Sellafield & Cybersecurity

Real-world examples from both the U.S. and U.K. demonstrate that nuclear facilities are being targeted by sophisticated cyber attackers, including state actors. This isn’t just a theoretical risk—it’s happening now, and facilities must take it seriously. The successful prosecution of Sellafield with significant fines (£332,500) shows that regulators are now willing to take strong enforcement action, even when no actual breach has occurred. Nuclear facilities cannot afford wait for an incident before improving their cybersecurity—they must be proactive. With both the U.S. and U.K. strengthening their regulatory frameworks and increasing enforcement powers, nuclear facilities should take steps now to review and upgrade cybersecurity measures. This includes not just updating technical controls, but also ensuring compliance with security plans, auditing systems, and maintaining proper documentation. National security regulators are particularly concerned about the vulnerabilities of nuclear facilities to cyberattacks. In March 2022, the U.S. Justice Department unsealed criminal indictments against four agents of the Russian government, charging them with offenses related to cyber “spearfishing attacks” which compromised the business network of the Wolf Creek Nuclear Operating Corporation (WCNOC) in Burlington, Kansas. Also of note is the October 2024 prosecution and conviction of Sellafield Ltd in the U.K. for three offenses involving inadequate cybersecurity controls. In that case, the company (rather than the hacker) was charged by the Office for Nuclear Regulation (ONR) for failing to protect sensitive nuclear information and for failure to follow its own cybersecurity plan between 2019 and 2023. Fortunately, the nuclear facilities in both cases were not materially compromised in these attacks. The targeting of nuclear facility operators demonstrated that malicious actors intended to exploit cyber vulnerabilities within the nuclear industry.