Credit rating agency Moody's has warned that water companies face a “high” risk from cyber-attacks targeting drinking water as they await approval from industry regulators to increase spending on digital security.

Hackers are increasingly targeting infrastructure companies such as water and wastewater treatment companies, and the use of artificial intelligence (AI) could accelerate this trend, Moody's said in a note to investors.

Southern Water, which serves 4.6 million customers in the south of England, claimed last month that the Black Basta ransomware group had accessed its systems and posted a “limited amount” of data to the dark web. announced. The same group hacked outsourcing company Capita last year.

Separately, South Staffordshire Water I apologized In 2022, after hackers steal customers' personal data.

Moody's warned that the increasing use of data logging equipment and digital smart meters to monitor water consumption is making businesses more vulnerable to attacks. Systems used at water treatment facilities are typically separated from a company’s other IT departments, including customer databases, but some systems are more closely integrated to improve efficiency, he said.

After a hack, companies typically have to hire specialized cybersecurity firms to repair systems and communicate with customers, and they can also face penalties from regulators. The UK's Information Commissioner's Office can fine companies up to 4% of group turnover or €20m (£17m), whichever is higher.

Moody's said the cost of system remediation, including re-securing and strengthening existing cyber defenses and paying potential fines, would typically result in only a “modest increase” in debt levels if the incident is short-lived.

But Moody's warned that “the greater risk to our industry and society is if malicious actors were able to gain access to operational technology systems and harm drinking water or wastewater treatment facilities.”

The agency said water suppliers, governments and regulators need to strengthen their cyber defenses “as attacks against critical infrastructure become more sophisticated and state-aligned actors are now increasingly becoming cyber attackers.” He said he was aware of his gender.

More about the digital security of Britain's infrastructure assets, including the £50bn project to build vast underground nuclear waste repositories and the Sellafield nuclear facility in Cumbria, where the Guardian revealed a series of cybersecurity issues. There is widespread concern.

Moody's report comes as water companies in England and Wales hope to receive allowances from Ofwat to increase spending on cyber defense. The regulator is assessing plans to raise the bill from 2025 to 2030 to cover investments.

Ofwat's decision, to be announced later this year, comes at a critical juncture for an industry that has come under fire for sewage dumping, inadequate leak records and high executive pay.

In October last year, companies announced that they would be required to fund a record £96bn investment in fixing raw sewage leaks, reducing leaks and building reservoirs. submitted a five-year business plan detailing price increases.

Moody's analysis shows that businesses want to increase their total spending on security from less than £100m to nearly £700m over the next five years. Increased scrutiny of the industry and the hack into Southern Water could strengthen its case, the credit agency said.

The department said costs to South Staffordshire Water related to the hack could reach £10 million, including potential civil action.

Moody's warning about the potential impact on water companies’ debt comes amid growing concerns over leverage in the water sector, where up to 28% of bill payments are used for debt servicing in regions of England. .

Industry body Water UK announced last week that average annual bills have risen by 6% since April, outpacing the current rate of inflation.