Sellafield Fined for Cybersecurity Failures at Nuclear Site

Sellafield Ltd has been fined £332,500 ($437,440) for cybersecurity failings running the Sellafield nuclear facility in Cumbria, North-West England.

The fine was issued by Westminster Magistrates Court following a prosecution brought by the Office for Nuclear Regulation (ONR), the UK’s independent nuclear regulator.

Sellafield Ltd has also been ordered to pay prosecution costs of £53,253.20 ($70,060).

The offences relate to Sellafield’s management of the security around its information technology systems between 2019 and 2023 and breaches of the Nuclear Industries Security Regulations 2003.

At a hearing in June 2024, Sellafield pleaded guilty to all the charges brought by the ONR, which encompassed the following offences:

  • Failure to comply with its approved security plan by failing to ensure there was adequate protection of Sensitive Nuclear Information on its information technology network on or before March 18, 2023
  • Failure to comply with its approved security plan by not arranging for annual health checks to be undertaken on its operational technology systems by an authorized check scheme tester on and before March 19, 2023
  • Failure to comply with its approved security plan by not arranging for annual health checks to be undertaken on its information technology systems by an authorized check scheme tester on and before March 1, 2022

Sellafield is one of Europe's largest industrial complexes, managing more radioactive waste than any other nuclear facility in the world.

Attack Could Have Disrupted Operations, Exposed Sensitive Data

A successful cyber-attack could have had severe consequences for the nuclear plant as a result of Sellafield Ltd’s failings. These included disruption to the nuclear plant’s operations, damaged facilities, delayed decommissioning, and the loss or compromise of key systems or data.

A 2023 inspection concluded that a successful ransomware attack could impact important high-hazard risk reduction work at the site, with the full recovery of IT operations taking up to 18 months.

Additionally, internal simulations demonstrated how a successful phishing attack or malicious insider could trigger sensitive data breaches.

There is no evidence that any of the cybersecurity vulnerabilities identified at Sellafield have been exploited by threat actors.

Paul Fyfe, ONR’s Senior Director of Regulation, noted that Sellafield was aware of its cybersecurity failings for a “considerable length of time” but failed to respond effectively.

“Nevertheless, with new leadership and additional resources in place at Sellafield Ltd, we have seen positive improvements during the last year, and evidence the senior leadership is now giving cyber security the level of attention and focus it requires,” commented Fyfe.

“We will continue to apply robust regulatory scrutiny where necessary to ensure all risks, including cyber security, are effectively managed by the nuclear industry,” he added.

Responding to the ruling, Sellafield Ltd media manager Matt Legg emphasized that the charges related to historical offences.

“We’ve already made significant improvements to our systems, network, and structures to ensure we are better protected and more resilient,” he said.