Guardian newspaper alleges state-backed criminals infiltrated ‘highest echelons’ of nuclear site’s IT systems
The UK’s nuclear regulator is giving government body tasked with cleaning up the Sellafield nuclear waste site “robust scrutiny” amid concerns that the organisation’s computer systems are not secure enough.
The Office for Nuclear Regulation (ONR) had already placed Sellafield Ltd in “special measures” after failing to meet cyber security standards, but said in a statement on Monday (4 December) that it will continue to hold Sellafield Ltd to account to ensure improvements are made through a range of regulatory action and enforcement.
The ONR said with new leadership in place at Sellafield Ltd, “we have seen positive signs of improvement in recent months but will continue to apply robust regulatory scrutiny as necessary to ensure the ongoing safety of workers and the public”.
It said: “In relation to cyber security, Sellafield Ltd is currently not meeting certain high standards that we require, which is why we have placed them under significantly enhanced attention.
“Some specific matters are subject to an ongoing investigation process, so we are unable to comment further at this time.”
The ONR’s comments came as it was forced to deny claims the site in Cumbria, northwest England, had suffered a serious security breach at the hands of Russia and China-linked hackers.
A report in The Guardian newspaper alleged that state-backed criminals had infiltrated “the highest echelons” of Sellafield’s IT systems and left behind so-called sleeper malware – malicious software that is hidden and later used for spying or carrying out crippling attacks.
Senior staff failed to disclose the hack to the ONR for several years and more generally sought to “cover up” the poor state of cyber security, the Guardian said.
The newspaper raised concerns that highly-sensitive documents may have been accessed and that crucial equipment at the facility – the largest nuclear site in western Europe, where primary activities are nuclear waste processing and storage and nuclear decommissioning. Former activities included nuclear power generation from 1956 to 2003, and nuclear fuel reprocessing from 1952 to 2022.
However, shortly after the report was published, Sellafield Ltd and the ONR insisted there was no record of a successful cyber-attack by state or non-state hackers, and that no sleeper malware had been discovered either.
The regulator said it had “seen no evidence that Sellafield’s systems have been hacked in the way described”.
‘No Records Or Evidence To Suggest Cyber-Attack’
Sellafield Ltd added: “We have no records or evidence to suggest that Sellafield Ltd networks have been successfully attacked.
“Our monitoring systems are robust and we have a high degree of confidence that no such malware exists on our system.
“We have asked The Guardian to provide evidence related to this alleged attack so we can investigate. They have failed to provide this.
“All of our systems and servers have multiple layers of protection.
“Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not penetrate these.”
The ONR said in a report in October that Sellafield Ltd had made “limited progress” in ensuring adequate cyber security arrangements due to resource constraints, resulting in the ONR taking enforcement action.
It said Sellafield Ltd is undertaking a comprehensive assurance activity of its cyber security arrangements.
“Upon completion of this analysis, Sellafield Ltd will be expected to act upon these findings to address any identified shortfalls,” the ONR said.