Sector

Water & Utilities

Structured assurance for water treatment, distribution, SCADA, and telemetry — addressing CAF, NIS, and Ofwat operational resilience expectations.

Threat Landscape

Water infrastructure faces the convergence of nation-state interest, criminal opportunism, and legacy OT vulnerability. State-sponsored actors have demonstrated capability and intent to compromise water treatment systems; the 2021 Oldsmar incident illustrated the potential for cyber attacks to create direct public health consequences.

The distributed nature of water infrastructure — hundreds of remote sites running SCADA and telemetry — creates a broad attack surface. Many remote treatment works and pumping stations operate with minimal local security, relying on network segmentation that may be inadequate against determined adversaries.

Regulatory & Framework Landscape

NCSC CAF v4.0 NIS Regulations 2018 IEC 62443 NIST SP 800-82 Ofwat Expectations ISO/IEC 27001:2022

Water companies are designated operators of essential services under the NIS Regulations, assessed against the NCSC CAF. Ofwat sets operational resilience expectations that increasingly include cybersecurity. IEC 62443 applies to industrial control systems across treatment and distribution. The Environment Agency and Drinking Water Inspectorate set additional expectations for systems affecting water quality and environmental compliance.

CCM Domain Alignment

D14 OT/ICS Security 24 controls

D16 Critical Infrastructure Resilience 13 controls

Water organisations activate both the D14 OT/ICS Security overlay for SCADA, DCS, and telemetry systems and the D16 Critical Infrastructure Resilience overlay for resilience controls applicable to critical national infrastructure. This provides comprehensive coverage across treatment works, distribution networks, and corporate IT integration points.

Operating Context

OT/ICS Security Converged Assurance

How C-PAP Supports Water & Utilities

C-PAP provides a unified assurance platform consolidating CAF assessment (Ofwat requirement) with IEC 62443 OT security implementation. The platform supports a scaled approach to geographically dispersed operational sites with varying connectivity and security maturity.

For water companies managing hundreds of remote treatment and pumping sites alongside corporate IT infrastructure, C-PAP enables IT/OT convergence visibility through a single governance model. Structured evidence collection strengthens Ofwat and NCSC reporting whilst integrating environmental safety and cyber risk as regulators expect.

Ready to discuss Water & Utilities assurance?

Request a sector-specific briefing or explore the full Water & Utilities brief through our resource portal.

Request Briefing Request Full Brief