By Shahid Mahdi
To feed the voracious energy appetite of the AI revolution, Silicon Valley has found a massive, carbon-free battery: the American nuclear fleet.
Faced with a staggering projected increase in summer peak demand over the next decade, Big Tech is attempting to bypass congested grid interconnection queues. Its solution is co-location: physically plugging hyperscale data centers into nuclear power plants. (See Talen, Amazon Enter PPA for 1.9 GW of Power from Susquehanna.)
While FERC and state regulators fiercely debate whether these deals will shift costs onto residential ratepayers, they are ignoring a more critical question: By physically and electrically fusing our most hyper-connected digital assets (AI data centers) with our most sensitive kinetic assets (nuclear reactors), are we engineering a catastrophic vulnerability?
Put simply: If a co-located data center is hit with ransomware, does the nuclear plant have to trip offline?
To find the answer, we must look to the greatest cybersecurity failure in modern U.S. energy infrastructure history: the May 2021 Colonial Pipeline attack. (See Colonial Hack Sparks Competing Recommendations at FERC.)
In the energy sector, infrastructure is built on distinct layers of technology. There is the information technology (IT), which handles software and billing, and the operational technology (OT), which are the physical levers, valves and switches that control the flow of energy.
When Russian ransomware group DarkSide infiltrated Colonial Pipeline, it did not hack the OT. It never touched the pipeline’s physical controls. It attacked the IT systems, locking up administrative files containing sensitive information and demanding a $5 million ransom.
Yet the pipeline was shut down, paralyzing the Eastern Seaboard. Why? Because out of blind panic and an inability to safely segregate the IT networks from the OT networks, the operators were forced to pull the plug on the physical infrastructure to prevent the infection from spreading.
Ultimate IT and OT Assets
An AI data center is the ultimate IT asset. It is a sprawling supercomputer designed to be connected to global networks, ingesting and processing massive amounts of data from the open internet. A nuclear power plant, conversely, is the ultimate OT asset, reliant on precise, secure and isolated physical engineering.
If a state-sponsored adversary or a ransomware-as-a-service syndicate breaches the data center’s IT network, the resulting chaos will not be contained to silicon chips. If the utility operator cannot prove an “air gap” exists between the data center’s infected servers and the nuclear reactor’s operational controls, they will face the same horrific choice Colonial Pipeline did. Out of an abundance of caution, the nuclear reactor may have to be scrammed — abruptly taken offline — costing millions of dollars and draining firm baseload power from the surrounding public grid.
Currently, the regulatory apparatus is fundamentally misaligned to handle this threat. State utility commissions and federal agencies are operating in a “regulatory labyrinth,” tracking thousands of filings across a fragmented system. But their focus remains mostly financial. FERC in 2025 was directed to initiate a proceeding (Docket EL25-49-000) to consider issues related to the co-location of large loads at generation facilities, but the primary concerns remain grid reliability and cost allocation.
As Congress, FERC and NERC establish the rules of the road for AI-nuclear co-location, they must mandate “resilience by design.” Tech companies seeking direct access to nuclear power must be required by law to finance and implement military-grade network segmentation. The burden of proof must fall on the developers to demonstrate that a catastrophic digital breach of their AI servers will not mathematically or operationally necessitate the shutdown of the adjacent nuclear core.
The AI era promises immense breakthroughs, but it also transforms every server farm into a potential backdoor to our critical infrastructure. We learned the hard way that a hacked billing system can stop the flow of gas. We cannot afford to learn what a hacked algorithm might do to a nuclear reactor.
Shahid Mahdi is a director at energy regulatory intelligence company EnerKnol and an expert in cybersecurity threats to energy infrastructure.
