Government denies evidence of nuclear site hack

Report alleged Sellafield IT systems were attacked by hacking groups linked to Russia and China

The Sellafield site in Cumbria, formerly known as Windscale

Image:
The Sellafield site in Cumbria, formerly known as Windscale

The UK government has categorically denied any evidence of a successful cyberattack on the Sellafield nuclear site, refuting claims made in a recent report by The Guardian.

The newspaper alleged that Sellafield, responsible for nuclear fuel reprocessing, waste storage and decommissioning, had fallen victim to cyber groups closely associated with Russia and China.

In an official statement on Monday, the government said its monitoring systems are robust, and it was confident that no malware from state actors exists on the Sellafield system.

The government further highlighted that these clarifications were provided to The Guardian well before the publication.

The Office for Nuclear Regulation (ONR) echoed the government's stance, stating that there is no evidence to support the claims of state actors hacking its systems.

However, the ONR did acknowledge that Sellafield is not currently meeting certain high standards of cybersecurity, leading to the plant being placed under "significantly enhanced attention."

The ONR revealed that specific matters related to cybersecurity at Sellafield are subject to an ongoing probe, preventing it from providing further comments at this time.

Sellafield, under the control of the government's Nuclear Decommissioning Authority, is located in northwest England and employs around 11,000 individuals.

The sprawling two-square-mile site is deemed the most hazardous location in the UK. The facility, which served as a nuclear power plant until 2003, now houses the largest store of plutonium globally and is currently utilised for nuclear waste processing, storage, and decommissioning.

The Guardian's investigation delved into radioactive contamination, cyber hacking and workplace culture at the Sellafield site.

The report alleged security breaches dating back to 2015, which it claimed were not reported to regulators for many years. It also quotes sources from the ONR indicating that Sellafield was placed under "special measures" last year due to cybersecurity failings.

The report suggested the presence of sleeper malware, capable of spying on or attacking systems, embedded in the networks.

According to The Guardian's sources, the ONR and security services placed Sellafield under "special measures" last year due to consistent cybersecurity failings, with potential prosecutions looming for individuals responsible for the breaches.

Despite the serious nature of the accusations, the ONR has refrained from commenting on specific breaches, only confirming that Sellafield has failed to meet cyber standards.

Ed Miliband, the shadow secretary of state for energy security and net zero, expressed deep concern about the report, urging the government to treat it "with the utmost seriousness."

"The government has a responsibility to say when it first knew of these allegations, what action it and the regulator took and to provide assurances about the protection of our national security," Miliband said.

The Department for Energy Security and Net Zero emphasised the expectation of the highest safety and security standards and acknowledged ongoing efforts to ensure necessary improvements at Sellafield.

"Many of the issues raised are historical and the regulator has for some time been working with Sellafield to ensure necessary improvements are implemented. We are expecting regular updates on how this progresses," a spokesperson from the Department said.