Operator of Sellafield nuclear waste site fined £332k over ‘significant shortfalls’ in cybersecurity


Public body dedicated to nuclear cleanup had previously pleaded guilty to charges of inadequate protection for sensitive material and a failure to conduct the requisite annual checks on tech systems

The public body responsible for operating the Sellafield nuclear waste-processing site has been fined hundreds of thousands of pounds over major “shortfalls” in its cybersecurity that persisted for four years.

At a hearing at Westminster Magistrates’ Court in June, Sellafield Ltd pleaded guilty to three offences following a prosecution brought by watchdog the Office for Nuclear Regulation. The charges relate to the time period from 2019 to 2023 and the offences include a lack of adequate protection for sensitive nuclear information stored on Sellafield’s systems, and a failure to conduct the necessary annual health checks on both operational technology and IT platforms.

The court convened again this week and chief magistrate senior district judge Paul Goldspring concluded that Sellafield Ltd was guilty of “medium culpability – high end” breaches of its responsibilities. The arm’s-length body was hit with a fine of £332,500 and also ordered to pay prosecution costs of £53,253.

Prior to bringing the prosecution, the ONR indicates that its inspectors assessed the nuclear waste entity’s cybersecurity set-up and found that “significant shortfalls were present for a considerable length of time… [and] Sellafield Ltd allowed this unsatisfactory performance to persist, meaning that its information technology systems were vulnerable to unauthorised access and loss of data”.


The data in question relates to the management of a site that is responsible for “managing more radioactive waste in one place than any other nuclear facility in the world, [where] work includes a wide range of high-hazard nuclear activities such as the retrieval of nuclear waste, fuel and sludge from legacy ponds and silos, the storage of special nuclear materials including plutonium and uranium, spent nuclear fuel management and the remediation of hundreds of facilities across the site”.

Paul Fyfe, ONR’s senior director of regulation, said that the watchdog “welcomes Sellafield Ltd’s guilty pleas” in relation to its cyber failings.

“It has been accepted the company’s ability to comply with certain obligations under the Nuclear Industries Security Regulations 2003 during a period of four years was poor,” he added. “Failings were known about for a considerable length of time but, despite our interventions and guidance, Sellafield failed to respond effectively, which left it vulnerable to security breaches and its systems being compromised. Nevertheless, with new leadership and additional resources in place at Sellafield Ltd, we have seen positive improvements during the last year, and evidence the senior leadership is now giving cyber security the level of attention and focus it requires. We will continue to apply robust regulatory scrutiny where necessary to ensure all risks, including cyber security, are effectively managed by the nuclear industry.”

Based on the Cumbrian coast, the Sellafield site occupies about two square miles and began operating shortly after the Second World War. From 1956 until 2003, the facility generated nuclear power. For almost 20 years thereafter it reprocessed nuclear fuel but, since 2022, it has been dedicated to the processing of nuclear waste and conducting the safe decommissioning of nuclear facilities – a process which is expected to take until 2040.

Sellafield Ltd is owned by the government and its work is directed by the Nuclear Decommissioning Authority, an executive agency which operates under the sponsorship of the Department for Energy Security and Net Zero.

In response to the court’s punishment, a spokesperson for Sellafield Ltd said: “We take cybersecurity extremely seriously at Sellafield, as reflected in our guilty pleas. The charges relate to historical offences and there is no suggestion that public safety was compromised. Sellafield has not been subjected to a successful cyberattack. We’ve already made significant improvements to our systems, network, and structures to ensure we are better protected and more resilient. The cyberthreat is continually evolving, and we will continue to work with the regulator to ensure we meet the high standards rightly required of us.”

Sam Trendall
