JAFP-09-0128, Entergy Nuclear Operations, Inc. - Request for Approval of the James A. FitzPatrick Cyber Security Plan

From kanterella
Jump to navigation Jump to search

Entergy Nuclear Operations, Inc. - Request for Approval of the James A. FitzPatrick Cyber Security Plan
ML093310410
Person / Time
Site: FitzPatrick Constellation icon.png
Issue date: 11/23/2009
From: Peter Dietrich
FitzPatrick, Entergy Nuclear Northeast
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
JAFP-09-0128
Download: ML093310410 (14)
v  d  e


Text

SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR 2.390 Entergy Nuclear Northeast Entergy Nuclear Operations, Inc.

James A. Fitzpatrick NPP SEntergy P.O. Box 110 Pete Dietrich Site Vice President - JAF JAFP-09-0128 November 23, 2009 U.S. Nuclear Regulatory Commission Document Control Desk Washington, D.C. 20555

SUBJECT:

Request for Approval of the James A. FitzPatrick Cyber Security Plan Entergy Nuclear Operations, Inc.

James A. FitzPatrick Nuclear Power Plant Docket No. 50-333 License no. DPR-59

Dear Sir or Madam,

In accordance with the provisions of 10 CFR §50.4 and §50.90 Entergy Nuclear Operations, Inc. is submitting a request for an amendment to the Facility Operating Licenses (FOL) for the James A. FitzPatrick Nuclear Power Plant (JAF). This proposed amendment requests NRC approval of the JAF Cyber Security Plan, provides an implementation schedule, and adds a sentence to the existing FOL Physical Protection license condition to require JAF to fully implement and maintain in effect all provisions of the Commission approved Cyber Security Plan. provides an evaluation of the proposed change. Attachment 2 provides the existing FOL pages marked up to show the proposed change. Attachment 3 provides the proposed FOL changes in final typed format. Attachment 4 provides a copy of the JAF Cyber Security Plan Implementation Schedule with new regulatory commitments. provides the guidance deviations taken by Entergy. Attachment 6 provides a copy of the JAF Cyber Security Plan which is a standalone document that will be incorporated by reference into the JAF Physical Security Plan upon approval. Entergy requests that Attachment 4, 5, and 6, which contains sensitive information, be withheld from public disclosure in accordance with 10 CFR 2.390.

In accordance with 10 CFR 50.91, a copy of this application, with attachments, is being provided to the designated New York State Official.

The commitments made in this submittal are identified in Attachment 4.

If you should have any questions regarding this submittal, please contact Mr. Joseph Pechacek at (315) 349-6766.

This submittal contains Security-Related Information, when separated from Attachments 4, 5, and 6 this submittal is not restricted <ýýF4rý ý

SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR 2.390 JAFP-09-0128 Page 2 of 3 I declare under penalty of perjury that the foregoing is true and correct.

Executed on this 2 3 rd day of November 2009.

Pete Didtric"-

Site Vice President PD:JP:mh Attachments: - Evaluation of Proposed Change - Marked up Facility Operation License Pages - Retyped Facility Operation License Pages - Cyber Security Plan Implementation Schedule/Commitments - Entergy (JAF) Deviations Table to NEI 08-09, Revision 3 - James A. FitzPatrick Cyber Security Plan cc next page.

This submittal contains Security-Related Information, when separated from Attachments 4, 5, and 6 this submittal is not restricted

SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR-2.390 JAFP-09-0128 Page 3 of 3 cc:

Mr. Bhalchandra Vaidya, Project Manager Plant Licensing Branch I-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Mail Stop O-8-C2A Washington, DC 20555-0001 Mr. Samuel Collins Regional Administrator, Region I U.S. Nuclear Regulatory Commission 475 Allendale Road King of Prussia, Pennsylvania 19406-1415 Resident Inspector's Office U.S. Nuclear Regulatory Commission James A. FitzPatrick Nuclear Power Plant P.O. Box 136 Lycoming, New York 13093 Mr. Paul Eddy New York State Department of Public Service 3 Empire Plaza, 1.0 th Floor Albany, New York 12223 Mr. Francis J. Murray, Jr.

President and CEO NYSERDA 17 Columbia Circle Albany, NY 12203-6399 This submittal contains Security-Related Information, when separated from Attachments 4, 5, and 6 this submittal is not restricted

JAFP-09-0128 Attachment 1 Evaluation of Proposed Change (4 Pages)

JAFP-09-0128 Attachment 1 Evaluation of Proposed Change 1.0

SUMMARY

DESCRIPTION The proposed license amendment request (LAR) includes the proposed James A.

FitzPatrick (JAF) Cyber Security Plan (Plan), an Implementation Schedule, and a change to the existing Facility Operating License (FOL) Physical Protection license condition.

2.0 DETAILED DESCRIPTION The proposed license amendment request (LAR) includes three parts: the proposed Plan, an Implementation Schedule, and a change to the existing FOL Physical Protection license condition to require JAF to fully implement and maintain in effect all provisions of the Commission approved cyber security plan as required by 10 CFR §73.54. Federal Register notice issued the final rule that amended 10 CFR Part 73. The regulations in 10 CFR §73.54, "Protection of digital computer and communication systems and networks,"

establish the requirements for a cyber security program. This regulation specifically requires each licensee currently licensed to operate a nuclear power plant under Part 50 of this chapter to submit a cyber security plan that satisfies the requirements of the Rule.

Each submittal must include a proposed implementation schedule and implementation of the licensee's cyber security program must be consistent with the approved schedule.

The background for this application is addressed by the NRC Notice of Availability published on March 27, 2009, 74 FR 13926 (Reference 1).

3.0 TECHNICAL EVALUATION

Federal Register notice 74 FR 13926 issued the final rule that amended 10 CFR Part 73.

Cyber security requirements are codified as new 10 CFR 73.54 and are designed to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the design basis threat established by 10 CFR 73.1(a)(1)(v). These requirements are substantial improvements upon the requirements imposed by EA-02-026 (Reference 2).

This LAR conforms to the model Cyber Security Plan contained in Appendix A of NEI 08-09, "Cyber Security Plan Template", Revision 3, dated September 2009, for use by licensees in development of their own cyber security plans with deviations as identified and justified in Attachment 5. Deviations to Appendices D and E of NEI 08-09, Revision 3 are detailed in Attachment 1 of the JAF Cyber Security Plan.

This LAR includes the proposed Plan (Attachment 6) that conforms to the template provided in NEI 08-09. In addition the LAR includes the proposed change to the existing FOL license condition for "Physical Protection" (Attachments 2 and 3). Finally, the LAR contains the proposed Implementation Schedule. (Attachment 4) as required by 10 CFR 73.54. Attachment 5 explains and justifies deviations from NEI 08-09, Revision 3, Appendix A to reflect later industry and NRC discussions.

4.0 REGULATORY EVALUATION

4.1 APPLICABLE REGULATORY REQUIREMENTS / CRITERIA This LAR is submitted pursuant to 10 CFR 73.54 which requires licensees currently licensed to operate'a nuclear power plant under 10 CFR Part 50 to submit a Cyber Security Plan as specified in 10 CFR 50.4 and 10 CFR 50.90.

4.2 No SIGNIFICANT HAZARDS CONSIDERATION Entergy Nuclear Operations, Inc. (ENO) has evaluated the proposed changes using the Page 1 of 4

JAFP-09-0128 Attachment 1 Evaluation of Proposed Change criteria in 10 CFR 50.92 and has determined that the proposed changes do not involve a significant hazards consideration. An analysis of the issue of no significant hazards consideration is presented below:

1. The proposed change does not involve a significantincrease in the probabilityor consequences of an,accident previously evaluated.

The proposed change is required by § 73.54 and includes three parts. The first part is the submittal of the Plan for NRC review and approval. The Plan conforms to the template provided in NEI 08-09 and provides a description of how the requirements of the Rule will be implemented at JAF. The Plan establishes the licensing basis for the JAF Cyber Security Program for JAF. The Plan establishes how to achieve high assurance that nuclear power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks up to and including the design basis threat:

1. Safety-related and important-to-safety functions,
2. Security functions,
3. Emergency preparedness functions including offsite communications, and
4. Support systems and equipment which if compromised, would adversely impact safety, security, or emergency preparedness functions.

Part one of the proposed change is designed to achieve high assurance that the systems are protected from cyber attacks. The Plan itself does not require any plant modifications.

However, the Plan does describe how plant modifications which involve digital computer systems are reviewed to provide high assurance of adequate protection against cyber attacks, up to and including the design basis threat as defined in the Rule. The proposed change does not alter the plant configuration, require new plant equipment to be installed, alter accident analysis assumptions, add any initiators, or effect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected. The first part of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks and has no impact on the probability or consequences of an accident previously evaluated.

The second part of the proposed change is an Implementation Schedule. The third part adds a sentence to the existing FOL license condition for Physical Protection. Both of these changes are administrative and have no impact on the probability or consequences of an accident previously evaluated.

Therefore, it is concluded that this change does not.involve a significant increase in the probability or consequences of an accident previously evaluated.

2. The proposed change does not create the possibility of a new or different kind of accident from any accidentpreviously evaluated.

The proposed change is required by 10 CFR 73.54 and includes three parts. The first part is the submittal of the Plan for NRC review and approval. The Plan conforms to the template provided by NEI 08-09 and provides a description of how the requirements of the Rule will be implemented at JAF. The Plan establishes the licensing basis for the JAF Cyber Security Program for JAF. The Plan establishes the means to achieve high assurance that nuclear Page 2 of 4

JAFP-09-0128 Attachment 1 Evaluation of Proposed Change power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks up to and including the design basis threat:

1. Safety-related and important-to-safety functions,
2. Security functions,
3. Emergency preparedness functions including offsite communications, and
4. Support systems and equipment which if compromised, would adversely impact safety, security, or emergency preparedness functions.

Part one of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks. The Plan itself does not require any plant modifications. However, the Plan does describe how plant modifications involved digital computer systems are reviewed to provide high assurance of adequate protection against cyber attacks, up to and including the designr basis threat defined in the Rule. The proposed change does not alter the plant configuration, require new plant equipment to be installed, alter accident analysis assumptions, add any initiators, or effect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected. The first part of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks and does not create the possibility of a new or different kind of accident from any previously evaluated.

The second part of the proposed change is an Implementation Schedule. The third part adds a requirement to the existing FOL license condition for Physical Protection. Both of these changes are administrative and do not create the possibility of a new or different kind of accident from any previously evaluated.

Therefore, the proposed change does not create the possibility of a new or different kind of accident from any previously evaluated.

3. The proposed change does not involve a significantreduction in a margin of safety.

The proposed change is required by § 73.54 and includes three parts. The first part is the submittal of the Plan for NRC review and approval. The Plan conforms to the template provided by NEI 08-09 and provides a description of the means the requirements of the Rule will be implemented at JAF. The Plan establishes the licensing basis for the JAF Cyber Security Program for JAF. The Plan establishes how to achieve high assurance that nuclear power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks up to and including the design basis threat:

1. Safety-related and important-to-safety functions,
2. Security functions,
3. Emergency preparedness functions including offsite communications, and
4. Support systems and equipment which if compromised, would adversely impact safety, security, or emergency preparedness functions.

Part one of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks. Plant safety margins are established through Limiting Conditions for Operation, Limiting Safety System Settings and Safety limits specified in the Technical Specifications. Because there is no change to these established Page 3 of 4

JAFP-09-0128 Attachment 1 Evaluation of Proposed Change safety margins, the proposed change does not involve a significant reduction in a margin of safety.

The second part of the proposed change is an Implementation Schedule. The third part adds a requirement to the existing FOL license condition for Physical Protection. Both of these changes are administrative and do not involve a significant reduction in a margin of safety.

Therefore, the proposed change does not involve a significant reduction in a margin of safety.

Based on the above, ENO concludes that the proposed change presents no significant hazards under the standards set forth in 10 CFR 50.92(c), and accordingly, a finding of no significant hazards consideration is justified.

4.3 CONCLUSION

In conclusion, based on the considerations discussed above: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) such activities will be conducted in compliance with the Commission's regulations; and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

5.0 ENVIRONMENTAL CONSIDERATION

The proposed amendment establishes the licensing basis for a Cyber Security Program for JAF that will be incorporated into the Physical Security Plan by reference. This proposed amendment will not involve any significant construction impacts. The proposed amendment meets the eligibility criterion for a categorical exclusion set forth in 10 CFR 51.22(c)(1 2). Therefore, pursuant to 10 CFR 51.22(b), ENO concludes that no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.

6.0 REFERENCES

1. Federal Register Notice, Final Rule 10 CFR Part 73, Power Reactor Security Requirements, published on March 27, 2009, 74 FR 13926.
2. EA-02-026, Order Modifying Licenses, Safeguards and Security Plan Requirements, issued February 25, 2002.

Page 4 of 4

(1 JAFP-09-0128 Attachment 2 Marked up Facility Operation License Pages Page 3 Page 5

(4) ENO pursuant to the Act and 10 CFR Parts 30, 40, and 70 to receive, possess, and use, at any time, any byproduct, source and special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration; or associated with radioactive apparatus, components or tools..

(5) Pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility.

C. This renewed operating license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter I: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level ENO is authorized to operate the facility at steady state reactor core power levels not in excess of 2536 megawatts (thermal).

(2) Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 2-95, are hereby incorporated in the renewed operating license.

The licensee shall operate the facility in accordance with the Technical Specifications.

(3) Fire Protection ENO shall implement and maintain in effect all provisions of the approved fire protections program as described in the Final Safety Analysis Report for the facility and as approved in the SER dated November 20, 1972; the SER Supplement No. 1 dated February 1, 1973; the SER Supplement No. 2 dated October 4, 1974; the SER dated August 1, 1979; the SER Supplement dated October 3, 1980; the SER Supplement dated February 13, 1981; the NRC Letter dated February 24, 1981; Technical Specification Amendments 34 (dated January 31, 1978), 80 (dated May 22, 1984), 134 (dated July 19, 1989), 135 (dated September 5, 1989), 142 (dated October 23, 1989), 164 (dated August 10, 1990), 176 (dated January 16, 1992), 177 (dated February 10, 1992), 186 (dated February 19, 1993), 190 (dated June 29, 1993), 191 (dated July 7, 1993), 206 (dated February 28, 1994) and 214 (dated June 27, 1994); and NRC Exemptions and associated safety evaluations dated April 26, 1983, July 1, 1983, January 11, 1985, April 30, 1986, September 15, 1986 and September 10, 1992 subject to the following provision:

Amendment295

Safeguards Contingency Plan, Revision 0," submitted by letter dated October 26, 2004, as supplemented by letter dated May17, 2006..

Entergy shall fully implement and maintain in effect all provisions of the Commission approved James A. FitzPatrick Cyber Security Plan submitted by letter dated November 23, 2009 and withheld from public disclosure in accordance with 10 CFR 2.390.

E. Power Uprate License Amendment Implementation The licensee shall complete the following actions as a condition of the approval of the power uprate license amendment.

(1) Recirculation Pump Motor Vibration Perform monitoring of recirculation pump motor vibration during initial Cycle 13 power ascension for uprated power conditions.

(2) Startup Test Program The licensee will follow a startup testing program, during Cycle 13 power ascension, as described in GE Licensing Topical Report NEDC-31897P-1, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." The Startup test program includes system testing of such process control systems as the feedwater flow and main steam pressure control systems. The licensee will collect steady-state operational data during various portions of the power ascension to the higher licensed power level so that predicted equipment performance characteristics can be verified. The licensee will do the startup testing program in accordance with its procedures. The licensee's approach is in conformance with the test guidelines of GE Licensing Topical Report NEDC-31897P-1, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." June 1991 (proprietary), GE Licensing Topical Report NEDO-31897, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." February 1992 (nonproprietary), and NEDC-31897P-AA, Class III (proprietary), May1992.

(3) Human Factors The licensee will review the results of the Cycle 13 startup test program to determine any potential effects on operator training. Training issues identified will be incorporated in Licensed Operator training during 1997. Simulator discrepancies identified will be addressed in accordance with simulator Configuration Management procedural requirements.

F. Additional Conditions The Additional Conditions contained in Appendix C, as revised through Amendment No.

289, are herby incorporated into this renewed operating license. ENO shall operate the facility in accordance with the Additional Conditions.

Renewcd License No. DPR 59 Amendment

JAFP-09-0128 Attachment 3 Retyped Facility Operation License Pages Page 3 Page 5

(4) ENO pursuant to the Act and 10 CFR Parts 30, 40, and 70 to receive, possess, and use, at any time, any byproduct, source and special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration; or associated with radioactive apparatus, components or tools..

(5) Pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility.

C. This renewed operating license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter I: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level ENO is authorized to operate the facility at steady state reactor core power levels not in excess of 2536 megawatts (thermal).

(2) Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. , are hereby incorporated in the renewed operating license. The licensee shall operate the facility in accordance with the Technical Specifications.

(3) Fire Protection ENO shall implement and maintain in effect all provisions of the approved fire protections program as described in the Final Safety Analysis Report for the facility and as approved in the SER dated November 20, 1972; the SER Supplement No. 1 dated February 1, 1973; the SER Supplement No. 2 dated October 4, 1974; the SER dated August 1, 1979; the SER Supplement dated October 3, 1980; the SER Supplement dated February 13, 1981; the NRC Letter dated February 24, 1981; Technical Specification Amendments 34 (dated January 31, 1978), 80 (dated May 22, 1984), 134 (dated July 19, 1989), 135 (dated September 5, 1989), 142 (dated October 23, 1989), 164 (dated August 10, 1990), 176 (dated January 16, 1992), 177 (dated February 10, 1992), 186 (dated February 19, 1993), 190 (dated June 29, 1993), 191 (dated July 7, 1993), 206 (dated February 28, 1994) and 214 (dated June 27, 1994); and NRC Exemptions and associated safety evaluations dated April 26, 1983, July 1, 1983, January 11, 1985, April 30, 1986, September 15, 1986 and September 10, 1992 subject to the following provision:

Amendment

Safeguards Contingency Plan, Revision 0," submitted by letter dated October 26, 2004, as supplemented by letter dated May17, 2006..

Entergy shall fully implement and maintain in effect all provisions of the Commission approved James A. FitzPatrick Cyber Security Plan submitted by letter dated November 23, 2009 and withheld from public disclosure in accordance with 10 CFR 2.390.

E. Power Uprate License Amendment Implementation The licensee shall complete the following actions as a condition of the approval of the power uprate license amendment.

(1) Recirculation Pump Motor Vibration Perform monitoring of recirculation pump motor vibration during initial Cycle 13 power ascension for uprated power conditions.

(2) Startup Test Program The licensee will follow a startup testing program, during Cycle 13 power ascension, as described in GE Licensing Topical Report NEDC-31897P-1,, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." The Startup test program includes system testing of such process control systems as the feedwater flow and main steam pressure control systems. The licensee will collect steady-state operational data during various portions of the power ascension to the higher licensed power level so that predicted equipment performance characteristics can be verified. The licensee will do the startup testing program in accordance with its procedures. The licensee's approach is in conformance with the test guidelines of GE Licensing Topical Report NEDC-31897P-1, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." June 1991 (proprietary), GE Licensing Topical Report NEDO-31897, "Generic Guidelines for General Electric Boiling Water Reactor Power Uprate." February 1992 (nonproprietary), and NEDC-31897P-AA, Class III (proprietary), May1992.

(3) Human Factors The licensee will review the results of the Cycle 13 startup test program to determine any potential effects on operator training. Training issues identified will be incorporated in Licensed Operator training during 1997. Simulator discrepancies identified will be addressed in accordance with simulator Configuration Management procedural requirements.

F. Additional Conditions The Additional Conditions contained in Appendix C, as revised through Amendment No.

289, are herby incorporated into this renewed operating license. ENO shall operate the facility in accordance with the Additional Conditions.

Amendment

Retrieved from "https://kanterella.com/w/index.php?title=JAFP-09-0128,_Entergy_Nuclear_Operations,_Inc._-_Request_for_Approval_of_the_James_A._FitzPatrick_Cyber_Security_Plan&oldid=2139337"