Nuclear operators must sort out their digital assets as Critical Digital Asset (CDA) and manage their vulnerabilities. Since vulnerabilities are continually found and can be abused anytime, and the number of digital assets in nuclear facilities is increasing, it is important to collect publically-known vulnerabilities in automated mechanism to reevaluate their risks. KINAC is now in progress of establishing an automated mechanism of collecting publically-known vulnerabilities for nuclear facilities. This paper will discuss about criteria of selecting database when establishing an automated mechanism of collecting publically-known vulnerabilities for nuclear facilities. When selecting sets of vulnerability database, the characteristic of sets of digital assets need to be managed, importance of each digital asset, and where and who will use the set of digital assets should be mainly considered. Most of safety-related CDAs are made and used in the United States, and safety-related CDAs are similar to Information and Communication Technology (ICT) facilities. Therefore, the main vulnerability database used in the United States should be included when collecting the database of vulnerabilities. Especially, US government actively provides vulnerabilities of digital assets, enacting vulnerability disclosure policy to make each organization report their own potential vulnerabilities. The main vulnerability database of the US is National Vulnerability Database (NVD) of NIST. It contains over 150,000 vulnerabilities on ICT and Industrial Control System (ICS). Nuclear Energy Institute (NEI) published “Cyber Security Vulnerability and Risk Management”, Addendum 5 to NEI 08-09, and informed that US-CERT, ICS-CERT, and NVD can be used as publically-known vulnerability database, and US National Regulatory Commission (NRC) endorsed the publication. In South Korea, KrCERT and National Cyber Threat Intelligence (NCTI) share publically-known vulnerabilities, however, the number of vulnerabilities are less than those of NVD, and most of the data are duplication of those of NVD. Moreover, certain portion of information are only opened to authorized organizations, so it is unable to access those databases. Therefore, considering the fact that most information of vulnerabilities of CDAs are included in NVD and ICS-CERT, vulnerability database should also contain information from NVD and ICS-CERT. Otherwise, the database must contain equivalent information compared to NVD and ICS-CERT. Furthermore, the methodology for collecting vulnerabilities of digital assets from other countries is also required to be studied in the future research.

• Eunji Chang(Korea Institute of Nuclear Nonproliferation and Control, 1418, Yuseong-daero, Yuseong-gu, Daejeon) Corresponding author