Response to Request for Additional Information and Supplement to Cyber Security Plan

ML11104A012
Person / Time
Site:	Columbia
Issue date:	03/31/2011
From:	Atkinson D Energy Northwest
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
GO2-11-066
Download: ML11104A012 (1)
v • d • e

Text

4 SECURITY RELATED INFORMATION WIT-HHOLD UNDER 10 CFR 2.890 ENERGY NORTHWEST Dale K. Atldnson Vice President, Employee Development/

Corporate Services P.O. Box 968, PE03 Richland, WA 993520968 Ph. 509.377.43021 F. 509.377.4098 dkatldnson@energy-northwest.com March 31, 2011 G02-11-066 10 CFR 73.54 U.S. Nuclear Regulatory Commission A'TN: Document Control Desk Washington, D.C. 20555-0001

Subject:

COLUMBIA GENERATING STATION, DOCKET NO. 50-397 RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION AND SUPPLEMENT TO THE CYBER SECURITY PLAN FOR COLUMBIA GENERATING STATION

1) Letter G02-10-098 dated July 22, 2010, DK Atkinson (Energy Northwest) to NRC, "Request for Approval of the Columbia Generating Station Cyber Security Plan" (ADAMS Accession No. ML102150353)

References:

2) Letter G02-10-143 dated September 27, 2010, DK Atkinson (Energy Northwest) to NRC, "Notification Letter Designating Columbia Generating Station Balance of Plant Systems within the Cyber Security Rule Scope" (ADAMS Accession No. ML102780398)

3) Letter dated March 1, 2011, Balwant K. Singal (NRC) to Mark E.

Reddemann (Energy Northwest), "Columbia Generating Station -

Request for Additional Information Regarding Revision to the Facility Operating License and Request for Review and Approval of the Cyber Security Plan (TAC No. ME4381)"

Dear Sir or Madam:

In Reference 1, Energy Northwest submitted a request for amendment to the Facility Operating Licenses (FOL) for Columbia Generating Station (Columbia). The proposed amendment requested Nuclear Regulatory Commission (NRC) approval of the Cyber Security Plan (CSP) for Columbia, revision to the existing FOL Physical Protection license condition, and the Cyber Security Plan Implementation Schedule.

THE ENCLOSURE(S) CONTAIN SECURITY SENSITIVE INFORMATION AS DEFINED BY 10 CFR 2.390 AND SHOULD BE WITHHELD FROM PUBLIC DISCLOSURE. PROTECT THIS INFORMATION ACCORDINGLY.

sm/A-of-K---

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION AND SUPPLEMENT TO THE CYBER SECURITY PLAN FOR COLUMBIA GENERATING STATION Page 2 In Reference 2, Energy Northwest committed to amend Section 2.1, "Scope and Purpose," of the Cyber Security Plan for Columbia Generating Station to clarify the Balance of Plant (BOP) Systems, Structures, and Components (SSCs) that will be included in the scope of the cyber security program.

With Reference 3, Columbia received an NRC Request for Additional Information (RAI) regarding the CSP for the Columbia submittal. Enclosure 1 provides the Energy Northwest response to the NRC RAIs. With the RAI response, Energy Northwest has proposed revisions to Section 2.1, "Scope and Purpose," Section 4.13, "Document Control and Records Retention and Handling," and has added an Implementation Schedule for intermediate and final milestones of the CSP for Columbia. provides a revised copy of the CSP for Columbia which incorporates the proposed revisions to Section 2.1 and Section 4.13. Additionally, "Revision 0" was added to title. No other changes have been made to the document other than pagination. The enclosed CSP replaces, in its entirety, the CSP for Columbia previously submitted as Enclosure 2 of Reference 1. provides a copy of the Implementation Schedule for intermediate and final milestones of the CSP for Columbia and describes the commitments made in this submittal. The schedule and its commitments replace, in their entirety, the schedule and its commitments previously submitted as Enclosure 3 of Reference 1.

Energy Northwest requests that Enclosures 1, 2 and 3, which contain security-related information, be withheld from public disclosure in accordance with Section 2.390 of Title 10 of the Code of Federal Regulations (10 CFR). contains revised marked-up and re-typed FOL pages for the Physical Protection license condition for Columbia Generating Station to clarify the addition of the cyber security plan and add reference to this supplement. The marked-up and re-typed pages in Enclosure 4 replace, in their entirety, the marked-up and re-typed pages previously submitted in Attachment 1 and Attachment 2 to Enclosure 1 of Reference 1. contains a revised copy of the Columbia Generating Station Deviations from NEI 08-09, Revision 6, previously submitted in Enclosure 4 of Reference 1. The revised copy incorporates the change to address BOP systems discussed above with the section 2.1 and 4.13 changes, refers to the appropriate appendices in NEI 08-09, Revision 6 (where applicable), clarifies the appropriate title of senior site management in section 4.10, and corrects the cited wording for NEI 08-09 in Appendix A, Section 3.1.3, 2nd bullet, to state "Critical Digital Asset." Enclosure 5 replaces, in its entirety, the information previously submitted in Enclosure 4 of Reference 1.

The changes discussed above are clarifying and do not impact the conclusions of the no significant hazards consideration determination previously provided in Reference 1.

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION AND SUPPLEMENT TO THE CYBER SECURITY PLAN FOR COLUMBIA GENERATING STATION Page 3 If you should have any questions regarding this submittal, please contact KD Christianson, Acting Licensing Supervisor, at (509) 377-4315.

I declare under the penalty of perjury that the foregoing is true and correct. Executed on the date of this letter.

Respectfully, DK Atkinson Vice President, Employee Development/Corporate Services

Enclosures:

1) Response to Request for Additional Information (Security-Related Information - Withhold Under 10 CFR 2.390)

2) Cyber Security Plan for Columbia Generating Station, Revision 0 (Security-Related Information - Withhold Under 10 CFR 2.390)

3) Cyber Security Plan Implementation Schedule (Security-Related Information -Withhold Under 10 CFR 2.390)

4) Attachment 1 - Marked-up Page Showing the Proposed FOL Changes - Proposed FOL Changes in Final Typed Format

5) Columbia Generating Station Deviations from NEI 08-09, Revision 6 cc:

NRC RIV Regional Administrator NRC NRR Project Manager NRC Senior Resident Inspector/988C RN Sherman - BPA/1 399 WA Horin - Winston & Strawn EFSEC Manager RR Cowley - WDOH

A-4 RESPONSE TO REQUEST FOR ADD mONAL INFORMATION AND SUPPLEMENT TO THE CYBER SECURITY PLAN FOR COLUMBIA GENERATING STATION.

Pagelof2 - Marked-up Page Showing the Proposed FOL Changes 0. Exemptions from certain requirements of Appendices 0, H and J to 10 CFR Part 50, are.described In the Safety Evaluation Report.

These exemptions are authoriz.ed.by law and will not endanger life or property or the c on deferis6 andisecutity and are otherwise in the public Interest.

Therefore, these e;eAemptions t are hereby granted pursuant

granting of this exemption the facility wi p

sical

-security p' n',t n Ing and

.-t k

1 -

A

,:"in conform ity with the p qualification plan, and safeguards

• and cyber Securltypl 'A. t" n;jh les and eg contingency TE.

hT e

licensee shall fully Implement nd m Intain In effect all provisions of

-the C

.slon-approved physical sec It plan, train ing and qualificatio n plan a

afeguards contingency pla-..

ncluding amendments made pursuant to pr ohs of the Miscellaneous Amen ments and Search Requirements "evi~1intO to0'CR 73.55 (51 rR 27817 and 27822) and to the authority of 10 CFR 50. 0 and 10 CFR 50.54(p).

The Jan,! which contains Safeguards

[nformat to. pi~tk ted under 10 CrR 73.21, Is entitled:

'Columbia GeneratIng ation Physical Security Plan, Training and Qualification Plan, Safeguards C tingency Plan, and Independent Spent Fuel Storage Installation

4an, Revision 3' submitted Nay 18, 2006.

t e o,.

F. DeleteSrieoud.WJ G.

The licensee shall notify the Commission, as soon as ossible but not later than -one hour, of any accident at this facility whic could result In an unplanned release of quantities of fission products n excess of. allowable lmllt't for normal operation established by the Cosid sion.'

pro as io o

?s u h y p n

H.. The ilcensee-shall have and maintain financial pro, ction of such type and In lueh amounts as the Commission shall require In accordancewith Section 170 Wf the Atomic Energy Act of 1954.

as amended, o cover public liability claims.

' The cyb r e cr it l n h

co ntains Securiy -_

F.related information withheld from public disclosure Faider 10 CFR 2.390, Isentitbed: *CyberSec~urty

'Plan for Columbia Generating Station, Revision O'

submitled by letter dated July 22, 2010, and as s u p p l r n e ned b y le t te r d a

_te d

MSrc h 3 1.l 2 0 1o u t Amendment No.

06 at L..:.,;rt r

m

a RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION AND SUPPLEMENT TO THE CYBER SECURITY PLAN FOR COLUMBIA GENERATING STATION Page 2 of 2 - Proposed FOL Changes in Final'Typed Format

D.

Exemptions from certain requirements of Apobndicdg G, H and J to 10 CFR Parf 50, are described in the Safety Evaluation Rped.,These exemptions are authorized by law and will not endangerlife ot'property or the common defanse and security and are otherwise In the public Intoret" Therefore, those exemption.

are hereby granted pursuant, to 10 CFR 50.12.. With the granting-of this exemption the facility will operate, to the extent authorized herein, in coriforr.itg with the applicatIon,.@s amended, the provisions of-theAct, and the rutes.and:regulations of the ACommission.

E. The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security plan, training and qualification plan, safeguards contingency plan, and cyber security plan, including amendments made pursuant to provisions of the Miscellanebus Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54()). The physical security plan, training and qualification plan, and. safeguards contingency plan, which contain.

Safeguards information protected under 10 CFR 73.21, is entitled: VColumbia.

Generating Station Physical Security Plan, Training and Qualification Plan, Safeguards Contingency Plan, and Independent Spent Fuel Storage Installation Plan, Revision 3" submitted May 18, 20o0.

The cyber security plan, which contains security-related information withheld from public disclosure under 10 CFR 2.390, is entitled: "Cyber Security Plan for Columbia Generating Station, Revision 0,' submitted by letter dated July 22, 2010, and as supplemented by letter dated March 31, 2011.

F.

Deleted.

G.' The licensee shall notify the Commission, as soon as possible but not later than one hour, of any accident at this facility which could result in an unplanned release of quantities of fission products in excess of allowable limits for normal operation established by the Commission.

H..H. The licensee shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of.1954, as amended, to cover public liability claims.

Amendment Na. 50, 1708. 183,206

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION AND SUPPLEMENT TO THE CYBER SECURITY PLAN FOR COLUMBIA GENERATING STATION Page 1 of 2 Columbia Generating Station Deviations from NEI 08-09,- Revision 6 NEI 08-09 NEI 08-09 Wording CGS Deviation Location Appendix A,

[Site/Licensee]

Changed to "Energy Northwest Section 1 acknowledges that the acknowledges that the implementation of 1st Paragraph implementation of this this plan does not alleviate responsibility Last Sentence p!an does not alleviate to comply with other NRC regulations."

their responsibility to Deleted the word "their" for grammatical comply with other NRC correctness".

regulations.

Appendix A, A Glossary of terms used This wording has been replaced with the Section 1....

within this Plan and.

actual terms contained within NEI 08-09, 3rd Paragraph Appendices of NEI 08-09, Revision 6, Appendix B. CGS has Revision 6, is contained in elected to incorporate the definitions Appendix B of NEI 08-09, directly into the Cyber Security Plan.

Revision 6.

Appendix A, None.

Added as new paragraph within Section Section 2.1 2:1 'Within the scope of NRC's cyber security rule at Title 10 of the Code of Federal Regulations (10 CFR) 73.54, systems or equipment that perform important to safety functions include structures, systems, and components (SSCs) in the balance of plant (BOP) that could directly or indirectly affect reactivity at a nuclear power plant and could result in an unplanned reactor shutdown or transient. Additionally, these SSCs are under the licensee's control and include electrical distribution equipment out to the first inter-tie with the offsite distribution system."

Appendix A, Refer to NEI 08-09, Changed to "Refer to Section 1.3 for Section 3.1.3-Revision 6, Appendix B, definition of Critical System." Definitions 1st Bullet Glossary for definition of have been incorporated directly.

Critical System.

Appendix A, Refer to NEI 08-09, Changed to "Refer to Section 1.2 for Section 3.1.3 -

Revision 6, Appendix B, definition of Critical Digital Asset."

2 nd Bullet Glossary for definition of Definitions have been incorporated Critical Digital Asset.

directly.

I-~

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION AND SUPPLEMENT TO THE CYBER SECURITY PLAN FOR COLUMBIA GENERATING STATION Page 2 of 2 Columbia Generating Station Deviations from NEI 08-09, Revision 6 NEI 08-09 NEI 08-09 Wording CGS Deviation Location Appendix A, Senior nuclear Changed to 'The Senior Nuclear Section 4.10 management is [Chief Management is defined as the Vice 1st Paragraph Nuclear Officer, Chief President of Nuclear Generation/Chief Last Sentence Nuclear Operations Nuclear Officer, who is accountable for Officer, Vice President of nuclear plant operation and will make all Nuclear Operations, Vice-decisions concerning cyber security President] who is which affect the safe operation of the accountable for nuclear plant."

plant(s) operation.

Appendix A Refer to NEI letter to NRC The 2n, paragraph through the end of the Section 4.13 dated February 28, 2011 section has been re-worded per NEI (ML1015500061).

letter to NRC (ML101550061).

Appendix B, Any event in which there This term has been added as Section 1.4 "Cyber Attack" is reason to believe that in the plan and the wording has been an adversary has changed to read:

committed or caused, or attempted to commit or Any event in which there is reason to cause, or has made a believe that an adversary has committed credible threat to commit or caused, or attempted to commit or or cause malicious cause, or has made a credible threat to exploitation of a SSEP commit or cause malicious exploitation of function.

a CDA.

Reference 1 below concluded that submission of the cyber security plan in accordance with NEI 08-09, Revision 6 with the exception of the definition of "cyber attack" would be acceptable.

Reference 2 provided the above wording as an acceptable definition of "cyber attack" which has been incorporated as Section 1.4 in this plan.

References:

1) NRC Letter dated May 24, 2010, CF Lyon (NRC) to JV Parrish (Energy Northwest), "Columbia Generating Station - License Amendment Request for Approval of the Cyber Security Plan (TAC No. ME2624)"

2) NRC Letter dated June 7, 2010, RP Correia (NRC) to CE Earls (NEI),

"Nuclear Energy Institute 08-09, 'Cyber Security Plan Template, Rev. 6'"