#Infosec2025: Ransomware Drill to Spotlight Water Utility Cyber Risks

In the face of growing geopolitical instability, critical infrastructure organizations face an unprecedented level of cyber threats, putting their operations, data and very existence at risk.

Water utilities are prime targets, as our daily lives and activities are heavily reliant on water supplies and wastewater processes. The consequences of a breach could be catastrophic, disrupting essential services and potentially impacting public health.

Recent events in the UK, such as the ransomware attack against Southern Water in October 2024 and the alleged attacks against Thames Water in November 2024, have highlighted the sector’s vulnerability to these threats.

Identity security provider Semperis is hosting an immersive ransomware simulation focused on water utilities at Infosecurity Europe 2025.

Yossi Rachman, Semperis’ Director of Security Research, said his company recently found that around 60% of utility operators were targeted by cyber-attacks within the past year, with 80% of those suffering multiple attacks.

Blue Team v Red Team

The drill, called ‘Operation 999,’ will be set at a fictitious water treatment company.

Rachman will be the exercise’s facilitator and moderator. He explained to Infosecurity the premise of the scenario: “A new acting CISO has stepped in after the previous one was fired after several cyber-attacks. The new CISO has invested a lot of effort in hardening the systems, making sure everything is secure, recruiting top professionals and investing in bleeding-edge technologies in order to defend the different systems – and they’re certain that they’ll be able to contain any cyber-attack within minutes.”

The fictitious organization will have a blue team of cyber defenders, made up of eight to 10 participants from the public and private sector, including former hackers, incident response executives and members of government cybersecurity agencies.

However, the blue team will face an equally matched red team of attackers, led by Rob Shapland, an ethical hacker and Director of Cyonic Cyber.

“Rob’s team will show the CISO another kind of reality,” Rachman warned.

The two teams will be presented choices of actions based on a framework built by Rachman and his team and will have to nominate someone to explain the choices made at each round.

Actions include incident response and security measures, as well as cyber resilience and business continuity plans, internal and external communications.

Targeting SCADA Systems and Identities

The intrusion conducted by the red team will primarily target the fictitious company’s Supervisory Control and Data Acquisition (SCADA) systems and the integration between those systems and various IT systems, particularly those used to govern identities within the environment (e.g. Microsoft Active Directory integration).

“According to our recent study, 81% of cyber-attacks on utilities come from compromised identity systems, such as Microsoft’s Active Directory and Entra ID or Okta, for example,” Rachman added.

The ‘Operation 999’ will be hosted by Semperis on June 4 from 16:00 to 18:00 BST at The Good Hotel, Western Gateway, Royal Victoria Dock – just a few minutes from the ExCel London.

The 2025 event celebrates the 30th anniversary of Infosecurity Europe, taking place from June 3-5 at the ExCel London.

Register here to secure your place today.