Securing Digital Technologies of the Next Generation of Nuclear Reactors

All innovations bring potential benefits that could transform industries, but they also bring potential risks. In the nuclear field, advanced nuclear reactors, including small modular reactors (SMRs), are incorporating innovative technologies, particularly digital technologies that yield novel solutions.

There is growing interest in SMRs. These advanced nuclear reactors have a limited power capacity — typically up to 300 MW(e) per unit, which is about one third of the generating capacity of traditional nuclear power reactors. However, the use of cutting-edge digital technology in these new reactors brings new challenges in terms of nuclear safety and security. There are more than 80 SMR designs and concepts in various stages of development around the world.

“One challenge for deploying SMRs is how to accelerate the development of their technology and demonstrate their level of readiness while maintaining compliance with nuclear safety and security standards,” said Rodney Busquim e Silva, Information Technology Security Officer at the IAEA. “This reinforces the need for digital instrumentation and control and computer security solutions to be considered and maintained during the SMR life cycle.”

Computer-based solutions and challenges

The innovative designs of SMRs rely on digital instrumentation and control (I&C) systems that enable their innovative features. The increased digital technologies needed for automation, remote supervisory control and maintenance, along with other novel features, highlight the need for computer-based solutions.

Some SMRs are designed for nuclear power deployment in isolated areas and for a reduced number of on-site staff, which may result in the need for constant and reliable remote monitoring. Given the design of digital I&C systems, the application of computer security measures should be a prerequisite for secure communication between the SMR site and a support centre. “The need to exchange information may introduce pathways that can be exploited by cybercriminals and therefore require robust cybersecurity considerations applied to the communication infrastructure,” said Mike St. John-Green, a computer security expert based in the United Kingdom. “The confidentiality, availability and integrity of information must be protected for remote operations to ensure the safe and reliable operation of SMRs and associated infrastructure.”

Artificial intelligence (AI) and machine learning (ML) also support the operations of SMRs. AI refers to technologies that produce systems capable of tracking complex problems, while ML technologies learn how to complete a particular task based on data. By combining digital simulations of nuclear facilities and monitoring control systems with AI systems, the nuclear industry seeks to optimize complex functions, which could increase operational efficiency. These benefits do, however, come with the potential for cyberattacks. For example, the software-based algorithms needed for AI and ML rely on databases that could be manipulated to cause erroneous AI decision making.

“These systems may be subject to code injection, for example, feeding them intentionally with corrupt data, during the development process, delivery or software installation. The challenge overall is how to produce sufficient transparency of the AI/ML algorithms. The acceptable use of AI/ML must be clearly defined with acceptable levels of risk,” said Si Wen, a PhD student from Tsinghua University in China.

Security by design

Experts agree that the computer security of nuclear facilities must be considered from the outset. This proactive approach, known as security by design, draws on best practices and lessons learned from experience, and implements a ‘by design’ concept that is also applied to nuclear safety, safeguards and decommissioning.

Computer security by design aims to reduce security risks at the source through an approach that considers systematic and consistent security through all phases in the lifetime of the facility or process. “Computer security measures need to be considered and maintained during the entire SMR lifecycle, from design to operation to decommissioning,” Busquim e Silva said. “When security, including cybersecurity, is considered from the outset, facility developers can make design choices that will make facilities safer and more secure, efficient and cost-effective.”

The role of the IAEA

The IAEA connects experts from nuclear and other organizations to discuss and identify computer security related issues and challenges related to the technological and operational characteristics of SMRs. For example, in February 2022, the IAEA hosted a Technical Meeting on I&C systems and computer security for SMRs to foster cooperation and to facilitate information exchange among international experts. Participants agreed that there is a need to harmonize national approaches and regulations to make the international market for SMRs viable. “The I&C solutions on standardized SMRs open a whole new technical field. The increasing automation needed for new modes of operation, and the extensive use of digital systems, call for computer security measures and engineering solutions from the design level to guarantee safe and secure plant operation,” said Jorge Casanova, who attended the meeting as a representative of the Nuclear Regulatory Authority in Argentina.

In March 2023, the IAEA also conducted a workshop to further explore the development of technical capabilities related to computer security and I&C for SMRs. Furthermore, the IAEA plans to launch a coordinated research project on the topic in 2024.