British nuclear site Sellafield to be prosecuted for cybersecurity failures

The United Kingdom’s independent nuclear safety regulator has revealed that it will begin legal proceedings against the company managing the Sellafield nuclear site. This is after a 4-year long investigation concluded that the company was in breach of IT security best practices.

“There is no suggestion that public safety has been compromised as a result of these issues,” the regulator assured.

We’re yet to establish whether senior managers at Sellafield Ltd will also be named as defendants in the case. If they are prosecuted and found guilty, then they face up to two years of imprisonment according to the Nuclear Industries Security Regulations 2003.

This is not the first time Sellafield, which is state-owned, has been in the spotlight for alleged security failings. The U.K. chief nuclear inspector’s annual report revealed that the company was forced to rework its policies last year after it was deemed non-compliant.

Referencing the U.K.'s civil nuclear cybersecurity strategy, the National Cyber Security Centre (NCSC) warns that ransomware is the biggest threat that the nuclear company should be worried about.

While these systems are typically equipped with multiple safeguards to prevent a radiological incident, a ransomware attack would still cause tangible damage in terms of disrupted services.

Sellafield's nuclear reactor ceased operation in 2003, but the site remains the largest nuclear facility in Europe.It houses a substantial amount of plutonium and various facilities for nuclear decommissioning, waste processing, and storage.

Admittedly, cyberattacks targeting the operational technology (OT) systems at power plants are infrequent but not unprecedented. You are probably familiar with the Stuxnet attack. The Triton malware is a more recent similar incident that was flagged in Saudi Arabia in 2017.