The UK’s Office for Nuclear Regulation (ONR) has started legal action against the controversial Sellafield nuclear waste facility due to years of alleged cybersecurity breaches.
Last December, as we previously reported, claims surfaced about Russian and Chinese hackers planting malware on the nuclear reactor site’s systems as far back as 2015.
The fear is that the malware might have been planted on Sellafield’s IT systems for espionage (to access sensitive information about personnel or radioactive waste movement) and for disruptive attacks.
Sellafield’s computer servers are considered so alarming by some insiders that they have earned the nickname “Voldemort,” after the Harry Potter villain.
External contractors have reportedly been allowed to plug potentially infected USB devices into the Sellafield facility’s network. A 2012 report warned of “critical security vulnerabilities” that still need urgent fixing.
The Guardian, which initially brought attention to the claims, said that it was still not known if the malware infection had been eradicated, and that the Sellafield site had been put in “special measures” due to its consistent cybersecurity breaches and failure to report incidents.
At the time of the initial reports in The Guardian, the UK government tried to play down the seriousness of the situation:
“We have no records or evidence to suggest that Sellafield Ltd networks have been successfully attacked by state-actors in the way described by the Guardian.”
However, as The Guardian now reports, the ONR will prosecute Sellafield for alleged security offences, prompted by the newspaper’s investigation.
“These charges relate to alleged information technology security offences during a four-year period between 2019 and early 2023. There is no suggestion that public safety has been compromised as a result of these issues,” said the ONR. “The decision to begin legal proceedings follows an investigation by ONR, the UK’s independent nuclear regulator.”
According to the ONR, details of the first court hearing would be announced when available.
Sellafield appointed a new chief digital information officer responsible for cybersecurity a month after The Guardian’s initial revelations.
“Safety and security at our former nuclear sites is paramount and we fully support the Office for Nuclear Regulation in its independent role as regulator,” said the UK government’s Department for Energy Security and Net Zero, which funds Sellafield. “The regulator has made clear that there is no suggestion that public safety has been compromised at Sellafield. Since the period of this prosecution, we have seen a change of leadership at Sellafield and the ONR has noted a clear commitment to address its concerns.”
In 1957, a fire broke out at the Sellafield reactor site (then known as Windscale), releasing radioactive contamination across Europe. It was the worst nuclear accident in British history.
While no evidence has been presented of an immediate risk to public safety, the potential for espionage or a targeted disruptive attack undoubtedly raises concern – particularly for a place with such a chequered history as Sellafield.