Reasons To Be On High Alert When Securing Nuclear Sites Through Decommissioning

Few targets present a more alarming prospect for a cyber attack than a nuclear power plant. From stolen state secrets to national blackouts and the spectre of a radiation leak, there are many disturbing possibilities. 

But while we naturally think of the risk to an active facility, decommissioned sites represent a hidden cyber threat. There are good reasons why decommissioned nuclear sites remain targets for cyber threats, and why facilities need to ensure long-term security as they shut down.

The UK is on track to decommission nearly half of its nuclear capacity by the end of this year, and the energy landscape around the world is undergoing a similar shift. But while attention often turns to new reactors and clean energy goals, the sites being retired still carry considerable cyber risk. 

It’s easy to assume the risk dissipates once a nuclear plant stops producing energy. Why is that not the case?
That’s a really common assumption, but unfortunately, inactive sites are still on the radar for threat actors.

These facilities still contain incredibly valuable data such as schematics, operational records, transport plans for nuclear waste, as well as the personnel files that are common targets in any attack. There’s also a physical threat factor, as some sites still hold radiological materials that are yet to be removed.

On top of that, these facilities stay in a transitional state for decades. During that extended time, they retain many features of live critical infrastructure, while the level of staffing is reduced once energy production stops.

So, there’s plenty of motivation from a threat perspective. Nation-state actors, in particular, are very interested in anything related to nuclear operations. While attention might shift to newer projects, decommissioned sites are still very much of interest to threat actors.

It's also important to consider just how many of these sites there are – in the UK, nearly half of all nuclear facilities are scheduled for shutdown this year, for example. This is an increasingly well-understood risk in the energy industry, which is why the Government’s Nuclear Decommissioning Authority (NDA) recently moved to set up a cybersecurity hub.

So, what kind of cybersecurity challenges come up during decommissioning that might not be obvious?
There are a few that stand out. One of the biggest is the impact of downsizing. Once a site is offline, staffing and budgets naturally shrink. That’s understandable, but it also means fewer eyes on the systems and potentially less day-to-day oversight of security. The risk doesn’t go away, but active threats can become easier to miss.

Then you’ve got the technology itself. Most of these sites rely on legacy operational technology (OT) systems, such as supervisory control and data acquisition (SCADA) and programmable logic controllers (PLCs), which weren’t typically built with cybersecurity front of mind.
 
Such OT infrastructure is often hard to update and difficult to monitor using standard tools designed for IT networks. Even if they’re air-gapped, teams still need to extract telemetry data or push updates. That creates opportunities for unintended exposure, especially if safeguards are outdated or not rigorously followed.

Another key point is the number of external contractors involved. Decommissioning is a complex process that brings a rotating cast of third-party specialists in and out of the site. Each one likely brings their own devices, software tools and personnel, creating a larger attack surface that must be managed with rigorous access control, secure onboarding and background checks. With scaled-back teams, it’s easier for those risks to slip through the cracks.

Removable media often gets used in air-gapped environments. How can sites manage that risk effectively?
It’s a tricky one because you can’t just stop using removable media. For many of these environments, it’s the only way to transfer data or install updates in and out of air-gapped and highly segmented OT networks.

But every USB drive or external hard drive you bring could contain a potential risk. You have to assume it could carry malware, whether that’s intentional or accidental.

The good news is there are practical solutions. It starts with replacing basic antivirus scans with multi-engine scanning. Using several AV engines in parallel boosts your chances of catching advanced or hidden threats. You can also add behavioural sandboxes to see how files act in a controlled space, which is particularly effective in finding previously unknown threats that do not yet have an AV signature.

Then there’s Content Disarm and Reconstruction, or CDR. Rather than just flagging risky files, CDR actively sanitises all files, removing any active content while keeping the files usable. It’s a safer, more effective way to neutralise threats without disrupting work.

Automated media scanning kiosks make all of this manageable at scale. Again, there might be a lot of people coming and going on site, so any security process needs to be built to handle that.

Kiosks process incoming media quickly and can be linked to managed file transfer systems for secure tracking. That means facilities can stay compliant and protected without slowing things down. With decommissioning already being a long, resource-intensive project, this efficiency is really important.  
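As an added illustration of the intake workflow described above (not OPSWAT's or the NDA's code), the following simplified kiosk check hashes each file for the transfer log, blocks file types that have no business crossing onto an OT network, and flags OOXML documents that carry a VBA macro part for a CDR stage. The allowlist, file names and sample files are constructed assumptions.

```python
"""Simplified removable-media intake check, as a scanning kiosk might run it.

Illustrative example only: a real kiosk would add multi-engine AV scanning,
sandboxing and a CDR step that rewrites the file. Sample inputs are constructed.
"""
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# Assumed site policy: only these document types may be carried onto the OT side.
ALLOWED_EXT = {".pdf", ".docx", ".xlsx", ".csv", ".txt"}


def has_vba_macro(data: bytes) -> bool:
    """OOXML files are zip containers; a VBA project is stored as a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container, so it cannot hold an OOXML macro part


def assess(filename: str, data: bytes) -> dict:
    """Return a tracking record with the intake decision for one file."""
    ext = PurePosixPath(filename).suffix.lower()
    record = {"file": filename, "sha256": hashlib.sha256(data).hexdigest(),
              "decision": "ALLOW", "reason": ""}
    if ext not in ALLOWED_EXT:
        record.update(decision="BLOCK", reason=f"extension {ext or '(none)'} not on allowlist")
    elif has_vba_macro(data):
        # Active content found: route to CDR so the macro part is stripped before release.
        record.update(decision="SANITISE", reason="embedded VBA project found")
    return record


def make_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for testing (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("schematic.pdf", b"%PDF-1.4 constructed"), ("plan.docx", make_ooxml(True)),
               ("tool.exe", b"MZ constructed")]
    for name, blob in samples:
        print(assess(name, blob))
```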

What else can be done to keep these sites secure without putting unnecessary barriers in the way of progress?
That balance is really important. You don’t want security to be a bottleneck, but you also can’t afford to relax just because the site isn’t producing energy anymore. The best approach is to ensure security is part of the decommissioning process itself.

Specialist tools are really important here since many legacy OT systems aren’t compatible with traditional endpoint protection. Decommissioning projects need to ensure they have solutions that are designed to monitor activity and spot anomalies in OT systems. 

Secure workflows also play a big role. Managed secure file transfer tools help you control and track data movement, while encryption and data loss prevention keep sensitive information protected. 

Data diodes are another powerful tool for segmenting and controlling how and where data is able to flow inside the OT network. These are hardware devices that physically enforce a unidirectional data flow, ensuring that traffic passes only from one network to the other, which makes it impossible to inject data or exert the command and control (C2) necessary for remotely orchestrated attacks. Such controls should all be tied into the removable media security process.

In the end, the goal is to treat decommissioned sites with the same level of security rigour as operational ones. That mindset shift is key, because in the eyes of threat actors, these sites are still tantalisingly valuable and potentially vulnerable.

James Neilson is SVP International at OPSWAT
