The Sellafield nuclear site – a cornerstone of the UK’s nuclear fuel reprocessing and waste storage – found itself once again the subject of controversy earlier this month. Among complaints of other safety violations and risks, The Guardian’s ongoing investigation paints a picture of a decade-long cyber siege, allegedly orchestrated by Russian and Chinese threat actors. This revelation, if substantiated, doesn’t just raise alarms about Sellafield’s digital defenses, but also echoes broader concerns about the security of critical infrastructure amid rising geopolitical tensions.
A note going forward in this article: many of these sources are found in various works by The Guardian and several Irish publications, as part of their ongoing investigation, though it’s my hope that I provide some extra context to some of the exhibits. I’m mentioning this, because I feel it would be wrong to present the documents as if I dug them out myself. I’ll highlight the parts that were my own work.
A 2012 report ominously flagged “critical security vulnerabilities” at Sellafield, yet it seems these warnings may have been just the tip of the iceberg. According to The Guardian, Sellafield’s computer systems were not just vulnerable, but compromised. The report suggests that since 2015, sleeper malware has been lurking in Sellafield’s networks. This malware’s potential to disrupt sensitive operations like radioactive waste monitoring is a chilling thought.
However, on 4/12/2023, the UK government, Sellafield Ltd, and the Office for Nuclear Regulation (ONR) countered these allegations, denying any records of such a cyberattack. They highlighted what sounds like “Air Gapping” of critical networks.
“Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not penetrate these.”
(Press release by Sellafield LTD on 4 December)
Despite this, ONR’s admissions of Sellafield’s subpar cybersecurity at various points add a layer of complexity to the narrative. While the admissions highlighted by The Guardian are strictly part of their own investigation, there were further signs that cybersecurity was a recurring issue at the plant.
Analyzing the Allegations: Between Fact and Speculation
The Guardian’s claims, while significant, currently hang in the balance of verification. As of 07/12/2023, the security community can only speculate on the veracity of these allegations. The absence of detailed public information from The Guardian might indicate an upcoming report or a careful attempt to protect sensitive sources.
It should be noted that as of the time of this writing, the full text of these two reports doesn’t seem to be publicly available. I’ve gone through the publicly available records from 2018 until the most recent, and have had mixed results with no explicit mentions of a cybersecurity incident. The following was what I was able to find.
- The ONR President states an expectation for improvements with respect to cybersecurity in FY2024.
- There is a statement that Sellafield Ltd. is undertaking a “comprehensive assurance activity of its cybersecurity arrangements”.
- The “additional theme” of cybersecurity is being further integrated into the site’s health and safety practices.
- There is a pretty standard acknowledgement of the need to invest further in the site’s cybersecurity.
- There is an emphasis on the need to improve the cyber protection capabilities, “…particularly at category 1 sites and where interfaces exist between operational and information technology.” This may indicate where airgaps are bridged with physical media, or that airgapping is, in fact, not happening. If there is proper system isolation, there may be an implication here of issues at these spots or with safety practices conducted by the staff, but this is pure speculation on my part.
- In this report, it is stated that Accenture is advising Sellafield Ltd. I did not find any statements indicating that Accenture worked with the organization before or since. However, in 2021 (which could vaguely line up with The Guardian’s timeline), Accenture was attacked by the LockBit ransomware gang, with a 6 terabyte data leak alleged by the threat actor. Over 2000 files were confirmed to be published as part of the back-and-forth with Accenture, who said at the time that they did not pay the ransom. I wasn’t able to verify this on LockBit’s darkweb portal, as their current one doesn’t go back that far. Again, this is speculation, but it’s another notable dot that may be connected. This also assumes that Accenture’s tenure started before FY2022.
- The report mentions the commencement of a series of thematic inspections aimed at assessing the adequacy of cybersecurity leadership and risk management arrangements. Initial insights from these inspections suggest that improvements are needed from some duty holder leadership teams to actively define a suitable cybersecurity strategy for their organizations.
- The report mentions that although Sellafield Ltd’s performance in protective security has been generally adequate, several shortfalls in cybersecurity have been identified. Consequently, Sellafield continues to receive “significantly enhanced” regulatory attention.
- This report mentions some major overhauls to the regulatory expectations of cybersecurity practices at Sellafield.
- It states that regulatory intelligence identified that structural issues contributed to “tactical issues of cybersecurity”.
- Cybersecurity remains a key area of regulatory focus, with significant investments leading to a more experienced team and improved regulatory capability and resilience.
- It was identified in this report that changes needed to be made to the cybersecurity practices of vendors that service Sellafield Ltd.
Quarterly Inspection Findings (only those with irregularities)
The Quarterly Inspections highlight several radiation leak and other safety incidents, but it wasn’t until I went back to 2014-2015 that I was able to find anything referencing cybersecurity. I’ll leave a dropdown here about the safety incidents. These are mostly directly quoted from my findings in the reports:
During the second quarter of 2019 (1 April to 30 June), the Office for Nuclear Regulation (ONR) reported one incident at a nuclear licensed site in Great Britain that met the Ministerial Reporting Criteria (MRC).
Dounreay Site Restoration Limited – Fuel Cycle Area (7 June 2019): Low levels of radiological contamination were detected on an individual’s hand and shoe during exit monitoring from the Fuel Cycle Area. The individual received decontamination, and the area was temporarily restricted and later cleared of contamination. The ONR concluded that the contamination was minor and came from a facility within the fuel cycle area, leading to minimal radiation exposure significantly below annual dose limits. The incident generated media interest but was rated as Level 0 (Below Scale/No Safety Significance) on the International Nuclear and Radiological Event Scale (INES). Source: https://www.onr.org.uk/quarterly-stat/2019-2.htm
The quarterly statement from the Office for Nuclear Regulation (ONR) for the period of 1 October 2019 to 31 December 2019 reports two civil incidents at nuclear licensed sites in Great Britain that met the Ministerial Reporting Criteria (MRC).
Sellafield Ltd – Redundant Settling Tank (RST) Sludge Sump (19 October 2019): Sellafield Ltd reported a loss of radioactively contaminated water from the RST facility. Investigations concluded a leak to the ground, believed to be from historic leak paths from small cracks in the sump’s structure. There were no radiation dose consequences to the workforce or the public, and no risk to public water supply boreholes. The incident was classified as Level 1 (Anomaly) on the International Nuclear and Radiological Event Scale (INES).
Sellafield Ltd – Magnox Swarf Storage Silo Original Building (12 November 2019): An increased leakage rate of radioactively contaminated water was reported from this facility. The leak is believed to be into the ground from cracks in the structure below ground level, possibly reopening an existing crack from a previous leak in the 1970s. There were no radiation dose consequences or detectable changes in radiological conditions at the plant. The incident was classified as Level 2 (Incident) on the INES. Both incidents resulted in additional ground contamination at Sellafield, requiring cleanup. Source: https://www.onr.org.uk/quarterly-stat/2019-4.htm
During the third quarter of 2020 (1 July to 30 September), the Office for Nuclear Regulation (ONR) reported two incidents at nuclear licensed sites in Great Britain that met the Ministerial Reporting Criteria (MRC).
Sellafield Ltd – Chemical Requiring Specialist Disposal (11 August 2020): A routine inspection revealed a potentially explosive chemical change in composition in a storage cupboard at Sellafield’s Magnox Reprocessing Facility. The Army Explosive Ordnance Disposal team safely disposed of the chemical. Sellafield Ltd is improving waste chemical management, and the incident was rated Level 0 (Below Scale / No Safety Significance) on the INES.
Sellafield Ltd – Uranyl Nitrate Leak from Pipework (10 September 2020): A small leak of Uranyl Nitrate from a pipe was reported. The area was cordoned off and the spill contained. Investigations showed internal corrosion in the pipe, leading to replacement and system service restoration. The incident was rated Level 1 (Anomaly) on the INES. No radiation dose consequences to the workforce or the public were reported in either incident. Source: https://www.onr.org.uk/quarterly-stat/2020-3.htm
During the third quarter of 2021 (1 July to 30 September), the Office for Nuclear Regulation (ONR) reported one incident at a nuclear licensed site in Great Britain that met the Ministerial Reporting Criteria (MRC).
Heysham 1 Incident (22 July 2021): Heysham 1 experienced a complete loss of 400kV power supplies due to the failure of a National Grid transformer offsite. Both reactors, operating at full power, tripped automatically. One of the four Emergency Boiler Feed Pumps (EBFP) started automatically for post-trip cooling, while two others failed due to an automatic control system issue and were manually started after 45 minutes. The site incident was declared by EDF, and post-trip cooling was effectively established. There were no injuries or radiological consequences. The event was rated Level 2 (Incident) on the International Nuclear Event Scale (INES).
Response and Actions:
EDF initiated emergency arrangements and maintained adequate stocks of boiler feed demineralised water.
Improvements were made in water stock management and decision-making instructions.
Post-trip logic was modified to prevent a recurrence of such an event.
The investigation concluded that the shortfall in the operation of the post-trip logic equipment was not reasonably foreseeable.
No significant compliance shortfalls were found, and the duty holder’s measures to learn from the incident were confirmed.
ONR conducted a return to service inspection, finding no issues preventing the restart of both reactors.
Hartlepool, the only other station of similar design, was confirmed to have resilient post-trip logic equipment, indicating this was not a fleet-wide issue. Source: https://www.onr.org.uk/quarterly-stat/2021-3.htm
During the fourth quarter of 2021 (1 September to 31 December), the Office for Nuclear Regulation (ONR) reported three incidents at nuclear licensed sites in Great Britain that met the Ministerial Reporting Criteria (MRC).
Sellafield – Ventilation Duct Holes (9 August 2021): Holes were identified in a ventilation duct at Sellafield’s Highly Active Liquor Evaporation and Storage facility. Although radioactive contamination was detected outside the duct, it was confined to its immediate vicinity with no increase in dose to workers or the public. Sellafield Ltd conducted inspections and planned repairs. The INES rating was provisionally 0, indicating no safety significance.
Sellafield – Magnox Reprocessing Facility Fire (22 October 2021): A fire, caused by a faulty light fitting, occurred in a radiologically controlled area of the facility. The building was evacuated, and the fire was extinguished without nuclear safety issues, injuries, or radiological consequences. Operations were temporarily shut down for equipment checks and repairs before resuming service. The ONR required no further investigation as there were no radiological or nuclear safety consequences.
Siemens Healthcare Limited – Radiopharmaceuticals Transport Incident (11 September 2021): A package of radiopharmaceuticals fell from a vehicle due to incorrect securing. The undamaged package, found by a member of the public, posed no risk. Following ONR’s investigation, Siemens Healthcare Limited was issued an Improvement Notice for inadequate radiation risk assessment, which was later complied with and closed in January 2022. Source: https://www.onr.org.uk/quarterly-stat/2021-4.htm
During the second quarter of 2022 (1 April to 30 June), the Office for Nuclear Regulation (ONR) reported two incidents at nuclear licensed sites in Great Britain that met the Ministerial Reporting Criteria (MRC).
Dounreay Incident (20 April 2022): At Dounreay Site Restoration Ltd, a higher than expected pressure excursion occurred during operations at the Prototype Fast Reactor Sodium Tank Farm. This resulted in minor damage and the release of a small amount of caustic liquor. There were no injuries or significant radiological risk. The ONR issued an Enforcement Letter to Dounreay for contraventions and required improved arrangements before resuming operations. The incident was rated Level 1 (‘Anomaly’) on the International Nuclear Event Scale (INES).
Sellafield Incident (2021, Reported in 2022): Routine internal dosimetry monitoring at Sellafield Ltd identified an individual with internal radiation contamination exceeding the annual statutory dose limit. Sellafield Ltd responded by further testing and placing the individual on restricted activities. Investigations to determine the cause of the dose uptake are ongoing. The ONR is reviewing the incident, which has been provisionally rated as INES 1, potentially escalating to INES level 2 if further enquiries confirm a one-off exposure event exceeded statutory limits. Source: https://www.onr.org.uk/quarterly-stat/2022-2.htm
During the fourth quarter of 2022 (1 October to 31 December), the Office for Nuclear Regulation (ONR) reported one incident at a nuclear licensed site within Great Britain that met the Ministerial Reporting Criteria (MRC).
Sellafield Incident (5 October 2022): An empty irradiated fuel transport flask from Sellafield Ltd was delivered to EDF’s Hinkley Point B site. A routine radiation survey found some contamination on the flask’s exterior, exceeding regulatory limits. The ONR’s follow-up confirmed that adequate protection measures during transport prevented further spread of contamination, ensuring public safety. EDF cleaned and analyzed the flask, and Sellafield Ltd paused flask exports, conducted radiation monitoring, and implemented an enhanced monitoring regime before resuming transport. No further contamination incidents have occurred. The ONR plans to inspect Sellafield Ltd’s transport management arrangements for irradiated fuel flasks to assess regulatory compliance. Source: https://www.onr.org.uk/quarterly-stat/2022-4.htm
- The Office for Nuclear Regulation (ONR) had received an unsatisfactory assurance following an internal audit review on cybersecurity. The audit also identified the need for external IT expert support and the production of options for consideration. Additionally, a governance structure was established to ensure adequate oversight.
- Up-skilling Staff for Cybersecurity Regulation: The ONR was focusing on up-skilling staff to provide consistent and proportionate regulation of evolving cybersecurity threats. This effort was part of a broader initiative to implement robust governance and assurance processes. The ONR intended to continue concentrating regulatory efforts on areas of work based on regulatory intelligence and in alignment with wider government and ONR priorities.
Contextualizing Sellafield: The Bigger Picture and the UK’s Nuclear Ambitions
The stakes are high: Sellafield houses more radioactive material than Chernobyl, and a mishap here could spell disaster, not just for the UK but for neighboring nations. Past incidents and criticisms of the site’s safety, along with the ONR’s recent call for improvements, add layers of gravity to the situation.
As the UK endeavors to boost its nuclear power capabilities by 2050, the security of sites like Sellafield will have a tremendous impact on public opinion. The Guardian’s confidence in its report, coupled with the ONR’s comments, emphasizes the urgent need for enhanced cybersecurity protocols in critical infrastructure. While the UK Government asserts robust cybersecurity measures, the country’s history of opaque disclosures in cyber incidents warrants a closer examination. It is my belief that the UK government is not beyond downplaying, or simply being unable to address, the threats to critical infrastructure presented by cybersecurity vulnerabilities.
The Guardian’s allegations underscore the dual threat posed to critical infrastructure: from state-backed espionage to criminal cyber activities. Sellafield’s role in the UK’s nuclear future makes it imperative that these claims are thoroughly investigated and addressed to ensure not just national security, but international safety and confidence in the UK’s nuclear stewardship.