The 2026 NEI Cyber Security Implementation Workshop in Charlotte last week was a resounding success for InfraShield, and we saw up-close how leading utilities are grappling with the next wave of nuclear cyber transformation. This paradigm shift most notably includes NEI 08-09 Revision 7 implementation, AI adoption, and the deployment of wireless networking technologies.
Summary
InfraShield attended the 2026 NEI Cyber Security Implementation Workshop in Charlotte, where nuclear industry leaders explored the next phase of cyber transformation. Key themes included the rollout of NEI 08-09 Revision 7, the growing role of AI in high-consequence workflows, and the cautious adoption of wireless technologies in safety-related environments. While these innovations offer clear operational and efficiency gains, they also introduce new complexity and risk. The central takeaway: utilities must evaluate each initiative through a disciplined ROI and security lens, ensuring modernization efforts strengthen—not erode—defense-in-depth and long-term resilience.
The workshop reinforced NEI’s broader objective of bringing the nuclear cybersecurity community together to move beyond compliance and toward confident, best-in-class implementation. Across sessions, the focus was clear: practical, implementation-driven strategies that strengthen both current operations and next-generation reactor security.
As we met with utility leaders and listened to various presentations, we found ourselves grappling with the same questions: Where is the real value? How do we prove ROI? And how do we ensure that transformation doesn’t quietly erode the integrity of an established cyber risk posture?
In this recap of the event, InfraShield highlights the most prominent themes in nuclear cybersecurity and provides recommendations to help utility operators strategically align with digital transformation trends.
Rev 7: Is the Juice Worth the Squeeze?
Revision 7 provides an update to NEI 08-09, “Cyber Security Plan for Nuclear Power Reactors”, which is the industry playbook that provides a standardized framework for establishing a cyber security program that satisfies the stringent regulatory requirements of 10 CFR 73.54. The plan’s primary purpose is to protect digital computers, communications systems, and networks at nuclear power plants from cyber attacks that could impact safety, security, or emergency preparedness functions. The guidance outlines a defensive strategy based on “defense-in-depth,” utilizing a combination of technical, operational, and management security controls to ensure that digital systems remain resilient against evolving threats.
Revision 7 updates that playbook with clarified expectations for vulnerability management, wireless, defense-in-depth, and critical group criteria. The NRC has now approved it as an acceptable approach for licensees that choose to adopt it.
During NEI’s Rev 7 workshop, Zee Sultan and Justin Wearne of PSEG, together with Dave Feitl of Xcel Energy, walked through how the “early mover” adoption of Rev 7 at the Salem/Hope Creek and Prairie Island sites impacted both financial savings and operational efficiency. At a high level, the projected upside ultimately comes from major changes to how programs are run, like using dedicated software for program and vulnerability management, aggressively trimming CDA inventories, and integrating cyber into core nuclear processes like engineering change, work management, and procurement.
NEI’s broader messaging around Rev 7 is similar: licensees can streamline assessments, improve consistency, and modernize their cyber programs, but each site must still ensure changes do not decrease the effectiveness of their NRC-approved Cybersecurity Plan.
“This reflects a broader industry shift emphasized throughout the workshop,” says Rich Mogavero, NEI’s director of security and incident preparedness. “Success is no longer defined by meeting compliance requirements alone, but by how effectively those requirements are implemented, operationalized, and sustained across the fleet.”
For InfraShield, this is where the ROI questions come into sharp focus. If you are looking at multi-year, multi-million-dollar transformation, you have to ask the following questions:
- Will Rev 7 materially reduce recurring inspection findings, corrective action costs, and rework, or will it simply reshuffle where the work is done?
- Do you have the right tools such as automation, data quality, and cyber governance needed to capture the promised savings from inventory reduction and smarter assessments?
InfraShield’s guidance to customers and partners is straightforward: tame the compliance jitters and sharpen the business case. The question is not just, “Can we get to Rev 7 quickly,” but “Is the juice worth the squeeze for our site or fleet, and are we investing in capabilities like high-fidelity asset inventories, automated assessment workflows, and defensible traceability that will still make sense five inspections from now?”
AI in Nuclear Cyber: Powerful, but Not Plug-and-Play
AI’s growing role in nuclear operations and cybersecurity was on full display in the Nuclearn case study presented by Jerrold Vincent, CFO and Co-Founder, and Sonia Chakraborty, Customer Success Engineer and former nuclear cyber data scientist. Nuclearn focuses on automating high-consequence, process-heavy workflows in nuclear generation, bringing AI to areas where precision, traceability, and safety are non-negotiable.
Their featured example: an AI agent that helps determine if an event that has taken place at a site is required to be reported per the requirements in 10 CFR 50.72 and 50.73. The team mapped current processes against an AI agent’s work and found the payoff was faster, more consistent decisions under tight reporting timeframes, with clear links back to regulatory basis and prior Licensee Event Reports.
Their finding is emblematic of a wider trend: the value of emerging technologies like AI lies not in experimentation alone, but in their ability to solve real operational challenges with traceable, implementation-ready outcomes. Nuclear operators are exploring AI agents for inspection assistance, incident response screening, CDA classification support, CSAT assessment review, and cyber procedure gap analysis. These workflows naturally lend themselves to tools that can sift large document sets and apply standard reasoning patterns.
The IAEA has even launched a coordinated research project focused specifically on protecting AI applications in nuclear environments, recognizing both the operational upside and the new attack surface introduced when AI systems become part of safety or security-relevant decision chains.
To get to reliable, inspection-ready outputs, the Nuclearn team stressed that utilities need organized data, well-defined problems and “practice tests,” tight subject matter expert alignment, and governance and cyber controls from the outset.
For InfraShield, the message to nuclear cyber leaders is clear: AI should be deployed where it improves safety, compliance, or resilience, and only when identity, access, and auditability are hardcoded from day one. Otherwise, fleets risk adding complexity and attack vectors faster than they add value.
Wireless for Safety-Related and Important-to-Safety Equipment?
There is a growing regulatory consensus that measured wireless adoption, when paired with robust administrative and technical controls, is a viable path for modernization. A 2024 NRC analysis recognized that wireless can support nuclear operations but also acknowledged that wireless introduces new ways to potentially degrade defense-in-depth for critical systems and critical digital assets if not properly implemented. In a plant environment, it is difficult to restrict wireless signals to a specific area without also impeding communications that operators rely on. Concurrently, interference or spoofed data could directly affect how safety-related systems are monitored.
The NEI workshop’s wireless session, “Innovation in Practice at Wolf Creek – Wireless UT Monitoring,” grounded the debate about wireless adoption in a very concrete use case: remote void monitoring. Presenters Michael T. Rowland and Minami A. Tanaka from Sandia National Laboratories, together with Wolf Creek’s Justin Keim, described how the plant must monitor about 170 piping locations across auxiliary and containment buildings for gaseous voids, requiring scaffolds, ladders up to 24 feet, and roughly 200 climbs per year. Sessions like this emphasize one of the workshop’s core strengths: sharing best practices and lessons learned from real-world implementation, allowing utilities to evaluate innovation through the lens of operational risk, safety, and regulatory alignment.
Wolf Creek’s innovative solution involves using wireless ultrasonic gas monitoring devices to cut scaffolding, reduce personnel risk, and minimize containment entries. The plant’s initial deployment focused on 50 locations and, after evaluation, was classified as Non-CDA.
For InfraShield, wireless is another space where the ROI calculus must be disciplined. Operational gains like reduced scaffolding, fewer climbs, less radiation exposure, and more flexible monitoring are tangible and quantifiable. But each wireless deployment must pass a rigorous security impact analysis: understanding the change, assessing risk, characterizing the attack surface, evaluating existing controls, and planning mitigations that keep overall defense-in-depth intact.
The more wireless becomes intertwined in a nuclear environment, the more important it becomes to have unified models for asset classification, control allocation, and monitoring across both wired and wireless environments. In other words, wireless adoption in nuclear should be carefully analyzed, assessed, and tightly integrated with a robust cyber program design, not a parallel innovation track that grows faster than security can keep up.
Parting Thoughts
Beyond the technical discussions, the workshop also reinforced the importance of industry collaboration. Conversations with peers, regulators, and solution providers provided valuable perspective on how different organizations are approaching similar challenges, helping to accelerate learning and strengthen the collective cybersecurity posture of the nuclear industry. InfraShield left the workshop energized but cautious. The industry is pushing forward on three significant fronts: NEI 08-09 Rev 7 implementation, AI-driven automation, and wireless adoption. These next-generation technologies promise meaningful efficiency, safety, and compliance gains.
Our view is that the winners in this next phase will be the fleets that treat these initiatives as part of one coherent cyber and operational strategy. In practice, this means using NEI 08-09 Rev 7 to sharpen scope and controls, operationalizing AI where it augments expert judgment with traceable reasoning, and deploying wireless where it demonstrably reduces risk and cost without eroding defense-in-depth safeguards.
The central questions for every roadmap, and for every InfraShield engagement, remain the same: Is the juice worth the squeeze, does the ROI hold up under scrutiny, and does this change make the fleet safer and more resilient, not just more modern? The workshop ultimately reinforced its core objective: strengthening partnerships across industry and government while advancing practical cybersecurity implementation through shared insights and lessons learned.
