UK nuclear site Sellafield fined $440,000 for cybersecurity shortfalls

Image: Sellafield nuclear power station and reprocessing plant (Steve_Allen)

Nuclear waste processing facility Sellafield has been fined £332,500 ($440k) by the Office for Nuclear Regulation (ONR) for failing to adhere to cybersecurity standards and putting sensitive nuclear information at risk over four years, from 2019 to 2023.

According to the ONR announcement, Sellafield did not comply with its own approved cybersecurity protocols, leaving multiple vulnerabilities in its IT systems unpatched, in violation of the Nuclear Industries Security Regulations 2003.

Although no exploitation has occurred, the weaknesses exposed the facility to risks such as ransomware, phishing, and potential data loss, which could disrupt high-hazard operations and delay decommissioning work.

A disaster waiting to happen

Sellafield is one of Europe's largest nuclear facilities, located in Cumbria, UK. It plays a significant role in managing and processing radioactive materials, handling more nuclear waste in a single location than any other facility worldwide.

The site is involved in retrieving nuclear waste, fuel, and sludge from legacy ponds and silos, storing radioactive materials such as plutonium and uranium, managing spent nuclear fuel rods, and remediating and decommissioning nuclear facilities.

Sellafield is a critical part of the UK's nuclear waste management system, so the security of its IT systems is vital to ensuring safe operations.

Last year, a series of investigations by The Guardian into Sellafield's cybersecurity drew attention to several severe issues, revealing that contractors had easy access to critical systems where they could, among other things, plug in USB drives.

Additionally, known vulnerabilities across the facility were so widespread that people working there gave the site the nickname "Voldemort".

An audit by French security firm Atos found that roughly 75% of Sellafield's servers were vulnerable to attacks with potentially catastrophic consequences.

The nuclear site's operators pleaded guilty in June 2024 to failing to comply with standard IT security regulations.

ONR fines Sellafield but confirms no breach

ONR investigated these reports, and while it confirmed that Sellafield did not abide by the cybersecurity standards that underpin the operation of such sites in the UK, it says it found no evidence that the vulnerabilities were leveraged in attacks.

This contrasts with earlier press reports that Russian and Chinese hackers allegedly planted malware at the site, and that security breaches occurred as far back as 2015.

“An investigation by ONR […] found that Sellafield Ltd failed to meet the standards, procedures and arrangements, set out in its own approved plan for cyber security and for protecting sensitive nuclear information,” reads ONR’s announcement.

“Significant shortfalls were present for a considerable length of time. It was found that Sellafield Ltd allowed this unsatisfactory performance to persist, meaning that its information technology systems were vulnerable to unauthorized access and loss of data.”

“However, there is no evidence that any vulnerabilities at Sellafield Ltd have been exploited as a result of the identified failings.”

Inspections conducted by the ONR at Sellafield found that a successful ransomware attack could derail normal operations at the nuclear site for up to 18 months.

Sellafield has replaced key people in senior leadership and IT management over the past year to implement plans to remediate the cybersecurity risks as soon as possible. Good progress has been made on that front, according to ONR.
