At first glance, the headline news in late 2023 about a potential cyber security incident at the UK nuclear site Sellafield could be just another chapter in the world’s ongoing saga of cyber attacks. While the details remain hazy and Sellafield denies the Guardian’s serious allegations, the reports present some interesting learning opportunities for executives, businesses and cyber security professionals alike.
Sellafield is the UK’s primary nuclear waste storage facility, and it houses the largest store of plutonium on the planet. Its digital systems are also home to the planning documents that the UK relies on to help it respond to critical incidents – including attacks by foreign powers on the UK.
What is alleged?
The Guardian claims that, as long ago as 2015, Russian and Chinese threat actors successfully breached Sellafield’s cyber defences by using “sleeper malware”.
Sleeper malware can take many forms – sleeper ransomware, such as the Windows-based Locker, has been prevalent for more than a decade and in recent years the macOS malware Sliver Sparrow has shown its own ‘sleeper’ functionality.
The Guardian report also highlighted potential failures in basic cyber security principles. It claimed that staff at an external site had access into Sellafield servers, and that external contractors were able to plug memory sticks into Sellafield’s systems without supervision. (The latter brings back memories of the now infamous Stuxnet attack on Iranian enrichment plants, which was reportedly achieved using removable storage devices.)
The claims have been refuted by Sellafield, which says it has “no records or evidence” to indicate that its networks have been successfully breached in “the manner described” by the Guardian. Sellafield also says it has, “a high degree of confidence that no such malware exists on our system.”
The report calls into question cyber security governance at Sellafield. The Guardian claims the site was “last year placed into a form of ‘special measures’ for consistent failings on cyber security,” attributing this to sources within the security services and the Office for Nuclear Regulation (ONR).
While the ONR doesn’t directly confirm the assertion of ‘special measures,’ its published comments do confirm that Sellafield is not “meeting certain high standards that we require” and that it is now “under significantly enhanced attention.”
What might the threat actors be trying to achieve?
No ransom demand has been received, nor is there (as yet) any evidence that Sellafield’s daily operations have been disrupted.
If the site has in fact been breached, it is possible that the threat actors were simply testing the waters and are now hopeful that their access to Sellafield’s networks and data will one day prove useful to them.
Alternatively, they may have been laying the groundwork for something more far-reaching.
What are the lessons for businesses?
Sellafield is a major piece of the UK’s critical national infrastructure. It’s clear that there would be an impact far beyond the physical site itself should it be subject to a successful cyber attack or ongoing compromise of the kind described by the Guardian.
Although not all businesses grapple with securing sites designated as critical national infrastructure, the principles that should be followed are universal:
- Secure the environment: managed detection and response shapes a fully formed managed service around the technical tools and knowhow to detect and respond to the evolving digital threats.
- Quantify the risks: develop an understanding of risk from third parties (e.g. external contractors) through due diligence and assess your own risks through systems testing.
- Improve the position: embedded training through structured exercises, either with full threat simulations to test your playbooks or desktop-based scenarios to stretch your incident response plan.
- Ensure you can respond: develop a strong relationship with a trusted partner who can provide knowledge, skills and expertise to get your business back up and running after an incident happens.
Cyber Risk
We bring the best of our collective experience, energy and creative power to fiercely safeguard our clients and fortify their communities.
We safeguard clients and their communities
Petroleum Development Oman Pension Fund
“Thomas Murray has been a very valuable partner in the selection process of our new custodian for Petroleum Development Oman Pension Fund.”
ATHEX
"Thomas Murray now plays a key role in helping us to detect and remediate issues in our security posture, and to quantify ATHEX's security performance to our directors and customers."
Northern Trust
“Thomas Murray provides Northern Trust with a range of RFP products, services and technology, delivering an efficient and cost-effective solution that frees our network managers up to focus on higher Value activities.”
Insights
Thomas Murray Partners with Socura to offer Managed Detection and Response to clients that need support to stop cyber threats 24/7.
The collaboration will see Thomas Murray offer Socura MDR to help its clients proactively identify and respond to threats.
Thomas Murray and Crimson7 Announce Strategic Partnership to Modernise Threat Informed Security
Thomas Murray and Crimson7 are partnering to combine their expertise and create innovative solutions for tackling key cyber security challenges.
Thomas Murray and askblue partner to support financial institutions in meeting the Digital Operational Resilience Act (DORA) requirements
Thomas Murray and askblue are collaborating to provide services that help financial institutions comply with DORA requirements.
Threat Intelligence for Law Firms: Protecting clients in the digital age
As a law firm, protecting your clients' data and reputation is more critical than ever in today’s digital-first world.