A former Royal Air Force officer who has led Sellafield’s information security for more than a decade is to leave the vast nuclear waste site in north-west England, it can be revealed.
Richard Meal, who is chief information security officer at the Cumbrian site, is to leave later this year.
Meal will be the second senior leader to depart the organisation this year, after the top director responsible for safety and security – Mark Neate – announced in January that he planned to leave.
His imminent departure follows several safety and cybersecurity failings, as well as claims of a “toxic” working culture, that were revealed in Nuclear Leaks, a year-long Guardian investigation into Sellafield, late last year. Sellafield denied Meal’s departure was linked to the revelations.
Sellafield, which has more than 11,000 staff, was placed into a form of “special measures” in 2022 for consistent failings on cybersecurity, according to sources at the Office for Nuclear Regulation (ONR) and the security services.
Sellafield said it did not have evidence of a successful cyber-attack after the Guardian revealed that groups linked to Russia and China had penetrated its networks.
Meal joined Sellafield, the nuclear waste and decommissioning site in Cumbria that is also the world’s largest store of plutonium, in late 2013. In his early career, he spent nearly two decades in the Royal Air Force in security positions until 2005. He then held a string of consultancy roles, including at industry giant KPMG.
In 2016, Meal told Sellafield’s in-house magazine that the cost of getting cybersecurity measures wrong was “huge”. “From a financial level, the cost of returning a plant to service if it was shut down could be in the millions of pounds. That’s before you consider the operational impact on delivering our mission, and the need to manage safety and reputational issues,” he said.
Last year, Meal was appointed to the North West Cyber Resilience Centre’s guidance council, which helps businesses across the region protect themselves against the threat of cybercrime. It is chaired by Andrew Snowden, the police and crime commissioner for Lancashire.
In response to the Guardian’s investigation, the energy secretary, Claire Coutinho, said the reports were “deeply concerning” and wrote to the Nuclear Decommissioning Authority (NDA), the state-owned body that ultimately runs Sellafield, demanding a “full explanation”.
In his response, the NDA’s chief executive, David Peattie, said there had been “necessary changes to the leadership, governance, and risk management of cyber” and responsibility for its cyber function had been moved. A new head of cybersecurity took up the role in January. Sellafield declined to name the new appointee.
On announcing his departure, Neate said that he had decided last year “that 2024 was the right time for me to move on”. He will be replaced this week by the current head of the site’s “spent fuel management value stream”, James Millington, on an interim basis.
Separately, Nic Westcott, the former Openreach and Severn Trent executive, was seconded from Nuclear Waste Services in January as interim chief people officer.
In its latest annual report, the ONR stated that “improvements are required” from Sellafield and other sites in order to address cybersecurity risks. It also confirmed that the site was in “significantly enhanced attention” for this activity.
A spokesperson for Sellafield said: “We take cybersecurity extremely seriously at Sellafield. We work with our regulators to continuously review and improve where required.”
The spokesperson denied Meal’s departure was linked to the Guardian’s revelations and said the disclosures had not been investigated. “We have not initiated or conducted an investigation nor have we made any personnel changes as a result of the Guardian’s allegations.”
Britain’s public spending watchdog, the National Audit Office, last month launched an investigation into risks and costs at Sellafield.
The Nuclear Leaks series detailed concerns over cracks in the concrete and asphalt skin of a toxic point known as the First Generation Magnox storage pond or informally as “Dirty 30”. This week, Sellafield said that the building had been “prioritised for cleanup” by the NDA and that the first “zeolite skip” – containers used to absorb radiation in the 1970s and 1980s – had been removed and placed in a shielded box.
Separately, Sellafield released its gender pay report for the year to 5 April 2023, which showed the median gender pay gap had risen to 13.7% from 11.3% a year earlier. The proportion of women in the upper quartile of its pay scale was static, at 18%.
Sellafield issued a range of responses to the Guardian’s initial reports into its cybersecurity, safety and cultural issues, which it published online.