GO2-09-153, Submittal of an Amendment Request for Approval of Cyber Security Plan

From kanterella
Jump to navigation Jump to search
Submittal of an Amendment Request for Approval of Cyber Security Plan
ML093280912
Person / Time
Site: Columbia Energy Northwest icon.png
Issue date: 11/16/2009
From: Atkinson D
Energy Northwest
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
GO2-09-153
Download: ML093280912 (12)
v  d  e


Text

ENERGYP.O. ENERGYVice Dale K. Atkinson President, Operational Support Box 968, PE03 NORTHW EST Richland, WA 99352-0968 Ph. 509.377.4302 I F. 509.377.4098 dkatkinson @energy-northwest.com November 16, 2009 G02-09-153 10 CFR 73.54 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, D.C. 20555-0001

Subject:

COLUMBIA GENERATING STATION, DOCKET NO. 50-397 REQUEST FOR APPROVAL OF THE COLUMBIA GENERATING STATION CYBER SECURITY PLAN

Reference:

NEI 08-09 Rev. 3, "Cyber Security Plan for Nuclear Power Reactors,"

September 2009.

Dear Sir or Madam:

In accordance with the provisions of 10 CFR §50.4 and §50.90, Energy Northwest is submitting a request for an amendment to the Facility Operating License (FOL) for Columbia Generating Station. This proposed amendment requests NRC approval of the Columbia Generating Station Cyber Security Plan, provides an Implementation Schedule, and proposes a revision to the existing FOL Physical Protection license condition 2.E to require Energy Northwest to fully implement and maintain in effect all provisions of the Commission approved Columbia Generating Station Cyber Security Plan.

This proposed amendment conforms to the model application provided in Appendix A of the reference. provides an evaluation of the proposed change. Enclosure 1 also contains the following attachments:

" Attachment 1 provides the existing FOL page marked up to show the proposed change.

" Attachment 2 provides the proposed FOL change in final typed format. provides a copy of the Columbia Generating Station Cyber Security Plan which is a stand alone document that will be incorporated by reference into the Columbia Generating Station Physical Security Plan upon the staff's approval. provides a copy of the Columbia Generating Station Cyber Security Plan Implementation Schedule and describes commitments made in this submittal. (

Lk~4

REQUEST FOR APPROVAL OF THE COLUMBIA GENERATING STATION CYBER SECURITY PLAN Page 2 Energy Northwest requests that Enclosure 2, which contains security sensitive information, be withheld from public disclosure in accordance with 10 CFR 2.390. In accordance with 10 CFR 50.91, a copy of this application, with attachments, is being provided to the designated Washington State Official.

If you should have any questions regarding this submittal, please contact Mr. MC Humphreys at 509 377-4025.

I declare under penalty of perjury that the foregoing is true and correct. Executed on the date of this letter.

Respectfully, DK Atkinson Vice President, Operational Support

Enclosures:

1 - Evaluation of Proposed Change 2 - Columbia Generating Station Cyber Security Plan 3 - Columbia Generating Station Cyber Security Plan Implementation Schedule cc: EE Collins, Jr. - NRC RIV NJ DiFrancesco - NRC NRR NRC Senior Resident Inspector/988C RN Sherman - BPA/1 399 WA Horin - Winston & Strawn EFSEC Manager RR Cowley - WDOH

REQUEST FOR APPROVAL OF THE COLUMBIA GENERATING STATION CYBER SECURITY PLAN Page 1 of 8 Evaluation of Proposed Change Request for Approval of the Columbia Generating Station Cyber Security Plan 1.0

SUMMARY

DESCRIPTION 2.0 DETAILED DESCRIPTION

3.0 TECHNICAL EVALUATION

4.0 REGULATORY EVALUATION

5.0 ENVIRONMENTAL CONSIDERATION

6.0 REFERENCES

ATTACHMENTS - Marked-up Facility Operating License page. - Facility Operating License change in final typed format.

REQUEST FOR APPROVAL OF THE COLUMBIA GENERATING STATION CYBER SECURITY PLAN Page 2 of 8 1.0

SUMMARY

DESCRIPTION The proposed license amendment request (LAR) includes the proposed Columbia Generating Station Cyber Security Plan (Plan), an Implementation Schedule, and a proposed sentence to be added to the existing Facility Operating License (FOL)

Physical Protection license condition.

2.0 DETAILED DESCRIPTION The proposed LAR includes three parts: the proposed Plan, an Implementation Schedule, and a proposed revision to the existing FOL Physical Protection license condition 2.E to require Energy Northwest to fully implement and maintain in effect all provisions of the Commission approved Columbia Generating Station Cyber Security Plan as required by 10 CFR §73.54. The regulations in 10 CFR §73.54, "Protection of digital computer and communication systems and networks," (Rule) establish the requirements for a cyber security program. This regulation specifically requires each licensee currently licensed to operate a nuclear power plant under Part 50 of this chapter to submit a cyber security plan that satisfies the requirements of the Rule. Each submittal must include a proposed implementation schedule and implementation of the licensee's cyber security program must be consistent with the approved schedule. The background for this application is addressed by the NRC Notice of Availability published on March 27, 2009, 74 FR 13926 (Reference 1).

3.0 TECHNICAL EVALUATION

FederalRegister notice 74 FR 13926 issued the final rule that amended 10 CFR Part

73. Cyber security requirements are codified as new §73.54 and are designed to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the design basis threat established by § 73.1 (a)(1)(v). These requirements are substantial improvements upon the requirements imposed by EA-02-026 (Reference 2).

This LAR includes the proposed Plan (Enclosure 2) that conforms to the template provided in Appendix A of NEI 08-09 (Reference 3). In addition, the LAR includes the proposed revision to the existing FOL license condition for "Physical Protection" (Attachments 1 and 2). Finally, the LAR contains the proposed Implementation Schedule (Enclosure 3) as required by 10 CFR §73.54.

4.0 REGULATORY EVALUATION

4.1 APPLICABLE REGULATORY REQUIREMENTS I CRITERIA This LAR is submitted pursuant to 10 CFR §73.54 which requires licensees currently licensed to operate a nuclear power plant under 10 CFR Part 50 to submit a Cyber Security Plan as specified in §50.4 and §50.90.

REQUEST FOR APPROVAL OF THE COLUMBIA GENERATING STATION CYBER SECURITY PLAN Page 3 of 8 4.2 SIGNIFICANT HAZARDS CONSIDERATION Energy Northwest has evaluated the proposed changes using the criteria in 10 CFR 50.92 and has determined that the proposed changes do not involve a significant hazards consideration. An analysis of the issue of no significant hazards consideration is presented below:

Criterion 1: The proposedchange does not involve a significantincreasein the probabilityor consequences of an accident previously evaluated.

The proposed change is required by § 73.54 and includes three parts. The first part is the submittal of the Plan for NRC review and approval. The Plan conforms to the template provided in NEI 08-09 and provides a description of how the requirements of the Rule will be implemented at Columbia Generating Station. The Plan establishes the licensing basis for the Energy Northwest Cyber Security Program for Columbia Generating Station. The Plan establishes how to achieve high assurance that nuclear power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks up to and including the design basis threat:

1. Safety-related and important-to-safety functions,
2. Security functions,
3. Emergency preparedness functions including offsite communications, and
4. Support systems and equipment which if compromised, would adversely impact safety, security, or emergency preparedness functions.

Part one of the proposed change is designed to achieve high assurance that the systems are protected from cyber attacks. The Plan itself does not require any plant modifications. However, the Plan does describe how plant modifications which involve digital computer systems are reviewed to provide high assurance of adequate protection against cyber attacks, up to and including the design basis threat as defined in the Rule.

The proposed change does not alter the plant configuration, require new plant equipment to be installed, alter accident analysis assumptions, add any initiators, or affect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected. The first part of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks and has no impact on the probability or consequences of an accident previously evaluated.

The second part of the proposed change is an Implementation Schedule. The third part is a proposed revision to the existing FOL license condition 2.E for Physical Protection.

Both of these changes are administrative and have no impact on the probability or consequences of an accident previously evaluated.

Therefore, it is concluded that this change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

t I REQUEST FOR APPROVAL OF THE COLUMBIA GENERATING STATION CYBER SECURITY PLAN Enclosure 1 Page 4 of 8 Criterion2: The proposed change does not create the possibilityof a new or different kind of accidentfrom any accident previously evaluated.

The proposed change is required by § 73.54 and includes three parts. The first part is the submittal of the Plan for NRC review and approval. The Plan conforms to the template provided by NEI 08-09 and provides a description of how the requirements of the Rule will be implemented at Columbia Generating Station. The Plan establishes the licensing basis for the Energy Northwest Cyber Security Program for Columbia Generating Station. The Plan establishes how to achieve high assurance that nuclear power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks up to and including the design basis threat:

1. Safety-related and important-to-safety functions,
2. Security functions,
3. Emergency preparedness functions including offsite communications, and
4. Support systems and equipment which if compromised, would adversely impact safety, security, or emergency preparedness functions.

Part one of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks. The Plan itself does not require any plant modifications. However, the Plan does describe how plant modifications involving digital computer systems are reviewed to provide high assurance of adequate protection against cyber attacks, up to and including the design basis threat defined in the Rule. The proposed change does not alter the plant configuration, require new plant equipment to be installed, alter accident analysis assumptions, add any initiators, or affect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected. The first part of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks, and does not create the possibility of a new or different kind of accident from any previously evaluated.

The second part of the proposed change is an Implementation Schedule. The third part is a proposed revision to the existing FOL license condition 2.E for Physical Protection.

Both of these changes are administrative and do not create the possibility of a new or different kind of accident from any previously evaluated.

Therefore, the proposed change does not create the possibility of a new or different kind of accident from any previously evaluated.

Criterion 3: The proposed change does not involve a significantreduction in a margin of safety.

The proposed change is required by § 73.54 and includes three parts. The first part is the submittal of the Plan for NRC review and approval. The Plan conforms to the template provided by NEI 08-09 and provides a description of how the requirements of the Rule will be implemented at Columbia Generating Station. The Plan establishes the

REQUEST FOR APPROVAL OF THE COLUMBIA GENERATING STATION CYBER SECURITY PLAN Page 5 of 8 licensing basis for the Energy Northwest Cyber Security Program for Columbia Generating Station. The Plan establishes how to achieve high assurance that nuclear power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks up to and including the design basis threat:

1. Safety-related and important-to-safety functions,
2. Security functions,
3. Emergency preparedness functions including offsite communications, and
4. Support systems and equipment which if compromised, would adversely impact safety, security, or emergency preparedness functions.

Part one of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks. Plant safety margins are established through Limiting Conditions for Operation, Limiting Safety System Settings and Safety Limits specified in the Technical Specifications. Because there is no change to these established safety margins, the proposed change does not involve a significant reduction in a margin of safety.

The second part of the proposed change is an Implementation Schedule. The third part is a proposed revision to the existing FOL license condition 2.E for Physical Protection.

Both of these changes are administrative and do not involve a significant reduction in a margin of safety.

Therefore, the proposed change does not involve a significant reduction in a margin of safety.

Based on the above, Energy Northwest concludes that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c),

and accordingly, a finding of no significant hazards consideration is justified.

4.3 CONCLUSION

In conclusion, based on the considerations discussed above: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) such activities will be conducted in compliance with the Commission's regulations; and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

5.0 ENVIRONMENTAL CONSIDERATION

The proposed amendment establishes the licensing basis for a Cyber Security Program for Columbia Generating Station and will be a part of the Physical Security Plan. This proposed amendment will not involve any significant construction impacts. Pursuant to 10 CFR 51.22(b)(1 2) no environmental impact statement or environmental assessment needs to be prepared in connection with the issuance of the amendment.

REQUEST FOR APPROVAL OF THE COLUMBIA GENERATING STATION CYBER SECURITY PLAN Page 6 of 8

6.0 REFERENCES

1. Federal Register Notice, Final Rule 10 CFR Part 73, Power Reactor Security Requirements, published on March 27, 2009, 74 FR 13926.
2. EA-02-026, Order Modifying Licenses, Safeguards andSecurity Plan Requirements, issued February 25, 2002.
3. NEI 08-09 Rev. 3, "Cyber Security Plan for Nuclear Power Reactors," September 2009.

REQUEST FOR APPROVAL OF THE COLUMBIA GENERATING STATION CYBER SECURITY PLAN Page 7 of 8 Attachment 1 Proposed Facility Operating License Change (Mark-Up)

1 10 -

D. Exemptions from certain requirements of Appendices G, H and J to 10 CFR Part 50, are described in the Safety Evaluation Report. These exemptions are authorized by law and will not endanger life or property or the common defense and security and are otherwise in the public interest. Therefore, these exemptions are hereby granted pursuant to 10 CFR 50.12. With the granting of this exemption the facility will operate, to the extent authorized herein, in conformity with the application, as amended, the provisions of the Act, and the rules and regulations of the Commission.

E. The licensee shall full implement and maintain in effect all provisions of the Commission-approve physical security plan, training and qualification plan, and safeguards contingency plan, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plan, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "Columbia Generating Station Physical Security Plan, Training and Qualification Plan, Safeguards Contingency Plan, and Independent Spent Fuel Storage Installation Plan, Revision 3" submitted May 18, 2006.

F. Deleted.

G. The licensee shall notify the Commission, as soon as possible but not later than one hour, of any accident at this facility which could result in an unplanned release of quantities of fission products in excess of allowable limits for normal operation established by the Commission-.

H. The licensee shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

Amendment No. 5&ý,1- ,8 206 Revi~ed by -dted t ...... 206

REQUEST FOR APPROVAL OF THE COLUMBIA GENERATING STATION CYBER SECURITY PLAN Page 8 of 8 Attachment 2 Proposed Facility Operating License Change (Re-Typed)

D. Exemptions from certain requirements of Appendices G, H and J to 10 CFR Part 50, are described in the Safety .Evaluation Report. These exemptions are authorized by law and will not endanger life or property or the common defense and security and are otherwise in the public interest. Therefore, these exemptions are hereby granted pursuant to 10 CFR 50.12. With the granting of this exemption the facility will operate, to the extent authorized herei.n, in conformity with the application, as amended, the provisions of the Act, and the rules and regulations of the Commission.

E. The licensee shall fully implement and maintain in effect all provisions of the Commission-approved Columbia Generating Station cyber security plan, physical security plan, training and qualification plan, and safeguards contingency plan, including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plan, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "Columbia Generating Station Physical Security Plan, Training and Qualification Plan, Safeguards Contingency Plan, and Independent Spent Fuel Storage Installation Plan, Revision 3" submitted May 1.8, 2006.

F. Deleted.

G. The licensee shall notify the Commission, as soon as possible but not later than one hour, bf any accident at this facility which could result in an unplanned release of quantities of fission products in excess of allowable limits for normal operation established by the Commission.

H. The licensee shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the, Atomic Energy Act of 1954, as amended, to cover public liability claims.

Amendment No. 57,178,13,20 Rcviscd by letter dated February 2, 2007

Retrieved from "https://kanterella.com/w/index.php?title=GO2-09-153,_Submittal_of_an_Amendment_Request_for_Approval_of_Cyber_Security_Plan&oldid=2139413"