What the NCSC's New OT Cyber Guidance Signals for Nuclear Energy

InfraShield is tracking evolving OT and ICS attack trends for our nuclear customer base, and distilled a number of highly relevant security takeaways for the industry from the NCSC-led guidance. Highlighting eight foundational security principles, the guidance was designed to help organizations “mitigate exposed and insecure connectivity and protect networks from highly capable and opportunistic cyber threat actors, including nation state-sponsored actors,” according to a CISA press release.

Furthermore, this advisory arrives amidst rapidly intensifying IT-OT convergence—and as threat actors are increasingly targeting OT environments as primary objectives in their own right, rather than treating OT compromise solely as a stepping stone into IT networks. In this threat landscape, 22% of critical infrastructure organizations suffered a security incident impacting their OT and industrial control systems last year, according to the SANS Institute’s State of ICS/OT Security 2025 report.

The SANS report also found that “unauthorized external access accounted for half of all incidents, yet only 13% of organizations have fully implemented advanced controls such as session recording or ICS/OT-aware access.” Notably, joint research published by Cyolo and the Ponemon Institute in 2024 said that a wide array of third-party vendors and contractors are being given remote access to OT environments. The survey authors found that 73% of industrial organizations permit third-party access to OT environments, with an average of 77 third parties per organization granted such access.

From a risk perspective, this proliferation of third-party OT access provisioning is concerning because anywhere from a third to half of all critical infrastructure security breaches can be attributed to external vendors, according to SecurityScorecard research. Furthermore, and despite these increasing third-party remote access permissions in OT environments, the SANS report contends that “fewer than 15% of organizations have advanced remote access controls in place.”

With state-backed espionage actors like China’s Volt Typhoon seeking to preposition themselves in critical infrastructure networks, combined with the rising threat of various Russian hacktivist groups targeting the same organizations, the new wave of nuclear energy innovators cannot ignore the security disconnect identified by the SANS survey. Although nuclear energy installations have traditionally implemented the most stringent and risk-averse cybersecurity controls imaginable relative to other critical sectors, a new generation of nuclear technologists are embracing design concepts that radically amplify the attack surface.

As novel microreactor and advanced reactor programs explore remote operations and expanded access for staff and contractors, they cannot allow security deficits in converged IT and OT network operations to undermine the future of American energy. Nuclear innovators are keen on communication technologies that will enable remote operations (cloud, satellite) that interface directly with ICS and OT environments. While such approaches promise operational flexibility and efficiency, they also introduce myriad new attack paths, escalating new connectivity risks that must be addressed early through system design, licensing considerations, and cybersecurity strategy.

Against this backdrop, the following InfraShield blog post analyzes the NCSC’s latest guidance and focuses on four principles that have emerged as the most relevant to the rapidly emerging small modular reactor (SMR) and microreactor ecosystem. Ultimately, the guidance reinforces a shift the nuclear industry is already experiencing: cybersecurity is no longer merely a compliance requirement—it is a foundational design decision that shapes resilience, cost, and long-term operability. While many of the principles align with established nuclear practices, the NCSC’s framing underscores where utilities and developers can gain a strategic advantage by making the right security choices from the outset.

Supply-Chain Influence Matters More Than Ever

In Principle 1, the NCSC emphasizes balancing risk and opportunity by asking a simple question: Can you influence the security controls built into your supplier’s solution? Nuclear has long understood supply-chain controls, but this becomes mission-critical for new reactor deployments where architectures are still being defined. For advanced reactors, cybersecurity baked into supplier designs avoids costly retrofits later and strengthens regulatory confidence. Early collaboration with a knowledgeable security partner can help utilities and reactor designers align system architectures with regulatory cybersecurity expectations before designs are finalized.

Adopting Modern, Secure Protocols is Foundational Cyber Hygiene.

Principle 4 of the NCSC’s guidance urges organizations to move from legacy industrial protocols to secure versions (e.g., Modbus → Modbus Security, OPC DA → OPC UA). This principle serves as a timely reminder for nuclear operators. Protocol modernization is not just an IT best practice. This provision directly reduces the attack surface. Consider that Modbus, “the most popular and most often exposed, OT protocol, accounted for 57% of OT attacks in 2025, up from 40% in 2024,” according to Forescout Technologies’ just-published 2025 Threat Roundup report. While nuclear facilities often must wait for planned outages to implement protocol changes, incorporating these upgrades into lifecycle management is a critical step in strengthening security without introducing operational disruption.

The OT Boundary is the Front Line of Defense

Hardening the OT boundary, or Principle 5 as delineated by the NCSC, may be the most vital for SMR and microreactor defenders. The NCSC underscores that many OT systems are difficult to patch or replace. As such, the security boundary emerges as the primary defense against external threats. This directly aligns with nuclear defensive architecture principles and creates an opportunity to invest in modern, modular, and replaceable boundary solutions, such as deterministic, unidirectional protections. This is where purpose-built solutions, like data diodes, can help deliver long-term security without adding operational complexity.

Micro-Segmentation and Visibility are Emerging Best Practices

Principle 6 in the NCSC guidance focuses on limiting the impact of compromise and specifically highlights microsegmentation as a best practice. Although U.S. nuclear regulations mandate network segmentation—but not micro-segmentation or zero trust network access (ZTNA)—the guidance highlights micro-segmentation as a powerful way to limit the impact of compromise in mixed-trust and legacy environments. Similarly, while centralized OT logging is not a nuclear mandate, the NCSC’s recommendation reflects where the industry is heading. As older OT devices are replaced, built-in logging and monitoring capabilities will increasingly be the norm.

The Takeaway for Nuclear Leaders

The NCSC-led guidance doesn’t change nuclear regulations, but it signals where good cybersecurity design is headed. Utilities, SMRs, and microreactor concepts that align early with these principles will be better positioned to manage risk, control costs, and support future regulatory expectations. For advanced reactors in particular, security-by-design will increasingly represent a competitive advantage, given the rapid pace of technological change shaping 21st-century industrial architectures.

In this environment, it is prudent to design for adaptability and composability from the outset, with engineering, operations, and security stakeholders collaborating to assess how resilient and defensible their concepts will remain five, 10, and even 20 years into deployment.