UK Cites Nuclear Plant Operator Over Cybersecurity Strategy

The UK Government’s safety watchdog, the Office for Nuclear Regulation (ONR), has placed a nuclear firm on notice over its cybersecurity practices.

In the chief nuclear inspector’s annual report on Great Britain’s nuclear industry, the ONR stated that EDF Energy has been placed on “significantly enhanced regulatory attention” after an inspection into its cybersecurity practices.

The ONR decision to closely study the cyber credentials of a nuclear power station operator in the UK, comes amid growing tensions about the cyber actions of hostile nation states.

EDF cited

EDF it should be remembered is a French power utility, and it runs one nuclear power station in Scotland (Torness in East Lothian), as well four nuclear power stations in England.

EDF is also building a new nuclear station at Hinkley Point in Somerset.

In the chief nuclear inspector’s annual report, EDF was cited for not providing the inspector with a “comprehensive and fully resourced cyber security improvement plan.”

“EDF did not meet its commitment to provide us with a comprehensive and fully resourced cyber security improvement plan, as agreed, by end of March,” the report stated. “Consequently, EDF’s corporate centre has been moved to significantly enhanced regulatory attention for cyber security.”

“EDF has made two new appointments to specifically address cyber security,” the report stated. “We have subsequently met with EDF senior team to ensure regulatory expectations are understood.”

Silicon UK understands that the ONR’s decision to change the level of attention to “significantly enhanced” is not related to any specific cyber event, but more concerns EDF’s ability to demonstrate its systems are robust.

Essentially, it is understood that EDF did not deliver a cyber improvement plan by the end of March, which prompted the ONR’s escalation of attention.

Silicon UK understands that this plan is now in place and has been shared with the ONR.

High Standards

Paul Fyfe, Director of Regulation, Civil Nuclear Security and Safeguards for the Office for Nuclear Regulation (ONR), told Silicon UK that the nuclear regulator will continue to hold EDF to the high standards it requires.

“As the independent regulator, we strive to be as open and transparent as possible so that the public can understand our work, and trust us to hold the nuclear industry to account,” Fyfe told Silicon UK.

“Our annual Chief Nuclear Inspector’s report details the performance of the industry during the previous financial year – including positive achievements and shortfalls where they are identified,” said Fyfe.

“We take cyber security extremely seriously and require high standards at all civil nuclear facilities,” Fyfe told Silicon UK. “For this reason, all the operating EDF nuclear power stations have defence in depth systems – this means multiple layers of both security and safety which are designed to protect against cyber security breaches.

“However, we also expect continuous improvement and judged that EDF’s delivery of their cyber improvement programme had not progressed in line with commitments made and so moved them into a level of significantly enhanced attention for cyber security,” said Fyfe.

“EDF responded positively to remedy identified shortfalls and quicken progress in delivering improvements,” Fyfe said. “The enhanced attention level also means increased regulatory scrutiny, with more ONR inspections providing assurance of programme delivery and effectiveness.”

“We will continue to hold EDF to account against the high standards we require so that their power stations remain safe and secure,” Fyfe concluded.

EDF response

Meanwhile EDF Energy told Silicon UK that it is confident in its robust cyber security measures.

“We are confident that the robust cyber security arrangements we have in place mean there is no risk to plant safety at our power stations,” an EDF spokesperson told Silicon UK.

“We also recognise the importance of information security and the risks associated with loss of information.”

“Cyber security is a dynamic issue for all organisations and we will continually improve how we manage it to allow scrutiny to return to a routine level in the future,” the EDF spokesperson said.

Nuclear security

The issue of cybersecurity and operators of nuclear power stations tends to a sensitive subject.

In November 2020 a cyber attack took down the official website of the Japanese nuclear regulator for a number of hours.

In mid 2019 Indian officials confirmed that its newest nuclear power plant (the Kudankulam nuclear power plant) had been hacked.

In 2017, the United States had warned of ongoing online attacks on critical sectors including energy, nuclear and manufacturing.

That came after the US Department of Energy (DOE) acknowledged a campaign of attacks that targeted a number of energy companies, including at least one nuclear plant.

In 2016 a German nuclear power plant in Bavaria admitted that its systems were riddled with malware, and it was shut down as a precaution.

In 2015 an attacker managed to hack into the systems of a nuclear power plant in South Korea. A computer worm was later discovered in a device connected to the control system, but the plant operator insisted that the breach had not reached the reactor controls itself.

The hacker later posted files from the hack online, and included a demand for money.

Potential red flag

However the decision by the chief nuclear inspector to place EDF under greater examination has prompted a reaction from a cybersecurity professional.

“With the news that EDF failed to ‘meet its commitment to provide us with a comprehensive and fully resourced cyber security improvement plan,’ according to the UK chief nuclear inspector’s annual report is an extremely worrying ‘red flag’ for the UK critical energy infrastructure as well as UK government and regulatory policy failing,” noted Simon Chassar, CRO at Claroty.

“The reason for this is that ISA/IEC 62443 series of standards was formerly approved and published in 2018 which was endorsed by the United Nations and across 20 different industries for securing ICS automation controls; 8 years after the Stuxnet malware which affects ICS environments causing them to malfunction and feed false data,” said Chassar.

Stuxnet is thought to have been created by both Israel and the United States, after it was discovered in 2010 when it was used to attack a uranium enrichment facility at Iran’s Natanz nuclear site.

“Nuclear power is a critical infrastructure for society power needs in the UK, generating 15 percent of the UK power but also a serious highly managed environmental risk,” said Chassar.

“A cyberattack on any nuclear generation station could create massive impacts on the UK whichever nation-state sponsored or criminal faction decided to target it,” said Chassar. “The UK Government should consider adopting the American NERC-CIP security regulation (which also applies to Canada and Mexico) for the UK energy sector as well as providing the regulator with an ability to enforce failure on cyber controls; with some consideration of direct control of technology adoption, loss of licenses and financial impacts.

“Implementing a technology that quickly identifies connected physical assets and their vulnerabilities (CVE-CVSS) and known exploits (EPSS) is the immediate requirement so that a plan to reduce the inherent risk can start immediately; then start to connect anomaly alerts and known alerts into Security operations for monitoring,” Chassar concluded.