The United Kingdom's nuclear safety regulator has announced its intention to prosecute the management company responsible for overseeing the Sellafield nuclear site over alleged cybersecurity breaches spanning a four-year period from 2019 to early 2023.
Sellafield, the UK's primary nuclear waste storage facility, which houses the largest stockpile of plutonium worldwide, has come under intense scrutiny due to significant lapses in its information technology security protocols. The digital infrastructure of Sellafield holds not only sensitive operational data but also crucial planning documents vital for the UK's response to critical incidents, including potential attacks by foreign entities.
The Office for Nuclear Regulation (ONR) noted that “there is no suggestion that public safety has been compromised as a result of these issues.”
In 2022, the British government imposed “special measures” on Sellafield due to recurring cybersecurity failures. In December 2023, The Guardian reported that Sellafield had fallen victim to cyber intrusions linked closely to both Russian and Chinese cyber groups.
Investigations revealed that authorities were unable to pinpoint precisely when the IT systems at Sellafield were initially compromised. Sources indicated that signs of breaches surfaced as far back as 2015, when experts detected the presence of sleeper malware within Sellafield's computer networks. It’s unknown whether the site’s systems were purged of malware, the paper noted at the time.
It’s also unclear whether senior managers at Sellafield will face charges. According to the Nuclear Industries Security Regulations 2003, individuals convicted of such offenses could potentially face up to two years of imprisonment.