ISA NATIONAL DEFENSE CYBER THREAT REPORT: NUCLEAR

The Nuclear-Cyber Convergence: America’s Energy Future Meets Its Greatest Security Challenge

Technology giants are investing billions in nuclear energy to power their artificial intelligence initiatives. Microsoft plans to restart the reactor at Three Mile Island, Google has contracted for 500 megawatts from small modular reactors, and Amazon has taken stakes in several nuclear projects¹. This wave of investment reflects AI’s unprecedented energy appetite, a demand that renewable sources alone cannot reliably satisfy².

But this nuclear expansion continues amid persistent cyber vulnerabilities. Nation-state adversaries have repeatedly penetrated nuclear facilities worldwide, proving that the systems driving America’s technological future remain prime targets for strategic exploitation.

 

Documented Intrusions

In March 2022, the Department of Justice unsealed indictments against three officers of Russia’s Federal Security Service for compromising the Wolf Creek Nuclear Operating Corporation in Kansas. These Russian operatives ran spear-phishing campaigns between 2012 and 2017 that targeted more than 500 companies and 3,300 individuals, successfully breaching Wolf Creek’s business network³.

Their success mirrors global trends. In 2019, North Korean hackers infiltrated India’s Kudankulam Nuclear Power Plant using custom-built malware⁴. In 2014, attackers breached South Korea’s Korea Hydro and Nuclear Power Company and stole reactor blueprints⁵. In 2016, malware infected Germany’s Gundremmingen nuclear power plant, disrupting systems that managed the fuel rods⁶.

These incidents show a consistent pattern: sophisticated actors gain access, maintain persistence, and extract intelligence from facilities built to resist physical attacks but not networked intrusions. Traditional nuclear safeguards are insufficient to counter adversaries who exploit human error, interconnected supply chains, and software flaws.

 

Regulatory Limits

Following the September 11 attacks, the Nuclear Regulatory Commission (NRC) implemented a comprehensive cybersecurity framework. Regulation 10 CFR 73.54, issued in 2009, requires operators to provide “high assurance” that digital systems can withstand cyberattacks¹. The NRC updated its guidance in 2023 to reflect lessons from past intrusions and evolving threats¹.

Even so, compliance frameworks cannot close the resource gap between private operators and state-sponsored attackers. Nuclear facilities spend tens of millions of dollars each year on cybersecurity, while adversaries command state-funded budgets measured in hundreds of millions. Regulation ensures accountability and minimum standards, but it cannot offset the inherent disadvantage civilian infrastructure faces when confronting military-grade operations.

The regulatory landscape itself compounds these challenges¹. Nuclear operators navigate cybersecurity requirements from multiple federal agencies—the NRC, Department of Energy, Department of Homeland Security, and sector-specific mandates—often addressing overlapping concerns through different compliance frameworks³. This fragmentation diverts limited resources toward documentation and process rather than operational security improvements. Few of these regulations have been subjected to rigorous cost-benefit analysis to determine whether their mandates actually deliver security improvements that justify the compliance burdens they impose. Without a systematic evaluation of whether regulatory requirements achieve meaningful risk reduction, operators allocate tens of millions to meet prescribed standards that may or may not address the threats posed by adversaries already operating within these networks.

 

The AI-Nuclear Expansion

The International Energy Agency projects that global data center electricity consumption will approach 1,000 terawatt-hours by 2030, more than double the 2025 levels, with AI driving much of the growth. Technology companies view nuclear power as uniquely suited to meet that demand.

Microsoft’s Three Mile Island agreement alone will add 835 megawatts dedicated to data-center operations². Each new reactor, control system, and network connection expands the attack surface adversaries can exploit. Small modular reactors promise faster deployment and scalability, but accelerated timelines often conflict with security-by-design principles². Globalized supply chains further complicate defense as components arrive from a wide range of vendors.

Financial pressure to deliver new capacity quickly can lead to shorter security-testing cycles. The pace of AI-driven energy demand and the deliberation required for rigorous cybersecurity remain fundamentally misaligned.

 

Strategic Dependencies

Facilities that power AI infrastructure are becoming as strategically significant as the AI systems themselves. Microsoft’s data centers will rely on electricity from Three Mile Island; disrupting that supply could have effects comparable to attacking the centers directly, while complicating attribution. Google’s future operations will depend on reactors still in development; designs that, if compromised today, could embed vulnerabilities lasting for decades.

The Department of War is increasingly relying on AI-enabled analysis and planning hosted on commercial cloud infrastructure powered by the same private facilities. Adversaries no longer need to breach military networks directly if they can degrade the civilian energy systems that sustain them.

China, Russia, Iran, and North Korea have all demonstrated both the capability and intent to target nuclear facilities. The Wolf Creek case showed that Russian hackers maintained access for 5 years before detection—persistence that enabled them to choose the timing and method for maximum disruption.

 

The Challenge

Nuclear cybersecurity poses a systemic challenge that extends beyond any single operator. Private companies cannot defend against state-sponsored campaigns with commercial-scale budgets. Classified threat intelligence further limits their situational awareness, leaving many without a complete understanding of the adversaries they face.

As nuclear energy becomes increasingly essential to sustaining AI innovation, the gap between the magnitude of threats and available resources continues to widen. Technology companies run data centers, not power plants. Nuclear operators generate electricity, not national-level cyber defense.

Policymakers must decide whether to treat nuclear cybersecurity as a national defense priority—resourced and coordinated accordingly—or to allow the infrastructure powering America’s next technological revolution to remain vulnerable to adversaries already inside its networks.

 

 

 

 

Endnotes:

1. Sebastian Moss, “Three Mile Island nuclear power plant to return as Microsoft signs 20-year, 835 MW AI data-center PPA,” DataCenterDynamics, September 20, 2024. https://www.datacenterdynamics.com/en/news/three-mile-island-nuclear-power-plant-to-return-as-microsoft-signs-20-year-835mw-ai-data-center-ppa/.
2. Associated Press, “New life proposed for Three Mile Island supplying power to Microsoft,” September 20, 2024. https://apnews.com/article/three-mile-island-nuclear-power-microsoft-8f47ba63a7aab8831a7805dfde0e2c39.
3. S. Department of Justice, “Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide,” Press Release, March 24, 2022. https://www.justice.gov/archives/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical.
4. Arms Control Association, “Cyberattack Hits Indian Nuclear Plant,” Dec 1, 2019. https://www.armscontrol.org/act/2019-12/news/cyberattack-hits-indian-nuclear-plant.
5. The Guardian, “South Korea’s nuclear-plant operator hacked, data on reactors leaked,” Dec 22, 2014. https://www.theguardian.com/world/2014/dec/22/south-korea-nuclear-power-cyber-attack-hack.
6. Christoph Steitz & Eric Auchard, “German nuclear plant infected with computer viruses, operator says,” Reuters, Apr. 27, 2016. https://www.reuters.com/article/technology/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS/.
7. 10 CFR 73.54 – Protection of Digital Computer and Communication Systems and Networks. https://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0054.
8. Federal Register notice: https://www.federalregister.gov/documents/2023/02/13/2023-02941/cyber-security-programs-for-nuclear-power-reactors.
9. Tannenbaum, A., Rudawski, A., Phillipson, R., Lancaster, K., & Whitby, I., “The cyber-nuclear nexus: safeguarding clean energy”, A&O Shearman on Technology Blog, June 5, 2025. Available at: https://www.aoshearman.com/en/insights/ao-shearman-on-tech/the-cyber-nuclear-nexus-safeguarding-clean-energy.
10. International Energy Agency, Energy and AI: Energy Demand from AI (Paris: IEA, 2024). Available at: https://www.iea.org/reports/energy-and-ai/energy-demand-from-ai.
11. International Atomic Energy Agency (IAEA), “Five Reports of the SMR Regulators’ Forum Published”, Dec 2023. https://www.iaea.org/newscenter/news/five-reports-of-the-smr-regulators-forum-published.