Sprawling Sellafield Nuclear Waste Site Prosecuted for Cybersecurity Failings

UK regulator said that one of the world's most toxic sites accumulated cybersecurity "offenses" from 2019 to 2023.

Dark Reading Staff, Dark Reading

April 1, 2024


Sellafield Ltd, the managing company of the Sellafield nuclear site, will be prosecuted by the UK's independent nuclear safety regulator for alleged cybersecurity offenses.

According to the safety regulator, the infractions accumulated over a four-year period from 2019 to 2023. However, the regulator noted in its announcement that there is nothing to suggest that public safety has been compromised by these "information technology security offenses." The Office for Nuclear Regulation (ONR) provided little comment on the specific issues or the legal proceedings, but noted that "details of the first court hearing will be announced when available."

This is not the first time the company has been under scrutiny. Its cybersecurity issues were also addressed in the Chief Nuclear Inspector's annual report on the country's nuclear industry, released last September. And in December, the Guardian released a bombshell report that advanced persistent threats (APTs) backed by Russia and China have been breaching Sellafield's IT systems as far back as 2015. The paper alleged that these attacks have been consistently covered up by senior staff at the site, which holds a vast store of radioactive waste and the world's largest store of plutonium.

It's not currently known whether any senior managers were involved in these security failings or, if so, whether they'll face charges. If convicted, an individual can face a maximum of two years in prison.

A nuclear reactor is located on the Sellafield grounds. Even though the reactor was closed in 2003, Sellafield is still Europe's largest nuclear site, and the ONR considers it to be "one of the most complex and hazardous nuclear sites in the world." That's likely a big part of the reason why the company's cybersecurity failings are of notable concern.

Though cyberattacks on power plants aren't necessarily common, they have occurred on rare occasions. One example is the 2017 spate of attacks using Triton malware, also known as Trisis and HatMan, which was used to target a Middle East petrochemical facility at the hands of the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIkhM). The threat actor moved through IT and operational technology (OT) networks to gain entry to the safety system and targeted the Schneider Electric Triconex safety instrumented system, which allows initiation of a safe shutdown process in case of emergencies. With the safety system modified by malware, the attack could have led to damage to the facility, operational shutdown, and even fatalities.

That said, what kind of damage a cyberattack would cause Sellafield and whether it could have a similar catastrophic fallout is unknown, since the nuclear reactor is no longer operational.
