nuclear-news

The News That Matters about the Nuclear Industry Fukushima Chernobyl Mayak Three Mile Island Atomic Testing Radiation Isotope

Nuclear Sector Must Step Up Cybersecurity

The nuclear industry is weak on cyber security, says a policy institute analysis. To respond, the sector has to take a more transparent and collaborative approach – and speed up action on improvement.

Staff Writer, NS ENERGY, 4th May 2026

The Royal Institute of International Affairs (a UK policy institute colloquially known as ‘Chatham House’) has described the nuclear industry’s status on cybersecurity as “playing catch-up”. It has warned that “the nature of licensing systems for nuclear operators means that long periods of risky working practices are often tolerated”. As an example, it highlighted the UK’s Sellafield fuel cycle site, which pleaded guilty in June 2024 to criminal charges that related to gaps in its cybersecurity between 2019 and 2023. The site had been repeatedly flagged in inspections by the UK Office for Nuclear Regulation (ONR), which warned it would apply ‘enhanced regulatory attention’ to cybersecurity practices.

The Royal Institute of International Affairs (RIIA) warning came in a report, ‘Cybersecurity of the civil nuclear sector’, which considered the threat landscape and the international legal framework for cybersecurity as it applies to the nuclear industry. The group examined the issue because it saw the civil nuclear industry expanding worldwide at the same time as cyber threats are evolving, and because cyber operations targeting civil nuclear systems have been reported worldwide …

Playing catch-up

RIIA says that the nuclear sector lacks a comprehensive understanding of the threat landscape around cybersecurity and effective resilience strategies.

Vulnerabilities arise from technical and non-technical factors, including the use of older software, personnel being targeted and the lack of sufficient sector-wide awareness and collaboration. Cyber incidents can also occur accidentally as a result of existing vulnerabilities in commercial software. These vulnerabilities include: entry points such as inadequate IT infrastructure maintenance; missing patches and updates; unsafe working practices such as connection to unprotected networks; the use of portable storage devices; legacy systems; and inadequate data protection. The report says, “this range of potential threats makes it doubly essential to ensure fundamentally secure working practices, as it is very difficult to identify and protect against every individual vulnerability”.

The authors say “the nuclear industry was a comparatively late starter” on cybersecurity, compared with other industries associated with critical national infrastructure or sectors such as finance. They add that “the nuclear industry’s strong pre-existing physical security, and its use of bespoke or uncommon industrial control software, meant that there was a sense within the sector that all aspects of security were sufficiently covered.” That sense has gone: more systems in nuclear power plants have acquired digital elements, including commercial off-the-shelf software solutions, and more cyber vulnerabilities have been introduced as a result. This has increasingly left systems and facilities open to attack and, “in some respects, the civil nuclear industry is thus still playing catch-up”.

The group also says that another challenge to realising cyber security is that the nuclear industry is isolated from other sectors. It is therefore difficult to exchange experiences of best practice with other industries; instead the exchange is “ad hoc, often informal, and largely based on the personal drive and networks of individuals in cybersecurity roles”. The industry is not transparent about incidents, because it is concerned about revealing information about vulnerabilities and equally concerned about public perception if vulnerabilities are revealed. Regulators typically discuss cybersecurity gaps only with specific operators rather than sharing concerns more widely. The report says, “the nuclear industry’s preoccupation with perceptions can get in the way of transparency, even though stronger disclosures would help to bolster confidence in the safety of working practices” …

… SMRs may have more cyber vulnerabilities because they are less bespoke than traditional reactors, are connected to the internet and cannot have sterile ‘air gaps’ where there is no connection, because operators require remote access. They may be “more of a target for opportunistic cybercriminals”. In addition, SMRs will be vulnerable through the construction supply chain, while using artificial intelligence (AI) could lower the entry barrier for cyberattack by making tools for cyber intrusions more accessible and affordable. Finally, if they are successful there will simply be more SMRs, in more places where cyber criminals can attack … https://www.nsenergybusiness.com/analysis/playing-catch-upon-cyber-safety/

May 8, 2026 - Posted by | safety, UK
