Sellafield Ltd, the state-owned company managing the Sellafield nuclear waste site in Cumbria, has pleaded guilty to criminal charges related to cyber security failings that occurred over a four-year period. The Office for Nuclear Regulation brought three charges against Sellafield, including a failure to adequately protect sensitive nuclear information on its IT network and a lack of annual health checks on its systems. Although the organization admitted to these historical offenses, they maintained that there had been no successful cyber attacks on the facility.
The sentencing for these charges is set for 8 August, marking the first prosecution under the Nuclear Industries Security Regulations introduced in 2003. Despite reports of hacking incidents linked to Russia and China in the past, Sellafield has denied any successful cyber attacks and emphasized their cooperation with the ONR throughout the legal process.
Concerns about potential vulnerabilities in the nuclear facility were raised by insiders, including issues with third-party contractors using USB memory sticks and a security breach involving a BBC camera crew accidentally broadcasting user credentials. The ongoing security challenges faced by Sellafield have also been highlighted by the alleged 2017 cyber attack on Copeland Borough Council, which manages data related to the site. However, Sellafield and the NDA have stated that they have no evidence of compromised nuclear information from this incident.