Many states are becoming more interested in nuclear energy as a means to help achieve environmental goals, economic development and energy security. A declaration by 25 countries – including the US, the UK and Canada – during the COP28 UN Climate Change Conference in December 2023 exemplified this trend, announcing an ambition to triple nuclear energy capacity by 2050 as part of efforts to achieve net zero greenhouse gas emissions and limit global warming.
The commitment emphasized not only the potential role of nuclear energy in supporting sustainable development but also the consequent importance of maintaining safety, sustainability, security and non-proliferation standards in the civil nuclear industry. As growth in the use of nuclear energy would imply that more nuclear power plants will come into operation, considerations of safety and security in the civil nuclear industry – including around cybersecurity, the specific subject of this paper – are likely to become more critical than ever.
Since Russia’s full-scale invasion of Ukraine in February 2022, there has been a notable shift in many Western countries’ energy security strategies. Global interest in nuclear energy has been reawakened, driven by a desire to reduce dependencies on external suppliers and bolster domestic energy security. Even before the full-scale invasion of Ukraine, expansion of nuclear energy was on the agenda of many developing countries. As of 2021, 28 countries without existing nuclear power plants were actively pursuing plans to incorporate nuclear energy into their energy portfolios. This surge in interest can be attributed in part to nuclear energy’s reliability, resilience and low carbon footprint. Nuclear energy’s compatibility with renewable energy sources, complementing the role of renewables in reducing carbon emissions, further increases its potential appeal for countries aiming to minimize their carbon footprint and achieve decarbonization goals across various sectors.
However, any expansion of nuclear capabilities also brings new challenges, particularly in cybersecurity. Cyber operations targeting civil nuclear systems have been reported worldwide. Such operations pose significant risks, with potential harms including information theft, equipment malfunction, disruption of energy supplies, environmental damage and health impacts. The risks are prevalent both in peacetime and during conflicts. Of increasing concern is the vulnerability to cyberattacks, as well as physical attacks, of nuclear power plants located in conflict zones. The damage to Ukraine’s nuclear infrastructure since 2022 exemplifies this type of risk. Moreover, as small modular reactors (SMRs) become more widespread in civil nuclear infrastructure, the likelihood of nuclear facilities becoming targets in conflict situations will rise.
Despite these risks, the nuclear sector lacks a comprehensive understanding of the threat landscape around cybersecurity. The sector also lacks effective resilience strategies. While existing international law and norms outline states’ obligations and responsibilities in cyberspace, how these obligations and responsibilities apply to civil nuclear infrastructure remains underexplored. Addressing this gap will be crucial to protecting nuclear power plants from cyberthreats, especially as the transition from fossil fuels will potentially result in such plants increasing in both importance and number.
This research paper seeks to contribute to the debate so that robust policies can be developed in this area. Section 2 discusses the threats and risks to civil nuclear infrastructure, particularly from a cybersecurity perspective. Section 3 details the applicable international legal framework that can help protect against them. Section 4 recommends policies and best practice for governments and other relevant stakeholders, with a focus on the role of existing commitments and institutional channels in preventing malicious cyber operations against civil nuclear systems, and in holding to account those responsible for such operations or the threat thereof.