Next Article in Journal
Blockchain-Enabled GDPR Compliance Enforcement for IIoT Data Access
Previous Article in Journal
Attacking Tropical Stickel Protocol by MILP and Heuristic Optimization Techniques
Previous Article in Special Issue
Microarchitectural Malware Detection via Translation Lookaside Buffer (TLB) Events
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
JCP
Volume 5
Issue 4
10.3390/jcp5040083
jcp-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Simulating Collaboration in Small Modular Nuclear Reactor Cybersecurity with Agent-Based Models

by
Michael B. Zamperini
* and
Diana J. Schwerha
School of Engineering, Liberty University, Lynchburg, VA 24515, USA
*
Author to whom correspondence should be addressed.
J. Cybersecur. Priv. 2025, 5(4), 83; https://doi.org/10.3390/jcp5040083
Submission received: 11 June 2025 / Revised: 22 August 2025 / Accepted: 30 September 2025 / Published: 3 October 2025
(This article belongs to the Special Issue Intrusion/Malware Detection and Prevention in Networks—2nd Edition)
Browse Figures
Review Reports Versions Notes

Abstract

This study proposes methods of computer simulation to study and optimize the cybersecurity of Small Modular Nuclear Reactors (SMRs). SMRs hold the potential to help build a clean and sustainable power grid but will struggle to gain widespread adoption without public confidence in their security. SMRs are emerging technologies and potentially carry higher cyber threats due to remote operations, large numbers of cyber-physical systems, and cyber connections with other industrial concerns. A method of agent-based computer simulations to model the effects, or payoff, of collaboration between cyber defenders, power plants, and cybersecurity vendors is proposed to strengthen SMR cybersecurity as these new power generators enter into the market. The agent-based model presented in this research is intended to illustrate the potential of using simulation to model a payoff function for collaborative efforts between stakeholders. Employing simulation to heighten cybersecurity will help to safely leverage the potential of SMRs in a modern and low-emission energy grid.

1. Introduction

In our post-September 11th world, security must always be vigilantly considered. Cybersecurity is of ever-growing importance and is closely related to physical and supply chain security. Breaches in physical security can facilitate cyber-attacks while successful cyber-attacks can damage physical systems. Weaknesses in supply chain security can introduce cyber vulnerabilities that could be exploited once a system is operational. When considering the cyber security of nuclear energy installations, the costs of successful cyber-attacks are potentially extreme. Whether outcomes include loss of electrical power, release of nuclear contamination, or theft of nuclear material, nuclear cybersecurity must be as close to perfect as possible. The assessment of cybersecurity in new technologies such as Small Modular Nuclear Reactors (SMRs) can be especially challenging. While existing nuclear power plants rely heavily on analog equipment with fewer cyber vulnerabilities, new SMR designs will likely rely more heavily on cyber-physical control systems that also introduce cybersecurity risks [1,2,3].
As new cyber-physical control systems are designed to meet the novel needs of SMRs, collaboration between SMR designers and builders/vendors of these control systems will be needed to ensure that functionality and cybersecurity are equally emphasized [4]. Though this research is motivated by SMR cybersecurity, many of the ideas can be applied to cybersecurity in general and emerging technologies such as SMRs. Computer simulation that explores the randomness of cyber-attacks and cyber defense systems is a powerful tool to maximize cybersecurity plans and probe potential weaknesses. Two leading stochastic simulation modeling approaches are discussed with one paradigm showing special promise. This paper is intended to fill a gap in the research by proposing the use of agent-based modeling computer simulation to study the effects of cyber-defender collaboration in SMR cybersecurity.
As the world strives to move away from fossil fuels, nuclear energy is gaining renewed interest. Despite lingering concerns over past nuclear energy safety concerns, support for increased use of nuclear power is growing internationally [5]. Construction of traditional large nuclear reactors is becoming increasingly expensive and challenging. Two large partially constructed nuclear plants were abandoned in South Carolina in 2017 with the loss of billions of dollars of expended construction costs [6,7]. This failure was partially attributed to the attempt to build an untested design which led to construction complications, along with the fracking boom that produced very inexpensive natural gas [8]. Accordingly, interest in new SMR technology is growing with their potential simplified construction in specialized factories and improved safety profiles, though cost-effectiveness is still a concern [9]. Several electric utilities are planning to implement SMRs into their power generation portfolio and the governor of Virginia has expressed interest in using SMRs in the state [10,11]. Major technology companies have recently begun investing in SMRs to power artificial intelligence and cloud computing operations [12,13]. Given the success of the U.S. Navy with nuclear power, SMRs are also being considered for use on commercial ocean-going ships [14]. With this growing interest in SMRs along with a zero tolerance for mistakes in the nuclear industry, their cybersecurity must be at the forefront of strategic planning.
SMRs are smaller reactors that can be fabricated at a factory and linked together to provide the power needs for a particular application. Interest in this technology began to grow around the year 2000 and by 2010, there were increasing numbers of SMR designs being proposed along with customer interest [15]. SMR designs are often derived from the nuclear propulsion used for decades by U.S. Navy submarines and aircraft carriers along with Russian ice-breaking ships. A Russian SMR based on the ice breaker design was put into use in 2020 as an offshore installation used to provide electricity, heat, and freshwater to secluded coastal communities. An advantage to SMRs can be their relatively small geographic footprint (see Table 1). Typical large nuclear plants require very large emergency zones governed by plans for evacuation and other contingencies.
Liu and Fan [20] discussed the superior self-cooling capacity of SMRs as compared to large nuclear power plants, reducing or even eliminating the probability of a melt-down. Yin et al. [21] validated these self-cooling properties with simulations that demonstrated a low probability of reactor core damage during an emergency blackout of an SMR. SMRs can also be installed underground for added safety. SMRs based on a light water design currently have a licensing advantage due to existing government regulations and expertise. Other more novel SMR designs using coolants such as molten salts may have a steeper hill to climb to gain licensure for operation. SMR designs can produce higher levels of safety as compared with large nuclear plants, with less possibility of a nuclear meltdown and improved cybersecurity profiles. Based on inherent capital costs and fuel requirements, nuclear energy is best suited as a base energy source that runs constantly with other green energy and fossil fuel energy sources rounding out the power supply [22].
The research question or problem addressed in this paper is whether agent-based modeling simulations can prove useful in studying the effects of stakeholder collaboration in SMR cybersecurity. The objectives of this paper are to review the unique issues surrounding the cybersecurity of SMRs, call attention to the role of a cybersecurity international agreement called the Common Criteria [23] in meeting the cybersecurity needs of SMRs, and propose and demonstrate the use of agent-based modeling simulations to study the results of stakeholder collaboration resulting from the Common Criteria. We accomplish these objectives by specifying the contributions of this research, reviewing existing nuclear industry cybersecurity standards, examining the types of simulation tools that could prove helpful in studying cybersecurity issues, exploring the existing research on the use of simulation in cybersecurity, and highlighting the importance of stakeholder collaboration and the Common Criteria. Lastly, we make recommendations for the use of agent-based modeling (ABM) to study the payoffs of collaboration between SMR operators and the vendors of cyber-physical control systems used in SMRs and demonstrate the usage of ABM in a test case of this objective.

Contributions

This paper is focused on contributing to the understanding of the unique cybersecurity needs of SMRs, calling attention to the need for stakeholder collaboration for SMR cybersecurity, and showing the utility of agent-based modeling to study the results of collaboration to strengthen SMR cybersecurity. Following are our specific contributions:
  • We review existing nuclear cybersecurity standards, provide a history and description of types of computer simulation which could be helpful in studying SMR cybersecurity, and review the current research on computer simulation in cybersecurity.
  • We point out the value of collaboration in cybersecurity, identify the Common Criteria as an underutilized tool in nuclear cybersecurity, and provide recommendations for using agent-based modeling to study the effects of collaboration through the Common Criteria on SMR cybersecurity.
  • We propose, build, and study the results of an agent-based model to examine the effects of collaboration between SMRs and vendors of cyber-physical control systems to harden the cybersecurity of SMRs. To our knowledge, no other published research has employed ABM to model the effects of collaboration with third parties in nuclear cybersecurity.
While this research is focused on stakeholder collaboration to strengthen the cybersecurity of SMRs, the generalized use of agent-based modeling to model the effects or payoffs of collaboration in a broad spectrum of applications also builds on the literature in this field including Francia III et al. [24]; Husák and Kašpar [25]; and Rajivan and Cooke [26]. This study could prove helpful to SMR builders, SMR operators, vendors of cyber-physical control systems used in SMRs, nuclear regulators considering adoption of the Common Criteria, and any of the researchers in a wide variety of fields of study who are interested in using agent-based modeling to study the effects of collaboration.

2. Existing Nuclear Cybersecurity Standards

To consider the future of SMR cybersecurity, the present and past of nuclear cybersecurity must be understood. Though SMR designs and cybersecurity risks are still evolving, cybersecurity standards for nuclear installations are well-developed. The U.S. Nuclear Regulatory Commission [27] regulatory guide 5.71 provides guidance on how nuclear facilities can comply with 10 CFR 73.54 regulations on protection against cyber-attacks. This guide covers cybersecurity plans, implementation and maintenance of a cybersecurity program, and records handling. Defense-in-depth strategies with multiple layers of redundant cybersecurity controls should be employed. These ideas of defense-in-depth and multiple layers of security were also promoted by the International Nuclear Safety Advisory Group [28] and Krause et al. [29]. Critical digital assets should be organized into layers of higher to lower cyber risks. Data should only flow through these levels through gateways with rigorous security protocols. Plans should be continuously monitored to ensure that changes in the actual cyber system are accounted for in the cybersecurity programs. Additionally, cyber vulnerabilities should be assessed at least quarterly.
Related to defense-in-depth concepts, Duguay [30] documented security-by-design concepts specifically for SMRs. Proper use of security-by-design principles can help to elevate security concerns amongst all stakeholders as early as possible in the design phase. Both cyber and physical security should be analyzed holistically and potential threats that coordinate both cyber and physical attacks together should be considered. As much as possible, the future evolution of possible security threats should be accounted for in the design phase. This is an area where computer simulation could help to identify possible future threats and validate the effectiveness of cybersecurity alternatives early in the design process. Security-by-design should build in the capability to scale up security postures as threat levels increase. Future security forces could make use of resources such as autonomous lethal robots. Such a development would introduce high-consequence cyber-threats of a hacker gaining digital control of these robotic security forces. Relying on air gaps for cybersecurity does not solve all risks, as evidenced by the Stuxnet attack [31] and can elevate the potential impacts of an insider cyber threat. A question remains regarding whether existing nuclear cybersecurity standards are appropriate for new technologies such as SMRs, or if changes need to be made.
Ayodeji et al. [1] wrote that while increased use of digital automation in nuclear power plants can increase efficiency and reduce costs, it can also create exposure to cybersecurity risks. Though existing cybersecurity regulations for the nuclear industry are very comprehensive, case-specific compliance is nuanced due to the specifics of each installation. Similarly, assessing the cyber weaknesses of nuclear digital controls is very challenging because of their uniqueness with potential connections to other devices and network characteristics. The potential uniformity brought on by SMRs constructed at the same plant could help to reduce some of this complexity and the accompanying lack of clarity on exact cyber vulnerabilities. Of course, a potential downside of such uniformity of design is the potential for adversaries to formulate attacks tailored to a widespread design. The idea of improving cybersecurity by reducing complexity in digital controls is echoed by Gibson et al. [32]. Van Dine et al. [33] also called on nuclear supply vendors to improve cybersecurity by simplifying their products. It is also important to understand the capabilities and motivations for cyber attackers. Are they working to steal technology, creating awareness for their cause, terrorists, unhappy employees, or simply having fun with the challenge? Once these motivations and skill levels are understood, computer simulation could help to study attack patterns. The MIT Research Establishment (MITRE) Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) matrices can help to map out and better understand adversary behaviors for specific applications [34]. Energy producers implementing SMRs must study the class of threats likely to focus on this new technology. Table 2 provides a summary of hacker types and motivations.

3. History and Description of Simulation Types

Past simulations of cyberattacks have been largely based on discrete event simulation, with others employing agent-based modeling, game theory paradigms, and Monte Carlo simulation [35]. Other methods such as stochastic modeling [36] and hybrids of various techniques [37] have shown promise. A combination of continuous and discrete event simulation methods [38] can also create a powerful simulation tool. Still others have focused on the tools of neural networks and deep learning [39] for cybersecurity studies. However, a primary objective of this research is to highlight the capabilities of agent-based modeling (ABM) in assessing the benefits of stakeholder collaboration in SMR cybersecurity. In order to build the case for using ABM in this way, comparisons are focused between ABM and one of the most common and traditional simulation tools, discrete event simulation (DES).
DES is a more established field of study while ABM is relatively new. DES has been used in the field of operations research for over 50 years while ABM began to emerge in the early 1990s [40]. Robinson [41] described the history of DES with its discovery in the 1950s, innovation in the 1970s, and widespread adoption in the 1980s. The names of these two simulation approaches are indicative of their nature. ABM employs individual agents with specific characteristics that interact with built-in levels of randomness with other agents. The totality of these interactions determines the outcomes and lessons to be derived from such a simulation. On the other hand, DES focuses on events that take place on a timeline, often based on random draws from stipulated probability distributions. For instance, customers might arrive in a DES of a restaurant with random interarrival times and receive service of random times, yielding random customer queue sizes, time in the system, and other specified metrics. Each of these two stochastic simulation paradigms has strengths and weaknesses that may lend themselves to specific SMR cybersecurity studies. Table 3 summarizes comparisons between ABM and DES.
Macal and North [42] described ABM as containing agents that act on their own and can interact with other agents. These agents can attempt to influence one another, have goals that they work towards, and can learn and adjust their tactics throughout a simulation run. These characteristics of ABM match nicely with cybersecurity wherein cyber defenders or attackers try to manipulate each other’s behavior, have goals of defending or breaching cybersecurity barriers, and will adjust based on lessons learned from successful or failed cyber defense strategies or attacks. Furthermore, ABM can have agents acting as cyber attackers, defenders, and digital users going about their normal business. These agents can form relationships with each other as cyber defenders coordinate with one another, or attackers attempt to build relationships with unsuspecting digital users for exploitative purposes.
Decision-making characteristics and behaviors of cyber defense agents or attackers can be programmed into an ABM with attackers working to access digital information or controls while defenders try to keep these elements secured. This is an important point as the behavior of human agents must be considered in addition to technology in modeling cyber-attacks and security [44]. Milov et al. [44] provided alternatives of varying degrees of complexity in modeling the behavior of cyber attackers. Relatively simple agent rules may suffice in determining model outcomes for large organizations whereas more complex agent behavior modeling is likely to be needed for the study of individual or smaller group dynamics. Cybersecurity can also be viewed as an arms race with attackers and defenders becoming increasingly sophisticated in their methods based on lessons learned and new technology. Again, ABM aligns with this characteristic of cybersecurity as agents can adapt and change based on the successes or failures experienced within the simulation.
On the other hand, DES is a simulation paradigm that captures discrete events at specific periods in time, allows a system to constantly change, and allows for stochastic processes [43,45]. For a complex model, tracking the constant change of discrete events changing variables, and the state of the system over time can be extremely cumbersome. Fortunately, a wide variety of DES software packages will keep track of these events, timelines, and variables. Concerning cybersecurity, the DES strengths with stochastic and dynamic systems could prove useful in modeling cyber-attacks that arrive randomly in time and employ a random assortment of attack strategies. Similarly, cyber defense systems may not always perform as designed (especially regarding training users to detect and thwart cyber-attacks), so DES could be used to model uncertainty in the effectiveness of cyber defenses. The stochastic nature of DES can be useful in modeling systems that tend to form queues. This characteristic of DES does not lend itself as directly to cybersecurity modeling as compared with many elements of ABS. Kara et al. [46] used logic rules to determine the outcome of cyberattacks. Adopting this logic flow method in DES would be limited in its ability to model the complexity that can be achieved through the interaction of autonomous agents in ABM.

4. Review of Computer Simulation in Cybersecurity

Computer simulation has been used to evaluate cybersecurity, but the research is still relatively underdeveloped. Such simulation research is further lacking in the specific field of nuclear power cybersecurity. Engström and Lagerström [35] conducted a literature review of research on cyber-attack simulations over the past 20 years. Starting with keyword searches, they sifted through hundreds of papers to narrow their search down to 11 research efforts that met strict definitions of computer simulations and cyber-attacks. Of these 11 papers, six were based on DES methods while only two made use of ABM. Cyber-attack simulations can address high-level strategic targeting, tactical methods of attack, or the impact of successful cyber-attacks on the system in question. ABM may prove more useful in mimicking the complexity of the dynamics of stakeholder behavior in a cyber-attack, yielding more realistic models that could highlight emergent conditions of which cyber planners and designers should be aware.
Abercrombie et al. [47] employed game theory scenarios along with ABM to simulate the confidentiality, integrity, and availability of information in an electrical power distribution system. The agents in the model were cyber attackers and defenders. To model realism with human agents, defender characteristics were controlled to explore scenarios with agents dealing with misinformation or enduring a bad day when mistakes were more likely. Each of these ABM simulations only modeled one attacker and one defender, but this could easily be scaled up to larger numbers. Similarly, Rafferty et al. [48] used ABM to assess the cybersecurity of an internet-of-things home device network. Agents were programmed with beliefs, desires, and intentions to introduce artificial intelligence in their decisions and interactions with other agents. The objective of this study was to find a level of security that satisfactorily dealt with threats while not undermining the usefulness of the internet-of-things installation.
One open question in the body of cybersecurity simulation research is how to generate probability distributions to model cyber-attack or defense success rates [35]. Validating the realism of cyberattack simulation models is also very challenging. A proposed solution to this problem could be building simulation models based on actual cyber-attacks with forensic data available for study. A cyber-attack taxonomy specifically created for nuclear power plants by Kim et al. [49] could provide a useful structure for creating more accurate computer simulations. Cyber-attack taxonomy is well developed for information technology scenarios, but less so for industrial control systems used in nuclear power plants. The proposed taxonomy in this research consisted of, “attack procedure, attack vector, attack consequence, vulnerability, and countermeasure” [49]. ABM simulations could be especially valuable in modeling agent interactions and outcomes in any or multiple of the levels listed in this taxonomy. Insider cyber-attacks are often the weakest link in a cyber defense system and could also manifest themselves in malicious code installed in nuclear equipment in various stages of the supply chain. ABM holds significant advantages over DES in attempting to model these human aspects of cybersecurity.
It is challenging to obtain actual benchmark levels of cybersecurity with which to compare suggested improvements. Therein lies a benefit of the use of simulation studies, in which performance metrics of a base case can easily be compared against alternatives being considered. Given the susceptibility of humans to be taken in by cyber-attacks, Chaudhary et al. [50] proposed metrics to gauge the effectiveness of a cybersecurity training program. Such training must be continuous with a focus on incremental improvement. Measuring workforce participation in cybersecurity training does not capture the effect of the training on employee skills or behaviors. Tracking numbers of human-related cyber incidents does not show whether training or other factors drive any noted changes. Gauging changes to workforce cybersecurity skills, attitudes, and behavior may be the best indicator of training success but can be challenging to obtain. Good options to measure workforce cyber awareness, knowledge, and actions can include surveys, quizzes, or simulated phishing attacks.
The prediction of novel cyber-attacks is a challenging field of research. Even data for cyber-attacks is difficult to obtain. The Massachusetts Institute of Technology previously cataloged Defense Advanced Research Projects Agency (DARPA) data sets for cybersecurity, which have been widely studied. However, these DARPA sets are old and may not be useful for current cyber threats and network configurations [51]. President Dwight D. Eisenhower is credited with saying, “Plans are worthless, but planning is everything” [52]. While contingency planning for the future of cybersecurity may not directly shed insight on the exact next cyber-attack scenario, the planning process is sure to yield powerful advantages. Prediction of future attack vectors should be considered as a proactive approach to cybersecurity [51].
Husák et al. [51] listed four categories of cyber-attack forecasting research which deal with predicting the next steps of an adversary for an attack that is already underway, determining the goals of an attack, predicting the mechanics and timing of future attacks, and forecasting how the security state of a network may change. Models for cyber-attack prediction include attack graphs, Markov models, or game theory applications. For game theory models, attacker and defender behavior can be analyzed to determine the best strategies for each. Game theory assumes that the players are rational and strategic, which could lend itself well to the ABM style of simulation. Game theory analysis can look for a Nash equilibrium that occurs when changing from the current strategy would not benefit either the attackers or defenders [51]. Again, ABM could be employed to seek such steady-state scenarios.
A different paradigm that could be helpful in building computer simulations to assess cybersecurity is through comparisons with the complexity of biological immune and defense systems [53]. Cybersecurity and immune systems must both deal with diverse and ever-evolving attacks. These attacks must be defeated without excessive damage to the healthy parts of the system. Randomness in the attacks makes defense especially challenging. The defense of both individuals and the community at large must be considered. Outside parties beyond the attackers and defenders can play a role in the success or failure of defense systems. In both cybersecurity and immunology, it is desirable to maximize security while minimizing cost. Accordingly, it is optimal to avoid attacks altogether rather than combat them. Autoimmune diseases can attack healthy cells while over-eager cyber defense systems can endanger operations by restricting computer systems unnecessarily.

5. Cyber Collaboration and the Common Criteria

The powerful effects of human collaboration have been recognized as an important strategy for improving cybersecurity [54,55]. Computer simulation has been widely researched for the cybersecurity of engineered systems, but much less for human behaviors such as collaboration [56]. We propose a novel research area in which ABM can be useful in studying emerging SMR cybersecurity concerns through the collaborative potential of the Common Criteria (CC). The CC is an international collaborative organization working to coordinate the creation of secure information technology products that are tested and recognized by the member nations and organizations [23]. Essentially, nuclear stakeholders can use the CC to enumerate their cyber needs seeking verified and recognized solutions. The International Organization for Standardization [57] defined CC security problems as open threats in need of a technical solution. Cyber threats should be detailed as clearly as possible so that resulting evaluations and proposed solutions can address the right problem. Recall that the agents modeled in ABM can learn and adapt over the course of a simulation, along with forming coalitions with other agents. These characteristics of ABM can be leveraged to model the effect of the CC on the evolution of cybersecurity in the nascent stages of SMR development.
Linnosmaa et al. [4] noted that the CC provides a framework for nuclear stakeholders to document cybersecurity needs, prompting vendors to work on solutions that can be certified through independent laboratories. While the CC does not directly mandate or quantify collaboration between stakeholders, “real value” is created when participants choose to engage by generating specifications unique to a specific industry (such as SMRs) [4]. Ding et al. [2] recommended the type of communication and collaboration between stakeholders in advanced power grids that the CC can facilitate. Abdelkader et al. [3] declared collaboration among stakeholders including industry partners as foundational to the protection of modern power generation and distribution systems. Dar and Shairgojri [58] provided an assessment of India’s nuclear infrastructure and cyber vulnerabilities, highlighting a need for increased cooperation between industry and regulators on cybersecurity challenges. The CC are poised to facilitate this collaboration to combat ever-evolving cyber threats. Such industry collaboration in meeting cybersecurity challenges through the CC can provide significant value and can be modeled insightfully with ABM. Despite the diligent planning and adoption of cybersecurity best practices as SMRs begin to gain market traction, unforeseen cyber vulnerabilities are certain to arise. The unique and evolving cybersecurity needs of SMRs could benefit from the combination of flexibility and structure provided by the CC.
A lack of communication between cyber defenders is a security constraint that can be eliminated with intentional catalysts for collaboration. Ecclesiastes 4:12 says, “Though one may be overpowered by another, two can withstand him. And a threefold cord is not quickly broken” [59]. Collaboration makes us stronger, and information is power, so the sharing of information among cyber defenders can help to strengthen security for all. Husák and Kašpar [25] studied the real-time sharing of cybersecurity information from collaborating partners to accelerate attack prevention and response. A cybersecurity alert-sharing platform with 27 participating college campuses was used to search for cyber-attack patterns using data mining techniques. A structured data reporting method was agreed upon to aid the necessary data mining. Cyber sensors such as intrusion detectors or honeypots (cyber traps intentionally set to lure hackers) monitors automatically reported cyber alerts to the platform. Over one million alerts were processed in a five-day test period, so automated data mining tools were necessary to keep up with the task of clustering and projecting cyber-attack activity. The study demonstrated that the detection of emerging attack patterns could give participating organizations a cyber advantage likely to be useful for days or weeks after discovery.
While the CC are prevalent in other industries, Son et al. [60] noted that nuclear instrumentation and control systems are not included in the CC certification framework, prompting a call for the nuclear power industry to adopt and work with the CC system. Typical existing cybersecurity practices may not translate easily to the evolving needs of SMRs. The CC can help to match the best practices of cybersecurity protocols with the special needs of this emerging nuclear power technology. Turner [61] echoed the recommendations of Son et al. [60]. Specifically, Turner [61] likened the CC to a “tool box” that, when properly employed through stakeholder collaboration, can signal a market demand for specific cyber-physical controls and ensure that security needs are understood by all parties. The CC stand alone as a mature standard for cybersecurity with international recognition. If nuclear regulators adopt the CC criteria, this will help to grow the market for vendors working to meet SMR cybersecurity needs. The CC forum can also be used by SMR stakeholders to collaboratively share intelligence on cyber threats with one another. Simulating such collaboration with ABM can help to shed light on the ability of the SMR industry to launch safely and adapt to evolving cyber threats. SMR cyber defenders, cybersecurity firms, independent laboratories, and government regulators could all be modeled as agents working together to neutralize cyber threats before they can create widespread damage in SMR power generation installations. See Table 4 for summarized benefits of the CC.

5.1. Recommendations for SMR Cybersecurity

When analyzing the cybersecurity of a new technology such as SMRs, it is helpful to consider how the profile may be different from other comparable existing systems. Aamoth et al. [62] listed some of the emerging cybersecurity considerations applicable for SMRs. With SMRs being constructed off-site at an assembly plant, the supply chain of the parts could introduce cyber vulnerabilities. If SMRs rely on more use of digital systems to control physical systems, successful cyberattacks could affect the physical security of the reactor. Furthermore, the study of these cyber-physical system vulnerabilities is challenging due to their speedy evolution. Certainly, increased remote operation of SMRs will introduce more cyber risks. If SMRs have minimal on-site workers, the stake of an insider cyberattack could be much higher.
Adding to these considerations, SMR installations are being widely considered to provide not just electricity but also heat for various industrial applications. Dow Chemical (Seadrift, TX, USA) has announced plans to power a chemical plant in Texas with an SMR [63]. Water desalination processes consume large amounts of both electricity and heat, making SMR power an intriguing choice [64]. Shropshire et al. [65] explored the possibility of using SMRs in conjunction with an offshore wind energy farm to produce a steady supply of electricity. These notions of having SMRs digitally connected with other industrial, or energy production systems also likely employ technologies such as the internet of things and the smart grid as described by Khan and Beg [66], introducing additional sources of cybersecurity weaknesses. Table 5 lists these potential SMR cyberattack routes and the possible uses of ABM for simulation studies into stakeholder collaboration.
As has been discussed, ABM is a unique and promising tool to study new and evolving systems such as SMR cybersecurity. Macal [67] employed an ABM of a hypothetical zombie apocalypse to demonstrate the capabilities of this simulation paradigm. Macal’s model could be customized to simulate cybersecurity applications. In the zombie apocalypse model, agents were either zombies or humans. For cybersecurity, agents can be either well-intentioned or nefarious actors. The zombie model can be used to explore interventions that could save humans from zombies. A cybersecurity version can search for conditions that thwart attackers. The zombies can be programmed to move fast, or slow, as cyber attackers and network users can be initialized with advanced or low-level hacking or defense skills. Human agents can be set to fight or flee from zombies, as computer users can be programmed with different methods of dealing with cyber attackers. The zombie apocalypse may seem like a fun way to demonstrate ABM capabilities, but this example goes deeper than what might first meet the eye. It is difficult to see how DES could be used to model such systems as readily as ABM.
In fact, research has been performed to extend the zombie apocalypse ABM to the human side of cybersecurity. Francia III et al. [24] did this by adapting the zombie model to simulate human trust and other factors in a cybersecurity setting. Trust between cyber actors is an important element in cybersecurity but can be very difficult to quantify. ABM readily allows the modeling of trust between individuals or groups. Humans are often the weak link in a cybersecurity system and trust can heavily impact human decisions. Using ABM to account for different levels of attacker sophistication, trust in system users, cybersecurity training, and strength of the overall defense system, Francia III et al. [24] simulated the spread of a computer virus. While Francia III et al. [24] investigated the spread of a computer virus based on interactions between attackers and defenders, they did not research effects of collaboration between defender groups. Such ABM of the effects of stakeholder collaboration on cybersecurity of SMRs is the main focus of this paper.
Rajivan and Cooke [26] also used ABM to study the effects of collaboration within a team of cybersecurity analysts. Specifically, Rajivan and Cooke [26] studied the effects of team sharing of knowledge while attempting to triage challenging cyberattacks and how team members search through their knowledge bank to contribute to teamwork. In contrast, this paper focuses on collaboration between cyber defenders and external vendors of cyber-physical control systems to reduce an SMR’s threat profile by obtaining better designed and more secure equipment. There is a clear research gap and need for further cybersecurity ABM simulation studies to investigate the human side of cybersecurity, especially with collaboration between stakeholders through the Common Criteria for SMRs, which has not yet been researched. Despite the promise of such simulation studies, care must be taken to not place false confidence in research results as cyber attackers will always be looking to exploit previously unknown asymmetric threat vectors.

5.2. Proposed ABM Model

Theoretical underpinnings for an agent-based model simulating collaboration between SMRs and vendors were found in Wood and Gray [68] in which various research on collaboration were analyzed for common themes. One theme was that effective collaboration often needs a person or entity to convene the efforts. For the purposes of this study, the Common Criteria or some other similar platform will be assumed to play the role of convening the SMR and vendor collaboration. A second theme is the collaboration can be an effective strategy for dealing with environmental complexity, such as attempts to control the chaos created by cyber-attacks. Another theme is that access to needed resources can be facilitated through collaboration. In this study the improved SMR cyber physical control systems would be the resources yielded from collaborative efforts. A final theme from Wood and Gray [68] implemented in this study is that the self-interests of the SMRs (strong cyber infrastructure) and the vendors (improved products and profits) can, through collaboration, benefit the collective interest of all involved parties.
What is meant by the term collaboration? Wood and Gray [68] drew from existing definitions of collaboration to attempt a holistic definition that kept the best parts of the predecessors and attempted to fill in the gaps:
Collaboration occurs when a group of autonomous stakeholders of a problem domain engage in an interactive process, using shared rules, norms, and structures, to act or decide on issues related to that domain [68] (p. 146).
Wood and Gray’s definition fits the purposes of this research well. The autonomous stakeholders would be the SMRs and the Vendors. The problem domain is cybersecurity for the SMRs and developing market-leading products for the vendors. The interactive process, through the structure of the Common Criteria, defines gaps in the existing cyber-physical control systems and seeks to find better solutions. Acting on the issues would entail designing, testing, and implementing the improved controls for enhanced cybersecurity of the SMRs.
More recently, Alozie et al. [69] produced a definition of collaboration drawing from 52 scholarly articles and 87 practitioners. Key elements of the Alozie et al. [69] amalgamated definition include parties working “interdependently” and creating their own “socio-cognitive space” to jointly “create high quality products.” This definition matches well with the Wood and Gray definition and also supports this research effort. The interdependent work can be supported through the Common Criteria. The “shared rules, norms, and structures” from Wood and Gray [68] can be enhanced by the “socio-cognitive space” mentioned by Alozie et al. [69]. The creation of “high quality products” supports the goal in this research of creating more secure cyber-physical systems for the operation of the SMRs.
To test the effects of SMR collaboration with vendors of cyber-physical control systems through the Common Criteria, an ABM simulation was created using version 6.4.0 of NetLogo software [70]. The primary output of the simulation is the time-average of SMRs in a hacked state. This metric will be compared under equivalent conditions with and without collaboration efforts between SMRs and Vendors to design more secure cyber-physical control systems for the SMRs. Figure 1 shows the ABM in NetLogo. The red people represent hackers, the blue triangles are SMRs, and the yellow squares are vendors. The links between each agent are the pathways for cyberattacks or collaboration efforts. A toggle switch turns collaboration on or off, while sliders control the numbers of each agent along with the baseline cyberattack vulnerability of the SMRs. The setup and go boxes are used to randomize and run each simulation. At each setup, the positions of the agents are randomly assigned, while the characteristics of the agents are randomized based on the criteria explained in the following.
Assumptions built into this model include the condition that SMRs and hackers have varying cyber-defense and hacker skills, hacker skills improve with successful hacks, and that SMRs and vendors have varying collaboration skills. These skills can grow with successful collaborations. The success of hacking attempts depends on the skills of the defender and hacker along with random factors. Similarly, the success of collaboration attempts depends on the collaborative skills of both parties along with random factors. SMRs and vendors will attempt to collaborate based on the impetus provided by the CC, so the initial formation of collaborative relationships is not considered. SMRs are assumed to possess an inherent and unknown vulnerability level from their cyber-infrastructure arrangement. This vulnerability is reduced according to a random function when a number (ten) of successful collaboration attempts have been accumulated. An accumulation of ten positive collaborations was chosen to reflect the notion of “delayed effects” of collaboration mentioned by Howe et al. [71]. This modeling rule was adopted to provide a demonstration of the proposed simulation and could be tailored to specific situations based on applicable circumstances or theories of collaboration. This deferred outcome of collaboration principle could also be subjected to sensitivity analysis and alternative methods of modeling. Once SMRs are successfully hacked, they are assumed to stay in that condition for a randomized amount of time until they come back online.
According to Axelrod [72], “Although the topic being investigated may be complicated, the assumptions underlying the agent-based model should be simple.” In the spirit of this precept, the goal of this model is not to closely mimic the details of an actual cyber-physical system, but to demonstrate a method of testing the effects of collaboration using relatively simple rules of agent interaction. A payoff function for the effects of the collaboration was developed based on generally agreed-upon precepts of collaboration [68]. If more data was available for a particular scenario regarding the baseline vulnerability of the SMRs, the probabilities of successful cyberattacks, the impacts of collaboration, etc., the model could be updated with these specifics. Since a conceptual framework is being simulated, verification that the model works as intended is more important than validation against an actual real-world system. Verification of this model was accomplished through investigating numerous scenarios, discussing with research partners, and thorough debugging.
The simulation contains three types of agents, including SMRs, Vendors, and Hackers. SMRs begin each simulation with a cybersecurity skill level, a collaborative skill level, and an inherent vulnerability of their cyber infrastructure. Vendors start with a collaborative skill level and Hackers begin with a cyber-attack skill level. All of these characteristics are randomized within parameters for each individual agent. Simulation steps (named ticks in NetLogo) mark the passage of time. Though not specifically defined, the steps may be thought of as days or weeks for the purposes of this simulation. At the beginning of each step in the simulation, Hackers launch cyberattacks on some random number of the unhacked SMRs (assuming that some hacking attempts may be scaled to multiple targets). The success of each hack is determined by comparing the product of the Hacker skill and the SMR vulnerability, divided by the skill of the SMR, with a randomly generated number. Similarly, if the collaboration feature is turned on, SMRs launch a collaboration attempt with one of the Vendors during each step (limited to one-on-one collaboration due to the focus required on the effort). The success of the collaboration effort is determined by comparing the product of the collaborative skill of each agent with a randomly generated number.
If a hacking attempt is successful, the SMR goes into a hacked state for a number of steps pulled from a Poisson (2) random distribution. The Hacker also gets a small increase to its hacking skill level. This boost in hacking skill gradually attenuates as the simulation progresses. If a collaboration attempt is successful, a counter is incremented for the SMR. Once the SMR reaches ten successful collaboration efforts, a random improvement of up to some specified percentage is applied to its infrastructure vulnerability. This may be thought of as the payoff function for the collaboration. Additionally, after successful collaboration efforts, the collaborative skills of both parties increase by ten percent, up to a limit of 0.8. As a primary output of the simulation, the average percentage of SMRs in a hacked state per step is calculated.
The overview, design concepts, and details (ODD) protocol was refined by Grimm et al. [73], lauded by Macal [74], and clarified by Grimm et al. [75]. The ODD guidelines can be a helpful method of encapsulating an ABM simulation. Grimm et al. [76] validated the usefulness of the ODD protocol by recreating models used by other researchers using NetLogo software and the ODD descriptions provided in the original research. Following are elements of this protocol that can be helpful in understanding the model hereby proposed. Though some of this information has already been described, this summary from the ODD framework may prove helpful. Sections of the NetLogo code created for this study are attached to make research replication efforts more streamlined [75]. The code commentary and code snippets are found in the following sub-bullet points. NetLogo code is listed in italics.
  • Purpose—to demonstrate the concept of using ABM to study the benefits of collaboration between SMRs and cyber physical system vendors to improve cybersecurity infrastructure.
  • Entities—include SMRs, vendors, and hackers. SMRs are characterized by randomized cyber-defense skills, collaboration skills, cyber vulnerability levels, and status as operating normally or hacked. Vendors share the characteristic of collaboration skills. Hackers have cyber-attack skills.
    SMR and Hacker randomized initial cyber defense or attack skill designed to have a mean of 1 with high values being stronger
    set skill 0.1 + random-float 1.8
    SMR and Vendor initial collaboration skill
    set collaborative-ability 0.1 + random-float 0.6
    SMR initial cyber vulnerability level set to a base level ± some randomized amount of the base level
    set vulnerability base-vulnerability + (−1 ^ (random 2) * random-float (0.5 * base-vulnerability))
  • Process—each hacker first launches attacks on some number of the unhacked SMRs during each step in the simulation. Next, SMRs initiate collaboration efforts with one of the vendors during each step. Successful hacks result in the SMR changing color and the skill of the hacker increasing by some small random increment. Hacked SMRs come back online after a random number (Poisson (2)) of simulation steps. Successful collaboration efforts result in the skills of both the SMR and vendor increasing by some small random increment up to some limit (0.8). Also, a counter is incremented that results in a decrease in SMR cyber vulnerability once a specific number (10) of successful collaborations is met.
    Hacker attack strength and randomized success of attack effort (SMRs turn red when successfully hacked)
    let attack-strength [vulnerability] of target * skill/[skill] of target
    if attack-strength > random-float 100 [ask target [set color red + 2]
    SMR-Vendor collaboration effort strength and randomized success leading to increase in collaboration counter and randomized decrease in SMR cyber vulnerability (with diminishing returns) after 10 successful collaboration attempts
    let collaboration-strength [collaborative-ability] of collaborator * collaborative-ability
    if collaboration-strength > random-float 1 [
    set collaboration-counter collaboration-counter + 1
    if collaboration-counter >= 10 [
    set change-in-vulnerability vulnerability *
    random-float 0.15 * (exp (−0.003 * ticks))
    set vulnerability (vulnerability—change-in-
    vulnerability)
    set collaboration-counter 0
    Hacked SMRs (color red+2) come back online after randomized down time
    ask turtles with [color = red + 2] [
    ifelse countdown <= 0
    [set color blue
    set countdown random-poisson 2]
    [set countdown countdown—1]]
  • Emergence—the primary emergent output of the model is the time-average of SMRs in a hacked state.
  • Adaptation—the attack skills of the hackers and collaboration skills of the SMRs and vendors adapt to the progressions of the model.
    Change in hacker skill after successful hack is random with diminishing returns
    set change-in-skill skill * (random-float 0.003) * (exp (−0.003 * ticks))
    set skill skill + change-in-skill
    Change in collaboration skills of SMRs and Vendors after successful collaboration, randomized, up to a determined limit. Note that the initiator is the SMR and the collaborator is the Vendor.
    if collaborative-ability < 0.8 [
    set collaborative-ability collaborative-ability * (1 +
    random-float 0.03)]
    if [collaborative-ability] of collaborator < 0.8 [
    ask collaborator [set collaborative-ability
    collaborative-ability * (1 + random-float 0.03)]]
  • Interactions—attacks by hackers on SMRs as well as collaboration between SMRs and vendors are assumed in this model.
  • Stochasticity—randomization is introduced in:
    the outcomes of cyber-attacks and collaboration efforts,
    the recovery timeline of hacked SMRs,
    the incremental increases of hacker skills or SMR/vendor collaboration skills,
    and the decrease in SMR vulnerability due to successful collaborations.
  • Initialization—the simulation initialization of variables includes numbers of each agent type and base vulnerability of the SMRs.

5.3. Simulation Results and Experimentation

For simulation model experimentation, the numbers of entities involved, SMRs, Hackers, and Vendors were set to low or high (5 or 15) numbers. The initial inherent vulnerability of the SMRs was set to 2.5% for all of these simulations. To tame the high variability involved in the random simulations, 50 replications of 2000 steps were conducted for each scenario. Variance was especially high in the treatments with low numbers of SMRs and Hackers due to the random assignment of defense and hacking skills to these agents. Table 6 shows the average percentage of SMRs in a hacked state per simulation step, along with the 95% confidence intervals listed for each of the scenarios. Unsurprisingly, the scenarios with a high number of hackers had the largest impact in overall results with the percentage of SMRs in a hacked state shown to be considerably elevated. The number of SMRs had a minimal impact on the total results.
As a major finding in this study, the means of the “No Collaboration” rows in Table 6 for percentages of SMRs in a hacked state were greater than the “With Collaboration” means for each of the eight scenarios. The differences observed between these two rows demonstrate the effects of the collaboration between SMRs and Vendors (as manifested in this simulation study) to reduce successful cyber hacks. A non-paired one-tailed t-test was employed to check for statistical differences of the means with the hypothesis that the means without collaboration were greater than the means with collaboration. With a null hypothesis that the means were equal, the t-tests for all of the pairs of means rejected the null for an α of 0.05. In the closest t-test, the largest of the p-values was 0.015 in the low SMR, high Hacker, low Vendor experiment. Interestingly, simulation results with low numbers of vendors seemed to show better with-collaboration reductions in successful hacks than high numbers of vendors. This observation may be the result of easier paths for the SMRs to develop collaborative relationships with a smaller number of vendors. In a similar sense, Son and Rojas [77] limited the number of collaborative relationships in their agent-based model to three per agent in an effort to recognize the ongoing time and effort required to grow and maintain the partnerships. The nonlinear responses in the number of hacked SMRs seen in these results demonstrate the complexity of the system and the utility of ABM in studying such problems.
In another experiment, the SMR base cyberinfrastructure vulnerability was set to low, medium, and high levels (1%, 2.5%, and 4%) while the numbers of agents were fixed at ten for the SMRs, Hackers, and Vendors. Figure 2 displays these results. Note that the time (simulation step) average of hacked SMRs is very sensitive to this initial setting of base vulnerability. Each of the paired sets of data moving vertically in Figure 2 are the no-collaboration and with-collaboration settings for the three initial vulnerability level. The no-collaboration results settle into a steady state average while the with-collaboration results show a decrease in hacked SMRs over time as the results of the collaboration to strengthen the designs of the cyber-physical controls begin to take effect. The pattern of an initial jump in the hacked states of SMRs with collaboration as compared to no collaboration (before the effects of collaboration begin to harden the SMRs against attacks) may simply be the noise of variability between simulation replications or an interesting phenomenon that could bear further investigation.
The simulation was also used to investigate the change in the collaborative skills of the SMRs and Vendors as the simulation progressed. The data in Figure 3 represent the average of the collaborative abilities of the agents across 50 simulation replications with ten of each agent type and an initial cyberinfrastructure vulnerability of 2.5%. Recall that each SMR and Vendor was randomly assigned a collaborative skill between 0.1 and 0.7 in the beginning of the simulation. The success of the collaboration efforts was determined by comparing and random draw from a uniform 0, 1 distribution of the product of the collaborative abilities. When a successful collaboration effort was generated, the skills of each participating SMR and Vendor grew by a small amount. The collaborative skills of the agents were limited at 0.8 on the high end. Note the growth in the collaborative abilities, made irregular by the randomness of the simulation, and asymptotically approaching the 0.8 limit. Based on the settings of this simulation, the agents grew into their full collaborative abilities a little before 1000 simulation steps.

6. Conclusions, Limitations, and Future Research

While other researchers such as Son and Rojas [77] focused on the formation of collaborative relationships, this study sought to provide a framework for studying the effects of collaboration that is taking place. See Table 7 for a summary of the findings and implications of this study. The key to this effort is that a payoff function for the collaborative efforts must be developed, ideally descending from one or more well-respected theories of collaboration. Initiating effective collaboration may be difficult in and of itself. Human nature seems to lend itself to working in hierarchical stovepipes rather than horizontal networks that can help breed collaboration [78]. Managers can take steps to encourage collaboration. To start, a mindset that working with others is the only way to accomplish big things should be consistently communicated and modeled [79]. Then, hosting regular meetings with potential collaborative partners can help to eventually bear collaborative fruit. For this SMR study, potential partners should include government regulators as well as vendors of cybersecurity equipment (for SMRs) or customers of equipment (for vendors) [80] (p. 124). In the long run, both industry operators and government regulators want cybersecurity in critical infrastructure, so building on these mutual interests can accelerate collaborative efforts.
One limitation of this research is the assumption that collaboration was taking place between SMRs and vendors. While the results of this study on the effects of collaboration add to the existing research, a more holistic study could simulate both the formation of collaborative relationships along with the fruits of the teamwork. Another limitation is the relatively small numbers of SMRs, hackers, and vendors built into the simulation. The small numbers likely increased variability in simulation replications since random differences in the cyber hacking and defense skills of the agents were not subjected to the law of large numbers with more of each type of agent. The models could be scaled up to account for this concern, at the cost of more computing power. A third limitation is that the conditions dictating the design of this simulation were generated simply to prove the concept of using ABM to study the effects of collaborative efforts, not to mimic any real life historical cyber-attack scenarios. While the details of cyber-attacks are generally considered confidential, insiders with access to real data could adjust the simulation to closer mimic actual circumstances.
Further limitations to consider include the fact that this study proposes only one method of studying the effects of collaboration on SMR cybersecurity using ABM. Cybersecurity of SMRs is critically importance and all relevant tools and technologies must be leveraged to keep these reactors safe from cyber breaches. While this study demonstrates a potential method of modelling the payoffs of collaboration, the associated costs of collaboration have not been accounted for. Further research could assign costs to the time associated with levels of collaboration and accompanying fees. These costs could then be compared to a financial estimate of the cybersecurity benefits derived. Also, this study modeled hacker success rates that were dependent upon a randomized and evolving skill of the hackers, but not other related hacker characteristics. For instance, finding a way to model the effectiveness of different hacker strategies and attack vectors could strengthen the usefulness of this model.
This study demonstrated the feasibility of using ABM to study the effects of collaboration (via a payoff function) between SMRs and cyber-physical equipment vendors through the Common Criteria to harden nuclear installations against cyberattacks. This is an important result in light of the growing interest in using SMRs to meet growing artificial intelligence and data needs for electrical power as well as the overall need for non-carbon-based power generation. The use of ABM to study the effects of collaboration can also be extended to countless other applications, including business, industry, academia, and competitive games. Nearly all critical infrastructure security schemes can be strengthened with more intentional collaboration between stakeholder businesses and government agencies. SMRs belong to the energy critical infrastructure sector [81], but other sectors ranging from communications, to dams, to water systems could employ similar studies to model the benefits of stakeholder collaboration. Extensions of this research can include testing various theories of collaboration in the setting of cybersecurity or other applications. An interesting part of this research will be the need to translate existing theories into mathematical manifestations that will sufficiently represent payoff functions for the collaborative efforts in a simulation model. Specific to SMRs, future research could test the effects of collaboration on physical or supply chain security in addition to cybersecurity. While ABM was used for this study, further research could also investigate the efficacy of different modes of simulation to study collaboration.

Author Contributions

Conceptualization, M.B.Z. and D.J.S.; Writing—Original Draft Preparation, M.B.Z.; Writing—Review & Editing, M.B.Z. and D.J.S. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Ayodeji, A.; Mohamed, M.; Li, L.; Di Buono, A.; Pierce, I.; Ahmed, H. Cyber security in the nuclear industry: A closer look at digital control systems, networks and human factors. Prog. Nucl. Energy 2023, 161, 104738. [Google Scholar] [CrossRef]
  2. Ding, J.; Qammar, A.; Zhang, Z.; Karim, A.; Ning, H. Cyber threats to smart grids: Review, taxonomy, potential solutions, and future directions. Energies 2022, 15, 6799. [Google Scholar] [CrossRef]
  3. Abdelkader, S.; Amissah, J.; Kinga, S.; Mugerwa, G.; Emmanuel, E.; Mansour, D.A.; Bajaj, M.; Blazek, V.; Prokop, L. Securing modern power systems: Implementing comprehensive strategies to enhance resilience and reliability against cyber-attacks. Results Eng. 2024, 23, 102647. [Google Scholar] [CrossRef]
  4. Linnosmaa, J.; Papakonstantinou, N.; Malm, T.; Kotelba, A.; Pärssinen, J. Survey of Cybersecurity Standards for Nuclear Instrumentation and Control Systems. In International Symposium on Future I&C for Nuclear Power Plants, ISOFIC 2021: Online; Okayama University: Okayama, Japan, 2021; Available online: https://cris.vtt.fi/ws/portalfiles/portal/53942179/Linnosmaa_ISOFIC_2021.pdf (accessed on 22 August 2025).
  5. World Nuclear News. High Support for Advanced Nuclear Worldwide, Survey Finds. 10 May 2023. Available online: https://world-nuclear-news.org/Articles/High-support-for-advanced-nuclear-worldwide,-surve (accessed on 22 August 2025).
  6. Collins, J. Executive Gets 15 Months in Prison in Doomed Nuclear Project; The Associated Press: New York City, NY, USA, 8 March 2023; Available online: https://apnews.com/article/stephen-byrne-scana-power-plant-prison-c97cb1aaa33c991020551b2ae5c4dd85 (accessed on 22 August 2025).
  7. Crumbley, D.L. Sad Saga of the Financial Fraud of South Carolina’s Two Failed Nuclear Power Plants. J. Forensic Investig. Account. 2022, 14, 212–228. [Google Scholar]
  8. Plumer, B. U.S. Nuclear Comeback Stalls as Two Reactors Are Abandoned. The New York Times. 31 July 2017. Available online: https://www.nytimes.com/2017/07/31/climate/nuclear-power-project-canceled-in-south-carolina.html (accessed on 22 August 2025).
  9. Mignacca, B.; Locatelli, G. Economics and finance of Small Modular Reactors: A systematic review and research agenda. Renew. Sustain. Energy Rev. 2020, 118, 109519. [Google Scholar] [CrossRef]
  10. Dominion Energy. Virginia Elective and Power Company’s Report of its 2023 Integrated Resource Plan. 1 May 2023. Available online: https://rga.lis.virginia.gov/Published/2023/RD214 (accessed on 22 August 2025).
  11. Hoak, A. Gov. Youngkin’s Plan to Bring Small Modular Reactor to Southwest Virginia Hits Roadblock. WCYB, 3 March 2023. Available online: https://wcyb.com/news/local/plan-to-bring-small-modular-reactor-to-southwest-virginia-hits-roadblock-governor-glenn-youngkin-smr-energy-innovation-hub-lawmakers-republican-delegate-israel-oquinn-invest-swva-will-payne-southwest-virginia-energy-and-research-development-authority (accessed on 22 August 2025).
  12. Conover, E. Tech Companies Want Small Nuclear Reactors. Here’s How They’d Work. ScienceNews, 23 October 2024. Available online: https://www.sciencenews.org/article/small-modular-nuclear-reactors-amazon (accessed on 22 August 2025).
  13. Dalton, D. Nuclear Investment Makes Comeback, with Spending Set to Exceed $70 Billion and Promise of Further Growth. Nucnet, 5 June 2025. Available online: https://www.nucnet.org/news/nuclear-investment-makes-comeback-with-spending-set-to-exceed-usd70-billion-and-promise-of-further-growth-6-4-2025 (accessed on 22 August 2025).
  14. Hirdaris, S.E.; Cheng, Y.F.; Shallcross, P.; Bonafoux, J.; Carlson, D.; Prince, B.; Sarris, G.A. Considerations on the potential use of Nuclear Small Modular Reactor (SMR) technology for merchant marine propulsion. Ocean Eng. 2014, 79, 101–130. [Google Scholar] [CrossRef]
  15. Ingersoll, D.T.; Carelli, M.D. (Eds.) Handbook of Small Modular Nuclear Reactors; Woodhead Publishing: Sawston, UK, 2020. [Google Scholar]
  16. Derr, E. Nuclear Needs Small Amounts of Land to Deliver Big Amounts of Electricity. NEI, 29 April 2022. Available online: https://nei.org/news/2022/nuclear-brings-more-electricity-with-less-land (accessed on 22 August 2025).
  17. GAO. Nuclear Microreactors; U.S. Government Accountability Office: Washington, DC, USA, 2020. Available online: https://www.gao.gov/products/gao-20-380sp (accessed on 22 August 2025).
  18. NuScale. VOYGR Power Plants; NuScale: Corvallis, OR, USA, 2023; Available online: https://www.nuscalepower.com/en/products/voygr-smr-plants (accessed on 22 August 2025).
  19. Testoni, R.; Bersano, A.; Segantin, S. Review of nuclear microreactors: Status, potentialities and challenges. Prog. Nucl. Energy 2021, 138, 103822. [Google Scholar] [CrossRef]
  20. Liu, Z.; Fan, J. Technology readiness assessment of small modular reactor (SMR) designs. Prog. Nucl. Energy 2014, 70, 20–28. [Google Scholar] [CrossRef]
  21. Yin, S.; Zhang, Y.; Tian, W.; Qiu, S.; Su, G.H.; Gao, X. Simulation of the small modular reactor severe accident scenario response to SBO using MELCOR code. Prog. Nucl. Energy 2016, 86, 87–96. [Google Scholar] [CrossRef]
  22. Locatelli, G.; Boarin, S.; Pellegrino, F.; Ricotti, M.E. Load following with Small Modular Reactors (SMR): A real options analysis. Energy 2015, 80, 41–54. [Google Scholar] [CrossRef]
  23. Common Criteria. The Common Criteria. Available online: https://www.commoncriteriaportal.org/ (accessed on 22 August 2025).
  24. Francia, G.A., III; Francia, X.P.; Bridges, C. Agent-Based Modeling of Entity Behavior in Cybersecurity. In Advances in Cybersecurity Management; Springer International Publishing: Cham, Switzerland, 2021; pp. 3–18. [Google Scholar] [CrossRef]
  25. Husák, M.; Kašpar, J. Towards predicting cyber attacks using information exchange and data mining. In Proceedings of the 2018 14th International Wireless Communications & Mobile Computing Conference (IWCMC), Limassol, Cyprus, 25–29 June 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 536–541. [Google Scholar] [CrossRef]
  26. Rajivan, P.; Cooke, N. Impact of team collaboration on cybersecurity situational awareness. In Theory and Models for Cyber Situation Awareness; Springer International Publishing: Cham, Switzerland, 2017; pp. 203–226. [Google Scholar] [CrossRef]
  27. U.S. Nuclear Regulatory Commission. Regulatory Guide 5.71 Cyber Security Programs for Nuclear Facilities; Office of Nuclear Regulatory Research: Rockville, MD, USA, 2010. Available online: https://www.nrc.gov/docs/ML0903/ML090340159.pdf (accessed on 22 August 2025).
  28. International Nuclear Safety Advisory Group. Defense in Depth in Nuclear Safety, INSAG-10; International Atomic Energy Agency: Vienna, Austria, 1996; Available online: https://www-pub.iaea.org/MTCD/Publications/PDF/Pub1013e_web.pdf (accessed on 22 August 2025).
  29. Krause, T.; Ernst, R.; Klaer, B.; Hacker, I.; Henze, M. Cybersecurity in Power Grids: Challenges and Opportunities. Sensors 2021, 21, 6225. [Google Scholar] [CrossRef] [PubMed]
  30. Duguay, R. Small modular reactors and advanced reactor security: Regulatory perspectives on integrating physical and cyber security by design to protect against malicious acts and evolving threats. Int. J. Nucl. Secur. 2020, 7, 2. [Google Scholar] [CrossRef]
  31. Langner, R. Stuxnet: Dissecting a cyberwarfare weapon. IEEE Secur. Priv. 2011, 9, 49–51. [Google Scholar] [CrossRef]
  32. Gibson, M.; Elks, C.; Tantawy, A.; Hite, R.; Gautham, S.; Jayakumar, A.; Deloglos, C. Achieving Verifiable and High Integrity Instrumentation and Control Systems Through Complexity Awareness and Constrained Design; No. DOE/NEUP-15-8044; Electric Power Research Institute (EPRI): Charlotte, NC, USA, 2019. Available online: https://www.osti.gov/servlets/purl/1547345 (accessed on 22 August 2025).
  33. Van Dine, A.; Assante, M.; Stoutland, P. Outpacing Cyber Threats. Priorities for Cybersecurity at Nuclear Facilities; Nuclear Threat Initiative: Washington, DC, USA, 2016; Available online: https://media.nti.org/documents/NTI_CyberThreats__FINAL.pdf (accessed on 22 August 2025).
  34. MITRE. MITRE ATT&CK. Retreived June 4, 2025. Available online: https://attack.mitre.org/ (accessed on 22 August 2025).
  35. Engström, V.; Lagerström, R. Two decades of cyberattack simulations: A systematic literature review. Comput. Secur. 2022, 116, 102681. [Google Scholar] [CrossRef]
  36. Chen, J.; Shi, Y. Stochastic model predictive control framework for resilient cyber-physical systems: Review and perspectives. Philos. Trans. R. Soc. A 2021, 379, 20200371. [Google Scholar] [CrossRef]
  37. Kotenko, I.; Saenko, I.; Privalov, A.; Lauta, O. Ensuring SDN resilience under the influence of cyber attacks: Combining methods of topological transformation of stochastic networks, markov processes, and neural networks. Big Data Cogn. Comput. 2023, 7, 66. [Google Scholar] [CrossRef]
  38. Brito, T.B.; Trevisan, E.F.C.; Botter, R.C. A conceptual comparison between discrete and continuous simulation to motivate the hybrid simulation methodology. In Proceedings of the 2011 Winter Simulation Conference (WSC), Phoenix, AZ, USA, 11–14 December 2011; IEEE: Piscataway, NJ, USA; pp. 3910–3922. [Google Scholar] [CrossRef]
  39. Sarker, I.H. Deep cybersecurity: A comprehensive overview from neural network and deep learning perspective. SN Comput. Sci. 2021, 2, 154. [Google Scholar] [CrossRef]
  40. Siebers, P.O.; Macal, C.M.; Garnett, J.; Buxton, D.; Pidd, M. Discrete-event simulation is dead, long live agent-based simulation! J. Simul. 2010, 4, 204–210. [Google Scholar] [CrossRef]
  41. Robinson, S. Discrete-event simulation: From the pioneers to the present, what next? J. Oper. Res. Soc. 2005, 56, 619–629. [Google Scholar] [CrossRef]
  42. Macal, C.; North, M. Introductory tutorial: Agent-based modeling and simulation. In Proceedings of the Winter Simulation Conference 2014, Savannah, GA, USA, 7–10 December 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 6–20. [Google Scholar] [CrossRef]
  43. Kelton, W.D.; Zupick, N.B.; Ivey, N.; Sadowski, R.P. Simulation with Arena, 7th ed.; McGraw Hill Education: Columbus, OH, USA, 2024. [Google Scholar]
  44. Milov, O.; Hrebeniuk, A.; Nalyvaiko, A.; Nyemkova, E.; Opirskyy, I.; Pasko, I.; Rzayev, K.; Salii, A.; Synytsina, U.; Soloviova, O. Development of the space-time structure of the methodology for modeling the behavior of antagonistic agents of the security system. East.-Eur. J. Enterp. Technol. 2020, 6, 108. [Google Scholar] [CrossRef]
  45. Law, A.M.; Kelton, W.D. Simulation Modeling and Analysis, 3rd ed.; McGraw Hill: Columbus, OH, USA, 2000. [Google Scholar]
  46. Kara, S.; Hizal, S.; Zengin, A. Design and Implementation of a DEVS-Based Cyber-Attack Simulator for Cyber Security. Int. J. Simul. Model. (IJSIMM) 2022, 21, 53–64. [Google Scholar] [CrossRef]
  47. Abercrombie, R.K.; Schlicher, B.G.; Sheldon, F.T. Security analysis of selected AMI failure scenarios using agent based game theoretic simulation. In Proceedings of the 2014 47th Hawaii International Conference on System Sciences, Waikoloa, HI, USA, 6–9 January 2014; IEEE: Piscataway, NJ, USA, 2014; pp. 2015–2024. [Google Scholar] [CrossRef]
  48. Rafferty, L.; Iqbal, F.; Aleem, S.; Lu, Z.; Huang, S.C.; Hung, P.C. Intelligent multi-agent collaboration model for smart home IoT security. In Proceedings of the 2018 IEEE international congress on internet of things (ICIOT), San Francisco, CA, USA, 2–7 July 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 65–71. [Google Scholar] [CrossRef]
  49. Kim, S.; Heo, G.; Zio, E.; Shin, J.; Song, J.G. Cyber attack taxonomy for digital environment in nuclear power plants. Nucl. Eng. Technol. 2020, 52, 995–1001. [Google Scholar] [CrossRef]
  50. Chaudhary, S.; Gkioulos, V.; Katsikas, S. Developing metrics to assess the effectiveness of cybersecurity awareness program. J. Cybersecur. 2022, 8, tyac006. [Google Scholar] [CrossRef]
  51. Husák, M.; Komárková, J.; Bou-Harb, E.; Čeleda, P. Survey of attack projection, prediction, and forecasting in cyber security. IEEE Commun. Surv. Tutor. 2018, 21, 640–660. [Google Scholar] [CrossRef]
  52. Garcia Contreras, A.F.; Ceberio, M.; Kreinovich, V. Plans are worthless but planning is everything: A theoretical explanation of Eisenhower’s observation. In Decision Making Under Constraints; Springer: Cham, Switzerland, 2020; pp. 93–98. [Google Scholar] [CrossRef]
  53. Schrom, E.; Kinzig, A.; Forrest, S.; Graham, A.L.; Levin, S.A.; Bergstrom, C.T.; Castillo-Chavez, C.; Collins, J.P.; De Boer, R.J.; Doupé, A.; et al. Challenges in cybersecurity: Lessons from biological defense systems. Math. Biosci. 2023, 362, 109024. [Google Scholar] [CrossRef]
  54. Tagarev, T. Towards the design of a collaborative cybersecurity networked organisation: Identification and prioritisation of governance needs and objectives. Future Internet 2020, 12, 62. [Google Scholar] [CrossRef]
  55. Yoon, K.; Chang, S.Y. Teaching team collaboration in cybersecurity: A case study from the transactive memory systems perspective. In Proceedings of the 2021 IEEE Global Engineering Education Conference (EDUCON), Vienna, Austria, 21–23 April 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 841–845. [Google Scholar] [CrossRef]
  56. Kavak, H.; Padilla, J.J.; Vernon-Bido, D.; Diallo, S.Y.; Gore, R.; Shetty, S. Simulation for cybersecurity: State of the art and future directions. J. Cybersecur. 2021, 7, tyab005. [Google Scholar] [CrossRef]
  57. International Organization for Standardization. ISO/IEC 15408 Information Security, Cybersecurity and Privacy Protection. 2022. Available online: https://www.iso.org/standard/72891.html (accessed on 22 August 2025).
  58. Dar, S.A.; Shairgojri, A.A. Proposed Arrangements and Cyber Security Challenges in Nuclear Domain: An Explanatory study Of India. BOHR Int. J. Comput. Sci. 2022, 1, 104–109. [Google Scholar] [CrossRef]
  59. King James Bible; Cambridge University Press: Cambridge, UK, 2017.
  60. Son, J.; Choi, J.; Yoon, H. New complementary points of cyber security schemes for critical digital assets at nuclear power plants. IEEE Access 2019, 7, 78379–78390. [Google Scholar] [CrossRef]
  61. Turner, L. Common Criteria for Nuclear Cyber Security. In Proceedings of the International Conference on Nuclear Security 2020, Vienna, Austria, 10–14 February 2020; Available online: https://conferences.iaea.org/event/181/contributions/15797/ (accessed on 22 August 2025).
  62. Aamoth, B.; Lee, W.E.; Ahmed, H. Net-Zero Through Small Modular Reactors-Cybersecurity Considerations. In Proceedings of the IECON 2022—48th Annual Conference of the IEEE Industrial Electronics Society, Brussels, Belgium, 17–20 October 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 1–5. [Google Scholar] [CrossRef]
  63. CNBC. Dow CEO Jim Fitterling on Advanced Nuclear Reactor Project in Texas. Squawk on the Street. 12 May 2023. Available online: https://www.cnbc.com/video/2023/05/12/dow-ceo-jim-fitterling-on-advanced-nuclear-reactor-project-in-texas.html (accessed on 22 August 2025).
  64. Ingersoll, D.T.; Houghton, Z.J.; Bromm, R.; Desportes, C. NuScale small modular reactor for co-generation of electricity and water. Desalination 2014, 340, 84–93. [Google Scholar] [CrossRef]
  65. Shropshire, D.; Purvins, A.; Papaioannou, I.; Maschio, I. Benefits and cost implications from integrating small flexible nuclear reactors with off-shore wind farms in a virtual power plant. Energy Policy 2012, 46, 558–573. [Google Scholar] [CrossRef]
  66. Khan, A.A.; Beg, O.A. Cyber Vulnerabilities of Modern Power Systems. In Power Systems Cybersecurity. Power Systems; Haes Alhelou, H., Hatziargyriou, N., Dong, Z.Y., Eds.; Springer: Cham, Switzerland, 2023. [Google Scholar] [CrossRef]
  67. Macal, C.M. Tutorial on agent-based modeling and simulation: ABM design for the zombie apocalypse. In Proceedings of the 2018 Winter Simulation Conference (WSC), Gothenburg, Sweden, 9–12 December 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 207–221. [Google Scholar] [CrossRef]
  68. Wood, D.J.; Gray, B. Toward a Comprehensive Theory of Collaboration. J. Appl. Behav. Sci. 1991, 27, 139–162. [Google Scholar] [CrossRef]
  69. Alozie, N.; Yang, H.; Rachmatullah, A.; Lopez-Prado, B. Toward A More Comprehensive Definition of Collaboration: Scholarly Literature vs. Practitioners. In Proceedings of the 17th International Conference of the Learning Sciences—ICLS 2023; International Society of the Learning Sciences: Montreal, QC, Canada, 2023; pp. 1246–1249. [Google Scholar] [CrossRef]
  70. Wilensky, U. NetLogo. 1999. Available online: https://www.netlogo.org/ (accessed on 22 August 2025).
  71. Howe, C.; McWilliam, D.; Cross, G. Chance favours only the prepared mind: Incubation and the delayed effects of peer collaboration. Br. J. Psychol. 2005, 96, 67–93. [Google Scholar] [CrossRef]
  72. Axelrod, R. The Complexity of Cooperation: Agent-Based Models of Competition and Collaboration: Agent-Based Models of Competition and Collaboration; Princeton University Press: Princeton, NJ, USA, 1997. [Google Scholar]
  73. Grimm, V.; Berger, U.; DeAngelis, D.L.; Polhill, J.G.; Giske, J.; Railsback, S.F. The ODD protocol: A review and first update. Ecol. Model. 2010, 221, 2760–2768. [Google Scholar] [CrossRef]
  74. Macal, C.M. Everything you need to know about agent-based modelling and simulation. J. Simul. 2016, 10, 144–156. [Google Scholar] [CrossRef]
  75. Grimm, V.; Railsback, S.F.; Vincenot, C.E.; Berger, U.; Gallagher, C.; DeAngelis, D.L.; Edmonds, B.; Ge, J.; Giske, J.; Groeneveld, J.; et al. The ODD protocol for describing agent-based and other simulation models: A second update to improve clarity, replication, and structural realism. J. Artif. Soc. Soc. Simul. 2020, 23, 7. [Google Scholar] [CrossRef]
  76. Grimm, V.; Berger, U.; Calabrese, J.M.; Cortés-Avizanda, A.; Ferrer, J.; Franz, M.; Groeneveld, J.; Hartig, F.; Jakoby, O.; Jovani, R.; et al. Using the ODD protocol and NetLogo to replicate agent-based models. Ecol. Model. 2025, 501, 110967. [Google Scholar] [CrossRef]
  77. Son, J.; Rojas, E.M. Evolution of collaboration in temporary project teams: An agent-based modeling and simulation approach. J. Constr. Eng. Manag. 2011, 137, 619–628. [Google Scholar] [CrossRef]
  78. O’Sullivan, T.M.; Ramsay, J. Science and stovepipes: The covid/climate mandate for intelligence analysis and education. J. Homel. Secur. Educ. 2023, 16, 1–7. [Google Scholar]
  79. Schot, E.; Tummers, L.; Noordegraaf, M. Working on working together. A systematic review on how healthcare professionals contribute to interprofessional collaboration. J. Interprofessional Care 2020, 34, 332–342. [Google Scholar] [CrossRef] [PubMed]
  80. Morgan, G.; Gordijn, B. A care-based stakeholder approach to ethics of cybersecurity in business. In The Ethics of Cybersecurity; Springer International Publishing: Cham, Switzerland, 2020; pp. 119–138. [Google Scholar]
  81. CISA. Critical Infrastructure Sectors; Cybersecurity & Infrastructure Security Agency: Washington, DC, USA. Available online: https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors (accessed on 22 August 2025).
Jcp 05 00083 g001
Figure 1. NetLogo ABM Simulation of Cyberattacks and Collaboration. Note: Agents include red people hackers, blue triangle SMRs, and yellow square vendors.
Figure 1. NetLogo ABM Simulation of Cyberattacks and Collaboration. Note: Agents include red people hackers, blue triangle SMRs, and yellow square vendors.
Jcp 05 00083 g001
Jcp 05 00083 g002
Figure 2. Percent Hacked SMRs Based on Initial Vulnerability. Note: The simulations included collaboration (C) and no collaboration (NC) at three different levels of baseline SMR cyber vulnerability.
Figure 2. Percent Hacked SMRs Based on Initial Vulnerability. Note: The simulations included collaboration (C) and no collaboration (NC) at three different levels of baseline SMR cyber vulnerability.
Jcp 05 00083 g002
Jcp 05 00083 g003
Figure 3. Change in SMR and Vendor Collaborative Skills. Note: As SMRs and Vendors successfully collaborate, they improve in their collaborative skills up to a specified ceiling.
Figure 3. Change in SMR and Vendor Collaborative Skills. Note: As SMRs and Vendors successfully collaborate, they improve in their collaborative skills up to a specified ceiling.
Jcp 05 00083 g003
Table 1. Power output and size of SMRs compared to conventional reactors and microreactors.
Table 1. Power output and size of SMRs compared to conventional reactors and microreactors.
Nuclear Reactor TypePower OutputInstallation Size
Conventional Reactor~1000 MWe1.3 square miles
Small Modular Reactor<300 MWe0.05 square miles
Microreactor<20 MWeOne shipping container
Note. Data obtained from Derr [16], GAO [17], NuScale [18], and Testoni et al. [19].
Table 2. Possible hacker identity and motivations.
Table 2. Possible hacker identity and motivations.
Hacker IdentityHacker Motivations
TerroristsObtain nuclear material for weapons use or initiate nuclear
accident to create chaos.
Nation-statesWeaken enemies or steal information.
Ransomware hackersProfit by locking and/or threatening powerplant systems for a
ransom.
ActivistsGain awareness for a specific social or civil cause.
Note. Information derived from Van Dine et al. [33].
Table 3. Agent-based modeling vs. discrete event simulation.
Table 3. Agent-based modeling vs. discrete event simulation.
Agent-Based Modeling (ABM)Discrete Event Simulation (DES)
  • Relatively new
  • Studies the interactions of autonomous agents
  • Intuitively aligned with modeling cyber security stakeholders
  • Can show emerging patterns in agent interactions
  • Follows a list of instructions for agents at each simulation step
  • More well established
  • Studies systems by tracking the occurrence of randomized events
  • Less well-equipped to model agent interactions
  • Can be used to estimate steady state behavior of the system
  • Maintains an event calendar for the randomized events
Note. Information derived from Macal and North [42] and Kelton et al. [43].
Table 4. Common Criteria Benefits, Uses, and Features.
Table 4. Common Criteria Benefits, Uses, and Features.
  • Designer/Vendor collaboration
  • Penetration tests
  • Updates based on lessons from new cyber attacks
  • Validation of encryption
  • Security of computer code
  • Matching of security to use case
Note. Information from Linnosmaa et al. [4] and Son et al. [60].
Table 5. Possible SMR cyberattack routes and potential uses of ABM.
Table 5. Possible SMR cyberattack routes and potential uses of ABM.
Possible SMR Cyberattack RoutesABM/Common Criteria Simulation Options
Part supply chainCollaboration among members of the supply chain to improve cybersecurity
Enhanced use of digital controlsCyber-defense agents coordinating with vendor agents through the Common Criteria to reduce vulnerabilities
Minimal on-site staffingLow staffing worker agents to study threat of inside attack or outcomes of successful cyberattack
Digital integration with other industrial systemsCyber-attack agents attempting to attack SMRs through the connected industrial systems, along with the effects of collaboration among the connected industries
Note. Information obtained from Aamoth et al. [62] and Ingersoll et al. [64].
Table 6. Percentage of SMRs in a hacked state for high and low numbers of agent types.
Table 6. Percentage of SMRs in a hacked state for high and low numbers of agent types.
Low Small Modular ReactorHigh Small Modular Reactor
Low HackerHigh HackerLow HackerHigh Hacker
Low VendorHigh VendorLow VendorHigh VendorLow
Vendor		High VendorLow VendorHigh Vendor
No Collaboration17.4% ± 2.0%16.6% ± 1.6%34.5% ± 2.1%34.8% ± 1.9%16.4% ± 1.0%15.3% ± 1.1%33.4% ± 1.1%32.3% ± 1.2%
With Collaboration11.9% ± 1.3%13.6% ± 1.7%31.1% ± 2.2%29.1% ± 1.9%9.5% ± 0.9%11.5% ± 1.3%24.4% ± 1.3%25.9% ± 1.6%
Reduction in means w/& w/o collab31.67%18.06%10.02%16.42%42.01%24.72%26.88%19.94%
p-value for one-sided T-test<0.0010.0060.015<0.001<0.001<0.001<0.001<0.001
Note. Each agent was set at high and low levels, experiments were performed with and without agent collaboration, and 50 simulation replications were performed for each treatment.
Table 7. Research Findings and Implications.
Table 7. Research Findings and Implications.
  • Agent-based modeling can be used to simulate the effects of collaboration in reducing cybersecurity risks.
  • The demonstrated model can investigate reductions in risk due to collaboration, sensitivity to base vulnerability levels, and growth of collaborative skills.
  • The nuclear power industry should consider use of the Common Criteria to collaborate with cyber equipment vendors for SMR needs.
  • This research could be extended to collaboration of the security of other critical infrastructure or stakeholder collaboration in nearly any context.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Zamperini, M.B.; Schwerha, D.J. Simulating Collaboration in Small Modular Nuclear Reactor Cybersecurity with Agent-Based Models. J. Cybersecur. Priv. 2025, 5, 83. https://doi.org/10.3390/jcp5040083

AMA Style

Zamperini MB, Schwerha DJ. Simulating Collaboration in Small Modular Nuclear Reactor Cybersecurity with Agent-Based Models. Journal of Cybersecurity and Privacy. 2025; 5(4):83. https://doi.org/10.3390/jcp5040083

Chicago/Turabian Style

Zamperini, Michael B., and Diana J. Schwerha. 2025. "Simulating Collaboration in Small Modular Nuclear Reactor Cybersecurity with Agent-Based Models" Journal of Cybersecurity and Privacy 5, no. 4: 83. https://doi.org/10.3390/jcp5040083

APA Style

Zamperini, M. B., & Schwerha, D. J. (2025). Simulating Collaboration in Small Modular Nuclear Reactor Cybersecurity with Agent-Based Models. Journal of Cybersecurity and Privacy, 5(4), 83. https://doi.org/10.3390/jcp5040083

Article Metrics

Back to TopTop