Cyber risk to the UK's water network, NCSC warns
The cyber security agency is advising water companies to take action following an attack on a facility in the US


The UK's National Cyber Security Centre (NCSC) has warned of the active exploitation of Unitronics programmable logic controllers (PLCs), used extensively across the water sector.
The statement follows a similar alert from the US Cybersecurity & Infrastructure Security Agency (CISA) earlier this week, with the NCSC recommending that organizations should follow its guidance.
"The NCSC has warned for some time of the enduring threat to the UK’s critical national infrastructure," says Jonathon Ellison, NCSC director for national resilience and future technology.
"Our US counterparts, CISA, have issued an advisory outlining a threat against the water sector. We are notifying UK providers of this threat, and recommend they protect consumers by following the mitigation advice set out by CISA."
Water and waste water facilities use PLCs to control and monitor various processes, including turning on and off pumps to fill tanks and reservoirs, flow pacing chemicals to meet regulations, gathering compliance data for monthly regulation reports, and announcing critical alarms to operations.
While the NCSC says that the exploitation is of ‘limited sophistication’ and is highly unlikely to cause any disruption to water supplies, there is a potential risk to some small suppliers.
The CISA advisory follows an attack on an unidentified US water facility, in which the attackers appear to have accessed the affected device — a Unitronics Vision Series PLC with a Human Machine Interface (HMI) — by exploiting poor password security and exposure to the internet.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
The facility, says CISA, immediately took the system offline and switched to manual operations, meaning that there was no known risk to the drinking water or water supply.
But to prevent other attacks, it says, users should change all default passwords on PLCs and HMIs, require multifactor authentication for all remote access, including from the IT network and external networks, and disconnect the PLC from the open internet.
RELATED RESOURCE
Want a better CASB and stronger DLP? Starts with the right foundation.
They should also back up the logic and configurations on any Unitronics PLCs to enable fast recovery, where possible utilize a TCP port other than the default TCP 20256 port and update PLC/HMI to the latest version.
The alert follows a recent NCSC report that warned that the UK’s critical sectors, including the water industry, are facing an 'enduring and significant’ threat.
"The last year has seen a significant evolution in the cyber threat to the UK – not least because of Russia’s ongoing invasion of Ukraine but also from the availability and capability of emerging tech," says NCSC CEO Lindy Cameron.
"Beyond the present challenges, we are very aware of the threats on the horizon, including rapid advancements in tech and the growing market for cyber capabilities."
In summer last year, South Staffs Water fell victim to hackers who were able to access the names and addresses of account holders, along with the sort codes and account numbers used for direct debit payments. Shortly after, a ransomware group claimed it was possible to tamper with water supplies.
And in the US, there have been a number of attacks, including the breach of a water authority near Pittsburgh which affected the water pressure in nearby towns. The attack is believed to have been carried out by hacktivists aligned with the government of Iran.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
European financial firms are battling a huge rise in third-party breaches
News Growing vendor dependency has contributed to a marked rise in third-party breaches
-
‘We’ve got some fabulous conditions’: Salesforce UK chief exec Zahra Bahrololoumi touts the country's tech industry potential
News The UK remains a “priority market” for Salesforce, according to its regional CEO
-
‘States don’t do hacking for fun’: NCSC expert urges businesses to follow geopolitics as defensive strategy
News Paul Chichester, director of operations at the UK’s National Cyber Security Centre, urged businesses to keep closer tabs on geopolitical events to gauge potential cyber threats.
-
Cyber attacks have rocked UK retailers – here's how you can stay safe
News Following recent attacks on retailers, the NCSC urges other firms to make sure they don't fall victim too
-
Five Eyes cyber agencies issue guidance on edge device vulnerabilities
News Cybersecurity agencies including the NCSC and CISA have issued fresh guidance on edge device security.
-
"Thinly spread": Questions raised over UK government’s latest cyber funding scheme
The funding will go towards bolstering cyber skills, though some industry experts have questioned the size of the price tag
-
State-sponsored cyber crime is officially out of control
News North Korea is the most prolific attacker, but Russia and China account for the most disruptive and tightly-targeted campaigns
-
Modern enterprise cybersecurity
whitepaper Cultivating resilience with reduced detection and response times
-
IDC InfoBrief: How CIOs can achieve the promised benefits of sustainability
whitepaper CIOs are facing two conflicting strategic imperatives
-
The NCSC and FBI just issued a major alert over a state-backed hacker group – here’s what you need to know
News State-affiliated attackers are targeting individuals via spear-phishing techniques, according to the NCSC