French energy giant EDF has been placed under ‘enhanced attention’ by the UK’s Office for Nuclear Regulation (ONR) after identifying shortfalls in its cybersecurity plans, according to reports this weekend.
The ONR is taking action due to the findings of routine inspections over the past 12 months. The Telegraph newspaper quoted the body as saying it had “identified shortfalls in governance, risk and compliance in certain technical controls” during these inspections.
EDF owns and runs the UK’s network of nuclear power stations at five locations and is currently building a new nuclear power station at Hinkley Point in Somerset, together with minority Chinese partner CGN. The action takes place against a backdrop of increased awareness of the vulnerability of energy infrastructure around Europe to cyber-attack.
In particular, Russia has been blamed for cyber-attacks on both windfarms and nuclear power plants in Europe as part of its invasion of Ukraine.
In a statement to Infosecurity Magazine, an EDF spokesperson said: “The ONR inspections identified an increased potential for risks due to the upgrade of complex IT systems and changes in the organization of our internal security department. The regulator has not identified any additional issues of concern, it has simply chosen to subject these areas to greater scrutiny over the next year as part of its ongoing inspection regime.”
It further pointed out that being in ‘enhanced attention’ is not the same as enforcement action. “It means the ONR feels the need to deploy more resources in the area to help drive enhancements to cybersecurity arrangements and in physical arrangements.”
The ONR has three attention levels: Level 3 Routine, Level 2 Enhanced and Level 1 Significantly Enhanced.
“Level 2 is brought in for a number of reasons; in this case, the move of our security team from one part of the nuclear business to another has had a significant influence as this is the first full department to make the move.”