Sellafield will have to pay almost £400,000 after it pleaded guilty to criminal charges over years of cybersecurity failings at Britain’s most hazardous nuclear site.
The vast nuclear waste dump in Cumbria left information that could threaten national security exposed for four years, according to the industry regulator, which brought the charges. It was also found that 75% of its computer servers were vulnerable to cyber-attack.
Sellafield had failed to protect vital nuclear information, Westminster magistrates court in London heard on Wednesday. Chief magistrate, Paul Goldspring, said that after taking into account Sellafield’s guilty plea and its public funding model he would fine it £332,500 for cybersecurity breaches and £53,200 for prosecution costs.
The state-owned company has already apologised for the cybersecurity failings. It pleaded guilty to the charges – which relate to IT security offences spanning a four-year period from 2019 to 2023 – when they were brought by the Office for Nuclear Regulation (ONR) in June.
Judge Goldspring said the case fell into a category “bordering on negligence” and a “dereliction of responsibilities”.
Sellafield might also “foreseeably have caused harm” and a loss of data could “have had huge risk adverse consequences for workers, the public and the environment”, he said.
Sellafield, which has a workforce of about 11,000 people, is a sprawling rubbish dump on the Cumbrian coast that stores and treats decades of nuclear waste from atomic power generation and weapons programmes. It is the world’s largest store of plutonium and is part of the Nuclear Decommissioning Authority, a taxpayer-owned and -funded quango.
Late last year, the Guardian’s Nuclear Leaks investigation revealed a string of IT failings at the state-owned company, dating back several years, as well as radioactive contamination and a toxic workplace culture. The Guardian reported that the site’s systems had been hacked by groups linked to Russia and China, embedding sleeper malware that could lurk and be used to spy or attack systems.
The Guardian investigation revealed that Sellafield’s computer servers were deemed so insecure that the problem was nicknamed ‘Voldemort’, after the Harry Potter villain, because it was sensitive and dangerous. It also revealed concerns about external contractors being able to plug memory sticks into its system while unsupervised.
In sentencing, Goldspring added that the prosecution did not offer any evidence of a successful cyber-attack, even if it asserted that it was impossible for Sellafield to prove that the nuclear site had not been “effectively attacked”.
As a result, the court could only sentence Sellafield on the basis that there was no evidence of “actual” harm arising from any attacks.
The fine was reduced by one-third as the nuclear site pleaded guilty at the first opportunity. The judge also noted that Sellafield has sought to improve its cybersecurity in recent months. The fine was further reduced as it is ultimately dependent on public funding to operate as a not-for-profit business.
At an earlier hearing in August, Goldspring had said that, while all parties said the failings were very serious, he would need to balance the cost to the taxpayer with the need to deter others in the sector from committing similar offences in deciding the size of the fine.
At that hearing, the court heard that a test had found that it was possible to download and execute malicious files on to Sellafield’s IT networks via a phishing attack “without raising any alarms”, according to Nigel Lawrence KC, representing the ONR.
An external IT company, Commissum, found that any “reasonably skilled hacker or malicious insider” could access sensitive data and insert malware (computer code) that could then be used to steal information at Sellafield.
Euan Hutton, chief executive of Sellafield, has apologised for the failing and said he “genuinely” believes that “the issues which led to this prosecution are in the past”.
Paul Fyfe, senior director of regulation at the ONR, said: “We welcome Sellafield Ltd’s guilty pleas.
“It has been accepted the company’s ability to comply with certain obligations under the Nuclear Industries Security Regulations 2003 during a period of four years was poor.
“Failings were known about for a considerable length of time but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised.”
There have, however, been “positive improvements” at Sellafield during the last year under new leadership, the ONR added.
A Sellafield spokesperson said: “We take cybersecurity extremely seriously at Sellafield, as reflected in our guilty pleas.
“The charges relate to historical offences and there is no suggestion that public safety was compromised.
“Sellafield has not been subjected to a successful cyber-attack.
“We’ve already made significant improvements to our systems, network and structures to ensure we are better protected and more resilient.
“The cyber threat is continually evolving, and we will continue to work with the regulator to ensure we meet the high standards rightly required of us.”