This week, a few stories to bring cyber security a little closer to home:

3 – Cyber security concerns at the world’s largest store of plutonium.

2 – Cyber security attacks on our water supply.

1 – One cyber attack that impacted at least 80 law firms, and delayed house purchases.

Glass Half Full: To put a positive spin on all of these stories: If things aren’t going well for you this December, at least you don’t work in a nuclear plant, a water treatment plant, or a company that now faces difficult questions from at least 80 legal firms!


3 – Cyber concerns at Sellafield.

“The UK’s most hazardous nuclear site, Sellafield, has been hacked into by cyber groups closely linked to Russia and China [..] Authorities do not know exactly when the IT systems were first compromised. But sources said breaches were first detected as far back as 2015 [..] The full extent of any data loss and any ongoing risks to systems was made harder to quantify by Sellafield’s failure to alert nuclear regulators for several years.”

This is according to a report in The Guardian, following a “year-long investigation [by the Guardian] into cyber hacking, radioactive contamination and toxic workplace culture at Sellafield”. The Guardian also reports “that Sellafield, which has more than 11,000 staff, was last year placed into a form of “special measures” for consistent failings on cybersecurity [by its regulator, which is] also believed to be preparing to prosecute individuals there for cyber failings”.

The UK government has stated that “We have no records or evidence to suggest that Sellafield Ltd networks have been successfully attacked by state-actors in the way described by the Guardian”. But the government does not say the newspaper is wrong, or that all of the other issues reported by the Guardian are inaccurate.

So what?

When I read this story and the UK government’s denial, a few things came to mind.

  1. “We have no records or evidence” is a weak rebuttal. As the saying goes, “Absence of evidence is not evidence of absence”. The statement does not say the newspaper is wrong, or that all of the other issues reported by the Guardian are inaccurate.
  2. Sellafield is 128 miles from Dublin, but under the control of a different government which seems more interested in securing court approval to send immigrants to Rwanda than securing its nuclear sites. So, this story is a good time to remember this line from the Serenity Prayer: “Grant me the serenity to accept the things I cannot change”.
  3. We need to support (and pay for) independent journalism. It funds these types of investigations, makes sure institutions are held to account, and supports free speech and truth – even if this support results in piles of newspapers lying around my house waiting to be read.


2 – Cyber attackers target water treatment plants

Equipment manufactured by Israeli companies is being attacked, causing problems for water treatment plants around the world.

According to a recent report in Government Technology (and shared by ISACA SmartBrief), the issue has affected at least one water treatment plant in the US. According to a report in Breaking News (and sent my way by Philip Breen), it has also impacted a treatment plant in Ireland. In the latter attack, 180 homes were without water for two days while the system was being restored. Apparently, CISA has reminded some equipment users “to ensure the default ‘1111’ password is not in use” on their networks.

So what?

Many people may think they are not at risk of a cyber attack, and ask “why would an attacker attack us?” But as this attack demonstrates, even if you are not a valuable target, you could still suffer collateral damage.


1 – Attack on 1 IT provider impacts over 80 UK law firms

“A cyber incident [on a UK IT service provider], has brought many conveyancing firms, and transactions, to a standstill”

This is according to a report in Today’s Conveyancer. According to the report, “despite initial reports suggesting up to 200 firms were affected, the actual number of impacted firms is closer to 80 and appears to be affecting different firms in different ways, depending on their reliance on [the IT provider’s] systems. Some firms have reported they don’t have access to emails, phones or case management systems and are unable to exchange or complete [property transactions].”

So what?

This reinforces the point about being collateral damage, and it is a reminder of why regulators and regulations like DORA keep focusing on supply chain risk / third party risk management and operational resilience.