Critical Infrastructure Security

UK Nuclear Cleanup Site Faces Criminal Cybersecurity Charges

Probe Finds 'Largest and Most Hazardous Nuclear Site' Violated Security Laws
The Sellafield Nuclear Reprocessing Plant in the United Kingdom (Image: Getty Images)

Britain's nuclear power watchdog said it plans to prosecute major waste processing site Sellafield for violating cybersecurity regulations.

Sellafield, "the largest and most hazardous nuclear site" in Britain, according to the U.K.'s Nuclear Decommissioning Authority, violated the Nuclear Industries Security Regulations law, the Office for Nuclear Regulation said after conducting an investigation.

"These charges relate to alleged IT security offences during a four-year period between 2019 and early 2023," the independent nuclear regulator said in a Thursday statement announcing the prosecution.

"There is no suggestion that public safety has been compromised as a result of these issues," the ONR said. "Given that some matters are now subject to legal proceedings, we are unable to comment further."

The first court hearing has yet to be scheduled.

Sellafield has approximately 12,000 staff and an annual budget of 2 million pounds - $2.5 billion. The site primarily processes and stores nuclear waste and handles the decommissioning of nuclear devices and infrastructure.

Earlier in the week, The Guardian reported that Richard Meal, Sellafield's CISO for the past 10 years, plans to leave his post later this year, following a similar announcement by the head of safety and security at Sellafield, Mark Neate, who in January announced that he planned to leave.

The law Sellafield allegedly violated requires individuals "to appropriately protect" classified information designated as being "sensitive nuclear information," in the interest of national security. The regulations are enforced by the ONR's Civil Nuclear Security branch on behalf of the Secretary of State for Energy and Climate Change.

The founding of Sellafield, in a remote coastal location in northwest England, dates from 1947, when the British government commissioned it to produce plutonium for the country's nuclear weapons program. Subsequently, the site helped design and build the country's first nuclear reactor, which contributed to the country's power grid until 2003, as well as recycle uranium and plutonium.

The Nuclear Decommissioning Authority, an executive nondepartmental public body created by the Energy Act 2004, estimated in 2018 that cleaning up the country's nuclear sites will take until 2120 and cost at least $153 billion, of which Sellafield is expected to account for $115 billion. The NDA said "these estimates remain highly uncertain" as it has "struggled to understand the full extent of the work necessary to clean up its most hazardous facilities."

In 2022, the government placed Sellafield into "special measures" due to repeated cybersecurity failings, The Guardian reported as part of a long-running investigation that documented not just cybersecurity shortcomings but also radioactive contamination and a "toxic" workplace culture.

The newspaper reported last December that nation-state hacking groups tied to both Russia and China had penetrated Sellafield's networks and planted "sleeper malware."

Warnings by Western governments about the use of such tactics by Beijing and Moscow have been on the increase. Last month, U.S. security agencies and their Five Eyes intelligence-sharing alliance counterparts in the United Kingdom, Canada, Australia and New Zealand warned that a Chinese hacking group with the codename Volt Typhoon had gained footholds in some victims' IT environments "for at least five years" and appeared to be "prepositioning for future disruptive or destructive attacks."

The countries warned that China-backed hackers had also exfiltrated sensitive information tied to operational technology systems, including SCADA systems and relays, and in some cases also had access to CCTV surveillance systems at critical infrastructure facilities.

The alert arrived amid rising tension between China and the West over the South China Sea, as well as Chinese President Xi Jinping having ordered his armed forces to be capable of invading Taiwan by 2027. Western observers have warned that China might attempt to crash Western critical infrastructure to slow its military's response and buy time for Beijing's ground forces to conquer Taiwan.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
