UK’s largest nuclear power site fined for cybersecurity breaches
Sellafield fined over £330,000 in a landmark prosecution
Britain’s nuclear regulator has fined the largest UK nuclear power facility £332,500 for "persistently" breaching security regulations which left IT systems vulnerable.
The breaches occurred between 2019 and 2023, and although the Office for Nuclear Regulation (ONR) says there is no evidence the vulnerabilities were exploited, cybersecurity shortcomings left the facility exposed to potential loss of data and unauthorised access.
Sellafield’s reactor was shut down in 2003, but nuclear materials are still stored and plutonium is handled at the site, including a range of facilities for waste storage and processing.
All cleaned up
The site pleaded guilty to three criminal charges over the failings.
The shortfalls included failing to carry out annual security checks, which the company attributes to “sector-wide difficulties recruiting suitably qualified staff”. Since the ruling, Sellafield has made "significant improvements" to its systems and structures to ensure public safety.
A successful attack, whether through a phishing campaign or a malicious insider, could have damaged facilities or disrupted operations. It was previously reported that Sellafield was breached by Russian and Chinese hackers, but both the site and the UK government have denied this.
"Failings were known about for a considerable length of time but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised," said the ONR's Senior Director of Regulation, Paul Fyfe.
Secretary of State for Energy Ed Miliband previously described news that contractors could access the site network unsupervised as a “very concerning report about one of our most sensitive pieces of energy infrastructure”.
Whilst the regulator found no evidence of harm from the cybersecurity shortfalls, the site is said to be taking the charges "very seriously", which it says is reflected in the guilty plea.
Via BBC
Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.