A multinational nuclear power company has been hit by an official crackdown because of cyber security failures that critics warned were a “very real and present danger”.
Oversight of EDF Energy by the UK Government’s safety watchdog, the Office for Nuclear Regulation, has been “significantly enhanced” to combat “shortfalls” in defences against digital attacks. This means more inspections and increased scrutiny of EDF’s cyber security.
EDF is a French government company that runs one nuclear power station in Scotland, at Torness in East Lothian, and four in England. It is also building a new nuclear station at Hinkley Point in Somerset.
Campaigners described EDF’s failure to properly protect its nuclear operations from “potentially dangerous cyber attacks” as “incomprehensible”. Nuclear plants were “vulnerable” to computer viruses that could threaten safety, they said.
EDF, however, was confident that its cyber security was “robust” and that there was “no risk” to nuclear safety. It promised to “continually improve” its management of threats so that regulation could return to a routine level.
No details of EDF’s cyber security failings have been released for fear of helping would-be hackers. Cyber attacks are on the increase, with many organisations – such as the Scottish Environment Protection Agency – severely impacted.
The Times reported in 2017 that insecure passwords used by EDF nuclear managers had been found in two lists of stolen credentials traded on Russian hacking sites. According to The Telegraph in 2019, UK government intelligence experts had been called in after a cyber attack on an unnamed nuclear power company, suspected to be EDF.
The Ferret revealed in March 2023 that the police force tasked with guarding UK nuclear plants reported 37 security breaches in 2021-22, the highest for eight years. In August we reported that the Ministry of Defence’s nuclear managers had recorded 113 “security concerns” since 2017-18.
The Office for Nuclear Regulation (ONR) initially put EDF under “enhanced” attention in 2022 because of concerns about its cyber security. But a new report from ONR’s chief nuclear inspector, Mark Foy, revealed that regulation has now been toughened.
“EDF did not meet its commitment to provide us with a comprehensive and fully resourced cyber security improvement plan, as agreed, by end of March,” said Foy.
“Consequently, EDF’s corporate centre has been moved to significantly enhanced regulatory attention for cyber security.” EDF’s nuclear headquarters are in Gloucester, England.
Foy added: “EDF has made two new appointments to specifically address cyber security. We have subsequently met with EDF senior team to ensure regulatory expectations are understood.”
ONR told The Ferret that it took cyber security “extremely seriously” and required “high standards”. Nuclear stations had “multiple layers” of security to protect against breaches.
“However, we also expect continuous improvement and judged that EDF’s delivery of their cyber improvement programme had not progressed in line with commitments made,” said ONR’s regulation director, Paul Fyfe.
“EDF responded positively to remedy identified shortfalls and quicken progress in delivering improvements. The enhanced attention level also means increased regulatory scrutiny, with more ONR inspections providing assurance of programme delivery and effectiveness.”
Fyfe added: “We will continue to hold EDF to account against the high standards we require so that their power stations remain safe and secure.”
It is understood that increased regulation was not triggered by any specific event, but by concerns about EDF’s ability to demonstrate that its systems were robust. EDF’s delayed cyber improvement plan is now said to have been shared with ONR.
Nuclear plants ‘vulnerable’ to cyber attack
Dr Paul Dorfman, a nuclear critic and visiting fellow at the science policy research unit in the University of Sussex, highlighted concerns expressed by the UN’s International Atomic Energy Agency (IAEA) about the growing threats posed by cyber attacks.
Nuclear power plants are “vulnerable,” Dorfman said. “Cyber attacks threaten the security of nuclear facilities by compromising command and control systems and damaging safety, security and emergency responses.”
He added: “Rapidly spreading computer viruses and worms can infect instrument systems and corrupt files. EDF’s persisting failure to prepare for the very real and present danger of cyber attack on nuclear facilities is, quite simply, incomprehensible.”
Pete Roche, a consultant and anti-nuclear campaigner based in Edinburgh, pointed out that the Torness nuclear station was due to keep operating until 2028 despite cracks spreading in its graphite core.
“We need an operating company which can give meticulous attention to detail,” he said. “These revelations about cyber security seem to indicate that EDF is not capable of doing that.”
Roche also criticised EDF for trying to build more nuclear power stations. “And yet they don’t even seem capable of protecting themselves against potentially dangerous cyber attacks,” he argued.
David Livingstone, a cyber security expert at Chatham House in London who previously advised the Scottish Government, warned that there could be no “second best” when it came to protecting nuclear power stations from digital attacks.
Working out whether cyber attackers were foreign states, campaign groups or individual hackers could be impossible, he said. “And a nuclear energy operator must not overlook the possibility that an attack could come from an insider,” he added.
“Keeping nuclear facilities secure from cyber threats is not a static environment. Threat actors are constantly developing their capacities, nuclear technologies are changing, outside world events are causing shifts in risk axes.
“Everybody has to be on their toes, particularly within critical national infrastructures, of which nuclear energy is but one.”
EDF insisted its nuclear operations were safe. “We are confident that the robust cyber security arrangements we have in place mean there is no risk to plant safety at our power stations,” a company spokesperson told The Ferret.
“We also recognise the importance of information security and the risks associated with loss of information. Cyber security is a dynamic issue for all organisations and we will continually improve how we manage it to allow scrutiny to return to a routine level in the future.”
Cover image thanks to iStock/Philip Silverman.