UK nuclear site Sellafield fined $440,000 for cybersecurity shortfalls

Nuclear waste processing facility Sellafield has been fined £332,500 ($440k) by the Office for Nuclear Regulation (ONR) for failing to adhere to cybersecurity standards and putting sensitive nuclear information at risk over four years, from 2019 to 2023.

According to the ONR announcement, Sellafield failed to follow its own approved cybersecurity protocols by leaving multiple vulnerabilities in its IT systems unpatched, violating the Nuclear Industries Security Regulations 2003.

Although no exploitation has occurred, the weaknesses exposed the facility to risks such as ransomware, phishing, and potential data loss, which could disrupt high-hazard operations and delay decommissioning work.

A disaster waiting to happen

Sellafield is one of Europe’s largest nuclear facilities, located in Cumbria, UK. It plays a significant role in managing and processing radioactive materials, handling more nuclear waste in one location than any other facility worldwide.

The site is involved in retrieving nuclear waste, fuel, and sludge from legacy ponds and silos, storing radioactive materials such as plutonium and uranium, managing spent nuclear fuel rods, and remediating and decommissioning nuclear facilities.

Sellafield is a critical unit for the UK’s nuclear waste management system, so its IT systems security is vital to ensure safe operations.

Last year, a series of investigations by The Guardian into Sellafield’s cybersecurity brought attention to multiple severe issues, revealing that contractors had easy access to critical systems where they, among other things, could install USB drives.

Additionally, well-known vulnerabilities within the facility abound, giving the site the nickname “Voldemort” by people working there.

An audit from French security firm Atos revealed that roughly 75% of Sellafield’s servers were vulnerable to attacks with potentially catastrophic consequences.

The nuclear site’s operators pleaded guilty in June 2024 to their failure to comply with standard IT security regulations, admitting their failure.

ONR’s fines Sellafield but confirmed no breach

ONR investigated these reports, and while it confirmed that Sellafield failed to abide by the cybersecurity standards that underpin the operation of such sites in the UK, it says it found no evidence that the vulnerabilities were leveraged in attacks.

This contrasts previous reports by the press that Russian and Chinese hackers allegedly planted malware on the site, and that security breaches occurred as far back as 2015.

“An investigation by ONR […] found that Sellafield Ltd failed to meet the standards, procedures and arrangements, set out in its own approved plan for cyber security and for protecting sensitive nuclear information,” reads ONR’s announcement.

“Significant shortfalls were present for a considerable length of time. It was found that Sellafield Ltd allowed this unsatisfactory performance to persist, meaning that its information technology systems were vulnerable to unauthorized access and loss of data.”

“However, there is no evidence that any vulnerabilities at Sellafield Ltd have been exploited as a result of the identified failings.”

Inspections conducted by the ONR on Sellafield revealed that the scenario of a successful ransomware attack could derail normal operations at the nuclear site for up to 18 months.

Sellafield has replaced key people in senior leadership and IT management over the past year to implement plans to remediate the cybersecurity risks as soon as possible. Good progress has been seen on that front, according to ONR.