Sellafield issues an apology after pleading guilty to a series of cybersecurity failings

703     0
The Sellafield nuclear site is home to the largest store of plutonium on the planet. Composite: Guardian Design/Alamy
The Sellafield nuclear site is home to the largest store of plutonium on the planet. Composite: Guardian Design/Alamy

Nuclear site awaits sentencing over breaches that it admitted could have threatened national security

Sellafield has apologised after pleading guilty to criminal charges relating to a string of cybersecurity failings at Britain’s most hazardous nuclear site, which it admitted could have threatened national security.

Among the failings at the vast nuclear waste dump in Cumbria was the discovery that 75% of its computer servers were vulnerable to cyber-attacks, Westminster magistrates court in London heard. 

Information that could threaten national security was left exposed for four years, the nuclear watchdog revealed, and Sellafield said it had been performing critical IT health checks that were not, in fact, being carried out.

Late last year, the Guardian’s Nuclear Leaks investigation revealed a string of IT failings at the state-owned company dating back several years, as well as radioactive contamination and toxic workplace culture. 

Sellafield is a sprawling rubbish dump for nuclear waste from weapons programmes and decades of atomic power generation. It has a workforce of about 11,000 people and is part of the Nuclear Decommissioning Authority, a taxpayer-owned and -funded quango.

The Guardian’s investigation also revealed concerns about external contractors being able to plug memory sticks into Sellafield’s system while unsupervised and that its computer servers were deemed so insecure that the problem was nicknamed Voldemort after the Harry Potter villain because it was so sensitive and dangerous.

Sellafield pleaded guilty to charges brought by the Office for Nuclear Regulation (ONR) in June, which relate to information technology security offences spanning a four-year period from 2019 to 2023.

The firm is now awaiting final sentencing, whichthe chief magistrate, Paul Goldspring, said would happen within weeks. The ONR has said it expects sentencing to take place in September.

At a sentencing hearing on Thursday, the court heard that a test had found that it was possible to download and execute malicious files on to Sellafield’s IT networks via a phishing attack “without raising any alarms”, according to Nigel Lawrence KC, representing the ONR.

The site, the world’s largest store of plutonium, was left vulnerable to internal and external cyber-attacks and 75% of its servers were insecure, Lawrence said, citing a report by Atos, a subcontractor at the site.

Sellafield’s own report, from the external IT company Commissum, found that any “reasonably skilled hacker or malicious insider” could access sensitive data and insert malware – computer code – that could then be used to steal information. 

Euan Hutton, chief executive of Sellafield, apologised for failures spanning years in a written witness statement referred to by Paul Greaney KC, representing the company. Hutton said: “I again apologise on behalf of the company for matters which led to these proceedings … I genuinely believe that the issues which led to this prosecution are in the past.”

Hutton was in court but did not speak at the hearing.

Greaney said the company had tried to address its cybersecurity failings by changing IT management at the site and creating a new secure datacentre.

The barrister said some problems identified in recent years had been “turbo-charged” by the prosecution. Greaney said the failings were not a result of cost-cutting. “There was no penny-pinching,” he added.

The court also heard that a subcontractor was sent 4,000 files by mistake, 13 of which were classed as “official/sensitive”, without any alarm being triggered.

Sensitive nuclear information (SNI), the industry’s special classification system, was left vulnerable in part because of the use of “obsolete” technology including Windows 7 and Windows 2008, Lawrence said.

SNI is a mode of categorising information that may have national security implications, and has a special status in law, like other classified materials handled by the British security services or the civil service. Details are given SNI status if they are “deemed to be of value to an adversary planning a hostile act”, according to the ONR.

While all parties said the failings were very serious, the judge said he would need to balance the cost to the taxpayer with the need to deter others in the sector from committing similar offences.

The sentencing would be “new territory for all of us”, Goldspring said, given that no nuclear site had been prosecuted in this way before.

The National Audit Office, Britain’s public spending watchdog, launched an investigation this year into costs and risks at Sellafield.

The Guardian reported last year that the site systems had been hacked by groups linked to Russia and China in December last year, embedding sleeper malware that could lurk and be used to spy or attack systems. 

At the time, Sellafield said it did not have evidence of a successful cyber-attack. Greaney told the court that there was no evidence found for an “effective” cyber-attack on Sellafield. The court heard that Sellafield’s operations centre was found to be “unable to adequately alarm and respond to tested attacks”.

A spokesperson for the company said: “We take cybersecurity extremely seriously at Sellafield, as reflected in our guilty pleas. The charges relate to historic offences and there is no suggestion that public safety was compromised.

“Sellafield has not been subjected to a successful cyber-attack or suffered any loss of sensitive nuclear information. We’ve already made significant improvements to our systems, network, and structures to ensure we are better protected and more resilient.”

The ONR declined to comment. Sellafield has agreed to pay £53,000 in legal costs.

David Wilson

Print page

Comments:

comments powered by Disqus