The government agency responsible for cleaning Sellafield nuclear waste in Cambria was put under “special measures” due to not meeting cyber-security standards.
The Office for Nuclear Regulation is investigating Sellafield Ltd’s computer security.
The regulator denied that the site was hacked by individuals connected to Russia and China.
Criminals supported by the government infiltrated the top levels of Sellafield’s IT systems. They planted a type of harmful software called sleeper malware, which was hidden and later used for spying or causing severe harm.
The Guardian reported that senior staff members failed to inform the ONR of the hack for several years, and also “covered up” the state of cyber-security.
The incident raised fears that sensitive documents could have been accessed, and that equipment at the facility – which is the largest nuclear site of western Europe, where 140 tonnes of plutonium were stored – might be damaged or disrupted.
Sellafield Ltd. and the ONR insisted that there have been no successful cyberattacks by any hackers, whether state or non-state, or any sleeper malware.
The regulator stated that it “had not seen any evidence” that Sellafield’s systems had been hacked as described. It added: “We are clear that improvements are needed to achieve the high levels of safety and security that we expect to see. But there is no suggestion this compromises public safety.
“We will continue holding Sellafield Ltd accountable to ensure that these improvements are made by a variety of regulatory actions and enforcement, which includes matters which are under an ongoing investigation process.”
Sellafield Ltd said: “We do not have any records or evidence that Sellafield Ltd’s networks have been successfully hacked.
“Our monitoring system is robust, and we are confident that such malware does not exist on our system.
We have asked The Guardian for evidence relating to this alleged assault so that we can investigate. They have not provided this.”
The Guardian reported that the ONR was preparing to bring charges against Sellafield Ltd for its numerous cyber security failings.