Cyber risk to the UK's water network, NCSC warns
The cyber security agency is advising water companies to take action following an attack on a facility in the US
The UK's National Cyber Security Centre (NCSC) has warned of the active exploitation of Unitronics programmable logic controllers (PLCs), used extensively across the water sector.
The statement follows a similar alert from the US Cybersecurity & Infrastructure Security Agency (CISA) earlier this week, with the NCSC recommending that organizations should follow its guidance.
"The NCSC has warned for some time of the enduring threat to the UK’s critical national infrastructure," says Jonathon Ellison, NCSC director for national resilience and future technology.
"Our US counterparts, CISA, have issued an advisory outlining a threat against the water sector. We are notifying UK providers of this threat, and recommend they protect consumers by following the mitigation advice set out by CISA."
Water and waste water facilities use PLCs to control and monitor various processes, including turning on and off pumps to fill tanks and reservoirs, flow pacing chemicals to meet regulations, gathering compliance data for monthly regulation reports, and announcing critical alarms to operations.
While the NCSC says that the exploitation is of ‘limited sophistication’ and is highly unlikely to cause any disruption to water supplies, there is a potential risk to some small suppliers.
The CISA advisory follows an attack on an unidentified US water facility, in which the attackers appear to have accessed the affected device — a Unitronics Vision Series PLC with a Human Machine Interface (HMI) — by exploiting poor password security and exposure to the internet.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
The facility, says CISA, immediately took the system offline and switched to manual operations, meaning that there was no known risk to the drinking water or water supply.
But to prevent other attacks, it says, users should change all default passwords on PLCs and HMIs, require multifactor authentication for all remote access, including from the IT network and external networks, and disconnect the PLC from the open internet.
RELATED RESOURCE
Want a better CASB and stronger DLP? Starts with the right foundation.
They should also back up the logic and configurations on any Unitronics PLCs to enable fast recovery, where possible utilize a TCP port other than the default TCP 20256 port and update PLC/HMI to the latest version.
The alert follows a recent NCSC report that warned that the UK’s critical sectors, including the water industry, are facing an 'enduring and significant’ threat.
"The last year has seen a significant evolution in the cyber threat to the UK – not least because of Russia’s ongoing invasion of Ukraine but also from the availability and capability of emerging tech," says NCSC CEO Lindy Cameron.
"Beyond the present challenges, we are very aware of the threats on the horizon, including rapid advancements in tech and the growing market for cyber capabilities."
In summer last year, South Staffs Water fell victim to hackers who were able to access the names and addresses of account holders, along with the sort codes and account numbers used for direct debit payments. Shortly after, a ransomware group claimed it was possible to tamper with water supplies.
And in the US, there have been a number of attacks, including the breach of a water authority near Pittsburgh which affected the water pressure in nearby towns. The attack is believed to have been carried out by hacktivists aligned with the government of Iran.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
The NCSC wants to build an AI-powered 'Cyber Shield' to protect the UK from hackersNews The aim is to create a national, sovereign defence capability to protect government agencies and critical infrastructure
-
IBM targets data center efficiency gains with new z17 and LinuxONE offeringsNews Cost, data center footprint, and performance improvements are coming for IBM Z and LinuxONE customers
-
UK’s Cyber Resilience Pledge gathers momentum as 60 firms sign up to bolster capabilitiesNews The voluntary pledge sees organizations tightening up their defences, particularly against supply-chain attacks
-
Hostile states behind three-quarters of UK critical infrastructure attacksNews NCSC CEO warns that with the rise of AI, the danger is only set to get worse
-
NCSC urges organizations to shore up supply chain security practicesNews With attackers increasingly compromising open source packages to spread malware, organizations need to be on their guard
-
A ‘perfect storm’: NCSC chief issues warning over quantum threats, nation-state hackers, and the dangers of global ‘hacktivism’News NCSC CEO Richard Horne says nation-state attacks, AI and the looming quantum threat require stronger global collaboration
-
The NCSC says it’s time to switch to passkeysNews UK security organization calls for companies to step up and offer more secure ways to login
-
NCSC issues alert over Russian hacker campaign targeting SOHO routersNews The APT28 group has exploited vulnerable internet routers to covertly reroute internet traffic through malicious servers
-
NCSC names and shames pro-Russia hacktivist group amid escalating DDoS attacks on UK public servicesNews Russia-linked hacktivists are increasingly trying to cause chaos for UK organizations
-
The NCSC touts honeypots and ‘cyber deception’ tactics as the key to combating hackers — but they could ‘lead to a false sense of security’News Trials to test the real-world effectiveness of cyber deception solutions have produced positive results so far