Defend Against the Growing Risk of Cyberattack

Like all critical infrastructure, nuclear facilities are not immune to cyberattacks; such attacks could facilitate the theft of nuclear materials or an act of sabotage, potentially resulting in catastrophic public health and economic consequences. Government and facilities’ responses to the risk of cyberattacks too often are inadequate. Effective cybersecurity measures—from incorporating cyber threats into threat assessments to mandating that nuclear facility licensees have cyber-incident response plans—must be incorporated into government regulations and facility operations.

The challenge, however, is not just for governments and regulators. Leaders, technical specialists, and operators at nuclear facilities must develop and implement plans that keep pace with the threat and reduce vulnerabilities at nuclear facilities. Governments should require—and facility operators should implement—information and operational technology systems that are resilient in the face of the cyber threat. Cooperation—in the form of internal continuous improvement efforts, mutual assistance mechanisms, and increased collaboration between physical and cybersecurity professionals within and outside of a nuclear facility—can boost defenses against this evolving threat. Given the potential consequences, all countries must work aggressively to ensure that their nuclear facilities are well protected from cyberattacks.

To defend nuclear facilities from cyber-mediated attacks, countries and facility operators should:

  • Promote and invest in continuous improvement of cybersecurity measures at all nuclear facilities. Although nuclear operators struggle to prioritize cybersecurity efforts, today’s cyber threat continues to evolve, outpacing defenses and regulations in many countries. Like any new threat, restructuring or energizing teams to build systems and processes that are resilient to cyberattack requires consistent improvement and leadership. Dedicated efforts are needed to embed cybersecurity best practices into the culture of nuclear facilities. All countries should mandate that nuclear facilities be protected from cyberattack; sensitive digital assets must be protected in such a way that an attacker cannot compromise physical protection, control, accounting, or safety systems. The facility threat assessment should take into account the potential for cyberattacks, as well as for combined cyber-physical attacks. Ongoing tests and assessments should characterize the effectiveness, as well as the weaknesses, of cybersecurity measures. Each nuclear facility should have a cyber-incident response plan to limit damage and reduce recovery times in the event that a facility is successfully attacked. Regulators and nuclear facility leaders must invest in ongoing efforts to improve both regulatory frameworks and facilities’ cybersecurity protections. Physical and cybersecurity programs should be integrated and dynamic, incorporating threat intelligence from government entities and working to isolate and defend critical digital and operational assets.
  • Build mutual assistance mechanisms and shared resources for responding to cyberattacks. A cyberattack could affect a facility anywhere in the world, with lasting global consequences for the nuclear industry. Working collaboratively to ensure a rapid and effective response to a serious cyberattack on a global level allows countries—whether those with mature nuclear programs or emerging ones—to minimize the potential consequences. Mutual assistance efforts should take both formal and informal forms. Countries with technical capacity and experience could continue to extend support through existing bilateral or multilateral mechanisms. Sharing of threat information and vulnerabilities can provide additional benefits.
  • Increase the quality and quantity of cyber-nuclear experts. The global competition for cybersecurity talent is fierce, and developing, maintaining, and retaining the necessary capacity in every country with nuclear facilities will be difficult. States and facility leaders should consider developing alternative means of filling talent gaps, such as mutual support agreements and investments in the skill development of current workers.

Too often, conversations about nuclear facilities’ cybersecurity and physical security take place in silos. Bringing together experts in both areas to discuss concerns, trends, and strategies would bridge gaps and generate new ideas to enhance security.

The IAEA continues its important work of developing cybersecurity resources for its member states, providing training, and conducting reviews of national and facility plans. States should contribute financial and human resources to the IAEA, including to the Nuclear Security Fund. They should contribute to scientific and technical cooperation to provide sustained support to defend against cyberattacks. Likewise, states should take advantage of IAEA, World Institute for Nuclear Security (WINS), and other opportunities to strengthen capacity, boost awareness, and improve responses to cyberattacks.

Finally, countries should engage one another in additional discussions of norms, rules of the road, and cooperative opportunities to reduce the cyber threat to nuclear facilities, building on the United Nations Group of Government Experts’ discussions that developed an international consensus that states should not intentionally damage others’ critical infrastructure, such as nuclear facilities.