Sellafield Ltd will have to pay almost £400,000 after it pleaded guilty to criminal charges over years of cybersecurity failings at Britain’s most hazardous nuclear site.
The state-owned company, operator of the vast nuclear site in Cumbria, northwest England, left information that could threaten national security exposed for four years, according to the industry regulator, the Office for Nuclear Regulation (ONR), which brought the charges. It was also found that 75% of its computer servers were vulnerable to cyber-attack.
Sellafield Ltd had failed to protect vital nuclear information, Westminster magistrates court in London heard on Wednesday (2 October).
Chief magistrate Paul Goldspring said that after taking into account Sellafield Ltd’s guilty plea and its public funding model, he would fine it £332,500 for cybersecurity breaches and £53,200 for prosecution costs, a total of £385,700.
The offences related to Sellafield Ltd’s management of the security around its information technology systems between 2019 and 2023 and its breaches of the nuclear industry security regulations.
An investigation by the ONR found that Sellafield Ltd failed to meet the standards, procedures and arrangements set out in its own approved plan for cyber security and for protecting sensitive nuclear information.
Regulator Points To ‘Significant Shortfalls’
Significant shortfalls were present for a considerable length of time, said the ONR.
In a written witness statement referred to in an earlier hearing on 8 August, Euan Hutton, chief executive of Sellafield Ltd, apologised for failures spanning years.
Hutton said: “I again apologise on behalf of the company for matters which led to these proceedings… I genuinely believe that the issues which led to this prosecution are in the past.”
In June Sellafield Ltd pleaded guilty to three criminal charges brought by the ONR over the IT security breaches.
One of the charges was that it failed in March last year to “ensure that there was adequate protection of sensitive nuclear information on its information technology network”.
The other two charges related to failures to arrange “annual health checks” for its systems.
Sellafield Ltd is owned by the Nuclear Decommissioning Authority, a UK government body set up specifically to deal with the country’s nuclear legacy.
The Sellafield site is one of the largest and most hazardous nuclear facilities in Europe.
It comprises a range of nuclear facilities, including redundant facilities associated with early defence work, as well as operating facilities associated with the Magnox reprocessing programme, a mixed oxide fuel plant and a range of waste treatment plants.
It began life in the early 1950s making plutonium for nuclear weapons, and later that decade became the location of Calder Hall, the world’s first commercial nuclear power station.