Sellafield nuclear waste site fined £332,500 for cyber security breaches


The UK state-owned operator of Europe’s largest nuclear waste dump has been fined £332,500 after pleading guilty to “serious” cyber security failings. 

Sellafield Ltd, which is in charge of managing and cleaning up the nuclear waste site in Cumbria, north-west England, was on Wednesday ordered to pay prosecutors’ costs of £53,253, as well as a court surcharge of £190.

Handing down the sentence at Westminster Magistrates Court in London, senior district judge Paul Goldspring said the breaches were “not a momentary lapse that had been put right immediately” and could have caused harm.

“The offences in this case are serious,” he added.

Goldspring said the policing of nuclear material was of “crucial national importance” to ensure that “material or technology does not get into malevolent hands” and to safeguard public safety.

However, he also noted that there was no evidence of actual harm and the breaches were the result of “sector-wide difficulties recruiting suitably qualified staff” rather than cost-cutting in pursuit of profits.

He also said that since the company, which employs about 12,000 people, was state-owned, “every penny of any fine is paid by the taxpayer”.

The 6 sq km Sellafield nuclear waste site holds nuclear waste from Britain’s current and closed nuclear reactors, including the world’s largest stockpile of plutonium.

Sellafield Ltd pleaded guilty in June to three offences under the Nuclear Industries Security Regulations 2013.

The plea followed an investigation by the Office for Nuclear Regulation (ONR) covering Sellafield’s cyber security between 2019 and 2023. It is the first time the ONR has prosecuted anyone under these regulations.

At an earlier hearing in August, Nigel Lawrence KC for the ONR said the regulator had highlighted issues with Sellafield’s cyber security management for “a number of years”.

Testing carried out by Sellafield in late 2022 at the ONR’s request revealed vulnerabilities that could have allowed a hacker to “view and extract sensitive data and execute malicious code” such as ransomware.

Sellafield also failed to carry out certain annual computer system health checks, despite assuring the regulator it had done so. 

“The offences in this case are serious ones,” Lawrence added. “Despite significant interventions from ONR and guidance from its own IT provider, the defendant allowed a situation to persist in which significant vulnerabilities were present in its cyber security systems.

“These had the potential to cause serious security breaches, including the compromise of sensitive nuclear information.” 

Paul Greaney KC, representing Sellafield at the August hearing, said there was no evidence of a real-life successful cyber attack against its systems, and the damage hackers could do was limited. 

“If someone took over, would they be able to cause a catastrophe?” he asked. “The answer to that simple question is no.”

Sellafield has apologised for the failings, and said in August it had since made “significant improvements” to its systems, network and structures to strengthen protections and resilience.

In a statement provided after the sentencing, the ONR said a successful cyber attack could have “disrupted operations, damaged facilities and delayed important decommissioning activities”.

However, it added there was “no evidence that any vulnerabilities at Sellafield Ltd have been exploited as a result of the identified failings”.