Sellafield has been fined £332,500 for cybersecurity shortfalls over four years following a prosecution brought forward by the nation’s nuclear watchdog.
The Office for Nuclear Regulation (ONR) said the offences relate to Sellafield’s management of the security around its information technology systems between 2019 and 2023 and its breaches of the Nuclear Industries Security Regulations 2003.
An investigation by ONR, the UK’s independent nuclear regulator, found that Sellafield Ltd failed to meet the standards, procedures and arrangements, set out in its own approved plan for cyber security and for protecting sensitive nuclear information.
Significant shortfalls were present for a considerable length of time, the ONR said.
It was found that Sellafield allowed this unsatisfactory performance to persist, meaning that its information technology systems were vulnerable to unauthorised access and loss of data.
However, there is no evidence that any vulnerabilities at Sellafield have been exploited because of the identified failings.
In 2023, an ONR inspector noted that a successful ransomware attack could impact important ‘high-hazard risk reduction’ work at the site with a subsequent return to normal IT operations potentially taking up to 18 months.
Internally, Sellafield themselves had also observed how a successful phishing attack or malicious insider might trigger the loss or compromise of key data systems.
A successful attack could have disrupted operations, damaged facilities and delayed important decommissioning activities.
At a hearing in June at Westminster Magistrates Court, the company pleaded guilty to three offences:
- On or before the 18 March 2023, the defendant failed to comply with its approved security plan by failing to ensure there was adequate protection of Sensitive Nuclear Information on its information technology network.
- On and before the 19 March 2021, the defendant failed to comply with its approved security plan by not arranging for annual health checks to be undertaken on its operational technology systems by an authorised Check scheme tester.
- On and before the 1 March 2022, the defendant failed to comply with its approved security plan by not arranging for annual health checks to be undertaken on its information technology systems by an authorised Check scheme tester.
Today (October 2), at the same court, Chief Magistrate Senior District Judge Paul Goldspring ordered Sellafield Ltd to pay a fine of £332,500, along with prosecution costs of £53,253.20.
As part of the sentencing determination, District Judge Goldspring ruled the breaches represented medium culpability (high-end).
Sellafield is one of Europe's largest industrial complexes, managing more radioactive waste in one place than any other nuclear facility in the world.
Work includes a wide-range of high-hazard nuclear activities such as the retrieval of nuclear waste, fuel and sludge from legacy ponds and silos, the storage of special nuclear materials including plutonium and uranium, spent nuclear fuel management and the remediation of hundreds of facilities across the site.
After today’s hearing, Paul Fyfe, ONR’s senior director of regulation, said: "We welcome Sellafield Ltd's guilty pleas.
"It has been accepted the company's ability to comply with certain obligations under the Nuclear Industries Security Regulations 2003 during a period of four years was poor.
"Failings were known about for a considerable length of time but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised.
"Nevertheless, with new leadership and additional resources in place at Sellafield Ltd, we have seen positive improvements during the last year, and evidence the senior leadership is now giving cyber security the level of attention and focus it requires.
READ NEXT: Nuclear site failed to manage risks of hazardous chemical, regulator finds
"We will continue to apply robust regulatory scrutiny where necessary to ensure all risks, including cyber security, are effectively managed by the nuclear industry.”
A Sellafield spokesperson said: “We take cyber security extremely seriously at Sellafield, as reflected in our guilty pleas.
“The charges relate to historical offences and there is no suggestion that public safety was compromised.
“Sellafield has not been subjected to a successful cyber-attack.
“We’ve already made significant improvements to our systems, network, and structures to ensure we are better protected and more resilient.
“The cyber threat is continually evolving, and we will continue to work with the regulator to ensure we meet the high standards rightly required of us.”
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here