The interview, headlined “Securing US Nuclear Critical Infrastructure: What Next?”, specifically focused on how Iran could pursue a cyber-enabled counterattack in retaliation for American strikes that targeted three vital pillars of the Shi'a nation’s nuclear weapons program in June: a uranium enrichment facility, a power plant, and a nuclear technology center.
In the aftermath of so-called “Operation Midnight Hammer,” multiple domestic intelligence agencies immediately urged “organizations, especially those within U.S. critical infrastructure, to remain vigilant” against the threat of “Iranian state-sponsored or affiliated threat actors,” according to a press release.
Other themes Mark elaborated on included the accelerating adoption of AI by the nuclear industry, the sector’s slow embrace of Zero Trust security strategy, vulnerability management, and the outsized threat posed by portable media in nuclear environments. But geopolitically motivated cyberattacks targeting American nuclear organizations were the focal point of the discussion.
While a cyberattack on a U.S. commercial nuclear installation is hardly the most likely scenario for an Iranian counterstrike, such an event would constitute the most symmetric form of reprisal, given Iran’s relatively limited military capabilities.
In fact, Iran-nexus hacktivists like Lulzsecblack have already attempted post-Midnight Hammer cyber-psychological operations (PSYOPS) campaigns, boasting that they had hacked an Indian “company responsible for Indian nuclear reactors” and stolen 80 related databases.
The group made these claims in June in a listing posted on Dark Forums, which has become the premier English-language cybercriminal community in the wake of the latest Breach Forums disruption.
Lulzsecblack claims to have hacked Indian nuclear targets, Source: Dark Forums
However, multiple cybersecurity vendors debunked Lulzsecblack’s claims and assured the public that the group’s “statements are overstatements, having no connection to reality.” Instead, these 'pseudo-hacktivist' activities by Iran were “designed to provoke fear, uncertainty and doubt,” according to a vendor that spoke with BankInfoSecurity.
Beyond the threat of nuclear-related cyberattacks, Iran-sponsored hacktivists’ targeting of India also has a likely nexus to the South Asian nation’s most recent conflagration with neighboring Pakistan, a Muslim-majority country. Additionally, India is designated by the U.S. as a “Major Defense Partner.”
Recent Malicious Campaigns Targeting the Nuclear Sector
Nevertheless, the disturbing scenario of a successful Iranian cyberattack on a U.S. nuclear organization dovetails with a threat landscape where several cyber threat intelligence (CTI) firms have noted a marked rise in attacks and PSYOPS campaigns targeting the sector.
Fortunately, there are no indications that threat actors have successfully breached mission-critical nuclear operational technology (OT) networks. Based on observed attacks, threat actors targeting the sector generally fall into three categories: ransomware gangs, hacktivists, and state-sponsored advanced persistent threat (APT) groups.
In an April report, Resecurity noted how a “spin-off" group of the Babuk ransomware gang “targeted Nuclebrás Equipamentos Pesados S.A., commonly shortened to NUCLEP, a Brazilian state-owned nuclear company specialized in nuclear engineering.” In fact, this data was compromised eight months prior to the Babuk announcement by another ransomware gang that calls itself Meow.
NUCLEP ransomware announcement, Source: Hackmanac
The Resecurity report also highlighted the activity of the prolific pro-Russian hacktivist group NoName057(16). In March, the threat group claimed to have executed a successful distributed denial of service (DDoS) attack on Framatome, a French nuclear reactor company jointly owned by public utility Électricité de France and Mitsubishi Heavy Industries.
Framatome DDoS Announcement, Source: X
Fortunately, Europol announced last week that a joint international operation, cheekily codenamed “Eastwood,” significantly disrupted the gang’s infrastructure and operations. According to the Europol press release announcing this takedown, law enforcement actions “led to the disruption of an attack-infrastructure consisting of over one hundred computer systems worldwide, while a major part of the group's central server infrastructure was taken offline.”
“In total, national authorities have issued seven arrest warrants, which are directed, inter alia, against six Russian nationals for their involvement in the NoName057(16) criminal activities,” according to the press release. Additionally, the press announcement noted that six of these arrest warrants were issued for individuals living within the Russian Federation. All implicated NoName057(16) suspects are now internationally wanted, the press release said.
Operation Eastwood infographic, Source: Europol
Beyond these threat actors, Kaspersky research published last year highlighted a suspected Lazarus Group campaign that targeted several employees from a nuclear-related organization. Lazarus Group is a North Korean state-sponsored APT group.
In a campaign dubbed “Operation Dreamjob” by Kaspersky, these nuclear sector employees were lured by Lazarus threat actors with fake job recruitment pitches. Victims were “infected via three compromised archive files appearing to be skill assessment tests for IT professionals,” according to Kaspersky research.
The bottom line is that nuclear sector-focused cyberattacks are a disturbing reality—and they’re on the rise, making Mark’s interview with ISMG critically relevant for the industry. Below are some of the key takeaways from Mark’s conversation with ISMG.
Key Takeaways from Mark’s Interview
The five topics elaborated upon by Mark include nation-state cyber threats to the nuclear sector, industry-wide deficiencies in portable media security, AI adoption, Zero Trust in nuclear environments, and vulnerability management and regulatory gaps.
1. Nation-State Threats & Anticipated Iranian Reprisal
- Cyberattack risk is rising, particularly from nation-state actors such as Iran, whose prior experience with Stuxnet informs the nuclear sector’s current threat model.
- The nuclear sector has long anticipated cyber reprisals following geopolitical events, leading to deliberate isolation strategies (e.g., eliminating internet ingress).
- Although radiological release is extremely difficult, a well-designed cyberattack could cause massive disruption, equipment damage, or prolonged outages with $50–60 million in losses and significant reputational damage.
- Mark warns that while physical attacks by nation-states are unlikely, cyber pathways provide a more realistic vector—and yet many plants still operate under the assumption that APT-level threats are outside their scope.
2. Deficiencies in Portable Media Security
- Mark identifies portable media as the single largest cybersecurity threat in the nuclear industry.
- Current controls largely rely on signature-based detection, which would fail against custom-built or lightly modified malware like Stuxnet. Unlike leading competitors, InfraShield is the only vendor that validates portable media (PM) devices against a “known good” baseline, rather than against the signatures indexed in AV and EDR databases.
- Mark criticizes the status quo as overly reliant on outdated AV scanning and lacking zero trust or behavioral validation models.
- InfraShield and others are advocating for strict whitelisting, device integrity validation, and physical access controls (e.g., port blockers) to mitigate both adversarial and human error risks.
- The performance-based regulatory model leads to uneven implementation of these controls across plants, with no uniform baseline enforced.
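The “known good” model described above can be made concrete with a small allowlist check. The following Python script is an added example written for this article; it is not InfraShield’s product code, and the device identifiers, file names and file contents are constructed. It models a plant-issued media inventory (device allowlist) plus a manifest of SHA-256 hashes for an approved vendor bundle, and denies the media if the device is unknown or any file is added, removed or altered. Because the decision is made against what is expected rather than against a list of known-bad signatures, a never-before-seen payload is caught simply because it is not on the manifest.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Constructed allowlist of plant-issued media, keyed by (vendor_id, product_id, serial).
# These identifiers are hypothetical; a real deployment would populate them from
# the plant's media-control inventory.
APPROVED_DEVICES = {
    ("0781", "5583", "PLANT-USB-0001"),
    ("0781", "5583", "PLANT-USB-0002"),
}


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large vendor bundles do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class MediaVerdict:
    device_approved: bool
    modified: list = field(default_factory=list)    # on manifest, hash differs
    unexpected: list = field(default_factory=list)  # present on media, not on manifest
    missing: list = field(default_factory=list)     # on manifest, absent from media

    @property
    def allowed(self) -> bool:
        # Deny by default: any deviation from the known-good manifest blocks the media.
        return self.device_approved and not (self.modified or self.unexpected or self.missing)


def validate_media(device_id, mount_dir, approved_devices, manifest) -> MediaVerdict:
    """Compare every file on the mounted media against the known-good manifest."""
    verdict = MediaVerdict(device_approved=device_id in approved_devices)
    seen = set()
    for root, _dirs, files in os.walk(mount_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, mount_dir).replace(os.sep, "/")
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                verdict.unexpected.append(rel)
            elif sha256_file(path) != expected:
                verdict.modified.append(rel)
    verdict.missing = sorted(set(manifest) - seen)
    verdict.modified.sort()
    verdict.unexpected.sort()
    return verdict


def run_scenario(tampered: bool, device_id=("0781", "5583", "PLANT-USB-0001")) -> MediaVerdict:
    """Build a constructed vendor bundle on a temporary 'mount', optionally tamper
    with it, and validate it against the manifest taken at approval time."""
    reference = {
        "firmware/controller.hex": b"CONSTRUCTED-HEX-RECORD\n" * 8,
        "docs/release_notes.txt": b"Release 2.1 - constructed sample\n",
    }
    # The manifest is derived from the approved reference copy, never from the media under test.
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in reference.items()}

    with tempfile.TemporaryDirectory() as mount_dir:
        for rel, data in reference.items():
            path = os.path.join(mount_dir, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)
        if tampered:
            # One approved file altered by a single trailing byte, plus an extra file slipped in.
            with open(os.path.join(mount_dir, "firmware", "controller.hex"), "ab") as handle:
                handle.write(b"\x00")
            with open(os.path.join(mount_dir, "notes.txt"), "wb") as handle:
                handle.write(b"not on the manifest\n")
        return validate_media(device_id, mount_dir, APPROVED_DEVICES, manifest)


if __name__ == "__main__":
    for tampered in (False, True):
        verdict = run_scenario(tampered)
        print(f"tampered={tampered} allowed={verdict.allowed} "
              f"modified={verdict.modified} unexpected={verdict.unexpected}")
```

In a real kiosk the manifest would be signed and fetched from the plant’s configuration management system, and the device triple would come from the USB enumeration rather than a function argument; the decision logic is unchanged.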
3. AI Adoption
- AI adoption is accelerating in the nuclear sector—not only in operations like predictive maintenance but also in cybersecurity.
- InfraShield is integrating AI-driven threat detection and event automation, while maintaining a “human-in-the-loop” approach due to risks like hallucinations and model drift.
- The industry is shifting from outright AI rejection to cautious, cost-effective integration for operational efficiency.
- Mark warns of potential AI vs. AI cyber warfare scenarios and believes organizations will need to participate at that level to stay competitive and secure.
4. Zero Trust in Nuclear Environments
- Mark strongly supports Zero Trust adoption in the nuclear sector, particularly as legacy systems are replaced or modular reactors are deployed.
- Mark highlighted the following challenges:
  - Lack of system visibility due to islanded OT networks,
  - The expectation that plants self-define cybersecurity strategy under a performance-based model, leading to inconsistent protections, and
  - Delays in adoption due to cost, complexity, and long upgrade cycles.
- Mark recommends the following best practices:
  - Apply Zero Trust incrementally, especially during system replacement.
  - Separate roles between monitoring and control functions.
  - Use unidirectional monitoring (e.g., data diodes) and passive taps for observability without introducing inbound risk.
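Two of the recommendations above, unidirectional monitoring and role separation, can be checked mechanically against a plant’s zone policy before anything is deployed. The Python below is an added example for this article, not code from the interview or from InfraShield; the zone names, flow rules and role assignments are constructed. It treats the permitted zone-to-zone flows as a directed graph and searches for any route from the corporate network into the control zone: a “temporary” bidirectional support path shows up as a finding, while a data-diode design (process data flows out, nothing flows in) yields none. A second check lists identities that hold both a monitoring and a control role.

```python
from collections import deque

# Constructed zone-to-zone flow policies. Each (src, dst) tuple means traffic may
# originate in src and terminate in dst. Zone names are hypothetical.
BIDIRECTIONAL_POLICY = [
    ("corporate_it", "historian_dmz"),
    ("historian_dmz", "corporate_it"),
    ("historian_dmz", "plant_control"),   # "temporary" remote-support path
    ("plant_control", "historian_dmz"),
]

DIODE_POLICY = [
    ("plant_control", "historian_dmz"),   # data diode: process data flows out only
    ("historian_dmz", "corporate_it"),
    ("corporate_it", "historian_dmz"),    # analysts read dashboards in the DMZ
]

# Constructed role assignments for the role-separation check.
ROLE_ASSIGNMENTS = {
    "hist_analyst": ["monitor"],
    "control_eng": ["control"],
    "vendor_support": ["monitor", "control"],   # violates separation
}


def find_inbound_paths(flows, sources, target):
    """Return one shortest permitted path from each source zone that can reach target.
    An empty list means the policy admits no inbound route to the target zone."""
    adjacency = {}
    for src, dst in flows:
        adjacency.setdefault(src, set()).add(dst)
    paths = []
    for source in sources:
        queue = deque([[source]])
        visited = {source}
        while queue:
            path = queue.popleft()
            node = path[-1]
            if node == target:
                paths.append(path)
                break                      # one path per source is enough to fail the check
            for nxt in sorted(adjacency.get(node, ())):
                if nxt not in visited:
                    visited.add(nxt)
                    queue.append(path + [nxt])
    return paths


def dual_role_identities(assignments):
    """Identities holding both the monitoring and the control role."""
    return sorted(name for name, roles in assignments.items()
                  if {"monitor", "control"} <= set(roles))


def assess_policy(flows, assignments, untrusted=("corporate_it",), target="plant_control"):
    """Summarise both checks; 'passes' is True only when no inbound path and no dual role exists."""
    inbound = find_inbound_paths(flows, untrusted, target)
    dual = dual_role_identities(assignments)
    return {"inbound_paths": inbound, "dual_roles": dual, "passes": not inbound and not dual}


if __name__ == "__main__":
    for label, policy in (("bidirectional", BIDIRECTIONAL_POLICY), ("diode", DIODE_POLICY)):
        result = assess_policy(policy, ROLE_ASSIGNMENTS)
        print(label, result)
```

The graph check is deliberately conservative: it asks whether any permitted route exists, not whether a specific protocol would traverse it, which is the right question for an OT zone that is supposed to have no inbound path at all.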
5. Vulnerability Management and Regulatory Gaps
- Mark notes that a “run-to-failure” mindset is common due to the high cost and regulatory burden of replacing nuclear-grade equipment.
- Auto-patching and modern vulnerability management are difficult, with validation processes rivaling the complexity and expense of FDA drug approval.
- Mark calls for better distinction between true safety-critical systems and associated but non-critical systems to allow more agile patching and maintenance.
- Mark emphasizes the need to revisit and update regulatory assumptions, especially:
  - The carryover from physical security policy that excludes nation-state threats.
  - The expectation that plants self-define cybersecurity strategy under a performance-based model, leading to inconsistent protections.
Wrap-Up
Beyond the primary discussion topics noted above, Mark also touched on how the critical shortage of cybersecurity professionals, with expertise in both IT and OT, is an especially pressing issue in nuclear environments. Mark also addressed how third-party security operations center (SOC) teams offer value, but their limited understanding of plant operations reinforces the need for on-site, nuclear-aware cyber personnel.
In addition, Mark predicted that analog systems will be retired and that digital adoption in nuclear will rapidly accelerate. He noted how AI is gaining traction for predictive maintenance and cybersecurity, but cautioned that human oversight remains critical. Lastly, Mark highlighted how longstanding bans on wireless tech are being re-evaluated, signaling a shift toward more adaptive, risk-managed approaches.
To watch the full 40-minute interview with Mark click here!
If you are experiencing a security incident or need immediate assistance, contact InfraShield to Be Secure: Sales@Infrashield.com