The potential for cyberattacks on critical infrastructure providers is growing, but few targets warrant as much concern as the nuclear sector.

The NCSC has detected nation-state actors, including those from North Korea, targeting classified information, and the UK government has also raised concerns about the potential for unauthorised access to hazardous material.

Alongside the UK’s active nuclear power grid, there is also a growing threat to plants that are in the process of being decommissioned. While the UK recently announced steps to remove barriers to the increased use of nuclear power, many older sites are reaching the end of their life – nearly half of the country’s current nuclear power generation capacity is scheduled for decommissioning this year.

While these facilities will cease energy production, they will remain targets for cyberattacks, and their operational security requirements and compliance oversight will not diminish. Securing plants during decommissioning is crucial to national security and public safety, as it helps prevent the risk of a nuclear disaster.

Why decommissioned nuclear sites are still high-value targets

Decommissioning a nuclear facility is a monumental undertaking. The process typically takes anywhere from 15 to 30 years and can range from decontamination and partial deconstruction to the site being fully restored to greenfield status.

While nuclear sites may no longer generate power during this process, they remain valuable targets for threat groups. Geopolitical tensions further elevate the risk, and state-backed attackers view nuclear infrastructure as a strategic target.

These sites represent a treasure trove of sensitive data, including facility schematics, operational procedures, nuclear waste transport plans, and personnel data – plenty of information that could be leveraged for sabotage or espionage.

Recognising these threats, the Nuclear Decommissioning Authority (NDA) recently announced the establishment of a specialised cybersecurity hub to better protect the decommissioning process.

Key cybersecurity challenges in nuclear decommissioning

Ensuring cybersecurity during nuclear decommissioning involves the same risks as securing an active site, including managing data and digital tools brought in and removed by numerous visitors and organisations. However, there is an added layer of difficulty because budgets and personnel are often scaled back along with production activity.

This can lead to security gaps, particularly if cybersecurity is deprioritised. Additionally, the many third-party contractors brought in as part of the decommissioning process increase the potential for supply chain risks unless stringent security assessments are conducted.

As with active sites, legacy operational technology (OT) systems are among the most significant security concerns. Systems such as programmable logic controllers (PLCs) and supervisory control and data acquisition systems (SCADA) were not designed for modern cyber threats and are difficult to secure without specialised tools.

Further, many nuclear facilities rely on segmented and air-gapped networks to prevent cyber intrusions. However, decommissioning often requires increased data transfers using removable media, such as USB drives and portable hard drives.

If not properly sanitised before connecting, these devices can introduce malware into critical systems. Many facilities rely on a basic ‘sheep dip’ AV scan to check and sanitise removable media individually. However, this method is slow, difficult to scale, has limited effectiveness, poses reporting and monitoring challenges, and can delay critical decommissioning while impacting compliance audits.

The nuclear sector is among the most tightly regulated in the world, and sites remain under strict oversight even during decommissioning. Facilities must continuously update security measures to comply with NCSC, NDA, and other standards. Additionally, they must adhere to GDPR when handling confidential data, including employee and contractor records.

Best practices for securing nuclear decommissioning operations

As with currently operational sites, those undergoing decommissioning must adopt a proactive, multi-layered strategy for continued security.

Given the reliance on removable media for updates and data transfers, strict media control policies should be a priority. All devices must be scanned for malware before connecting to the network, using multi-scanning AV engines and behavioural sandboxes to detect threats.

Content Disarm and Reconstruction (CDR) should then sanitise files by removing malicious data and redacting or blocking sensitive information. Legacy ‘sheep dip’ scanning should be replaced with multi-scanning kiosks linked to managed file transfer, ensuring security checks do not hinder progress while guaranteeing the safe movement of legitimate data.

Enforcing mandatory encryption and data loss prevention capabilities will help prevent unauthorised data access or exfiltration. Sites must also reliably detect and mitigate cyber threats within their systems, including specialised and legacy OT assets.

Finally, it’s crucial to implement effective vendor security assessment processes alongside technical solutions. With external contractors accessing nuclear sites, regular audits, background checks, and contractual cybersecurity requirements help ensure that third-party suppliers do not introduce threats or remove unauthorised data.

Cybersecurity remains just as critical during nuclear decommissioning as it is during active operations. As more sites face closure, this will be a crucial issue in the year ahead.

With threat actors potentially viewing inactive sites as softer targets for sensitive and critical data or even access to nuclear material, nuclear facilities must ensure effective security long after reactors are shut down.

James Neilson SVP International OPSWAT