Ministers are under pressure to explain the actions of the government and regulators over cyber security at Europe’s most hazardous nuclear site after a Guardian investigation revealed disturbing vulnerabilities in its networks.
The shadow energy secretary, Ed Miliband, called on the government to urgently “provide assurances” about Sellafield, after the Guardian revealed it had been hacked by groups linked to Russia and China.
The investigation also disclosed how Sellafield is in effect in “special measures” because of concerns about cybersecurity and its regulator, the Office for Nuclear Regulation, put the site into “significantly enhanced attention” for cybersecurity.
The hack and its potential effects have been consistently covered up by senior staff at Sellafield, and have emerged in Nuclear Leaks, a year-long Guardian investigation into the vast nuclear waste and decommissioning site.
The investigation also found that external contractors had been able to plug memory sticks into the system while unsupervised. The problem of insecure servers at Sellafield was nicknamed Voldemort after the Harry Potter villain, according to a government official familiar with the ONR investigation.
The disclosures have triggered concerns in Westminster over the government’s handling of the site, which has the largest store of plutonium on the planet and absorbs about £2.5bn a year of the energy department’s budget.
Miliband said: “This is a very concerning report about one of our most sensitive pieces of energy infrastructure. It raises allegations that must be treated with the utmost seriousness by government.
“The government has a responsibility to say when it first knew of these allegations, what action it and the regulator took and to provide assurances about the protection of our national security.
Miliband said Labour would “make cybersecurity a top priority, protecting our institutions and public services”.
Angus MacNeil, an independent MP and chair of the energy security committee, said: “This is concerning news for me, not just as chair of the energy security committee but also as a member of the joint committee on the national security strategy where cyber-attacks have been the subject of our investigations.
“The most concerning part is that Sellafield seems not to have been open with the regulatory authorities about the security breaches, trying to improve matters themselves without perhaps the best of help which also lays them open to charges of ‘cover-up’. From now on that culture has to change at Sellafield.”
A National Cyber Security Centre spokesperson said to the media: “The NCSC has warned of the enduring and significant cyber threat to the UK’s critical national infrastructure for some time, including in our latest annual review.
“We work closely with all areas of the UK’s critical national infrastructure and engage with organisations to highlight the threat landscape and mitigation activities as part of our routine operations.”
A spokesperson from the Department for Energy Security and Net Zero said: “Many of the issues raised are historical and the regulator has for some time been working with Sellafield to ensure necessary improvements are implemented. We are expecting regular updates on how this progresses.”
The ONR said Sellafield was “currently not meeting the high standards that we require in cybersecurity” and that some “specific matters are subject to ongoing investigations”.
A Sellafield spokesperson said: “We take cybersecurity extremely seriously at Sellafield. All of our systems and servers have multiple layers of protection.
“Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not penetrate these.
“Over the past 10 years we have evolved to meet the challenges of the modern world, including a greater focus on cybersecurity.”
The spokesperson added Sellafield is “working closely with our regulator” and has an “agreed route to step down from ‘significantly enhanced’ regulation”.
Before publication of news of the hack, Sellafield and the ONR declined to answer a number of specific questions or say if Sellafield networks had been compromised by groups linked to Russia and China. After publication, they said they had no records to suggest Sellafield’s networks had been successfully attacked by state actors in the way the Guardian described.