Office for Nuclear Regulation

Cyber attacks

Date released
24 November 2021
Request number


Release of information under
Freedom of Information Act 2000 (FOIA)

Information requested

I would like to request a breakdown of cyber-attacks in the nuclear sector since 1 January 2015. I would like the figures to be broken to show:

Information released

I confirm that under Section 1 of the FOIA we hold the information requested.

Civil Nuclear duty holders are required to report certain events and matters related to cyber security to us as specified under Regulation 10, 18 and 22 of the Nuclear Industries Security Regulations (NISR) 2003. Reports are submitted using an Incident Notification Form 1 (INF 1).

Please see the table, reproduced below, detailing the information you require which has been extracted from the database containing the INF1 notifications and covers the period 1 January 2015 to 31 October 2021.

Year Number of Confirmed Cyber-attacks* Entity
2015 3 Power station
2016 1 Power station/Decommissioning site
2017 0 N/A
2018 1 Corporate offices
2019 0 N/A
2020 3 Research facility, Decommissioning site, Corporate offices
2021 0 N/A

*The meaning of a cyber-attack is taken from the following National Cyber Security Centre (NCSC) definition “Malicious attempts to damage, disrupt or gain unauthorised access to computer systems, networks or devices, via cyber means.”

Further Information:

You may wish to refer to the FOI releases on our website to view previous similar requests.

Exemptions applied


PIT (Public Interest Test) if applicable