Nuclear power plants (NPPs) are designed in consideration of redundancy, diversity, and independence to prevent leakage of radioactive materials from safety of view, and a contingency plan is established in case of DBA (Design Basis Accident) occurrence. In addition, NPPs have established contingency plans for physical attacks, including terrorist intrusions and bomb attacks. However, the level of contingency plan caused by cyberattacks is quite insufficient compared to the contingency plan in terms of safety and physical protection. The purpose of this paper is to present the problems of cyberattack contingency plan and methods to supplement it. The first problem with cyberattack contingency plan is that the initiating event for implementing the contingency plan is undecided. In terms of safety, the DBA is identified as an initial event, and each contingency plan is based on the initial events specified in the DBA such as Loss of Coolant Accident and Loss of Offsite Power. In terms of physical protection, each has a contingency plan by identifying bomb attacks and terrorist intrusions in Protected Area and Vital Area as initial events. On the other hand, in the contingency plan related to a cyberattack, an initial event caused by a cyberattack is not identified. For this, it is necessary to classify the attack results that may occur when the CDA is compromised based on the attack technique described in Design Basis Threat. Based on this, an initiating event should be selected and a contingency plan according to each initiating event should be established. The second problem is that there is no responsibility matrix according to the occurrence of the initiating event. From a safety point of view, when a DBA occurs, the organization’s mission according to each initial event is described in the contingency plan, and related countermeasures are defined in case of an accident through Emergency Operation Procedure. In the case of physical protection, referring to IAEA’s Regulatory Guide 5.54, the organization’s responsibility is defined in matrix form when an initial event such as a bomb attack occurs. In this way, the responsibility matrix to be carried out in case of initiating events based on the defined initial event should be described in the contingency plan. In this paper, the problems of the cyberattack contingency plan are presented, and for this purpose, the definition of the initial event and the need for a responsibility matrix when the initial event occurs are presented.

• Seungmin Kim(Korea Institute of Nuclear Nonproliferation and Control (KINAC)) Corresponding author