A nuclear power plant worker in Scotland has been escorted from EDF’s West Kilbride premises and the police called, after allegedly viewing bomb-making websites whilst at work. The full story is here.
Some comment from Advent IM Director, Julia McCarron.
Trying to find out how to build a bomb whilst working on-site at a nuclear power plant probably wasn’t the smartest thing for the worker at Hunterston B, West Kilbride to do. And his alleged stupidity is luckily what got him caught. But the situation poses a number of positives, negatives and discussion points.
The positives. There would appear to be a decent security culture within the plant as demonstrated by the fact that a fellow worker spotted nefarious activity and reported it. There would also appear to be stringent security checks following government guidelines carried out by EDF in the employment process.
The negatives. Whilst the individual concerned may or may not have been a British National (this is not clear), the fact that he had only recently moved to England should have been flagged during the vetting process and highlighted a risk. Arguably this would have indicated that he was not suitable for employment and certainly not deployment near the nuclear core.
The Discussions. It could be that EDF did (almost) everything right and nothing flagged indicating the individual was a risk (the recent move to England notwithstanding). It’s perfectly possible that no background on the individual would have led them to believe there was an issue with employing him. There could be hundreds of cases like this for many of our CNI organisations – he wasn’t flagged because there was nothing in his past to flag … you can’t cater for this in the vetting process. But what you can do is maybe provide ‘probation’ periods that don’t allow these individuals access to critical or sensitive areas until they have proven themselves reliable and capable. This still isn’t foolproof but could act as a deterrent for individuals wanting to gain access to CNI quickly in order to carry out an act of terrorism. I’m not saying that was the case here, but it could be a prudent move as a general policy.
Also, was the laptop his own or EDF provided? Two issues spring to mind here. If it was EDF supplied, the individual would surely have been in breach of an acceptable use policy. So even if this was ‘innocent’, was the individual aware of the policy and had he agreed in writing that he understood it and would comply with it? If it was his own, EDF should review/develop a BYOD policy. I would not expect employees at a CNI site to be able to use their own devices and be able to connect to the internet. Again, was there a policy and was the individual in breach of it? If BYODs aren’t allowed, how did he get his laptop in? Is there a role CNC could play in policing the policy (no pun intended)?
In the end, danger, if there was any, was averted. But something in the process wasn’t right and EDF need to review the incident to discover the root cause and make improvements to the employment process.