
WATER CAREERS 101
AC • 12 Apr 2026
Since February, both sides of the Iran War have traded missile and drone strikes on desalination plants. We’re talking about countries like Kuwait and Bahrain, where over 90% of municipal water comes from desalination. Suddenly, infrastructure we rarely think about becomes a strategic target.
The region is dependent on desalination for water supply, especially on the southern side of the Gulf. Source: Guardian.
Since 2024, the UK water sector has reported 15 digital incidents. Five confirmed as direct cyber-attacks. Across an industry of fewer than 30 major water companies.
The standout case is the 2022 attack on South Staffordshire Water by the Cl0p ransomware gang. Not only did the hackers steal data belonging to 249,000 customers, they even claimed to have access to the chemical control systems. Alarming enough. But the detail that should keep us up at night is this: Cl0p had been inside the network for months before anyone noticed.
The UK number probably isn’t telling the whole story. Across the ocean, the US generally has a more robust, centralised ransomware reporting structure than the UK. Source: Stantec.
In retail or finance, dwell time means more personal information stolen. In a water facility, it means the opportunity to dive deep into a network that affects the lives of thousands or millions.
The UK water industry is going through its biggest digital transformation towards “Water 4.0”. AMP8 has allocated billions for IoT sensors, AI-powered leak detection, and digital twins of entire network systems. The benefits are significant. But so is the exposure.
The historical “air-gap” — the physical separation between office IT and the operational technology (OT) controlling pumps, valves, and treatment processes — is closing. What once required physical presence can now be accessed remotely.
In February 2021, an attacker got into the water treatment plant in Oldsmar, Florida. No sophisticated exploit. No custom malware. Just TeamViewer, the same remote access tool the plant’s own engineers used every day.
Once inside, they moved the sodium hydroxide level from 111 to 111,000 parts per million, corrosive enough to cause serious harm to anyone who drank it.
In the water treatment process, sodium hydroxide, also known as caustic soda, is used for adjusting the pH. In our daily life, it’s commonly used to unblock drains.
One operator happened to be looking at his screen and noticed his cursor move on its own. He reversed it within seconds and saved thousands of lives.
That’s how close it got.
Look at the UK’s critical national infrastructure list and notice how many sectors depend on water.
Take data centres, for example. They consume millions of litres daily for server cooling and increasingly manage that through the same kind of networked OT systems being rolled out across water utilities. A successful attack on a facility supplying a major data centre, or on the data centre’s own water management system, can force a controlled shutdown at a minimum. With UK data centres now underpinning NHS, financial infrastructure, and emergency communications, the damage can be far-reaching.
In 2022, a cooling system failure at a UK data centre cost the NHS £1.4 million, caused over 100 procedure delays, and left one patient unable to receive an organ transplant. This wasn't a cyber attack, but the outcome of one could look like this. Source: Techerati.
Water is a dependency that runs through critical infrastructure, and those dependencies are increasingly digitised and networked. The regulatory landscape is shifting in ways that make this harder to ignore. The Cyber Security and Resilience Bill will bring data centres, NHS trusts, and managed service providers into scope for the first time — requiring them to manage cyber risk across their supply chains. Fines of up to £17 million or 4% of global turnover for serious breaches mean these are now board-level conversations.
Now that the regulatory pressure is up, so is the demand for people who can respond to it.
Most cybersecurity professionals are trained in IT security. But defending increasingly connected water networks requires something harder to teach: understanding how operational technology actually works. It comes from hands-on experience in the industry, not a classroom.
If you already work in water — as a process engineer, I&C technician, or operations professional — you may be further ahead than you realise. The domain knowledge is there. What you’re adding is a layer of cyber on top. The GICSP certification (Global Industrial Cyber Security Professional) is designed precisely for people making this transition. It’s the most widely recognised entry credential across utilities and critical infrastructure.
If you’re coming from a computer science or cybersecurity background, OT and ICS security in water offers something increasingly rare: a less saturated pathway where the work has direct consequences for public safety. GICSP is a strong entry point here too, with more specialised paths opening up from there.
The compensation reflects the specialism. OT security roles in the UK typically command a 20–35% premium over equivalent IT security positions at the same seniority level.
And the skills travel. Energy, pharmaceutical manufacturing, transport… anywhere a cyberattack can have physical consequences. A career that begins protecting a water treatment plant is a career at the intersection of digital and physical security. That intersection is only going to matter more.
I admit I’m an avid sci-fi reader, but cyber attacks on critical infrastructure, including water, are not fictional at all.
The water industry has never been the fastest at adopting new technology. Hackers don’t have that problem. With autonomous AI agents, they can already probe and evolve around the clock. The asymmetry is brutal: defenders have to protect everything. Attackers only need to find one crack.
And there’s the black box of quantum computing. When it arrives at scale, much of today’s encryption won’t hold. What’s particularly unsettling is that hackers can harvest encrypted data from critical infrastructure right now, banking it for the day they can decrypt it. In cybersecurity circles, it’s called “harvest now, decrypt later.”
Now think about the dwell time mentioned earlier.
We really can’t afford to be careless.
Somehow I can't find any attack on water infrastructure on screen. The closest might be Batman Begins (2005), where the antagonist uses a microwave emitter to vaporise Gotham's water supply and disperse fear toxin through the air. In my opinion, that's a massive bug: the adult human body is roughly 60% water. If that machine works, there's really no need for the toxin.