In a startling revelation, sources close to Thames Water, the UK’s largest water and waste treatment company, have exposed the precarious state of its IT systems. The company, responsible for supplying water to 16 million customers across London and the Thames Valley, is reportedly relying on technology that dates back to the 1980s, leaving it vulnerable to cyber attacks.
A Patchwork of Outdated Systems
Insiders paint a grim picture of Thames Water’s IT infrastructure, describing it as a patchwork of obsolete systems barely held together. One source, who requested anonymity, stated:
The software we use is older than me, and some of the hardware is older than my dad. We’ve been keeping machines going by using parts from similar old ones, once those give up the ghost. But we’ve run out of our stores.
The outdated technology includes Lotus Notes software from the late 1980s and early 1990s, which can no longer be updated, as well as a heavy reliance on 2G technologies and analog meters that require manual checks. Much of the hardware is over 30 years old, with some systems so antiquated that they cannot be turned off for fear of not being able to turn them back on again.
Cybersecurity Nightmares
The aging infrastructure has made Thames Water a prime target for cyber attacks. Sources claim that the company has been hit by attacks from groups believed to be linked to Russia, China, Iran, and North Korea, with some attempts being at least partially successful in temporarily disabling operations.
The inability to perform basic cybersecurity protocols, such as “dark testing” (turning systems off to check resilience), has left Thames Water’s systems exposed. The National Cyber Security Centre has warned of specific threats to Britain’s water industry from state-aligned actors sympathetic to Russia’s invasion of Ukraine.
Regulatory Pressure Mounts
As concerns grow, regulators are beginning to take notice. The Drinking Water Inspectorate (DWI), tasked with ensuring the safety of drinking water, has already served Thames Water with an enforcement notice earlier this year regarding physical security at one of its sites.
Ofwat, the economic regulator for the water industry in England and Wales, has also weighed in, with a spokesperson stating:
The Guardian has raised a number of serious allegations about Thames Water. We will take action if there is evidence of breach of the company’s obligations.
A Call for Investment and Modernization
Thames Water has acknowledged the challenges it faces, with a spokesperson stating that the company has been “very open about the ‘asset deficit'” and has set out an ambitious plan for 2025-30, which includes a request for £20.7 billion in expenditure and investment.
However, insiders argue that the company’s approach to financial discipline has left critical systems starved of investment, with one source noting:
We take a rigorous approach to financial discipline throughout the company in order to operate within budget, as any business in turnaround would be expected to do.
As the threat of cyber attacks continues to grow, the pressure is on for Thames Water to modernize its IT infrastructure and shore up its defenses. With millions of customers relying on the company for their water supply, the stakes couldn’t be higher.
The revelations about Thames Water’s IT vulnerabilities serve as a stark reminder of the importance of investing in modern, secure systems for critical infrastructure. As one insider put it, “We’re not just holding things together with tape and glue. We’re actually unable to turn things off, because we find we can’t turn them on again.” It’s a situation that cannot be allowed to continue.
