Strengthening Nuclear Energy Security: Key Considerations for Critical Infrastructure Protection and interdependency

Image from: Nuclear Energy Agency. ‘Examining the Safety of Small Modular Reactors’. Nuclear Energy Agency, 2022. https://www.oecd-nea.org/jcms/pl_71126/examining-the-safety-of-small-modular-reactors.

Strengthening Nuclear Energy Security: Key Considerations for Critical Infrastructure Protection and interdependency

As final-stage consultations are underway about a groundbreaking deployment of a Small Modular Reactors (SMRs) in Ontario, Canada,[1] the Canadian Nuclear Safety Commission (CNSC) has released a Discussion Paper called “Future Amendments the Nuclear Security Regulations: Granting Peace Officer Powers, Initiating a Complaints Investigation Mechanism, and Transferring of Firearm Ownership to Licensees”[2].

This is an ideal opportunity to consider critical infrastructure protection and the evolving nature of cyber security, using SMR energy as a highly relevant example.

Security and SMRs

SMRs are emerging as a key component of Canada’s nuclear energy strategy, but their reliance on remote access technologies poses unique security challenges. Unlike conventional reactors, SMRs are designed for remote monitoring and operation, requiring robust physical and cybersecurity measures to safeguard against cyber threats.

Ultimately, there needs to be a degree of collaboration and overlap between physical and cyber security. Otherwise, vulnerabilities are sure to open where the physical-cyber practices meet due to mis-understandings about mandates, roles and responsibilities.

Physical security providers need to be trained and equipped for basic cyber-surveillance capabilities, while cyber security providers need a keen awareness and surveillance of physical security status, safeguards and controls.

Physical Security for SMR communications infrastructure

Remote access ultimately depends on physical, real-world network connections —components that require physical protection. These communication links face risks such as disruption, unauthorized access, and localized cyberattacks (cyber attacks enabled by gaining local physical access to network connections).   Physical security staff need to protect the equipment and potentially be able to support emergency administration if remote administration is lost.

What are some examples of how physical security underpins cyber security?

1. Physical Protection of Communications Infrastructure: SMRs, due to their reliance on remote access technologies, will depend on a mix of wireless, fixed-line, and satellite connectivity. This infrastructure must be physically protected to ensure continued operational integrity. Communications infrastructure will be physically vulnerable where it enters and exits the SMR facility (aka demarcation points). This includes physical junctions, antennas, and exposed conduits, which may be susceptible to tampering, disruption, or sabotage.
2. Proximity protection: Beyond the demarcation points, infrastructure such as fiber optic cables, cellular towers, and satellite ground stations are also susceptible to jamming (availability), eavesdropping (confidentiality) and even injection (integrity) attacks. These sorts of attacks are probably easier in built-up areas where structures offer cover and power for attack-equipment, versus remote SMR installations.
3. Redundancy equals resilience: Given the importance of remote connectivity in SMR operations, diverse communication technologies (fiber, copper, cellular, satellite, and point-to-point radio) must be coordinated to ensure redundancy while maintaining stringent security protocols. This means that physical security must support multiple forms of communication infrastructure like wireless, fiber and satellite.
4. Management and coordination: as remote access technologies become critical supporting infrastructure for SMR, the coordination and collaboration of physical and cyber/logical security is imperative.

Addressing these risks effectively requires collaboration between SMR physical security officers and cybersecurity teams.

Cyber Security, Remote access and SMRs

Beyond the evolving physical communications infrastructure security, SMR cyber security is an active area of activity.

Canadian Nuclear Laboratories (CNL) is actively researching cybersecurity resilience for industrial control systems, essential to SMR functionality.[3] Similarly, the U.S. Nuclear Regulatory Commission (NRC) has explored the feasibility of remote operations for advanced reactors, noting that remote operation involves primary command and control of a nuclear power plant from a location outside the reactor site boundary.[4]  Meanwhile, companies like  GE Hitachi advocate cybersecurity programs for SMRs that assume remote access technologies will be employed[5].

Complimentary to need for remote access, the Canadian Nuclear Safety Commission (CNSC) has developed cybersecurity review criteria to assess how SMR designs meet regulatory requirements, underscoring the importance of robust cybersecurity measures in these reactors.[6]  CNL itself is actively engaged in enhancing cybersecurity resilience for critical infrastructure, including SMRs. Their efforts focus on providing capabilities and infrastructure necessary for research into cybersecurity for industrial control systems, which are integral to the operation of SMRs.[7]

Finally, the security of remote access technologies is grounded in cryptography. Today’s generation of cryptography is approaching a critical security inflection point in the face of rapidly scaling quantum computers; all secure remote access technologies in common use become vulnerable to attack once sufficient scale is achieved.

Estimates on when a cryptographically relevant quantum computer will become available  range from less than 5 years to greater than 15 years[8] – all within the typical 30+ year service-life of an SMR.

The Canadian federal government has recognized the risks to remote access and other cryptography-dependent technologies (like Identity and Access Controls) and actively promotes efforts around quantum safety in cybersecurity and cryptography.

• National Quantum Strategy (2023) prioritizes secure quantum communications and post-quantum cryptography (PQC)[9].
• Canadian Centre for Cyber Security (Cyber Centre) published quantum threat guidance in Feb 2025, urging transition to PQC[10].
• Cyber Centre supports NIST PQC standards (Aug 2024) to protect against quantum-enabled threats[11].
• Canada is exploring AUKUS membership to enhance quantum defense collaboration[12]

For remote access to SMRs the threat posed by quantum computers is forward-looking but existential.  The only reasonable means of risk management is to be prepared in advance, at time of deployment. Not only should post-quantum cryptography should be integrated into SMR remote access solutions, but physical security staff trained to verify that such measure are in place and properly managed as a form of oversight to IT management, ensure resilience.

Addressing Cybersecurity Policy Gaps

With the arrival of SMRs, the gaps in cybersecurity policy become evident; for instance, Ontario Power Generation’s (OPG) Cyber Security Policy does not address the integration of cyber and physical security for SMRs[13]. This gap presents an opportunity to equip physical security officers with the skills and resources needed to support the evolving security demands of power generation in Ontario and beyond.  Similarly, regulation and guidelines from CNSC are silent on the threats poses by quantum computers to nuclear infrastructure protection and security.

As Canada moves forward with nuclear security regulations and the deployment of SMRs, it is essential to balance regulatory amendments and cybersecurity advancements.

This also represents a golden opportunity for Canadian technology, where some of the most advanced post-quantum cryptography products, including remote access products, are available from Canadian companies.

[1] Source CNSC – https://open.canada.ca/data/en/dataset/0968ddc5-710e-4388-b379-184764df6f4c

[2] Source CNSC – https://open.canada.ca/data/en/info/2b91ba73-6b14-45cd-9659-211db5011e35

[3] See SAFETY AND SECURITY FOR SMALL MODULAR NUCLEAR REACTORS IN CANADA, Canadian Nuclear Labs – https://conferences.iaea.org/event/181/contributions/15437/attachments/9190/12388/Paper_-_Safety_Security_for_SMR_in_Canada_-_G._Bentoumi_final.pdf

[4] See Ground Rules for Regulatory Feasibility of Remote Operations of Nuclear Power Plants, U.S. Nuclear Regulatory Commission – https://www.nrc.gov/docs/ML2129/ML21291A024.pdf

[5] See – GE Hitachi – BWRX-300 UK Generic Design Assessment (GDA) Chapter 25 – Security

[6] See CNSC – https://www.cnsc-ccsn.gc.ca/eng/resources/research/technical-papers-and-articles/2019/assessing-cyber-security-smrs/

[7] See CNL – https://www.cnl.ca/safety-security/cyber-resiliency-for-critical-infrastructure/

[8] See Quantum Risk Report, Global Threat Institute – https://globalriskinstitute.org/publication/2024-quantum-threat-timeline-report/

[9] See Capital Hill Group – https://capitalhillgroup.ca/canadas-national-quantum-strategy-unveiled/

[10] See CCCS – https://www.cyber.gc.ca/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017

[11] See CCS – https://www.cyber.gc.ca/en/news-events/cyber-centre-celebrates-new-nist-post-quantum-standards

[12] See Reuters – https://www.reuters.com/world/canada-talks-about-joining-expanded-aukus-defence-chief-blair-says-2024-09-13/

[13] See – https://www.opg.com/documents/cyber-security-policy-pdf