The Royal Institute of International Affairs (a UK policy institute colloquially known as ‘Chatham House’) has described the nuclear industry’s status on cybersecurity as “playing catch-up”. It has warned that “the nature of licensing systems for nuclear operators means that long periods of risky working practices are often tolerated”. As an example, it highlighted the UK’s Sellafield fuel cycle site, which pleaded guilty in June 2024 to criminal charges that related to gaps in its cybersecurity between 2019 and 2023. The site had been repeatedly flagged in inspections by the UK Office for Nuclear Regulation (ONR), which warned it would apply ‘enhanced regulatory attention’ to cybersecurity practices.

The Royal Institute of International Affairs (RIIA) warning came in a report, ‘Cybersecurity of the civil nuclear sector’, that considered the threat landscape and the international legal framework for cybersecurity as it applies to the nuclear industry. The group examined the issue because it saw the civil nuclear industry expanding worldwide at the same time as cyber threats are evolving, and because cyber operations targeting civil nuclear systems have been reported worldwide.

The report says there is “only a small possibility” that a cyber operation would cause loss of control over a nuclear reactor to the point of meltdown or a significant release of radiation, because nuclear’s ‘defence in depth’ approach means there are layers of protection and multiple redundancies, such as back-ups for cooling. Instead, RIIA focused on wider concerns. It listed potential harms from any type of cyberattack on nuclear, including information theft, equipment malfunction, disruption of energy supplies, environmental damage and health impacts.

Disrupted supply is a key concern based on nuclear’s function in the electricity system, because a cyberattack on nuclear has the potential to disrupt the electricity grid, affecting all system users and services (such as healthcare) important to life. The disruption may follow from nuclear’s role in providing ‘baseload’ power, which means that if it is shut down there may be power cuts. A further role not highlighted in the report is that nuclear (like other generating plant with rotating machinery) plays an important part in maintaining system inertia, helping keep electricity supply within frequency and voltage limits; so if a nuclear plant is out of action the grid supply is less stable and users may experience blackouts even if there is sufficient power available.

Playing catch-up

RIIA says that the nuclear sector lacks a comprehensive understanding of the threat landscape around cybersecurity and effective resilience strategies.

Vulnerabilities arise from technical and non-technical factors, including the use of older software, personnel being targeted and the lack of sufficient sector-wide awareness and collaboration. Cyber incidents can also occur accidentally as a result of existing vulnerabilities in commercial software. These vulnerabilities include: entry points such as inadequate IT infrastructure maintenance; missing patches and updates; unsafe working practices such as connection to unprotected networks; the use of portable storage devices; legacy systems; and inadequate data protection. The report says, “this range of potential threats makes it doubly essential to ensure fundamentally secure working practices, as it is very difficult to identify and protect against every individual vulnerability”.

Above: Cyber vulnerabilities for nuclear include entry points such as inadequate IT infrastructure maintenance; missing patches and updates; unsafe working practices such as connection to unprotected networks, and the use of portable storage devices

The authors say “the nuclear industry was a comparatively late starter” on cybersecurity, compared with other industries associated with critical national infrastructure or sectors such as finance. They add that “the nuclear industry’s strong pre-existing physical security, and its use of bespoke or uncommon industrial control software, meant that there was a sense within the sector that all aspects of security were sufficiently covered.” That sense has gone: more systems in nuclear power plants have acquired digital elements, including commercial off-the-shelf software solutions, and more cyber vulnerabilities have been introduced as a result. This has increasingly left systems and facilities open to attack and, “in some respects, the civil nuclear industry is thus still playing catch-up”.

The group also says that another challenge to realising cybersecurity is that the nuclear industry is isolated from other sectors. It is therefore difficult to exchange experiences of best practice with other industries; instead the exchange is “ad hoc, often informal, and largely based on the personal drive and networks of individuals in cybersecurity roles”. The industry is not transparent about incidents, because it is concerned about revealing information about vulnerabilities and equally concerned about public perception if vulnerabilities are revealed. Regulators typically discuss cybersecurity gaps only with specific operators rather than sharing concerns more widely. The report says, “the nuclear industry’s preoccupation with perceptions can get in the way of transparency, even though stronger disclosures would help to bolster confidence in the safety of working practices”.

The report praises the IAEA’s work to standardise and improve cybersecurity guidance. But it says gaps remain in risk mitigation that cannot be easily closed. Governments have limited ability to enforce cybersecurity standards: “In particular, efforts to ensure private operators meet cybersecurity standards are often ineffective or inefficient, resulting in delays, slow progress and inconsistencies between operators,” the report says. The licensing systems for nuclear operators also mean long periods of risky working practices are often tolerated.

The advent of small modular reactors (SMRs) and microreactors will further alter the risk landscape. Some changes will reduce risk: for example, SMRs have been designed with cybersecurity in mind, whereas traditional older plants were developed at a time when cybersecurity standards did not yet exist or were just emerging. Their faster design and deployment cycle also means that some vulnerabilities might be removed at the design stage by drawing on existing cybersecurity best practice.

However, some changes will also increase risk. SMRs may have more cyber vulnerabilities because they are less bespoke than traditional reactors, are connected to the internet and cannot have sterile ‘air gaps’ (no network connection at all), because operators require remote access. They may be “more of a target for opportunistic cybercriminals”. In addition, SMRs will also be vulnerable through the construction supply chain, while the use of artificial intelligence (AI) could lower the entry barrier for cyberattack by making tools for cyber intrusions more accessible and affordable. Finally, if they are successful there will simply be more SMRs, in more places, for cyber criminals to attack.

Mitigating the risk

The report concludes that mitigation of cyberthreats to civil nuclear infrastructure requires a multi-tiered approach: enhancing international and regional cooperation, refining national cybersecurity frameworks and fostering public–private partnerships.

On an international level it recommends capacity-building initiatives to raise awareness of current cyber risks, along with better guidance on how to protect against such risks.

It suggests using existing multi-stakeholder initiatives for focused discussions, including at the UN. These could also ensure that SMRs and microreactors are designed with the right cybersecurity considerations from the start. It will be crucial to consider how discussions can be integrated into a dedicated mechanism for regular institutional dialogue on threats in the future.

Capacity should also be built through regional organisations, which can further facilitate the industry-wide sharing of best practice and lessons learned. Regional efforts should be tailored to the needs of member states and organised between like-minded states or within a different grouping.

Nationally, countries should deepen their understanding of cyberthreat vectors against critical infrastructure and conduct incident-response planning. They should also facilitate public–private partnerships with information exchange and collaboration between government and industry stakeholders.

RIIA notes that there are obvious parallels with other critical national infrastructure sectors, such as water management or transport, and that a wide critical national infrastructure sector dialogue on cybersecurity could help ensure that industries learn from each other. This could be followed up with a prioritised list of how to tackle the remaining challenges, where the priority takes into account risk as well as the time required to mitigate it. “It seems that nearly a decade after the conversation around enhancing the cybersecurity of civilian nuclear sites began, the industry is less far along in mitigating risks and making improvements than it should be,” RIIA says, adding that, given the expected growth and diversification across the industry, with new reactor types being designed, it is urgent that the nuclear industry intensifies and sustains its work on cybersecurity.