UK’s largest nuclear power site fined for cybersecurity breaches

Application Security Testing Concept with Digital Magnifying Glass Scanning Applications to Detect Vulnerabilities - AST - Process of Making Apps Resistant to Security Threats - 3D Illustration

(Image credit: Shutterstock / ArtemisDiana)

Britain’s nuclear regulator has fined the largest UK nuclear power facility £332,500 for "persistently" breaching security regulations which left IT systems vulnerable.

The instances occurred between 2019 and 2023, and although the Office for Nuclear Regulation (ONR) say there is no evidence the vulnerabilities were exploited, cybersecurity shortcomings left the facility exposed to potential loss of data and unauthorised access.

Sellafield’s reactor was shut down in 2003, but nuclear materials are still stored and plutonium is handled at the site, including a range of facilities for waste storage and processing.

All cleaned up

The site pleaded guilty to three criminal charges over the failings.

The shortfalls included failing to carry out annual security checks, which the company attributes to “sector-wide difficulties recruiting suitably qualified staff”. Since the ruling, Sellafield has made "significant improvements" to its systems and structures to ensure public safety.

A successful attack could have come in the form of a phishing campaign or a malicious insider which could have damaged facilities or disrupted operations. It was previously reported that Sellafield was breached by Russian and Chinese hackers, but both the site and the UK government have denied this.

"Failings were known about for a considerable length of time but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised.” said The ONR's Senior Director of Regulation Paul Fyfe.

Secretary of State for Energy, Ed Miliband previously commented on news that contractors could access the site network unsupervised as a “very concerning report about one of our most sensitive pieces of energy infrastructure”.

Whilst the regulator found no evidence of harm from the cybersecurity shortfalls, the site is said to be taking the charges "very seriously", which it says is reflected in the guilty plea.

Via BBC

More from TechRadar Pro

Check out our pick of the best malware removal software
This AI-powered malware has evolved to add image recognition
Take a look at our best endpoint protection software choices

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.