Sellafield Ltd. has been fined £332,500 ($437,440) for cybersecurity failures at the Sellafield nuclear facility in Cumbria, North-West England.
Westminster Magistrates Court issued the fine following a prosecution brought by the Office for Nuclear Regulation (ONR), the UK’s independent nuclear regulator.
Sellafield Ltd has also been ordered to pay prosecution costs of £53,253.20 ($70,060).
The offences relate to Sellafield’s security around its information technology systems between 2019 and 2023 and breaches of the Nuclear Industries Security Regulations 2003.
At a hearing in June 2024, Sellafield pleaded guilty to all the charges brought by the ONR, which encompassed the following offences:
- Failure to comply with its approved security plan by failing to ensure there was adequate protection of Sensitive Nuclear Information on its information technology network on or before March 18, 2023
- Failure to comply with its approved security plan by not arranging for annual health checks to be undertaken on its operational technology systems by an authorized check scheme tester on and before March 19, 2023
- Failure to comply with its approved security plan by not arranging for annual health checks to be undertaken on its information technology systems by an authorized check scheme tester on and before March 1, 2022
Sellafield is one of Europe’s industrial complexes, managing more radioactive waste than any other nuclear facility worldwide.
Cybersecurity Attack Could Have Disrupted Operations, Exposed Sensitive Data
A successful cyber-attack could have resulted in severe consequences for the nuclear plant as a result of Sellafield Ltd’s failures. This included disruption to the atomic plant’s systems, damaged facilities, delayed decommissioning, and the loss or compromise of key data systems.
A 2023 inspection concluded that a successful ransomware attack could impact important high-hazard risk reduction work at the site, and the full recovery of IT operations could take up to 18 months.
Additionally, internal simulations demonstrated how a successful phishing attack or malicious insider could trigger sensitive data breaches.
There is no evidence that threat actors have exploited any of the cybersecurity vulnerabilities identified at Sellafield.
Paul Fyfe, ONR’s Senior Director of Regulation, noted that Sellafield was aware of its cybersecurity failings for a “considerable length of time” but failed to respond effectively.
“Nevertheless, with new leadership and additional resources in place at Sellafield Ltd, we have seen positive improvements during the last year, and evidence that senior leadership is now giving cyber security the level of attention and focus it requires,” commented Fyfe.
He added, “We will continue to apply robust regulatory scrutiny where necessary to ensure the nuclear industry effectively manages all risks, including cyber security.”
Responding to the ruling, Sellafield Ltd media manager Matt Legg emphasized the charges related to historical offences.
“We’ve already made significant improvements to our systems, network, and structures to ensure we are better protected and more resilient,” he said.
Source: Infosecurity Magazine