware attacks against IT systems of water companies have occurred, such as at South Staffs Water in the UK and Aigües de Mataró in Spain, disruptions to actual water supply remain rare. One notable exception happened in December 2023 when a pro-Iranian hacking group caused several days without water in a remote part of Ireland by targeting operational technology (OT) equipment. The US government had issued warnings about vulnerabilities in Unitronics programmable logic controllers (PLCs), widely used in water sector infrastructure, which are a key concern for defenders of critical infrastructure.
Efforts to boost water system security in the US have faced setbacks, notably when water industry groups worked with Republican lawmakers to block federal initiatives despite rising ransomware and state-sponsored attacks. Meanwhile, Canadian authorities recently reported hacktivists manipulating water pressure at a local utility amid a series of industrial control system intrusions.
In the UK, the National Cyber Security Centre advises water providers to keep their IT and OT systems properly segmented to limit the impact of cyber intrusions. The agency also published a Cyber Assessment Framework in August to help organizations enhance resilience. Smith advises prioritizing defenses against everyday, commodity cyber threats rather than focusing excessively on rare, exotic attacks. He warns that the bigger risk might come from ransomware knocking out critical infrastructure simply because basics weren’t properly secured, rather than from highly sophisticated adversaries.