- Drinking Water 2024 – Summary of the Chief Inspector’s report for drinking water in England
Network Information systems (NIS)
The Network and Information Systems Regulations (2018) (the NIS Regulations) are intended to ensure that the operational technology which maintains the production of drinking water remains robust and operational, so that water is delivered at all times. In England, the implementation and operational delivery of the NIS Regulations is delegated to the Drinking Water Inspectorate. The strategic purpose is to ensure that water companies deliver the essential service of providing uninterrupted, wholesome water supplies to consumers in England.
Operational Technology (OT) refers to the hardware and software systems used to monitor and control physical devices, processes, and infrastructure in industrial operations. It differs from Information Technology (IT) by focusing on the physical world and its control rather than data processing and management. Such technology controls the operation and automation of equipment used for the abstraction, treatment and distribution of drinking water (e.g. forwarding pumps, chemical dosing pumps, valves, water quality protection shut-down systems, as well as automated safety systems). OT is a critical component for the automated, safe, cost-efficient production of wholesome drinking water. To protect the essential service, the technologies employed need to be suitable, secure, and fit for purpose to ensure continuous reliable production and to simultaneously defend against continually evolving threats to our critical national infrastructure.

Examples of OT include industrial control systems (ICS) such as Supervisory Control and Data Acquisition (SCADA) systems for drinking water treatment and distribution. SCADA is a system of software and hardware components that allows the automated operation of industrial processes locally or at remote locations. It is used to monitor, gather, and process real-time data, and to interact directly with devices such as sensors, valves, pumps, and motors. Other examples of OT include Human Machine Interfaces (HMIs), which are screens or interfaces that connect humans to a machine, system, or device, and Programmable Logic Controllers (PLCs), which are small industrial computers, with various inputs and outputs, used to control and monitor industrial equipment based on custom programming. Access to such technology by threat actors with disruptive intent would have potentially serious consequences.

Water companies serving a population of 200,000 people or more must implement a risk assessment to improve the resilience of OT. The sector uses the NCSC Cyber Assessment Framework (CAF) at the request of the DWI. Since 2018, the Inspectorate has received a CAF return annually from each company falling within the NIS Regulations.
The companies map their resilience to threat actor capability against 39 contributing outcomes of good cyber practice. This risk assessment informs investment plans and areas requiring additional controls.

Between 2023 and 2024 every water company was subject to a DWI cyber resilience audit to verify each company’s self-assessed CAF assessment. Two companies were issued with legal notices to improve their risk assessments in response to the audits. Every company in England (and Wales) has a regulation 18 notice to address residual cyber risk and their PR24 cyber improvement plans. Ofwat Price Control Deliverables are tied to these notices being met in full. Failure to meet the notice requirements may attract Ofwat penalties in addition to any DWI enforcement.