
A Suggestion of Regulatory Improvement in Discarding CDAs Possessing Sensitive Information

  • Language: ENG
  • URL: https://db.koreascholar.com/Article/Detail/430695
Abstracts of Proceedings of the Korean Radioactive Waste Society
Korean Radioactive Waste Society
Abstract

Licensees are required to protect critical digital assets (CDAs) in nuclear facilities against cyber-attacks, up to and including the design basis threat (DBT), according to the 「ACT ON PHYSICAL PROTECTION AND RADIOLOGICAL EMERGENCY」. However, CDAs may be excluded from cyber security regulations when a nuclear power plant is decommissioned, and this may lead to severe consequences if the excluded CDAs contain sensitive information such as the number and location of nuclear fuels and information on security officers. In that case, the information could be leaked to an adversary if it is not adequately removed before the CDAs are discarded. It could then be abused to threaten nuclear facilities, inducing radiological sabotage and nuclear material theft. Controls on sensitive information are therefore needed. This study aims to derive regulatory improvements related to discarding CDAs that hold sensitive information by analyzing foreign cases such as the IAEA and the U.S. NRC. The sensitive information in the IAEA guide is the following: (1) details of physical protection systems and any other security measures in place for nuclear material, other radioactive material, associated facilities, and activities; (2) information relating to the quantity and form of nuclear material or other radioactive material in use or storage; (3) information relating to the quantity and form of nuclear material or other radioactive material in transport; (4) details of computer systems; (5) contingency and response plans for nuclear security events; (6) personal information; (7) threat assessments and security alerting information; (8) details of sensitive technology; (9) details of vulnerabilities or weaknesses that relate to the above topics; (10) historical information on any of the above topics. The U.S. NRC categorizes sensitive information into three groups: (1) classified information, (2) safeguards information (SGI), and (3) sensitive unclassified non-safeguards information (SUNSI). Classified information is information whose compromise would cause damage to national security or assist in manufacturing nuclear weapons. SGI concerns the physical protection of operating power reactors, spent fuel shipments, strategic special nuclear material, or other radioactive material. Finally, SUNSI is information that is generally not publicly available, such as information covered by personnel privacy, attorney-client privilege, or a confidential source. The IAEA recommends protecting the above sensitive information in accordance with NSS No.23-G (Security of Nuclear Information), and the NRC protects classified information, SGI, and SUNSI under the relevant laws. In the case of the ROK, if security control measures are enhanced for CDAs that possess sensitive information, the risk of information leakage will decrease when those CDAs are discarded.

Author
  • In Hyo Lee(Korea Institute of Nuclear Nonproliferation and Control (KINAC))