Cybersecurity of the civil nuclear sector

Threat landscape and international legal protections in peacetime and conflict
Research paper Updated 12 July 2024 ISBN: 978 1 78413 616 1 DOI: 10.55317/9781784136161
Photo of Pivdennoukrainsk nuclear power plant, Ukraine, September 2022

A combination of factors – from energy security and decarbonization agendas to the emergence of small modular reactors (SMRs) that potentially make nuclear energy more accessible – are prompting many countries to consider adopting, or increasing their use of, nuclear energy. But the prospect of more nuclear power plants, many of them more digitally connected than in the past, coming into operation in more countries makes ensuring the cybersecurity of civil nuclear infrastructure more critical than ever.

This paper considers the evolving cyberthreats that the civil nuclear sector faces both in peacetime and during conflict. It outlines key vulnerabilities in the sector, including the use of older or bespoke software, a safety culture insufficiently attuned to digital and cyber risks, and the emergence of novel risks around the use of SMRs and microreactors. The paper then outlines the existing international legal frameworks that already apply to the issue and can help protect the civil nuclear sector from cyberthreats, and proposes steps to improve cybersecurity. These steps include doing more to interpret and leverage international law in the relevant areas, and enhancing operational protections such as cyber incident-response planning.