The UK state-owned operator of Europe’s largest nuclear waste dump failed to address cyber security weaknesses despite repeated interventions from regulators, a court has heard.
Sellafield Ltd, which runs the Sellafield nuclear waste site in Cumbria, north-west England, allowed “significant vulnerabilities” to persist in its IT systems, prosecutors told Westminster magistrates’ court in London.
“We are not dealing with what could be described as ‘technical’ breaches of the regulations,” said Nigel Lawrence KC, prosecuting for the UK’s Office for Nuclear Regulation (ONR).
Sellafield holds the world’s largest stockpile of plutonium, a byproduct of nuclear power generation, and is described by the ONR as “one of the most complex and hazardous nuclear sites in the world”.
Lawrence told the court that the ONR had for a “number of years” highlighted issues with Sellafield’s cyber security management.
Independent testing carried out at the ONR’s request in late 2022 found vulnerabilities that could have allowed hackers to gain access to Sellafield’s network.
The company also failed to carry out the annual computer system health checks set out in its regulator-approved security plan, while some of its systems were also out of date, Lawrence added.
Separately, in April 2022, a subcontractor managed to email himself 4,000 documents, including 13 classified as “official sensitive”, without the transfer being flagged, Lawrence told the court.
“The failings were present over some considerable time and, despite significant interventions from ONR and guidance from its own IT provider, the defendant allowed a situation to persist in which significant vulnerabilities were present in its cyber security systems,” Lawrence said.
“These had the potential to cause serious security breaches, including the compromise of sensitive nuclear information,” he added.
The details emerged at a sentencing hearing after Sellafield pleaded guilty in June to three offences under the Nuclear Industries Security Regulations 2003.
The prosecution, the first under these regulations, followed an ONR investigation into Sellafield’s cyber security management between 2019 and 2023.
The company, which is owned by the UK’s Nuclear Decommissioning Authority, is in charge of cleaning up and maintaining the 6 sq km site, which holds waste from the UK’s active and closed nuclear power plants.
Paul Greaney KC, for Sellafield, said there was no evidence of any real-life successful cyber attack against Sellafield, adding that the vulnerabilities identified did not create the risk of a radiological threat.
“If someone took over, would they be able to cause a catastrophe? The answer to that simple question is no,” he told the court.
In a statement following the hearing, Sellafield said it had “made significant improvements to our systems, network, and structures to ensure we are better protected and more resilient”.
In relation to the subcontractor emailing files, it said most were the individual’s personal files, and there was no loss of official sensitive information.
It added: “We take cyber security extremely seriously at Sellafield, as reflected in our guilty pleas.
“The charges relate to historic offences and there is no suggestion that public safety was compromised. Sellafield has not been subjected to a successful cyber attack or suffered any loss of sensitive nuclear information.”
The ONR did not ask the court to impose a particular penalty. It said Sellafield should be fined a sufficient amount to reflect the importance of complying with the regulations. The rules allow for an unlimited fine. Last year, Sellafield was fined £400,000 for a health and safety breach.
Sentencing has been adjourned and will be handed down by the judge in writing at a later date.