© iStock/Maxian

Reports of cyber-attacks on UK nuclear facility at Sellafield

The Office for Nuclear Regulation (ONR) published a statement yesterday (4 December 2023) after the Guardian newspaper reported cyberattacks on the Sellafield nuclear facility on the same day.

The article in the Guardian reported that the UK's Sellafield nuclear facility had been compromised by attack groups with close links to Russia and China. The British daily refers to sources from government circles, the ONR and security services in general. According to these, so-called sleeper malware is said to have been discovered embedded in the nuclear facility's computer networks as early as in 2015. Such malware does not become active immediately after installation, but initially remains inactive and waits for signals, times or events (so-called triggers) to activate it.  

The statement from state-owned operator Sellafield Ltd. says that there is no evidence to suggest that the networks of Sellafield Ltd were successfully attacked in the manner described by the Guardian. The regulatory authority ONR made similar comments in its statement. However, it added that Sellafield Ltd. does not currently fulfil the required IT security standards, which is why the company is under special observation and has been subject to special measures. There are no indications that public safety is being jeopardised, the authority added. 

IT security at nuclear facilities 

Nuclear facilities are part of the critical infrastructure and are therefore subject to special regulations regarding measures to protect them from attacks. This also includes protection against cyber-attacks. Nuclear power plants use digital and analogue systems to monitor, operate, control, protect and secure the facilities. In nuclear power plants, for example, a so-called "defence-in-depth" concept is used, with several safety levels applied across the entire system. Part of this approach involves hardware devices that allow data to flow between highly secure areas (e.g. reactor control) and less secure areas in one direction only. In addition, digital areas that are critical to plant safety systems are isolated from external networks, including the internet.  

GRS continuously analyses the IT threat situation in relation to industrial control systems and critical infrastructures on behalf of the Federal Ministry for the Environment.  


The Sellafield nuclear facility is located in the north-west of England on the Irish Sea. It is home to reprocessing plants, fuel element factories, a vitrification plant for highly radioactive waste and a number of other nuclear facilities, such as the Calder Hall nuclear power plant, which was shut down in 2003. In addition, large quantities of radioactive waste (including spent fuel assemblies and waste from reprocessing) are stored at the site.