Office for Nuclear Regulation

Cyber threats to UK civil nuclear sites 2018 and 2019

Date released
4 June 2019
Request number
201905007
Release of information under
Freedom of Information Act 2000

Information requested

  1. How many "initial notifications" the ONR received, as laid out in the ONR's guidance, from civil nuclear license holders relating to security breaches during the whole of 2018, and up to the latest date possible in 2019?
  2. How many INF1 reports the ONR received from civil nuclear license holders relating to security breaches during the whole of 2018, and up to the latest date possible in 2019?
  3. Of these – both any "initial notifications" and any INF1 reports – how many were related to cyber security threats or attacks?
  4. Please provide any, if not all, of the following details relating to these reported incidents: the nuclear license holder, the nuclear license site concerned, the date, and a brief description of the final outcome of the incident.

Information released

ONR’s response to question 1

Under the Nuclear Industries Security Regulations (NISR) 2003 all operators of civil licensed nuclear sites are required to have a site security plan. The plan is formally approved by ONR on behalf of the Secretary of State for Business, Energy and Industrial Strategy. Where certain events or matters occur on these sites, such as a failure to comply with some aspect of that plan, the operator is legally required to report it formally in accordance with Regulation 10 of NISR 2003. This is done through an initial notification followed by submission of an INF1 form.

Records of initial notifications are not held, and we are therefore unable to answer question 1 fully. There is, however, a process in place to ensure that every initial notification is followed up formally in writing by an INF1 form, as required under NISR 2003. The number of INF1 forms given in the response to question 2 therefore serves as the closest available count of initial notifications.

ONR’s response to question 2

ONR received 214 INF1 forms in 2018 and 102 in 2019 up to 7 May 2019. All relate to reportable events or matters submitted by operators of civil nuclear licensed sites under the requirements of Regulation 10.

ONR’s response to question 3

Of the 316 INF1 forms received (214 in 2018 and 102 in 2019 up to 7 May 2019), two relate to cyber security threats or attacks.

ONR’s response to question 4

Incident 1:

Licence Holder: EDF Energy Nuclear Generation Limited (NGL)

Licence Site: Barnwood

Date: 09/10/2018

Outcome: EDF Energy NGL network users received a number of targeted phishing emails sent from a known third party whose system had been compromised. EDF Energy NGL blocked access to the external web sites hyperlinked within the emails, and communications were sent to all recipients of the phishing email asking them to confirm what actions they had taken in relation to it. A further technical review of access to the external web sites was undertaken. All users known to have received the phishing email had their passwords reset as a precaution. There was no indication of compromise to the EDF Energy NGL network. The third party system falls outside of ONR's regulatory scope.
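The response steps recorded for Incident 1 (block the hyperlinked sites, identify who received the lure, review who actually reached those sites, reset passwords) are a standard phishing triage. The following is an added example of how that "technical review of access" is typically done by correlating the lure's URLs with web-proxy logs; it is not ONR's or EDF Energy's code, and the email body, recipient list, proxy log format, domains and usernames are all constructed for illustration. It also goes one step beyond the page by distinguishing users who merely fetched the site from those who submitted a form to it, and by flagging clickers who were not on the known recipient list.

```python
"""Phishing triage: derive a proxy block list from a lure's hyperlinks, then
find which users reached those sites. Added example with constructed data;
not code from the ONR release or from EDF Energy."""
import json
import re
from urllib.parse import urlparse

# Constructed phishing email (only the body matters here).
PHISHING_EMAIL = """From: accounts@supplier-portal.example
To: alice@nuclearops.example
Subject: Invoice overdue - action required
Please review the invoice at https://supplier-portal.example.invoice-review.xyz/login
or raise a ticket via http://docs.invoice-review.xyz/ticket/4471
"""

# Constructed recipient list, as a mail gateway delivery log would give it.
RECIPIENTS = ["alice", "bob", "carol", "dave"]

# Constructed proxy log lines: timestamp, user, method, URL, HTTP status.
PROXY_LOG = """\
2018-10-09T09:02:11Z alice GET https://supplier-portal.example.invoice-review.xyz/login 200
2018-10-09T09:03:40Z bob GET https://intranet.nuclearops.example/news 200
2018-10-09T09:05:02Z carol GET http://docs.invoice-review.xyz/ticket/4471 200
2018-10-09T09:05:03Z carol POST https://supplier-portal.example.invoice-review.xyz/login 302
2018-10-09T09:10:55Z erin GET https://supplier-portal.example.invoice-review.xyz/login 200
"""

URL_RE = re.compile(r"https?://[^\s<>'\"]+")


def extract_urls(message):
    """Return the hyperlinks embedded in an email body, in order of appearance."""
    return URL_RE.findall(message)


def registrable_domain(url):
    """Key a URL by its last two host labels. This is a deliberate simplification
    (a real triage would use the public suffix list); it is enough to group the
    look-alike subdomains an attacker registers under one domain."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def block_list(urls):
    """Domains to push to the web proxy block list (one entry per domain)."""
    return sorted({registrable_domain(u) for u in urls})


def parse_proxy_log(text):
    for line in text.splitlines():
        ts, user, method, url, status = line.split()
        yield {"ts": ts, "user": user, "method": method, "url": url, "status": int(status)}


def users_who_clicked(log_text, blocked_domains):
    """Map each user whose traffic touched a blocked domain to the evidence lines."""
    hits = {}
    for rec in parse_proxy_log(log_text):
        if registrable_domain(rec["url"]) in blocked_domains:
            hits.setdefault(rec["user"], []).append(rec)
    return hits


def users_who_posted(hits):
    """Users who submitted a form (POST) to the phishing site: likely credential entry,
    so they warrant an immediate reset rather than a precautionary one."""
    return sorted(u for u, recs in hits.items() if any(r["method"] == "POST" for r in recs))


def triage(message, recipients, log_text):
    blocked = set(block_list(extract_urls(message)))
    hits = users_who_clicked(log_text, blocked)
    clicked = sorted(hits)
    return {
        "block": sorted(blocked),
        # Precautionary reset covers every known recipient plus anyone seen clicking.
        "reset_precautionary": sorted(set(recipients) | set(clicked)),
        "clicked": clicked,
        "submitted_credentials": users_who_posted(hits),
        # Clickers missing from the recipient list mean the lure spread further
        # than the gateway log shows (forwarding, or a second wave).
        "not_in_recipient_list": sorted(set(clicked) - set(recipients)),
    }


if __name__ == "__main__":
    print(json.dumps(triage(PHISHING_EMAIL, RECIPIENTS, PROXY_LOG), indent=2))
```

Run on the constructed data, the triage blocks `invoice-review.xyz`, lists alice, carol and erin as having reached it, singles out carol as having posted a form to it, and flags erin as a clicker who was never on the recipient list, which is exactly the case the confirmation emails described above would otherwise miss.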

Incident 2:

Licence Holder: Magnox

Licence Site: Wylfa

Date: 10/04/2019

Outcome: As the investigation is currently ongoing, we do not currently hold the information and no final outcome is yet available. In accordance with the ONR guidance NR-OPEX-GD-001, Notifying and Reporting Incidents and Events to ONR, cited in question 1, a report is expected to be produced within 60 days (see sections 3.1.4 and 3.1.5 of that guidance).

To clarify the response to questions 3 and 4, you may wish to note that the nuclear industry, like any other industry, is subject to cyber-attacks. However, where the attack is defeated by the ‘defence in depth’ cyber security controls maintained by dutyholders, this would fall below the reporting threshold and an INF1 would not be raised. There is no requirement for dutyholders to report attacks on systems that fall outside of ONR’s regulatory scope.

You may also wish to refer to the FOI releases on the ONR website to view previous similar requests: http://www.onr.org.uk/foi/information-releases.htm

Exemptions applied

N/A

PIT (Public Interest Test) if applicable

N/A