Nuclear energy has always had a polarising effect on the public consciousness. Mark Neate, Environment, Safety and Security Director at Sellafield, talks to Johanna Hamilton AMBCS about IT, legacy systems and how modern-day nuclear power could be a world-leading opportunity for British manufacturing.

From a wonder of modern technology, producing almost endless amounts of electricity from splitting the atom, to a doomsday scenario threatening mankind’s very existence, nuclear power has certainly had its ups and its (melt)downs.

Tell me about your role at Sellafield?

My role is multifaceted and as the title ‘Environment Safety and Security’ conveys – this includes protection of the environment and more broadly sustainability, taking a longer-term view of our impact on the environment.

I characterise the purpose of Sellafield as creating a clean and safe environment for future generations. Within that we have three strategic themes – one is safe secure sustainable site stewardship, on a daily basis (we only have to sneeze and there's reverberations). The other is progress (high hazard risk reduction) at pace. And then, finally, there's lifetime value for money – it’s public money.

These three themes are broadly complementary but can create ambiguity for me; for example, managing environmental impact of significant capital builds against the necessarily stringent demands of nuclear safety.

Reducing risk at pace is clearly what we want to do given Sellafield is one of the largest and more hazardous sites in the world, but pace in itself can bring with it risk if not managed appropriately – nuclear safety will always remain our primary consideration. And then, of course, as a component within that there's cyber.

Have you seen a rise in the number of cyber attacks since COVID and the war in Ukraine?

No. It’s largely thousands of generic attempts bouncing off our defensive capabilities. We have seen cyber-related attempts at exploitation but in terms of trying to exploit our IT or OT, they're more in the sense of people trying to manipulate data for money. That's where we see it coming in as a quasi-cyber domain.

Either through mistake and emails, our biggest risk is still human. So, we do see low level activity but we haven't seen high level activity and of course unsurprisingly given the nature of Sellafield we have not only our own defences but we enjoy support from Government agencies such as NCSC; so there's a variety of measures in place that surround us.

Your job at Sellafield is to protect an area of 265 hectares and 1000 buildings with some 200 plus nuclear facilities. It's Europe's largest nuclear site with the most diverse range of nuclear facilities in the world situated on a single site. What are the IT challenges?

That conveys a picture and of course much of the challenge we are dealing with is legacy. So a history from materials for conventional weaponry back in the long past, back in the 40s and 50s and then into material for the bomb and then into power generation. Moving forward, it’s then reprocessing it and getting rid of the hazard and storing material on a quantity that's amongst the largest quantities in the world.

We have everything from the very modern to the very old. So when cyber is considered there are a number of complexities. For example, patching – yes of course we seek to patch, but a number of our systems are historic and can't be patched and you can't simply replace the system, so you have to balance the risk. “Well, if I can't do that with the system and it has a potential vulnerability what else can I do?” So, where necessary, we adopt other measures, from isolation from the internet and intranet, comprehensive surveillance and fortified physical access measures.

So, our approach to cyber has been somewhat unusual in that you'd start, ordinarily from the inside (protect the ‘crown jewels’) through a comprehensive understanding of all the detailed risks associated with 200 nuclear facilities and then move out. But our assessment of risk and where we identified greatest benefit led to an approach that I generalise as outside to in; protect from internet access, then intranet and then focus on the specifics of the facility.

So is that looking for vulnerabilities through pentesting? Red teaming?

With an understanding of the threat we started by asking “where is the critical vulnerability?” Is it in the connection to the internet? If it is, then let's make sure we've got sufficient protection against the internet.

Then we go to a middle layer of, right, now it's the interconnection from our business systems into the facilities and let's protect that ring. Then finally, let's move into the facilities themselves and do the sort of detailed protection needed at that level. So, we're progressing through that and we're now into the detail of the facilities.

We do red teaming as we want to be confident that there isn't something we’ve missed. So we utilise the support of GCHQ, and the NCSC to explore the facilities and find a possible unacceptable radiological consequence that we may be blind to.

Of course, in an ideal world we would replace all legacy systems and old operating technologies and put in fibre – but even that presents problems. Digging around a congested site – it sounds large but with all those buildings, they're cheek to jowl – can impact current operations and, every now and then, expose legacy issues. As always, it’s about balancing risk.

My role is to balance environment safety and security with the amount of investment that is made available. Whether it’s people, hardware, software, I'm seeking to mitigate risk and balance investment across all areas. What investment gives me the best benefit for risk reduction in the near and far term? There’s always the reality that the budget is finite and even in an unconstrained financial environment only so much work can be completed at any one time.

It feels like society is coming full circle on nuclear energy. A world leading technology in the 1950s, through various nuclear accidents to the need to decommission coal-powered stations. Do you think that there will be a new resurgence and acceptance in nuclear energy now?

Absolutely. Whether it's the likes of Hinkley Point C and Big Build or our Government investing in Small Modular Reactors we have areas of British industry such as Rolls-Royce getting involved. In terms of risk retirement Sellafield is a huge investment for Government – with a budget this year of £2.345 billion.

The challenge is not to let the historical view of Sellafield turn into a misperception of what the future opportunity of modern nuclear presents. We as a business need a certain amount of power, so we will continue to monitor evolving options that give us both power and also the opportunity to reduce our carbon footprint.

The promise of cheaper cleaner electricity with nuclear is rather blighted by decommissioning which can run to many tens of billions and involve very polluting materials. How can you balance the dream of nuclear with some of the harsher realities?

Sellafield is really a distortion of that cost – we are still paying for the ‘sins of our forefathers’. Decommissioning of the large plants is not an inexpensive proposition which is why the advent of things like advanced modular reactors or small modular reactors are becoming a more attractive proposition.

Much of our cost is associated with the nature and quantities of waste we are dealing with, which we might reduce with future technologies, for example thermal treatment of waste – this in turn, could pay dividends when eventually retiring Hinkley Point C albeit the amount of fuel they're using is quantums less than that stored at Sellafield.

It's on a different scale, notwithstanding the concrete rebar, in terms of the nuclear waste associated with modern facilities it's a fundamentally different ball game to the waste challenge presented by Sellafield.

So, do you think there will be smaller reactors but more of them in the future?

There's opportunity there and of course the larger installations play to where we used to be with Calder Hall. They play to other international propositions, whether it's French, Chinese, American whatever. But, at the smaller end of the spectrum in other propositions such as fusion, there’s potential there for the UK, that’s where the Government are investing.

We’re at the SASIG conference today for cyber security. How important is it for you to invest your time in networking with other security professionals?

I've been a long supporter of SASIG. Martin Smith MBE, Chairman and founder of SASIG came to Sellafield and gave us some assistance largely looking at security from a human perspective – and that rolled across into our enduring participation in SASIG. For me, there's an opportunity to meet a number of the vendors – Darktrace, Egress etc.

It's an opportunity for me to catch up with them, to network with others but also to listen to different ideas. At times we can all be quite insular. I see things through the nuclear industry perspective and of course I'm trying to balance various risks – but when I’m listening to banking and what they're doing, I start to think, “how can I learn from this?” SASIG is a great way to mix with people and garner ideas.