UPDATED March 28, 2024. 22:35pm GMT to clarify that Sellafield Ltd's CISO will leave later this year but remains in place and that part of the NDA's annual governance statement that flags potential risks was mischaracterised as a risk assessment. Updated sections in italics.
Sellafield Ltd, the company cleaning up the UK’s largest and most dangerous nuclear waste site, is being prosecuted for cybersecurity failures between 2019 and 2023.
The Office for Nuclear Regulation (ONR) said it has “notified Sellafield Ltd that it will be prosecuted under the Nuclear Industries Security Regulations 2003.”
“The decision to begin legal proceedings follows an investigation by ONR, the UK’s independent nuclear regulator” it added in a short statement on March 28.
"There is no suggestion that public safety has been compromised as a result of these issues," the ONR added.
Sellafield Ltd. is a wholly owned subsidiary of the publicly owned Nuclear Decommissioning Authority. It employs 10,892 staff.
Sellafield Ltd. is clearing up legacy nuclear waste pools at the Sellafield site in “the largest, most important environmental restoration programme in Europe”.
The site houses 85% of all the UK’s nuclear waste in less than two square miles.
There are four nuclear ponds and silos at the Sellafield site. One (built in the 1940s) has remained open to the elements for more than sixty years.
Alongside skips of irradiated oxide and metal fuel, it contains disused machinery and radioactive sludge. Regulators have described it as an “intolerable risk.”
Sellafield received £2.5 billion in public funding in 2023; the lion's share of an annual £3 billion+ annual bill to clean up what the Guardian describes pithily as a "sprawling rubbish dump for nuclear waste from weapons programmes and decades of atomic power generation."
Quis custodiet?
The Nuclear Decommissioning Authority, the public body overseeing UK-wide nuclear waste cleanup projects, including at Sellafield, itself is working to improve its cybersecurity, its annual report shows.
"The threat environment continues to grow and there has been increased HMG and regulatory expectations" it notes, adding that "Our Cyber Security Strategy is well established, but requires further integration with organisational and operational planning across the whole NDA group.
"The nature of the threat continues to change and is so prevalent that we have established a group-wide programme (Cyber Security Resilience Programme) to ensure that we become an increasingly harder target for those who seek to do harm to our businesses or our sites."
(It also warned that more broadly across the UK’s nuclear waste estate there has been a “deterioration of assets” including a worrying fire within Sellafield’s Magnox reprocessing plant.)
Subscribe to The Stack today for free
The Sellafield prosecution follows a decision by the ONR in 2022 to launch “targeted formal enforcement to ensure that [cyber] shortfalls are addressed.”
“Given ongoing delays with delivery of safety and security improvements as well as matters of legal compliance, we took action to hold Sellafield Ltd to account in accordance with their legal obligations. We have sought improvements in relation to high hazard and risk reduction activities and compliance,” the ONR said in 2022.
“Sellafield Ltd remains subject to significantly enhanced regulatory attention for cyber security. This is likely to remain in place for the year ahead, as Sellafield… address[es] the shortfalls we reported last year” it said at the time; the company having made “limited progress in ensuring adequate cyber security arrangements due to resource constraints and we subsequently took enforcement action.”
Sellafield’s CISO Richard Meal will step down from his role later this year, following safety and security director Mark Neate (who resigned in January 2024) out of the door.
The Sellafield prosecution comes after The Guardian in 2023 alleged that the company had covered up intrusions by state-backed hackers and that workers at other sites had discovered they could remotely access Sellafield’s systems, with USB memory sticks routinely used by contractors and a visiting BBC camera crew once accidently caught filming and broadcasting valid user credentials.