Britain’s largest nuclear plant operator has apologised after admitting to a series of cyber security failings that could have jeopardised national security.

Sellafield, a government-owned facility which is home to the largest store of plutonium in the world, left sensitive information exposed to foreign hackers for four years. The case has raised questions about UK’s nuclear safety protocols.

The nuclear waste management firm appeared in a sentencing hearing on 8^th August to face charges brought by the Office for Nuclear Regulation (ONR). An investigation by the ONR revealed cyber security failings at the site between 2019 and 2023.

The ONR described Sellafield as “one of the most complex and hazardous nuclear sites in the world,” highlighting the critical nature of its infrastructure and the consequences that could arise from a cyber attack, including theft of sensitive information or catastrophic damage.

The Guardian’s Nuclear Leaks investigation, which first revealed Sellafield’s lax approach to cyber security, found that 75% of Sellafield’s computer servers were vulnerable to cyber attacks, leaving the site open to exploitation by hostile actors.

The Guardian also reported that Sellafield has been hacked by groups linked to both China and Russia, but this claim was denied by the nuclear firm.

A Sellafield spokesperson said: “We take cybersecurity extremely seriously at Sellafield, as reflected in our guilty pleas. The charges relate to historic offences and there is no suggestion that public safety was compromised.

“Sellafield has not been subjected to a successful cyber-attack or suffered any loss of sensitive nuclear information,” they added.

As the UK government accelerates its plans for a nuclear energy renaissance through the Great British Energy bill, experts warn that cyber security must be top priority.

Marion Messmer, senior research fellow at Chatham House stated: “While the renewed and more energetic focus on nuclear energy is good news for UK industry, the cybersecurity of the UK’s nuclear energy industry has been called into question.” She said that these concerns have been highlighted by repeated gaps found during inspections at the Sellafield site.

Although the government published a “Civil Nuclear Cybersecurity Strategy” in 2022, Messmer explained its full implementation is delayed until 2026-27, leaving the sector exposed to increasing cyber threats.

“While the UK has a cybersecurity strategy in place, its implementation needs to be accelerated to address the growing threat landscape,” said Messmer.

Messmer outlined three key priorities for the UK government:

• Speed up implementation of the cyber security strategy: Prioritise improving incident response exercises and leveraging expertise from other sectors and international partners.
• Prioritise cyber security in small modular reactor (SMR) development: Position the UK as a global leader in cybersecurity by design for SMRs.
• Integrate nuclear cyber security with broader government efforts: Align cyber security measures for the nuclear sector with the upcoming cyber security and resilience bill, creating a more comprehensive approach.

Messmer said that the UK is not the only state struggling with the cyber security of critical national infrastructure.

“This is now a global issue with several critical sectors, including health services and energy providers, being identified as priority targets,” she stated.

Sellafield is expected to be sentenced in September and has previously agreed to cover legal costs of £53,000.

ONR said: “Sellafield Ltd had previously pleaded guilty to those offences in June, and while a hearing did take place today, Chief Magistrate Senior District Judge Paul Goldspring did not pass sentence.