Recently, more than 70 SMRs have been developed around the world due to their modularity, flexibility, and miniaturization. An innovative SMR (i-SMR) is also being developed in Korea, and operators are planning to apply for a Standard Design Approval (SDA) in 2026 after completing the standard design. Accordingly, regulatory organizations are conducting R&D on regulatory requirements and guidelines for systematic SMR standard design review by referring to IAEA and NRC cases. In terms of security, SMRs are expected to undergo many changes not only in physical security through security systems, security areas, and vital equipment, but also in cybersecurity through new digital technologies, remote monitoring, and automated operation. Accordingly, the IAEA Fundamental Safety Principles (SF-1) require operators to improve the safety of nuclear facilities by considering security requirements, access control requirements, and the results of operational impact assessments based on threats from the design and construction stages. Similarly, the U.S. nuclear regulatory body (NRC) has confirmed the status of security assessment and design considering design basis threats (DBTs) in the NuScale standard design review process, and the Canadian nuclear regulatory body (CNSC) has revised security regulatory guidelines and applied them to the SMR standard design review. Among these various activities related to SMR security, this paper analyzes the major changes in the cybersecurity regulatory guidelines for SMRs recently revised by the CNSC. Compared to the previous guidelines, the revision adds the Defensive Cybersecurity Architecture (DCSA), including external logical access control, security level and zone communication requirements, verification and validation (V&V) activities during development phases, and system & service acquisition security requirements. Other changes, such as the cyber incident response program, will be analyzed and compared. Through the revised regulatory guidelines, the CNSC has divided cybersecurity levels into four (High, Moderate, Low, and Business), strictly prohibiting remote access to the High and Moderate levels, and allowing remote access to the Low level only for maintenance purposes. In addition, the paper will analyze the detailed revisions, such as prohibiting access to the High level from lower levels and allowing only handshaking signals from the Low level to the Moderate level.
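The level and zone restrictions listed in this abstract can be written down as a rule check and run over a zone firewall rule set. The following is an added example, not code from the paper or from the CNSC guideline; the level ordering (Business lowest, High highest), the `Flow` fields, and the sample rules are assumptions, and any flow the abstract does not mention is reported as "unspecified" rather than guessed.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Level(IntEnum):
    # Assumed ordering: Business is the lowest level, High the highest.
    BUSINESS = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3

@dataclass(frozen=True)
class Flow:
    src: Optional[Level]    # None means remote access from outside the facility
    dst: Level
    kind: str = "data"      # "data" or "handshake"
    purpose: str = ""       # e.g. "maintenance"

def evaluate(flow: Flow) -> str:
    """Return 'allow', 'deny' or 'unspecified' (the abstract states no rule)."""
    if flow.src is None:                                   # remote access
        if flow.dst in (Level.HIGH, Level.MODERATE):
            return "deny"
        if flow.dst is Level.LOW:
            return "allow" if flow.purpose == "maintenance" else "deny"
        return "unspecified"
    if flow.dst is Level.HIGH and flow.src < Level.HIGH:   # lower level into High
        return "deny"
    if flow.src is Level.LOW and flow.dst is Level.MODERATE:
        return "allow" if flow.kind == "handshake" else "deny"
    return "unspecified"

# Constructed rule set, as it might be exported from a zone firewall.
RULES = [
    Flow(None, Level.LOW, purpose="maintenance"),
    Flow(None, Level.MODERATE, purpose="maintenance"),
    Flow(Level.LOW, Level.MODERATE, kind="handshake"),
    Flow(Level.LOW, Level.MODERATE, kind="data"),
    Flow(Level.BUSINESS, Level.HIGH),
    Flow(Level.HIGH, Level.MODERATE),
]

def audit(rules):
    """Rules that break a stated restriction, plus those needing manual review."""
    verdicts = [(r, evaluate(r)) for r in rules]
    return ([r for r, v in verdicts if v == "deny"],
            [r for r, v in verdicts if v == "unspecified"])
```
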
Cyber security regulatory guidelines for domestic and foreign nuclear facilities, such as KINAC/RS-015, the NRC’s RG 5.71, and NEI 13-10, require security measures that maintain the integrity of critical digital assets (CDAs) and protect them against threats in the supply process. According to these requirements, cyber security requirements shall be reflected in purchase requirements from the time CDAs are introduced, and it shall also be verified before introduction that cyber security measures were properly applied. Domestic licensees apply the supply chain control measures of the nuclear safety sector to their cyber security policies. The safety sector supply chain control policy functionally overlaps with the requirements of cyber security regulations, so regulatory guidelines from the safety sector can be applied. However, since most emergency preparedness and physical protection functions are implemented with commercial digital products, there is a limit to applying safety-sector supply chain control as it is. It is necessary either to apply operator supply chain control policies, procedures, and purchase requirements for each SSEP function, or to establish integrated cyber security supply chain control requirements. In this paper, based on the licensee’s current supply chain control policy, a cyber security regulation plan for supply chain control according to the SSEP (Safety-Security-Emergency Preparedness) function of CDAs is considered.
Recently, about 70 Small Modular Reactors (SMRs) are being developed around the world due to various advantages such as modularization, flexibility, and miniaturization. An innovative SMR (i-SMR) is being developed in South Korea as well, and the domestic nuclear utility is planning to apply for the Standard Design Approval in 2026 after completing the basic design and standard design. Accordingly, the regulatory body is conducting research on the regulatory system for reviewing the i-SMR standard designs by referring to the IAEA and the U.S. NRC cases. An SMR is expected to undergo many changes not only in terms of cyber security due to new digital technology, remote monitoring, and automatic operation, but also in terms of physical security according to security systems, security areas, and vital equipment. Accordingly, related technical documents issued by the IAEA require nuclear utilities to consider regulatory requirements of security from the design phase by integrating security regulations into SMR licensing. The U.S. NRC has also identified 17 issues affecting SMR design since 2010 (SECY-10-0034), and among them, ‘Consideration of SMR security requirements’ was included as a major issue. Accordingly, the NuScale applicant conducted security assessment and design in consideration of the Design Basis Threat (DBT) in the initial SMR design process through the Gap Analysis Report (2012) and NuScale’s Security System Technical Report (TR-0416-48929), and the NRC developed the Design Specific Review Standard for NuScale (DSRS) and then reviewed the applicant’s security design process, standard design results, and testing criteria for the security system (ITAAC). This paper analyzes the security review activities carried out during the NuScale standard design review, and the results are intended to be used in developing a domestic regulatory system for the i-SMR security review in the future.
KINAC (Korea Institute of Nuclear Non-proliferation and Control) is entrusted by the NSSC (Nuclear Safety and Security Commission) to conduct threat assessments for nuclear facilities. As part of the threat assessment, the DBT (Design Basis Threat) must be established every three years, and a threat assessment report must be developed for DBT establishment. This paper suggests a method for collecting and analyzing cyber threat information for the development of a cyber security threat assessment report. Recently, cyber threats have been increasing rapidly not only in the IT (Information Technology) field but also in the ICS (Industrial Control System) field. As cyber threats increase, threat information including related attack techniques is also increasing. Although KINAC is conducting a threat assessment on cyber security at nuclear facilities, it cannot collect and analyze all cyber threat information. Therefore, it is necessary to determine a reliable source of threat information for threat assessment, and to establish a strategy for collecting and analyzing threat information for DBT establishment. The first method for collecting and analyzing threat information is to prioritize threat information on industrial fields with high similarity to nuclear facilities. Most of the disclosed cyber threat information is in the IT field, and most of this information is not suitable for closed-network nuclear facilities. Therefore, it is necessary to first collect and analyze threat information on facilities that use networks similar to those of nuclear facilities, such as the energy and financial sectors. The second method is to analyze the attack techniques in the collected threat information. The biggest factor in resetting the DBT is whether there is a new threat and how much it has increased compared to the existing threat. Therefore, it is necessary to analyze which attack technique was used in the collected threat information, and as part of the analysis, a cyber attack analysis model such as a kill chain can be used. The last method is to collect and manage the disclosed vulnerability information. In order to manage vulnerabilities, it is necessary to first analyze what assets are in the nuclear facility. By matching the reported vulnerability with the CDA (Critical Digital Asset) in the facility, it is possible to analyze whether the CDA can be affected by a cyber attack. As cyber threats continue to increase, it is necessary to analyze threat cases of similar facilities, attack techniques using attack models, and vulnerability analysis through asset identification in order to develop a threat assessment report.
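The three collection and analysis steps described in this abstract can be chained as follows. This is an added example, not code or data from the paper: the record fields, the kill-chain phase and technique labels, the version comparison by `fixed_in`, and every report, asset and advisory below are constructed for illustration.

```python
from collections import Counter

# Step 1: sectors the abstract names as having networks similar to nuclear facilities.
SIMILAR_SECTORS = {"energy", "financial"}

# Constructed sample data (not real incidents, products or advisories).
REPORTS = [
    {"period": "previous", "sector": "energy",    "phase": "delivery", "technique": "spearphishing"},
    {"period": "previous", "sector": "retail",    "phase": "actions",  "technique": "web-skimming"},
    {"period": "current",  "sector": "energy",    "phase": "delivery", "technique": "spearphishing"},
    {"period": "current",  "sector": "financial", "phase": "delivery", "technique": "spearphishing"},
    {"period": "current",  "sector": "energy",    "phase": "delivery", "technique": "removable-media"},
    {"period": "current",  "sector": "retail",    "phase": "actions",  "technique": "web-skimming"},
]
CDAS = [
    {"id": "CDA-001", "vendor": "ExampleCo", "product": "PLC-X", "version": (2, 1)},
    {"id": "CDA-002", "vendor": "ExampleCo", "product": "HMI-Y", "version": (5, 0)},
]
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "vendor": "ExampleCo", "product": "PLC-X", "fixed_in": (2, 3)},
    {"id": "ADV-EXAMPLE-2", "vendor": "ExampleCo", "product": "HMI-Y", "fixed_in": (4, 2)},
]

def technique_counts(reports, period):
    """Step 2: tally (kill-chain phase, technique) for similar sectors only."""
    return Counter((r["phase"], r["technique"]) for r in reports
                   if r["period"] == period and r["sector"] in SIMILAR_SECTORS)

def threat_delta(reports):
    """New techniques, and growth of known ones, since the previous DBT period."""
    prev = technique_counts(reports, "previous")
    cur = technique_counts(reports, "current")
    new = sorted(k for k in cur if k not in prev)
    increased = {k: cur[k] - prev[k] for k in cur if k in prev and cur[k] > prev[k]}
    return new, increased

def affected_cdas(cdas, advisories):
    """Step 3: match disclosed vulnerabilities against the CDA inventory."""
    hits = []
    for adv in advisories:
        for cda in cdas:
            same = (cda["vendor"], cda["product"]) == (adv["vendor"], adv["product"])
            if same and cda["version"] < adv["fixed_in"]:   # still on an unfixed version
                hits.append((cda["id"], adv["id"]))
    return hits
```
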