Sellafield, World's Largest Store of Plutonium, Apologizes After Guilty Plea Over String of Cybersecurity Failings (theguardian.com)
Bruce66423 writes: Sellafield [U.K.'s largest nuclear site] has apologised after pleading guilty to criminal charges relating to a string of cybersecurity failings at Britain's most hazardous nuclear site, which it admitted could have threatened national security.
Among the failings at the vast nuclear waste dump in Cumbria was the discovery that 75% of its computer servers were vulnerable to cyber-attacks, Westminster magistrates court in London heard. Information that could threaten national security was left exposed for four years, the nuclear watchdog revealed, and Sellafield said it had been performing critical IT health checks that were not, in fact, being carried out.
The Guardian's investigation also revealed concerns about external contractors being able to plug memory sticks into Sellafield's system while unsupervised and that its computer servers were deemed so insecure that the problem was nicknamed Voldemort after the Harry Potter villain because it was so sensitive and dangerous.
The good news is that the problem has been spotted. The bad news is that there can be no meaningful punishment for a government owned company. One can only hope that they will do better in the future.
Store of Plutonium (Score:2)
So, when's the next sale?
Re: (Score:3)
Well, so far the recently incoming government discovered: £22 billion of hidden spending that had been lost by the various departments that were legally obliged to report it, 200k extra people for the waiting lists for essential operations, a cost of £700 million (that's $1 billion between friends) for shipping four people off to Rwanda and a massive racist hate network.
So my prediction is that the previous Conservative government already sold it to North Korea and Somalia in return for what is
Re: (Score:2)
So, when's the next sale?
How do we get rid of nuclear waste right away? Give women coupons for it!
Sounds like they got the hard part... (Score:3)
Now they just need a Delorean and a flux capacitor so they can go back in time and patch their servers!
Perhaps not the company (Score:2)
Perhaps the UK (Score:5, Interesting)
Governments cut costs by having 3rd party contractors do things. Part of that is because if they did it themselves, they would have to do it right and there would be no cost savings.
And then the company gets targeted as hard as a nation-state without having the resources to defend itself. While it's true they probably failed basic security, they would still be an equally large target regardless.
Outsourcing cyber security (Score:2)
The virtue of such an approach - as in this case - is that there is clear accountability for the failures. The contractor needs to be BIG - with serious security credentials, and be paid a lot of money for doing the job. The reality here appears that Sellafield didn't have it outsourced, and the numpty who was responsible proved to be either out of their depth or was refused sufficient resources to do it right. Or both. Given how little the public sector tends to pay for IT specialists, I'm betting on 'nump
Re:Outsourcing cyber security (Score:5, Informative)
What wasn't clear was that Sellafield Ltd is not a private company. It is owned and controlled by the UK government. The issue seems to be that it was treated like a fully private company when the larger government should have had its hands in things like security.
Re:Perhaps the UK (Score:5, Interesting)
Governments cut costs by having 3rd party contractors do things.
Ok, then fine and imprison the execs of these companies who failed to do things properly and perhaps the next time there is a competition the bids that come in will be vastly more realistic since those making them will know that if they grossly underbid and fail to deliver they may end up with a hefty prison sentence for breaching national security requirements.
I'm all for using private companies to reduce unnecessary costs but there has to be some strong incentive to ensure that they do not sacrifice necessary costs so they can make more profit.
Re: (Score:2)
As it turns out, Sellafield Ltd. is not a private company - they are fully under the UK government.
Comment removed (Score:4)
Re: I don't want to hear "who's to blame?" on this (Score:2)
Re: (Score:3)
Fortunately things like uranium and plutonium are heavy. If it gets spilled, it falls down into the dirt pretty quick.
I can tell from this excellent advice you are working for the UK Government as a nuclear expert. That's why I predicted that this would end up dumped into the North Sea as sewage. What can possibly go wrong?
Re: (Score:2)
The whole place is a disaster. Endless nuclear accidents. This is no surprise at all, incompetence is their hallmark.
another case of brain outsourcing (Score:2)
Proving again you can be smart and stupid at the same time.
Management everywhere is moronic. Save money, said every MBA, everywhere, by outsourcing.
Also, ahem, why isn't the word "Microsoft" mentioned anywhere?
Whenever there's a hack these days, they magically forget to mention which software was hacked, and it's nearly always {microsoft, cisco, vmware}.
In this case, it's obviously MS. Consequences? Nowhere in sight.
Not a big deal. Just
Re: (Score:2)
Re: (Score:2)
Sensitive nuclear information (SNI), the industry’s special classification system, was left vulnerable in part because of the use of “obsolete” technology including Windows 7 and Windows 2008
- do they really need to spell out "Microsoft"?
Re: (Score:2)
Also, I was right, somehow, and without even reading:
Microsoft is at the centre of this problem ONCE AGAIN.
I do believe the brain-outsourcing comment still stands.
Re: (Score:2, Interesting)
Microsoft literally has exceptions in their terms for Windows and many of their other major software products for use for critical industry. I am paraphrasing here but it essentially says - our software is not designed for critical infrastructure, and the most you can sue for is $5 dollars. Yup Microsoft makes CrowdStrike's $10 gift certs look generous.
I don't know but I would not be the least bit surprised if the same language is in their Government Cloud offerings. It's a nice little game, nobody will eve
Not Rocket Scientists (Score:3)
Information Technology is so hard even "Rocket Scientists" can't do it!
These guys are not rocket scientists they are warehouse operators and the only way they'll ever find themselves in space is if they screw up even worse than they already have.
Resolution (Score:2)
Not again... (Score:3)
False reports (Score:2)
Information that could threaten national security was left exposed for four years, the nuclear watchdog revealed, and Sellafield said it had been performing critical IT health checks that were not, in fact, being carried out.
The people behind these false reports need some time in jail. Otherwise, this simply won't change.
The Q though. (Score:5, Insightful)
Re: (Score:2)
That was my first thought too. Why connected to the Internet?
I'm sure all those upcoming new micro-reactors... (Score:2)