What the Enhanced CAF (eCAF) Means for UK Water Companies
Cyro have previously introduced the NCSC Cyber Assessment Framework (CAF) as the gold standard for resilience in critical national infrastructure. However, as any engineer in the water industry knows, a framework designed for a bank doesn’t necessarily work for a sewage treatment works or pumping station.
The water sector faces a unique set of pressures, such as geographically dispersed assets, legacy Operational Technology that predates the internet, and a regulator (the Drinking Water Inspectorate or DWI) that is increasingly focused on evidence over assertion.
For the first article in our sector-specific series, we’re diving into the UK Water sector’s specific implementation of the CAF, the shift toward the Enhanced Profile (eCAF), and where the real compliance pitfalls lie.
The Regulator's View
While the NCSC designs the framework, the DWI, as the competent authority, enforces it. For UK Water companies, the days of "basic" cyber hygiene are rapidly ending.
The sector has moved decisively toward the Enhanced Profile, often referred to as eCAF. This is a fundamental shift in risk appetite. The DWI recognises that the disruption of water supply or wastewater treatment constitutes a severe risk to public health and the environment. Consequently, the "Basic" profile, which assumes a threat actor with modest capabilities, is no longer considered sufficient for Critical National Infrastructure.
The eCAF assumes your adversary is capable, well resourced, and persistent.
Key Nuances of the Water Sector Profile
If you’re tasked with aligning a Water company’s security posture with the eCAF, generic IT controls won't cut it. Here are the three friction points we at Cyro Cyber see most often in the field:
The "Distributed Asset" Dilemma
Unlike a data centre, a Water company’s "network" includes thousands of unmanned pumping stations, reservoirs, and telemetry outstations spread across hundreds of square miles.
Principle B2 (Identity and Access Control) and B5 (Resilient Networks) are notoriously difficult here. How do you enforce Multi-Factor Authentication (MFA) on a legacy PLC at a remote borehole with poor 4G signal?
The DWI expects you to have a handle on all ingress points. The eCAF demands that you stop viewing these remote sites as "low risk" simply because they are small. If they connect back to the central SCADA network, they are a pathway for lateral movement.
Visibility
Water companies are digitalising rapidly, with smart meters, digital twins, and remote telemetry becoming standard. This further blurs the line between corporate IT and industrial OT and sharpens a familiar challenge: you cannot protect what you cannot see. The eCAF places a heavy emphasis on Asset Management (A3).
Many Water companies still rely on spreadsheets to track OT assets. To meet the Enhanced profile, you need automated, live visibility into your OT estate. You need to know not just what devices are on the network, but also what they are talking to: their connections.
Supply Chain Dependencies
The water treatment process relies on a fragile just-in-time supply chain for chemicals (chlorine, coagulants, etc.) and niche third-party support for proprietary OT kit. Principle A4 (Supply Chain) requires you to understand the cyber maturity of your critical suppliers.
The question in practice is this: if a ransomware attack hits your chemical supplier, how long can you maintain safe water production? The eCAF asks you to plan for these "ripple effect" scenarios.
Deadlines and Drivers - AMP8 and Beyond
The timing of this shift isn't accidental. Within the current AMP8 (Asset Management Period 8), the DWI is using the Price Review mechanism (PR24) to ensure that cyber resilience is funded, but that funding comes with strings attached.
There is a growing expectation that critical systems must reach the Enhanced profile standards by roughly 2028. This aligns with the broader push across UK CNI to "harden" defences against state-sponsored threats.
Furthermore, the incoming Cyber Security and Resilience Bill is set to give regulators more teeth, including the power to mandate specific reporting timelines and verify self-assessments more aggressively. The "mark your own homework" era is fading, and the DWI is increasingly conducting verification audits to ensure your "Green" status on the dashboard matches reality on the ground.
How We Can Help
At Cyro Cyber, we specialise in CNI cyber security, with specific experience in UK Water providers. We understand that you can’t just patch a 20-year-old SCADA system or air-gap a cloud-connected telemetry hub.
We help Water sector organisations (and their supply chains) make sense of the eCAF, via:
Gap Analysis: Defining your current operating position against the Enhanced profile, with risk treatment guidance and support.
OT Specific Remediation: Designing security controls that respect the physics of water treatment (e.g., ensuring security scans don't trip PLCs).
DWI Reporting Support: Helping you translate technical risks into the language of the regulator.
Get in touch today to discuss further.