A Guide to NEI 08-09 Compliance for Nuclear Power Operators

April 26, 2021

What Is NEI 08-09?

The nuclear energy industry has a reputation for being one of the safest in the world. Because of the potentially devastating effects of a radioactive release resulting from any kind of sabotage on these facilities, they have been highly regulated and highly protected for decades. In March 2009, the U.S. Nuclear Regulatory Commission (NRC) revised certain cybersecurity requirements found in Title 10 of the Code of Federal Regulations (CFR). Specifically, Section 10 CFR 73.54 “Protection of Digital Computer and Communication Systems and Networks”, requires nuclear facilities to “provide high assurance that digital computer and communication systems and networks are adequately protected against cyberattacks.” The goal of Section 10 CFR 73.54 is to protect the health and safety of the public from radiological sabotage as a result of a cyberattack.

To support the implementation of this requirement, the Nuclear Energy Institute established the NEI 08-09 Cyber Security Plan for Nuclear Power Reactors. NEI 08-09 describes a defensive strategy that consists of a defensive architecture and a set of security controls based on the NIST SP 800-82, “Guide to Industrial Control System Security” and NIST SP 800-53 “Recommended Security Controls for Federal Information Systems” standards.

The most recent version, NEI 08-09 rev. 6, included input from various nuclear power industry leaders, including Luminant Power, Arizona Public Service Company, Progress Energy, Florida Power & Light, Exelon Corporation, American Electric Power, Duke Energy, South Carolina Electric & Gas Company, Ameren, FirstEnergy, Entergy and Southern Nuclear Operating Company.

The Plan establishes a means to achieve high assurance that digital computer and communication systems and networks associated with the following functions are adequately protected against cyberattacks:

  • Safety-related and important-to-safety functions
  • Security functions
  • Emergency preparedness functions including offsite communications
  • Support systems and equipment which if compromised, would adversely impact safety, security, or emergency preparedness functions

Complying with NEI 08-09

A key characteristic of this regulation is the application of a defense in depth strategy for nuclear systems. Nuclear operators need to continuously evaluate their current cybersecurity posture to identify potential gaps in their programs. To do this effectively, they need to have well-defined benchmarks.

Although regulations like NEI 08-09 are quite comprehensive, they’re often difficult to interpret and aren’t always organized chronologically. Choosing a simpler standard such as the NIST Cybersecurity Framework or 20 CIS Controls to conduct your internal security assessments may help make the process a bit smoother for all involved. Many utility companies already apply this same principle when it comes to NERC CIP compliance.

When gaps are identified in a program, nuclear operators then need to prioritize which controls they need to implement to fill them. Continuous operational technology (OT) asset inventory and management are a must for nuclear operators. Although OT systems have a reputation for changing slowly, they can actually change quite a bit from day to day, so manually tracking assets in an industrial environment as sophisticated as nuclear is a no-go. Other security controls like privileged access management, secure remote access, network segmentation and threat detection tools are important cybersecurity layers to include, as well.


Once you’ve plugged any potential gaps in your security program, you need to ensure that you can verify it for NEI 08-09 compliance audits. Having all those impressive security controls in place won’t do you much good if you can’t prove it when an auditor comes around, so choosing a solution that can automate policies and reporting for NEI 08-09 compliance is critical.

If you’re looking for more information, check out our NEI 08-09 compliance guide, which provides an overview of how Industrial Defender can help you automate and document some of the Technical Security Controls and Operational & Management Cyber Security Controls in this regulation.