Defenses against the Cyber Threat Remain Insufficient

The results of the 2018 NTI Index indicate that nuclear facilities’ defenses against cybersecurity threats remain insufficient. The NTI Index asks whether domestic laws, regulations, or licensing rules require nuclear facilities to have protections in place, protect critical digital assets, include cyber threats in the Design Basis Threat,[1] conduct cybersecurity assessments, and ensure an incident response plan is in place. Although some countries have made modest improvements, many remain poorly prepared for a cyber threat.

  • One-third of countries with weapons-usable nuclear materials or nuclear facilities lack all of the basic cybersecurity regulations measured by the NTI Index. Since 2016, only 12 countries improved their cybersecurity regulations.[2]
  • Only 12 countries and Taiwan with weapons-usable nuclear materials or nuclear facilities received full credit—a score of five—confirming that those countries have enacted the regulations measured in the Index.[3]
  • Two-thirds of countries and Taiwan (68 percent) assessed in the NTI Index do not yet have a cyber-incident response plan, a factor measured for the first time this year. Given that cybersecurity measures never will be perfectly effective, an incident response plan and response capabilities are essential.
  • Countries with large numbers of sites are more likely to have cyber-nuclear regulations in place. For example, the United States receives full credit (five points), and the Russian Federation receives four out of five points on the cybersecurity indicators. Countries with few nuclear sites (such as Algeria, Argentina, and Bangladesh) are among those that have not yet enacted cyber-nuclear regulations and consequently have scored zero out of five points on the cybersecurity indicators.

[1] According to the IAEA’s Recommendations for Physical Protection of Nuclear Materials and Nuclear Facilities (INFCIRC/225/Revision5), a design basis threat is “attributes and characteristics of potential insider and/or external adversaries who might attempt unauthorized removal of nuclear material or sabotage against which a physical protection system is designed and evaluated.”

[2] Armenia, Australia, Canada, the Czech Republic, Germany, Italy, Japan, Kazakhstan, Norway, Slovenia, Spain, and the United Kingdom.

[3] Australia, Belarus, Canada, Finland, France, Germany, Hungary, the Netherlands, Romania, South Korea, the United Kingdom, and the United States.