A UK facility containing the world’s largest stockpile of civil plutonium has been breached by hackers linked to Russia and China, with attacks traced back as far as 2015, according to a bombshell new report.
The Guardian cited various inside sources as claiming Sellafield, which is Europe’s largest nuclear site, has repeatedly covered up deficiencies in its cybersecurity posture.
It said that “sleeper malware” was detected in 2015, although it is unclear when the site’s IT systems were first compromised. Foreign hackers have likely accessed the most sensitive material stored on those systems, the report added. This could include information on moving radioactive waste, monitoring for leaks, checking for fires and even government emergency planning documents related to contingencies for foreign attacks or disaster.
The nuclear site was accused of failing to inform regulators for many years about its security woes. A 2012 report seen by The Guardian revealed “critical security vulnerabilities” that needed to be addressed urgently and that resources were “not adequate to police the internal threat [from staff] … let alone react to a significant increase in external threat.”
A government official reportedly described the IT network as “fundamentally insecure.”
Regulators Step In
An insider told the paper that these troubles only came to light after staff working at an external site realized they could access Sellafield’s servers. They subsequently reported it to the Office for Nuclear Regulation (ONR).
The regulator has now placed Sellafield under “significantly enhanced attention” while it works on remediating these issues. It is apparently preparing enforcement action in the form of a “notice of prosecution” on cybersecurity.
However, officials have also complained that the regulator has been slow to share intelligence on any failings found and that its own scrutiny has failed over the years.
Other concerns raised in the report include external contractors being able to plug memory sticks into machines unsupervised.
Cybersecurity Priority for CNI
A Sellafield spokesperson said the site was working closely with the ONR to agree an off-ramp from its “significantly enhanced” status.
“We take cybersecurity extremely seriously at Sellafield. All of our systems and servers have multiple layers of protection. Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not penetrate these,” they added.
“Over the past 10 years we have evolved to meet the challenges of the modern world, including a greater focus on cybersecurity.”
Oz Alashe, CEO of CybSafe, argued that cybersecurity should be an organization-wide responsibility.
“Rather than reacting with blame when incidents occur, organizations should focus on equipping employees to uphold security standards as part of their regular workflow. This prevents the instinct to hide lapses that can leave systems vulnerable,” he added.
“By proactively engaging all staff in recognizing phishing attempts, following protocol with hardware, and speaking up about suspicious activity, employees can become an organization’s best line of defence. Pair this with approachable, non-punitive reporting channels, and organizations can address vulnerabilities before hackers exploit them.”
Patrick Tiquet, VP Security & Compliance at Keeper Security, noted that critical infrastructure continues to be a prime target for cybercriminals.
“Nuclear plants rely on sophisticated control systems and technologies, making them challenging to secure completely. Advanced Persistent Threats (APTs) and well-funded hacking groups may see them as attractive targets due to the potential vulnerabilities in these complex systems. Protecting critical infrastructure from cyberattacks is as important as protecting it from physical attacks, because the consequences have the potential to be equally devastating,” Tiquet said.