IGF 2023 WS #220 Cybersecurity of Civilian Nuclear Infrastructure

Time
Thursday, 12th October, 2023 (04:00 UTC) - Thursday, 12th October, 2023 (05:30 UTC)
Room
WS 2 – Room A
Subtheme

Cybersecurity, Cybercrime & Online Safety
Cyberattacks, Cyberconflicts and International Security

Organizer 1: Priya Urs, University of Oxford
Organizer 2: Talita Dias, Chatham House - The Royal Institute of International Affairs

Speaker 1: Michael Karimian, Private Sector, Asia-Pacific Group
Speaker 2: Tariq Rauf, Intergovernmental Organization, Intergovernmental Organization
Speaker 3: Pulkit Mohan, Civil Society, Asia-Pacific Group
Speaker 4: Priya Urs, Civil Society, Asia-Pacific Group

Additional Speakers

Tomohiro Mikanagi, Japanese Ministry of Foreign Affairs

Giacomo Persi Paoli, UN Institute for Disarmament Research

Marion Messmer, Chatham House

Moderator

Talita Dias, Civil Society, Western European and Others Group (WEOG)

Online Moderator

Priya Urs, Civil Society, Asia-Pacific Group

Rapporteur

Talita Dias, Civil Society, Western European and Others Group (WEOG)

Format

Round Table - 90 Min

Policy Question(s)

A. What are the risks and potential consequences of cyber operations targeting civilian nuclear infrastructure?
B. To what extent do existing international law and non-binding norms protect civilian nuclear systems, and how can such legal and normative protections be strengthened?
C. What policies and cybersecurity best practices, including multistakeholder efforts, are needed to implement legal and normative protections of civilian nuclear technologies online?

What will participants gain from attending this session?

Participants will gain an understanding of the risks and potential consequences of cyber operations targeting civilian nuclear infrastructure, as well as the legal and practical challenges of protecting relevant systems. In particular, they will be exposed to concrete examples of such operations – from malware and ‘denial of service’ attacks to information operations – and their actual impact on individuals and other actors. Participants will also learn about the extent to which existing international legal and normative protections apply to these systems, the importance of upholding applicable protections, and ways in which they can be strengthened, including through multistakeholder coalitions. An interactive discussion of policy measures and cybersecurity best practices to implement existing rules and norms will allow participants to express their views and influence those policies and practices moving forward.

Description:

The convergence of cyber and nuclear risks poses a significant threat to national security and global stability. Cyberattacks targeting civilian and military nuclear systems have been reported in developed and developing countries around the world. Even the International Atomic Energy Agency (IAEA) has been the target of malicious cyber operations. The actual and potential risks of such attacks include the extraction of sensitive information about nuclear capabilities, malfunctioning of equipment, such as nuclear enrichment centrifuges, disruption of energy supplies, increased radiation levels, and potentially disastrous consequences for the environment and human life and health. This session will explore how existing rules of international law and non-binding norms of responsible State behaviour protect the cybersecurity of civilian nuclear infrastructure. It will examine whether the current legal and normative frameworks, along with cybersecurity policies and best practices, are adequate for this task. The session will kick off with a simulation of a cyberattack against a civilian nuclear system. This exercise will showcase the attack’s potential consequences and raise awareness of the need to uphold the applicable rules, norms, and best practices to safeguard civilian nuclear infrastructure against cyber threats. The session will then turn to the extent to which applicable rules and principles of international law protect such infrastructure, notably the prohibition of intervention in the affairs of other States, due diligence obligations, international human rights law, and nuclear-specific treaties, highlighting areas of interpretative consensus and gaps in protection. A discussion of relevant norms of responsible State behaviour, adopted by the United Nations Group of Governmental Experts on information and communications technologies, will follow. 
The session will conclude by addressing practical policy and cybersecurity measures needed to give effect to the existing legal and normative frameworks. Speakers include representatives from Microsoft, the Japanese Government, and the IAEA.

Chatham House Report, Cybersecurity at Civil Nuclear Facilities: https://www.chathamhouse.org/sites/default/files/field/field_document/2…


Expected Outcomes

The session is expected to inform different stakeholders about the threats to the cybersecurity of civilian nuclear infrastructure as well as their international legal and normative protections (e.g., which State and non-State behaviours are off-limits, limited, or required). This will raise awareness of the importance of strengthening existing legal and normative frameworks. The session will also enable speakers and participants to exchange views on and shape policy strategies and cybersecurity best practices needed to give effect to those frameworks. An outcome document prepared after the session will flesh out key legal and normative protections and outline a roadmap of policy recommendations and best practices for governments, international organisations, and the private sector to improve the cybersecurity of civilian nuclear systems. Emphasis will be placed on actions to protect the most vulnerable and marginalised groups, such as civilian populations in developing countries, women, children, and the elderly.

Hybrid Format: To facilitate interaction between onsite and online speakers and participants, the session will have a dedicated online moderator who will take online questions first. The onsite moderator will also invite questions from both online and onsite attendees, encouraging use of the ‘raise hand’ function to speak. To ensure that the speakers have understood the attendees’ questions/comments, particularly online, the moderator will summarise/clarify these as needed. To ensure the best possible experience for onsite and online participants, the session will have a dedicated Q&A. This will allow onsite and online speakers and participants to engage directly with one another, with the help of the onsite and online moderators. To increase participation during the session, an online survey tool (e.g. SurveyMonkey, Polis) will be used to collect the insights of all participants on the three policy questions at the end of the session. These views will feed into the session’s outcome document.

Key Takeaways

The variety of risks posed by cyber operations against civilian nuclear infrastructure - ranging from harm to the life and health of individuals and environmental damage to significant psychological impact - should be balanced with the opportunities that the nuclear energy sector offers for clean and accessible energy, particularly thanks to small modular reactors and their use to power remote areas and AI.

States are chiefly responsible for formulating and adopting relevant technical regulations, norms, and legal obligations to protect civilian nuclear infrastructure against cyber operations. These may be negotiated and agreed through the International Atomic Energy Agency (IAEA), the UN Open-Ended Working Group, or other forums. But since cybersecurity cuts across sectors, actors and disciplines, states need to work with other stakeholders.

Call to Action

There is a need to pay greater attention to cybersecurity in the context of civilian nuclear infrastructure to avoid a variety of risks posed by cyber operations in this context. This includes better understanding the threat landscape, demystifying myths about the interface between cyber and nuclear safety and security, and enhancing dialogue between actors operating in both sectors - including technical, policy and legal actors.

In light of the human, environmental, and national and international security risks posed by cyber operations against civilian nuclear infrastructure, states need to enhance the cybersecurity of the sector by different means, including technical, legal, and policy approaches. They should cooperate with the IAEA and the private sector and bring the issue to the agenda of existing multilateral discussions.

Session Report

This session was co-chaired by Dr Talita Dias and Rowan Wilkinson from the International Law Programme, Chatham House. It focused on the convergence of cyber and nuclear risks from a technical, policy, security, and legal perspective. To shed light on those different perspectives, the session benefited from the inputs of Marion Messmer (International Security Programme, Chatham House), Tariq Rauf (former Head of Nuclear Verification and Security Policy Coordination at the International Atomic Energy Agency (IAEA)), Dr Giacomo Persi Paoli (Head of the Security and Technology Programme at the United Nations Institute for Disarmament Research – UNIDIR), Michael Karimian (Director for Digital Diplomacy at Microsoft, Asia Pacific), Tomohiro Mikanagi (Legal Advisor to the Japanese Ministry of Foreign Affairs), and Dr Priya Urs (Junior Research Fellow in Law at St John’s College, University of Oxford).

As previous examples of cyberattacks against nuclear infrastructure in Iran, India, North and South Korea, Norway, Germany, the US, Ukraine, and the International Atomic Energy Agency (IAEA) illustrate, the actual and potential risks of such attacks include both physical and non-physical harms such as: a) extraction of sensitive information about nuclear capabilities; b) malfunctioning of equipment, including nuclear enrichment centrifuges; c) disruption of energy supplies; d) increased radiation levels; e) potentially disastrous consequences for the environment, human life and health; f) psychological harm to individuals, such as trauma and fear arising from the threat of those consequences; and g) reputational harm to the nuclear energy sector, as well as to States, international organisations and companies involved in the provision of nuclear energy or cybersecurity. According to the results of our interactive survey during the session (using Mentimeter), physical consequences, in particular increased radiation levels, are the number one concern among both in-person and online participants.

Malicious cyber operations threatening civilian nuclear infrastructure may take a variety of forms. They primarily include: a) disruption of software (e.g., through malware or other forms of malicious code); b) disruption of hardware, including malfunction of equipment (e.g., through physical penetration via USB sticks); c) data gathering or surveillance operations (e.g., through phishing and other social engineering tactics); and d) information operations (e.g., mis- and disinformation about nuclear risks). Such operations can either intentionally target civilian nuclear infrastructure or cause collateral damage to it. The session also highlighted that these risks have now been amplified by: a) the push for green energy; b) the increased use of small modular reactors and microreactors; c) the use of nuclear energy, including those reactors operated by private companies, to power AI systems; and d) the use of AI to automate and diversify the types of cyber operations against different targets, including critical infrastructure and potentially nuclear infrastructure.

There was agreement that these risks remain significant and concerning, as even remote or uncertain risks can have catastrophic consequences for humanity. While it was once thought that civilian nuclear infrastructure was safe from cyber threats because of the use of specific control systems, the need to update these systems, including to off-the-shelf software, has meant that cybersecurity is now a sector-wide concern. New developments in the civilian nuclear sector, such as small modular and micro nuclear reactors, pose both challenges and opportunities. On the one hand, they are safer by design and have enabled nuclear energy to reach remote parts of the world. At the same time, the increasing number and variety of those reactors, coupled with the fact that many use off-the-shelf software, may also increase the attack surface and raise cybersecurity vulnerabilities, particularly given long IT supply chains and inconsistent national standards for their development and operation. The war in Ukraine has also highlighted the vulnerability of civilian nuclear infrastructure to cyber and physical attacks in parallel. A particular risk of these attacks is that they lead to nuclear reactors being switched off or disconnected from the power grid, which could interfere with their cooling systems and lead to a meltdown. These risks could be mitigated by, inter alia, having sufficient backup generators on site.

The IAEA has issued more than 30 technical guidelines and recommendations to try to mitigate the risks arising from cyber operations against the civilian nuclear sector. Their main message is that cybersecurity is vital for nuclear safety, i.e. the physical integrity of nuclear power plants, radioactive materials, and nuclear personnel, as well as for nuclear security, i.e. protection from criminal or other intentional unauthorized acts involving or directed at nuclear and other radioactive material, associated facilities and associated activities, including confidential information and nuclear control systems. However, it was stressed that, despite the IAEA’s efforts, at the end of the day nuclear security is a national responsibility. Thus, the IAEA Nuclear Security Series complements international legal instruments on nuclear security and serves as a global reference to help parties meet their obligations. While the security guidance is not legally binding on Member States, it is widely applied. It has become an indispensable reference point and a common denominator for the vast majority of Member States, which have adopted this guidance for use in national regulations to enhance nuclear security in nuclear power generation, research reactors and fuel cycle facilities, as well as in nuclear applications in medicine, industry, agriculture, and research. Key measures recommended in the Series include audits, risk assessments, training, awareness, and capacity-building, as well as international cooperation. It was also noted that the Convention on the Physical Protection of Nuclear Material (CPPNM) requires States Parties to protect nuclear material used for civilian purposes from cyber operations but lacks universality (notably, Iran is not a party to it).

Within the United Nations (UN), States have been discussing cybersecurity for 25 years. Notably, UN Member States have endorsed 11 Norms of Responsible State Behaviour in cyberspace, most of which seek to protect critical infrastructure from malicious cyber operations. However, the protection of the nuclear sector from cyber operations has not been specifically raised or addressed as of yet. It was argued that the main UN forum for cybersecurity discussion – the Open-Ended Working Group on the security of and in the use of information and communications technologies – is probably not well-placed to discuss how those general norms can be implemented in specific sectors, such as nuclear energy. The idea was put forward to establish a dedicated forum, within or outside the UN, to discuss the operationalisation of the Norms, including in the nuclear sector.

The key role that the private sector plays in the protection of the civilian nuclear infrastructure, including power plant operators and software companies, was also discussed. Steps that can be taken by private actors to increase such protection include embedding cybersecurity by design in product development, staying ahead of malicious cyber actors, such as by better understanding the cyber threat landscape and sharing threat intelligence, providing appropriate education and training on the cybersecurity of their products, as well as engaging with States and civil society to strengthen existing technical, policy and legal protection. One prime example of a multistakeholder initiative pushing for the protection of critical infrastructure is the Cybersecurity Tech Accord. This could serve as inspiration for future policy efforts to enhance the cybersecurity of the civilian nuclear sector.

The session concluded with a discussion of the international legal framework applicable to the issue. It was noted that while international law lacks specific rules on the cybersecurity of the civilian nuclear sector, existing rules apply. Notable among these are the rules of sovereignty, non-intervention, and due diligence, which apply by default in cyberspace, including in the context of cyber operations against the civilian nuclear sector. Sovereignty prohibits States from carrying out cyber operations that cause physical or functional effects in the territory of another State, or that undermine inherently governmental functions, including in the context of civilian nuclear infrastructure. Non-intervention prohibits States from carrying out or supporting cyber operations that coercively interfere in the internal or external affairs of another State. Insofar as nuclear energy policy falls within this ambit, cyber operations that threaten the sector constitute prohibited intervention. Finally, it was noted that States must exercise due diligence in protecting domestic and foreign civilian nuclear infrastructure from cyber operations as far as possible. Specific duties to protect the civilian nuclear sector from harmful operations, including by digital means, arise from the Nuclear Terrorism Convention and the CPPNM.