The control room inside the Paks nuclear power plant in Hungary. Photo: Bloomberg/Contributor
Risk conclusions
Solutions to these risks, therefore, should go beyond applying cybersecurity policies because, in this context, cyber risk reduction is actually about nuclear risk reduction.22
The insurance of civil nuclear facilities has a long and complicated history, but two events that stand out are the use of probabilistic risk assessment techniques in the 1975 Reactor Safety Study (widely known as the Rasmussen Report);23 and the establishment of the Price–Anderson Act in 1957. The Rasmussen Report accomplished the herculean statistical task of estimating risk in the absence of an actuarial history of civil nuclear safety, which in turn gave the US Congress the confidence in reactor safety to provide $560 million in insurance above and beyond that available from the private market (which was only prepared to offer $60 million).24 Counterintuitively, as systems achieve greater safety levels, the more difficult it can be to calculate the insurance risks associated with them, given the consequent rarity of incidents on which to base assessments. For example, for nuclear reactors built in the 1960s, statistically it would be necessary to wait 30–40 years for enough near misses and incidents to occur that could inform actuarial calculations.25 As a relatively new field, cyber risk is at a very similar point in history today.