The overarching framework is set out in the Civil Nuclear Cyber Security Strategy 2022. This strategy aims to strengthen the cybersecurity posture of the U.K. civil nuclear sector over five years. It focuses on four key objectives:
Risk Management: Prioritizing cybersecurity as part of a holistic risk management approach.
Risk Mitigation: Proactively addressing cyber risks, including those from legacy systems and new technologies.
Incident Management: Enhancing resilience by preparing for and responding to cyber incidents collaboratively.
Culture and Skills: Promoting a positive security culture and developing cyber skills within the sector.
Underpinning this strategy is an overlapping (and growing) regime of cybersecurity laws:
The Nuclear Industries Security Regulations 2003 (“the NISR”) governs a wide range of security issues, including obligations to ensure that “sensitive nuclear information” is kept secure.
The Network and Information Security Regulations (“NIS 1”) designates nuclear sites as critical infrastructure and imposes an obligation to implement “appropriate technical and operational measures” to protect IT systems and to ensure continuity of service.
Whilst these regimes have been in place for some time, regulators have recently stepped up enforcement to ensure compliance with these laws, as evidenced by the recent prosecution of Sellafield.
The Sellafield Case
Sellafield Ltd, the company licensed to operate the Sellafield nuclear decommissioning and waste site, received a fine in October 2024 of £332,500 after pleading guilty to three offences relating to inadequate cybersecurity controls and procedures that it had in place across a four-year period.
The prosecution was brought by the U.K.’s independent nuclear regulator (the Office for Nuclear Regulation (“ONR”)) following its investigation where it had identified that Sellafield Ltd had failed to meet the requisite standards, procedures and arrangements set out in its own approved plan for cybersecurity as required under the NISR.
The ONR’s case was not brought on the basis that there had been an actual exploitation of the security failings (seemingly because there was a lack of evidence that attacks had been successful, rather than conclusive proof that the attacks were stopped). The basis of the prosecution was Sellafield’s unsatisfactory performance in relation to the management of its IT systems: had the vulnerabilities been exploited by attackers, they could have led to unauthorised access to critical systems and loss of key data, resulting in disrupted operations, damaged facilities and the delay of important decommissioning activities. In particular, Sellafield failed to comply with its own cybersecurity plan and failed to undertake annual checks on the security of its operational and information technology systems.
Following its guilty plea to three offences under the NISR, Sellafield Ltd was ordered to pay a fine of £332,500, along with prosecution costs of £53,253.20. Despite the successful prosecution, the ONR has reported that the cybersecurity failings have yet to be fixed and are subject to ongoing required improvements.
Going forward, the U.K. legal regime is only going to get stronger. The Government has announced that it plans to introduce a new Cyber Security and Resilience Bill which intends to strengthen the U.K.’s operational resilience to cyber threats by, amongst other things:
Updating the existing (NIS 1) regime to ensure that more essential services are protected, including by increasing the scope of digital services and supply chains within the regime;
Increasing regulators’ powers through introducing new cost recovery mechanisms and the ability to proactively investigate potential vulnerabilities (similar to the U.S.’s 2022 update to inspection procedure 71130); and
Expanding reporting requirements.
It is worth noting that the European Union’s transition from NIS 1 to NIS 2 demonstrates a strengthened approach to cybersecurity, featuring expanded scope, more detailed requirements, and enhanced enforcement measures. This update emphasizes the EU’s dedication to protecting critical infrastructure and extends security obligations to equipment suppliers and service providers. The U.K. Government is likely to use NIS 2 as a model when developing its own Cyber Security and Resilience Bill.