Sellafield as been fined over £300k for shortfalls in its cybersecurity over a 4-year period.
The prosecution was brought by the Office for Nuclear Regulation (ONR).
It relates to Sellafield Ltd’s management of the security around its information technology systems between 2019 to 2023 and its breaches of the Nuclear Industries Security Regulations 2003.
ONR, the UK’s independent nuclear regulator found that it had “failed to meet the standards, procedures and arrangements, set out in its own approved plan for cyber security and for protecting sensitive nuclear information.”
The investigation found that its IT systems were “vulnerable to unauthorised access and loss of data.”
However, it did report that there was no evidence that any vulnerabilities at Sellafield Ltd have been exploited as a result of the failings.
Last year, an ONR inspected noted that: “a successful ransomware attack could impact on important ‘high-hazard risk reduction’ work at the site with a subsequent return to normal IT operations potentially taking up to 18 months.”
Sellafield Ltd itself had also observed how a successful phishing attack or malicious insider “might trigger the loss or compromise of key systems of data.”
During the case, Sellafield apologised for the failings and pleaded guilty to the charges.
At Westminster Magistrates Court, Chief Magistrate Senior District Judge Paul Goldspring ordered Sellafield Ltd to pay a fine of £332,500, along with prosecution costs of £53,253.
The District Judge ruled the breaches represented a medium culpability (high end).
“We welcome Sellafield Ltd’s guilty pleas,” said Paul Fyfe, ONR’s Senior Director of Regulation.
“It has been accepted the company’s ability to comply with certain obligations under the Nuclear Industries Security Regulations 2003 during a period of four years was poor.
“Failings were known about for a considerable length of time but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised.
“Nevertheless, with new leadership and additional resources in place at Sellafield Ltd, we have seen positive improvements during the last year, and evidence the senior leadership is now giving cyber security the level of attention and focus it requires.
“We will continue to apply robust regulatory scrutiny where necessary to ensure all risks, including cyber security, are effectively managed by the nuclear industry.”
Sellafield’s Chief Executive apologised for the failings and said that he believe the issues which led to the prosecution “are in the past.”