Sector

Nuclear

Assurance for nuclear I&C systems, generation, and decommissioning — bridging IEC 62645, ONR expectations, and NCSC CAF obligations.

Threat Landscape

Nuclear facilities face threat profiles assuming the most capable adversaries. Nation-state actors with strategic motivations — intelligence collection, disruption capability development, sabotage — represent the primary concern. The Stuxnet campaign against Iranian enrichment facilities demonstrated that purpose-built cyber weapons can achieve physical destruction of nuclear infrastructure.

Supply chain compromise risk is particularly significant for digital instrumentation and control (I&C) components. Insider threat from personnel with privileged access to safety-critical systems is an explicit design basis consideration. The regulatory environment demands that cyber security be addressed as an integral part of nuclear safety.

Regulatory & Framework Landscape

IEC 62645 IEC 62859 IAEA Computer Security Series ONR Regulatory Expectations NCSC CAF v4.0 IEC 62443

Nuclear cybersecurity is governed by sector-specific standards (IEC 62645 for nuclear I&C, IEC 62859 for safety-security coordination), IAEA guidance, and national regulatory expectations. In the UK, the Office for Nuclear Regulation (ONR) sets cybersecurity expectations that nuclear licence holders must satisfy. The NCSC CAF applies to nuclear operators as designated operators of essential services under the NIS Regulations.

CCM Domain Alignment

D14 OT/ICS Security 24 controls

Nuclear organisations activate the D14 OT/ICS Security overlay for instrumentation and control systems, alongside the full mandatory baseline. The safety-security co-design principle embedded in D14 is particularly critical in nuclear environments where cybersecurity measures must not compromise nuclear safety functions.

Operating Context

OT/ICS Security Converged Assurance

How C-PAP Supports Nuclear

C-PAP provides a unified assurance platform bridging nuclear-specific standards (IEC 62645, IEC 62859) with broader UK cybersecurity requirements (CAF, NIS). The platform enables demonstration of cyber-informed engineering to ONR and international regulators.

C-PAP scales across operational phases from new-build through generation to decommissioning, with the CCM providing continuity of governance as the facility's risk profile evolves. The platform positions organisations for intensifying ONR expectations on digital I&C security.

Ready to discuss Nuclear assurance?

Request a sector-specific briefing or explore the full Nuclear brief through our resource portal.

Request Briefing Request Full Brief