Sellafield has apologised after pleading guilty to criminal charges related to significant cybersecurity failings that 'potentially endangered national security'.
The charges, brought by the Office for Nuclear Regulation (ONR), cover a four-year period from 2019 to 2023 and were heard in Westminster Magistrates Court.
According to The Guardian newspaper, the court heard that three-quarters of Sellafield’s servers were vulnerable to cyberattacks, leaving the world’s largest store of plutonium exposed to potential threats.
The ONR revealed that sensitive nuclear information (SNI) had been left at risk due to outdated technology, including the use of Windows 7 and Windows 2008.
It was also discovered that critical IT health checks, which Sellafield claimed were being performed, were not conducted.
A report by external IT firm Commissum found that even a 'reasonably skilled hacker' could have accessed and compromised sensitive data.
Sellafield CEO Euan Hutton apologised in a written statement, asserting that the company has since addressed these issues.
Mr Hutton said: “I genuinely believe that the issues which led to this prosecution are in the past.”
Sellafield said it's implemented changes, including overhauling IT management and establishing a secure data centre.
During the hearing, it was disclosed that a subcontractor mistakenly received 4,000 files, 13 of which were classified as 'official/sensitive', without triggering any alarms.
Despite these lapses, Sellafield maintains that no successful cyberattacks or loss of sensitive nuclear information occurred.
A Sellafield spokesperson said: "We take cyber security extremely seriously at Sellafield, as reflected in our guilty pleas.
"The charges relate to historic offences and there is no suggestion that public safety was compromised.
"Sellafield has not been subjected to a successful cyber-attack or suffered any loss of sensitive nuclear information.
"We’ve already made significant improvements to our systems, network, and structures to ensure we are better protected and more resilient.
"As the issue remains the subject of active court proceedings, we are unable to comment further."
Chief Magistrate Paul Goldspring is expected to deliver a final sentencing in September. Sellafield has agreed to pay £53,000 in legal costs.
The case marks the first time a nuclear site has been prosecuted for cybersecurity offences.
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules hereLast Updated:
Report this comment Cancel