Sellafield pleads guilty to criminal charges over cyber security

The Sellafield nuclear waste site has pleaded guilty to criminal charges brought by the industry regulator, admitting to significant cyber security failings over a four-year period that put sensitive information at risk.

Lawyers acting for the state-owned Sellafield Ltd – which is working on behalf of the Nuclear Decommissioning Authority (NDA) to manage the Sellafield nuclear waste facility in Cumbria – pleaded guilty to all three charges brought by the Office for Nuclear Regulation (ONR), telling a London magistrates’ court that while the organisation “had in place systems of cyber security, those systems were not sufficiently adhered to for a period”.

One of the criminal charges revolved around Sellafield’s failure to “ensure that there was adequate protection of sensitive nuclear information on its information technology network”, while the other two related to failures to conduct “annual health checks” of its IT systems.

This sensitive data can include the movement of nuclear inventory, waste management, planning information and services provided to Sellafield by contractors.

However, Sellafield’s lawyers also said “it is important to emphasise there was not and has never been a successful cyber attack on [the facility]”, before noting that the offences are “historical … [and] do not reflect the current position”.

The ONR was also clear in its own statement about the guilty pleas that “these charges relate to historic offences and there is no evidence that any vulnerabilities were exploited”.

Sentencing will now take place on 8 August, and will mark the first prosecution brought by the ONS since the Nuclear Industries Security Regulations that were introduced in 2003.

A spokesperson for Sellafield said: “We have pleaded guilty to all charges and cooperated fully with ONR throughout this process. The charges relate to historic offences and there is no suggestion that public safety was compromised.

“As the issue remains the subject of active court proceedings, we are unable to comment further.”

The Guardian reported in December 2023 that the nuclear site’s systems had been hacked by groups linked to Russia and China as far back as 2015, which allegedly embedded sleeper malware in the network.

It also accused Sellafield of a consistent cover-up of the intrusions, which supposedly dated to 2015, and alleged that the extent of the breach only came to light when workers at other sites discovered they could remotely access Sellafield’s systems.

An insider at the site described Sellafield’s network as “fundamentally insecure” and drew attention to various concerns, including the use of USB memory sticks by third-party contractors and an incident in which a visiting BBC camera crew accidentally filmed and broadcast user credentials. So severe were some of the failings that they were supposedly nicknamed “Voldemort”.

Sellafield said at the time it did not have evidence of a successful cyber attack, and has strenuously denied the allegations.