Sellafield, UK’s largest nuclear site, fined £330,000 for cybersecurity failings

The company managing the Sellafield nuclear site in the United Kingdom has been fined £332,500 ($435,400) in a landmark prosecution after pleading guilty to three criminal charges over cybersecurity failings.

Earlier this year, Britain’s nuclear safety regulator announced it was bringing charges against the company operating the facility over “alleged information technology security offenses during a four year period between 2019 and early 2023.”

The company operating the site, which is owned by the British state, pleaded guilty in June to the three charges of cybersecurity failings, although its legal representative denied in court claims that the facility had been hacked.

Although its reactor was shut down in 2003, Sellafield, which is Europe’s largest nuclear facility, sprawling across about 6 sq km in Cumbria, remains “one of the most complex and hazardous nuclear sites in the world,” according to the Office for Nuclear Regulation (ONR).

The site currently houses more plutonium — particularly the isotopes created as a byproduct of nuclear reactor operations — than any other location on the planet, alongside a range of facilities for nuclear decommissioning, and waste processing and storage.

Senior district judge Paul Goldspring said the company’s cybersecurity failings were “serious” although he noted there was no evidence they had led to any harm, as reported by the Financial Times newspaper.

The shortcomings were caused by “sector-wide difficulties recruiting suitably qualified staff” according to Goldspring. They included failing to carry out annual security checks, despite assuring the ONR that it had done so.

The case is the first the ONR has filed under the Nuclear Industries Security Regulations 2003, a law that requires nuclear premises to meet set standards for their physical and IT security plans.

It followed the United Kingdom’s chief nuclear inspector’s annual report, which revealed the site had already been the focus of enhanced regulatory attention over its cybersecurity failings.

Despite a report by The Guardian newspaper claiming that Sellafield had been compromised by hacking groups linked to both China and Russia, both Sellafield and the British government have denied any such incidents have taken place.