The increasing complexity and scale of cyber risks against civil nuclear infrastructure are closely tied to advancements in technology, which in turn have helped expand access to nuclear energy to a broader range of countries. Understanding and addressing these risks is essential for the safe and secure development and expansion of nuclear energy, which can offer significant social, economic and environmental benefits.
From a legal perspective, although no single legal regime specifically addresses cyberthreats to civil nuclear infrastructure, existing international law already offers robust safeguards – if not in practice, at least in principle. These safeguards encompass both general rules and specific regimes, and require states to refrain from conducting cyber operations targeting civil nuclear facilities, and to redress the effects of such incidents when they occur.
In the long term, states should develop strategies to both enhance the enforcement of international law in cyberspace and ensure accountability for unlawful cyber operations, including those targeting civil nuclear facilities. States may also need to evaluate the necessity of developing new treaties or adapting existing rules of customary international law to address cyber-nuclear threats comprehensively. In the short term, states should consider providing specific interpretations of existing rules and adopting additional non-binding norms or standards to complement them.
Previous Chatham House research proposed various measures to protect against cyber incidents targeting civil nuclear facilities. These recommendations included: the establishment of an international cybersecurity management strategy; coordinated plans of action to address technical shortfalls; initiatives to foster a culture of cybersecurity among the nuclear community; robust dialogue between nuclear engineers and contractors to raise awareness of cybersecurity risks; promotion of cyber insurance; network monitoring; promotion of vulnerability disclosure; establishment of national computer emergency response teams (CERTs) specialized in industrial control systems; promotion of the concept of ‘security by design’; steps to ensure sufficient redundancy in digital systems; and measures to protect the integrity of digital supply chains.
Expanding on this research, and building on the analysis above, this paper offers recommendations structured across three levels:
International
- Initiate capacity-building initiatives to raise awareness of current cyber risks against civil nuclear infrastructure. Amplify existing guidance on how to protect against such risks, and develop new guidance to address gaps, where needed, to ensure the safety and security of both existing and future nuclear energy endeavours. This should be done by states as well as by non-state actors, including the private sector, academia, international organizations and civil society.
- Use existing multi-stakeholder platforms and initiatives to conduct focused discussions. The IAEA has produced numerous guidelines on how to protect civil nuclear infrastructure from cyberthreats. These guidelines can serve as building blocks for future discussions on the matter. Platforms like the Global Forum on Cyber Expertise, the Paris Call on Trust and Security in Cyberspace, the Cybersecurity Tech Accord and others can use this guidance to start dedicated discussions on the cybersecurity of civil nuclear infrastructure that bring together the international cyber capacity-building community and the nuclear community. These forums could also serve as useful spaces for discussion to ensure that small modular reactors (SMRs) and microreactors are designed with the right cybersecurity considerations from the start.
- Initiate dedicated discussions at UN level. The UN Open-Ended Working Group (OEWG) on ICTs could hold dedicated discussions on addressing cybersecurity risks in the civil nuclear sector as part of a larger and more detailed discussion around the protection of critical infrastructure. These discussions, which could be championed by UN member states and non-government stakeholders alike, should seek to raise awareness of existing risks, explore the application of current rules and norms to this sector, and brainstorm additional protection strategies. Moreover, as the discussions progress, it will be crucial to consider how they can be integrated into a dedicated mechanism for regular institutional dialogue on ICT threats in the future. This future mechanism, whether in the form of a Programme of Action or otherwise, should be designed to ensure sustained engagement and progress on addressing cybersecurity threats to critical infrastructure, including in the civil nuclear sector.
Regional
- Build capacity through regional organizations. Regional organizations should play an active role in helping to enhance the capacity of their member states to safeguard civil nuclear facilities and bolster critical infrastructure. This can be achieved through organized discussions at a regional level, which can facilitate the sharing of best practice and lessons learned.
- Develop context-specific cybersecurity frameworks. Regional efforts can focus on developing cybersecurity frameworks for the protection of critical infrastructure, including in the civil nuclear sector, tailored to the needs of member states and with targeted actions designed to enhance the cybersecurity of civil nuclear infrastructure. Regional discussions can sometimes achieve substantial consensus among neighbouring nations, or among states sharing similar perspectives or contexts, and the resulting regional or multilateral agreements can serve as models for testing and potentially expanding these developments more widely in the international arena. Such discussions can also be organized among like-minded states or within other groupings; they can foster cooperation and alignment in addressing cybersecurity challenges on a broader scale and help protect vital assets.
National
- Continue to invest in cybersecurity preparedness. States should continue to develop their cybersecurity preparedness through their CERTs and computer security incident response teams (CSIRTs), and should deepen their understanding of all cyberthreat vectors against critical infrastructure, including against the civil nuclear sector.
- Conduct incident-response planning. States should incorporate cybersecurity of civil nuclear infrastructure in their domestic civil contingency and resilience plans, including by designing and carrying out tests and simulation exercises specific to cyber-nuclear risks and involving all relevant stakeholders.
- Interpret international rules and guidance within a national context. States and other stakeholders should initiate efforts aimed at interpreting and applying international rules, norms and guidance, such as the IAEA guidance, in their national contexts.
- Facilitate public–private partnerships (PPPs). States should facilitate PPPs to protect the civil nuclear industry by promoting information exchange and collaboration between government and industry stakeholders.
- Engage in collaborative awareness-raising efforts. States should actively engage with relevant stakeholders, including regulatory bodies, industry associations, academia and civil society, to collectively raise awareness of best practices aimed at strengthening cybersecurity measures and resilience within the civil nuclear sector.
By implementing these recommendations at all levels, states and other key stakeholders can collaborate to mitigate cybersecurity risks and ensure the safe and secure development and growth of the civil nuclear sector. This can help maximize the benefits of this sector for societies, economies and the environment.