The UK nuclear industry regulator has taken Sellafield, the world’s largest store of plutonium, out of special measures for its physical security – but said concerns remained over its cybersecurity.
Guarding arrangements at the vast nuclear waste dump in Cumbria have improved enough to allow for routine inspections from the Office for Nuclear Regulation (ONR), rather than requiring “enhanced regulatory oversight”.
In 2023, the Guardian’s Nuclear Leaks investigation revealed a string of safety concerns at the site – from issues with alarm systems to problems staffing safety roles at its toxic ponds – as well as cybersecurity failings, radioactive contamination and allegations of a toxic workplace culture.
The top director responsible for safety and security at Sellafield, Mark Neate, left the company early last year.
The site in north-west England stores and treats decades of nuclear waste from atomic power generation and weapons programmes and is expected to cost £136bn to clean up.
The watchdog said on Wednesday that the state-owned site had now demonstrated “significant and sustained security improvements” – enough to allow for it to be placed on a less severe regulatory regime after two years of frequent checks.
Gary Wilkinson, the head of security and resilience for Sellafield, said the step was “a significant achievement and has been a big team effort across the company”.
However, the regulator added that there were still outstanding concerns over how cybersecurity is managed at the nuclear waste dump, which is part of the UK’s critical infrastructure. It remains “in significantly enhanced attention for cybersecurity and collaborative work is ongoing to achieve the required improvements in this area”, the ONR said.
Last year, Sellafield was ordered to pay almost £400,000 after it pleaded guilty to criminal charges over years of cybersecurity failings and made a formal apology to the court.
The Guardian reported that the site’s systems had been hacked by groups linked to Russia and China, embedding sleeper malware that could lurk and be used to spy or attack systems.
Sellafield has consistently maintained that it was not subjected to a “successful” cyber-attack.
Paul Goldspring, the chief magistrate who ordered Sellafield to pay the fine, said in October’s sentencing that the prosecution did not offer evidence of a successful cyber-attack, even if it asserted that it was impossible for Sellafield to prove that the nuclear site had not been “effectively attacked”.
As a result, the court could only sentence Sellafield on the basis that there was no evidence of “actual” harm arising from any attacks.
Lord Hunt, the minister for energy security and net zero, said of the physical security improvements at Sellafield: “This is an example of our world-class nuclear regulator working with industry to raise safety and security standards.
“There’s still more to do, but this shows that Sellafield is moving in the right direction. Managing the nation’s nuclear legacy remains a priority, and we will continue to support Sellafield in delivering this vital mission.”
Wilkinson said that an action plan over “many months” had allowed the company to improve the ONR’s confidence in its physical security.
Sellafield declined to comment on its cybersecurity.
