Thames Waterâs IT âfalling apartâ and is hit by cyberattacks sources claim Thames Water The Guardian

pExclusive Company relies on obsolete tech and there are troubling security gaps Guardian investigation suggestsppâThe software we use is older than me and some of the hardware is older than my dadâ says Siddharth He is one of a team fighting a daily battle to sustain ancient IT infrastructure at Thames WaterppSometimes the defences are breached Thames the UKâs largest water and waste treatment company is on a âknifeedgeâ according to sources with its resilience in doubt because it depends on an array of creaking â often Victorian â infrastructureppWhile plenty of attention has been paid to its pipes trunk mains and sewage overflows less well understood is another big problem its computer systems Some IT systems date back to the 1980s and have long been declared obsoleteppAccording to sources who spoke to the Guardian the systems are so antiquated they have been easy for cybercriminals to attackppâThe hardware really is properly falling apart in front of your eyesâ says Siddharth who is in his 20s âWeâve been keeping machines going by using parts from similar old ones once those give up the ghost But weâve run out of our stores Weâre not just holding things together with tape and glue Weâre actually unable to turn things off because we find we canât turn them on againâppIn an age of heightened risk with espionage and attacks on critical national infrastructure reaching news heights Thames and other companiesâ vulnerabilities are causing increased concern within Whitehall and beyond With 16 million customers across London and Thames Valley relying on it they fear the repercussions from a serious breach or systems failureppThe controversies around Thamesâs finances as dividends piled up and its debt burden ballooned as well as wider criticism of water companiesâ sewage treatment overflows have often crowded out more detailed examination of its operationsppIts economic regulator Ofwat has a responsibility towards ensuring water companies including Thames are resilient Other aspects of its work such as clean drinking water and security of its sites and systems including cybersecurity fall to a lesserknown small regulator the Drinking Water Inspectorate DWIppThe pressure on the 50 or so staff that work at the DWI is acute They are ultimately tasked with monitoring whether the water Thames and other companies in England and Wales provide is safe to drinkppThe DWI served Thames with an enforcement notice over the physical security at one of its sites earlier this yearppSome of Thamesâs essential systems are still run on forms of Lotus Notes software from the late 1980s and early 1990s that can no longer be updated Siddarth and other insiders at Thames Water sayppThames confirmed that it still uses Lotus Notes but a source close to the company said that it was only for âdatabasesâ and not âcriticalâ systemsppThe use of Lotus Notes is a signal of how starved of investment technology at the company has been since it was privatised in the late 1980s Other examples of obsolete or near obsolete technology include wide reliance on 2G technologies arrays of meters that remain analogue and require manual checks and hardware that is often more than 30 years oldppUnderinvestment in IT systems that are critical to the security of London and the southeastâs water has left it prey to cyberattacks from Russia China Iran and North Korea linked groups There have been attempts on Thamesâs systems from groups believed to be linked to Russia some of which have been at least partly successful temporarily disabling some operations according to three sources familiar with the companyâs operationsppThames declined to comment on the record about cyberattacks but a source at the company said it had ânot experienced any cyberattacks full stopâppSources added the inability to turn things off â âdark testingâ â means that basic cybersecurity protocols and service resilience cannot be establishedppThe cyber arm of GCHQ the National Cyber Security Centre has warned of specific threats to Britainâs water industry from attacks by âstatealigned actors who are often sympathetic to Russiaâs further invasion of UkraineâppSources claim that some areas containing IT equipment are not secure and laid out a detailed list of areas within sitesppSign up to Business TodayppGet set for the working day â well point you to all the business news and analysis you need every morningppafter newsletter promotionppThey claim that it was possible to access some sensitive IT equipment within one particular site â which the Guardian named in correspondence with Thames â without appropriate security checksppA contractor without any requirement to enter areas with sensitive IT equipment was able to pass freely through areas containing it and would have been able to access or insert hardware into some computersppThames declined to comment on the record when asked specific questions by the Guardian about buildings housing computer hardware such as whether they were readily accessible by contractors or staff with no requirement to enter them It also declined to comment on whether hardware could be easily removed or inserted into IT infrastructure A company source said âall sites have stringent security measures in placeâ and that claims otherwise were âincorrectâppA spokesperson for the Drinking Water Inspectorate said âThe Drinking Water Inspectorate considers the provision of a continuous safe supply of clean drinking water to be the highest priority of a water company Furthermore this is a duty under the regulations Where there are any circumstances which give rise to a concern to drinking water the company are required to notify the inspectorateppâSimilarly water company staff are able report matters directly to the inspectorate In both cases the inspectorate will carry out an investigation and will take action as necessary to maintain the high standard of drinking water in England The inspectorate carry out a programme of riskbased audits to identify monitor and verify areas of concern and take enforcement action based on our enforcement policiesâppA spokesperson for Thames Water said âThe wellbeing and safety of our colleagues and customers is our highest priority We supply 26bn litres of water every day rated among the highest quality of drinking water anywhere in the worldppâWeâve been very open about the âasset deficitâ we face and the challenges we will have meeting future demand if itâs not addressed Thatâs why we have set out an ambitious plan for 202530 which asks for Â207bn of expenditure and investment with an additional Â3bn through gated mechanisms so that we can meet our customersâ expectations and environmental responsibilitiesppâFurther we take our requirements to protect customersâ personal data and maintain essential services extremely seriously We regularly review our systems to ensure their continued reliabilityppâWe take a rigorous approach to financial discipline throughout the company in order to operate within budget as any business in turnaround would be expected to doâppAn Ofwat spokesperson said âThe Guardian has raised a number of serious allegations about Thames Water We will take action if there is evidence of breach of the companyâs obligationsppâWe have been pushing Thames Water to make significant improvements in its operational performance and financial resilience for some time It is of course essential that all water companies provide a safe and reliable water supply The company has made a request for a substantial increase in expenditure including to address issues of asset health as part of the current price review process We are reviewing that request and the supporting information provided and will announce our final decisions in DecemberppâIn assessing the business case put forward by companies and in our enforcement work we work closely with other regulators where needed and seek their views This includes the Drinking Water Inspectorate in regard to security and cyber measures related to water services and the Health and Safety Executive and National Cyber Security Centre on matters relating to safety and cybersecurityâ
Names have been changedp