Security breaches

Date released

24 November 2021

Request number

202110031

Release of information under

Freedom of Information Act 2000 (FOIA)

Information requested

1. How many "initial notifications” the ONR received, as laid out in the ONR's guidance, from civil nuclear license holders relating to security breaches during the whole of 2018, and up to the latest date possible in 2019?
2. How many INF1 reports the ONR received from civil nuclear license holders relating to security breaches during the whole of 2018, and up to the latest date possible in 2021?
3. Of these – both any "initial notifications" and any INF1 reports – how many were related to cyber security threats or attacks?
4.  Please provide any, if not all, of the following details relating to these reported incidents: the nuclear license holder, the nuclear license site concerned, the date, and a brief description of the final outcome of the incident.

Information released

I confirm that under Section 1 of the FOIA we hold some of the information requested. We have answered your questions in turn below.

I would also like to refer you to a previous similar FOI response issued in 2019.

1. How many "initial notifications” the ONR received, as laid out in the ONR's guidance, from civil nuclear license holders relating to security breaches during the whole of 2018, and up to the latest date possible in 2019?

Under the Nuclear Industries Security Regulations (NISR) 2003 all operators of civil licenced nuclear sites are required to have a site security plan. The plan is formally approved by us on behalf of the Secretary of State for Business, Energy and Industrial Strategy (BEIS). Where certain events or matters occur on these sites, such as failure to comply with some aspect of that plan, the operator is legally required to formally report it in accordance with Regulation 10 of NISR 2003. This is done through an initial notification and subsequent submission of an Incident Notification Form 1 (INF 1).

Records of initial notifications are not held and therefore we are unable to answer question 1 fully. There is however a process in place to ensure that notifications are followed up, as required under NISR 2003. This must be done formally by submitting an INF1 form. The response to question 2 therefore provides the correlation between initial notifications and INF1’s.

2. How many INF1 reports the ONR received from civil nuclear license holders relating to security breaches during the whole of 2018, and up to the latest date possible in 2021?

We received a total of 214 INF1 forms in 2018, 312 in 2019, 321 in 2020 and 368 up to 30 October 2021. All relate to reportable events or matters submitted by operators of civil nuclear licensed sites under the requirements of Regulation 10 of NISR 2003.

3. Of these – both any "initial notifications" and any INF1 reports – how many were related to cyber security threats or attacks?

Of the INF1’s received, one in 2018, three in 2019, two in 2020 and two in 2021 relate to cyber security threats or attacks.

4. Please provide any, if not all, of the following details relating to these reported incidents: the nuclear license holder, the nuclear license site concerned, the date, and a brief description of the final outcome of the incident.

Please refer to the attached document detailing this information.

Further Information:

To clarify the response to questions 3 and 4, you may wish to note that the nuclear industry, like any other industry, is subject to cyber-attacks. However, where the attack is defeated by the ‘defence in depth’ cyber security controls maintained by dutyholders, this would fall below the reporting threshold and an INF1 would not be raised. There is no requirement for dutyholders to report attacks on systems that fall outside of our regulatory scope.

Exemptions applied

N/A

PIT (Public Interest Test) if applicable

N/A