British nuclear site Sellafield to be prosecuted for cybersecurity failures

The United Kingdom’s independent nuclear safety regulator has announced that it will be prosecuting the company managing the Sellafield nuclear site over “alleged information technology security offenses during a four year period between 2019 and early 2023.”

It is not clear whether senior managers at the state-owned Sellafield Ltd. will face charges. Under the Nuclear Industries Security Regulations 2003, individuals convicted of an offense can face up to two years imprisonment.

“There is no suggestion that public safety has been compromised as a result of these issues,” the regulator announced on Thursday, adding that the decision to begin legal proceedings followed an investigation.

“Details of the first court hearing will be announced when available,” stated the ONR.

Sellafield had previously been the focus of enhanced regulatory attention over its cybersecurity failings, as the U.K. chief nuclear inspector’s annual report revealed last year. At the same time, EDF, the company operating several nuclear power plants in Britain, was placed under similar measures.

As set out in the U.K.'s civil nuclear cybersecurity strategy, the National Cyber Security Centre (NCSC) threat assessment warns that ransomware “almost certainly represents the most likely disruptive threat.”

A ransomware attack on the IT systems used by a nuclear power plant could disrupt its operations, although the industrial systems are designed with multiple failsafes to prevent a radiological accident.

Sellafield’s nuclear reactor was closed in 2003, but the sprawling complex remains the largest nuclear site in Europe, with the ONR describing it as “one of the most complex and hazardous nuclear sites in the world.”

It houses more plutonium — in particular the isotopes created as a byproduct of nuclear reactor operations — than any other location on the planet, alongside a range of facilities for nuclear decommissioning, and waste processing and storage.

It was the location of the country’s worst-ever nuclear accident in 1957, when a reactor caught fire leading to radioactive material spreading in the atmosphere across Britain and Europe.

Cyberattacks targeting the operational technology (OT) systems at power plants are rare, but not unheard of — with the Triton malware discovered in Saudi Arabia in 2017 among the best known and most concerning examples.

It is not known whether the suspected Russian actors behind that attack could have engineered a method to overcome the failsafe mechanisms preventing an explosion.

According to the British government’s National Risk Register, a cyberattack on the computer systems controlling a nuclear reactor could potentially require a controlled shutdown as a protective measure, although there is not a major concern about them causing any radiological discharge.

As Sellafield no longer has an operational nuclear reactor, it is not clear what damage a cyber incident at the facility could cause.