Lessons learned from the CyberCon26 conference

Lesku Gergely

Key lessons from CyberCon26 show why protecting nuclear facilities is no longer just technical: it depends on global cooperation, research, simulations, skilled people, and secure training.

1. International cooperation in a particularly sensitive area

Perhaps one of the most important lessons for outsiders from CyberCon26 is that, in the world of nuclear cybersecurity, cooperation carries a weight quite different from that in many other industries. The security of a nuclear power plant is never solely the internal affair of a single company or country. The impact of a serious incident can cross national borders, affecting energy supply, environmental safety, public confidence, and international relations.

This is why it is particularly important that the conference was organized by the IAEA, the International Atomic Energy Agency. The IAEA is a global professional forum linked to the UN system, whose membership provides a unique opportunity for authorities, operators, researchers, and industry players from different countries to develop a common language. This is particularly difficult in cybersecurity, as every country works with different technologies, regulatory traditions, and threat environments.

The International Conference on Computer Security in the Nuclear World: Securing the Future is taking place in Vienna from 11 to 15 May. (Picture: D.Calma/IAEA).

Recent events have also demonstrated why this is important. The incidents surrounding the Zaporizhzhia Nuclear Power Plant in Ukraine, drone activities, and the war environment have highlighted that the security of nuclear facilities can no longer be viewed solely as a technical issue. Rafael Mariano Grossi, Director General of the IAEA, has repeatedly emphasized that any risky military or technological activity near nuclear facilities is unacceptable. This principle also applies to cyberspace: nuclear safety is an international responsibility.

2. Without researchers and universities, there can be no real progress

Another key message from CyberCon26 was that there is a particularly great need for researchers, universities, and independent professional workshops in the field of nuclear cybersecurity. Hundreds of experts attended the conference, including representatives from regulatory agencies, plant operators, research institutes, university researchers, and industry partners. This may seem unusual from the outside, but in this field, scientific expertise has practical significance.

The systems used in nuclear power plants have long lifespans, are strictly regulated, and often operate for decades. Meanwhile, the risks associated with digital technologies, artificial intelligence, remote diagnostics, industrial control systems, and supply chains are changing rapidly. The researchers’ task is precisely to integrate these changes into operations in a way that leaves no room for error, and only experts with extensive operational experience can design such systems. This is a challenge that is almost exclusively within the reach of researchers at universities or experts with decades of experience working closely with them.

A good example of this is Slovenia, which presented both regulatory and operational experiences at the conference. For a smaller country, international knowledge sharing is particularly valuable, as it provides access not only to its own experiences but also to the methods and lessons learned by other nations. Researcher participation is therefore not merely a theoretical issue here; in nuclear cybersecurity, it is the only way for defenses to keep pace with the threats.

3. Why are models and simulations so important?

To an outsider, it may come as a surprise just how important theoretical models are in nuclear cybersecurity. In other sectors, learning often involves rapid testing, trial runs, or measurements taken on live systems. In the case of a nuclear power plant, the scope for experimentation is much narrower. With safety-critical systems, you can’t simply “test” what happens in the event of a serious failure or attack.

This is why concepts such as the digital twin, deterministic and probabilistic safety analysis, and fault tree and event tree analysis come into play. These may sound abstract at first, but the essence is simple: experts try to understand in advance what sequence of events could lead to a problem, what layers of protection are available, and at which points the process can be interrupted.

An example of just how important hands-on exercises are: training, tabletop exercises, penetration testing, CTFs, etc. (**Development of Cybersecurity Inspection Training for Asia, Integrated Support Center for Nuclear Nonproliferation, Security and Human Resource Development, Japan Atomic Energy Agency (ISCN/JAEA))**

Deterministic analysis examines whether security systems can perform their tasks in the event of a given hypothetical scenario. Probabilistic analysis adds to this by assessing the likelihood of certain events occurring and the potential consequences they may entail. In cybersecurity, these methods are important because an attack rarely consists of a single flaw. Often, minor weaknesses, human decisions, supplier risks, and technical vulnerabilities are interconnected. Modeling helps us identify these issues not after the fact, but in a timely manner.

4. Limits on Public Discourse: Why Is Everyone Speaking So Cautiously?

Discussions on nuclear cybersecurity often feature cautious, generalizing language. There is a good reason for this. Too much detail can aid attackers, while too little information hinders learning and professional dialogue. This duality was present throughout CyberCon26 as well: the conference functioned as an open professional forum, while every participant had to take into account the protection of sensitive nuclear security information.

As an outsider, this can sometimes be frustrating. In a presentation or report, we often see only terms like “supply chain risk,” “access control issue,” or “incident management lesson.” Behind these terms can lie very different real-world situations: a faulty software update, improper remote access, overly broad permissions, a compromised engineering workstation, or inadequate logging.

The case of Sellafield in the UK illustrates this difficult balance well. In 2024, the UK’s nuclear regulatory authority imposed a fine of £332,500 for cybersecurity deficiencies. Public communications provided limited specific technical details, while the message was clear: cybersecurity deficiencies in the nuclear sector must be taken seriously even if they do not lead to a direct accident.

5. Why is the implementation of practical results taking longer?

One of the conference’s key takeaways—one that is instructive even for outsiders—is that change in the nuclear industry is, by its very nature, slower. This is not simply a matter of organizational caution or technological conservatism. In a nuclear power plant, any modification can affect licensing, operating procedures, maintenance, training, and safety analyses. Implementing a new cybersecurity solution therefore raises far more questions than in an office IT system.

“Security by design”—that is, building security in from the early stages of design—is why it received special attention at CyberCon26. With advanced reactors, new digital systems, and modern operating models, it is no longer sufficient to add layers of protection after the fact. Security must be made an integral part of design, licensing, and operation.

This is particularly important in countries considering new nuclear power plant capacity, such as Poland or the United Arab Emirates. New investments provide an opportunity to integrate cybersecurity considerations from the very beginning. The task is more difficult for older power plants: there, existing systems must be made more secure while maintaining the priority of operational safety and nuclear safety.

6. The shortage of skilled workers is a daily challenge here as well

The shortage of cybersecurity professionals is a well-known problem worldwide, but it is particularly acute in the nuclear sector. Here, it is not enough to have general IT or cybersecurity knowledge. Specialists must also understand industrial control systems, operational technology, nuclear safety culture, the regulatory environment, and incident management. There are few people who can grasp all of this at once.

Meanwhile, the number of tasks is constantly growing. Experts must deal with protecting legacy systems, evaluating new digital solutions, managing the supply chain, conducting audits, providing training, running incident drills, and supporting day-to-day operations. This leads to overload in many organizations.

The slide below recommends a security-enabled middleware solution. („**Ensuring Safe and Explainable AI Integration in Nuclear Power Plants through Model Context Protocol**, Authors: Boyuan Li, Jianghai Li, Tien Anh Hoang, Chao Guo)

CyberCon26 therefore placed a strong emphasis on capacity building and knowledge sharing. According to a key insight from Japanese co-chair Yosuke Naoi, the threat of cyberattacks is evolving in both scale and complexity, while often remaining invisible. This invisibility makes it difficult for decision-makers and the broader public to grasp the urgency of the problem. The lesson is simple: nuclear cybersecurity will only be sustainable in the long term if we consistently invest not only in technology but also in training and retaining personnel.

7. Exercises, simulations, and CTFs: learning in a secure environment

The various exercises—simulations, tabletop exercises, capture-the-flag competitions, cyber range-style environments, and interactive demonstrations—were both engaging and informative highlights of the conference. While these may seem like games from the outside, they play a very serious role in nuclear cybersecurity.

Since testing on live systems is limited, experts need environments where they can practice without risk. During a tabletop exercise, for example, participants go through what each person would do in the event of a hypothetical incident: when to alert management, how to involve the authorities, what information can be shared, and how to communicate with the public. A CTF competition develops the same mindset from a technical perspective: participants must search for clues, understand systems, and recognize connections.

One of the greatest values of such exercises is that they also reveal organizational shortcomings. It may turn out that a process works on paper but is too slow in practice; that areas of responsibility are unclear; or that the technical team and management speak different languages. It is much better to recognize these issues in a simulation than during a real incident.

8. So what was this Vienna conference like?

The key message of CyberCon26 for outsiders is that nuclear cybersecurity is both an extremely complex and a very human field. Technology, regulation, modeling, and international cooperation are all indispensable, but ultimately, it is people who prepare for unexpected situations, people who make decisions under pressure, and people who learn from each other’s experiences.

The conference also demonstrated that there is reason for optimism in this field. The international community is active, the research base is growing stronger, exercises are becoming increasingly realistic, and the world of nuclear cybersecurity is becoming more attractive to younger professionals as well. It is particularly gratifying that our Hungarian colleagues performed well at the CTF, indicating that domestic expertise is competitive even in an international setting.

In addition to the serious topics, the conference also had a lighter side. The escape room was great fun, while teaching exactly what is needed in this field: cooperation, rapid situation assessment, creative problem-solving, and attention to the smallest details.