Nuclear hack creates rising fears of cyber vulnerability in critical services

News that one of the UK’s most high-profile nuclear power stations has been hacked, with fears that the hackers have been accessing highly sensitive information for years, has led to new calls for the country to tighten up security at its vital infrastructure.

It has been reported by The Guardian newspaper that the UK’s most hazardous nuclear site, Sellafield, has been hacked into by cyber groups closely linked to Russia and China. The publication also alleges the attack and its potential effects have been consistently covered up by senior staff at the vast nuclear waste and decommissioning site. The Guardian added it had discovered that the authorities do not know exactly when the IT systems were first compromised. But sources said breaches were first detected as far back as 2015, when experts realised sleeper malware – software that can lurk and be used to spy or attack systems – had been embedded in Sellafield’s computer networks.

Sources told the newspaper that they fear foreign operatives have accessed the highest levels of confidential material at the two-square-mile site.

A spokesperson from Sellafield Limited said: “We have no records or evidence to suggest that Sellafield Ltd networks have been successfully attacked by state-actors in the way described by The Guardian. Our monitoring systems are robust and we have a high degree of confidence that no such malware exists on our system.

“We have asked the Guardian to provide evidence related to this alleged attack so we can investigate. They have failed to provide this.”

They added: “We take cyber security extremely seriously at Sellafield. All of our systems and servers have multiple layers of protection. Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not penetrate these.”

The news has prompted cyber experts to say the incident is a dire warning to the UK that it needs to increase cyber security around its critical infrastructure.

Dr Klaus Schenk, senior vice president, security, and threat research at Verimatrix, said: “This is not the first time we’ve observed cybersecurity vulnerabilities being downplayed or hidden by senior staff at nuclear facilities. While this behaviour exists in many industries, it’s striking how the nuclear sector seems to face fewer repercussions compared to others, such as GDPR violations in case of a cyberattack against a well-known company. Sharing information about hacks and being transparent about the details is always challenging, but it’s the only way to improve security when done responsibly.”

Jamie Akhtar, CEO and co-founder at CyberSmart, said: “It almost goes without saying, but the details of this breach are very concerning. Not only does the potential identification of ‘sleeper’ malware illustrate the sophistication of state-sponsored attacks but if the breach has lain undetected since 2015 it poses serious questions about Sellafield’s cyber defences.

“Given that the site has faced several problems with its cybersecurity over the years, we hope this incident serves as a reminder, not just to Sellafield, but to all parts of the UK’s critical infrastructure and the small businesses that work in tandem with it to take cybersecurity seriously.”

Fergal Lyons, cybersecurity evangelist at Centripetal, said the incident raised serious concerns for the energy sector.

“The lapse in cybersecurity measures at Sellafield, a high-security nuclear facility, represents a concerning oversight that persisted over an extended period. It’s alarming how this negligence went unnoticed and underreported by regulators,” he explained. “This situation underscores the daunting task of safeguarding any high-value facility under constant siege by assailants globally.

“Addressing these threats requires a deep dive into identifying and understanding these assailants—where they originate and who they are. It is important to note that in over 95% of cyberattacks globally, there existed some form of threat intelligence that, if leveraged effectively, could have mitigated the attack’s devastating impact.

“Conventional cybersecurity defences are failing on multiple fronts, as is evident in the surge of ransomware attacks and data breaches, signalling the need for an industry-wide re-evaluation of our existing defensive strategies.”
