The UK state-owned operator of Europe’s largest nuclear waste dump failed to tackle cyber security weaknesses despite repeated interventions from regulators, a court heard.
Sellafield Ltd, which runs the Sellafield nuclear waste site in Cumbria, north-west England, allowed “significant vulnerabilities” to persist in its IT systems, prosecutors told Westminster magistrates court in London. “We are not dealing with what could be described as ‘technical’ breaches of the regulations,” said Nigel Lawrence KC, prosecuting for the UK’s Office for Nuclear Regulation (ONR). Sellafield holds the world’s largest stockpile of plutonium, a byproduct of nuclear power production, and is described by the ONR as “one of the most complex and hazardous nuclear sites in the world”. Lawrence told the court that the ONR had for a “number of years” highlighted problems with Sellafield’s cyber security management.
Independent testing carried out at the ONR’s request in late 2022 found vulnerabilities that could allow hackers to gain access to Sellafield’s network. The company also failed to carry out annual computer system health checks set out in its regulator-approved security plan, while some of its systems were also outdated, Lawrence added. Separately, in April 2022, a subcontractor managed to email himself 4,000 documents, including 13 classified as “official sensitive”, without the transfer being flagged, Lawrence told the court. “The failings were present over some considerable time and, despite significant interventions from ONR and guidance from its own IT provider, the defendant allowed a situation to persist in which significant vulnerabilities were present in its cyber security systems,” Lawrence said.
“These had the potential to cause serious security breaches, including the compromise of sensitive nuclear information,” he added. The details emerged in a sentencing hearing after Sellafield pleaded guilty in June to three offences under the Nuclear Industries Security Regulations 2003. The prosecution, the first under those rules, followed an ONR investigation into Sellafield’s cyber security management between 2019 and 2023. The company, which is owned by the UK’s Nuclear Decommissioning Authority, is in charge of cleaning up and maintaining the 6 sq km site that holds waste from the UK’s active and closed nuclear power plants. Paul Greaney KC, for Sellafield, said there was no evidence of any real-life successful cyber attack against Sellafield, adding that the vulnerabilities identified did not create the risk of a radiological threat.
“If someone took over, would they be able to cause a catastrophe? The answer to that simple question is no,” he told the court. In a statement following the hearing, Sellafield said it had “made significant improvements to our systems, network, and structures to ensure we are better protected and more resilient”. In relation to the subcontractor emailing files, it said most were the individual’s personal files, and there was no loss of official sensitive information. It added: “We take cyber security extremely seriously at Sellafield, as reflected in our guilty pleas. The charges relate to historic offences and there is no suggestion that public safety was compromised. Sellafield has not been subjected to a successful cyber attack or suffered any loss of sensitive nuclear information.”
The ONR did not ask the court to impose a specific penalty. It said Sellafield should be fined a sufficient amount to reflect the importance of complying with regulations. The rules allow for an unlimited fine. Last year, Sellafield was fined £400,000 for a health and safety breach. Sentencing has been adjourned to be handed down by the judge in writing at a later date.
(Financial Times, August 09, 2024)