
Sellafield Fined by Regulator for Cybersecurity Policy Failings

Fine likely reduced based on the fact that no vulnerabilities had been exploited.

Sellafield has been handed a fine of £332,500 by the Office for Nuclear Regulation (ONR) over cybersecurity failings.

The offences relate to Sellafield Ltd's management of the security around its information technology systems between 2019 and 2023 and its breaches of the Nuclear Industries Security Regulations 2003.

The investigation by ONR - the UK’s independent nuclear regulator - found that Sellafield Ltd failed to meet the standards, procedures and arrangements set out in its own approved plan for cybersecurity and for protecting sensitive nuclear information.

No Flaws Were Exploited

At a hearing in June, Sellafield Ltd pleaded guilty to all charges, and the ONR was satisfied that no vulnerabilities had been exploited.

However, in 2023 an ONR inspector noted that a successful ransomware attack could affect important 'high-hazard risk reduction' work at the site, with a subsequent return to normal IT operations potentially taking up to 18 months.

Internally, Sellafield Ltd had itself observed that a successful phishing attack, or a malicious insider, could trigger the loss or compromise of key systems or data.

Paul Fyfe, ONR’s senior director of regulation, said: "It has been accepted [that] the company's ability to comply with certain obligations under the Nuclear Industries Security Regulations 2003 during a period of four years was poor.

"Failings were known about for a considerable length of time but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised.”

The ONR said that with new leadership and additional resources in place at Sellafield, it had seen positive improvements during the last year, and evidence the senior leadership is now giving cybersecurity the level of attention and focus it requires.

"We will continue to apply robust regulatory scrutiny where necessary to ensure all risks, including cybersecurity, are effectively managed by the nuclear industry.”

Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
