Reasons To Be On High Alert When Securing Nuclear Sites Through Decommissioning
Few targets present a more alarming prospect for a cyber attack than a nuclear power plant. From stolen state secrets to national blackouts and the spectre of a radiation leak, there are many disturbing possibilities.
But while we naturally think of the risk to an active facility, decommissioned sites represent a hidden cyber threat. There are good reasons why decommissioned nuclear sites remain targets for cyber threats, and why facilities need to ensure long-term security as they shut down.
The UK is on track to decommission nearly half of its nuclear capacity by the end of this year, and the energy landscape around the world is undergoing a similar shift. But while attention often turns to new reactors and clean energy goals, the sites being retired still carry considerable cyber risk.
It’s easy to assume the risk dissipates once a nuclear plant stops producing energy. Why is that not the case?
That’s a really common assumption, but unfortunately, inactive sites are still on the radar for threat actors.
These facilities still contain incredibly valuable data such as schematics, operational records, transport plans for nuclear waste, as well as the personnel files that are common targets in any attack. There’s also a physical threat factor, as some sites still hold radiological materials that are yet to be removed.
On top of that, these facilities stay in a transitional state for decades. During that extended time, they retain many features of live critical infrastructure, while the level of staffing is reduced once energy production stops.
So, there’s plenty of motivation from a threat perspective. Nation-state actors, in particular, are very interested in anything related to nuclear operations. While attention might shift to newer projects, decommissioned sites are still very much of interest for threat actors.
It's also important to consider just how many of these sites there are – in the UK, nearly half of all nuclear facilities are scheduled for shutdown this year, for example. This is an increasingly well-understood risk in the energy industry, which is why the Government’s Nuclear Decommissioning Authority (NDA) recently moved to set up a cybersecurity hub.
So, what kind of cybersecurity challenges come up during decommissioning that might not be obvious?
There are a few that stand out. One of the biggest is the impact of downsizing. Once a site is offline, staffing and budgets naturally shrink. That’s understandable, but it also means fewer eyes on the systems and potentially less day-to-day oversight of security. The risk doesn’t go away, but active threats can become easier to miss.
Then you’ve got the technology itself. Most of these sites rely on legacy operational technology (OT) systems, such as supervisory control and data acquisition (SCADA) and programmable logic controllers (PLCs), which weren’t typically built with cybersecurity front of mind.
Such OT infrastructure is often hard to update and difficult to monitor using standard tools designed for IT networks. Even if they’re air-gapped, teams still need to extract telemetry data or push updates. That creates opportunities for unintended exposure, especially if safeguards are outdated or not rigorously followed.
Another key point is the number of external contractors involved. Decommissioning is a complex process that brings in a rotating cast of third-party specialists in and out of site. Each one likely brings their own devices, software tools and personnel, creating a larger attack surface that must be managed with rigorous access control, secure onboarding and background checks. With scaled-back teams, it’s easier for those risks to slip through the cracks.
Removable media often gets used in air-gapped environments. How can sites manage that risk effectively?
It’s a tricky one because you can’t just stop using removable media. For many of these environments, it’s the only way to transfer data or install updates in and out of air-gapped and highly segmented OT networks.
But every USB drive or external hard drive you bring could contain a potential risk. You have to assume it could carry malware, whether that’s intentional or accidental.
The good news is there are practical solutions. It starts with replacing basic antivirus scans with multi-engine scanning. Using several AV engines in parallel boosts your chances of catching advanced or hidden threats. You can also add behavioural sandboxes to see how files act in a controlled space, particularly effective in finding previously unknown threats that do not yet have an AV signature.
Then there’s Content Disarm and Reconstruction, or CDR. Rather than just flagging risky files, CDR actively sanitises all files, removing any active content while keeping the files usable. It’s a safer, more effective way to neutralise threats without disrupting work.
Automated media scanning kiosks make all of this manageable at scale. Again, there might be a lot of people coming and going on site, so any security processes need to be built to manage this.
Kiosks process incoming media quickly and can be linked to managed file transfer systems for secure tracking. That means facilities can stay compliant and protected without slowing things down. With decommissioning already being a long, resource-intensive project, this efficiency is really important.
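One way to implement the intake workflow this answer describes (multi-engine scanning first, then content sanitisation, then a tracked manifest entry), as an added example that is not OPSWAT's code and not part of the original interview. The two engines are constructed byte-pattern matchers standing in for vendor AV engines, the allowed-extension policy and the file names are assumptions, and the CDR step is a minimal OOXML rebuild that drops macro, OLE and ActiveX parts together with the content-type and relationship entries that reference them. The sample document is constructed in memory so the script runs offline; a behavioural sandbox verdict would be consulted at the point marked in `process_file`.

```python
"""Removable-media intake: multi-engine scan, OOXML content sanitisation (CDR)
and a transfer manifest. Added example; engines, policy and the sample file are
constructed stand-ins, not a real kiosk product."""
import hashlib
import io
import re
import zipfile

# Assumed site policy: only these types may come in from removable media.
ALLOWED_EXTENSIONS = {".txt", ".csv", ".pdf", ".docx", ".docm", ".xlsx"}
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx"}
# OOXML parts that carry active content; CDR drops them and keeps the rest.
ACTIVE_PART_PATTERNS = (
    re.compile(r"vbaProject\.bin$"),
    re.compile(r"vbaData\.xml$"),
    re.compile(r"/embeddings/oleObject\d*\.bin$"),
    re.compile(r"/activeX/"),
)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_engine(name, patterns):
    """Constructed stand-in for one vendor AV engine: a byte-pattern matcher."""
    def scan(data):
        return [f"{name}:{p.decode()}" for p in patterns if p in data]
    return scan


# Overlapping signatures: a miss by one engine can still be caught by another.
ENGINES = [
    make_engine("engine-a", [b"CONSTRUCTED-MARKER-A"]),
    make_engine("engine-b", [b"CONSTRUCTED-MARKER-B", b"CONSTRUCTED-MARKER-A"]),
]


def multi_engine_scan(data):
    """Run every engine; any single hit is enough to block the file."""
    return [hit for engine in ENGINES for hit in engine(data)]


def sanitize_ooxml(data):
    """Minimal CDR: rebuild the package without active-content parts and without
    the content-type and relationship entries that point at them."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        removed = [n for n in src.namelist() if any(p.search(n) for p in ACTIVE_PART_PATTERNS)]
        basenames = [re.escape(n.rsplit("/", 1)[-1]) for n in removed]
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for name in src.namelist():
                if name in removed:
                    continue
                body = src.read(name)
                if name == "[Content_Types].xml" or name.endswith(".rels"):
                    text = body.decode("utf-8")
                    for base in basenames:
                        text = re.sub(r'<Override[^>]*%s"[^>]*/>' % base, "", text)
                        text = re.sub(r'<Relationship[^>]*Target="[^"]*%s"[^>]*/>' % base, "", text)
                    body = text.encode("utf-8")
                dst.writestr(name, body)
    return out.getvalue(), removed


def package_parts(data):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def read_part(data, name):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name).decode("utf-8")


def process_file(filename, data):
    """Intake decision for one file plus the bytes allowed to cross into the OT network.
    The returned entry is what a kiosk would log to its managed-transfer manifest."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    entry = {"file": filename, "sha256_before": sha256(data), "detections": [],
             "removed_parts": [], "sha256_after": None, "decision": None}
    if ext not in ALLOWED_EXTENSIONS:
        entry["decision"] = "blocked:type-not-allowed"
        return entry, None
    entry["detections"] = multi_engine_scan(data)
    if entry["detections"]:
        entry["decision"] = "blocked:detected"
        return entry, None
    # A behavioural sandbox verdict would be consulted here, before sanitisation.
    clean = data
    if ext in OOXML_EXTENSIONS:
        clean, entry["removed_parts"] = sanitize_ooxml(data)
        entry["decision"] = "sanitized"
    else:
        entry["decision"] = "allowed"
    entry["sha256_after"] = sha256(clean)
    return entry, clean


def build_sample_docx(with_macro):
    """Constructed minimal OOXML package; just enough structure for the CDR step."""
    types = ['<Types><Override PartName="/word/document.xml" ContentType="application/xml"/>']
    rels = ['<Relationships><Relationship Id="rId1" Type="styles" Target="styles.xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>')
            rels.append('<Relationship Id="rId2" Type="vbaProject" Target="vbaProject.bin"/>')
            z.writestr("word/vbaProject.bin", b"CONSTRUCTED-VBA-BLOB")
        z.writestr("[Content_Types].xml", "".join(types) + "</Types>")
        z.writestr("word/_rels/document.xml.rels", "".join(rels) + "</Relationships>")
        z.writestr("word/document.xml", "<w:document><w:body><w:p>hello</w:p></w:body></w:document>")
        z.writestr("word/styles.xml", "<w:styles/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("report.docm", build_sample_docx(True)),
                       ("notes.txt", b"hello CONSTRUCTED-MARKER-A"),
                       ("setup.exe", b"MZ")]:
        entry, _ = process_file(name, blob)
        print(entry["file"], entry["decision"], entry["removed_parts"], entry["detections"])
```

The manifest entry records a hash before and after sanitisation, so the file that reaches the OT side can be matched back to what was scanned at the kiosk; that pairing is what a managed file transfer system needs in order to give the traceability the answer mentions.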
What else can be done to keep these sites secure without putting unnecessary barriers in the way of progress?
That balance is really important. You don’t want security to be a bottleneck, but you also can’t afford to relax just because the site isn’t producing energy anymore. The best approach is to ensure security is part of the decommissioning process itself.
Specialist tools are really important here since many legacy OT systems aren’t compatible with traditional endpoint protection. Decommissioning projects need to ensure they have solutions that are designed to monitor activity and spot anomalies in OT systems.
Secure workflows also play a big role. Managed secure file transfer tools help you control and track data movement, while encryption and data loss prevention keep sensitive information protected.
Data diodes are another powerful tool for segmenting and controlling how and where data is able to flow inside the OT network. These are hardware devices that physically enforce a unidirectional data flow, ensuring that traffic flows only from one network to another, making it impossible to inject data or exert command and control (C2) necessary for remotely orchestrated attacks. Such controls should all be tied into the removable media data security.
In the end, the goal is to treat decommissioned sites with the same level of security rigour as operational ones. That mindset shift is key, because in the eyes of threat actors, these sites are still tantalisingly valuable and potentially vulnerable.
James Neilson is SVP International at OPSWAT
Image: Jasom Hu