Nuclear Leaks, a year-long Guardian investigation, has uncovered problems with cyber hacking, radioactive leaks and toxic workplace culture at Sellafield, the UK’s most hazardous nuclear site.
It has also revealed how a small corner of the UK has an outsized influence on its special relationship with the US, with the countries bound by the shared history of nuclear weapons development. Britain’s neighbours in Europe, particularly Norway and Ireland, also keep a sharp eye on the site, from where previous pollution incidents and radioactivity as a result of a fire have made it to their shores.
What is Sellafield?
The taxpayer-funded site in Cumbria, in the remote north-west coast of England, has the largest store of plutonium on the planet and is a huge nuclear decommissioning and waste dump, handling the remains of decades of atomic power generation and nuclear weapons programmes. It also takes in nuclear waste from countries including Italy, Japan and Germany – which is then processed, packaged and sent back.
Originally named Windscale, the industrial complex dates back to the cold war arms race, and was the original site for the development of nuclear weapons in the UK in 1947, manufacturing plutonium, as Britain raced to build an atomic bomb.
It was the scene of one of Europe’s worst nuclear disasters, the Windscale reactor fire in 1957, which carried a plume of toxic smoke across to the continent.
It was also home to the world’s first full-scale commercial nuclear power station, Calder Hall, which was opened in 1956 and ceased generating electricity in 2003.
The site, which has almost 1,000 buildings, has a workforce of 11,000, with its own railway, road network, laundry services for normal and potentially radioactive garments, and its own police force with more than 80 dogs.
Great Britain still has a group of nuclear power plants, majority owned by France’s EDF, which generate about 16% of the electricity for the power network.
The UK is also building new nuclear power stations, including Hinkley Point C in Somerset, although their waste will eventually be buried in a new geological disposal facility.
What are the cybersecurity concerns?
A Guardian investigation found that Sellafield has been hacked into by cyber groups closely linked to Russia and China and that its potential effects have been consistently covered up by senior staff.
The hack was one of a series of cyber issues at the site, and was covered up by senior managers. Other concerns included external contractors being able to plug memory sticks into the system while unsupervised and staff at remote sites being able to access its computer servers.
The UK’s nuclear watchdog, the Office for Nuclear Regulation (ONR), put the site into a form of “special measures” for consistent failings on cybersecurity.
Sources said cyber breaches were first detected as far back as 2015, when experts realised sleeper malware – software that can lurk and be used to spy on or attack systems – had been embedded in Sellafield’s computer networks. It is still not known if the malware has been eradicated. It may mean some of Sellafield’s most sensitive data on activities, such as moving radioactive waste, monitoring for leaks of dangerous material and checking for fires, have been compromised.
What is leaking?
The investigation revealed a worsening leak of radioactive liquid from one of the “highest nuclear hazards in the UK” – a decaying silo from which radioactive material is leaking into the ground. The leak is likely to continue to 2050.
The Guardian also revealed concerns about B30, a pond containing nuclear sludge from corroded nuclear fuel rods, whose concrete and asphalt skin is ribboned with cracks. These cracks have worsened in recent months, according to sources.
Why are Norway, Ireland and the US so worried and how bad could it get?
Concerns over safety at Sellafield have caused diplomatic tensions with countries including the US, Norway and Ireland. Norwegian officials are concerned that an accident at the site could lead to a plume of radioactive particles being carried by prevailing south-westerly winds across the North Sea, with potentially devastating consequences for Norway’s food production and wildlife. Radioactive contamination from the 1957 Windscale fire reached Norway’s shores.
In 2006, the Irish government tried to take action against Sellafield by referring it to a UN tribunal over concerns about Sellafield’s impact on the environment.
An EU report in 2001 warned an accident at Sellafield could be worse than Chornobyl, the site of the 1986 disaster in Ukraine that exposed five million Europeans to radiation. The report warned that events that could trigger an atmospheric release of radioactive waste at the plant included explosions and air crashes.
Fire safety is a key area of concern. The Guardian investigation revealed an internal document in November 2022 warned of a “cumulative risk” posed by failings in a range of areas, from nuclear safety to managing risks from fire and asbestos. “They can’t handle fire or asbestos on site, let alone the crumbling of nuclear containment materials,” one senior Sellafield employee told the Guardian.
On the hack, sources have said the full extent of any data loss and any ongoing risks to systems was made harder to quantify by Sellafield’s failure to alert nuclear regulators for several years.
On the leaking silo, a report in June from the ONR said the risk from the leak was deemed by Sellafield to be “as low as reasonably practicable”. But scientists who have spoken to the Guardian are increasingly concerned that the full scale of the leak, and the rate at which it may pollute the groundwater, is unclear.
What has the UK government said?
Claire Coutinho, the secretary of state for energy security and net zero, wrote to the chief executive of the Nuclear Decommissioning Authority, David Peattie, saying revelations by the Guardian about failings in cybersecurity needed “urgent attention”.
She said: “The allegations are a worrying reminder of the longstanding nature of some of these issues, specifically cybersecurity at Sellafield.” On the toxic ponds, she said she has also asked Sellafield to “inform me of what efforts have been taken to increase the pace of this work”.
The UK government’s National Cyber Security Centre said: “The NCSC has warned of the enduring and significant cyber threat to the UK’s critical national infrastructure for some time, including in our latest annual review.
“We work closely with all areas of the UK’s critical national infrastructure and engage with organisations to highlight the threat landscape and mitigation activities as part of our routine operations.”
What has Sellafield said?
Sellafield has said it is “working closely with our regulator” on cybersecurity. “As a result of the progress we’ve made, we have an agreed route to step down from ‘significantly enhanced’ regulation,” a spokesperson said.
Prior to publication, Sellafield and the ONR declined to answer a number of specific questions about cybersecurity or say if Sellafield networks had been compromised by groups linked to Russia and China. After publication, they said they had no records to suggest Sellafield’s networks had been successfully attacked by state actors in the way the Guardian described.
After publication, Sellafield also said that it had a “high degree of confidence that no such malware exists on our system”.
On the silo leak, Sellafield is understood to argue that it poses “no additional risk” to staff and the public. A Sellafield spokesperson said: “We are proud of our safety record at Sellafield and we are always striving to improve.
“The nature of our site means that until we complete our mission, our highest hazard facilities will always pose a risk.
“We continuously measure and report on nuclear, radiological, and conventional safety.”