Nuclear power: Sellafield admits massive failings in cybersecurity

The operator of the Sellafield nuclear facility apologizes for cyber security failures. National security could have been jeopardized.

A bird's eye view of the Sellafield nuclear complex

(Image: gov.uk)

The operator of the UK's largest nuclear facility, Sellafield, has admitted to massive errors and pleaded guilty to several criminal charges relating to cybersecurity deficiencies. 75 percent of the site's servers were vulnerable to cyberattacks. This was revealed as part of the investigation into the incidents at Westminster Magistrates' Court in London. The Sellafield Group, which is backed by the Nuclear Decommissioning Authority (NDA), the UK's regulatory body for the decommissioning, cleaning and dismantling of nuclear facilities, admitted that these failures could have put national security at risk.

Information remained unprotected for four years, the Guardian reports, citing the NDA. The Sellafield Group had claimed to have carried out critical IT security checks that had not actually taken place. Concerns were also raised that external contractors were able to insert USB sticks into Sellafield's IT systems unsupervised. The servers were considered so insecure internally that the problem was named after the Harry Potter villain Voldemort.

In a court hearing on Thursday, a representative of the Office for Nuclear Regulation (ONR) described how a test had shown that it was possible to download and execute malicious files on Sellafield's IT networks via a phishing attack. This would not trigger an alarm. The ONR filed the lawsuit in June. The judges also heard that a subcontractor was inadvertently sent 4,000 files, 13 of which were classified as "official/sensitive". Other sensitive nuclear information was compromised in part due to the use of "outdated" technologies such as Windows 7 and Windows Server 2008, according to the ONR.

"We have already made significant improvements to our systems, networks and structures to be better protected and more resilient," a Sellafield spokeswoman said. The facility has agreed in advance to pay legal costs of 53,000 pounds (around 62,000 euros). The court would be breaking new ground with sanctions. Last year, the Guardian reported that the facility's IT systems had been attacked by cyber criminals with links to Russia and China. The British government denied this at the time.

In addition to a nuclear power plant and a reprocessing facility, the site also includes the world's largest plutonium storage facility and a nuclear waste disposal site. Accidents have occurred there several times since the 1950s.

(usz)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.