오늘날 사이버 안보의 위협은 모든 국가안보 사안과 관련되어 있다고 해 도 과언이 아니다. 사이버 안보의 위협은 정부와 안보기관에서 대응해야 할 핵심적인 사안으로 부상하였다. 국내에서도 사이버 안보 강화를 위한 법령 제정에 대한 논의가 있어왔으며 2011년 사이버위협 대응을 위한 부처별 역 할을 정립하는 등의 대응을 위한 ‘국가사이버 안보마스터 플랜’이 수립되었 고, 비교적 최근인 2019년에는 ‘국가사이버안보전략’이 세워지는 등의 노력 이 있어왔다. 그러나 이러한 노력들은 아직까지는 추상적인 수준에 머물고 있으며, 실제 사이버 안보 관련 입법으로 이어지지 못하였다는 점에서 한계 가 있다. 따라서 한국은 사이버 공간을 통한 다양한 정보활동, 대테러위협, 해킹위협 등에 노출되어 있음에도 불구하고 사이버 위협 대상이 되는 주요 시설과 취약시설에 대한 보안을 강화할 수 있는 법령이 상당히 취약하다. 반 면 미국과 유럽 등 해외 주요 선진국들은 2000년대 초부터 국가적 차원에서 사이버위협에 대응하기 위한 체계들을 세우고, 정책을 개발하고, 그리고 법 령들을 제정해왔다. 이러한 활동은 사이버 위협 컨트롤 타워 설립, 전담조직 설치, 관련기관 및 조직에 대한 책임 및 역할 부여, 사이버 안보법 제정, 사 이버안보 전략 수립 등의 다양한 법령과 전략, 그리고 정책의 수립 등을 포 함한다. 복잡한 사이버 안보사안의 출현과 다양한 사이버 안보 위협주체들의 등장으로 더욱 위협적으로 변모하고 있는 안보환경 속에서 국내 사이버 안 보 역량 강화를 위한 입법은 매우 시급하고 중요하다. 그러나 국내에서는 이 러한 사이버 안보관련 입법에 대한 관심이나 논의는 아직까지 미흡한 실정 이다. 이에 따라, 이 연구에서는 국내 사이버 안보관련 전략발전과 법령제정 에 기여하기 위한 의도로 미국의 사이버 안보전략과 정책, 그리고 법률의 발 전 동향을 살펴보았다. 이를 통해 이 연구는 국내 사이버 안보전략과 정책발 전 그리고 관련 법령의 제정과 관련된 시사점을 제시하였다.

Recently, more than 70 SMRs have been developed around the world due to their modularity, flexibility, and miniaturization. An innovative SMR (i-SMR) is also being developed in Korea, and operators are planning to apply for a Standard Design Approval (SDA) in 2026 after completing the standard design. Accordingly, regulatory organizations are conducting R&D on regulatory requirements and guidelines for systematic SMR standard design review by referring to IAEA and NRC cases. In terms of security, SMRs are expected to undergo many changes not only in terms of physical security through security systems, security areas, and vital equipments, but also in terms of cybersecurity through new digital technologies, remote monitoring, and automated operation. Accordingly, the IAEA Fundamental Safety Principles (SF-1) require operators to improve the safety of nuclear facilities by considering security requirements, access control requirements, and the results of operational impact assessments based on threats from the design and construction stages. Similarly, the U.S. nuclear regulatory body (NRC) has confirmed the status of security assessment and design considering design basis threats (DBTs) in the NuScale standard design review process, and the Canadian nuclear regulatory body (CNSC) has revised security regulatory guidelines and applied them to the SMR standard design review. Among these various activities related to SMR security, this paper analyzes the major changes in the cybersecurity regulatory guidelines for SMRs recently revised by the CNSC, the Canadian nuclear regulatory body. Compared to the previous guidelines, the Defensive Cybersecurity Architecture (DCSA), including external logical access control, security level and zone communication requirements, verification and validation (V&V) activities during development phases, and system & service acquisition security requirements have been added. Other changes, such as the cyber incident response program, will be analyzed and compared. Through the revised regulatory guidelines, the CNSC has divided cybersecurity levels into four (High, Moderate, Low, and Business), strictly prohibiting remote access to High and Moderate levels, and allowing remote access to Low levels only for maintenance purposes. In addition, the paper will analyze the detailed revisions, such as prohibiting access to the High level from lower levels and allowing only handshaking signals from the Low level to the Moderate level.

According to the “Law on protection and response measures for nuclear facilities and radiation”, Nuclear Power Plant (NPP) licensees should conduct periodic exercises based on hypothetical cyberattack scenarios, and there is a need to select significant and probable ones in a systematic manner. Since cyber-attacks are carried out intentionally, it is difficult to statistically specify the sequences, and it is not easy to systematically establish exercise scenarios because existing engineering safety facilities can be forcibly disabled. To deal with the above situation, this paper suggests a procedure using the Probabilistic Safety Assessment (PSA) model to develop a cybersecurity exercise scenario. The process for creating cyber security exercise scenarios consists of (i) selecting cyber-attack-causing initiating events, (ii) identifying digital systems, (iii) assigning cyber-attack vectors to a digital system, (iv) determining and adding type for operator’s response, (v) modifying a baseline PSA model, and (vi) extracting top-ranked minimal cut sets, and (vii) selecting a representative scenario. This procedure is described in detail through a case study, an expected cyber-attack scenario General Transient-Anticipated Transient Without Scram (GTRN-ATWS). It refers to an accident scenario for ATWS induced by GTRN. Since ATWS is targeted for cyber training in some NPPs, and GTRN is one of the most common accidents occurring in NPPs, GTRN-ATWS was chosen as an example. As for the cyber-attack vector, portable media and mobile devices were selected as examples based on expert judgment. In this paper, only brief examples of GTRN-ATWS events have been presented, but future studies will be conducted on an analysis of all initiating events in which cyber-attacks can occur.

The emergence of global internet access from the low Earth orbit (LEO) comes with cybersecurity vulnerabilities. Under international space law regimes, the concept of cybersecurity in outer space remains ambiguous. Furthermore, cyberattacks affecting the era’s thoroughly segregated computer space systems were unimagined. Cyber borders are not the same as physical borders. Cyberspace does not admit the demarcation of territorial sovereignty, as it is not based on physical location, and assigning territorial sovereignty to cyberspace is time-consuming. This research proposes the concept of a multi-stakeholder international legal regime for space cybersecurity, as establishing cybersecurity standards and risk management mechanisms necessitates technical measures and a regulatory framework. International cooperation is the only way to provide a fully coordinated approach to cyberspace protection which is consistent with the fundamental premise of international cooperation and collaboration in space.