Sellafield fined more than £330k for cyber security shortfalls
Sellafield Limited has been fined a total of £332,500 for cyber security shortfalls following a prosecution brought by the Office for Nuclear Regulation (ONR).
This relates to Sellafield's management of security around its information technology systems over a four-year period, between 2019 and 2023, and involves breaches of the Nuclear Industries Security Regulations 2003.
Cumbria's Sellafield is one of the largest industrial complexes in Europe and manages more radioactive waste in one place than any other nuclear facility in the world. ONR is the UK's independent nuclear regulator and found Sellafield Ltd failed to meet the standards, procedures and arrangements set out in its own approved plan for cyber security and for protecting sensitive nuclear information. ONR said the shortfalls were present for a considerable length of time.
It was found Sellafield allowed its unsatisfactory performance to persist. This meant information technology systems were vulnerable to unauthorised access and a loss of data.
However, there is no evidence to suggest any vulnerabilities at the company had been exploited as a result of the failings. Last year, an inspector from the ONR noted a successful ransomware attack could impact on important ‘high-hazard risk reduction’ work at the site.
A subsequent return to normal IT operations would then usually take up to 18 months.
Internally, Sellafield observed how a successful phishing attack or malicious insider might trigger the loss or compromise of key systems or data. It would have disrupted operations, damaged facilities and delayed important decommissioning activities.
The company pleaded guilty to three offences at a hearing in Westminster Magistrates Court in June. The offences were:
On or before the 18 March 2023, the defendant failed to comply with its approved security plan by failing to ensure there was adequate protection of Sensitive Nuclear Information on its information technology network.
On and before the 19 March 2021, the defendant failed to comply with its approved security plan by not arranging for annual health checks to be undertaken on its operational technology systems by an authorised Check scheme tester.
On and before the 1 March 2022, the defendant failed to comply with its approved security plan by not arranging for annual health checks to be undertaken on its information technology systems by an authorised Check scheme tester.
Today (Wednesday, October 2), at the same court, Chief Magistrate Senior District Judge Paul Goldspring ordered Sellafield Ltd to pay a fine of £332,500, along with prosecution costs of £53,253.20. District Judge Goldspring ruled the breaches represented medium culpability (high end), as part of the sentencing determination.
Work at Sellafield includes a wide range of high-hazard nuclear activities such as the retrieval of nuclear waste, fuel and sludge from legacy ponds and silos, the storage of special nuclear materials including plutonium and uranium, spent nuclear fuel management and the remediation of hundreds of facilities across the site.
After today’s hearing, Paul Fyfe, ONR’s Senior Director of Regulation, said: "We welcome Sellafield Ltd's guilty pleas. It has been accepted the company's ability to comply with certain obligations under the Nuclear Industries Security Regulations 2003 during a period of four years was poor.
"Failings were known about for a considerable length of time but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised. Nevertheless, with new leadership and additional resources in place at Sellafield Ltd, we have seen positive improvements during the last year, and evidence the senior leadership is now giving cyber security the level of attention and focus it requires.
"We will continue to apply robust regulatory scrutiny where necessary to ensure all risks, including cyber security, are effectively managed by the nuclear industry.”