The UK's nuclear safety regulator is pursuing legal action against Sellafield Ltd., the company managing the Sellafield nuclear site, for alleged breaches of cybersecurity regulations spanning four years, from 2019 to early 2023. It remains uncertain whether senior managers will face charges, but individuals convicted under the Nuclear Industries Security Regulations 2003 could face up to two years' imprisonment. The regulator emphasized that public safety has not been compromised; the legal proceedings were initiated following an investigation into the site's cybersecurity failings.
Enhanced regulatory scrutiny over Sellafield's cybersecurity lapses was disclosed in the UK chief nuclear inspector's annual report last year, alongside similar measures imposed on EDF, the operator of several British nuclear power plants. The National Cyber Security Centre (NCSC) threat assessment identifies ransomware as the primary disruptive threat, with potential knock-on risks to operational technology (OT) systems in nuclear facilities. Even where industrial control systems are designed to fail safe, a ransomware attack on a plant's corporate IT systems can still disrupt operations, since the operator may have to halt or curtail activity while the IT estate is recovered and the boundary between IT and OT is confirmed intact.
Although Sellafield's nuclear reactors ceased operation in 2003, it remains Europe's largest nuclear site, housing vast quantities of plutonium together with facilities for nuclear decommissioning, waste processing, and storage. Even without an operational reactor, the complexity and hazardous nature of the site mean that a cybersecurity incident could have serious consequences. Cyberattacks targeting operational technology systems in power plants are uncommon, but the possibility of such incidents is precisely why robust cybersecurity measures are required to mitigate risk in critical infrastructure.