The outfit that runs Britain’s Sellafield nuclear waste processing and decommissioning site has been fined £332,500 ($440,000) by the nation’s Office for Nuclear Regulation (ONR) for its shoddy cybersecurity practices between 2019 and 2023.

Sellafield, located in Cumbria, England, manages more radioactive waste than any other nuclear site on the planet, and decommissioning work taking place at the facilities includes high-hazard activities including waste retrieval, plutonium and uranium storage, and spent nuclear fuel management and remediation.

The very last thing it needs is dodgy cybersecurity. But the site’s poor infosec practices violated the UK’s Nuclear Industries Security Regulations 2003, according to the ONR.

Fortunately, despite its four-year stretch of lax cybersecurity, which left its IT systems vulnerable to unauthorized access and data theft, “there is no evidence that any vulnerabilities at Sellafield Ltd have been exploited as a result of the identified failings,” the regulatory body concluded. Sellafield Ltd is the government-controlled company responsible for the plant.

“Failings have been known about for a substantial length of time but despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised,” said Paul Fyfe, ONR’s senior director of regulation, after the judge imposed a financial penalty on the nuclear waste management facility.

Sellafield Ltd did not immediately respond to The Register’s inquiries.

This fine and the court appearances follow allegations in December 2023 that Sellafield had been hit with malware by Russia and China. At the time, the UK government and ONR both denied systems had been compromised. But later, the ONR decided to prosecute the entity following its investigation of the nuclear site.

While it is said nothing malicious occurred despite Sellafield’s infosec near misses, last year an ONR inspector noted that a successful ransomware attack could cripple “high-hazard risk reduction” work being carried out at the site, and recovering IT operations following any such digital intrusion could take up to 18 months.

Plus, in an internal report, the facility itself admitted that a successful phishing attack or a malicious insider could have compromised sensitive data, disrupted operations, damaged facilities, and delayed decommissioning activities.

Following the ONR investigation and subsequent prosecution, Sellafield in June pleaded guilty to failing to comply with its own security plan by not ensuring adequate protection of sensitive nuclear information on its IT network.

The outfit also pleaded guilty to failing to comply with its approved security plan by not arranging for annual operational technology health checks, carried out by a licensed tester, in March 2021 and March 2022.

After which, the nuclear waste repository reportedly asked the judge for leniency.

Earlier this week at Westminster Magistrates’ Court, Chief Magistrate Senior District Judge Paul Goldspring ordered Sellafield to pay a fine of £332,500, plus prosecution costs of £53,253.20. ®

