Sellafield Ltd Fined £332,500 Over Cybersecurity Lapses

The Office for Nuclear Regulation (ONR) has fined Sellafield Ltd, the firm responsible for managing the Sellafield nuclear waste processing and decommissioning site in Cumbria, England, £332,500 ($440,000) for inadequate cybersecurity practices. These lapses occurred over a four-year period from 2019 to 2023, although the ONR reported no evidence of exploited vulnerabilities.

Sellafield manages more radioactive waste than any other nuclear site globally. The decommissioning work at the facility involves high-risk activities such as waste retrieval, storage of plutonium and uranium, and spent nuclear fuel management. According to ONR, the cybersecurity inadequacies violated the UK’s Nuclear Industries Security Regulations 2003.

Despite being informed of these failings for a considerable time, Sellafield Ltd was seen as not having taken effective measures to mitigate the risk, as pointed out by Paul Fyfe, ONR’s senior director of regulation. This exposed the site to potential security breaches and data compromise.

The penalties come in the aftermath of allegations made in December 2023 regarding possible hacking attempts by Russia and China, although both the UK government and ONR denied these claims at the time. An internal ONR investigation later revealed the potential impact of a successful ransomware attack, which could delay IT operations recovery by up to 18 months, severely affecting high-hazard risk reduction work.

Sellafield Ltd pleaded guilty to failing to adhere to its security plan, which included inadequate protection of sensitive nuclear information and not conducting annual operational technology health checks as mandated in March 2021 and March 2022.

This week, Westminster Magistrates Court ordered Sellafield to pay the fine along with prosecution costs amounting to £53,253.20. The response from Sellafield Ltd to queries from The Register has not been immediate.