A former Royal Air Force officer who has led Sellafield’s information security for more than a decade is to leave the vast nuclear waste site in north-west England, it can be revealed.
Richard Meal, who is chief information security officer at the Cumbrian site, is to leave later this year.
Meal will be the second senior leader to depart the organisation this year, after the top director responsible for safety and security – Mark Neate – announced in January that he planned to leave.
His imminent departure follows several safety and cybersecurity failings, as well as claims of a “toxic” working culture, that were revealed in Nuclear Leaks, a year-long Guardian investigation into Sellafield, late last year. Sellafield said no staff departures were linked to the revelations.
Sellafield, which has more than 11,000 staff, was placed into a form of “special measures” in 2022 for consistent failings on cybersecurity, according to sources at the Office for Nuclear Regulation (ONR) and the security services.
Sellafield said it did not have evidence of a successful cyber-attack after the Guardian revealed that groups linked to Russia and China had penetrated its networks.
Meal joined Sellafield, the nuclear waste and decommissioning site in Cumbria that is also the world’s largest store of plutonium, in late 2013. In his early career, he spent nearly two decades in the Royal Air Force in security positions until 2005. He then held a string of consultancy roles, including at industry giant KPMG.
In 2016, Meal told Sellafield’s in-house magazine that the cost of getting cybersecurity measures wrong was “huge”. “From a financial level, the cost of returning a plant to service if it was shut down could be in the millions of pounds. That’s before you consider the operational impact on delivering our mission, and the need to manage safety and reputational issues,” he said.
Last year, Meal was appointed to the North West Cyber Resilience Centre’s guidance council, which helps businesses across the region protect themselves against the threat of cybercrime. It is chaired by Andrew Snowden, the police and crime commissioner for Lancashire.
In response to the Guardian’s investigation, the energy secretary, Claire Coutinho, said the reports were “deeply concerning” and wrote to the Nuclear Decommissioning Authority (NDA), the state-owned body that ultimately runs Sellafield, demanding a “full explanation”.
In his response, the NDA’s chief executive, David Peattie, said there had been “necessary changes to the leadership, governance, and risk management of cyber” and responsibility for its cyber function had been moved. A new head of cybersecurity took up the role in January. Sellafield declined to name the new appointee.
On announcing his departure, Neate said that he had decided last year “that 2024 was the right time for me to move on”. He will be replaced this week by the current head of the site’s “spent fuel management value stream”, James Millington, on an interim basis.
Separately, Nic Westcott, the former Openreach and Severn Trent executive, was seconded from Nuclear Waste Services in January as interim chief people officer.
In its latest annual report, the ONR stated that “improvements are required” from Sellafield and other sites in order to address cybersecurity risks. It also confirmed that the site was in “significantly enhanced attention” for this activity.