- Drinking Water 2024 – Summary of the Chief Inspector’s report for drinking water in England
- Foreword
- Water supplies and testing
- Compliance with water quality standards
- Water quality events
- Asset health and service reservoir integrity
- Consumer contacts
- Water safety planning and risk assessment
- Perfluoroalkyl and polyfluoroalkyl substances (PFAS)
- Audit programme completed by the Inspectorate
- Enforcement, transformation and recommendations
- Lead in water
- Materials in contact with drinking water (Regulation 31)
- Security and Emergencies (SEMD)
- Network Information systems (NIS)
- Research publications
- Raw water data
- Whistleblowers
- Working with stakeholders
- Annex A – Number of tests carried out by companies
- Annex B – Compliance with standards
- Annex C – Compliance failures and events
Security and Emergencies (SEMD)
2024 was the third reporting year for companies since the Inspectorate has regulated the Security and Emergency Measures Direction. Companies have demonstrated an overall improvement in recognising the areas that they need to improve and move towards compliance with the Direction, resulting in significant investment in PR24 over a range of schemes consisting of security and emergency planning improvements.
During 2024, the Inspectorate observed increased engagement from the Industry looking to proactively enhance compliance with the Direction, for example the Inspectorate hosted an emergency planning specialist from a water company who was seconded to the Inspectorate for a six-month period, under our better regulation programme. This enabled the company to gain first hand knowledge and regulatory understanding of the DWI’s expectations of water companies’ compliance with SEMD as well as the Inspectorate gaining an insight into the practicalities experienced by water companies of planning and running emergency incidents.
The Inspectorate undertook a program of audits as well as event assessment and company interaction which resulted in a range of enforcement activity to secure improvement and compliance as demonstrated below.
Figure 37 Table 42 – SEMD enforcement overview
The industry has fed back that this enforcement led approach is a step change from the previous SEMD regime prior to DWI’s involvement.
Water companies have made notable progress in complying with SEMD requirements, with evidence of improved outcomes and compliance emerging, with more to deliver in AMP8.
SEMD Audits
During 2024, the Inspectorate undertook 25 SEMD audits of water companies across the industry. The purpose of the audits was to review companies’ security measures at water sites including an analysis of procedures and physical site security measures, an industry wide testing and exercising audit looking at companies exercising programs and emergency response as well as a command-and-control audit of a water companies emergency planning function. The findings and recommendations resulting from these audits were formally shared with security and emergency planning managers from the relevant companies. In several cases, enforcement was required for non-compliance with the Direction, ranging from the service of Section 19 Undertakings to Final Enforcement Order.
RAG (Red/Amber/Green) submission
2024 was the third year for the risk assessment RAG returns, as companies continued to work to benchmark against the expectations of SEMD 2022(as amended) and the rest of the industry.
Overview of RAG Movements
- Since 2022, the companies red and amber self-classifications have increased, as expected in the initial years of assessment following feedback of events and audits and peer to peer benchmarking:
- The most significant shifts in RAG status typically follow an audit or major event.
- In contrast to previous years, the greatest movement in 2024 was observed in the Testing and Exercising category, coinciding with industry wide audits being submitted alongside RAG assessments.
- Inset Appointees are not represented in the datasets, as they follow a different reporting mechanism.
Notable RAG outcomes include:
Vulnerable Customers
Similar to last year, many companies reported Amber and Red for vulnerable customers. Several companies cited problems with linking existing Priority Service Register (PSR) customer data with customer systems as well as highlighting issues of data sharing agreements and varying support from external agencies, such as Local Resilience Forum (LRF) partners, providing uncertainty about the ability to meet the demand for vulnerable customer deliveries.
Several companies have developed systems to improve liaison with vulnerable consumers. South East Water introduced a new SMS text messaging system of informing vulnerable customers of water disruptions. Companies reporting Green had detailed information on vulnerable sites in their remit for example using tactical mapping processes to identify vulnerable customers, hospitals, schools, nursing/care homes and prisons. Several companies had hospital and prison plans in place which containing key information to increase understanding and support of these customers during any incidents.
Testing and Exercising
The 2024 RAG submission coincided with an industry wide audit of testing and exercising, and the 2024 submission saw numerous companies move to amber in their RAG status for these outcomes. Several companies reporting amber had not exercised their reasonable worst case scenario in terms of alternative water provision. We saw one company recognising this and they are now looking to exercise their biggest island zone. Other companies noted a lack of testing of vulnerable sites such as prisons and hospitals.
Some companies listed a number of “live incidents” as testing and exercising but didn’t identify which objectives were met which were still outstanding with limited post incident reviews to maximise the learning. Some companies have implemented a post incident review process to capture learning after each incident and exercise, which is supported by centralised action trackers to monitor progress of actions and a governance framework in place to escalate overdue actions, this was welcomed by the Inspectorate. Most companies carried out testing and exercising with Local Resilience Forum (LRF) partners, however other companies just took part in LRF organised exercises and took limited learning from these, whilst others proactively organised and engaged with the LRF in water related incident scenarios, this was also welcomed by the Inspectorate.
Those companies reporting Green for the testing and exercising outcome typically undertook live emergency planning testing with external stakeholders as well as several companies testing a variety of alternative water deployment, from setting up alternative water stations, deployment of static tanks and tankering exercises. These exercises had clear aims and objectives with documented learning embedded in the company. In addition, several companies reporting green had undertaken a variety of security testing including penetration testing of sites and assets, bug sweeps, email phishing tests, as well as the placement of dummy signs at a site to test security reporting exercises.
Identification of external suppliers
Companies reporting green used tools such as risk ledger where businesses with heightened security risks are signed up to the platform providing an assessment of the security risks posed by these organisations. In addition, other companies mandated that their supply chain are required to complete criminal declarations and identification checks before work on operational assets with access to sites being a controlled process requiring sign off. One company implemented personnel security checks for temporary employees delivered to the same standard as those conducted on employees.
Events and Incidents
Social media auditors have presented a challenge for several companies during 2024, and whilst they are normally legal, this has highlighted a number of issues for the companies involved. We did however see a few examples of positive behaviours around challenging and engaging with the social media auditors.
Over the year we also spoke to several companies regarding revealing too much information about sensitive sites, this can be from site tours which are specifically prohibited, to industry write ups on large construction projects. The Inspectorate reminded and continues to remind companies of their obligations to keep critical information secure.
Notable events include:
Southern Water – Hasting loss of supply
Between 2 May 2024 and 7 May 2024, consumers supplied from a treatment works in Hastings lost drinking water supplies due to a burst on the incoming raw water main supplying the treatment works. This was notified to the Inspectorate as drinking water quality event 2024/9637. During the event, the company failed to comply with the requirements of paragraphs 3 and 4(4) of the Direction.
The company had previously acknowledged that the main required replacing, but this was not done due to cost, it was noted on the company risk water safety plan as a category D requiring further mitigation as well as being the cause of previous loss of supply and burst event. Therefore, the Inspectorate concluded that the company did not have in place adequate resilience plans to ensure the continuance of all its water supply functions, which is a breach of paragraph 4(4)(a) of the Direction, which states that plans for water supply must be prepared on the basis that the company must (a) continue to carry out (i) all of its water supply functions.
Therefore, following the event, the Inspectorate enforced, and the company have offered a Section 19 Undertaking to replace the main and improve resilience to the area.
Affinity Water-YouTube Incident
The event concerned YouTube content creators gaining unauthorised entry and filming water company tunnels at a reservoir and borehole site, bypassing security measures and entering through an insufficiently secured door. The resulting video, uploaded in January 2024, prompted the company to investigate and report the incident to the Inspectorate. The security breach was attributed to a faulty lock, and the company acknowledged delays in alarm response. Remedial actions included securing the door with additional locks, installing a secondary security detector, and implementing regular maintenance checks as a short-term measure. The door was subsequently replaced with measures put in place to address the alarm response.
The Inspectorate recommended a comprehensive review of the company’s security maintenance strategy and communication protocols. The Inspectorate emphasised the need for timely alarm responses and thorough checks of all access points. The company was required to submit a detailed review of site security, confirm the security rating of new door fittings, and ensure that future breaches are detected and addressed promptly.
Thames Water – Guildford loss of supply
Following an extreme weather incident at the end of 2023 (Storm Ciaran), the company experienced outages at eight pumping and treatment sites across the Guildford supply system and a subsequent widespread loss of supply was experienced across the Guildford area. This was due to the number and duration of outages at Shalford treatment works during this period, as well as the lack of water/power supply resilience within the Guildford system.
Following the Inspectorate’s assessment of the event, we wrote to the company with a minded to enforce letter requesting a Section 19 Undertaking to be signed by the company to deliver improvements to emergency planning and power resilience within the Guildford area. The company accepted the Section 19 Undertaking in November 2024 which requires the company to carry out action to improve resilience in the Guildford area.
Southern Water- Testwood loss of supply
A significant water quality event at Testwood water treatment works occurred on December 18, 2024, involving plant failure and loss of supply. The event led to elevated turbidity levels and subsequent shutdowns, causing a loss of supply for 130,920 consumers. The company took various actions, including forming an incident team, setting up bottled water stations, and rezoning their network to bring in water from other areas. The company stated they faced challenges in setting up bottled water stations and ensuring timely deliveries, impacting their ability to provide the required minimum water supply to affected consumers.
The Inspectorate in their investigation highlighted the need for better planning and execution of alternative water provisions during emergencies and recommending reviewing the company’s methodology for assessing bottled water station locations and improving the resilience of alternative water supplies, particularly for vulnerable sites like hospitals. Additionally, we highlighted the need to review network storage and response capabilities to handle similar incidents more effectively in the future. A ‘minded to enforce’ letter, requesting a Section 19 Undertaking was sent as part of the event write up, requiring the company to undertake works to increase resilience at the site.
Southern Water – Secure minded communications
In January 2024 we wrote to Southern Water regarding an online article that showed detailed valve drawings of a CNI site. There were several concerns with this article such as it revealed locations of sensitive assets and listed names of the key supply chain used to deliver this project.
We formally recommended the company ensure that future publications do not reveal sensitive information within the article, and we suggested that the company removed this existing article from the website. The Company responded by removing the article, stating no further articles relating to CNI sites will be published and relevant processes and procedures reviewed around publication of information
Audits undertaken by the SEMD team in 2024
| Company | Audit area | Audit theme | Date of audit |
|---|---|---|---|
| TMS | Physical | Security | Jan-24 |
| TMS | Physical | Security | Jan-24 |
| TMS | Physical | Security | Jan-24 |
| AFW | Physical | Security | Jan-24 |
| SRN | Physical | Security | Feb-24 |
| AFW | Desktop | Testing and Exercising | Apr-24 |
| ANH | Desktop | Testing and Exercising | Apr-24 |
| DWR | Desktop | Testing and Exercising | Apr-24 |
| HDC | Desktop | Testing and Exercising | Apr-24 |
| NES | Desktop | Testing and Exercising | Apr-24 |
| PRT | Desktop | Testing and Exercising | Apr-24 |
| SES | Desktop | Testing and Exercising | Apr-24 |
| SEW | Desktop | Testing and Exercising | Apr-24 |
| SRN | Desktop | Testing and Exercising | Apr-24 |
| SST | Desktop | Testing and Exercising | Apr-24 |
| SVT | Desktop | Testing and Exercising | Apr-24 |
| SWB | Desktop | Testing and Exercising | Apr-24 |
| TMS | Desktop | Testing and Exercising | Apr-24 |
| UUT | Desktop | Testing and Exercising | Apr-24 |
| WSX | Desktop | Testing and Exercising | Apr-24 |
| YKS | Desktop | Testing and Exercising | Apr-24 |
| BRL | Physical | Security | May-24 |
| SES | Physical | Command & Control | Jul-24 |
| HDC | Physical | Security | Oct-24 |
| YKS | Physical | Security | Nov-2 |
24 Audits were undertaken in total with 3 carried out in Wales.