France-headquartered energy giant EDF has been singled out by the UK’s Office for Nuclear Regulation (ONR) and placed under significantly enhanced regulatory attention for cyber security – the highest possible level of scrutiny – after the critical national infrastructure (CNI) operator failed to comply with previously made commitments to enhance its cyber security posture.

The ONR had put EDF under enhanced attention in 2022, after routine inspections found that EDF had fallen short in areas including governance, risk and compliance, and a number of technical controls. Some of these issues are understood to have related to an ongoing IT upgrade.

In its latest annual report, the ONR said: “EDF did not meet its commitment to provide us with a comprehensive and fully resourced cyber security improvement plan, as agreed, by end of March [2023].

“Consequently, EDF’s corporate centre has been moved to significantly enhanced regulatory attention for cyber security. EDF has made two new appointments to specifically address cyber security. We have subsequently met with EDF senior team to ensure regulatory expectations are understood.”

An EDF spokesperson told Computer Weekly: “We are confident that the robust cyber security arrangements we have in place mean there is no risk to plant safety at our power stations. We also recognise the importance of information security and the risks associated with loss of information. Cyber security is a dynamic issue for all organisations and we will continually improve how we manage it to allow scrutiny to return to a routine level in the future.”

EDF operates a significant tranche of the UK’s nuclear power infrastructure, including facilities at Hartlepool in County Durham, Heysham in Lancashire, Sizewell in Suffolk and Torness in East Lothian. Together with China General Nuclear Power Group, it is also behind the troubled Hinkley Point C project in Somerset, which has been plagued by delays and cost overruns.

Simon Chassar, chief risk officer (CRO) at Claroty, said EDF’s failings were a “red flag” given the operation’s status as a critical element of the UK’s energy infrastructure, which is deemed at high risk of cyber attack. It also, he added, pointed to UK government and regulatory policy failings.

“The reason for this is that ISA/IEC 62443 series of standards was formerly approved and published in 2018 which was endorsed by the United Nations and across 20 different industries for securing ICS [industrial control system] automation controls; 8 years after the Stuxnet malware which affects ICS environments causing them to malfunction and feed false data,” said Chassar.

“A cyber attack on any nuclear generation station could create massive impacts on the UK whichever nation-state sponsored or criminal faction decided to target it. The UK government should consider adopting the American NERC-CIP security regulation – which also applies to Canada and Mexico – for the UK energy sector as well as providing the regulator with an ability to enforce failure on cyber controls; with some consideration of direct control of technology adoption, loss of licenses and financial impacts.

“Implementing a technology that quickly identifies connected physical assets and their vulnerabilities (CVE-CVSS) and known exploits (EPSS) is the immediate requirement so that a plan to reduce the inherent risk can start immediately; then start to connect anomaly alerts and known alerts into security operations for monitoring,” he added.

Progress in other regards

Elsewhere, the ONR noted progress on cyber security made by some of the UK’s other nuclear power specialists, notably Sellafield Ltd, which has been under significantly enhanced regulatory attention for some time.

The ONR said it had now set out a “clear action path” for Sellafield Ltd to return to routine regulatory attention. “We have worked to ensure that Sellafield Ltd’s operational teams and leaders better understand their security risks and how these are effectively managed. We have been pleased by their willingness to engage in this area, including in cyber security,” said the regulator.

In general, the ONR said the industry did acknowledge the need to invest more in protecting against cyber threats, in line with commitments made in the 2022 civil nuclear cyber security strategy.

“We have, in partnership with Accenture, completed a series of briefings to dutyholder executive teams to reinforce the need for strong leadership in cyber security risk management and provided details of relevant good practices which have been successfully adopted in other industries,” said the regulator.

“We have commenced a series of thematic inspections which will assess the adequacy of cyber security leadership and risk management arrangements. While this work is ongoing, initial insight suggests that improvements are required from some dutyholder leadership teams to ensure they are actively defining a suitable cyber security strategy for their organisation.

“Dutyholders also need to ensure that they have the skills necessary within their leadership team to understand any specific cyber security risks and manage these appropriately,” added the ONR.

Broadly, the regulator has three thematic priorities related to cyber, focused on assessing the adequacy of governance arrangements, leadership and culture; risk management and cyber protection; and independent intelligence-led assurance activities that form part of a holistic approach to “evidencing the adequacy of arrangements within approved security plans”.