UK's largest nuclear site denies being hacked but pleads guilty over cybersecurity failures

The company managing the Sellafield nuclear site in the United Kingdom has pleaded guilty to three criminal charges over cybersecurity failings in a landmark prosecution, with its legal representative denying in court claims that the facility had been hacked.

Earlier this year, Britain’s nuclear safety regulator announced it was bringing charges against the company operating the facility over “alleged information technology security offenses during a four year period between 2019 and early 2023.”

The case is the first the Office for Nuclear Regulation (ONR) has filed under the Nuclear Industries Security Regulations 2003, a law that requires nuclear premises to meet set standards for their physical and IT security plans. It followed the United Kingdom’s chief nuclear inspector’s annual report, which revealed the site already had been the focus of enhanced regulatory attention over its cybersecurity failings.

The sentencing hearing is scheduled for August 8.

Sellafield currently houses more plutonium — particularly the isotopes created as a byproduct of nuclear reactor operations — than any other location on the planet, alongside a range of facilities for nuclear decommissioning, and waste processing and storage.

Although its reactor was shut down in 2003, Sellafield — Europe’s largest nuclear facility, sprawling across about 6 sq km in Cumbria — remains as remaining “one of the most complex and hazardous nuclear sites in the world,” according to ONR. 

ONR’s specific charges, listed below, relate to procedural failures rather than any specific hacking incidents:

• Failing to comply with their approved security plan by not arranging for annual health checks to be undertaken of their information technology systems by an authorized check scheme tester.
• Failing to comply with their approved security plan by not arranging for annual health checks to be undertaken of their operational technology systems by an authorized check scheme tester.
• Failing to comply with their approved security plan by failing to ensure that there was adequate protection of Sensitive Nuclear Information on their information technology network.

Despite a report by The Guardian newspaper claiming that Sellafield had been compromised by hacking groups linked to both China and Russia, both Sellafield and the British government have denied any such incidents have taken place.

The Financial Times newspaper reported that Paul Greaney KC, Sellafield's legal representative, told the court that the company's guilty pleas “reflect the fact that while it had in place systems of cyber security, those systems were not sufficiently adhered to for a period.

“However, it is important to emphasize there was not and has never been a successful cyber attack on Sellafield,” he stressed, adding: “The offenses to which Sellafield has pleaded guilty are historical. They do not reflect the current position.”

The full details of the failings that Sellafield is being prosecuted over are not yet public. Following the guilty plea issued by the company’s lawyers on Thursday, it is expected that they will be shared in a case summary issued at the same time as the sentencing hearing. 

A spokesperson for the ONR said: “We acknowledge that Sellafield Limited has pleaded guilty to all charges. There is no evidence that any vulnerabilities have been exploited. As the details of the case have yet to be heard in court, we are unable to provide further comments at this stage.”

A spokesperson for Sellafield said: “We have pleaded guilty to all charges and cooperated fully with ONR throughout this process. “The charges relate to historic offences and there is no suggestion that public safety was compromised. As the issue remains the subject of active court proceedings, we are unable to comment further.”