
In what is a stark warning to nuclear facilities around the world, UK nuclear facility Sellafield, formerly called Windscale, is reported to have been hacked by groups linked to China and Russia, according to The Guardian newspaper. The newspaper reported that breaches were detected as long ago as 2015 and that it is likely that foreign hackers have accessed “the highest echelons of confidential material at the site”.
The 70-year-old sprawling six-square-kilometre facility, located on the North-West coast of England, holds the planet’s largest store of plutonium as a result of processing nuclear waste from decades of atomic power generation and weapons programs.
But the UK government immediately rebutted the allegations made by the newspaper: “We have no records or evidence to suggest that Sellafield Ltd networks have been successfully attacked by state actors in the way described by the Guardian,” adding “Our monitoring systems are robust and we have a high degree of confidence that no such malware exists on our system.” According to the Mail Online news website, Sellafield also says it has ‘no records or evidence’ that the nuclear facility had been ‘successfully attacked by state actors’.
However, the vast nuclear facility, which employs 11,000 staff, has an unhappy history where cybersecurity is concerned. Security flaws highlighted by The Guardian include external contractors allegedly being able to plug memory sticks into the system while unsupervised. Last July, the facility was reported to have inadvertently broadcast login details and passwords for ‘secure’ IT systems on national TV, while co-operating with the BBC TV series, Countryfile, on a documentary about rural communities living alongside nuclear facilities. Last year, Sellafield, which has more than 11,000 staff, was placed under “special measures” for consistent cybersecurity failings, according to sources at the Office for Nuclear Regulation (ONR), reports The Guardian.
News of the alleged breach should nevertheless galvanize those managing nuclear facilities to overhaul their own cybersecurity. When the sprawling Sellafield nuclear facility, then known as Windscale, was originally constructed well over half a century ago, its security was state-of-the-art and continued to be so until relatively recently. Patrolled by armed police officers, the facility is no doubt physically secure and able to protect itself from unauthorized visitors. Even in the early years of the age of the internet, nuclear facilities like this were seen to be protected by what was known as the “air gap”. This referred to the fact that the systems running them were not connected to the internet and were essentially old-fashioned, fully sealed local area networks.
But the efficiencies offered by a myriad of online services and the ubiquitous nature of mobile devices have effectively driven a coach and horses through the old cyber-safeguards. A growing number of nuclear facilities across the globe have been tempted to use a rapidly widening range of online contractors and services to cut costs and increase efficiency.
The Guardian’s allegations that onsite contractors may have been able to insert USB devices into the system are particularly disturbing. Devices such as the “Bash Bunny”, which have been available online for between $100 and $200 for several years, need only be inserted into a USB port on any terminal for a very short time in order to compromise the entire control system. Nuclear facilities like Sellafield have more recently become the known targets of international terrorists. The Chernobyl and Fukushima disasters provide firm on-the-ground evidence of the human and environmental devastation that would inevitably result from a successful terrorist cyber-attack on a poorly protected nuclear facility such as Sellafield.