Sellafield fined for cyber security breaches

The company which runs the Sellafield nuclear site has been fined £332,500 for cyber security shortfalls.

The nuclear regulator found the Cumbrian facility "persistently" breached security regulations, meaning its IT systems were vulnerable to unauthorised access and loss of data.

However, there was no evidence that vulnerabilities had been exploited as a result, the Office for Nuclear Regulation (ONR) said.

Sellafield Ltd said it took cyber security "extremely seriously, as reflected in our guilty pleas", adding it had already made significant improvements to its systems.

Sellafield is one of Europe's largest industrial complexes, managing more radioactive waste in one place than any other nuclear facility in the world.

The company pleaded guilty to three offices in June, relating to its failure to comply with approved security plans to protect sensitive information between 2019 to 2023.

Sellafield Ltd was ordered to pay a fine of £332,500, along with prosecution costs of £53,253.20 at Westminster Magistrates Court.

Significant shortfalls were present for a considerable length of time, meaning that its information technology systems were vulnerable to unauthorised access and loss of data, the ONR said.

It also found, internally, that Sellafield Ltd itself had observed how a successful phishing attack or malicious insider might trigger the loss or compromise of key systems of data.

The ONR said a successful attack could have disrupted operations, damaged facilities and delayed decommissioning activities.

The ONR's Senior Director of Regulation Paul Fyfe, said: "Failings were known about for a considerable length of time but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised.

"Nevertheless, with new leadership and additional resources in place at Sellafield Ltd, we have seen positive improvements during the last year, and evidence the senior leadership is now giving cyber security the level of attention and focus it requires."

In a statement, Sellafield Ltd media manager Matt Legg said: "We've already made significant improvements to our systems, network, and structures to ensure we are better protected and more resilient."

It added the charges related to historical offences and there was no suggestion that public safety was compromised.

"We take cyber security extremely seriously at Sellafield, as reflected in our guilty pleas."

Meanwhile, Energy Secretary Ed Miliband said he had written to the Nuclear Decommissioning Authority to seek assurances "cybersecurity failings at Sellafield are being addressed and cannot happen again".

Miliband said: "We take the safety of our nationally significant infrastructure very seriously and I welcome the fact we have a robust regulator holding our nuclear industry to account."

Follow BBC Cumbria on X, Facebook, Nextdoor and Instagram. Send your story ideas to [email protected]