
Sellafield Fined for Cybersecurity Failures at Nuclear Site


Sellafield Ltd. has been fined £332,500 ($437,440) for cybersecurity failures at the Sellafield nuclear facility in Cumbria, North-West England.

Westminster Magistrates Court issued the fine following a prosecution brought by the Office for Nuclear Regulation (ONR), the UK’s independent nuclear regulator.

Sellafield Ltd has also been ordered to pay prosecution costs of £53,253.20 ($70,060).

The offences relate to Sellafield’s security around its information technology systems between 2019 and 2023 and breaches of the Nuclear Industries Security Regulations 2003.

At a hearing in June 2024, Sellafield pleaded guilty to all the charges brought by the ONR, which encompassed the following offences:

  • Failure to comply with its approved security plan by failing to ensure there was adequate protection of Sensitive Nuclear Information on its information technology network on or before March 18, 2023
  • Failure to comply with its approved security plan by not arranging for annual health checks to be undertaken on its operational technology systems by an authorized CHECK scheme tester on and before March 19, 2023
  • Failure to comply with its approved security plan by not arranging for annual health checks to be undertaken on its information technology systems by an authorized CHECK scheme tester on and before March 1, 2022

Sellafield is one of Europe’s industrial complexes, managing more radioactive waste than any other nuclear facility worldwide.

Cybersecurity Attack Could Have Disrupted Operations, Exposed Sensitive Data

As a result of Sellafield Ltd’s failures, a successful cyber-attack could have had severe consequences for the nuclear plant. These included disruption to the atomic plant’s systems, damaged facilities, delayed decommissioning, and the loss or compromise of key data systems.

A 2023 inspection concluded that a successful ransomware attack could impact important high-hazard risk reduction work at the site, and the full recovery of IT operations could take up to 18 months.

Additionally, internal simulations demonstrated how a successful phishing attack or malicious insider could trigger sensitive data breaches.

There is no evidence that threat actors have exploited any of the cybersecurity vulnerabilities identified at Sellafield.


Paul Fyfe, ONR’s Senior Director of Regulation, noted that Sellafield was aware of its cybersecurity failings for a “considerable length of time” but failed to respond effectively.

“Nevertheless, with new leadership and additional resources in place at Sellafield Ltd, we have seen positive improvements during the last year, and evidence that senior leadership is now giving cyber security the level of attention and focus it requires,” commented Fyfe.

He added, “We will continue to apply robust regulatory scrutiny where necessary to ensure the nuclear industry effectively manages all risks, including cyber security.”

Responding to the ruling, Sellafield Ltd media manager Matt Legg emphasized that the charges related to historical offences.

“We’ve already made significant improvements to our systems, network, and structures to ensure we are better protected and more resilient,” he said.

Source: Infosecurity Magazine
