“The software we use is older than me, and some of the hardware is older than my dad,” says Siddharth*. He is one of a team fighting a daily battle to sustain ancient IT infrastructure at Thames Water.
Sometimes the defences are breached. Thames, the UK’s largest water and waste treatment company, is on a “knife-edge” according to sources, with its resilience in doubt because it depends on an array of creaking – often Victorian – infrastructure.
While plenty of attention has been paid to its pipes, trunk mains and sewage overflows, less well understood is another big problem: its computer systems. Some IT systems date back to the 1980s, and have long been declared obsolete.
According to sources who spoke to the Guardian, the systems are so antiquated they have been easy for cybercriminals to attack.
“The hardware really is properly falling apart in front of your eyes,” says Siddharth, who is in his 20s. “We’ve been keeping machines going by using parts from similar old ones, once those give up the ghost. But we’ve run out of our stores. We’re not just holding things together with tape and glue. We’re actually unable to turn things off, because we find we can’t turn them on again.”
In an age of heightened risk, with espionage and attacks on critical national infrastructure reaching news heights, Thames and other companies’ vulnerabilities are causing increased concern within Whitehall and beyond. With 16 million customers across London and Thames Valley relying on it, they fear the repercussions from a serious breach or systems failure.
The controversies around Thames’s finances as dividends piled up and its debt burden ballooned, as well as wider criticism of water companies’ sewage treatment overflows, have often crowded out more detailed examination of its operations.
Its economic regulator, Ofwat, has a responsibility towards ensuring water companies, including Thames, are resilient. Other aspects of its work, such as clean drinking water and security of its sites and systems, including cybersecurity, fall to a lesser-known small regulator, the Drinking Water Inspectorate (DWI).
The pressure on the 50 or so staff that work at the DWI is acute. They are ultimately tasked with monitoring whether the water Thames and other companies in England and Wales provide is safe to drink.
The DWI served Thames with an enforcement notice over the physical security at one of its sites earlier this year.
Young workers, old machines
Some of Thames’s essential systems are still run on forms of Lotus Notes software from the late 1980s and early 1990s that can no longer be updated, Siddarth and other insiders at Thames Water say.
Thames confirmed that it still uses Lotus Notes, but a source close to the company said that it was only for “databases” and not “critical” systems.
The use of Lotus Notes is a signal of how starved of investment technology at the company has been since it was privatised in the late 1980s. Other examples of obsolete or near obsolete technology include wide reliance on 2G technologies, arrays of meters that remain analogue and require manual checks, and hardware that is often more than 30 years old.
Underinvestment in IT systems that are critical to the security of London and the south-east’s water has left it prey to cyber-attacks from Russia, China, Iran and North Korea linked groups. There have been attempts on Thames’s systems from groups believed to be linked to Russia, some of which have been at least partly successful, temporarily disabling some operations, according to three sources familiar with the company’s operations.
Thames declined to comment on the record about cyber-attacks, but a source at the company said it had “not experienced any cyber-attacks, full stop”.
Sources added the inability to turn things off – “dark testing” – means that basic cybersecurity protocols and service resilience cannot be established.
The cyber arm of GCHQ, the National Cyber Security Centre, has warned of specific threats to Britain’s water industry from attacks by “state-aligned actors, who are often sympathetic to Russia’s further invasion of Ukraine”.
Troubling security gaps
Sources claim that some areas containing IT equipment are not secure, and laid out a detailed list of areas within sites.
after newsletter promotion
They claim that it was possible to access some sensitive IT equipment within one particular site – which the Guardian named in correspondence with Thames – without appropriate security checks.
A contractor without any requirement to enter areas with sensitive IT equipment was able to pass freely through areas containing it and would have been able to access or insert hardware into some computers.
Thames declined to comment on the record when asked specific questions by the Guardian about buildings housing computer hardware, such as whether they were readily accessible by contractors or staff with no requirement to enter them. It also declined to comment on whether hardware could be easily removed or inserted into IT infrastructure. A company source said “all sites have stringent security measures in place” and that claims otherwise were “incorrect”.
A spokesperson for the Drinking Water Inspectorate said: “The Drinking Water Inspectorate considers the provision of a continuous, safe supply of clean drinking water to be the highest priority of a water company. Furthermore, this is a duty under the regulations. Where there are any circumstances which give rise to a concern to drinking water, the company are required to notify the inspectorate.
“Similarly, water company staff are able report matters directly to the inspectorate. In both cases the inspectorate will carry out an investigation and will take action as necessary to maintain the high standard of drinking water in England. The inspectorate carry out a programme of risk-based audits to identify, monitor and verify areas of concern, and take enforcement action based on our enforcement policies.”
A spokesperson for Thames Water said: “The wellbeing and safety of our colleagues and customers is our highest priority. We supply 2.6bn litres of water every day, rated among the highest quality of drinking water anywhere in the world.
“We’ve been very open about the ‘asset deficit’ we face, and the challenges we will have meeting future demand if it’s not addressed. That’s why we have set out an ambitious plan for 2025-30 which asks for £20.7bn of expenditure and investment with an additional £3bn through gated mechanisms, so that we can meet our customers’ expectations and environmental responsibilities.
“Further, we take our requirements to protect customers’ personal data and maintain essential services extremely seriously. We regularly review our systems to ensure their continued reliability.
“We take a rigorous approach to financial discipline throughout the company in order to operate within budget, as any business in turnaround would be expected to do.”
An Ofwat spokesperson said: “The Guardian has raised a number of serious allegations about Thames Water. We will take action if there is evidence of breach of the company’s obligations.
“We have been pushing Thames Water to make significant improvements in its operational performance and financial resilience for some time. It is, of course, essential that all water companies provide a safe and reliable water supply. The company has made a request for a substantial increase in expenditure, including to address issues of asset health, as part of the current price review process. We are reviewing that request and the supporting information provided, and will announce our final decisions in December.
“In assessing the business case put forward by companies and in our enforcement work, we work closely with other regulators where needed and seek their views. This includes the Drinking Water Inspectorate in regard to security and cyber measures related to water services, and the Health and Safety Executive and National Cyber Security Centre on matters relating to safety and cybersecurity.”
*Names have been changed