pwshub.com

Sellafield nuclear site fined £332,500 for lax infosec

The outfit that runs Britain's Sellafield nuclear waste processing and decommissioning site has been fined £332,500 ($440,000) by the nation's Office for Nuclear Regulation (ONR) for its shoddy cybersecurity practices between 2019 and 2023.

Sellafield, located in Cumbria, England, manages more radioactive waste than any other nuclear site in the world, and decommissioning work happening at the facilities involves high-hazard activities including waste retrieval, plutonium and uranium storage, and spent nuclear fuel management and remediation. 

The last thing it needs is dodgy cybersecurity. Yet the site's poor infosec practices violated the UK's Nuclear Industries Security Regulations 2003, according to the ONR. 

Luckily, despite its four-year stretch of lax cybersecurity, which left its IT systems vulnerable to unauthorized access and data theft, "there is no evidence that any vulnerabilities at Sellafield Ltd have been exploited as a result of the identified failings," the regulatory body concluded. Sellafield Ltd is the government-controlled company responsible for the plant.

"Failings were known about for a considerable length of time but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised," said Paul Fyfe, ONR's senior director of regulation, after the judge imposed a financial penalty on the nuclear waste management facility.

Sellafield Ltd did not immediately respond to The Register's inquiries.

This fine and court appearances follow allegations in December 2023 that Sellafield had been hit with malware by Russia and China. At the time, the UK government and ONR both denied systems were compromised. But later, the ONR decided to prosecute the entity following its investigation of the nuclear site.

While it's said nothing malicious happened despite Sellafield's infosec near misses, last year an ONR inspector noted that a successful ransomware attack could cripple "high-hazard risk reduction" work being done at the site, and recovering IT operations following this type of digital intrusion could take up to 18 months.

Plus, in an internal report, the facility itself admitted that a successful phishing attack or a malicious insider could have compromised sensitive data, disrupted operations, damaged facilities, and delayed decommissioning activities.

Following the ONR investigation and subsequent prosecution, Sellafield in June pleaded guilty to failing to comply with its own security plan by not ensuring adequate protection of sensitive nuclear information on its IT network.

The outfit also pleaded guilty to failing to comply with its approved security plan by not arranging for annual operational technology health checks, performed by an authorized tester, in March 2021 and March 2022.

And then, the nuclear waste repository reportedly asked the judge for leniency.

Earlier this week at Westminster Magistrates Court, Chief Magistrate Senior District Judge Paul Goldspring ordered Sellafield to pay a fine of £332,500, plus prosecution costs of £53,253.20. ®

Source: theregister.com
