NRC’s Efforts in Promoting Cybersecurity Resilience in Nuclear Infrastructure

The Nuclear Regulatory Commission (NRC) is the primary federal agency responsible for ensuring the safe and secure operation of the United States’ civilian nuclear power plants and fuel cycle facilities. In an era of escalating cyber threats—from nation-state actors to ransomware groups—the NRC has made cybersecurity resilience a top priority. This means not only preventing attacks but also ensuring that critical systems can withstand, respond to, and recover from cyber incidents without compromising safety or security. The NRC’s regulatory framework, oversight activities, and collaborative initiatives form a comprehensive strategy to protect the nation’s nuclear infrastructure from digital adversaries. As technology evolves and threat actors become more sophisticated, the NRC continuously updates its approach to stay ahead of risks. This article examines the NRC’s regulatory posture, key programs, ongoing challenges, and future directions in cybersecurity.

Regulatory Framework and Guidelines

The foundation of NRC cybersecurity efforts rests on a robust set of regulations and guidance documents. The primary regulation is 10 CFR Part 73, “Physical Protection of Plants and Materials,” which includes specific cybersecurity requirements for nuclear power plants. These rules mandate that licensees develop and maintain a cybersecurity program that addresses the protection of digital computer and communication systems and networks, including any systems that could affect safety, security, or emergency preparedness. The NRC’s regulatory approach is risk-informed and performance-based, allowing licensees flexibility in how they meet requirements while ensuring a high level of protection.

Cybersecurity Plans and Defense-in-Depth

Each nuclear facility must submit a comprehensive cybersecurity plan for NRC approval. These plans are built on a defense-in-depth strategy, incorporating multiple layers of security controls such as firewalls, intrusion detection systems, access controls, and continuous monitoring. The plans must address critical digital assets (CDAs)—systems whose compromise could directly or indirectly affect safety or security. Licensees are required to identify CDAs, assess their vulnerabilities, and implement protective measures. The NRC’s guidance documents, including Regulatory Guide 5.71 and NEI 08-09 (the industry standard endorsed by the NRC), provide detailed methodologies for implementing cybersecurity programs. These guidelines cover areas such as network architecture (including air-gapped systems), supply chain risk management, and personnel security.

Inspections and Enforcement

The NRC conducts regular inspections of licensee cybersecurity programs. Inspectors evaluate the effectiveness of technical controls, review incident response plans, and test the ability of staff to detect and respond to simulated cyber events. The NRC’s Cybersecurity Inspection Program includes baseline inspections, targeted inspections, and force-on-force exercises that incorporate cyber attack scenarios. Findings are tracked, and licensees are required to correct deficiencies promptly. Enforcement actions, including civil penalties, are used when violations are identified. The NRC also requires mandatory reporting of cyber incidents that could affect safety or security, ensuring that lessons learned are shared across the industry. More information about the NRC’s inspection framework can be found on the NRC Reactor Oversight Process page.

Key Initiatives and Programs

Beyond regulatory oversight, the NRC leads and participates in a range of initiatives designed to strengthen nuclear cybersecurity resilience. These programs address assessment, information sharing, training, and incident response.

Cybersecurity Assessments and Exercises

The NRC conducts regular cybersecurity assessments at nuclear facilities. These include vulnerability scans, penetration testing, and tabletop exercises that simulate sophisticated cyber attacks. The NRC also participates in Force-on-Force (FOF) exercises, which evaluate both physical protection and cybersecurity in integrated scenarios. These exercises help identify gaps in defenses and improve coordination between security and IT teams. Additionally, the NRC collaborates with the Idaho National Laboratory (INL) to perform advanced cyber threat assessments using INL’s testbed capabilities, which replicate nuclear control systems in a controlled environment. Insights from these assessments inform updates to regulations and guidance. For more on INL’s cybersecurity work, visit the INL Cybersecurity Program page.

Information Sharing and Collaboration

Effective cybersecurity requires real-time threat intelligence. The NRC works closely with the Cybersecurity and Infrastructure Security Agency (CISA), the Electricity Information Sharing and Analysis Center (E-ISAC), and other federal partners to share indicators of compromise, threat actor tactics, and mitigation strategies. The NRC also maintains a dedicated information-sharing portal for licensees, providing access to advisories, best practices, and incident reports. Through the NRC’s Cyber Security Directorate, the agency participates in interagency working groups focused on critical infrastructure protection. This collaborative approach ensures that the nuclear industry benefits from intelligence gathered across the entire energy sector and government. The NRC also engages with international partners through the International Atomic Energy Agency (IAEA) to harmonize cybersecurity standards and share incident data globally.

Training and Education Programs

Human error remains a leading cause of cyber incidents. The NRC mandates ongoing cybersecurity training for all personnel with access to critical digital assets. Training covers phishing awareness, password hygiene, incident recognition, and reporting procedures. The NRC’s National Cybersecurity Center of Excellence (NCCoE) provides resources and workshops tailored to the nuclear sector. Additionally, the NRC supports the development of a cybersecurity workforce through partnerships with universities and industry associations. The Nuclear Energy Institute (NEI) offers certification programs for nuclear cybersecurity professionals, and the NRC encourages licensees to pursue industry-recognized credentials such as the Certified Information Systems Security Professional (CISSP) or the Global Industrial Cyber Security Professional (GICSP). The NRC also hosts an annual cybersecurity conference where regulators, licensees, and vendors share lessons learned and emerging threats. More details on training resources are available from CISA’s training and exercises page.

Incident Response Planning

Every nuclear facility must have a detailed incident response plan documented in its cybersecurity program. These plans outline procedures for detecting, analyzing, containing, eradicating, and recovering from cyber incidents. The NRC requires that plans be tested annually through exercises that involve both technical teams and executive leadership. The NRC maintains its own Incident Response Plan (IRP) to coordinate federal actions in the event of a significant cyber event affecting nuclear infrastructure. The IRP defines roles and responsibilities for the NRC, other federal agencies, and licensees. The NRC also participates in the Cyber Storm and Liberty Eclipse exercises, which are large-scale simulations involving multiple sectors and government agencies. These exercises test communication channels, decision-making processes, and recovery procedures under realistic stress conditions.

Challenges and Future Directions

Despite the NRC’s comprehensive efforts, the cybersecurity landscape for nuclear infrastructure faces persistent and emerging challenges. The agency is actively working to address these through policy updates, technology adoption, and international collaboration.

Evolving Threat Landscape

Cyber threats continue to grow in sophistication and frequency. Ransomware attacks have disrupted operations at energy facilities worldwide, and nation-state actors have demonstrated the ability to breach air-gapped systems (e.g., Stuxnet, Triton). The NRC recognizes that the threat is not static; adversaries are constantly developing new techniques to bypass existing controls. Supply chain attacks—where malicious code is inserted into hardware or software before installation—pose a particularly insidious risk because they can compromise trusted components. The NRC has tightened supply chain requirements, mandating that licensees assess vendors, verify integrity of software updates, and monitor for anomalous behavior in industrial control systems. The agency also works with CISA to disseminate indicators of compromise and vulnerability alerts specific to industrial control systems used in nuclear power generation.

Adoption of Advanced Technologies

To counter evolving threats, the NRC is encouraging the adoption of advanced cybersecurity technologies. Artificial intelligence (AI) and machine learning (ML) are being used to analyze network traffic for anomalies that could indicate a cyber intrusion. Behavioral baselining tools can detect deviation from normal operator actions, flagging potential insider threats or compromised credentials. Zero Trust Architecture (ZTA) principles—where every access request is verified regardless of origin—are being piloted at some facilities. The NRC has issued guidance on integrating AI/ML into cybersecurity monitoring without compromising safety. Another promising technology is moving target defense, which dynamically changes system configurations to increase attacker uncertainty. The NRC’s Office of Nuclear Reactor Regulation (NRR) has established a cross-cutting team to evaluate these emerging technologies and develop regulatory positions that allow innovation while maintaining security. More information about zero trust in operational technology can be found at CISA’s Zero Trust Maturity Model page.

Workforce Development and Cultural Integration

A significant challenge is the shortage of cybersecurity professionals with operational technology (OT) expertise. Nuclear facilities require personnel who understand both IT security and the unique physics and operations of nuclear reactors. The NRC is working with educational institutions and industry groups to expand the pipeline of talent. Internship programs, scholarships, and apprenticeship models are being promoted. In addition, the NRC is pushing to integrate cybersecurity into the broader safety culture of nuclear facilities. Rather than treating cybersecurity as a separate compliance function, the goal is to embed it into everyday operations—from design to decommissioning. This culture shift requires leadership commitment, regular communication, and metrics that link cybersecurity performance to safety outcomes. The NRC’s Safety Culture Policy Statement now explicitly includes cybersecurity as a component of a healthy safety culture.

International Cooperation and Standardization

Cyber threats are global, and no nation can defend its nuclear infrastructure alone. The NRC actively participates in the IAEA’s International Conference on Nuclear Security and contributes to the development of international cybersecurity guidelines for the nuclear sector. Bilateral agreements with countries such as Japan, the United Kingdom, and South Korea facilitate information sharing and joint exercises. The NRC also supports the World Institute for Nuclear Security (WINS) in developing training materials for cybersecurity professionals worldwide. Harmonizing regulatory approaches across countries reduces fragmentation and allows vendors to design secure systems that meet multiple jurisdictions’ requirements. As new reactor designs—including small modular reactors (SMRs) and advanced reactors—come online, the NRC is working with international partners to ensure that cybersecurity is built into them from the ground up.

Conclusion

The NRC’s multi-layered approach to cybersecurity resilience—combining stringent regulations, proactive assessments, robust information sharing, targeted training, and forward-leaning technology adoption—provides a strong defense for the nation’s nuclear infrastructure. However, the agency recognizes that cybersecurity is not a destination but a continuous process of improvement. As threats evolve, the NRC will continue to update its regulatory framework, incorporate advanced technologies, and deepen partnerships both domestically and internationally. By making cybersecurity an integral part of nuclear safety culture, the NRC ensures that America’s nuclear facilities remain secure, reliable, and resilient against the cyber risks of the 21st century.