Year
2023
Abstract
According to guidelines such as KINAC/RS-015, NRC’s RG5.71, and NEI 13-10, supply chain
controls of critical digital assets (CDAs) for cybersecurity for nuclear facilities are considered from
a principled point of view. In reality, when introducing CDAs, the safety-related supply chain
control requirements are applied. Although digital I&C systems apply safety regulatory
requirements due to overlapping safety and cybersecurity requirements, CDAs for emergency
preparedness and physical protection are in a blind spot of the regulations. NEI 13-10 classifies the types
of CDAs according to functions, except for the general computer type. In the case of digital commercial
products, there is a limit to applying the control of the supply chain in the current safety and
cybersecurity fields. It is necessary to apply supply chain control operator policies, procedures, and
purchase requirements for each SSEP function, or to establish cybersecurity integrated supply chain
control requirements. In this study, the cybersecurity regulation guideline for supply chain control
considering SSEP (Safety-Security-Emergency Preparedness) function of CDAs.