The Network and Information Systems Regulations (2018) ensure the operational technology which maintains the production of drinking water remains robust and operational. This is to ensure that wholesome water is delivered all the time without disruption. In England, the implementation and operational delivery of the NIS regulations is delegated to the Inspectorate. The strategic purpose is to ensure that water companies deliver the essential service of providing uninterrupted, wholesome water supplies to consumers in England. This is achieved by regulating and overseeing compliance with the NIS regulations by assessing cyber resilience and operational technology security.

Operational Technology (OT) refers to the hardware and software systems used to monitor and control physical devices, processes, and infrastructure in industrial operations. It differs from Information Technology (IT) by focusing on the physical world and its control rather than data processing and management. Such technology controls the operation and automation of equipment used for the abstraction, treatment and distribution of drinking water (for example forwarding pumps, chemical dosing pumps, valves, water quality protection shut-down systems, as well as automated safety systems).  OT is a critical component for the automated, safe, cost-efficient production of wholesome drinking water. To protect the essential service, the technologies employed need to be suitable, secure, and fit for purpose to ensure continuous reliable production and to simultaneously defend against continually evolving threats to our critical national infrastructure

Examples of OT include industrial control systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems for drinking water treatment and distribution. SCADA is a system of software and hardware components that allow the automated operation of industrial processes locally or at remote locations. It is used to monitor, gather, and process real-time data; directly interact with devices such as sensors, valves, pumps, and motors. Other examples of OT include Human Machine Interfaces (HMI) which are screens, or interfaces that connect humans to a machine, system, or device.  Access to such technology by threat of actors with disruptive intent would have potentially serious consequences.

Water companies serving a population of 200,000 people or more must implement a risk assessment to improve the resilience of OT. The sector uses the NCSC Cyber Assessment Framework (CAF) at the request of the Inspectorate. Since 2018, the Inspectorate has received a CAF return annually from each company falling within the NIS regulations.

The companies map their resilience to threat actor capability against contributing outcomes of good cyber practice. This risk assessment informs investments plans and areas requiring additional controls.

Between 2023-2024, every water company was subject to an Inspectorate cyber resilience audit to verify each company’s self-assessed CAF assessment. Two companies were issued legal notices to improve their risk assessments in response to the audits. Every company in England (and Wales) has a regulation 18 notice to address residual cyber risk and their PR24 cyber improvement plans. Ofwat Price Control Deliverables are tied to these notices being met in full. Failure to meet the notice requirements may attract Ofwat penalties in addition to any Inspectorate enforcement.