The UK state-owned company managing Europe’s largest nuclear waste facility, Sellafield Ltd, has been hit with a hefty fine of £332,500 for serious failures in cyber security. The fine comes after the company admitted to three violations of the Nuclear Industries Security Regulations during a court session at Westminster Magistrates’ Court in London.
In addition to the fine, Sellafield Ltd has also been ordered to pay court costs of £53,253 and a surcharge of £190. Senior district judge Paul Goldspring said the breaches were significant and not just minor mistakes that could be quickly fixed. He emphasized the importance of ensuring the security of nuclear materials, which is vital to prevent them from falling into harmful hands and to keep the public safe.
Judge Goldspring acknowledged that, fortunately, there was no evidence of any actual harm resulting from these security lapses. He attributed the issues to widespread challenges in hiring qualified personnel, rather than simply cutting costs at the expense of safety. Importantly, he pointed out that because Sellafield is state-owned, any fines imposed ultimately come from taxpayer money.
Sellafield is responsible for managing nuclear waste from both current and decommissioned reactors, including the largest stockpile of plutonium in the world. The investigation into the company’s cyber security, conducted by the Office for Nuclear Regulation (ONR), looked into practices from 2019 to 2023. This marks the first prosecution under these particular security regulations.
Earlier this year, in August, Nigel Lawrence KC, representing the ONR, revealed that the company had struggled with its cyber security management for many years. Testing done in late 2022 uncovered vulnerabilities that could have allowed hackers to access sensitive information and execute malware attacks, including ransomware. Furthermore, Sellafield failed to perform critical annual checks on its computer systems, despite having assured regulators that such checks were completed.
Lawrence stated in court that the failure to address these vulnerabilities could have led to significant security breaches, with the possibility of sensitive nuclear information being compromised.
Paul Greaney KC, defending Sellafield, countered that there was no evidence of any actual cyber attacks on their systems and asserted that even if a hacker managed to take control, they would not be able to cause a disaster.
In response to the sentencing, Sellafield has acknowledged its failures and stated that it has made substantial improvements to its cyber security measures and overall systems. The ONR noted that while a successful cyber attack could have caused disruptions and hindered important cleanup operations, they found no evidence that the existing vulnerabilities had been exploited.
Energy Secretary Ed Miliband has formally contacted the CEO of the Nuclear Decommissioning Authority to seek assurances that the cyber security issues at Sellafield are being seriously addressed to prevent a recurrence.

