Sellafield nuclear site hit with £332,500 fine after 'significant cybersecurity shortfalls'

The UK's Sellafield nuclear waste processing and storage site has been fined £332,500 by regulators after its IT systems were found to have been left vulnerable to hackers and unauthorised access for years.

The Office for Nuclear Regulation (ONR) described the Sellafield site as "one of Europe's largest industrial complexes, managing more radioactive waste in one place than any other nuclear facility in the world."

As such, you would like to imagine that cybersecurity would be taken extremely seriously at Sellafield.

However, an ONR report highlighted breaches of the Nuclear Industries Security Regulations 2003 between 2019 and 2023.

These included a failure by Sellafield to ensure there was adequate protection of sensitive nuclear information on its network. In addition, there was a failure to comply with approved security plans for annual penetration tests of its operational technology (OT) and information technology (IT) systems by an NCSC Check-approved supplier.

News first emerged of cybersecurity problems at Sellafield in late 2023, when the UK rebutted newspaper claims that hackers with links to Russia and China had compromised the site.

According to media reports, external contractors at Sellafield hd been allowed to plug potentially-infected USB drives into the facility's network, and some insiders were so alarmed about the state of the servers that they had christened a server "Voldermort" after the Harry Potter villain.

The company pleaded guilty to three offences in June 2024.

“We take cyber security extremely seriously at Sellafield, as reflected in our guilty pleas," said Sellafield spokesperson Matt Legg. "The charges relate to historical offences and there is no suggestion that public safety was compromised. Sellafield has not been subjected to a successful cyber-attack."

“We’ve already made significant improvements to our systems, network, and structures to ensure we are better protected and more resilient," continued Legg. “The cyber threat is continually evolving, and we will continue to work with the regulator to ensure we meet the high standards rightly required of us.”

According to the ONR, no evidence was found that security vulnerabilities had been exploited by hackers.

Safety fears at Sellafield have long been a concern of the general public, and with good reason.

In what was the worst nuclear accident in British history, a fire broke out at the Sellafield reactor site (then known as Windscale) in 1957, releasing radioactive contamination across Europe.