Sellafield issued hefty fine for cybersecurity failures


Sellafield has been fined £332,500 plus costs for security failings that were described as a 'disaster waiting to happen'.

The penalty has been imposed by the Office for Nuclear Regulation (ONR), and relates to the way Sellafield failed to meet the standards, procedures, and arrangements set out in its own approved plan for cybersecurity, as well as its failure to protect sensitive nuclear information between 2019 and 2023.

While there's no evidence that these failings have been exploited, they did leave Sellafield's IT systems vulnerable to unauthorized access and loss of data, according to the ONR.

Last year, an ONR inspector warned that a successful ransomware attack could affect important 'high-hazard risk reduction' work at the site, disrupt operations, damage facilities, and delay important decommissioning activities. Full recovery of IT operations could potentially take up to 18 months in the event of an attack, the inspector found.

Meanwhile, the company itself concluded that a successful phishing attack or malicious insider could have triggered the loss or compromise of key systems and data.

"Failings were known about for a considerable length of time, but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised," said Paul Fyfe, ONR's senior director of regulation, at a hearing this week.

At an earlier hearing in June at Westminster Magistrates Court, the company pleaded guilty to failing to ensure there was adequate protection of sensitive nuclear information on its information technology network.

It also admitted failing to comply with its approved security plan by not arranging for annual 'health checks' on its operational technology (OT) systems by an authorized Check scheme tester.

"It has been accepted the company's ability to comply with certain obligations under the Nuclear Industries Security Regulations 2003 during a period of four years was poor," Fyfe said.

"Nevertheless, with new leadership and additional resources in place at Sellafield Ltd, we have seen positive improvements during the last year, and evidence the senior leadership is now giving cybersecurity the level of attention and focus it requires.

"We will continue to apply robust regulatory scrutiny where necessary to ensure all risks, including cybersecurity, are effectively managed by the nuclear industry."

Located in Cumbria, Sellafield handles more radioactive waste in one place than any other nuclear facility in the world.

Its work includes a wide range of high-hazard nuclear activities such as the retrieval of nuclear waste, fuel, and sludge from legacy ponds and silos, the storage of special nuclear materials including plutonium and uranium, and the management of spent nuclear fuel.

Since the original allegations, the company has improved IT management at the site and has also established a new secure data center for hosting its sensitive data.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.