Sellafield whistleblower ordered to pay costs after email tampering claims

The Sellafield nuclear waste site has pleaded guilty to criminal charges brought by the industry regulator, admitting to significant cyber security failings over a four-year period that put sensitive information at risk.

Lawyers acting for the state-owned Sellafield Ltd – which is working on behalf of the Nuclear Decommissioning Authority (NDA) to manage the Sellafield nuclear waste facility in Cumbria – pleaded guilty to all three charges brought by the Office for Nuclear Regulation (ONR), telling a London magistrates’ court that while the organisation “had in place systems of cyber security, those systems were not sufficiently adhered to for a period”.

One of the criminal charges revolved around Sellafield’s failure to “ensure that there was adequate protection of sensitive nuclear information on its information technology network”, while the other two related to failures to conduct “annual health checks” of its IT systems.

This sensitive data can include the movement of nuclear inventory, waste management, planning information and services provided to Sellafield by contractors.

However, Sellafield’s lawyers also said “it is important to emphasise there was not and has never been a successful cyber attack on [the facility]”, before noting that the offences are “historical … [and] do not reflect the current position”.

The ONR was also clear in its own statement about the guilty pleas that “these charges relate to historic offences and there is no evidence that any vulnerabilities were exploited”.

Sentencing will now take place on 8 August, and will mark the first prosecution brought by the ONS since the Nuclear Industries Security Regulations that were introduced in 2003.

A spokesperson for Sellafield said: “We have pleaded guilty to all charges and cooperated fully with ONR throughout this process. The charges relate to historic offences and there is no suggestion that public safety was compromised.

“As the issue remains the subject of active court proceedings, we are unable to comment further.”

The Guardian reported in December 2023 that the nuclear site’s systems had been hacked by groups linked to Russia and China as far back as 2015, which allegedly embedded sleeper malware in the network.

It also accused Sellafield of a consistent cover-up of the intrusions, which supposedly dated to 2015, and alleged that the extent of the breach only came to light when workers at other sites discovered they could remotely access Sellafield’s systems.

An insider at the site described Sellafield’s network as “fundamentally insecure” and drew attention to various concerns, including the use of USB memory sticks by third-party contractors and an incident in which a visiting BBC camera crew accidentally filmed and broadcast user credentials. So severe were some of the failings that they were supposedly nicknamed “Voldemort”.

Sellafield said at the time it did not have evidence of a successful cyber attack, and has strenuously denied the allegations.

Achilles heel

A local council source also previously told Computer Weekly that Copeland and Cumberland councils – two local authorities that hold and manage a range of data related to Sellafield – are an “Achilles heel” for the nuclear facility, after senior managers acknowledged in October 2023 that they “still don’t know what was lost” in a separate 2017 cyber attack.

A spokesperson for Sellafield and the NDA told Computer Weekly that neither body, to its knowledge, has shared any information classified as Sensitive Nuclear Information with Copeland Borough Council.

The spokesperson said: “As part of the UK civil nuclear sector, we are subject to a strong nuclear safety and security regulatory scheme, which requires us to meet robust legal and national security requirements.

“We have no reason to believe any data related to the NDA or Sellafield was compromised in the 2017 Copeland Borough Council cyber incident.”