The police force tasked with guarding UK nuclear plants reported 37 security breaches last year including the thefts of a uniform, confidential documents, an officer’s diary and three ‘classified’ Microsoft tablets.
The findings come after The Ferret lodged a freedom of information (FOI) request with the Civil Nuclear Constabulary (CNC) asking for details of security incidents between the start of April 2021 and the end of March 2022.
Alongside the thefts, there were 12 instances of personal data being compromised, and a further 19 cases where staff lost their warrant or identity cards.
The 37 incidents reported last year was the highest number for eight years.
The CNC is an armed force which protects ten civilian nuclear sites across the UK including Torness and Dounreay in Scotland. It is also responsible for the security of nuclear energy material when it is being transported.
The force says that countering terrorism is “at the heart” of its remit.
But campaigners said the CNC had allowed an “appalling litany of security breaches” which undermine the nuclear industry’s claim that its sites are among the most secure in the country.
One activist argued that “few things could be worse than terrorists getting into a nuclear plant” and called for an “urgent inquiry into why the CNC are doing such a terrible job” of preventing security incidents.
The CNC said that it takes security issues “extremely seriously” and has a “robust process” for dealing with reported breaches. The force claimed the majority of security incidents were “low level” such as the “mistyping an email address or sending a document with the wrong security classification”.
Few things could be worse than terrorists getting into a nuclear plant and we need an urgent inquiry into why the CNC are doing such a terrible job.
Richard Dixon, freelance researcher and member of the board of Environmental Standards Scotland
All of the stolen items were taken from vehicles, according to the FOI response. The tablets – which are listed as Microsoft Surface Pros – included classified information and were stolen while vehicles were outside secure premises.
The thefts of the diary and uniform, alongside the loss of the identity cards are all listed as ‘low level breaches’ by the force.
The CNC said these thefts had happened in two incidents when thieves accessed unmarked vehicles while they were parked at service stations. The tablets were encrypted and immediately wiped once the thefts were reported, it claimed.
Examples of personal data being compromised include information being “incorrectly uploaded to a cloud platform” and correspondence being sent to personal email addresses or the wrong external team.
There was also an incident of “inappropriate access to and sharing of police information” but the FOI response does not provide any further information about this.
| Year | No. of recorded security breaches |
|---|---|
| 2016-17 | 18 |
| 2017-18 | 23 |
| 2018-19 | 27 |
| 2019-20 | 25 |
| 2020-21 | 34 |
| 2021-22 | 37 |
The CNC has over 1,100 firearms officers at its disposal and has access to “over 10 different weapons systems”. The force has stationed armed police at non-military nuclear sites across the UK since 2005, after a decision was made to bulk up security at plants in the aftermath of the 9/11 attacks in America.
Its annual budget has grown by around £20m since 2016-17 and now sits at just over £120m. However, this increased spending power has not reduced the number of reported security breaches which have more than doubled in the last six years.
In 2021, the Office for Nuclear Regulation (ONR) – which oversees the civil nuclear industry – also recorded the highest number of security issues at UK nuclear sites for at least 12 years.
The 456 incidents flagged to the ONR by the whole nuclear industry that year included unauthorised people gaining access to secure areas of plants, and cybersecurity threats such as attacks using malicious software.
The growing number of security incidents comes at the same time that the UK Government has announced its ambition to boost production of nuclear energy.
It wants to build 24 gigawatts of new nuclear power capacity by 2050. One new station – Hinkley Point C in Somerset – is already under construction, while another – Sizewell C in Suffolk – has received planning permission.
Dr Paul Dorfman, chair of the Nuclear Consulting Group, told The Ferret he was “hugely concerned about the wisdom of this strategy” at a time when “security incidents are on the rise”.
He claimed that renewable technologies are a “cheaper, quicker and safer” option to reach climate targets than nuclear energy.
Richard Dixon, a freelance researcher and member of the board of Environmental Standards Scotland, questioned whether the breaches meant “any old terrorist can simply buy a security badge and a uniform down the local pub”.
“This is an appalling litany of security breaches,” Dixon said. “Because of the risk of terrorist attack, the nuclear industry always tells you their sites are among the most secure in the country.
“Few things could be worse than terrorists getting into a nuclear plant and we need an urgent inquiry into why the CNC are doing such a terrible job.”
Losing data, IDs and uniforms seriously calls into doubt the capacity of this authority to deal with terrorist threats.
Lynn Jamieson, Scottish Campaign for Nuclear Disarmament
The chair of the Scottish Campaign for Nuclear Disarmament, Lynn Jamieson, claimed the findings showed “nuclear power stations in the UK are as accident prone as anywhere else in the world”.
“Losing data, IDs and uniforms seriously calls into doubt the capacity of this authority to deal with terrorist threats,” she said.
The Ferret previously revealed details of security breaches at the CNC back in 2016. There had been 21 incidents in 2015-16 with smartphones and ID cards among the items stolen or lost.
At that time, the force’s then chief constable, Mike Griffiths, said it was looking to keep breaches to a “minimum and deal with them swiftly and robustly”.
Julie Carlisle, a data protection officer for the CNC, said that the increase in reporting in 2021-22 is “considered a positive thing” because it “demonstrates the security culture” at the force.
“From 1 April 2021 to 31 March 2022 we saw a slight increase in the number of security incidents reported to us, with the majority being low level incidents such as mistyping an email address or sending a document with the incorrect security classification,” she said.
“Since the two thefts from vehicles, we have reiterated the message to all employees that no CNC property, including uniform, must be left when a vehicle is unattended, and we have seen no further incidents.”
Carlisle added the lost identity cards were “immediately reported” and security was stepped up at the site where the staff who lost them were based.
“The CNC takes any potential security issues extremely seriously and has a robust and tested process for recording and dealing with any reported breaches,” Carlisle said.
Cover image thanks to deemac1/iStock
