Cybersecurity vulnerabilities at the UK’s most hazardous nuclear site must be urgently addressed and explanations given for any shortcomings, a cabinet minister has demanded.
Claire Coutinho, secretary of state for energy security and net zero, wrote to the chief executive of the Nuclear Decommissioning Authority (NDA), David Peattie, saying allegations by the Guardian about failings in cybersecurity at Sellafield in Cumbria needed “urgent attention”.
The intervention follows the revelation that the vast nuclear waste and decommissioning dump has been hacked by groups linked to China and Russia, and its potential effects covered up by senior staff. It emerged as part of Nuclear Leaks, a year-long Guardian investigation into problems spanning cyber hacking, radioactive contamination, and toxic workplace culture at Sellafield.
Coutinho said: “The allegations are a worrying reminder of the longstanding nature of some of these issues, specifically cybersecurity at Sellafield, which I understand has been under enhanced regulatory scrutiny since 2014.”
The energy secretary added that, although Sellafield has said it has no evidence of having been a victim of a successful cyber-attack on its systems by state-sponsored hackers, she was asking for “further reassurance on this matter” from Sellafield, its regulator the Office for Nuclear Regulation (ONR) and the government’s National Cyber Security Centre.
“I would like to see the NDA provide further assurance that cybersecurity threats are treated with the highest level of priority and that threats that do emerge are properly recorded and acted upon,” her letter states.
The government has also formally requested an update on a range of activities at the site, including work on cleaning up leaking silos of radioactive sludge and liquid after a report by the Guardian on growing safety concerns.
Coutinho’s opposite number, Labour’s Ed Miliband, had called for government action after the Guardian’s reporting. He said the revelations were “very concerning” and involved allegations of the utmost seriousness.
“The government has a responsibility to say when it first knew of these allegations, what action it and the regulator took, and to provide assurances about the protection of our national security,” Miliband said.
The prime minister’s spokesperson also warned on Tuesday of the risks posed by hostile states to the UK’s most sensitive infrastructure.
“The National Cyber Security Centre has warned of the cyber threat to our critical national infrastructure for some time,” they said. “That’s why we’ve worked closely with UK business organisations to improve cybersecurity and resilience across a range of sectors.”
They added that “regulators have reassured the government that public safety is not compromised at Sellafield and the public should be reassured of that. I can’t get into more detail on that particular intelligence or details of the specific incident.”
Politicians from other opposition parties also expressed concerns.
Carla Denyer, co-leader of the Green party, which opposes nuclear power, said: “This toxic legacy of nuclear weapons and nuclear power poses a serious risk to life and public health as well as poisoning relations with other countries, especially Norway, that would be devastated by a radioactive plume if ever there was a major incident at Sellafield.
“This is Europe’s most hazardous nuclear site, so the government must put in place the investment needed to make it as safe as possible.”
A spokesperson for Sellafield said in response to the Guardian’s reporting: “We take cybersecurity extremely seriously at Sellafield,” and that it was working on improving its capabilities, adding that the site was “proud” of its safety record.
“The nature of our site means that, until we complete our mission, our highest hazard facilities will always pose a risk,” the spokesperson said.
Sellafield is understood to argue that the leaking silo poses “no additional risk” to staff and the public.