CyberCon26: Key Takeaways on Nuclear Cybersecurity

1. Security beyond national borders

CyberCon26 made clear that nuclear cybersecurity is never only a local or internal matter. A serious incident at a nuclear facility could affect energy supply, environmental safety, public trust, and international relations far beyond one country.

This is why the IAEA’s role was central. As a UN-linked global forum, it brings together regulators, operators, researchers, and industry experts who must work across different technologies, rules, and threat environments. Recent events around the Zaporizhzhia Nuclear Power Plant and drone activity near sensitive sites have also shown that nuclear security must be treated as an international responsibility, including in cyberspace.

2. Science as practical protection

The conference also highlighted the importance of universities, researchers, and independent expert communities. Nuclear systems often operate for decades under strict regulation, while digital risks connected to AI, remote diagnostics, industrial control systems, and supply chains are changing quickly.

Research helps turn these changes into safe, usable practice. Slovenia’s regulatory and operational examples showed how valuable international knowledge sharing can be, especially for smaller countries. In nuclear cybersecurity, research is not an abstract background activity; it is essential for keeping defenses up to date.

3. Modeling instead of risky testing

In many industries, new ideas can be tested directly. Nuclear power plants do not allow that level of experimentation, especially around safety-critical systems. This makes models and simulations particularly important.

Digital twins, deterministic and probabilistic safety analysis, fault trees, and event trees help experts understand what could go wrong, what protections are in place, and where a chain of events can be stopped. This is especially useful in cybersecurity, where attacks often result from several smaller weaknesses combining rather than from one single failure.

4. Careful words, clear message

Public discussion of nuclear cybersecurity is often cautious for good reason. Too much detail could help attackers, while too little would limit professional learning. CyberCon26 had to balance openness with the protection of sensitive nuclear security information.

General terms such as “supply chain risk” or “access control issue” can cover many real situations, from faulty updates to excessive permissions or poor logging. The Sellafield case in the United Kingdom showed this balance clearly: in 2024, the nuclear regulator imposed a £332,500 fine for cybersecurity deficiencies, while public technical details remained limited.

5. Change takes longer in nuclear environments

Another important takeaway was that implementation is naturally slower in the nuclear sector. Even a cybersecurity improvement can affect licensing, operating procedures, maintenance, training, and safety analyses.

That is why “security by design” received strong attention. Cybersecurity should be built into advanced reactors, new digital systems, and modern operating models from the beginning, not added later. This is especially relevant for countries planning new nuclear capacity, while older plants must strengthen protection without compromising operational and nuclear safety.

6. People are as important as technology

The shortage of cybersecurity specialists is a major challenge, and it is even more difficult in the nuclear field. Experts need more than general IT knowledge: they must also understand industrial control systems, operational technology, safety culture, regulation, and incident management.

CyberCon26 therefore emphasized training, capacity building, and knowledge sharing. As Japanese co-chair Yosuke Naoi noted, cyber threats are growing in scale and complexity while often remaining invisible. Long-term resilience depends on investing not only in systems, but also in people.

7. Practice in safe environments

Simulations, tabletop exercises, capture-the-flag competitions, cyber ranges, and interactive demonstrations were among the most useful parts of the conference. Although some formats may look playful from the outside, their purpose is serious.

They allow professionals to practice incident response without risking live systems. They also reveal weak points in procedures, unclear responsibilities, or communication gaps between technical teams and management. It is far better to discover these problems during an exercise than during a real incident.

8. A complex field with a human core

CyberCon26 showed that nuclear cybersecurity combines technology, regulation, modeling, and international cooperation, but its success ultimately depends on people making good decisions under pressure.

The conference also gave reason for optimism. International cooperation is active, research is strengthening, exercises are becoming more realistic, and younger professionals are showing growing interest in the field. The strong performance of Hungarian colleagues in the CTF also showed that domestic expertise can stand its ground internationally.

The lighter parts of the event, including the escape room, carried the same message in a different form: this field requires cooperation, fast assessment, creativity, and close attention to detail.

Read the full article on our International subsidiary’s website by clicking on the logo: