)
On October 2, 2024, the United Kingdom's Office for Nuclear Regulation (ONR) fined Sellafield Limited £332,500 for cybersecurity issues spanning four years. Sellafield, the world’s largest radioactive waste processing facility, manages the most hazardous nuclear materials. Despite this high-stake environment, Sellafield neglected to implement critical safeguards against a breach. The relatively modest fine imposed on Sellafield by the ONR belies the gravity of the cybersecurity risks that were narrowly averted. The fine should serve as a wake-up call for other nuclear facilities to prioritize cybersecurity.
Sellafield’s security failures remind us that even facilities managing high-risk materials like plutonium and uranium can overlook essential cybersecurity practices. Sellafield failed to protect its IT systems and omitted required security checks—critical oversights that persisted despite regulatory oversight.
Rising Cybersecurity Threats to Nuclear Infrastructure
Sellafield’s case is part of a broader trend. In 2023 and 2024, cyberattacks targeting critical infrastructure surged, affecting nuclear research centers, water treatment facilities, and other sectors. Intelligence from multiple online environments indicates that politically motivated activists and financially driven cybercriminals both possess the intent and the capability to breach critical infrastructure.
Threat Indicators Leading Up to the Sellafield Incident
Months before the Sellafield incident, Cybersixgill comprehensive coverage across the cyber underground identified a disturbing trend: the level of footprinting and recon activity targeting nuclear facilities is rising.
A. Nuclear Sector Threat Intelligence
Analyses of various cybercriminal forums uncovered a coordinated focus on nuclear facilities. For example, in early 2024, an active threat actor advertised data stolen from a Brazilian state-owned nuclear energy company, claiming access to 250GB of sensitive files on nuclear energy, nuclear submarines, and uranium mining. This data included technical information, operational details, and employee records.
Cross-platform monitoring showed that threat actors frequently shifted across forums to maximize visibility to potential buyers. Numerous underground forums provided evidence of the rising monetization of such data, with threat actors selling access credentials and network data for multiple nuclear facilities worldwide.
B. Direct Observations of Underground Activity
Direct observations of underground activity further underscored the escalating threat. In November 2023, a hacktivist group breached the Idaho National Laboratory (INL), a U.S. Department of Energy nuclear research facility. The attackers infiltrated INL’s Oracle HCM system, compromising personal employee data, including full names, birthdates, emails, phone numbers, and social security numbers. These hacktivists subsequently shared the leak on a cybercrime forum, where they posted samples of the complete dataset, inviting forum members to invest heavily to access it.
Although the attackers did not manage to reach or steal nuclear research data, the breach illustrated that nuclear research facilities are also high-value targets.
Across underground forums and marketplaces, the trend toward selling access credentials to nuclear facilities is unmistakable. Stolen login details and network access are frequently offered alongside detailed technical documents to verify their authenticity, reflecting the commoditization of access to nuclear institutions.
Insights from Sellafield’s Security Failures
The £332,500 fine against Sellafield results from security lapses unaddressed for years despite regulatory warnings.
A. Documented Violations
Sellafield faced three primary charges under the Nuclear Industries Security Regulations 2003:
Inadequately protecting sensitive nuclear information on its IT network, a fundamental requirement for any nuclear facility.
Failing to conduct mandatory annual security checks on operational technology systems vital to facility operations.
Neglecting required annual checks on IT systems.
The ONR reported that Sellafield was aware of these security gaps but did not take corrective action. A 2023 ONR inspection specifically warned that a ransomware attack on the facility could result in “high-hazard risks,” with potential recovery times estimated at up to 18 months.
Despite gravity of the warning, Sellafield took no meaningful corrective action, leaving its systems exposed to potential breaches.
B. Missed Prevention Opportunities
Aside from the concerning Sellafield’s security issues, interest in nuclear-specific attack steadily grew on underground forums in the months leading up to the fine. Threat actors on multiple platforms frequently discussed methods to breach into nuclear facilities. Conversations centered on vulnerabilities in industrial control systems and operational technology, the very areas where Sellafield neglected to perform annual security checks.
Threat actors shared technical documentation on security weaknesses, network architectures, and access points within nuclear facilities. There could not be clearer warnings of emerging attack methods aimed at nuclear infrastructure.
This intelligence, combined with verified breaches at other facilities, highlighted how proactive threat intelligence could have enabled Sellafield to, at a minimum, fix the vulnerabilities identified by threat actors. This could have been an efficient stop gap measure while preparing to upgrade IT and operational technology security.
Broader Lessons and Implications for Critical Infrastructure
Sellafield’s case underscores the risks of weak cybersecurity in nuclear facilities. As the potential incident was prevented, the damage to Sellafield was limited to financial and reputational damage. Yet, its broader implications signal potential vulnerabilities across critical infrastructure.
Recent cyberattacks on water treatment facilities in the U.S., from Pennsylvania to Kansas, point to an escalating trend of attackers targeting other critical infrastructures.
Even though Sellafield avoided a direct breach, its systemic security weaknesses mirror those plaguing other sectors.
In underground forums where attack methodologies for nuclear facilities are shared, there is also evidence of coordinated efforts to breach into other types of critical infrastructure, including water systems, energy grids, and industrial control networks.
In the upcoming Part 2 of this analysis, we will examine how nuclear-sector intelligence can inform security strategies for protecting critical infrastructure more broadly.
)
)
)
)