Avoiding cyber attack fallout: Lessons from the Sellafield site

What is alleged? 

The Guardian claims that, as long ago as 2015, Russian and Chinese threat actors successfully breached Sellafield’s cyber defences by using “sleeper malware”.

Sleeper malware can take many forms – sleeper ransomware, such as the Windows-based Locker, has been prevalent for more than a decade and in recent years the macOS malware Sliver Sparrow has shown its own ‘sleeper’ functionality.

The Guardian report also highlighted potential failures in basic cyber security principles. It claimed that staff at an external site had access into Sellafield servers, and that external contractors were able to plug memory sticks into Sellafield’s systems without supervision. (The latter brings back memories of the now infamous Stuxnet attack on Iranian enrichment plants, which was reportedly achieved using removable storage devices.) 

The claims have been refuted by Sellafield, which says it has “no records or evidence” to indicate that its networks have been successfully breached in “the manner described” by the Guardian. Sellafield also says it has, “a high degree of confidence that no such malware exists on our system.” 

The report calls into question cyber security governance at Sellafield. The Guardian claims the site was “last year placed into a form of ‘special measures’ for consistent failings on cyber security,” attributing this to sources within the security services and the Office for Nuclear Regulation (ONR).

While the ONR doesn’t directly confirm the assertion of ‘special measures,’ its published comments do confirm that Sellafield is not “meeting certain high standards that we require” and that it is now “under significantly enhanced attention.”

What might the threat actors be trying to achieve? 

No ransom demand has been received, nor is there (as yet) any evidence that Sellafield’s daily operations have been disrupted.

If the site has in fact been breached, it is possible that the threat actors were simply testing the waters and are now hopeful that their access to Sellafield’s networks and data will one day prove useful to them. 

Alternatively, they may have been laying the groundwork for something more far-reaching.

What are the lessons for businesses? 

Sellafield is a major piece of the UK’s critical national infrastructure. It’s clear that there would be an impact far beyond the physical site itself should it be subject to a successful cyber attack or ongoing compromise of the kind described by the Guardian.

Although not all businesses grapple with securing sites designated as critical national infrastructure, the principles that should be followed are universal:

• Secure the environment: managed detection and response shapes a fully formed managed service around the technical tools and knowhow to detect and respond to the evolving digital threats. 
• Quantify the risks: develop an understanding of risk from third parties (e.g. external contractors) through due diligence and assess your own risks through systems testing.
• Improve the position: embedded training through structured exercises, either with full threat simulations to test your playbooks or desktop-based scenarios to stretch your incident response plan. 
• Ensure you can respond: develop a strong relationship with a trusted partner who can provide knowledge, skills and expertise to get your business back up and running after an incident happens.