Skip to main content
Search

SEMD

2024 was the third reporting year for companies since the Inspectorate has regulated the Security and Emergency Measures Direction 2022 (the Direction). Companies have demonstrated an overall improvement in recognising the areas that they need to improve and move towards compliance with the Direction, resulting in significant investment in PR24 over a range of schemes consisting of security and emergency planning improvements.

During 2024, the Inspectorate observed increased engagement from the industry looking to proactively enhance compliance with the Direction, for example the Inspectorate hosted an emergency planning specialist from a water company who was seconded to the Inspectorate for a six-month period, under our better regulation programme. This enabled the company to gain firsthand knowledge and regulatory understanding of the Inspectorate’s expectations of water companies’ compliance with the Direction as well as the Inspectorate gaining an insight into the practicalities experienced by water companies when planning and running emergency incidents. The Inspectorate undertook a program of audits as well as event assessments and company interaction which resulted in a range of enforcement activity to secure improvement and compliance as demonstrated in Figure 37.

Figure 37 : SEMD enforcement overview

Enforcement orders made 2
Undertakings served 4
Recommendations made 86

The industry has fed back that this enforcement led approach is a notable change from the previous regulatory approach, prior to the Inspectorate’s involvement.

Water companies have made notable progress in complying with Direction requirements, with evidence of improved outcomes and compliance emerging, with more to deliver in AMP8.

RAG (Red/Amber/Green) submission

2024 was the third year for the risk assessment RAG returns, as companies continued to work to benchmark against the expectations of the Direction and the rest of the industry.

Overview of RAG movements

  • Since 2022, the companies’ red and amber self-classifications have increased, as expected in the initial years of assessment following feedback of events and audits and peer to peer benchmarking:

Figure 38 RAG changes by year

  2022 2023 2024
Green 433 454 392
Amber 80 84 96
Red 18 9 30
  • The most significant shifts in RAG status typically follow an audit or major event.
  • In contrast to previous years, the greatest movement in 2024 was observed in the Testing and Exercising category, coinciding with industry-wide audits being submitted alongside RAG assessments.
  • Inset appointees are not represented in the datasets, as they follow a different reporting mechanism.

Notable RAG outcomes include:

Vulnerable consumers

Like last year, many companies reported amber and red for vulnerable customers. Several companies cited problems with linking existing Priority Service Register (PSR) customer data with customer systems as well as highlighting issues of data sharing agreements and varying support from external agencies, such as Local Resilience Forum (LRF) partners, providing uncertainty about the ability to meet the demand for vulnerable consumer deliveries.

Several companies have developed systems to improve liaison with vulnerable consumers. South East Water introduced a new SMS text messaging system of informing vulnerable consumers of water disruptions. Companies reporting green had detailed information on vulnerable sites in their remit, for example using tactical mapping processes to identify vulnerable customers such as hospitals, schools, nursing/care homes and prisons. Several companies had hospital and prison plans in place containing key information to increase understanding and support of these customers during any incidents.

Testing and exercising

The 2024 RAG submission coincided with an industry wide audit of testing and exercising, and the 2024 submission saw numerous companies move to amber in their RAG status for these outcomes. Several companies reporting amber had not exercised their reasonable worst-case scenario in terms of alternative water provision. We saw one company recognising this and they are now looking to exercise their biggest island zone. Other companies noted a lack of testing of vulnerable sites such as prisons and hospitals.

Some companies listed several ‘live incidents’ as testing and exercising but did not identify which objectives were met and which were still outstanding, with limited post incident reviews to maximise the learning. Some companies have implemented a post incident review process to capture learning after each incident and exercise, which is supported by centralised action trackers to monitor progress of actions and a governance framework in place to escalate overdue actions; this was welcomed by the Inspectorate. Most companies carried out testing and exercising with LRF partners, however other companies only took part in LRF organised exercises and took limited learning from these, whilst others proactively organised and engaged with the LRF in water related incident scenarios, this was also welcomed by the Inspectorate.

Those companies reporting green for the testing and exercising outcome typically undertook live emergency planning testing with external stakeholders as well as several companies testing a variety of alternative water deployment, from setting up alternative water stations, deployment of static tanks and tankering exercises. These exercises had clear aims and objectives with documented learning embedded in the company. In addition, several companies reporting green had undertaken a variety of security testing including penetration testing of sites and assets, bug sweeps, email phishing tests, as well as the placement of dummy signs at a site to test security reporting exercises.

Identification of external suppliers

Companies reporting green used tools such as risk ledger where businesses with heightened security risks are signed up to the platform providing an assessment of the security risks posed by these organisations. In addition, other companies mandated that their supply chain are required to complete criminal declarations, and identification checks before work on operational assets with access to sites being a controlled process requiring sign off. One company implemented personnel security checks for temporary employees delivered to the same standard as those conducted on employees.

Events and incidents

Social media auditors have presented a challenge for several companies during 2024, and whilst they are normally legal, this has highlighted several issues for the companies involved. There were, however, a few examples of positive behaviours around challenging and engaging with the social media auditors.

Over the year the Inspectorate engaged with several companies regarding revealing too much information about sensitive sites, this can be from site tours which are specifically prohibited, to industry write-ups on large construction projects. The Inspectorate reminded and continues to remind companies of their obligations to keep critical information secure.

Notable events include:

Southern Water – Hastings loss of supply

Between 2 May 2024 and 7 May 2024, consumers supplied from a treatment works in Hastings lost drinking water supplies due to a burst on the incoming raw water main supplying the works. This was notified to the Inspectorate as drinking water quality event 2024/9637. During the event, the company failed to comply with the requirements of paragraphs 3 and 4(4) of the Direction.

The company has previously acknowledged that the main required replacing, but this was not done due to cost. It was noted on the company water safety plan as a ‘DWI category D’ requiring further mitigation as well as being the cause of a previous loss of supply and burst event. Therefore, the Inspectorate concluded that the company did not have in place adequate resilience plans to ensure the continuance of all its water supply functions, which is a breach of paragraph 4(4)(a) of the Direction, that states that plans for water supply must be prepared on the basis that the company must (a) continue to carry out (i) all of its water supply functions.

Therefore, following the event, the Inspectorate enforced, and the company has offered as section 19 undertaking to replace the main and improve resilience to the area.

Affinity Water YouTube incident

The event concerned YouTube content creators gaining unauthorised entry and filming water company tunnels at a reservoir and borehole site, bypassing security measures and entering through an insufficiently secured door. The resulting video, uploaded in January 2024, prompted the company to investigate and report the incident to the Inspectorate. The security breach was attributed to a faulty lock, and the company acknowledged delays in alarm response. Remedial actions included securing the door with additional locks, installing a secondary security detector, and implementing regular maintenance checks as a short-term measure. The door was subsequently replaced with measures put in place to address the alarm response.

The Inspectorate recommended a comprehensive review of the company’s security maintenance strategy and communication protocols. The Inspectorate emphasised the need for timely alarm responses and thorough checks of all access points. The company was required to submit a detailed review of site security, confirm the security rating of new door fittings, and ensure that future breaches are detected and addressed promptly.

Thames Water Guildford loss of supply

Following an extreme weather incident at the end of 2023 (storm Ciaran), the company experienced power outages at eight pumping and treatment sites across the Guildford supply system and a subsequent widespread loss of supply was experienced across the Guildford area. This was due to the number and duration of power outages at Shalford treatment works during this period, as well as the lack of water/power supply resilience within the Guildford system.

Following the Inspectorate’s assessment of the event, the company was sent a ‘minded to enforce letter’ requesting a section 19 undertaking to be signed by the company to deliver improvements to emergency planning and power resilience within the Guildford area. The company accepted the section 19 undertaking in November 2024 which requires the company to carry out action to improve resilience in the Guildford area.

Southern Water Testwood loss of supply

A significant water quality event at Testwood works occurred on December 18, 2024, involving plant failure and loss of supply. The event led to elevated turbidity levels and subsequent shutdowns, causing a loss of supply for 130,920 consumers. The company took various actions, including forming an incident team, setting up bottled water stations, and rezoning their network to bring in water from other areas. The company stated they faced challenges in setting up bottled water stations and ensuring timely deliveries, impacting their ability to provide the required minimum water supply to affected consumers.

The Inspectorate in its investigation, highlighted the need for better planning and execution of alternative water provisions during emergencies and recommending reviewing the company’s methodology for assessing bottled water station locations and improving the resilience of alternative water supplies, particularly for vulnerable sites like hospitals. Additionally, the need to review network storage and response capabilities to handle similar incidents more effectively in the future was highlighted. A ‘minded to enforce’ letter, requesting a section 19 undertaking was sent as part of the event write up, requiring the company to undertake works to increase resilience at the site.

Southern Water secure minded communications

In January 2024 the Inspectorate wrote to Southern Water regarding an online article that showed detailed valve drawings of a Critical National Infrastructure (CNI) site. There were several concerns with this article including that it revealed locations of sensitive assets and listed names of the key supply chain used to deliver this project.

The Inspectorate formally recommended the company ensure that future publications do not reveal sensitive information within the article, and suggested that the company removed this existing article from the website. The company responded by removing the article, stating no further articles relating to CNI sites will be published and relevant processes and procedures reviewed around publication of information.

Table 17 – Audits undertaken by the SEMD team in 2024

Company

Audit area

  

TMS

Physical

CNI Security

Jan-24

TMS

Physical

CNI Security

Jan-24

TMS

Physical

CNI Security

Jan-24

AFW

Physical

CNI Security

Jan-24

SRN

Physical

CNI Security

Feb-24

AFW

Desktop

Testing and Exercising

Apr-24

ANH

Desktop

Testing and Exercising

Apr-24

DWR

Desktop

Testing and Exercising

Apr-24

HDC

Desktop

Testing and Exercising

Apr-24

NES

Desktop

Testing and Exercising

Apr-24

PRT

Desktop

Testing and Exercising

Apr-24

SES

Desktop

Testing and Exercising

Apr-24

SEW

Desktop

Testing and Exercising

Apr-24

SRN

Desktop

Testing and Exercising

Apr-24

SST

Desktop

Testing and Exercising

Apr-24

SVT

Desktop

Testing and Exercising

Apr-24

SWB

Desktop

Testing and Exercising

Apr-24

TMS

Desktop

Testing and Exercising

Apr-24

UUT

Desktop

Testing and Exercising

Apr-24

WSX

Desktop

Testing and Exercising

Apr-24

YKS

Desktop

Testing and Exercising

Apr-24

BRL

Physical

CNI

May-24

SES

Physical

Command and Control

Jul-24

HDC

Physical

CNI Security

Oct-24

YKS

Physical

CNI Security

Nov-24

Back to top
Print all pages