THE GUARDIAN: Sellafield ordered to pay nearly £400,000 over cybersecurity failings
Sellafield will have to pay almost £400,000 after it pleaded guilty to criminal charges over years of cybersecurity failings at Britain's most hazardous nuclear site.
The vast nuclear waste dump in Cumbria left information that could threaten national security exposed for four years, according to the industry regulator, which brought the charges. It was also found that 75% of its computer servers were vulnerable to cyber-attack.
Sellafield had failed to protect vital nuclear information, Westminster magistrates court in London heard on Wednesday. The chief magistrate, Paul Goldspring, said that after taking into account Sellafield's guilty plea and its public funding model he would fine it £332,500 for cybersecurity breaches and £53,200 for prosecution costs.
The state-owned company has already apologised for the cybersecurity failings. It pleaded guilty to the charges, which relate to IT security offences spanning a four-year period from 2019 to 2023, when they were brought by the Office for Nuclear Regulation (ONR) in June.
Judge Goldspring said the case fell into a category "bordering on negligence" and a "dereliction of responsibilities".
Sellafield might also "foreseeably have caused harm" and a loss of data could "have had huge risk adverse consequences for workers, the public and the environment", he said.
Sellafield, which has a workforce of about 11,000 people, is a sprawling rubbish dump on the Cumbrian coast that stores and treats decades of nuclear waste from atomic power generation and weapons programmes. It is the world's largest store of plutonium and is part of the Nuclear Decommissioning Authority, a taxpayer-owned and -funded quango.
Late last year, the Guardian's Nuclear Leaks investigation revealed a string of IT failings at the state-owned company, dating back several years, as well as radioactive contamination and a toxic workplace culture. The Guardian reported that the site's systems had been hacked by groups linked to Russia and China, embedding sleeper malware that could lurk and be used to spy or attack systems.
The Guardian investigation revealed that Sellafield's computer servers were deemed so insecure that the problem was nicknamed "Voldemort", after the Harry Potter villain, because it was sensitive and dangerous. It also revealed concerns about external contractors being able to plug memory sticks into its system while unsupervised.
In sentencing, Goldspring added that the prosecution did not offer any evidence of a successful cyber-attack, even though it asserted that it was impossible for Sellafield to prove that the nuclear site had not been "effectively attacked".
As a result, the court could only sentence Sellafield on the basis that there was no evidence of "actual" harm arising from any attacks.
The fine was reduced by one-third as the nuclear site pleaded guilty at the first opportunity. The judge also noted that Sellafield has sought to improve its cybersecurity in recent months. The fine was further reduced because Sellafield is ultimately dependent on public funding to operate as a not-for-profit business.
At an earlier hearing in August, Goldspring had said that, while all parties said the failings were very serious, he would need to balance the cost to the taxpayer with the need to deter others in the sector from committing similar offences in deciding the size of the fine.
At that hearing, the court heard that a test had found that it was possible to download and execute malicious files on to Sellafield's IT networks via a phishing attack "without raising any alarms", according to Nigel Lawrence KC, representing the ONR.
An external IT company, Commissum, found that any "reasonably skilled hacker or malicious insider" could access sensitive data and insert malware (computer code) that could then be used to steal information at Sellafield.
Euan Hutton, chief executive of Sellafield, has apologised for the failing and said he "genuinely" believes that "the issues which led to this prosecution are in the past".
Paul Fyfe, senior director of regulation at the ONR, said: "We welcome Sellafield Ltd's guilty pleas.
"It has been accepted the company's ability to comply with certain obligations under the Nuclear Industries Security Regulations 2003 during a period of four years was poor.
"Failings were known about for a considerable length of time but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised."
There have, however, been "positive improvements" at Sellafield during the last year under new leadership, the ONR added.
A Sellafield spokesperson said: "We take cybersecurity extremely seriously at Sellafield, as reflected in our guilty pleas.
"The charges relate to historical offences and there is no suggestion that public safety was compromised.
"Sellafield has not been subjected to a successful cyber-attack.
"We've already made significant improvements to our systems, network and structures to ensure we are better protected and more resilient.
"The cyber threat is continually evolving, and we will continue to work with the regulator to ensure we meet the high standards rightly required of us."