Sellafield Fined for Cybersecurity Failures at Nuclear Site

Security

Sellafield Ltd has been fined £332,500 ($437,440) for cybersecurity failings running the Sellafield nuclear facility in Cumbria, North-West England.

The fine was issued by Westminster Magistrates Court following a prosecution brought by the Office for Nuclear Regulation (ONR), the UK’s independent nuclear regulator.

Sellafield Ltd has also been ordered to pay prosecution costs of £53,253.20 ($70,060).

The offences relate to Sellafield’s management of the security around its information technology systems between 2019 to 2023 and breaches of the Nuclear Industries Security Regulations 2003.

At a hearing in June 2024, Sellafield plead guilty to all the charges brought by the ONR, which encompassed the following offences:

  • Failure to comply with its approved security plan by failing to ensure there was adequate protection of Sensitive Nuclear Information on its information technology network on or before March 18, 2023
  • Failure to comply with its approved security plan by not arranging for annual health checks to be undertaken on its operational technology systems by an authorized check scheme tester on and before March 19, 2023
  • Failure to comply with its approved security plan by not arranging for annual health checks to be undertaken on its information technology systems by an authorized check scheme tester on and before March 1, 2022

Sellafield is one of Europe’s largest industrial complexes, managing more radioactive waste than any other nuclear facility in the world.

Attack Could Have Disrupted Operations, Exposed Sensitive Data

A successful cyber-attack could have resulted in severe consequences to the nuclear plant as a result of Sellafield Ltd’s failings. This included disruption to the nuclear plant’s operations, damaged facilities, delayed decommissioning, and the loss or compromise of key systems of data.

A 2023 inspection concluded that a successful ransomware attack could impact important high-hazard risk reduction work at the site, with the full recovery of IT operations taking up to 18 months.

Additionally, internal simulations demonstrated how a successful phishing attack or malicious insider could trigger sensitive data breaches.

There is no evidence that any of the cybersecurity vulnerabilities identified at Sellafield have been exploited by threat actors.

Read now: UK Sets Out Nuclear Cybersecurity Strategy

Paul Fyfe, ONR’s Senior Director of Regulation, noted that Sellafield was aware of its cybersecurity failings for a “considerable length of time” but failed to respond effectively.

“Nevertheless, with new leadership and additional resources in place at Sellafield Ltd, we have seen positive improvements during the last year, and evidence the senior leadership is now giving cyber security the level of attention and focus it requires,” commented Fyfe.

“We will continue to apply robust regulatory scrutiny where necessary to ensure all risks, including cyber security, are effectively managed by the nuclear industry,” he added.

Responding to the ruling, Sellafield Ltd media manager Matt Legg emphasized that the charges related to historical offences.

“We’ve already made significant improvements to our systems, network, and structures to ensure we are better protected and more resilient,” he said.

Products You May Like

Articles You May Like

Major Biometric Data Farming Operation Uncovered
Ruijie Networks’ Cloud Platform Flaws Could Expose 50,000 Devices to Remote Attacks
North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign
16 Chrome Extensions Hacked, Exposing Over 600,000 Users to Data Theft
US and Japan Blame North Korea for $308m Crypto Heist

Leave a Reply

Your email address will not be published. Required fields are marked *