Sellafield Nuclear Hack Through Equipment Connected to Russia and China

Exclusive: Malware may still be present and its potential effects have been covered up by employees, research reveals

The UK’s most hazardous nuclear site, Sellafield, has been hacked into by cyber groups closely linked to Russia and China, the Guardian can reveal.

This startling revelation and its effects were systematically covered up by senior officials at the massive nuclear waste and decommissioning site, the investigation revealed.

The Guardian found that the government doesn’t know exactly when computer systems were first compromised. But sources say the breaches were first detected as early as 2015, when experts realized that latent malware — software that can be hidden and used to spy on or attack systems — had been integrated into Sellafield’s computer networks.

It is not yet clear if the malware has been eradicated. This may mean that some of Sellafield’s most sensitive activities, such as moving radioactive waste, tracking leaks of hazardous materials, and detecting fires, have been compromised.

Sources suggest that foreign hackers have most likely accessed the privacy levels of the site, which spans 6 square kilometers (6 square miles) on the coast of Cumbria and is one of the most dangerous in the world.

The full scale of any knowledge loss and persistent threat to the systems was made harder to quantify because Sellafield failed to alert nuclear regulators for several years, the sources said.

The revelations emerged in Nuclear Leaks, a year-long Guardian investigation into cyberpiracy, radioactive contamination and poison paint culture at Sellafield.

It has the largest stockpile of plutonium on the planet and is a huge dumping ground for nuclear waste from weapons systems and decades of atomic energy production.

Guarded by an armed police force, it also contains contingency plans and documents to be used if the UK suffers a foreign attack or faces a disaster. Built more than 70 years ago and formerly known as Windscale, it produced plutonium for nuclear weapons during the Cold War and absorbed radioactive waste from other countries, including Italy and Sweden.

The Guardian can also reveal that Sellafield, which has more than 11,000 employees, was subjected last year to some form of “special measures” for ongoing cybersecurity breaches, according to sources from the Nuclear Regulatory Authority (ONR) and security services.

The watchdog is also believed to be preparing to prosecute individuals there for cyber failings.

The ONR proved that Sellafield does not meet its cybersecurity standards, but declined to comment on breaches or allegations of “cover-up”.

A spokesperson said: “Some issues are the subject of ongoing investigations, so we are unable to comment further at this time.”

In a statement, Sellafield also declined to comment on its lack of information to regulators, focusing instead on innovations it says it has made in recent years.

Labour’s shadow secretary of state for energy security and net zero, Ed Miliband, said it was a “very worrying report on one of our most sensitive energy infrastructures”.

“This raises accusations that the government wants to treat with the utmost seriousness,” he said.

“The government has a duty to say, when it becomes aware of these allegations, what steps it and the regulator took and offer assurances that our national security is protected.”

The challenge of unsecured servers at Sellafield, nicknamed Voldemort after the Harry Potter villain, according to a government official familiar with the ONR’s investigation and the site’s computer glitches, is highly sensitive and dangerous. This highly sensitive knowledge can be exploited by the enemies of Britain. Sellafield’s server network was described by the administrator as “fundamentally insecure”.

The scale of the problem was only revealed when staff at an external site found that they could access Sellafield’s servers and reported it to the ONR, according to an insider at the watchdog.

Other concerns include the ability of third-party contractors to connect USB drives to the system unattended.

In a highly embarrassing incident last July, key login points and passwords for secure computer systems were inadvertently broadcast on national television via BBC One’s Countryfile nature series, after groups were invited to the secure site for an article on rural communities and the nuclear industry.

The ONR has prepared a draft prosecution against Sellafield for cybersecurity, a type of enforcement action it can take if it believes there is “sufficient evidence to offer a realistic prospect of conviction”.

Senior officials at the nuclear plant have known about cybersecurity issues for at least a decade, according to a 2012 report seen by the Guardian, which warned that there were “critical security vulnerabilities” that needed to be addressed urgently.

It found that security resources at the time were “not adequate to police the internal threat [from staff] … let alone react to a significant increase in external threat”.

More than a decade later, Sellafield’s staff, regulators and sources within the intelligence network say the systems at the vast nuclear waste plant are still not fit for purpose. Senior executives also intentionally tried to hide the scale of the on-site cybersecurity disruptions from security officials tasked with testing the UK’s vulnerability to attacks in recent years. This is the subject of the possible prosecution.

Security officials are also concerned that the ONR has been slow to share its intelligence on cyber failings at Sellafield because they indicate that its own scrutiny has been ineffective for more than a decade.

The latest annual report from the ONR stated that “improvements are required” from Sellafield and other sites in order to address cybersecurity risks. It also confirmed that the site was in “significantly enhanced attention” for this activity.

The ONR said it discovered cybersecurity “deficiencies” in its inspections and noted that it took “enforcement action” as a result.

The scale of cybersecurity concerns is such that some officials want entirely new systems built urgently at the nearby Sellafield Emergency Control Center, a separate secure facility.

Among the highly sensitive documents stored at Sellafield are crisis manuals, blueprints that guide people through nuclear emergency protocols and what to do in the event of a foreign attack on the UK.

These documents include some of the lessons learned in sensitive operations, including the 2005 Exercise Reassure – and the normal Oscars training – which were aimed at testing the UK’s ability to manage a nuclear crisis in Cumbria.

The ONR was so concerned about external sites accessing Sellafield’s servers and an obvious cover-up by the staff that it questioned the groups cautiously. Sellafield’s board of directors carried out an investigation into the matter in 2013 and the ONR warned that it would call for more transparency around cybersecurity.

Cyberattacks and cyberespionage via Russia and China are among the biggest threats to the UK, according to security officials. The most recent National Risk Register, an official document outlining the main risks the UK may face, includes a cyberattack on civilian nuclear weapons infrastructure.

In recent years, attackers from hostile states have targeted allies in the “Five Eyes” intelligence-sharing community. The US has been under attack, and its government agencies, including its Department of Energy, attacked record-breaking software in June of this year.

The UK’s GCHQ cyber wing, which has offices in central London and is part of the national intelligence network based in Cheltenham in Gloucestershire, warned of an increase in cyberattacks on critical national infrastructure by Russia and China.

The government’s growing fear of China’s involvement in the UK’s critical national infrastructure has led to the withdrawal of Chinese state-owned energy company CGN from the Sizewell C nuclear allocation in Suffolk and Huawei’s withdrawal from the centre of the telecoms network in recent years.

That ended a close Anglo-Chinese relationship, culminating in then-Prime Minister David Cameron hailing a “golden age” between the two countries and drinking beer with Chinese Prime Minister Xi Jinping in a Buckinghamshire pub in 2015.

Rishi Sunak’s government has championed the progress of the country’s nuclear industry after the energy crisis, picking up where his predecessor Boris Johnson left off. Earlier this year, then-Energy Secretary Grant Shapps unveiled Great British Nuclear, a company designed to generate new nuclear power plants. A generation of new nuclear projects will require an expansion of the UK’s decommissioning activities.

Nuclear decommissioning, a large share of which is done at Sellafield, is one of the biggest drains on the UK government’s annual business department budget. The site costs about £2.5bn a year to operate. Decommissioning is such a huge, long-term bill that it was examined as a “fiscal risk” to the UK’s economic health by the spending watchdog, the Office for Budget Responsibility. It is estimated it could cost as much as £263bn to manage the legacy of the UK’s nuclear energy and weaponry industries.

This figure varies widely depending on how long-term cash flows are calculated, and the OBR has warned that Sellafield’s long-term prices can range from minus 50% to over 300%.

A Sellafield spokesperson said: “We take cybersecurity incredibly seriously at Sellafield. All of our systems and servers have layers of protection.

“Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not penetrate these.

“Over the past decade, we have evolved to meet the demanding conditions of the modern world, adding greater importance to cybersecurity.

“We are working intensively with our regulator. As a result of the progress we have made, we have agreed on a ‘significantly strengthened’ exit from the regulation.”

An ONR spokesperson said: “Sellafield Ltd ultimately meets the main criteria we require for cybersecurity, which is why we have paid special attention to it.

“Some explicit issues are the subject of ongoing investigations, so we are unable to comment further at this time.”

Prior to publication, Sellafield and the ONR declined to answer a number of specific questions or say if Sellafield networks had been compromised by groups linked to Russia and China. Following publication, they said they had no records to suggest Sellafield’s networks had been successfully attacked by state actors in the way the Guardian described.

A spokesperson for the Department of Energy Security and Net Zero said: “We await the safety and security criteria when decommissioning nuclear ancient sites, and the regulator is transparent that public safety is not compromised at Sellafield.


“Many of the issues raised are historical and the regulator has for some time been working with Sellafield to ensure necessary improvements are implemented. We are expecting regular updates on how this progresses.”
