A “disaster waiting to happen”: Sellafield plant admits to glaring cybersecurity failures
Sellafield Ltd, the firm in charge of managing one of Europe’s largest nuclear sites, has pleaded guilty to charges relating to cybersecurity failings at the facility.
The company apologized for its shortcomings after the Westminster magistrates court was presented with a litany of security failings that could have threatened the UK’s national security.
The Sellafield site was used for processing and storing nuclear waste, and is one of the largest stores of plutonium in the world, employing over 10,000 people from the Cumbria area.
Multiple investigations into the security posture of the facility revealed staggering vulnerabilities that exposed the operation to a wide range of potentially devastating cyber attacks.
A Guardian investigation into the safety of the nuclear sector found contractors at Sellafield could easily access critical systems, describing how a contractor could plug a USB memory stick into the site’s computer system while unsupervised.
The investigation also found many staff members working on the Sellafield site referred to its cyber shortcomings as Voldemort, as they were so sensitive and dangerous.
Moreover, a report from French security firm Atos, a subcontractor at the Sellafield site, found 75% of its servers were vulnerable to cyber attack.
Sellafield’s own investigation, led by external IT firm Commissum, concluded that any “reasonably skilled hacker or malicious insider” could access sensitive data and load malware onto the network.
The Office for Nuclear Regulation (ONR) brought charges against the company in charge of the facility in June, relating to criminal security failings at the site over four years between 2019 and 2023.
Nigel Lawrence KC, representing the ONR, highlighted the organization’s poor IT governance, explaining to the court that it was possible to download and execute malicious files on the site’s networks via a phishing attack “without raising any alarms”.
Sellafield cyber failings “nothing short of catastrophic”
Speaking to ITPro, Mark Flynn, cybersecurity expert at Computer Care, said he was shocked by the level of negligence displayed by those in charge of managing the facility.
“The cybersecurity failings at Sellafield are nothing short of catastrophic. For a facility of such critical national importance to have 75% of its computer servers vulnerable to cyber attacks is beyond negligent – it’s a disaster waiting to happen,” he warned.
“The use of obsolete technology like Windows 7 and Windows 2008 at a nuclear site is particularly alarming. These systems are no longer supported with security updates, leaving them wide open to exploitation. It’s akin to leaving the keys to the kingdom under the doormat and hoping no one notices.”
Flynn added that what he found most worrying was the length of time these weaknesses went unaddressed.
“What’s most concerning is the duration of these vulnerabilities. Four years is an eternity in cybersecurity terms. The fact that sensitive nuclear information was left exposed for so long suggests a culture of complacency that has no place in such a high-stakes environment,” he explained.
“The ability for malicious files to be downloaded and executed on Sellafield’s networks without raising any alarms is frankly terrifying. This level of vulnerability at a site housing the world’s largest store of plutonium is unacceptable and poses a significant threat to national security.”
The cyber capabilities of Sellafield need to be totally rebuilt, Flynn argued, stating that UK businesses should treat this case as a “wake-up call” to reassess their defensive posture.
“Moving forward, Sellafield needs a complete overhaul of its cybersecurity culture. This means regular penetration testing, continuous monitoring, and a proactive approach to identifying and mitigating vulnerabilities. The leadership must prioritize cybersecurity at every level of the organization and ensure that it’s treated with the urgency and importance it demands,” he stated.
“Every business and organization in the UK should take this as a wake-up call. In our increasingly digital world, cybersecurity is just as crucial as physical security when it comes to protecting our assets. We can’t afford to let complacency creep in when the stakes are this high.”
Defense accuses prosecution of “turbocharging” claims
Sellafield Ltd pleaded guilty to the charges brought by the ONR, with Euan Hutton, chief executive of the facility, apologizing for its failings in a written statement.
“I again apologize on behalf of the company for matters which led to these proceedings… I genuinely believe that the issues which led to this prosecution are in the past.”
Paul Greaney KC, representing the firm, noted the company had made some efforts to address its glaring security shortcomings. This included changing the IT management at the site, as well as creating a new secure datacenter for hosting the facility’s sensitive data.
He added that the prosecution had unnecessarily exaggerated the security failings at Sellafield, arguing it had “turbocharged” the issues, and rejected the ONR’s claim that the problems were the result of cost-saving measures.
The company is now awaiting final sentencing, which is expected to take place within a matter of weeks, potentially in September according to the ONR.