Thames Water's outdated IT infrastructure threatens water supply

Some of Thames's critical systems still rely on versions of Lotus Notes software

An investigative report has unveiled the alarming state of Thames Water's IT systems, sparking serious concerns about the security and reliability of the water supply to London and the home counties.

The report by The Guardian has brought to light some serious concerns. Insiders allege that outdated technology and major security gaps have left the utility vulnerable to cyberattacks and operational breakdowns.

According to the report, some of Thames Water's critical infrastructure still relies on technology dating back to the 1980s. Employees described a desperate struggle to keep these aging systems operational, often resorting to makeshift repairs and salvaging parts from other outdated machines.

"The hardware really is properly falling apart in front of your eyes," one employee, who is in his 20s, told The Guardian.

"We've been keeping machines going by using parts from similar old ones, once those give up the ghost. But we've run out of our stores. We're not just holding things together with tape and glue. We're actually unable to turn things off, because we find we can't turn them on again."

Some of Thames's critical systems still rely on versions of Lotus Notes software from the early 1990s, which haven’t been supported for years. This heavy dependence on antiquated technology has rendered the company an appealing target for cybercriminals.

Cybersecurity experts have warned of the growing threat to critical infrastructure, including water utilities. Neighbouring Southern Water has been attacked and Thames Water has reportedly been targeted by state-sponsored hacking groups, with some attacks successfully compromising its systems. The inability to conduct routine security tests, such as "dark testing," further exacerbates the company's vulnerability to cyberattacks.

The investigation also raises serious questions about the effectiveness of regulatory oversight.

While the Drinking Water Inspectorate (DWI) is responsible for monitoring water quality and security, its limited resources and capacity have been criticised.

In a statement to The Guardian, DWI said it is committed to ensuring a safe and continuous water supply, adding that it will investigate any concerns raised and take appropriate action to maintain high water quality standards.

Thames Water's economic regulator Ofwat acknowledged the serious allegations and stated that it will act if evidence of breaches is found. Ofwat is currently reviewing Thames Water's request for a substantial increase in customer bills and will announce its decision in December.

Thames Water says it is committed to customer wellbeing and water quality. It acknowledged its infrastructure challenges and outlined an ambitious investment plan to address these issues.

"We take our requirements to protect customers' personal data and maintain essential services extremely seriously," a spokesperson for Thames Water said. "We regularly review our systems to ensure their continued reliability."

Commenting on the findings, Dr. Jared Smith, Global Threat Intelligence lead for SecurityScorecard, a security ratings and response company, said: "The reports of Thames Water's IT insecurities are not overblown - as of today, SecurityScorecard's Attack Surface Intelligence shows Thames Water is exposing dozens of vulnerable servers to the Internet, including several where there are multiple high severity CVEs, vulnerabilities with public exploits available used in previous ransomware attacks, and numerous extremely outdated versions of PHP, Microsoft IIS, and Apache Tomcat."

"For the highest risk devices exposed, I verified the servers are still online and present the vulnerable versions of the software.”