Reactor predictive maintenance AI · RCS leak detection AI · Spent fuel pool monitoring AI · Nuclear physical security AI
Prompt injection in nuclear power plant AI
Commercial nuclear power plants represent the most tightly regulated industrial AI deployment environment in the world, yet the past decade’s integration of AI-assisted condition monitoring, leak rate calculation, spent fuel pool surveillance, and physical access control has created a class of adversarial pixel injection vulnerabilities that existing Nuclear Regulatory Commission cybersecurity frameworks were not designed to address. The United States fleet of 93 operating commercial nuclear reactors — operated by Exelon Generation (21 plants including Braidwood, Byron, and Peach Bottom), Duke Energy Carolinas (11 reactors including McGuire, Catawba, and Oconee), Southern Nuclear (Plant Vogtle Units 3 and 4, the only AP1000 PWR fleet in commercial operation, certified under 10 CFR Part 52 combined license), Constellation Energy, Dominion Energy Nuclear (North Anna, Surry, Millstone), Entergy Nuclear (Indian Point decommissioned, Grand Gulf, River Bend), NextEra Energy Nuclear (Turkey Point, Seabrook, Duane Arnold), and Tennessee Valley Authority (Browns Ferry, Sequoyah, Watts Bar) — collectively transmit terabytes of plant sensor data daily to AI-assisted analysis platforms that process this data as rendered trend images, spectrogram visualizations, and video streams. The UK fleet operated by EDF Energy (Sizewell B, Heysham, Hartlepool, Hinkley Point B) and EDF’s 56-reactor French fleet, together with Ontario Power Generation’s CANDU pressurized heavy water reactor fleet at Darlington and Pickering, extends the AI-monitored nuclear reactor population to more than 400 units globally. 
Bently Nevada 3500 Series machinery protection systems, deployed at virtually every nuclear plant turbine hall in the United States, transmit vibration sensor data from reactor coolant pump motors, main turbine-generators, and feedwater pump turbines to Emerson AMS Machinery Health Advisor, GE Digital APM (formerly Asset Performance Management), and Baker Hughes SmartSignal cloud-connected predictive maintenance AI platforms that process vibration spectrogram images for bearing fault and imbalance signature detection. Westinghouse Electric Company’s LEFM CheckPlus ultrasonic leak flow measurement system and Combustion Engineering (now Framatome) reactor coolant system leak detection instrumentation networks feed radiation monitor readings, sump pump activation records, and drywell humidity sensor data as rendered trend charts to AI-assisted leak rate calculation programs that classify primary coolant leak status against the 0.1 gallon-per-minute NRC action threshold defined in 10 CFR Part 50 and Technical Specification 3.4.13. Holtec International HI-TRAC and MAGNASTOR independent spent fuel storage installation monitoring systems, along with GE Hitachi NUMAC RPS/ATWS instrumentation for reactor protection system trend analysis, process pool water level, temperature, and boron concentration time-series as AI-readable trend images at plants across the United States. NRC Regulatory Guide 5.71 (Cybersecurity Programs for Nuclear Facilities), NEI 21-07 (Guidance for the Application of Artificial Intelligence and Machine Learning in the Nuclear Industry, issued 2021), and IAEA Nuclear Security Series document NSS-G-1.3 collectively establish the regulatory framework for nuclear AI cybersecurity — but none of these documents specifically addresses adversarial pixel perturbation attacks at the AI inference boundary for image-input nuclear monitoring systems. 
When vibration spectrograms, RCS leak rate trend charts, SFP parameter trend images, and vital area video frames are the pixel-level inputs to nuclear AI systems, adversarial injection is a credible attack pathway that demands pre-inference scanning.
TL;DR
Bently Nevada / Emerson AMS / GE Digital APM predictive maintenance AI, Westinghouse LEFM / CE RCS leak detection AI, Holtec HI-TRAC / MAGNASTOR SFP monitoring AI, and NRC 10 CFR Part 73.55 physical security biometric-video AI — all process rendered sensor data trend images, vibration spectrograms, or live video frames. Adversarially crafted images can suppress reactor coolant leak alerts below the 0.1 gpm action threshold, conceal turbine bearing fault signatures, mask spent fuel pool cooling degradation, and defeat vital area video access control — at thresholds of 50 for RCS leak detection AI, 50 for spent fuel pool monitoring AI, 45 for predictive maintenance AI, and 60 for physical security AI. Free tier — 10 scans/day, no card required.
Four adversarial injection surfaces in nuclear power plant AI
1. Reactor equipment condition monitoring AI injection (Bently Nevada 3500, Emerson AMS Machinery Health, GE Digital APM, Baker Hughes SmartSignal)
Every commercial nuclear power plant in the United States operates a fleet of rotating machinery — reactor coolant pumps (RCPs), main turbine-generators rated between 600 MWe and 1,400 MWe, boiler feed pump turbines, circulating water pumps, and emergency diesel generators — that is continuously monitored by online vibration protection and surveillance systems. Bently Nevada’s 3500 Series rack-based machinery protection system, the industry-standard platform installed at more than 80% of U.S. nuclear plants, collects proximity probe, accelerometer, and velocity transducer signals from bearing journals, casing measurement points, and shaft reference keyphasors at sample rates of up to 65,536 samples per second, providing both protection-level (hard-trip) and surveillance-level (condition monitoring) output channels. The surveillance-level vibration data — sampled continuously and buffered for trending — is transmitted to plant process computers and, increasingly, to cloud-connected predictive maintenance AI platforms operated by the plant’s maintenance organization. Emerson Automation Solutions AMS Machinery Health Advisor, the dominant predictive maintenance AI platform in the U.S. nuclear fleet following Emerson’s acquisition of CSi Technologies, processes vibration spectrum data by rendering raw Fast Fourier Transform (FFT) vibration spectrogram images and bearing defect frequency waterfall plots that are submitted to AI pattern recognition models trained to identify bearing outer race defects, inner race defects, rolling element defects, and cage defects by their characteristic spectral signatures (BPFO, BPFI, BSF, FTF frequencies). GE Digital APM and Baker Hughes SmartSignal similarly process rendered spectrogram images and trend visualization charts through AI models that assess equipment health and generate work order recommendations. 
NRC 10 CFR 50.65 (the Maintenance Rule) and NEI 21-07 Section 4.3 on AI-assisted predictive maintenance establish the regulatory framework within which these AI-generated maintenance recommendations influence outage planning and corrective maintenance scheduling at nuclear facilities.
The adversarial injection attack against nuclear predictive maintenance AI targets the rendered vibration spectrogram image at the boundary where FFT data is converted to a spectrogram display image before submission to the AI pattern recognition engine. Adversarial pixel perturbations applied to turbine-generator or RCP motor vibration spectrogram images can cause the AI to suppress bearing defect frequency amplitude indicators even when the underlying vibration data clearly shows defect signature growth — causing the AI to report “healthy” bearing condition for a bearing accumulating fatigue damage toward failure. For reactor coolant pump motors, where bearing failure can lead to increased RCP seal leakoff and ultimately to a loss-of-coolant accident (LOCA) precursor condition, suppression of bearing condition monitoring AI alerts has direct nuclear safety significance. The 10 CFR 50.65 Maintenance Rule requires plants to monitor the effectiveness of maintenance against pre-established goals and take corrective action when goals are not met — a requirement that AI-suppressed bearing fault alerts would cause the plant to fail silently, believing maintenance program effectiveness is satisfactory when the monitored component is actually degrading. NEI 21-07 Section 5.1 notes that AI-generated maintenance recommendations must be subject to human oversight commensurate with the safety significance of the affected component, but the specific adversarial robustness of image-input spectrogram AI is not addressed. Adversarial manipulation of predictive maintenance AI at nuclear facilities operated by Exelon, Duke Energy, or Southern Nuclear could allow equipment degradation to proceed undetected through multiple surveillance intervals, increasing the probability of forced outages, equipment failures, or safety system unavailability.
2. Reactor coolant system (RCS) leak detection AI injection (Westinghouse LEFM, Combustion Engineering, GE Hitachi NUMAC RPS/ATWS)
Nuclear reactor coolant system leak rate monitoring is among the most safety-critical instrumentation functions in a pressurized water reactor (PWR) or boiling water reactor (BWR) plant. The reactor coolant system pressure boundary — encompassing the reactor vessel, pressurizer, steam generators, and interconnecting primary piping — must be maintained at a high level of structural integrity to prevent loss-of-coolant accidents, and continuous leak rate monitoring provides the earliest indication of developing pressure boundary degradation. NRC Technical Specification 3.4.13 requires PWR plants to identify and quantify RCS leakage, with action levels triggered when identified leakage exceeds 10 gallons per day (approximately 0.007 gpm) or unidentified leakage exceeds 0.1 gpm. 10 CFR Part 50 Appendix J primary containment integrity testing requirements and Regulatory Guide 1.45 (Guidance on Monitoring and Responding to Reactor Coolant System Leakage) provide the broader regulatory framework. Westinghouse Electric Company’s LEFM CheckPlus ultrasonic leak flow measurement system uses clamp-on ultrasonic transducers on primary coolant piping to measure flow directly, providing leak rate data with sensitivity below the TS 3.4.13 threshold. Combustion Engineering (now Framatome) designed RCS leak detection systems for CE-designed PWRs (Calvert Cliffs, Palo Verde, Fort Calhoun before shutdown) that integrate containment sump level indication, radiation monitor readings (R-11, R-12 area radiation monitors and particulate monitors), and makeup water usage rates into a calculated leak rate. GE Hitachi’s NUMAC-based Reactor Protection System and ATWS (Anticipated Transient Without Scram) instrumentation, deployed across the BWR fleet, integrates drywell pressure, drywell temperature, drywell humidity, and suppression pool level signals that inform AI-assisted primary boundary leak status assessment.
The adversarial injection attack against RCS leak detection AI exploits the pipeline segment where radiation monitor readings, containment sump level trends, and RCS inventory makeup rate measurements are rendered as time-series trend charts and submitted to AI analysis models for leak rate classification and trending. Modern plant process computer systems at plants such as Dominion Energy’s North Anna and Surry stations, Duke Energy’s McGuire and Catawba stations, and NextEra’s Turkey Point station render RCS leakage indicator trend data as visualization charts that are ingested by AI-assisted leak rate calculation programs and operational decision support systems for shift supervisor review. Adversarial pixel perturbations applied to these trend chart images can cause the AI to classify a leak rate trend showing gradual growth toward the 0.1 gpm TS 3.4.13 action threshold as a stable, below-threshold condition — delaying or preventing operator recognition of developing primary coolant leakage. At NRC-regulated plants, the shift supervisor’s TS Limiting Condition for Operation (LCO) entry decision for TS 3.4.13 is the primary mechanism for ensuring continued safe operation with identified leakage; adversarial suppression of the RCS leak AI’s trend alert delays LCO entry, potentially allowing leakage to exceed the action threshold without prompting the required corrective actions (identifying leak source, reducing leakage to within limits, or entering the applicable action statement for plant shutdown if the LCO is not met within the allowed outage time). For plants operating under NRC Initial License Conditions or operating under Increased Inspection findings for leakage-related issues — as have occurred at several BWR plants in the Southeast with drywell leakage history — adversarial suppression of AI-assisted leakage trend monitoring has direct implications for the plant’s NRC performance indicator standing.
3. Spent fuel pool (SFP) monitoring AI injection (Holtec International HI-TRAC, MAGNASTOR, NRC Generic Letter 2012-06)
Spent nuclear fuel removed from the reactor core is stored in on-site spent fuel pools — large, deep pools of borated water that provide cooling and radiation shielding for the highly radioactive spent fuel assemblies. The spent fuel pool at a typical large PWR plant holds 600 to 1,500 spent fuel assemblies, each continuing to generate significant decay heat for years after discharge from the reactor. SFP cooling system integrity is essential to preventing fuel clad damage, zircaloy fire scenarios, and fission product release — the scenario that drove NRC regulatory attention following the Fukushima Daiichi accident in March 2011, where spent fuel pool cooling was lost at Unit 4 due to station blackout and SFP water evaporation. NRC Generic Letter 2012-06 (Proposed Resolution of Challenges to Defense in Depth for Loss of Large Areas of the Plant Due to Explosions or Fire) and NRC Bulletin 2012-01 (Design Vulnerability in Electric Power System) directly addressed spent fuel pool cooling robustness following Fukushima. 10 CFR Part 72 (Licensing Requirements for the Independent Storage of Spent Nuclear Fuel, High-Level Radioactive Waste, and Reactor-Related Greater Than Class C Waste) governs Independent Spent Fuel Storage Installations (ISFSIs) at nuclear sites where dry cask storage has been established — with Holtec International HI-TRAC, HI-STORM, and MAGNASTOR dry cask systems deployed at more than 70 U.S. nuclear sites. Holtec’s HI-TRAC and MAGNASTOR systems include instrumented monitoring packages for dry cask storage canister temperature and shielding performance; the most advanced deployments transmit canister temperature telemetry data to site monitoring servers and to Holtec’s remote monitoring infrastructure, with trend visualization of canister temperature against design thermal limits.
The adversarial injection attack against SFP monitoring AI targets the rendered trend chart images showing pool water level, pool water temperature, boron concentration trending, and SFP cooling pump differential pressure — the four primary SFP health indicators whose AI-assisted trending provides early warning of SFP cooling degradation before it reaches the threshold for operator action under plant Emergency Operating Procedures. AI-assisted SFP monitoring platforms deployed at Exelon’s multi-unit sites (Braidwood, Byron, Quad Cities, Limerick, each with substantial SFP inventories from decades of operation) and at TVA’s Browns Ferry and Watts Bar stations render SFP parameter trend data as visualization images for AI trend analysis and automated notification generation. Adversarial perturbations applied to SFP temperature trend chart images can cause the AI to classify a gradually rising pool temperature trend — indicating degraded SFP cooling capacity — as a stable, within-normal-limits condition, suppressing the early warning notification that would prompt operator investigation of SFP cooling system performance before the temperature reaches the threshold at which Emergency Operating Procedures direct declaration of an Unusual Event under 10 CFR Part 50.72 event notification. For on-site ISFSI dry cask storage systems, adversarial suppression of canister temperature trend alert AI delays recognition of canister thermal performance degradation, potentially allowing a cask with blockage of annular air cooling flow to continue operating without the prompt corrective maintenance that 10 CFR Part 72 Technical Specifications require. 
The NRC’s Generic Letter 2012-06 actions required plants to establish SFP instrumentation capable of providing operators with accurate indications of SFP level, temperature, and radiation in the event of a beyond-design-basis external event — requirements that adversarial injection attacks on AI-assisted SFP monitoring systems directly undermine by corrupting the AI’s interpretation of that instrumentation data.
4. Nuclear security / protected area access control AI (NRC 10 CFR Part 73.55, NEI 08-09 Cybersecurity Baseline Controls, vital area video AI)
Nuclear power plant physical protection programs required under 10 CFR Part 73.55 represent the most stringent mandated physical security regime for any civilian industrial facility in the United States. NRC regulations require licensees to establish and maintain a Physical Protection Program that includes detection of, and protection against, design basis threats — including adversaries with the intent and capability to cause radiological sabotage of the plant. The protected area (PA) and vital area (VA) access control infrastructure at U.S. nuclear plants combines multiple independent layers: two-person rule requirements for vital area entry, personnel identification systems, search detection devices (magnetometers, X-ray equipment), and continuous video surveillance of vital area access points. Modern nuclear plant physical protection programs integrate AI-assisted biometric systems and video analytics at vital area access points — the reactor control room entry vestibule, the reactor building airlock entry point, the auxiliary building access corridors leading to safety system equipment rooms — where AI processes biometric data (fingerprint, iris, or facial recognition) and video feeds to verify personnel identity and detect unauthorized access attempts. NEI 08-09 (Cyber Security Plan for Nuclear Power Reactors) Appendix D identifies digital I&C systems, security-related digital systems, and digital monitoring systems associated with NRC-required security functions as within-scope for cybersecurity controls; AI-assisted access control and video surveillance systems at vital area entry points fall squarely within the NEI 08-09 scope. NRC Regulatory Guide 5.71 (Cybersecurity Programs for Nuclear Facilities) provides the NRC-endorsed framework for implementing 10 CFR 73.54 cybersecurity requirements, including protections for digital assets that are associated with safety, security, and emergency preparedness functions.
The adversarial injection attack against nuclear physical security AI exploits the image input boundary where biometric enrollment templates, live video frames from vital area entry point cameras, and badge photo comparison images are submitted to AI authentication and anomaly detection models. Adversarial pixel perturbations applied to facial recognition enrollment images or live camera frames at vital area entry vestibules can cause the AI to authenticate an unauthorized individual as an authorized employee — bypassing the identity verification layer of the multi-layer vital area access control system. This is not a theoretical concern: academic adversarial attacks on facial recognition systems (see Sharif et al., “Accessorize to a Crime,” CCS 2016; Eykholt et al., “Robust Physical Perturbations,” CVPR 2018) have demonstrated reliable physical-world adversarial image attacks against commercial facial recognition systems at attack success rates above 70% for targeted impersonation. For nuclear vital area access AI, the consequence of a successful adversarial authentication bypass is access to the reactor control room, reactor building, or safety system equipment rooms — the highest-consequence physical access compromise scenario for nuclear safety and security. Conversely, adversarial perturbations applied to motion detection and behavioral anomaly AI video feeds covering protected area perimeter sectors could suppress intrusion detection AI alerts for an active adversary moving through the protected area, defeating the detection layer that triggers armed response team deployment. 
NEI 08-09’s Appendix D cybersecurity controls and NRC Regulatory Guide 5.71’s defense-in-depth requirements for digital security systems do not specifically address adversarial pixel perturbation as an attack vector against AI-based biometric and video security systems — leaving inference-time adversarial scanning as the primary technical control available to plant cybersecurity programs to address this attack surface.
Integration: nuclear power plant AI sensor visualization ingestion with Glyphward pre-scan
The Glyphward scan gate belongs at the sensor data visualization ingestion point in each nuclear plant AI pipeline — before the vibration spectrogram reaches Emerson AMS or GE Digital APM; before the RCS leak rate trend chart reaches the AI-assisted leak rate calculation program; before the SFP parameter trend chart reaches the AI monitoring alert engine; and before the vital area video frame reaches the biometric access control AI. The async pattern below handles all four nuclear AI contexts through a shared scan_nuclear_ai_image function, with safety-calibrated thresholds and structured JSONL audit output suitable for 10 CFR Part 73 cybersecurity incident reporting under NRC Regulatory Guide 5.71.
```python
import asyncio, base64, hashlib, json
from datetime import datetime, timezone
from enum import Enum
from pathlib import Path

import httpx

GLYPHWARD_API_KEY = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# Per-context thresholds reflecting nuclear AI safety significance
PREDICTIVE_MAINT_THRESHOLD = 45    # Bently Nevada / Emerson AMS / GE Digital APM / SmartSignal
RCS_LEAK_DETECTION_THRESHOLD = 45  # Westinghouse LEFM / CE / GE Hitachi NUMAC RCS leak AI
SFP_MONITORING_THRESHOLD = 45      # Holtec HI-TRAC / MAGNASTOR / SFP cooling AI
PHYSICAL_SECURITY_THRESHOLD = 60   # 10 CFR 73.55 vital area biometric/video access AI


class NuclearAIContext(Enum):
    PREDICTIVE_MAINT = "predictive_maint"      # threshold 45
    RCS_LEAK_DETECTION = "rcs_leak_detection"  # threshold 45
    SFP_MONITORING = "sfp_monitoring"          # threshold 45
    PHYSICAL_SECURITY = "physical_security"    # threshold 60


_CONTEXT_THRESHOLDS: dict[NuclearAIContext, int] = {
    NuclearAIContext.PREDICTIVE_MAINT: PREDICTIVE_MAINT_THRESHOLD,
    NuclearAIContext.RCS_LEAK_DETECTION: RCS_LEAK_DETECTION_THRESHOLD,
    NuclearAIContext.SFP_MONITORING: SFP_MONITORING_THRESHOLD,
    NuclearAIContext.PHYSICAL_SECURITY: PHYSICAL_SECURITY_THRESHOLD,
}


class AdversarialNuclearAIImageError(Exception):
    """Raised when Glyphward detects adversarial pixel content in a
    nuclear plant AI sensor visualization image above the context threshold.

    Attributes:
        scan_id: Glyphward scan identifier for NRC cybersecurity audit records.
        score: Adversarial signal score (0-100).
        context: The NuclearAIContext in which detection occurred.
        plant_unit_id: Anonymized plant/unit identifier for audit correlation.
        flagged_region: Optional dict describing the flagged pixel region.
    """

    def __init__(
        self,
        scan_id: str,
        score: int,
        context: NuclearAIContext,
        plant_unit_id: str,
        flagged_region: dict | None = None,
    ) -> None:
        self.scan_id = scan_id
        self.score = score
        self.context = context
        self.plant_unit_id = plant_unit_id
        self.flagged_region = flagged_region
        super().__init__(
            f"Adversarial nuclear plant AI image detected: "
            f"context={context.value} score={score} "
            f"plant_unit={plant_unit_id} scan_id={scan_id}"
        )


async def scan_nuclear_ai_image(
    image_path: Path,
    context: NuclearAIContext,
    plant_unit_id: str,
    system_tag: str,
    recording_ts: str,
    client: httpx.AsyncClient,
) -> dict:
    """Scan a nuclear plant AI sensor visualization for adversarial pixel content.

    Args:
        image_path: Absolute path to the sensor visualization or video frame image.
        context: NuclearAIContext enum value identifying the nuclear AI pipeline.
        plant_unit_id: Anonymized plant/unit identifier (e.g., SHA-256 of plant DUNS).
        system_tag: Plant instrument tag identifier for the source sensor system.
        recording_ts: ISO 8601 timestamp of sensor recording or video frame capture.
        client: Shared httpx.AsyncClient for connection reuse across batch scans.

    Returns:
        Glyphward scan result dict: scan_id, score, flagged_region, modality.

    Raises:
        AdversarialNuclearAIImageError: if score exceeds context threshold.
            Caller MUST NOT pass the image to the nuclear AI system.
        httpx.HTTPStatusError: on Glyphward API errors (fail-closed by design —
            do not pass unscanned images to nuclear AI on API unavailability).
    """
    threshold = _CONTEXT_THRESHOLDS[context]
    image_bytes = image_path.read_bytes()
    image_hash = hashlib.sha256(image_bytes).hexdigest()

    payload = {
        "image": base64.b64encode(image_bytes).decode(),
        "source": f"nuclear:{context.value}:{recording_ts}",
        "metadata": {
            "plant_unit_id": plant_unit_id,
            "system_tag": system_tag,
            "recording_ts": recording_ts,
            "image_sha256": image_hash,
        },
    }

    resp = await client.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json=payload,
        timeout=5.0,
    )
    resp.raise_for_status()
    result = resp.json()

    await write_nuclear_scan_audit(
        image_hash=image_hash,
        scan_id=result["scan_id"],
        score=result["score"],
        context=context,
        threshold=threshold,
        plant_unit_id=plant_unit_id,
        system_tag=system_tag,
        recording_ts=recording_ts,
        flagged=result["score"] > threshold,
    )

    if result["score"] > threshold:
        raise AdversarialNuclearAIImageError(
            scan_id=result["scan_id"],
            score=result["score"],
            context=context,
            plant_unit_id=plant_unit_id,
            flagged_region=result.get("flagged_region"),
        )
    return result


async def write_nuclear_scan_audit(
    *,
    image_hash: str,
    scan_id: str,
    score: int,
    context: NuclearAIContext,
    threshold: int,
    plant_unit_id: str,
    system_tag: str,
    recording_ts: str,
    flagged: bool,
) -> None:
    """Append structured JSON audit record to nuclear AI scan log.

    Satisfies NRC 10 CFR Part 73.54 cybersecurity event recordkeeping,
    NRC Regulatory Guide 5.71 cybersecurity controls audit documentation,
    and NEI 08-09 Appendix D digital asset cybersecurity audit trail
    requirements. No raw sensor data is stored — only hash and metadata.
    """
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "scan_id": scan_id,
        "image_sha256": image_hash,
        "context": context.value,
        "score": score,
        "threshold": threshold,
        "flagged": flagged,
        "plant_unit_id": plant_unit_id,
        "system_tag": system_tag,
        "recording_ts": recording_ts,
    }
    audit_path = Path("/var/log/glyphward/nuclear_ai_scan_audit.jsonl")
    audit_path.parent.mkdir(parents=True, exist_ok=True)
    with audit_path.open("a") as fh:
        fh.write(json.dumps(record) + "\n")


async def process_nuclear_image_batch(
    images: list[tuple[Path, NuclearAIContext, str, str, str]],
) -> list[dict]:
    """Process a batch of (path, context, plant_unit_id, system_tag, ts) tuples.

    Fail-closed: quarantines flagged images; httpx errors propagate upward
    to prevent unscanned images from reaching nuclear AI systems.
    """
    async with httpx.AsyncClient() as client:
        tasks = [
            scan_nuclear_ai_image(
                image_path=path,
                context=ctx,
                plant_unit_id=puid,
                system_tag=tag,
                recording_ts=ts,
                client=client,
            )
            for path, ctx, puid, tag, ts in images
        ]
        results = []
        for coro in asyncio.as_completed(tasks):
            try:
                results.append(await coro)
            except AdversarialNuclearAIImageError as exc:
                results.append({
                    "status": "quarantined",
                    "context": exc.context.value,
                    "scan_id": exc.scan_id,
                    "score": exc.score,
                    "plant_unit_id": exc.plant_unit_id,
                    "flagged_region": exc.flagged_region,
                })
        return results
```
Deploy scan_nuclear_ai_image at each sensor visualization ingestion boundary: before a vibration spectrogram reaches Emerson AMS Machinery Health Advisor or Baker Hughes SmartSignal predictive maintenance AI; before an RCS leak rate trend chart reaches the plant process computer’s AI-assisted leak rate calculation module; before an SFP parameter trend image reaches the SFP monitoring AI alert engine; and before a vital area camera frame reaches the biometric or video access control AI at any NRC 10 CFR 73.55 vital area entry point. The audit JSONL file written by write_nuclear_scan_audit provides the cybersecurity event record required by NRC Regulatory Guide 5.71 Section C.5 for digital asset cybersecurity controls documentation, and supports 10 CFR Part 73.54(e) reporting obligations for cybersecurity events at nuclear facilities.
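A scan gate only helps if nothing reaches the AI around it. The following is an added example, not part of the original page or of Glyphward's code: it reconciles the records written by write_nuclear_scan_audit against a list of images the downstream AI actually ingested. The ingestion list format, the finding names, and all sample records are assumptions constructed for illustration; the thresholds are copied from the listing above.

```python
import hashlib
import json

# Per-context thresholds as set in the page's listing; treated here as the
# approved policy that every audit record must have been scored against.
POLICY_THRESHOLDS = {
    "predictive_maint": 45,
    "rcs_leak_detection": 45,
    "sfp_monitoring": 45,
    "physical_security": 60,
}


def constructed_hash(label):
    """Stand-in for an image SHA-256: hash of a label, not of a real plant image."""
    return hashlib.sha256(label.encode()).hexdigest()


def index_audit(lines):
    """Parse JSONL audit lines into {(image_sha256, context): record}.

    Returns the index and the 1-based numbers of lines that could not be used
    (truncated JSON, missing fields, non-numeric score or threshold).
    """
    index, bad = {}, []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            key = (rec["image_sha256"], rec["context"])
            int(rec["score"]), int(rec["threshold"]), bool(rec["flagged"])
            index[key] = rec
        except (json.JSONDecodeError, KeyError, TypeError, ValueError):
            bad.append(n)
    return index, bad


def reconcile(audit_lines, ingested):
    """Return (identifier, reason) findings for images the AI should not have seen."""
    index, bad = index_audit(audit_lines)
    findings = [("audit_line_%d" % n, "malformed_audit_line") for n in bad]
    for item in ingested:
        sha, ctx = item["image_sha256"], item["context"]
        rec = index.get((sha, ctx))
        if rec is None:
            # Image reached the AI with no scan on record: the gate was bypassed.
            findings.append((sha, "no_scan_record"))
            continue
        if rec["threshold"] != POLICY_THRESHOLDS.get(ctx):
            # Scored against a threshold other than the approved one.
            findings.append((sha, "threshold_mismatch"))
        if rec["flagged"] != (rec["score"] > rec["threshold"]):
            # The stored flag contradicts the stored score and threshold.
            findings.append((sha, "flag_inconsistent"))
        if rec["flagged"]:
            # A quarantined image was ingested anyway.
            findings.append((sha, "flagged_image_ingested"))
    return findings


def record(label, context, score, threshold, flagged):
    """Build one constructed audit line with the fields the page's logger writes."""
    return json.dumps({
        "scan_id": "constructed-" + label,
        "image_sha256": constructed_hash(label),
        "context": context,
        "score": score,
        "threshold": threshold,
        "flagged": flagged,
    })


# Constructed audit log: one clean record, one flagged, one with a drifted
# threshold, one whose flag contradicts its score, and one truncated line.
AUDIT_LINES = [
    record("frame-A", "rcs_leak_detection", 12, 45, False),
    record("frame-B", "sfp_monitoring", 71, 45, True),
    record("frame-C", "physical_security", 58, 80, False),
    record("frame-E", "rcs_leak_detection", 50, 45, False),
    '{"scan_id": "constructed-truncated", "image_sha',
]

# Constructed ingestion list (hypothetical format): what the downstream AI consumed.
INGESTED = [
    {"image_sha256": constructed_hash(label), "context": ctx}
    for label, ctx in [
        ("frame-A", "rcs_leak_detection"),
        ("frame-B", "sfp_monitoring"),
        ("frame-C", "physical_security"),
        ("frame-D", "predictive_maint"),
        ("frame-E", "rcs_leak_detection"),
    ]
]

if __name__ == "__main__":
    for ident, reason in reconcile(AUDIT_LINES, INGESTED):
        print(ident[:16], reason)
```
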
FAQ: prompt injection in nuclear power plant AI
- What regulatory framework governs AI cybersecurity at U.S. commercial nuclear power plants?
The primary regulatory framework is 10 CFR 73.54 (Protection of Digital Computer and Communication Systems and Networks), which requires nuclear power plant licensees to establish, implement, and maintain a Cybersecurity Program that provides high assurance that digital computer and communication systems and networks associated with safety, security, and emergency preparedness functions are adequately protected against cyber attacks. NRC Regulatory Guide 5.71 (Cybersecurity Programs for Nuclear Facilities, January 2010) is the NRC-endorsed framework document for implementing 10 CFR 73.54, providing detailed guidance on cybersecurity controls for digital assets within scope of the cybersecurity rule. NEI 08-09 (Cyber Security Plan for Nuclear Power Reactors) provides the industry’s implementation methodology for 10 CFR 73.54 compliance, with Appendix D identifying cyber security controls applicable to digital assets in each of the four security levels defined in the NEI 08-09 framework.
NEI 21-07 (Guidance for the Application of Artificial Intelligence and Machine Learning in the Nuclear Industry, issued 2021 by the Nuclear Energy Institute) addresses AI/ML-specific considerations including data quality, model validation, and operational monitoring for AI systems used in nuclear applications. Section 6 of NEI 21-07 addresses cybersecurity for AI/ML systems, noting that AI systems used in nuclear applications must be subject to the cybersecurity controls applicable to digital assets of the same security level — meaning AI systems used in safety-related or security-related functions at nuclear plants are subject to the full NEI 08-09 / 10 CFR 73.54 cybersecurity control framework. Neither NEI 21-07 nor Regulatory Guide 5.71 contains specific technical controls for adversarial pixel perturbation attacks against image-input AI systems — leaving inference-time adversarial scanning as an implementation choice for the plant’s Cybersecurity Program. IAEA Nuclear Security Series No. NSS-G-1.3 (Protecting Against Cyber Attacks, 2021) provides the international guidance framework for nuclear facility cybersecurity, including AI system security considerations aligned with the IAEA Nuclear Security Fundamentals.
- How does the NRC Technical Specification 3.4.13 RCS leakage action threshold relate to AI-assisted leak rate calculation?
Technical Specification 3.4.13 (Reactor Coolant System Operational Leakage) is a standard PWR Technical Specification based on the NRC’s Standard Technical Specifications (NUREG-1431 for Westinghouse PWRs, NUREG-1432 for CE-designed PWRs) that defines operability requirements for the RCS pressure boundary in terms of allowed leakage rates. The specification distinguishes between identified leakage (leakage from known sources such as valve packing leaks or RCP pump seal leakoff that can be individually characterized) and unidentified leakage (leakage that cannot be attributed to a known source), with the unidentified leakage limit typically set at 0.1 gpm in most plant Technical Specifications, reflecting the NRC’s judgment that 0.1 gpm of unidentified leakage represents the threshold at which active crack propagation in primary piping must be suspected and investigated.
AI-assisted leak rate calculation programs at modern nuclear plants — implemented in the plant process computer system (PPCS) or as standalone software tools — continuously process the multiple indication sources that contribute to RCS leakage quantification: primary coolant makeup water flow (gallons added per unit time to maintain pressurizer level), containment sump pump activation frequency and duration, containment atmosphere radiation monitor trends, containment humidity sensor trends, and primary drain tank level changes. When these multiple data sources are processed as individual trend chart images submitted to an AI-assisted leak rate aggregation model, each image constitutes an independent adversarial injection surface. Because the 0.1 gpm TS 3.4.13 action threshold is the limit below which no operator action is required, an adversarial attack that suppresses the AI’s reporting of any single contributing leak indicator by a fraction of the threshold value across multiple inputs could collectively suppress the AI’s aggregate leak rate estimate from above-threshold to below-threshold without any single input suppression being individually detectable against normal data variability.
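The scenario above is why a per-channel tolerance check alone is not sufficient: each deviation stays inside normal variability while the pooled deviation does not. The following Python example is added here and is not code from any plant system or vendor. It assumes (hypothetically) that every indicator yields a gpm contribution both from the numeric historian value and from the AI's reading of the trend image, and that the contributions sum to the aggregate estimate; the channel names, sigma values and readings are constructed.

```python
import math

TS_LIMIT_GPM = 0.1  # unidentified-leakage action threshold cited on this page

# Constructed per-channel noise (1-sigma, gpm); real values come from plant data.
SIGMA = {"makeup_flow": 0.010, "sump_pump": 0.008, "rad_monitor": 0.012,
         "humidity": 0.010, "drain_tank": 0.006}
# Constructed raw (historian) contributions; they sum to 0.110 gpm.
RAW = {"makeup_flow": 0.030, "sump_pump": 0.025, "rad_monitor": 0.020,
       "humidity": 0.020, "drain_tank": 0.015}


def make_window(bias_sigmas, samples=12):
    """Constructed data: (raw, ai) per channel per sample; ai = raw + jitter + bias."""
    window = []
    for t in range(samples):
        jitter = 0.4 if t % 2 == 0 else -0.4  # deterministic stand-in for noise
        window.append({ch: (RAW[ch], RAW[ch] + (jitter + bias_sigmas) * SIGMA[ch])
                       for ch in RAW})
    return window


def per_channel_alarms(window, k=2.0):
    """Channels where any single AI reading departs from raw by more than k sigma."""
    return sorted({ch for s in window for ch, (raw, ai) in s.items()
                   if abs(ai - raw) > k * SIGMA[ch]})


def pooled_bias_z(window):
    """Sum of sigma-normalised residuals over all channels and samples, scaled so
    that independent zero-mean noise gives roughly N(0, 1)."""
    resid = [(ai - raw) / SIGMA[ch] for s in window for ch, (raw, ai) in s.items()]
    return sum(resid) / math.sqrt(len(resid))


def assess(window, z_alarm=-3.0):
    """Combine the per-channel check, the pooled one-sided bias test and a
    comparison of both aggregates against the action threshold."""
    n = len(window)
    raw_total = sum(raw for s in window for raw, _ in s.values()) / n
    ai_total = sum(ai for s in window for _, ai in s.values()) / n
    z = pooled_bias_z(window)
    return {"per_channel_alarms": per_channel_alarms(window), "pooled_z": z,
            "coordinated_low_bias": z < z_alarm,
            "threshold_masked": raw_total >= TS_LIMIT_GPM > ai_total,
            "raw_total_gpm": raw_total, "ai_total_gpm": ai_total}


if __name__ == "__main__":
    for name, bias in (("clean", 0.0), ("suppressed", -0.6)):
        print(name, assess(make_window(bias)))
```

In the constructed suppressed window every reading is within one sigma of its raw value, so the per-channel check stays silent, while the pooled statistic and the threshold comparison both flag the window.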
- What is the spent fuel pool cooling failure risk scenario that makes SFP monitoring AI integrity a nuclear safety priority?
The Fukushima Daiichi Unit 4 spent fuel pool scenario in March 2011 — in which hydrogen explosions and station blackout conditions created uncertainty about whether the Unit 4 SFP had lost sufficient water level to expose fuel assemblies to air and potentially ignite a zircaloy cladding fire — fundamentally changed the NRC’s regulatory treatment of spent fuel pool cooling as a nuclear safety function. Prior to Fukushima, SFP cooling loss was treated as a beyond-design-basis event with lower regulatory priority than reactor core cooling; after Fukushima, NRC issued Bulletin 2012-01, Order EA-12-051 (requiring hardened containment venting systems), and the Tier 1 and Tier 2 recommendations of the Near-Term Task Force review that led to the Mitigation Strategies rule (10 CFR 50.155), all of which address SFP cooling reliability and monitoring instrumentation. A spent fuel pool cooling loss scenario with sufficient magnitude to cause fuel cladding failure is a design-basis or beyond-design-basis accident with potential for significant fission product release from damaged zircaloy cladding — a Category 3 initiating event in the NRC’s Individual Plant Examination framework with potential dose consequences exceeding 10 CFR 100 site boundary dose limits in worst-case scenarios.
For currently operating plants with substantial spent fuel inventories accumulated over decades of operation — Braidwood Station (operated by Constellation Energy) has accumulated more than 2,300 spent fuel assemblies in each unit’s SFP from 35+ years of operation, a thermal load requiring continuous active cooling rather than passive decay heat removal — SFP cooling system performance monitoring is a daily operational necessity. AI-assisted SFP monitoring platforms that process pool temperature, level, and boron concentration trend charts as image inputs to AI alert generation engines are a real operational technology deployed at multi-unit sites with high-burnup spent fuel inventories. The consequence of adversarial suppression of SFP monitoring AI alerts at such a site is delayed recognition of degraded SFP cooling performance, potentially allowing pool temperature to rise from normal operating range (approximately 80–120°F) toward the boiling point (212°F at atmospheric pressure) before operators receive automated AI notification — compressing the time window for corrective action and escalating the probability of requiring Emergency Operating Procedure entry for SFP events.
- How does NEI 08-09 cybersecurity baseline control architecture apply to AI-based nuclear access control systems?
NEI 08-09 defines four security levels (Level 4 through Level 1, with Level 4 being the most safety-significant) and specifies cybersecurity controls applicable to digital assets at each level. Physical protection systems — including electronic access control, personnel identity verification, and video surveillance systems associated with NRC-required security functions under 10 CFR 73.55 — are assigned to Security Level 1 or Level 2 in the NEI 08-09 framework, requiring the most stringent set of cybersecurity controls including defense-in-depth architecture, strong access controls, detection and response capabilities, and supply chain security requirements. AI-assisted biometric identity verification systems and video analytics platforms deployed at vital area entry points are digital assets associated with NRC-required physical protection functions; as such, they are within the 10 CFR 73.54 cybersecurity rule scope and subject to the NEI 08-09 Appendix D controls for their assigned security level.
The specific cybersecurity controls most directly relevant to adversarial pixel injection attacks against nuclear access control AI include: (1) integrity verification controls requiring that digital inputs to security-critical systems be authenticated or integrity-checked before use; (2) change detection controls requiring detection of unauthorized modifications to inputs processed by security digital assets; and (3) monitoring and anomaly detection controls requiring continuous surveillance of security system behavior for indicators of unauthorized access or manipulation. While these NEI 08-09 controls are conceptually applicable to adversarial pixel injection attacks, their implementation guidance predates the deployment of AI-based image analysis in nuclear security systems and does not specify adversarial robustness testing or inference-time adversarial scanning as technical implementations. Nuclear plant cybersecurity programs that have implemented AI-assisted facial recognition or video analytics at vital area entry points should evaluate whether their current NEI 08-09 cybersecurity control implementations address the adversarial image injection attack surface, and whether inference-time scanning tools satisfy the integrity verification and anomaly detection control requirements in the most technically defensible way.
- What international nuclear AI cybersecurity standards apply to EDF, Ontario Power Generation, and IAEA member-state reactor operators?
The International Atomic Energy Agency’s Nuclear Security Series provides the international normative framework for nuclear facility cybersecurity. IAEA NSS No. NST047 (Computer Security Techniques for Nuclear Facilities, 2021) is the primary technical guidance document for nuclear facility cybersecurity controls, providing zone-based security architecture guidance that maps conceptually to the NEI 08-09 security level framework. IAEA Nuclear Security Series No. 17 (Computer Security at Nuclear Facilities, 2011) established the foundational IAEA guidance on nuclear facility computer security that informed national regulatory implementations in France, the United Kingdom, Canada, South Korea, and other IAEA member states with substantial nuclear fleets. For EDF’s 56-reactor French fleet and EDF Energy’s UK fleet (Sizewell B is the only operating UK PWR; the remaining UK advanced gas-cooled reactor fleet is in decommissioning), the relevant national regulatory frameworks are ASN (Autorité de Sûreté Nucléaire) Order of 7 February 2012 on nuclear installation safety, which incorporates digital system cybersecurity requirements aligned with IAEA guidance, and ONR (Office for Nuclear Regulation) Security Assessment Principles (SyAPs) governing UK nuclear facility cybersecurity.
Ontario Power Generation’s CANDU pressurized heavy water reactor fleet at Darlington and Pickering Nuclear Generating Station operates under Canadian Nuclear Safety Commission (CNSC) regulatory oversight. CNSC Regulatory Document REGDOC-2.12.3 (Security of Nuclear Substances: Sealed Sources) and CNSC REGDOC-3.1.2 (Reporting Requirements for Nuclear Power Plants) together with CNSC’s implementation of CSA Group standard N290.7 (Cyber Security for Nuclear Power Plants) establish the Canadian regulatory framework for nuclear cybersecurity applicable to OPG’s AI-assisted plant monitoring systems. CSA N290.7 draws on IEC 62645 (Nuclear Power Plants — Instrumentation and Control Systems — Requirements for Security Programmes for Computer-Based Systems) for detailed technical control requirements. For CANDU reactors, which use on-power fueling and have different I&C architectures from PWR and BWR designs — including the CANDU Fuel Management computer and the Reactor Regulating System AI monitoring functions — the adversarial injection attack surfaces are distinct from PWR/BWR implementations but the same inference-time scanning architecture applies to any image-input AI system used in safety or security functions.