UK warns nuclear power plant operator of cybersecurity failings

EDF, the company operating several nuclear power plants in Britain, has been placed under “significantly enhanced regulatory attention” after an inspection into its cybersecurity practices.

The new attention is an escalation of the enhanced regulatory attention that EDF — a subsidiary of the French state-owned energy company Électricité de France — received last year.

Since then, EDF failed to “meet its commitment to provide us with a comprehensive and fully resourced cyber security improvement plan,” according to the U.K. chief nuclear inspector’s annual report.

A company spokesperson said EDF understands that cybersecurity “is a dynamic issue for all organisations and we will continually improve how we manage it to allow scrutiny to return to a routine level in the future.”

EDF’s current efforts “mean there is no risk to plant safety at our power stations,” the spokesperson said. “We also recognise the importance of information security and the risks associated with loss of information.”

There is no evidence that any British nuclear power plants have been successfully attacked by hackers, however the Intelligence and Security Committee (ISC) of Parliament warned earlier this year that China has been engaging in widespread cyber operations as well as targeting projects in the civil nuclear sector.

The ISC said Chinese threat actors had broken into the computer networks of British and international companies within the energy sector, although these were said to be targeting the non-nuclear sector as a result of China’s “huge domestic demand for energy.”

Beyond the shortcomings, the causes of the new regulatory attention, which was first reported by The Ferret, have not been publicly released.

EDF, which supplies energy to more than 5 million business and residential customers, generated more than £8.7 billion in revenues in 2021. Its press office did not respond to a request for comment.

As set out in the U.K.'s civil nuclear cybersecurity strategy, the National Cyber Security Centre (NCSC) threat assessment warns that ransomware “almost certainly represents the most likely disruptive threat.”

A ransomware attack on the IT systems used by a nuclear power plant could disrupt its operations, although the industrial systems are designed with multiple failsafes to prevent a radiological accident.

Cyberattacks targeting the operational technology systems at power plants are rare, but not unheard of — with the Triton malware discovered in Saudi Arabia in 2017 among the best known and most concerning examples.

It is not known whether the suspected Russian actors behind this attack could have engineered a method to overcome the failsafe mechanisms preventing an explosion.

According to the British government’s National Risk Register, a cyberattack on the computer systems controlling a nuclear reactor could potentially require a controlled shutdown as a protective measure.

Although the register did not record any risk of radiological contamination, the disruption to energy production could be especially lengthy due to the regulatory controls around nuclear safety and security.