It is a popular pastime in the modern era to imagine how the world is going to end – AI might become a little too intelligent and no longer particularly artificial, for instance, rise up and rebel against its human masters in a robo-doom scenario where lasers obliterate high-rise buildings one by one. Or perhaps the great powers will argue again, and vaporise half of the global landscape in under ten minutes with their terrifying nuclear arsenals as World War Three rains fire from the heavens. Or perhaps it will all be an accident, an experiment that goes wrong, like how Chernobyl ended one small part of the world tucked away in Ukraine, or a hack that worked too well.
One of the most worrying trends in the development of modern warfare is not laser blasters, flying machine guns or any other terrifying toy, but the calculated and dangerous development of cyberwarfare. Since the Bush administration unleashed Stuxnet on the Iranian nuclear development programme, power plants and electricity grids have become one of the favourite victims of cybercriminals – and, more specifically, cybersoldiers – around the world. This has included the WannaCry and NotPetya attacks on Ukraine by Russian state-backed groups such as Sandworm (also known as GRU unit 64455, meaning they are a part of the Russian military proper. Iran and Ukraine may seem far-flung places to many in the West. Until it happens in the United Kingdom.
The very recent attack on Sellafield – if this attack is confirmed - is just one of a string of attacks targeting the ‘Five Eyes’ alliance, which has included attacks on parts of the United States power grid. Aside from being the most toxic, and the most dangerous, nuclear power plant in Europe, Sellafield also holds many of the most secret and most dangerous files regarding the UK’s nuclear defence strategy, to name just one of the topics discussed. According to the Guardian’s report, it is these files which may have been either corrupted or stolen. However, the most worrying theory reported is that the activities of the hackers may have resulted in disruption to hazardous material disposal and handling, and other vital processes to the safe production of nuclear power. This poses a risk to public safety and could introduce harmful materials into the local area.
At present, the UK government still denies that Sellafield has been attacked in any form, which could be true, but may also be a coverup of the highest risk to attempt to hide the embarrassment such an attack would bring on the nation. The difficulty is, it’s completely not out of the question that Sellafield has been attacked and the malware remains relatively undetected – it would be a tempting target to Russian or Chinese hackers looking to cause chaos or steal some of the most valuable files available. Furthermore, Sellafield was put in what the Office for Nuclear Regulation (ONR) described as ‘significantly enhanced observation’ because of their shortcomings in terms of cybersecurity.
Even if the UK government’s insistence that Sellafield is safe, the question remains – why is cybersecurity, especially in the nuclear sector, not being treated as the highest priority?
Energy sectors around the world have fallen under almost constant attack, and the chaos that would ensue from a truly successful attack on the scale of something like NotPetya - which wiped the computers of multinational organisations across more than sixty countries - would be catastrophic, especially in a Western country with the degree of automation common to countries such as the US. Chornobyl and Fukushima were accidents, and still killed or injured hundreds of thousands of residents and workers. The question to ask now is whether the UK government is wilfully endangering thousands or even millions of its citizens, or whether this is due to incompetence.
Cybersecurity and site security in this case, and many cases where nuclear and other forms of energy become targets, go hand in hand. Alarmingly, Sellafield spokespeople continue to dodge questions about the condition of Silo B30, which may have several significant cracks, and contains pools of ‘nuclear sludge’. This would already pose a danger to life even before the potential cyberattacks are considered. And yet, the only response from Sellafield, the ONR, the environment agency, and cybersecurity bodies within the government is to dodge questions and deny reports of things going wrong. When so much is at risk, this is a totally unacceptable response, but unfortunately by no means surprising. When such a hazardous place becomes so wrapped up in scandal that it has to change its name to stop people from getting nervous – from a fire in the 1950s that was considered the worst nuclear disaster of the time, to a UN court case brought by Ireland – something should really change.
While far-fetched, Sellafield Ltd and the UK government are risking snow in Cumbria being a permanent reality – nuclear winter through incompetence and vicious cyberattacks. These two factors are closely linked – it is still up for debate whether the government’s woefully inadequate cyberwarfare strategy can be chalked up to gross incompetence or laziness to the point of negligence. The truth is that hoping cyberwarfare will just go away if you ignore it for long enough is a lot like Sellafield. Eventually, the sludge comes leaking out, and people will start to die.
Image: Simon Ledingham
Comments