KINAC has regulated cyber security of nuclear facilities based on「Act on Physical Protection and Radiological Emergency」and KINAC/RS-015 “Security for Computer and Information System of Nuclear Facilities”, a regulatory guide. By that law and regulatory guide, nuclear licensees shall protect digital assets so-called CDAs, which are conducting safety, security, and emergency preparedness functions from cyber-attack. First of all, to protect CDAs from cyber-attack, licensees should identify CDAs from their assets according to the RS-015. The identification methods are provided in another regulatory guide, RS-019. To research the best practice, a reference case is selected as a U.S. case. In this study, a comparison analysis was conducted especially focused on EP CDAs identification methodology between R.O.K. and U.S., because the regulation basis is relatively insufficient in R.O.K., and improvement plans for the cyber security regulations in R.O.K were proposed. From the analysis, it was identified that detailed methods to identify EP function are provided in NEI 10-14 “Identifying Systems and Assets Subject to the Cyber Security Rule” published by Nuclear Energy Institute (NEI), an institute of nuclear power reactor licensees. Also identified that the definition of EP function is provided clearly in NEI 10-04 based on related regulation, 10 CFR 50.47 “Emergency Plans”. In that regulation, licensees shall follow and maintain the effectiveness of an emergency plan that meets the sixteen planning standards of 10 CFR 50.47(b). So, these sixteen planning standards correspond to the emergency preparedness functions. In NEI 10-04, scoping considerations for emergency preparedness function are provided referring to sixteen planning standards. Moreover, in that scoping considerations, planning standards, planning standard functions and 10 CFR 73.54 “Protection of digital computer and communication systems and networks” scoping guidance are provided, so, licensees identify EP CDA in their assets conveniently. In case of R.O.K., because these sixteen planning standards are not established, there is an ambiguity in identifying EP CDAs. The only related provision is “Detailed Standards for Establishment of Emergency Plan”. To resolve the ambiguity, it is needed to analyze sixteen planning standards in 10 CFR 50.47(b) and “Detailed Standards for Establishment of Emergency Plan”. Then, should be developed ‘scoping considerations for emergency preparedness function’ based on the analysis as provided in NEI 10-04.
The cyber-attack on Natanz nuclear facility in Iran which called Stuxnet showed how cyber could affect the physical system. If cyber-attack on NPPs compromise digital I&C system, it may occur some malfunction on actuators and at worst, radioactive material released into the environment. However, it is hard to test the cyber security on operating NPPs because of the safety problems. So, it is necessary to develop a test-bed to test both the cyber security of NPPs and the effect of cyber-attack on NPPs. KINAC has been developing NPPs test-bed to evaluate the cyber security of NPPs, validate cyber security controls of licensee and train the inspectors. In this paper, the conceptual design of NPPs cyber security test-bed will be discussed. Actual I&C systems such as PLC (Programmable Logic Controller) and DCS (Distributed Control System) are essential for testing cyber security. Also, NPPs simulator is one of important part to evaluate or analyze the effect of cyber-attack on NPPs. Usually, NPPs simulator consists of software which contains nuclear model, thermal-hydraulic model, execution program and GUI and hardware which contains workstation, operator console, PC and large display panel. It provides very similar to actual NPPs to users. However, in case of conventional NPPs simulator, I&C part is implemented as a software, so it is impossible to test the cyber security. To solve this issue, in case of the NPPs cyber security test-bed, I&C part should be hardware and simulation code should be modified to connect the hardware I&C part and software simulator using the HIL (Hardware-in-the-loop) method. The main purpose of this NPPs cyber security test-bed is to utilize in NPPs cyber security regulation. So, KINAC is developing the test-bed with APR 1400 simulator model and KNICS PLC and DCS platform. These real hardware I&C system will be connected to hacker’s PC to test cyber security of NPPs. Also, the data set will be updated with real NPPs data set after the test-bed development finished. Furthermore, to give various analysis environment, archiving equipment that archive major plant process data, network packet between I&C systems and the like will be added. This NPPs cyber security test-bed combined the good points of conventional NPPs simulator and cyber security test-bed. It can test the cyber security of NPPs that conventional NPPs simulator cannot do. Also, it can evaluate and analyze the impact of cyber-attack on NPPs that cyber security test-bed cannot do.