
Cybersecurity under the microscope after Sellafield failings


Cybersecurity within critical national infrastructure is under the microscope as Sellafield – and the cybersecurity sector as a whole – awaits the sentencing of the facility.

Sellafield Ltd pleaded guilty to three counts of technology security offences during 2019-2023 at Westminster Magistrates’ Court earlier this summer. A sentence hearing was held last week (8 August), but Chief Magistrate Senior District Judge Paul Goldspring did not pass sentence. The Office of Nuclear Regulation (ONR), which brought the case against Sellafield, expects the facility to be sentenced in September.

After Sellafield entered its guilty plea in June, the ONR noted: “There is no evidence that any vulnerabilities have been exploited.”

According to The Guardian’s report, the court was told that 75% of Sellafield’s computer servers were vulnerable to cyber-attacks. The court was also told that sensitive nuclear information (SNI) was left vulnerable in part because of the use of obsolete technology, including Windows 7 and Windows 2008. The ONR describes SNI as “information relating to activities carried out on or in relation to civil nuclear premises, and deemed to be of value to an adversary planning a hostile act”.

Furthermore, the court heard that a subcontractor was sent 4,000 files by mistake. Of those files, 13 were classed as “official/sensitive”, without any alarm being triggered.

The Guardian noted: “While all parties said the failings were very serious, the judge said he would need to balance the cost to the taxpayer with the need to deter others in the sector from committing similar offences. The sentencing would be ‘new territory for all of us’, Goldspring said, given that no nuclear site had been prosecuted in this way before.”

Public safety not compromised

A Sellafield spokesperson said: “We take cybersecurity extremely seriously at Sellafield, as reflected in our guilty pleas. The charges relate to historic offences and there is no suggestion that public safety was compromised.

“Sellafield has not been subjected to a successful cyber-attack or suffered any loss of sensitive nuclear information.

“We’ve already made significant improvements to our systems, network, and structures to ensure we are better protected and more resilient. As the issue remains the subject of active court proceedings, we are unable to comment further.”

In an unrelated move, the National Audit Office is set to report on risk reduction at Sellafield in the autumn. This report will examine whether the Nuclear Decommissioning Authority and Sellafield are taking a sustainable approach to decommissioning.
