Date: 08/12/2023
Where:
Cumbria, UK
Who’s involved:
Sellafield Nuclear Site, The Guardian news organization, unnamed Chinese and Russian threat actors, UK Government
What happened:
As part of a broader investigation by The Guardian, a series of claims were published in early December 2023 suggesting that the Sellafield nuclear site, which engages in nuclear fuel reprocessing, nuclear waste storage, and weapons decommissioning, had been compromised by cyber threat actors affiliated with Russia and China.
The report alleged that these groups had successfully hacked the site's computer systems, leaving malware undiscovered for years.
Cybersecurity issues at the site have been documented for over a decade. A 2012 report warned of "critical security vulnerabilities".
According to The Guardian's report, breaches were first detected as far back as 2015, with sleeper malware embedded in Sellafield's computer networks. Sleeper malware is a type of backdoor planted in a computer system or network that is intended to activate only when a certain future condition is met.
As the reports are currently unspecific, it is unclear whether the malware has been eradicated, what the full extent of any data loss is, or what ongoing risks remain. The hack possibly compromised sensitive activities such as radioactive waste monitoring and fire checks.
On 4/12/2023, the UK government, including Sellafield Ltd and the Office for Nuclear Regulation (ONR), issued statements strongly denying the Guardian's report. They asserted that there were no records or evidence of a successful cyberattack by state actors at the Sellafield site.
Part of the denial emphasized that critical networks essential for safe operations at Sellafield were isolated from the general IT network, likely referring to a practice known as "air gapping", so that a compromise of the IT network would not extend to these critical systems.
While denying the cyberattack, the ONR acknowledged that Sellafield was not meeting certain high standards of cybersecurity required by them and had placed the plant under significantly enhanced attention but did not comment on breach details or cover-up claims.
Despite the challenges, Sellafield insists that it takes safety seriously, with continuous measures and reporting on nuclear, radiological, and conventional safety.
Analysis:
While significant, these claims have not yet been independently verified.
Not enough details regarding the claims have been made public. Although The Guardian has a reputation as a major news source, security practitioners still have to take its findings on trust for the time being, as of 07/12/2023.
The lack of detail in the claims may be held back for a future report, or may be a consequence of The Guardian doing its diligence to avoid revealing the identity of its source.
Sellafield, with a history of incidents, contains significantly more radioactive material than Chernobyl.
An accident at Sellafield could lead to a plume of radioactive particles affecting neighboring countries, raising significant international concerns.
There is a history of criticism regarding the site's basic safety requirements, long-term dangers, and alleged cover-ups.
In the past, leaks and safety issues have caused tensions with Norway and Ireland, with concerns about potential radioactive contamination.
The ONR's latest review indicated the need for improvements in safety, fire safety, and cybersecurity.
The specific claims need to be weighed against these factors: The strong denial by the UK government and Sellafield Ltd, the lack of direct public evidence, and the challenges in independently verifying such claims make it difficult to definitively assess their validity without further corroborative evidence.
Conclusion:
The Guardian's unconfirmed allegations about a security breach at the Sellafield nuclear site underscore the need for stringent safety and cybersecurity measures in critical infrastructure, particularly at facilities holding hazardous materials. Such sites are prime targets for both state-backed and criminal threat actors, with consequences for national security and public safety. The UK Government claims to have adequate cybersecurity measures in place at Sellafield, possibly relying on precautions such as air gaps, which would require physical access to breach. However, the UK's history of limited disclosure of cyber incidents warrants scrutiny.
This incident's timing is crucial as the UK aims to significantly boost nuclear power by 2050, where Sellafield's security concerns could hinder these plans. The Guardian's confidence in its report, despite lacking detail, suggests protection of a sensitive information source. The ONR's comments about Sellafield's cybersecurity shortcomings highlight the need for ongoing improvements in security protocols for critical infrastructure.