
Sellafield nuclear facility fined £332,000 over significant data security failings

The Office for Nuclear Regulation has imposed a penalty of more than £330,000 on Sellafield nuclear facility in Cumbria for serious cyber security failings that made the site vulnerable to cyber attacks.

 

In a recent press release, the Office for Nuclear Regulation, Britain’s nuclear safety regulator, said that the Cumbria-based nuclear facility, which has the world’s largest stock of civil plutonium, failed to meet the security standards mandated by the Nuclear Industries Security Regulations 2003 between 2019 and 2023.

 

“An investigation by ONR, the UK’s independent nuclear regulator, found that Sellafield Ltd failed to meet the standards, procedures and arrangements, set out in its own approved plan for cyber security and for protecting sensitive nuclear information. Significant shortfalls were present for a considerable length of time,” ONR said in its press release.

 

ONR added that while its investigation revealed no network breaches, Sellafield “allowed this unsatisfactory performance to persist”, which in turn made Sellafield’s internal network vulnerable to unauthorised access and loss of data.

 

“In 2023, an ONR inspector noted that a successful ransomware attack could impact on important ‘high-hazard risk reduction’ work at the site with a subsequent return to normal IT operations potentially taking up to 18 months,” ONR explained.

 

In June, Sellafield pleaded guilty to three charges of data security failures, and Chief Magistrate Senior District Judge Paul Goldspring has now ordered Sellafield to pay a fine of £332,500, along with prosecution costs of £53,253.20.

 

Commenting on the verdict, ONR’s Senior Director of Regulation, Paul Fyfe, said, “We welcome Sellafield Ltd’s guilty pleas. It has been accepted the company’s ability to comply with certain obligations under the Nuclear Industries Security Regulations 2003 during a period of four years was poor.

 

“Failings were known about for a considerable length of time but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised.

 

“Nevertheless, with new leadership and additional resources in place at Sellafield Ltd, we have seen positive improvements during the last year, and evidence the senior leadership is now giving cyber security the level of attention and focus it requires.

 

“We will continue to apply robust regulatory scrutiny where necessary to ensure all risks, including cyber security, are effectively managed by the nuclear industry,” he added.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543