Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
The state-owned operator of the UK’s largest nuclear waste site has pleaded guilty to criminal charges brought by the industry regulator over IT security breaches.
Lawyers acting for Sellafield told a London court on Thursday that they accepted cyber security was “not sufficiently adhered to for a period”, although they insisted there had not been a successful cyber attack and that its systems were now secure.
One of the charges to which Sellafield pleaded guilty was that it failed in March last year to “ensure that there was adequate protection of sensitive nuclear information on its information technology network”.
The other two charges related to failures to arrange “annual health checks” for its systems.
Sellafield pleaded guilty to all three charges in the prosecution brought by the Office for Nuclear Regulation under the Nuclear Industries Security Regulations 2003. Sentencing will take place on August 8.
Sellafield Ltd, which is owned by the UK’s Nuclear Decommissioning Authority, is in charge of cleaning up and looking after the Sellafield nuclear waste facility in Cumbria, north-west England.
The 6 sq km site holds waste from the UK’s current active fleet of nuclear power plants, as well as from closed plants, including the former fleet of Magnox reactors.
It holds the world’s largest stockpile of plutonium, a byproduct of nuclear power production, and is described by the ONR as “one of the most complex and hazardous nuclear sites in the world”.
Paul Greaney KC, representing Sellafield, told Westminster Magistrates’ Court that the guilty pleas “reflect the fact that while it had in place systems of cyber security, those systems were not sufficiently adhered to for a period”.
“However, it is important to emphasise there was not and has never been a successful cyber attack on Sellafield.” He added: “The offences to which Sellafield has pleaded guilty are historical. They do not reflect the current position.”
Greaney said that Sellafield’s systems were “robust” and added that media reports that its site had been compromised were “false”.
The Guardian newspaper previously alleged that Sellafield’s IT systems had been hacked by groups linked to Russia and China.
The Office for Nuclear Regulation said in a statement on Thursday: “We acknowledge that Sellafield Limited has pleaded guilty to all charges . . . These charges relate to historic offences and there is no evidence that any vulnerabilities were exploited.”
The prosecution is the first the ONR has brought under the 2003 regulations.