Sellafield has said there is no evidence to indicate a successful cyberattack by state actors on the networks at its nuclear site.
The Guardian reported on 4 December that the nuclear fuel reprocessing site, Sellafield, had suffered a cyberattack by cyber groups linked to Russia and China.
“We have no records or evidence to suggest that Sellafield networks have been successfully attacked by state-actors in the way described by the Guardian,” said a Sellafield spokesperson.
Sellafield stressed that its monitoring systems are robust and that it has a high degree of confidence that no such malware exists on its systems.
“This was confirmed to The Guardian well in advance of publication, along with rebuttals to a number of other inaccuracies in their reporting,” said the Sellafield spokesperson.
Sellafield said that the critical networks that enable it to operate safely are isolated from the general IT network, meaning a cyberattack would be unsuccessful.
“We take cybersecurity extremely seriously at Sellafield … All of our systems have multiple layers of protection,” added the Sellafield spokesperson.
Sellafield has asked The Guardian to provide evidence related to the alleged attack so it can investigate. Sellafield said The Guardian has not fulfilled the request.
In response to The Guardian’s report, the Shadow Secretary of State for Energy Security and Net Zero, Ed Miliband, said the news of the alleged attack was ‘very concerning’.
“It raises allegations that must be treated with the utmost seriousness by the Government. The Government has a responsibility to say when it first knew of these allegations, what action it and the regulator took, and to provide assurances about the protection of our national security,” said Miliband.
Claire Coutinho, the Secretary of State for Energy Security and Net Zero, has requested an investigation into the matter.
In a letter addressed to David Peattie, the Group Chief Executive Officer at the Nuclear Decommissioning Authority (NDA), Coutinho asked for a full explanation of the allegations.
“I would like to see the NDA provide further assurance that cybersecurity threats are treated with the highest level of priority and that threats that do emerge are properly recorded and acted upon,” said Coutinho in the letter posted on X (formerly Twitter).
Coutinho also requested a delivery plan and timeline for how Sellafield will come out of enhanced regulatory scrutiny on the issue.
Sellafield Faces Scrutiny from Britain’s Office for Nuclear Regulation
In a separate statement, Britain’s Office for Nuclear Regulation (ONR) also said it had seen no evidence that state actors had hacked Sellafield’s systems as The Guardian described.
“We have been clear that there are areas where improvements are required to achieve the high standards of safety and security we expect to see, but there is no suggestion that this is compromising public safety,” said the ONR.
Despite this, the ONR said that Sellafield is currently not meeting certain high standards that the regulator requires and that it has placed the site under ‘significantly enhanced attention’.
“We will continue to hold Sellafield to account to ensure these improvements are made through a range of regulatory action and enforcement.
“With new leadership in place at Sellafield, we have seen positive signs of improvement in recent months but will continue to apply robust regulatory scrutiny as necessary to ensure the ongoing safety of workers and the public,” said the ONR.
Some specific matters are subject to an ongoing investigation process, meaning the ONR cannot comment further at this time.
The Guardian reported that the ONR was believed to be preparing to prosecute individuals at Sellafield for cyber failings. The news outlet said this enforcement action is only taken if there is ‘sufficient evidence to provide a realistic prospect of conviction’.
The news outlet said Sellafield was placed into a form of special measures for consistent cybersecurity failings last year.
The Alleged Sellafield Cyberattack
The disclosures surfaced in ‘Nuclear Leaks’, a year-long investigation by The Guardian into cyber hacking, radioactive contamination, and a toxic workplace culture at Sellafield.
The unidentified sources indicated foreign hackers likely accessed highly confidential material at the Sellafield site, which spans 2 square miles on the Cumbrian coast.
The Guardian reported that the alleged cyberattack and its potential effects have been consistently covered up by senior staff. It also said there was uncertainty among authorities about the initial compromise of IT systems.
Sources indicated that breaches were first identified in 2015 when experts discovered sleeper malware embedded in Sellafield’s computer network.
Sleeper malware resides on a device it has infected and is timed to go off either on a specific date or at the end of its countdown. When the specified time arrives, it is too late to identify the origin of the threat and to stop it.
The Guardian said it is not known if the alleged malware had been eradicated.
“It may mean some of Sellafield’s most sensitive activities, such as moving radioactive waste, monitoring for leaks of dangerous material and checking for fires, have been compromised,” said The Guardian.
The Guardian reported a Government official, familiar with the ONR investigation and IT failings at the site, mentioned that the insecure servers at Sellafield were nicknamed ‘Voldemort’. This moniker was inspired by the notorious Harry Potter villain.
The nickname ‘Voldemort’ originated due to the extreme sensitivity and danger associated with the vulnerabilities. These vulnerabilities involved highly exploitable data, leading the official to describe Sellafield’s server network as fundamentally insecure.
The magnitude of the vulnerabilities came to light when employees at an external site discovered they could access Sellafield’s servers and reported it to the ONR. This disclosure was made by an insider at the watchdog. Additional concerns involved unsupervised external contractors plugging memory sticks into the system.
According to The Guardian’s sources, Sellafield’s failure to promptly notify nuclear regulators for several years has hindered the accurate assessment of the complete extent of data loss and ongoing risks to systems.
History of Cyber Failings at Sellafield
Last July, login details and passwords for secure IT systems at Sellafield were inadvertently broadcast on national TV by the BBC One nature series Countryfile. This followed the crews’ invitation to the secure site for a segment on rural communities and the nuclear industry.
Senior figures at the nuclear site have been aware of cyber problems for over a decade, as a 2012 report seen by The Guardian highlighted ‘critical security vulnerabilities’ that demanded urgent attention. The report noted inadequate security resources to address internal threats from staff or respond to an external threat increase.
Concerns persisted over a decade later. Staff, regulators, and intelligence sources believe that systems at Sellafield remain unfit for purpose.
The Guardian reported that some unnamed officials believe urgent action is needed to combat Sellafield’s cybersecurity failings. They proposed the creation of entirely new systems at Sellafield’s separate and secure emergency control centre.
The Office for Nuclear Regulation (ONR) expressed deep concern about external sites accessing Sellafield’s servers and an alleged cover-up by staff, leading to cautionary interviews with teams.
In 2013, the Sellafield board conducted an inquiry, prompting the ONR to demand increased transparency regarding IT security.
What is Stored at the Sellafield Nuclear Site?
Sellafield houses the world’s largest plutonium store. It also serves as a vast repository for nuclear waste from weapons programmes and decades of atomic power generation.
Previously known as Windscale, the site produced plutonium for weapons during the Cold War. It also accepted radioactive waste from other countries, including Italy and Sweden, over its 70-year history.
The site is currently guarded by armed police and stores critical emergency planning documents for potential foreign attacks or disasters in the UK. These documents include disaster manuals and plans guiding individuals through emergency nuclear protocols.
The documents include insights from sensitive operations like Exercise Reassure in 2005 and the Oscar exercises. These exercises aimed to assess the UK’s preparedness for managing a nuclear disaster in Cumbria.
UK Battles With Cybercrime
The National Risk Register recently flagged that civil nuclear facilities could be targeted for cyberattacks. The Register is the Government’s assessment of the most serious risks facing the UK.
The UK’s National Cyber Security Centre warned of the emergence of state-aligned actors who are ideologically, rather than financially, motivated. Among those are threat actors who are sympathetic to China and Russia.
Increasing Government apprehension about Chinese involvement in the UK’s critical national infrastructure has led to the removal of Huawei products from the core of the telecommunications network.
The alleged Sellafield cyberattack is one of many hacking incidents that have been identified in the UK this year. In October, Russian hackers led a cyberattack that forced the Royal Family website offline.
In August, the UK Electoral Commission reported a ‘complex cyberattack on its systems’ by hostile actors where millions of UK voters’ data could have been compromised.
In June, a cybercrime gang, believed to be based in Russia, warned major British companies, including the BBC, British Airways, and Boots, to email it before 14 June or stolen data from a MOVEit hack would be published.