If there is solid proof of this, then inform the NRC. All nuclear plants are to be digitally secured under Code of Federal Regulations, 10CFR73.54. This is a public document, available to anyone.
Any plant found with a vulnerability would be subject to fines and shutdown.
You are correct.
However, true “security” is in the eyes of the beholder.
Audits are self-conducted “Binderware” affirmations of how good the security posture is.
A senior corp IT audit manager from one of the largest international energy management operations companies reached out two years ago for an open position helping address their client IT security audits.
During the course of the conversation learning their pain points with chemical plant IT security audits, he was asked, “How are the IT security audits going with the power plants they manage?”
He responded, “Oh, that’s right, that’s something we need to get on, too.”