Sellafield Ltd has been fined £332,500 for cyber security shortfalls over four years.
The prosecution was brought by the Office for Nuclear Regulation and relates to Sellafield Ltd’s management of the security around its information technology systems between 2019 and 2023 and its breaches of the Nuclear Industries Security Regulations 2003.
An investigation by the Office for Nuclear Regulation, the UK’s independent nuclear regulator, found that Sellafield Ltd failed to meet the standards, procedures and arrangements set out in its own approved plan for cyber security and for protecting sensitive nuclear information.
Significant shortfalls were present for a considerable length of time, said the Office for Nuclear Regulation.
It was found that Sellafield Ltd allowed this unsatisfactory performance to persist, meaning that its information technology systems were vulnerable to unauthorised access and loss of data.
However, it said, there was no evidence that any vulnerabilities at Sellafield Ltd had been exploited as a result of the identified failings.
In 2023, an Office for Nuclear Regulation inspector noted that a successful ransomware attack could impact on important ‘high-hazard risk reduction’ work at the site, with a subsequent return to normal IT operations potentially taking up to 18 months.
Internally, Sellafield Ltd itself had observed how a successful phishing attack or malicious insider might trigger the loss or compromise of key systems of data.
A successful attack could have disrupted operations, damaged facilities and delayed important decommissioning activities.
At a hearing in June at Westminster Magistrates Court, the company pleaded guilty to:
- On or before March 18 2023, the defendant failed to comply with its approved safety plan by failing to ensure there was adequate protection of sensitive nuclear information on its information technology network.
- On and before March 19 2021, the defendant failed to comply with its approved safety plan by not arranging for annual health checks to be undertaken on its operational technology systems by an authorised Check scheme tester.
- On and before March 1 2022, the defendant failed to comply with its approved safety plan by not arranging for annual health checks to be undertaken on its information technology systems by an authorised Check scheme tester.
Today, at the same court, Chief Magistrate Senior District Judge Paul Goldspring ordered Sellafield Ltd to pay a fine of £332,500, with costs of £53,253.20p.
As part of the sentencing determination, District Judge Goldspring ruled the breaches represented medium culpability (high end).
After today’s hearing, Paul Fyfe, the Office for Nuclear Regulation’s senior director of regulation, said: “We welcome Sellafield Ltd’s guilty pleas.
“It has been accepted the company’s ability to comply with certain obligations under the Nuclear Industries Security Regulations 2003 during a period of four years was poor.
“Failings were known about for a considerable length of time but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised.
“Nevertheless, with new leadership and additional resources in place at Sellafield Ltd, we have seen positive improvements during the last year, and evidence the senior leadership is now giving cyber security the level of attention and focus it requires.
“We will continue to apply robust regulatory scrutiny where necessary to ensure all risks, including cyber security, are effectively managed by the nuclear industry.”