Data defence: Reflections on the recent water industry cyber-attacks

Matt Eustace, Data Protection Officer at UK AI firm Aiimi, data insights specialists and experts on data security, who work with a number of water companies, offers perspective on recent events, and advice on making data watertight against such attacks.

Last month, not one, but two major water companies were the victims of ransomware attacks. Veolia North America, in the US, and Southern Water, in the UK, both suffered data breaches as a consequence of the attacks, with the Black Basta ransomware group claiming responsibility for the Southern Water raid. Southern Water has since confirmed that data belonging to 5-10% of its customers has been stolen as a result.

Public services and infrastructure have become a popular target among cybercriminals in recent years. From the infamous 2022 Colonial Pipeline attack (which caused the US government to invoke emergency powers to avoid fuel shortages), to last autumn’s British Library breach and a series of attacks on NHS organisations – incidents are plentiful and painful. The size of this threat is only set to grow, as warned in a new government report, with AI tools enabling cybercriminals to increase the scale and severity of their attacks.

Despite the increasing cyber threat, the importance of data held by public services should not be underestimated. For instance, water companies hold vast amounts of information that contain crucial insights into service use and impact. To this end, Ofwat has been calling on water companies to engage in open data practices to better utilise this information: data sharing that would boost transparency and consumer trust, help establish new business models and services (that could especially benefit vulnerable customers), improve decision making and help meet environmental

Of course, there’s a fine balance to strike between making the best use of data and pursuing innovation, whilst upholding the safety and security of critical national infrastructure. How, then, can water companies utilise data whilst protecting it from the designs of cybercriminals?

Shoring up your data
The first step in successfully securing data is understanding it. Organisations who are serious about security will run a firmwide data audit, to understand the scope and nature of the data they’ll have to manage, and to discover any data that’s been stored and forgotten about. Organisations evolve, adopting new and retiring old technology, introducing new systems and information via mergers and acquisitions, and seeing employees come and go. This means that if there’s no system in place to manage data, it’s easy to lose track of all the information a company holds.

Once the full scope of data being handled is revealed, the next step is to structure that data. This means identifying out-of-date information that needs to be updated, labelling any sensitive information, and categorising data for easy future retrieval. Not only does this ensure companies are efficiently working with accurate information, it also means that all sensitive data – including the personally identifiable information which is hugely attractive to hackers – can be separated out and given the full protection it needs.

Employee passport photos held by HR departments are a very different type of data to the readings coming from site sensors. Both should be protected, but the data will need to be treated differently.

Once the data has been categorised, companies then need to review access. It’s important employees are given easy access to the information they need to do their job and aren’t being siloed – this is how mistakes can occur. But it’s also crucial that only the users who need that data can get to it.

A common way cyberattacks occur is through phishing attacks: trying to trick users via increasingly sophisticated tactics into clicking on malicious links, for example, and allowing cybercriminals into a network. Part of protecting against this is through regular employee training. But another important pillar of protection is being strict about who can access what, and having stringent security checks to enforce this. An intern shouldn’t have keys to the boardroom.

Continuous monitoring
The issue is that this process of organising data can’t be a one-off occurrence. New data will be continuously coming in, and continually sorting, labelling and storing it correctly is a huge task.

It’s a particular challenge for organisations like water companies, which are dealing with data en masse. This is where AI comes in. AI tools can automate data governance, to efficiently and accurately manage the process by which data is scoped out, structured and secured. Specialist AI tools will flag any duplicate or similar versions of files along the way, and even convert sound files into text for greater accessibility and easier use. This means companies can automatically understand the data they have, where it lives, how sensitive it is, what it’s being used for, and who really needs access. And it ensures sensitive information is instantly protected, barricading it against hackers and maintaining compliance with the latest data protection laws.

Automatic data management does more than defend data, however. Cleaned-up data lays the foundation for future AI applications, as the correct information is accessible in the right form for AI tools to instantly understand and process, while ROT (Redundant, Obsolete and Trivial) or highly sensitive data is kept out of the picture. As water companies embrace AI to help deliver improved services and protect the world’s most precious resource, it’s imperative they have the data management in place to back it up.

The lesson of last month is that public services are very much in the crosshairs of cybercriminals. But this doesn’t mean organisations are completely open to attack. The data malicious actors are after can be effectively safeguarded through thorough automated data governance. Knowing what you have, where it is, and who has access to it is crucial if companies want to keep their information out of hackers’ hands.