Search results


        1.
        2023.05 Free for subscribing certified institutions and individual members
        On April 28, 2022, a North Korean hacker (operator) recruited an active officer in exchange for virtual currency to steal military secrets and attempted to hack the battlefield network, and the investigation revealed that he had tried to use PoisonTap. Let’s analyze whether these events pose a threat to nuclear facilities. PoisonTap is a weaponized tool written in Node.js that runs on a Raspberry Pi Zero. When it is connected to a target PC through a USB or Thunderbolt port, the target PC can be taken over in about a minute. The materials for PoisonTap are a Raspberry Pi Zero, a USB expansion port that can be connected to the target PC, storage space for the code (about 12 MB), and Node.js (the weaponizable code), so it can be made without much difficulty. PoisonTap’s functionality allows cookies and sessions to be stolen through hijacking and allows remote access by exposing internal routers to the outside. Part of the reason PoisonTap is possible is that network devices connect directly to the computer without any conditions. One of the big problems with this vulnerability is that it is a design problem of the Internet itself, so it is difficult to block or defend against technically. Unlike a simple software problem, it cannot be fixed by modifying software code, which makes it difficult to protect against. According to an analysis of how PoisonTap works, once the PoisonTap is connected to the target PC it relies on a characteristic of the network (subnets of lower-priority network devices are given higher priority than gateways of higher-priority network devices). The HTML+JavaScript generated while it is connected becomes a backdoor that can be reached at any time. In other words, by creating a WebSocket in the web browser itself that can be connected to at any time, an attacker can connect to the target PC at any time.
In such a threat, PoisonTap is used to break in and install a web backdoor on the target PC, which keeps the PC continuously accessible and open to attack even after the PoisonTap is disconnected. This problem is believed to be an insider threat not only to military units but also to nuclear facilities that operate closed networks. PoisonTap can be brought into major nuclear areas in cooperation with insiders, along with general maintenance of USB equipment. Ordinary workers often leave their laptops unattended, or step away for a while with only a screen-saver password set. In addition, because there is no communication with the outside, practices such as failing to seal USB ports and to enter deep sleep mode (network connection) can expose nuclear facilities to cyber threats from malicious insiders using PoisonTap.
        2.
        2023.05 Free for subscribing certified institutions and individual members
        Recently, more than 70 SMRs have been developed around the world due to their modularity, flexibility, and miniaturization. An innovative SMR (i-SMR) is also being developed in Korea, and operators are planning to apply for a Standard Design Approval (SDA) in 2026 after completing the standard design. Accordingly, regulatory organizations are conducting R&D on regulatory requirements and guidelines for systematic SMR standard design review by referring to IAEA and NRC cases. In terms of security, SMRs are expected to undergo many changes not only in physical security, through security systems, security areas, and vital equipment, but also in cybersecurity, through new digital technologies, remote monitoring, and automated operation. Accordingly, the IAEA Fundamental Safety Principles (SF-1) require operators to improve the safety of nuclear facilities by considering security requirements, access control requirements, and the results of operational impact assessments based on threats from the design and construction stages. Similarly, the U.S. nuclear regulatory body (NRC) has confirmed the status of security assessment and design considering design basis threats (DBTs) in the NuScale standard design review process, and the Canadian nuclear regulatory body (CNSC) has revised security regulatory guidelines and applied them to the SMR standard design review. Among these various activities related to SMR security, this paper analyzes the major changes in the cybersecurity regulatory guidelines for SMRs recently revised by the CNSC. Compared to the previous guidelines, the Defensive Cybersecurity Architecture (DCSA), including external logical access control, security level and zone communication requirements, verification and validation (V&V) activities during development phases, and system & service acquisition security requirements have been added.
Other changes, such as the cyber incident response program, will be analyzed and compared. Through the revised regulatory guidelines, the CNSC has divided cybersecurity levels into four (High, Moderate, Low, and Business), strictly prohibiting remote access to High and Moderate levels, and allowing remote access to Low levels only for maintenance purposes. In addition, the paper will analyze the detailed revisions, such as prohibiting access to the High level from lower levels and allowing only handshaking signals from the Low level to the Moderate level.
        3.
        2023.05 Free for subscribing certified institutions and individual members
        The licensee of nuclear facilities in the Republic of Korea should ensure the functionality of Critical Digital Assets (CDAs) is maintained and minimize the negative impact of cyber-attacks by establishing a cyber security contingency plan. The contingency plan should include detailed response guidelines for each stage of detection, analysis, isolation, eradication, and recovery and comply with the requirements specified in KINAC’s “Regulatory Standard 015 - Security for Computer and Information System of Nuclear Facilities”. However, since the cyber security contingency plan describes the overall response guidelines for CDA, it may be difficult to respond practically to cyberattacks. This paper suggests a method to address this issue by performing exercises based on the classification of CDA types. CDAs in nuclear facilities can be classified according to their characteristics. The criteria for classifying CDA types include whether the asset is a PC, whether communication ports (RS-232, 422, 485) exist, whether storage devices can be connected through USB/memory card ports and whether internal settings can be changed through HMI devices such as built-in buttons. By classifying CDA types based on the proposed criteria, the attack vectors of CDAs can be defined. By defining the attack vectors, a list of cyber-attacks that CDAs may face can be created, and abnormal symptoms of CDAs resulting from the listed cyber-attacks can be defined. By using the defined abnormal symptoms of CDAs, the response measures of detection, analysis, isolation, eradication, and recovery can be concretized and reflected in the contingency plan. This may enable a more practical emergency response. This paper presents an improvement to the cyber security emergency response plan through the definition of cyber-attacks based on the classification of CDA types. 
By improving the contingency plan for CDAs as a whole using the proposed method, it is expected that more effective response measures can be taken in the event of a cyber-attack.