With the introduction of digital instrumentation system, the cyber security threat to nuclear power plants is becoming more and more serious. The existing cyber security standards of nuclear power plants still need to be improved, and the technology practice of defensive strategies is lacking all over the world. In this paper, based on the comparison of domestic and foreign regulations and standards, combined with the technical practice of I&C system overall plan, a defense-in-depth model based on data flow is proposed. The overall technical requirements, hierarchy, network model, cyber security basic requirements, cyber security interface and protection of digital assets are introduced, the application of the model and the direction of research on cyber security of nuclear power plant are prospected.