Text

Cyber Security Inspection Report 05000336/2022403 and 05000423/2022403
	ML23005A148
Person / Time
Site:	Millstone
Issue date:	01/05/2023
From:	Glenn Dentel; Division of Operating Reactors
To:	Stoddard D; Dominion Energy
References
	IR 2022403
	Download: ML23005A148 (1)
	v • d • e

January 5, 2023

SUBJECT:

MILLSTONE POWER STATION, UNITS 2 AND 3 - CYBER SECURITY INSPECTION REPORT 05000336/2022403 AND 05000423/2022403

Dear Daniel Stoddard:

On December 9, 2022, the U.S. Nuclear Regulatory Commission (NRC) completed an inspection at Millstone Power Station, Units 2 and 3 and discussed the results of this inspection with William Bessette, Acting Plant Manager and other members of your staff. The results of this inspection are documented in the enclosed report.

No findings or violations of more than minor significance were identified during this inspection.

This letter, its enclosure, and your response (if any) will be made available for public inspection and copying at http://www.nrc.gov/reading-rm/adams.html and at the NRC Public Document Room in accordance with Title 10 of the Code of Federal Regulations 2.390, Public Inspections, Exemptions, Requests for Withholding.

Sincerely, Glenn T. Dentel, Chief Engineering Branch 2 Division of Operating Reactor Safety

Docket Nos. 05000336 and 05000423 License Nos. DPR-65 and NPF-49

Enclosure:

As stated

Inspection Report

Docket Numbers:

05000336 and 05000423

License Numbers:

DPR-65 and NPF-49

Report Numbers:

05000336/2022403 and 05000423/2022403

Enterprise Identifier: I-2022-403-0031

Licensee:

Dominion Energy Nuclear Connecticut, Inc.

Facility:

Millstone Power Station, Units 2 and 3

Location:

P.O. Box 128, Waterford, CT 06385

Inspection Dates:

December 5, 2022 to December 9, 2022

Inspectors:

C. Hobbs, Reactor Inspector, Team Leader

L. Manning, Information Systems Security Analyst

M. Patel, Senior Reactor Inspector

C. Priester, Cyber Security Contractor

Observers:

K. Lawson-Jenkins, IT Specialist (NSIR/CSB)

J. Rady, Senior Reactor Inspector

Approved By:

Glenn T. Dentel, Chief

Engineering Branch 2

Division of Operating Reactor Safety

SUMMARY

The U.S. Nuclear Regulatory Commission (NRC) continued monitoring the licensees performance by conducting a cyber security inspection at Millstone Power Station, Units 2 and 3, in accordance with the Reactor Oversight Process. The Reactor Oversight Process is the NRCs program for overseeing the safe operation of commercial nuclear power reactors. Refer to https://www.nrc.gov/reactors/operating/oversight.html for more information.

List of Findings and Violations

No findings or violations of more than minor significance were identified.

Additional Tracking Items

None.

INSPECTION SCOPES

Inspections were conducted using the appropriate portions of the inspection procedures (IPs) in effect at the beginning of the inspection unless otherwise noted. Currently approved IPs with their attached revision histories are located on the public website at http://www.nrc.gov/reading-rm/doc-collections/insp-manual/inspection-procedure/index.html. Samples were declared complete when the IP requirements most appropriate to the inspection activity were met consistent with Inspection Manual Chapter (IMC) 2201, Security Inspection Program for Commercial Nuclear Power Reactors. The inspectors reviewed selected procedures and records, observed activities, and interviewed personnel to assess licensee performance and compliance with Commission rules and regulations, license conditions, site procedures, and standards.

SAFEGUARDS

71130.10 - Cybersecurity

Cybersecurity (1 Sample)

(1) The inspectors reviewed implementation of Millstone's Cyber Security Plan and focused on evaluating changes to the program, critical systems, and critical digital assets. The following IP sections were completed and constitute completion of one sample:

03.01, Review Ongoing Monitoring and Assessment Activities

03.02, Verify Defense-in-Depth Protective Strategies

03.03, Review of Configuration Management Change Control

03.04, Review of Cyber Security Program

03.05, Evaluation of Corrective Actions

In addition to the systems and programs that have been added or modified since the last cyber security inspection, the following systems were selected for inspection:

System 2721, Plant Security System - Common (Security)

System 2415, Inadequate Core Cooling System (ICCS) - Unit 2 (Safety Related)

System 3346C, Station Blackout Diesel (SBO) - Unit 3 (Important to Safety)

System 3410A, Saturation Monitoring (Incore Thermocouples) - Unit 3 (Safety Related)

INSPECTION RESULTS

No findings were identified.

EXIT MEETINGS AND DEBRIEFS

The inspectors verified no proprietary information was retained or documented in this report.

On December 9, 2022, the inspectors presented the cyber security inspection results to William Bessette, Acting Plant Manager and other members of the licensee staff.

DOCUMENTS REVIEWED

Inspection

Procedure

Type

Designation

Description or Title

Revision or

Date

71130.10

Corrective Action

Documents

CR 1210808

Unable to Perform Cyber Security Procedure as Written

10/20/2022

CR 1211802

Cyber Security - Data Diode Baseline Configuration not

Transmitted to Records

11/02/2022

CR 1212344

Cyber Security - Counterfeit or Fraudulent Cisco Equipment

11/08/2022

CR 1212376

Cyber Security - WOs Needed to walkdown CDAs and

Update Gaps in Vulnerability Assessment Tool

11/08/2022

CR 1213003

Cyber Security - CSIRT Activation

11/15/2022

Corrective Action

Documents

Resulting from

Inspection

CR 1214247

Cyber Security - SBO Computer Panel Lock Configuration

Not Maintained

2/01/2022

CR 1214551

Cyber Security Inspection - Inaccuracy in MP-REPORT-

SCA-MP2-2415-Terminal Server

2/05/2022

CR 1214639

Cyber Security Inspection - Warehouse Pallet X-Ray

Observation

2/06/2022

CR 1214642

Cyber Security Inspection - Cyber Security Kiosk NRC

Observation

2/06/2022

CR 1214671

Cyber Security Inspection - SBO Diesel Keys

2/07/2022

CR 1214748

Cyber Security Inspection - CSIRT Drill Observation

2/07/2022

CR 1214833

NRC Identified: Key Issue Not Documented in Key Issue Log 12/08/2022

CR 1214854

Cyber Security Inspection - Password Changes for

Personnel Transfers, NRC Observation

2/08/2022

CR 1214856

Cyber Security Inspection - Alternate Periodicities for Cyber

Security Controls, NRC Observation

2/08/2022

CR 1214909

Cyber Security Inspection - NRC Observation for SCM /

Cyber Procedure Improvements

2/09/2022

Engineering

Changes

PDCR 89-015

Millstone Unit 3, System No. 3410A, Inadequate Core

Cooling System (ICCS) - Software Modification for Broadcast

Mode

Revision 0

Engineering

Evaluations

MP-REPORT-

CBF-MP3-3410-

ICCMS

Cyber Security Controls Assessment - MP3 ICCMS / RVLMS

08/24/2017

MP-REPORT-

SCA-MP2-2415-

Cyber Security Controls Assessment - MP2 Inadequate Core

Colling Monitoring System Terminal Server

11/03/2017

Inspection

Procedure

Type

Designation

Description or Title

Revision or

Date

Terminal Server

MP-REPORT-

SCA-MP3-3346C-

Computer-HSI

Cyber Security Controls Assessment - MP3 SBO Diesel HSI

computer

07/24/2019

MP-REPORT-

SCA-MP3-3346C-

Controller-PLC

Cyber Security Controls Assessment - MP3 SBO Diesel

Control Logix PLC

10/20/2017

MP-REPORT-

SCA-MP3-3410-

Computer

Cyber Security Controls Assessment - MP3 ICCMS / RVLIS

09/26/2018

MP-REPORT-

SCA-MPS-2721-

IDS-XFIELD

Cyber Security Controls Assessment - Millstone Security

Computer X-Field Processor

07/22/2020

MP-REPORT-

SCA-MPS-2721-

ISS-SWITCH

Cyber Security Controls Assessment - Millstone Intake

Structure Security Network ISS Switch

07/15/2021

Miscellaneous

Lesson Plan

ICC017C

MP3 Operator Training - Inadequate Core Cooling Monitor /

Reactor Vessel Level Monitoring System

Revision 4

Procedures

CM-AA-CYB-10

Cyber Security Program

Revision 3

ER-AA-102

Preventive Maintenance Program

Revision 16

IT-AA-CYB-101

Cyber Security Configuration Control

Revision 5

IT-AA-CYB-102

Nuclear Cyber Security Incident Response and Recovery

Revision 6

IT-AA-CYB-103

Cyber Security Critical Digital Asset Identification

Revision 8

IT-AA-CYB-106

Control and Protection of Portable Media Devices

Revision 9

IT-AA-CYB-108

Cyber Security Controls Analysis

Revision 8

IT-AA-CYB-113

Cyber Security Identification and Authentication

Revision 4

IT-AA-CYB-118

Cyber Security Systems and Services Acquisition

Revision 2

IT-AA-CYB-121

Cyber Security Risk Assessment and Patch Management

Revision 2

IT-AA-CYB-125

Cyber Security Incident Response Drill

Revision 1

MP-14-OPS-

FAP400.KEY

Operations Key Control

Revision 1

MS-AA-CYB-201

SCM Generation Cyber Security

Revision 1

OP 3353.MB4C

Millstone Unit 3 - Main Board 4C Annunciator Response

Revision 25

SY-AA-120-XRAY X-Ray Search and Screening

Revision 12

Inspection

Procedure

Type

Designation

Description or Title

Revision or

Date

Work Orders

203256609

06/17/2021

203314812

01/03/2022

203320322

03/02/2022

203337632

06/30/2022

203358452

11/26/2022

IR 05000336/2022403

Text

SUBJECT:

Dear Daniel Stoddard:

Enclosure:

Inspection Report

SUMMARY

List of Findings and Violations

Additional Tracking Items

INSPECTION SCOPES

SAFEGUARDS

71130.10 - Cybersecurity

Cybersecurity (1 Sample)

INSPECTION RESULTS

EXIT MEETINGS AND DEBRIEFS

DOCUMENTS REVIEWED

Navigation menu

v t e Inspection Report - Millstone - 2022403 (Security)
80 \| 81 \| 82 \| 83 \| 84 \| 85 \| 86 \| 87 \| 88 \| 89 \| 90 \| 91 \| 92 \| 93 \| 94 \| 95 \| 96 \| 97 \| 98 \| 99 00 \| 01 \| 02 \| 03 \| 04 \| 05 \| 06 \| 07 \| 08 \| 09 \| 10 \| 11 \| 12 \| 13 \| 14 \| 15 \| 16 \| 17 \| 18 \| 19 \| 20 \| 21 \| 22 \| 23 \| 24 \| 25 \| 26 \|
2022 Quarterly Integrated 1Q (0) 2Q (0) 3Q (0) 4Q (0) Assessments Mid Cycle End of Cycle 10(0) 11(0) Security 401(0) 402(0) 403(0) Operator Exams 301(0) 302(0) Emergency Planning 501(0) Other