Under the Nuclear Industries Security Regulations (NISR) 2003 all operators of civil licensed nuclear sites are required to have a site security plan. The plan is formally approved by ONR on behalf of the Secretary of State for Business, Energy and Industrial Strategy. Where certain events or matters occur on these sites, such as a failure to comply with some aspect of that plan, the operator is legally required to report it formally in accordance with Regulation 10 of NISR 2003. This is done through an initial notification followed by the submission of an INF1 form.
Records of initial notifications are not held and therefore we are unable to answer question 1 fully. There is, however, a process in place to ensure that every notification is followed up formally in writing by an INF1 form, as required under NISR 2003, so the response to question 2 provides the correlation between initial notifications and INF1s.
ONR received 214 INF1 forms in 2018 and 102 in 2019 up to 7 May 2019. All relate to reportable events or matters submitted by operators of civil nuclear licensed sites under the requirements of Regulation 10.
Of the INF1 forms received, two relate to cyber security threats or attacks.
Licence Holder: EDF Energy Nuclear Generation Limited (NGL)
Licence Site: Barnwood
Outcome: EDF Energy NGL network users received a number of targeted phishing emails from a compromised known third party. EDF Energy NGL blocked access to external web sites hyperlinked within the emails and communications were sent to all recipients of the phishing email asking them to confirm their actions in relation to the phishing email. A further technical review of access to the external web sites was undertaken. All users known to have received the phishing email had their passwords reset as a precaution. There was no indication of compromise to the EDF Energy NGL network. The third party system falls outside of ONR’s regulatory scope.
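The response sequence described above (block the hyperlinked sites, identify who received the email, review gateway access to those sites, reset passwords as a precaution) can be carried out from two artefacts: the phishing email itself and the web proxy log. The script below is an added illustration of that triage, not part of the ONR response or EDF Energy NGL's own procedure; the email, recipient list and proxy log lines are constructed for the example, and the log format (timestamp, user, method, URL, status) is an assumption.

```python
"""Phishing triage helper (added example; constructed data, not a real incident).

Assumed inputs:
  - the raw phishing email as delivered (RFC 822 text with an HTML body)
  - proxy / web-gateway log lines in the assumed form
        <iso-timestamp> <user> <method> <url> <status>
  - the list of users the email was delivered to
"""
from email import policy
from email.parser import Parser
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _HrefCollector(HTMLParser):
    """Collect href targets from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def extract_links(raw_email: str) -> list[str]:
    """Return the web hyperlinks found in the email's HTML part(s)."""
    msg = Parser(policy=policy.default).parsestr(raw_email)
    collector = _HrefCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    # mailto:/tel: links are not blockable at a web gateway; keep http(s) only.
    return [h for h in collector.hrefs if urlsplit(h).scheme in ("http", "https")]


def blocklist_hosts(links) -> set[str]:
    """Hostnames to block at the web gateway (lower-cased, port stripped)."""
    hosts = set()
    for link in links:
        host = urlsplit(link).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def users_who_clicked(log_lines, blocked_hosts) -> dict[str, list[str]]:
    """Map each user to the blocked URLs they reached, from proxy log lines."""
    hits = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the triage
        _ts, user, _method, url, _status = fields[:5]
        host = urlsplit(url).hostname
        if host and host.lower() in blocked_hosts:
            hits.setdefault(user, []).append(url)
    return hits


def triage(raw_email, recipients, log_lines) -> dict:
    """Produce the four action lists used in the response described above."""
    hosts = blocklist_hosts(extract_links(raw_email))
    clicked = users_who_clicked(log_lines, hosts)
    return {
        "block": sorted(hosts),                    # gateway blocklist
        "contact": sorted(set(recipients)),        # ask every recipient what they did
        "clicked": clicked,                        # targets for technical review
        # Precautionary reset: every recipient, plus anyone who reached a
        # blocked host without being on the recipient list (e.g. a forward).
        "reset": sorted(set(recipients) | set(clicked)),
    }


# Constructed sample data (not real addresses, users or traffic).
PHISH_EMAIL = """\
From: accounts@supplier.example
To: alice@corp.example, bob@corp.example, carol@corp.example
Subject: Updated invoice - action required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the invoice via our <a href="https://portal-login.example.net/inv/7731">secure portal</a>.</p>
<p>Or <a href="http://docs-share.example.org/view?id=7731">download it here</a>.</p>
<p>Questions? <a href="mailto:accounts@supplier.example">Email us</a>.</p>
</body></html>
"""

RECIPIENTS = ["alice", "bob", "carol"]

PROXY_LOG = [
    "2019-03-04T09:12:01Z alice GET https://portal-login.example.net/inv/7731 200",
    "2019-03-04T09:12:05Z alice POST https://portal-login.example.net/inv/7731/auth 302",
    "2019-03-04T09:14:40Z bob GET https://intranet.corp.example/news 200",
    "2019-03-04T09:20:13Z dave GET http://docs-share.example.org/view?id=7731 200",
    "garbled line",
]

if __name__ == "__main__":
    for action, who in triage(PHISH_EMAIL, RECIPIENTS, PROXY_LOG).items():
        print(f"{action}: {who}")
```

The "reset" list deliberately includes a user who reached a blocked host but was not on the recipient list; in a real response that is the case (a forwarded copy) the recipient list alone would miss, which is why the access review is done in addition to contacting recipients.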
Licence Holder: Magnox
Licence Site: Wylfa
Outcome: As the investigation is currently ongoing, we do not yet hold the information and no final outcome is available. In accordance with ONR guidance NR-OPEX-GD-001, Notifying and Reporting Incidents and Events to ONR, cited in the response to question 1, it is expected that a report should be produced within 60 days (see sections 3.1.4 and 3.1.5 of the ONR guidance).
To clarify the response to questions 3 and 4, you may wish to note that the nuclear industry, like any other industry, is subject to cyber-attacks. However, where the attack is defeated by the ‘defence in depth’ cyber security controls maintained by dutyholders, this would fall below the reporting threshold and an INF1 would not be raised. There is no requirement for dutyholders to report attacks on systems that fall outside of ONR’s regulatory scope.
You may also wish to refer to the FOI releases on the ONR website to view previous similar requests: http://www.onr.org.uk/foi/information-releases.htm