Britain’s nuclear regulator has fined the country’s largest nuclear power plant £332,500 for “persistent” breaches of safety regulations that left IT systems vulnerable.
The breaches occurred between 2019 and 2023, and while the Office for Nuclear Regulation (ONR) says there is no evidence the vulnerabilities were exploited, cybersecurity deficiencies left the facility exposed to potential data loss and unauthorized access.
The Sellafield reactor was closed in 2003, but the site continues to store nuclear material and process plutonium, and it includes a range of waste storage and processing facilities.
Everything cleared up
The site pleaded guilty to three criminal charges over the deficiencies.
The shortcomings included failing to carry out annual safety checks, which the company attributed to “industry-wide difficulties in recruiting sufficiently qualified staff”. Since the ruling, Sellafield has made “significant improvements” to its systems and structures to ensure public safety.
A successful attack could have come in the form of a phishing campaign or a malicious insider that could damage facilities or disrupt operations. It was previously reported that Sellafield was hacked by Russian and Chinese hackers, but both the site and the British government have denied this.
“Deficiencies had been known for some time, but despite our interventions and guidance, Sellafield failed to respond effectively, leaving it vulnerable to security breaches and compromise of its systems,” said Paul Fyfe, ONR Senior Director of Regulation.
Secretary of State for Energy Ed Miliband previously described the news that contractors could access the site network without supervision as a “deeply worrying report on one of our most sensitive parts of energy infrastructure”.
Although the regulator found no evidence of harm from the cybersecurity shortcomings, the site is said to be taking the allegations “very seriously”, which it said is reflected in the guilty verdict.
Via BBC