Starting in April 2017, the UK water market is going to change in a big way. Water suppliers will be able to open up their business as a retail service, offering water and wastewater to any commercial property in the UK. This will create the largest water market in the world, delivering an estimated £200 million of overall benefits to customers and the UK economy. While a new competitive market will drive opportunity, there will be new cybersecurity challenges to address.
The three key players in this market shift are MOSL (Market Operator Services), Ofwat (the economic regulator of the water sector in England and Wales) and Defra (Department for Environment Food and Rural Affairs). These players are working together on the Open Water Programme in order to;
- Create a more robust water sector that is more efficient and customer focused
- Improve product ranges and quality of services
- Foster market innovation
What Does This Mean for Water Companies in the UK?
Water companies have a lot of work to do in order to get themselves ready for the market. But, they also have a lot of opportunity to increase revenue once their services open to the market. While some companies are leading the way, other companies are waiting to see the results before they decide whether or not they should participate.
'Readiness' is a key concern in the mind of water company executives. According to Sarah Hendry, Director of DEFRA, system delivery is the most challenging aspect of participating in the Open Water Programme.
The technical aspect of becoming a member has many angles. The first is the core IT system that underpins the Open Water Programme, also known as CMOS, or the Central Market Operating System.
CMOS will manage all electronic transactions involved in switching customers from current retailer and wholesaler to their new chosen provider. It will also provide usage and settlement data for the new retailer to use in the billing process.
Data is another angle. Responsibility for data will lie with individual utility companies. As data has always been kept in-house and alongside the upcoming General Data Protection Regulation (GDPR), compliance must be addressed by any water company.
Authentication into CMOS
A requirement of joining the Open Water Programme is purchasing a Digital Certificate, which will allow you to login to CMOS. A Digital Certificate is like an online passport and will provide system integrators the opportunity to prove their identity when logging into the system. This is a cybersecurity failsafe that will help to prevent unsolicited sign in to CMOS by cyber-attackers.
According to the CMOS Proforma, certificates need to comply with the following standards:
- Issued by a Certificate Authority (CA)
- Compliant with X.509 standard
- Class 2 Client Certificate (a type of certificates which validates your organization)
- Must be a client authentication certificate and not a server authentication certificate
- Must have a validity period of no more than three years and not be expired
- The certificate common name (CN) must be unique for each certificate and follow the format of for example: MST_ABC Water_WS_B2B_2
A Digital Certificate protects you from hackers with a public and private key (long generated passwords). The public key can be passed onto anyone, but the private key must be kept only with the owner of the certificate. MOSL will require your public key, so make sure you ONLY give them your public key and not your private key too.
You can learn more about encryption here.
A Certificate Authority (CA), will validate (when you purchase a certificate) that the identity of your organization is real. MOSL will then validate that the person submitting the pro-forma is authorized to do so. A list of authorized users will have to be submitted by the CIO (Chief Information Officer) on behalf of your organization in order for MOSL to then validate each person.
Cybersecurity for Water Utility Companies
Digital Certificates for authentication are a requirement of participating in the Open Water Programme and becoming a member of MOSL. Authentication is a form of cybersecurity that will prevent unauthorized login attempts from suspicious users, but there are quite a few other cybersecurity risks that you should be aware of and be preparing for in moving to an open market. This information is relevant for any water utility company in the world that operates in an open market.
Customers now have a choice – and they will start looking into a number of factors to determine which water company they want to supply their water. Many things from customer service to website and online experience will come into the decision making process. Your reputation and trust in your customers will become an important factor that will help your business grow.
As such, it will become more prevalent to decrease the risk of a cyber-attack. While a cyber-attack on your business could potentially present significant financial damages, you could also lose customer trust and the impact on your business could be much bigger and take longer to recover from.
Kemuri Water Treatment Company was hacked in 2016 and as a result 2.5 million customers had their personal information exposed. But, this was just a result of a bigger hack, which led to loss of control of Kemuri's water treatment valves controlling the flow of chemicals. Scary right?
You should be working closely with your IT departments in order to prepare yourself from a similar incident. Our advice is to have a mixed strategy involving some if not all of the following:
- Identity and access management
- Certificate management platform
- Server encryption
- SSL/TLS – web certificates
- Physical security
- Protective monitoring
- Incident response plan
You should also be prepared to comply with cybersecurity regulations. Ensuring you comply will enable you to avoid some hefty fines in the possible future. These are EU governed laws and the outcome of Brexit means that we cannot know for sure if these will continue to be the law in the future, but your organization should be preparing for them regardless. These include GDPR and eIDAS.
Looking into the future, the European Parliament is set to pass a new network and information security derivative known as the NIS Derivative, which will place minimum standards for cybersecurity on critical infrastructure operators. The USA already has something similar with the National Institute of Standards and Technology (NIST), who has published cybersecurity standards for energy and utility companies. Keep your eyes and ears open for the publishing of the NIS Derivative and when it is released, make sure you’re putting the required measurements in place in order to comply with the standards. Look out for a guide that we will publish on this as well to help you.
To find out more about how to comply with these up and coming regulations, you can watch our webinar.
In order to authenticate into CMOS, you will require an X.509 Digital Certificate via our Managed PKI Platform.
If you would like to get in touch regarding any other Digital Certificates or Certificate Management Platform contact us here.
