
On 5 May 2026, the Regulation on Cybersecurity in Nuclear Facilities was published in the Official Gazette No. 33244 and entered into force. I will examine the contents of this regulation in a separate article. Before doing so, however, it is worth asking the following questions: Are nuclear facilities vulnerable to cyberattacks? What types of risks do they face? In order to address these issues, I would like to share several notable incidents from the past.
The Slammer computer worm, also known as Sapphire, first emerged in January 2003. Exploiting a vulnerability in Microsoft SQL Server 2000, this malicious software infected numerous systems within a very short period of time and caused significant disruptions to internet traffic.
On 25 January 2003, the Slammer worm infiltrated the network of the Davis–Besse Nuclear Power Station in the State of Ohio, United States, through an internet-connected computer belonging to an outside contractor. Although the incident did not result in any physical damage, it had a significant impact on plant operations.
It should be noted that approximately one year earlier, in February 2002, the U.S. Nuclear Regulatory Commission (NRC) had issued a security advisory warning licensees about external connections capable of bypassing network perimeter protections. The Davis–Besse plant’s information technology personnel had implemented most of the requirements set forth in this advisory. However, a weakness in the application of cybersecurity procedures relating to contractors allowed the malware to gain access to the facility.
As a result of the attack, both the Safety Parameter Display System (SPDS) and the Plant Process Computer (PPC) were affected.
The SPDS is a critical system that monitors essential safety indicators such as reactor coolant systems, core temperature sensors, and environmental radiation sensors. The system was unavailable for approximately five hours, during which critical safety data could not be accessed. The PPC remained inoperable for more than six hours, temporarily interrupting access to certain operational data. The fact that the plant’s internet connection was severed during this period prevented the malware from spreading further and mitigated the overall impact of the incident.
The Davis–Besse incident clearly demonstrated that cybersecurity at nuclear facilities is not merely a matter of protecting information technology systems, but rather an integral component of nuclear safety itself. While important lessons were learned from this event, subsequent years have shown that nuclear facilities continue to be exposed to serious cyber threats.
One of the most prominent examples is the cyberattack targeting Iran’s Natanz nuclear facility. Although no official source has formally confirmed responsibility, New York Times journalist David Sanger alleged in a series of articles and later in his 2012 book Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power that the attack formed part of a joint U.S.–Israeli covert operation known as “Operation Olympic Games.”
The attack involved the use of a malicious software program known as Stuxnet, which is regarded by some commentators as the world’s first true “cyber weapon”. First identified in June 2010 by the Belarusian cybersecurity firm VirusBlokAda, Stuxnet was specifically designed to target a particular type of Industrial Control System (ICS). The malware focused on computer systems controlling physical infrastructure, including centrifuges and gas valves.
Stuxnet was engineered to remain undetected for extended periods while gradually imposing mechanical stress on centrifuges. In simplified terms, the malware increased the rotational frequency of IR-1 centrifuges to slightly above safe operating limits for a short period (approximately 15 minutes), then returned the system to normal operation for 10 to 20 days. It subsequently reduced the rotational speed below the level required for uranium enrichment for approximately 50 minutes, before again restoring normal operations for another 10 to 20 days. This cycle was repeated continuously.
As a result, operators at the Natanz facility were shown false data indicating that the centrifuges were functioning normally, while in reality the equipment was being subjected to repeated stress through constant acceleration and deceleration. It has been alleged that approximately 1,000 centrifuges—roughly 10 percent of those in operation at the time—were disabled or rendered unusable.
Duqu, another malware strain sharing significant technical similarities with Stuxnet and first detected in 2011, was also used in connection with Iran’s nuclear activities. According to findings by cybersecurity company Kaspersky, Duqu 2.0 was deployed against three European hotels that hosted negotiations among the P5+1 countries and the European Union between 2013 and 2015.
Another notable example occurred in Germany. During routine security inspections conducted on 24 April 2016, malware known as W32.Ramnit and Conficker was discovered on a computer system installed in 2008 in Unit B of the Gundremmingen Nuclear Power Plant, located approximately 120 kilometers northwest of Munich. The affected computer operated data visualization software associated with equipment used to transport nuclear fuel rods. Because the system was isolated from the internet, authorities stated that the malware did not pose a direct threat to the plant’s operational safety.
The same malware was also detected on 18 removable storage devices (USB drives) used with office computers that were kept separate from the plant’s operational systems. According to Symantec, W32.Ramnit is malware designed to steal files from infected systems. First discovered in 2010, it can spread through various means, including USB drives, and may provide attackers with remote access once an internet connection is established. Conficker, first identified in 2008, is a computer worm capable of spreading across networks, copying itself to removable media, and infecting millions of computers worldwide.
Although both malware strains were considered to present significant cybersecurity risks, investigations concluded that the infection remained confined to information technology (IT) systems and did not affect the Industrial Control Systems (ICS) or SCADA infrastructure used in nuclear fuel handling. Moreover, because Unit B was already offline for scheduled maintenance and refueling at the time, the incident had no physical impact on nuclear safety.
Examples of cyberattacks targeting nuclear facilities are numerous. In 2014, cyberattacks attributed to North Korea resulted in the theft of reactor drawings, technical documents, and employee information from Korea Hydro & Nuclear Power (KHNP). In 2022, the Russian hacking group known as Cold River targeted three U.S. nuclear research laboratories. In another incident, India’s Kudankulam Nuclear Power Plant was the target of a cyberattack by the Lazarus Group in September 2019.
Ultimately, all of these incidents demonstrate that even facilities protected by the highest levels of security remain vulnerable to cyber threats. As technology evolves, so too do the associated risks. Accordingly, proper risk assessment and the development of legal frameworks that evolve in parallel with technological advances are essential to reducing potential threats.
I wish everyone safe and secure days ahead.
