UK's Sellafield nuke waste processing plant fined £333K for infosec blunders

Radioactive hazards and cyber failings ... what could possibly go wrong?

The Register

The outfit that runs Britain's Sellafield nuclear waste processing and decommissioning site has been fined £332,500 ($440,000) by the nation's Office for Nuclear Regulation (ONR) for its shoddy cybersecurity practices between 2019 and 2023.

Sellafield, located in Cumbria, England, manages more radioactive waste than any other nuclear site in the world, and decommissioning work happening at the facilities involves high-hazard activities including waste retrieval, plutonium and uranium storage, and spent nuclear fuel management and remediation.

The last thing it needs is dodgy cybersecurity. Yet the site's poor infosec practices violated the UK's Nuclear Industries Security Regulations 2003, according to the ONR.

Luckily, despite its four-year stretch of lax cybersecurity, which left its IT systems vulnerable to unauthorized access and data theft, "there is no evidence that any vulnerabilities at Sellafield Ltd have been exploited as a result of the identified failings," the regulatory body concluded. Sellafield Ltd is the government-controlled company responsible for the plant.

"Failings were known about for a considerable length of time but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised," said Paul Fyfe, ONR's senior director of regulation, after the judge imposed a financial penalty on the nuclear waste management facility.

Sellafield Ltd did not immediately respond to The Register's inquiries.

This fine and the court appearances follow allegations in December 2023 that Sellafield had been hit with malware by Russia and China. At the time, the UK government and the ONR both denied that systems had been compromised. But later, following its investigation of the nuclear site, the ONR decided to prosecute the entity.

While it's said nothing malicious happened despite Sellafield's infosec near misses, last year an ONR inspector noted that a successful ransomware attack could cripple "high-hazard risk reduction" work being done at the site, and recovering IT operations following this type of digital intrusion could take up to 18 months.

Plus, in an internal report, the facility itself admitted that a successful phishing attack or a malicious insider could have compromised sensitive data, disrupted operations, damaged facilities, and delayed decommissioning activities.

Following the ONR investigation and subsequent prosecution, Sellafield in June pleaded guilty to failing to comply with its own security plan by not ensuring adequate protection of sensitive nuclear information on its IT network.

The outfit also pleaded guilty to failing to comply with its approved security plan by not arranging for the annual operational technology health checks, to be performed by an authorized tester, that were due in March 2021 and March 2022.

And then, the nuclear waste repository reportedly asked the judge for leniency.

Earlier this week at Westminster Magistrates Court, Chief Magistrate Senior District Judge Paul Goldspring ordered Sellafield to pay a fine of £332,500, plus prosecution costs of £53,253.20. ®