
Nuclear Cybersecurity Research


I am particularly interested in nuclear energy and its potential for a sustainable future. 

As nuclear energy production is becoming increasingly reliant on digital technologies, it is crucial to understand the potential threats and develop robust cybersecurity measures to protect nuclear facilities from malicious actors.

A more informed community can contribute to the collective effort of ensuring the peaceful, safe and secure utilization of this important energy source.

I run a newsletter called NeutronMode, where I cover the latest developments in nuclear cybersecurity, an area where technology, security, and public safety intersect. In each issue, I share original content, including in-depth analysis, news, curiosities and practical insights on the growing challenges and opportunities in securing nuclear facilities, systems, and data. 

Also, as part of this endeavor, I've published the following research papers:

2017 - Go Nuclear: Breaking Radiation Monitoring Devices

The purpose of this research was to provide a comprehensive description of the technical details and approach used to discover vulnerabilities affecting widely deployed radiation monitoring devices (portal and area monitors). This work involved software and firmware reverse engineering, RF analysis, and hardware hacking.

This research was presented at Black Hat USA 2017.

- Paper: https://www.blackhat.com/docs/us-17/wednesday/us-17-Santamarta-Go-Nuclear-Breaking%20Radition-Monitoring-Devices-wp.pdf

- Slides: https://www.blackhat.com/docs/us-17/wednesday/us-17-Santamarta-Go-Nuclear-Breaking%20Radition-Monitoring-Devices.pdf

2023 - Seeing Through the Invisible: Radiation Spikes Detected in Chernobyl During the Russian Invasion Show Possible Evidence of Fabrication

Chernobyl, an iconic symbol in our social imaginary that represents everything that may go wrong with radioactivity, was taken by the Russian occupation forces, as part of a full-scale invasion of Ukraine. During the first 48 hours of this situation, it was officially reported that the Automatic Radiation Monitoring System (ASKRS) of the Chernobyl Exclusion Zone had detected abnormally high radiation values. The intense traffic of heavy military vehicles, which would be stirring up radioactive dust, was initially pointed out as the root cause for the reported radiation spikes.

This talk will comprehensively describe the research that has been performed around this incident. Among other things, I have reconstructed the events through OSINT, talked to nuclear experts and visited radiological laboratories to analyze equipment and software. Eventually, I gained access to the data transmitted during those days by the wireless radiation monitoring devices in Chernobyl, thus being able to demonstrate that the patterns identified in the radiation spikes detected during the 24th and 25th of February 2022 show the possibility that data may have been fabricated.

Evidence confirms that the radiation levels depicted by a very specific set of real-time radiation maps, which during those days were consulted by millions of people and also consumed as a single source of information by media outlets and official entities, did not correspond to the actual physical conditions of the Chernobyl Exclusion Zone.

This research, presented at Black Hat USA 2023, elaborates on the software-based data manipulation as a plausible explanation.

- Paper: https://drive.google.com/file/d/1Sxg7Do9DVs6xquv-j8gBUgN4RUZkMG2N/view?usp=sharing

- Slides: https://i.blackhat.com/BH-US-23/Presentations/US-23-Santamarta-Seeing-Through-The-Invisible.pdf

- Web version: https://www.reversemode.com/2024/01/what-really-happened-in-chernobyl.html


2024 - A Practical Analysis of Cyber-Physical Attacks Against Nuclear Reactors

This research paper aims to provide a comprehensive technical analysis of hypothetical cyber-physical attacks targeting the safety systems of nuclear reactors (PWRs), such as the Reactor Protection System (RPS) and the Engineered Safety Features Actuation System (ESFAS).

The paper is structured to facilitate reading and understanding, making this analysis accessible to readers with varying levels of technical expertise. 

  • The “Introduction” describes the nuclear engineering and nuclear physics concepts behind nuclear fission, Pressurized Water Reactors (PWRs) and nuclear power plants (NPPs), which are needed to follow the subsequent cyber-physical attack scenarios. Prior knowledge of nuclear physics or reactor engineering is not assumed, making it accessible to those without a formal background in these fields.
  • “Actors and motivations” describes the background of certain real-world operations involving cyber-physical attacks and nuclear facilities.
  • “Teleperm XS” introduces the commercial Instrumentation and Control (I&C) platform, including a detailed description of the hardware, software architecture, attack surface, and eventually those characteristics that could potentially be leveraged by malicious actors.
  • “Cyber-Physical Attacks” details an approach to analyzing the design of specific nuclear reactors in order to characterize a series of feasible cyber-physical attacks against their safety systems (e.g. RPS, ESFAS), according to the level of damage sought by the attackers.

- Paper: https://drive.google.com/file/d/1qe_nBH1ACDX2ydmzcIhJnbdRGnoDvVfP/view?usp=preview


2025 - TBD

Please feel free to reach out if you are interested in funding this new research.
