A Preliminary Report on Static Analysis of C Code for Nuclear Reactor Protection System

摘要

Cybersecurity regulations require new I&C (Instrumentation & Control) systems in nuclear power plants to develop software in accordance with secure software development methodology to prevent the digital systems from cyber attacks. One of the common aspects of various secure software development methodologies is that widely-accepted practices should be followed throughout programming. As PLC (Programmable Logic Controller) is used to implement digital I&Cs, C programs are often translated automatically from design specifications such as FBD programs. This paper tries to analyze a part of preliminary version of C codes of a Korean I&C system with a static source code analysis tool of Microsoft. It shows that the automatic translator from FBD to C had a few critical defects, not concerned with security directly. It also recommends to select appropriate analysis tools and rule sets to check best practices in secure programming, even if the C code is produced mechanically.