# Water utility cybersecurity: The nearly £1 million lesson from South Staffordshire Water

The Information Commissioner's Office (ICO) recently fined South Staffordshire Water £963,900. The penalty follows a major data breach where attackers lurked in internal systems for over a year before anyone noticed. While the breach was discovered in August 2022, the investigation found attackers had been inside since 2021. For water utilities and essential services, the lesson is simple: the "castle and moat" security model is dead. Traditional perimeters just don't work in a modern threat environment.

## Why the perimeter failed

The South Staffordshire Water breach highlights a fatal flaw in traditional security thinking. Most organizations still dump their budgets into firewalls, assuming the internal network is a safe zone. That assumption collapses the moment an attacker steals one set of credentials or an employee clicks a phishing link. Once inside the perimeter, attackers find themselves in a high-trust zone with almost no barriers between them and critical operational assets.

Because South Staffordshire Water didn't have robust internal monitoring, the breach went undetected for two years. Traditional security looks at traffic at the gateway, but it misses what users do once they're authenticated. If an attacker uses a stolen password for a virtual private network, they look like a trusted team member. Without identity-aware access controls that verify the user, the device, and the context of every single request, your perimeter is an open door. Security has to follow the identity of the user and the specific application, regardless of their location on the network. For a deeper look at modernizing your defences, read our [Industrial Cyber Security Best Practices Guide](https://www.agilicus.com/resources/industrial-cyber-security-best-practices/).

## Identity is the new perimeter

The ICO noted that South Staffordshire Water failed to use multi-factor authentication for remote access. This is a massive oversight for a critical public service. While multi-factor authentication is a basic requirement today, many organizations still struggle to deploy it across legacy systems and operational technology. The Agilicus Zero Trust platform solves this without the usual deployment headaches.

By replacing passwords and virtual private networks with identity-aware access, Agilicus ensures that stolen credentials aren't enough to breach a system. When a user logs in, we verify their identity through single sign-on with multiple factors. This happens at the application layer, not the network layer. If a phishing attack compromises a password, the attacker is still blocked because they can't provide the secondary factor. We effectively remove the risk of credential theft becoming a single point of failure.

Our platform also enforces granular access. Unlike a virtual private network that grants a user access to an entire network segment, Agilicus only allows access to the specific application needed for a task. This "least privilege" approach is critical for infrastructure security. Even if one system is compromised, the attacker is trapped in that application and can't move laterally to other assets.

## The five per cent visibility trap

Most water utilities only monitor about five per cent of their internal network traffic. Traditional tools are overwhelmed by the volume of data from industrial systems. But as South Staffordshire Water found, what you don't see can cost millions in fines and remediation. If attackers can lurk for years, you have a visibility problem.

We change this with a 100 per cent audit trail at the application layer. Agilicus records every access request, login, and denial in a searchable format. This turns monitoring from a passive checkbox into an active defence. Security teams can see exactly who accessed what and what they did. This level of auditability is now a regulatory necessity for any organization managing critical services. To identify your own gaps, our [Cyber Security Assessment](https://www.agilicus.com/cyber-security-assessment/) provides a roadmap for improvement. You can't fix what you can't see.
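The per-request verification, per-application grants and full audit trail described in the sections above can be sketched as follows. This is an added example, not Agilicus code or any product's API; the names `GRANTS`, `TRUSTED_DEVICES`, `Request`, `decide` and `denied_summary`, and all sample users, applications and devices, are hypothetical and constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample policy: each user is granted only the applications the job needs.
GRANTS = {"scada-hmi": {"operator1"}, "billing": {"clerk7"}}
TRUSTED_DEVICES = {"laptop-ops-01", "laptop-fin-03"}

@dataclass(frozen=True)
class Request:
    user: str
    app: str
    device: str
    password_ok: bool
    second_factor_ok: bool

def decide(req, audit):
    """Check user, factor, device and app grant; audit the outcome either way."""
    if not req.password_ok:
        reason = "bad_password"
    elif not req.second_factor_ok:
        reason = "missing_second_factor"   # a stolen password alone stops here
    elif req.device not in TRUSTED_DEVICES:
        reason = "unknown_device"
    elif req.user not in GRANTS.get(req.app, set()):
        reason = "no_grant_for_app"        # valid user, but not for this application
    else:
        reason = "ok"
    allowed = reason == "ok"
    audit.append({"time": datetime.now(timezone.utc).isoformat(),
                  "user": req.user, "app": req.app, "device": req.device,
                  "allowed": allowed, "reason": reason})
    return allowed

def denied_summary(audit):
    """Count denials per (user, reason) so repeated blocked attempts stand out."""
    return dict(Counter((r["user"], r["reason"]) for r in audit if not r["allowed"]))

def run_sample():
    audit = []
    sample = [  # constructed requests, one per outcome worth showing
        Request("operator1", "scada-hmi", "laptop-ops-01", True, True),
        Request("operator1", "scada-hmi", "laptop-ops-01", True, False),
        Request("operator1", "billing", "laptop-ops-01", True, True),
        Request("clerk7", "billing", "byod-phone", True, True),
    ]
    return [decide(r, audit) for r in sample], audit

if __name__ == "__main__":
    results, audit = run_sample()
    print(results, denied_summary(audit))
```

Denied requests are written to the same trail as allowed ones, which is what makes a run of blocked attempts against one account visible to a reviewer.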

## Legacy infrastructure doesn't need to be a security hole

Water utilities rely on legacy industrial control systems designed decades ago. They weren't meant for the internet and often lack multi-factor authentication. Many operators fear that modern security means expensive hardware or disruptive downtime. This fear often delays critical improvements.

The Agilicus approach handles this "legacy headache" by wrapping a security layer around these older systems. It doesn't require code changes or agents on sensitive equipment. You can implement Zero Trust for critical infrastructure today using the systems you already have. This non-disruptive approach lets utilities meet modern standards without risking operational uptime. It's a pragmatic way to bring twentieth-century infrastructure into a modern security environment.

## Conclusion: A pragmatic approach to security

The fine against South Staffordshire Water is a wake-up call for the entire utility industry. It's a reminder that doing nothing costs far more than implementing modern controls. But effective security isn't about building higher walls. It requires a fundamental shift in how we think about access, identity, and trust.

Every request must be verified, every action audited, and every user granted only the minimum access they need. At Agilicus, we prioritize business outcomes and reliability. By focusing on identity-aware access and application-level visibility, utilities can avoid the failures that led to the South Staffordshire breach. It's time to move beyond the perimeter and embrace Zero Trust for modern critical infrastructure.