IT Essentials: Notes on a Scandal
‘Horizontal’ complacency at Thames about the prospect of cyberattack
The revelation that Thames Water is using 40-year-old technology was at once shocking and completely unsurprising.
At the launch of the Google Cloud Cybersecurity 2025 forecast, Stuart McKenzie, Managing Director of Mandiant Consulting, EMEA, Google Cloud, told the assembled journalists that there was considerably more to the concept of the resilience of Critical National Infrastructure (CNI) than how fast a service could get back online following a cyberattack.
McKenzie said: “For resilience in CNI you have to think about how you are protecting it for 20 or 30 years. When we talk to energy and water providers - their tech is there for the next 50 years. It’s not meant to change.”
What none of us realised at the time was just how literal this statement actually was. It came to light last week that Thames Water is hobbling along running operations with software older than most of its employees, and hardware older than their parents.
The most colourful part of the report in The Guardian was the revelation that Thames Water still uses Lotus Notes, an email tool that I last used in <checks notes> 2001. The version I used then might well have been more up-to-date than Thames’s, which apparently dates to the early 90s or possibly late 80s.
Thames confirmed that it uses Lotus Notes, but a source said that it was only for “databases” and not “critical” systems. What those databases are connected to is anyone’s guess.
Of course, the lack of technology investment at Thames Water should be viewed within the context of the starving of this essential service of infrastructure investment for decades and its loading with debt, to the extent that the physical infrastructure that delivers water to homes is crumbling and the sewerage system is pouring untreated effluent into rivers and the sea.
It’s not difficult to envision some of the risks that might be posed to water supply in London and the Southeast by the collapsing shell of Thames Water, but it’s the risks posed by its ancient technology infrastructure that this latest report spelled out.
Water companies are some of the most heavily attacked in the world, and that includes Southern Water, which neighbours Thames.
Camellia Chan, CEO and co-founder of Flexxon (AI cybersecurity specialist working with CNI and industry) commented that “ancient operations like this are a goldmine for cybercriminals,” which at least makes a change from water companies being a goldmine for private equity companies and sovereign wealth funds.
Old infrastructure is unsupported infrastructure, which means no security updates, a fact driven home by Dr. Jared Smith, Global Threat Intelligence lead for SecurityScorecard, who said:
“Thames Water is exposing dozens of vulnerable servers to the Internet, including several where there are multiple high severity CVEs, vulnerabilities with public exploits available used in previous ransomware attacks, and numerous extremely outdated versions of PHP, Microsoft IIS, and Apache Tomcat.”
In a response as predictable as it was infuriating, Thames declined to comment on the record, but a source at the company said it had “not experienced any cyber-attacks, full stop”.
Feels reassuring, doesn’t it? Especially the “full stop” at the end of the sentence.
At this point I could rail against the horizontal complacency of Thames Water but, really, what would be the point? This is a company which treats every one of its customers with contempt every single day. Its management and ownership have been playing fast and loose with the safety of the water supply and the environment since it bought those first Lotus Notes licences.
So, I’ll leave you with some more of Stuart McKenzie’s thoughts on infrastructure resilience, specifically how far ahead of the likes of Thames Water our enemies are likely to be.
“In a lot of the early attacks against Ukrainian critical infrastructure the implants were there six or seven years beforehand. This is not something that happens quickly. You aim to have implants in place years in advance.”
When the call comes, it will be from inside the building.