Minister Raises Concerns After Sellafield Nuclear Site Denies Hacking Incident

Sellafield and the nuclear regulator said there’s no evidence of state-backed hacking as described in a report, but the company is under ‘special’ watch.
Undated file photo showing a general view of Sellafield Nuclear power plant, in Cumbria, England. (Peter Byrne/PA)
Lily Zhou
12/5/2023
Updated: 12/5/2023

The energy security secretary sought answers from the Nuclear Decommissioning Authority (NDA) on Monday after Sellafield denied claims that the nuclear site’s IT systems had been hacked by groups linked to hostile states.

The Office for Nuclear Regulation (ONR) also disputed the hacking claims but confirmed that it is scrutinising Sellafield Ltd because the company isn’t meeting the required “high standards” in relation to cyber security.

Claire Coutinho, secretary of state for energy security and net zero, wrote to the NDA’s group CEO David Peattie, asking for further assurance that Sellafield, which is a part of the NDA group, is treating cyber security threats “with the highest level of priority.”

The minister also asked the NDA about its work on stopping the leak at the Magnox Swarf Storage Silo (MSSS), which has accelerated in recent years.

In a report published on Monday, the Guardian claimed that “cyber groups closely linked to Russia and China” had managed to embed malware in Sellafield’s computer networks, and that the company failed to alert regulators about the alleged breach “for several years.”

The report also said Sellafield has been placed into “special measures” by the ONR.

Both Sellafield and the ONR denied claims about the alleged cybersecurity breach.

Sellafield said it has “no records or evidence to suggest that Sellafield Ltd networks have been successfully attacked by state actors in the way described by the Guardian.”

“Our monitoring systems are robust and we have a high degree of confidence that no such malware exists on our system,” the company said in a statement.

“This was confirmed to the Guardian well in advance of publication, along with rebuttals to a number of other inaccuracies in their reporting.

“We have asked the Guardian to provide evidence related to this alleged attack so we can investigate. They have failed to provide this.”

The company said it takes cyber security “extremely seriously” and has “multiple layers of protection” around all its systems and servers.

It also said its critical networks are isolated from its general IT network.

The ONR also said there’s “no evidence that Sellafield’s systems have been hacked by state actors in the way described in the report” in a statement published on Monday.

The watchdog said improvements are required at Sellafield but there’s no suggestion that the problems are compromising public safety.

“We will continue to hold Sellafield Ltd to account to ensure these improvements are made through a range of regulatory action and enforcement,” the ONR said, adding that there have been “positive signs of improvement in recent months” with new leadership at the company.

The regulator also said it will “continue to apply robust regulatory scrutiny as necessary to ensure the ongoing safety of workers and the public.”

“In relation to cyber security, Sellafield Ltd is currently not meeting certain high standards that we require, which is why we have placed them under significantly enhanced attention,” the ONR said.

“Some specific matters are subject to an ongoing investigation process, so we are unable to comment further at this time.”

Acknowledging the watchdog’s statement that there has been improvement, Ms. Coutinho said the allegations are still “a worrying reminder of the longstanding nature of some of these issues.”

According to the minister, the company has been placed under enhanced regulatory scrutiny since 2014.

Ms. Coutinho said she expects “further assurance that cyber security threats are treated with the highest level of priority and that threats that do emerge are properly recorded and acted upon.”

The minister asked Mr. Peattie to provide a delivery plan and timeline for how Sellafield will come out of enhanced regulatory scrutiny on the issue of cybersecurity.

She also requested a schedule for the NDA’s work regarding stopping the leak at the MSSS.

The MSSS was originally built in the 1960s and is assessed to be one of the NDA’s highest-risk nuclear facilities.

According to the International Atomic Energy Agency, the silo’s license holder reported in November 2019 that liquor loss from the structure had accelerated since July that year but that any risk to the public and environment is low.

The Guardian published another report on Tuesday, claiming the safety at the MSSS has “caused diplomatic tensions.”

Sellafield, the first commercial nuclear power station that came into operation in 1956, was the site of one of the earliest nuclear accidents in the world.

A fire that broke out in 1957 led to the release of radioactive material that spread across the UK and Northern Europe.

The Cabinet Office’s list of potential disasters published in August put a civil nuclear accident under the category of “catastrophic” events, but said it’s “remotely possible at best” because British law “requires planning for a range of scenarios, including those far beyond a reasonable worst-case” in line with international good practice.