Sellafield must pay nearly £400,000 to settle criminal charges brought against it for years of cyber security failures at Britain’s largest and most dangerous nuclear site. According to the regulator that brought the charges, the vast nuclear waste dump in Cumbria exposed information that could have threatened national security for four years. The regulator also discovered that 75% of its computer servers are vulnerable to cyber attacks.
Westminster Magistrates’ Court in London heard that Sellafield failed to protect crucial nuclear information. Paul Goldspring, the chief magistrate, said that, after considering Sellafield’s guilty plea and public funding model, he would fine it £332,500 for cyber breaches and £53,200 for prosecution expenses.
Sellafield had already apologized to the Office for Nuclear Regulation (ONR) in June. The company pleaded guilty when the ONR brought the charges in June. They relate to IT security offenses spanning four years from 2019 to 2023. Goldspring stated that the case was “bordering on neglect” and “a dereliction of responsibility”.
He said that Sellafield could have “foreseeably” caused harm and that a loss of data “could have had enormous risk adverse consequences for the workers, public and environment”. Sellafield is a huge rubbish dump in Cumbria that has about 11,000 employees. It stores and treats nuclear waste from decades of atomic power and weapons programs. The largest plutonium store in the world is located at the Nuclear Decommissioning Authority (NDA), a taxpayer-funded and taxpayer-owned quango.
The hacking of the site by groups associated with Russia and China was revealed late last year. Sleeper malware could be embedded in the system to spy on or attack it. An investigation revealed that Sellafield’s computer servers had been deemed so insecure that they were nicknamed “Voldemort”, after Harry Potter’s villain, because the problem was considered sensitive and dangerous. The investigation also revealed concerns over external contractors plugging memory sticks into the system unsupervised.
Goldspring said in sentencing that the prosecution had failed to provide any proof of a successful cyber attack, even though it claimed that Sellafield could not prove that its nuclear site was not “effectively attacked”. The court was only able to sentence Sellafield because there were no “actual” injuries resulting from the attacks.
The fine was reduced to one-third because the nuclear site admitted guilt at the first chance. The judge noted that Sellafield had improved its cybersecurity over the past few months. The fine was reduced further because it depends on public funding in order to run as a non-profit.
Goldspring said at an earlier hearing, in August, that while all parties agreed the failures were serious, he needed to weigh the cost of the fine against the need to prevent others from committing the same offences.
Nigel Lawrence KC, representing the ONR, testified that a phishing attempt could be used to download and run malicious files on Sellafield’s computer networks “without raising alarms”. Commissum, an external IT firm, found that “any reasonably skilled hacker” or malicious insider could access sensitive data, insert malware, and then use it to steal information from Sellafield.
Euan Hutton has apologized for his failure and stated that he “sincerely” believes “the issues leading to this prosecution are in the past”. Paul Fyfe is the senior director for regulation at ONR. He said, “We are pleased with Sellafield Ltd.’s guilty pleas.
“It has been acknowledged that the company was unable to meet certain obligations under the Nuclear Industries Security Regulations of 2003 over a four-year period. Sellafield was aware of the failures for some time, but they failed to act on them despite our intervention and guidance. This left them vulnerable to security breaches, and their systems were compromised.”
The ONR said that there have been “positive improvements at Sellafield” during the past year under the new leadership. Sellafield’s spokesperson stated: “We at Sellafield take cybersecurity very seriously, as shown by our guilty pleas.
“The charges are based on historical crimes and no evidence suggests that the public’s safety was compromised. Sellafield was not the victim of a successful cyber attack. We have already made significant improvements in our systems, networks and structures to ensure that we are better protected.
“The cyber threat is constantly evolving. We will continue to work closely with the regulator in order to meet the high standards that are rightfully required.”
Ed Miliband said, “We take safety of our national infrastructure very seriously, and I am pleased that we have a strong regulator who holds our nuclear industry accountable.”
“I have written the CEO of the Nuclear Decommissioning Authority to seek assurance that cybersecurity failures at Sellafield will not happen again.”