Sellafield nuclear facility, a nuclear waste dump and management center in Cumbria, England, has apologized for serious cybersecurity breaches and failings that put the United Kingdom’s security at risk.
The charges, brought by the Office for Nuclear Regulation (ONR), relate to IT security failings spanning four years (2019 to 2023) which prompted further investigations from both external private and public agencies.
Sellafield Nuclear Site Vulnerabilities
According to the sub-contractor Atos, 75% of Sellafield’s computer servers were found to be vulnerable to cyber-attacks, leaving sensitive information exposed for four years. The facility’s IT systems were criticized for being outdated, using obsolete operating systems such as Windows 7 and Windows 2008, which made them susceptible to hacking attempts.
The severity of the situation was underscored by a report from Commissum, an external IT company, which found that a “reasonably skilled hacker or malicious insider” could access sensitive data and insert malware upon the facility’s devices, raising serious concern about potential for espionage and sabotage by hostile actors.
Earlier this year, the National Audit Office, a public spending audit agency within the UK, had launched an investigation into potential costs and risks of the nuclear facility. The agency stated on its website:
“Sellafield is the UK’s most complex and challenging nuclear site. It holds around 85% of all the UK’s nuclear waste, much of which is stored in ageing facilities. Unlike modern nuclear facilities, many of the buildings at Sellafield were built with limited consideration of how they would ultimately be decommissioned. Cleaning up the site is a long-term endeavour, likely to last well into the next century. It is expected to cost £84 billion (in discounted prices), though this cost estimate is highly uncertain.”
While the company had earlier claimed to have made significant improvements to its systems and structures, the court heard that the site’s operations center was unable to adequately alarm and respond to tested attacks.
Apology and Sentencing
Sellafield’s chief executive, Euan Hutton, apologized for the failings in a written statement, stating that the issues were in the past. The company has since then taken additional steps to rectify the situation, changing IT management and creating a new secure datacentre. However, the court must weigh the costs to the taxpayer against the need to deter others in the sector from committing similar offences.
The judge, Paul Goldspring, acknowledged that this is “new territory” for all parties, as no nuclear site has been prosecuted for cybersecurity breaches before. The National Audit Office has launched an investigation into costs and risks at Sellafield, and the facility has agreed to pay £53,000 in legal costs. Sentencing is expected to take place in September.
The situation has garnered concern as the consequences of a successful cyber-attack on a nuclear facility could be catastrophic, and further undermines public assurance in the safety of critical nuclear infrastructure. The expected sentencing of Sellafield will likely set a new precedent upon the nuclear industry.