Sellafield pleads guilty to cybersecurity failures

Article by Adam Duckett


SELLAFIELD, which processes the UK’s nuclear waste, has pleaded guilty to all criminal charges related to cybersecurity failings brought by the Office for Nuclear Regulation (ONR).

Lawyers representing Sellafield told Westminster Magistrates Court on Thursday that they accepted cybersecurity was “not sufficiently adhered to for a period,” the Financial Times reports. It pleaded guilty to charges that it failed in March 2023 to “ensure that there was adequate protection of sensitive nuclear information on its information technology network”. Two other charges related to failures to arrange “annual health checks” for its systems.

News of IT weaknesses were reported by The Guardian last year, which alleged the Sellafield systems had been hacked, that servers storing highly sensitive data were unsecured, and that contractors were able to plug USB drives into systems while unsupervised.

Sellafield has denied that there was a successful hack and the ONR has confirmed this.

Paul Greaney KC, a lawyer representing Sellafield, told the court: “It is important to emphasise there was not and has never been a successful cyber-attack on Sellafield.”

The exact nature of Sellafield’s failings have not been disclosed.

Following Sellafield’s guilty plea, a ONR spokesperson said as the details of the case have yet to be heard in court, the regulator was unable to provide any further comments. Though they noted “there is no evidence that any vulnerabilities have been exploited”.

The ONR announced earlier this year that Sellafield would be prosecuted under the 2003 Nuclear Industries Security Regulations for alleged information technology security offences during a four-year period between 2019 and early 2023

A Sellafield spokesperson said: “The charges relate to historic offences and there is no suggestion that public safety was compromised.”

A sentencing hearing has been scheduled for 8 August.

The Sellafield site, which covers more than two square miles, opened in 1947 to produce plutonium for nuclear weapons and went on to design and house the world’s first commercial nuclear power plant. It is now home to huge quantities of stored nuclear waste which it is working to process. Sellafield describes itself as one the most significant environmental remediation challenges in Europe.

The effects of a cyber-attack on processing and industrial facilities can be severe. For example, in 2014, German authorities revealed that hackers had forced an unnamed German steel mill into an uncontrolled shutdown that caused massive damage to the plant. In 2021, a high-profile attack on a US fuel pipeline shut down operations for five days and cost millions of dollars.

Article by Adam Duckett

Editor, The Chemical Engineer

Recent Editions

Catch up on the latest news, views and jobs from The Chemical Engineer. Below are the four latest issues. View a wider selection of the archive from within the Magazine section of this site.