Sellafield Limited was today fined £332,500 for cyber security shortfalls during a four-year period following a prosecution brought by the Office for Nuclear Regulation (ONR).
The offences relate to Sellafield Ltd's management of the security around its information technology systems between 2019 to 2023 and its breaches of the Nuclear Industries Security Regulations 2003.
An investigation by ONR, the UK’s independent nuclear regulator, found that Sellafield Ltd failed to meet the standards, procedures and arrangements, set out in its own approved plan for cyber security and for protecting sensitive nuclear information.
Significant shortfalls were present for a considerable length of time, said ONR.
It was found that Sellafield Ltd allowed this unsatisfactory performance to persist, meaning that its information technology systems were vulnerable to unauthorised access and loss of data.
However, there is no evidence that any vulnerabilities at Sellafield Ltd have been exploited as a result of the identified failings.
In 2023, an ONR inspector noted that a successful ransomware attack could impact on important ‘high-hazard risk reduction’ work at the site with a subsequent return to normal IT operations potentially taking up to 18 months.
Internally, Sellafield Ltd themselves had also observed how a successful phishing attack or malicious insider might trigger the loss or compromise of key systems of data.
A successful attack could have disrupted operations, damaged facilities and delayed important decommissioning activities.
At a hearing in June at Westminster Magistrates Court, the company pleaded guilty to three offences:
- On or before the 18 March 2023, the defendant failed to comply with its approved security plan by failing to ensure there was adequate protection of Sensitive Nuclear Information on its information technology network.
- On and before the 19 March 2021, the defendant failed to comply with its approved security plan by not arranging for annual health checks to be undertaken on its operational technology systems by an authorised Check scheme tester.
- On and before the 1 March 2022, the defendant failed to comply with its approved security plan by not arranging for annual health checks to be undertaken on its information technology systems by an authorised Check scheme tester.
Today, at the same court, Chief Magistrate Senior District Judge Paul Goldspring ordered Sellafield Ltd to pay a fine of £332,500, along with prosecution costs of £53,253.20p.
As part of the sentencing determination, District Judge Goldspring ruled the breaches represented a medium culpability (high end).
Sellafield in Cumbria is one of Europe's largest industrial complexes, managing more radioactive waste in one place than any other nuclear facility in the world.
Work includes a wide-range of high-hazard nuclear activities such as the retrieval of nuclear waste, fuel and sludge from legacy ponds and silos, the storage of special nuclear materials including plutonium and uranium, spent nuclear fuel management and the remediation of hundreds of facilities across the site.
After today’s hearing, Paul Fyfe, ONR’s Senior Director of Regulation, said: "We welcome Sellafield Ltd's guilty pleas.
"It has been accepted the company's ability to comply with certain obligations under the Nuclear Industries Security Regulations 2003 during a period of four years was poor.
"Failings were known about for a considerable length of time but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised.
"Nevertheless, with new leadership and additional resources in place at Sellafield Ltd, we have seen positive improvements during the last year, and evidence the senior leadership is now giving cyber security the level of attention and focus it requires.
"We will continue to apply robust regulatory scrutiny where necessary to ensure all risks, including cyber security, are effectively managed by the nuclear industry.”