The government of the United Kingdom has issued a strongly worded denial of a report that the Sellafield nuclear complex has been compromised by malware for years.
The report, appearing in The Guardian, claimed that the controversial complex was hacked by “cyber groups closely linked to Russia and China,” with the infection detected in 2015 but perhaps present before that year.
The report claimed that “sleeper malware” was embedded in unspecified systems, potentially compromising info on movement of nuclear materials and matters related to safety.
A UK government statement insists “We have no records or evidence to suggest that Sellafield Ltd networks have been successfully attacked by state-actors in the way described by the Guardian,” adding “Our monitoring systems are robust and we have a high degree of confidence that no such malware exists on our system.”
“All of our systems and servers have multiple layers of protection,” reads one of the rebuttal’s bullet points. Another adds “Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not penetrate these.”
The Guardian’s report mentioned infections in “IT systems” and malware “embedded in Sellafield’s computer networks.”
But it is not clear if those systems and networks are isolated, per the government response.
The rebuttal’s info about the isolation of some of Sellafield’s IT estate is also of dubious value, given that the most infamous attack on a nuclear facility – the Stuxnet infection of Iranian enrichment plants – is thought to have been carried out using removable storage devices to get across air gaps.
Nor does the rebuttal address all the issues in the Guardian report, which claimed Sellafield “was last year placed into a form of ‘special measures’ for consistent failings on cyber security, according to sources at the Office for Nuclear Regulation (ONR) and the security services.”
The ONR has posted its own comment on the story, but it does not directly address the allegation of “special measures.”
It does, however, state that the Office has “been clear that there are areas where improvements are required to achieve the high standards of safety and security we expect to see, but there is no suggestion that this is compromising public safety.”
“In relation to cyber security, Sellafield Ltd is currently not meeting certain high standards that we require, which is why we have placed them under significantly enhanced attention,” the doc adds, winding up with news that “Some specific matters are subject to an ongoing investigation process, so we are unable to comment further at this time.”