
Nuclear waste processing facility Sellafield has been fined £332,500 ($440k) by the Office for Nuclear Regulation (ONR) for failing to adhere to cybersecurity standards and putting sensitive nuclear information at risk over four years, from 2019 to 2023.
According to the ONR announcement, Sellafield failed to follow its own approved cybersecurity protocols, leaving multiple vulnerabilities in its IT systems unpatched, in violation of the Nuclear Industries Security Regulations 2003.
Although no exploitation has occurred, the weaknesses exposed the facility to risks such as ransomware, phishing, and potential data loss, which could disrupt high-hazard operations and delay decommissioning work.
A disaster waiting to happen
Sellafield is one of Europe’s largest nuclear facilities, located in Cumbria, UK. It plays a major role in managing and processing radioactive materials, handling more nuclear waste in a single location than any other facility worldwide.
The site is involved in retrieving nuclear waste, fuel, and sludge from legacy ponds and silos, storing radioactive materials such as plutonium and uranium, managing spent nuclear fuel rods, and remediating and decommissioning nuclear facilities.
Sellafield is a critical component of the UK’s nuclear waste management system, so the security of its IT systems is vital to ensuring safe operations.
Last year, a series of investigations by The Guardian into Sellafield’s cybersecurity drew attention to several severe issues, revealing that contractors had easy access to critical systems where they could, among other things, plug in USB drives.
Moreover, known vulnerabilities abounded across the facility, earning the site the nickname “Voldemort” among the people working there.
An audit by French security firm Atos revealed that roughly 75% of Sellafield’s servers were vulnerable to attacks with potentially catastrophic consequences.
The nuclear site’s operators pleaded guilty in June 2024 to failing to comply with standard IT security regulations.
ONR fines Sellafield but confirms no breach
ONR investigated these reports, and while it confirmed that Sellafield failed to abide by the cybersecurity standards that underpin the operation of such sites in the UK, it says it found no evidence that the vulnerabilities were leveraged in attacks.
This contrasts with earlier press reports that Russian and Chinese hackers allegedly planted malware at the site, and that security breaches occurred as far back as 2015.
“An investigation by ONR […] found that Sellafield Ltd failed to meet the standards, procedures and arrangements, set out in its own approved plan for cyber security and for protecting sensitive nuclear information,” reads ONR’s announcement.
“Significant shortfalls were present for a considerable length of time. It was found that Sellafield Ltd allowed this unsatisfactory performance to persist, meaning that its information technology systems were vulnerable to unauthorised access and loss of data.”
“However, there is no evidence that any vulnerabilities at Sellafield Ltd have been exploited as a result of the identified failings.”
Inspections carried out by the ONR at Sellafield revealed that a successful ransomware attack could derail normal operations at the nuclear site for up to 18 months.
Sellafield has replaced key people in senior leadership and IT management over the past year to implement plans to remediate the cybersecurity risks as soon as possible. Good progress has been seen on that front, according to ONR.