Anna Isaac and Alex Lawson 

Sellafield pleads guilty to criminal charges over cybersecurity failings

UK nuclear site pleads guilty to IT security breaches from 2019 to 2023
  
  

Sellafield’s lawyers have said that cybersecurity requirements were not ‘sufficiently adhered to for a period’. Photograph: David Levene/The Guardian

The UK’s most hazardous nuclear site, Sellafield, has pleaded guilty to criminal charges related to cybersecurity failings brought by the industry regulator.

Lawyers acting for Sellafield told Westminster magistrates’ court on Thursday that cybersecurity requirements were “not sufficiently adhered to for a period” at the vast nuclear waste dump in Cumbria.

The charges relate to information technology security offences spanning a four-year period from 2019 to 2023. It emerged in March that the Office for Nuclear Regulation (ONR) intended to prosecute Sellafield for technology security offences.

Late last year the Guardian’s Nuclear Leaks investigation revealed a catalogue of IT failings at the site dating back several years.

Sellafield pleaded guilty to a charge that it had failed to “ensure that there was adequate protection of sensitive nuclear information on its information technology network”, the Financial Times reported.

The Guardian reported last year that the site systems had been hacked by groups linked to Russia and China in December last year, embedding sleeper malware that could lurk and be used to spy or attack systems. At the time, Sellafield said it did not have evidence of a successful cyber-attack.

Paul Greaney KC, acting for Sellafield, told the court: “It is important to emphasise there was not and has never been a successful cyber-attack on Sellafield.”

Greaney added that Sellafield’s systems were now robust and said media reports of hacks were “false”.

An ONR spokesperson said: “We acknowledge that Sellafield Limited has pleaded guilty to all charges.

“There is no evidence that any vulnerabilities have been exploited,” the spokesperson said, adding that due to ongoing legal proceedings the ONR could not offer further detail at this time.

Sentencing is expected to take place on 8 August.

The site has the largest store of plutonium in the world and is a sprawling rubbish dump for nuclear waste from weapons programmes and decades of atomic power generation.

The Guardian investigation revealed a string of IT issues, including concerns about external contractors being able to plug memory sticks into its computer system while unsupervised.

The investigation found problems had been known by senior figures at the nuclear site for at least a decade, according to a report dated from 2012, which warned there were “critical security vulnerabilities” that needed to be addressed urgently.

Sellafield’s computer servers were deemed so insecure that the problem was nicknamed Voldemort after the Harry Potter villain, according to a government official familiar with the ONR investigation and IT failings at the site, because it was so sensitive and dangerous.

At the time, Sellafield said that “all of our systems and servers have multiple layers of protection”.

“Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not penetrate these,” a spokesperson said.

Britain’s public spending watchdog, the National Audit Office, launched an investigation into risks and costs at Sellafield earlier this year.

A spokesperson for Sellafield said: “We have pleaded guilty to all charges and cooperated fully with ONR throughout this process. The charges relate to historic offences and there is no suggestion that public safety was compromised.

“As the issue remains the subject of active court proceedings, we are unable to comment further.”

 
