Sellafield to be prosecuted over alleged cyber compliance failure

Sellafield Ltd, the organisation responsible for cleaning up and decommissioning the UK’s largest nuclear waste site, is to be prosecuted over alleged cyber security failings dating back to 2019

Alex Scroxton,
Security Editor

Published: 28 Mar 2024 15:28

Sellafield Ltd, the Nuclear Decommissioning Authority-backed organisation currently working to wind up operations at the troubled Sellafield nuclear facility in Cumbria, is to be prosecuted over significant cyber security failings under the auspices of the Nuclear Industries Security Regulations of 2003.

The charges, laid by the Office for Nuclear Regulation (ONR), cover a range of alleged IT security offences during the period between 2019 and 2023.

“The decision to begin legal proceedings follows an investigation by ONR, the UK’s independent nuclear regulator,” the body said in a brief statement. “There is no suggestion that public safety has been compromised as a result of these issues.

“Details of the first court hearing will be announced when available. Given that some matters are now subject to legal proceedings, we are unable to comment further.”

The announcement came mere hours after it was reported that Sellafield’s chief information security officer, Richard Meal – a former RAF officer who has been in post for over 10 years – stepped down from his role, although this has not been confirmed by Sellafield.

Computer Weekly understands that Sellafield’s apparent cyber security issues have been bubbling to the surface for a while, and in 2023 the site’s operators strenuously denied allegations – arising from a lengthy Guardian investigation – that its IT systems had been thoroughly compromised by state-backed threat actors originating from China and Russia.

The newspaper claimed the hackers had deployed difficult-to-detect sleeper malware on Sellafield’s systems to harvest data and snoop on the ongoing nuclear clean-up at the facility, which was the scene of the UK’s worst ever nuclear disaster in the 1950s.

The Guardian accused Sellafield of a consistent cover-up of the intrusions, which supposedly dated to 2015, and alleged that the extent of the breach only came to light when workers at other sites discovered they could remotely access Sellafield’s systems.

An insider at the site described Sellafield’s network as “fundamentally insecure” and drew attention to various concerns, which included the use of USB memory sticks by third-party contractors and an incident in which a visiting BBC camera crew accidentally filmed and broadcast user credentials. So severe were some of the failings that they were supposedly nicknamed “Voldemort”.

At the time, Sellafield chief executive Euan Hutton told the BBC that the facility had “robust, multi-layer protection systems” and a “24/7-staffed cyber security operations centre” that would have detected any intrusion.

The ONR has not provided details of any specific cyber security incidents that form the basis of its action.

A spokesperson for the Department for Energy Security and Net Zero, which bears ultimate responsibility for funding Sellafield, said: “Safety and security at our former nuclear sites is paramount and we fully support the Office for Nuclear Regulation in its independent role as regulator.

“The regulator has made clear that there is no suggestion that public safety has been compromised at Sellafield.

“Since the period of this prosecution, we have seen a change of leadership at Sellafield and the ONR has noted a clear commitment to address its concerns.”

A spokesperson for Sellafield Ltd said: “The ONR’s Civil Nuclear Security and Safeguards (CNSS) has notified us of its intention to prosecute the company relating to alleged past nuclear industry security regulations compliance.

“As the issue is now the subject of active court proceedings, we are unable to comment further.”

Read more on Data breach incident management and recovery

Top 10 investigations and national security stories of 2023