Cumbrian nuclear facility Sellafield is still under scrutiny for cyber security problems, despite the regulator’s clean bill of health for its physical security.
The Office for Nuclear Regulation (ONR) has returned the Sellafield site to a “routine regulatory regime for physical security after a period of enhanced oversight”, according to a government statement.
The ONR’s statement said: “Over the last two years, ONR has carried out a regular programme of inspections and interventions at Sellafield, assessing evidence provided by the licensee’s security and resilience team. This identified a period of sustained improved performance in the area of physical security, and ONR is satisfied that the required security outcomes are now being achieved.”
However, the ONR added: “Sellafield Ltd currently remains in significantly enhanced attention for cyber security, and collaborative work is ongoing to achieve the required improvements in this area.”
In December 2023, The Guardian reported that groups linked to China and Russia had hacked into Sellafield’s IT systems, “embedding sleeper malware that could lurk and be used to spy or attack systems”.
And in October 2024, Westminster Magistrates’ Court ordered the nuclear waste facility to pay £400,000 after it pleaded guilty to criminal charges over years of cyber security failings and apologised to the court.
The ONR brought the charges against Sellafield Ltd, accusing it of leaving information that could threaten national security exposed over a four-year period, from 2019 to 2023. Three-quarters of its servers were also said to be vulnerable to cyber attack.
One of the three criminal charges brought related to Sellafield’s failure to “ensure that there was adequate protection of sensitive nuclear information on its information technology network”, while the other two related to failures to conduct “annual health checks” of its IT systems.
Sellafield’s lawyers said at the time, “it is important to emphasise there was not and has never been a successful cyber attack on [the facility]”, before noting that the offences are “historical … [and] do not reflect the current position”.
Paul Dicks, the ONR’s director of regulation for Sellafield, decommissioning, fuel and waste, said of the new bill of health: “We have worked closely with Sellafield Ltd through our enabling approach to ensure that the required improvements are delivered. I’m satisfied that Sellafield Ltd has demonstrated significant and sustained security improvements which has allowed us to return them to routine regulatory attention.”
Sellafield operates under the governance of the Nuclear Decommissioning Authority (NDA), a quasi-governmental body that serves to wind up and render safe the UK’s oldest nuclear industry sites.
In November 2024, the NDA opened a cyber security centre to safeguard against cyber attacks on the civil nuclear sector.
Its Group Cyberspace Collaboration Centre in Cumbria is said to gather security, digital and engineering experts to work on how best to adopt new technologies and defend against evolving threats.
Warren Cain, superintending inspector at the Office for Nuclear Regulation, said: “All nuclear sites must have strong cyber security systems in place to protect important information and assets from cyber threats.
“Cyber security is a key regulatory priority for the Office for Nuclear Regulation, and we welcome the NDA’s commitment to strengthen their cyber defences with this new specialist facility.”
Besides Sellafield, the UK’s nuclear sites include Hinkley Point, Harwell, Dungeness, Bradwell and Sizewell, Trawsfynydd and Wylfa, and Dounreay.