Sellafield Fined £332,500 for Cyber Security Shortfalls
Oct 2
Sellafield Limited has been fined £332,500 due to significant cyber security shortcomings after the Office for Nuclear Regulation (ONR) prosecuted it. The fine stems from the company's failure to adequately protect its information technology systems and sensitive nuclear information over four years, from 2019 to 2023, violating the Nuclear Industries Security Regulations 2003. Sellafield, located in Cumbria, is one of Europe's largest industrial complexes and manages more radioactive waste in one place than any other nuclear facility worldwide.
The ONR, the UK's independent nuclear regulator, found that Sellafield Limited did not meet the required standards, procedures, and arrangements outlined in its approved cyber security plan. These failures left the company's IT systems vulnerable to unauthorized access and potential data loss. The regulator expressed concern over the time these security gaps persisted, stating that Sellafield allowed its unsatisfactory cyber security performance to continue for several years.
Despite these failings, no evidence suggests that any vulnerabilities were exploited. However, an ONR inspector warned last year that a successful ransomware attack could have severely impacted the site's critical "high-hazard risk reduction" operations. If a cyber attack had been successful, returning to normal IT operations could have taken up to 18 months. Additionally, Sellafield's internal assessments indicated that a phishing attack or malicious insider could have compromised critical systems or data, leading to significant disruptions, damage to facilities, and delays in essential decommissioning activities.
In June, Sellafield pleaded guilty to three counts of failing to comply with its approved security plan. The failures were:
- Failing to ensure adequate protection of Sensitive Nuclear Information on its IT network by March 18, 2023.
- Failing to arrange annual health checks on its operational technology systems by an authorised CHECK scheme tester before March 19, 2021.
- Failing to conduct annual health checks on its IT systems by March 1, 2022.
At the hearing at Westminster Magistrates' Court on October 2, Chief Magistrate Senior District Judge Paul Goldspring imposed a fine of £332,500 and ordered Sellafield to pay prosecution costs of £53,253.20. In his sentencing remarks, Judge Goldspring noted that the breaches represented medium culpability at the high end of the spectrum.
Sellafield's work involves many high-hazard nuclear activities, including retrieving legacy nuclear waste and materials, managing spent nuclear fuel, and remediating numerous facilities across the site. These activities underscore the critical importance of securing IT systems to prevent unauthorized access and to safeguard sensitive nuclear information.
Paul Fyfe, Senior Director of Regulation at ONR, acknowledged Sellafield's guilty pleas and expressed concern over the company's cyber security shortcomings. He noted that the company's poor compliance with the Nuclear Industries Security Regulations 2003 was evident over a prolonged period despite ONR's interventions and guidance. However, Fyfe highlighted recent improvements at Sellafield, crediting new leadership and additional resources for the positive changes. He emphasized that senior leadership at Sellafield is now giving cyber security the attention and focus it requires.
The ONR will maintain stringent regulatory oversight to ensure that all risks, including cyber security, are effectively managed across the nuclear industry.