L-18-033, Cyber Security Plan (Revision 1)

Cyber Security Plan (Revision 1)
ML18039A180
Person / Time
Site: Beaver Valley
Issue date: 02/02/2018
From: Bologna R
FirstEnergy Nuclear Operating Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
L-18-033


Text

FENOC
FirstEnergy Nuclear Operating Company

Beaver Valley Power Station, P.O. Box 4, Shippingport, PA 15077

Richard D. Bologna, Site Vice President
724-682-5234
Fax: 724-643-8069

February 2, 2018
L-18-033
10 CFR 50.54(p)(2)

ATTN: Document Control Desk U. S. Nuclear Regulatory Commission Washington, DC 20555-0001

SUBJECT:

Beaver Valley Power Station, Unit Nos. 1 and 2 BV-1 Docket No. 50-334, License No. DPR-66 BV-2 Docket No. 50-412, License No. NPF-73 Beaver Valley Power Station Cyber Security Plan (Revision 1)

This letter forwards Revision 1 of the Beaver Valley Power Station (BVPS) Cyber Security Plan (CSP) which was effective on December 11, 2017. Attachment A provides a summary of the Revision 1 CSP changes. These changes were reviewed and determined not to decrease the effectiveness of the BVPS CSP. Accordingly, this revision is being submitted in accordance with 10 CFR 50.54(p)(2).

The enclosure containing the revision of the BVPS CSP contains security related information and should be withheld from public disclosure under the provisions of 10 CFR 2.390.

There are no regulatory commitments contained in this letter. If there are any questions or if additional information is required, please contact Mr. Michael A. Fox, Manager-Site Protection, at (724) 682-7812.

Sincerely,

Richard D. Bologna

Site Vice President

Attachment:

A. Summary of BVPS CSP Revision 1 Changes

THE ENCLOSURE TO THIS LETTER CONTAINS SECURITY RELATED INFORMATION. WITHHOLD UNDER 10 CFR 2.390. UPON THE REMOVAL OF THE ENCLOSURE TO THIS LETTER, THIS LETTER IS UNCONTROLLED


Enclosure:

BVPS CSP, Revision 1

cc:

NRC Region I Administrator

NRC Senior Resident Inspector (w/o enclosure)

NRR Project Manager (w/o enclosure)

Director BRP/DEP (w/o enclosure)

Site BRP/DEP Representative (w/o enclosure)


ATTACHMENT A
L-18-033
Summary of BVPS CSP Revision 1 Changes

The following summarizes the BVPS Cyber Security Plan (CSP) Revision 1 Changes made effective on December 11, 2017.

A. DESCRIPTION OF THE CHANGE(s):

Note: NEI 08-09 titled "Cyber Security Plan for Nuclear Powered Reactors", Rev 6 contains the template that BVPS used to develop the NRC-approved Rev 0 BVPS Cyber Security Plan (CSP). NEI 08-09, Rev 6, includes Appendices D and E, which contain cyber security controls that need to be evaluated as part of the cyber security plan. Appendices D and E are included by reference into the CSP. NEI subsequently negotiated Addendum 1 to NEI 08-09, Rev 6, which changed both the text of the CSP and some controls contained in Appendices D and E. Addendum 1 included both the changes and a justification. BVPS CSP Rev 1 incorporated the changes made in Addendum 1 of NEI 08-09.

1. Table of Contents 4.10, and title of Section 4.10, were revised from "Evaluate and Manage Cyber Risk" to "Policies and Implementing Procedures" to correct a typo from Revision 0.
2. Throughout the document, the reference to NEI 08-09, Revision 6, was modified by the addition of Addendum 1, to clarify that the changes from Addendum 1 have been incorporated into the CSP, including the changes to Appendices D and E.


3. Section 3, and Section 4.6, have been revised to reflect that cyber attacks are reported to the NRC in accordance with the requirements of 10 CFR 73.77.
4. Section 3.1.5 has been revised to indicate that the tabletop reviews and validation reviews for indirect assets and direct assets may differ, as long as the information provided is sufficient to perform the assessments required by Section 3.1.6.


5. Section 3.1.6 has been revised to explicitly state that the use of NEI 13-10 satisfies the requirements of Section 3.1.6.
6. Section 3.1.6.2 previously limited the use of alternative countermeasures to a control that provides the same or greater cyber security protection, which excludes controls that can provide adequate protection to meet the intent of the control. This revision aligns the evaluation of alternative countermeasures described in Section 3.1.6, to that required by 10 CFR 50.54(p).

In step 3.1.6.2, within the phrase "implementing alternative controls/countermeasures that eliminate threat/attack vectors" changed "eliminate" to "mitigate the consequences of the".

In step 3.1.6.2.b, changed the phrase "provide the same or greater cyber security protection as the corresponding cyber security control" to "mitigate the threat/attack vector the control is intended to protect."

In step 3.1.6.2.c, changed the phrase "that provide at least the same degree of cyber security protection as the corresponding cyber security control" to "determined in section 3.1.6.2.b."

7. Section 4.3 required all security CDAs to be in level 3 or 4. This included security communications equipment (e.g., radios and phones). This was changed to restore the effectiveness of the communication voice and data network capability by allowing for bi-directional communications and establishes that adequate Cyber Security Controls be provided for such digital equipment.
8. Section 4.4.3.1 has been revised to clarify that the reviews discussed in this section are coordinated by the Corporate Cyber Security Program Manager.
9. Section 4.4.3.2 (and Appendix E, Control 12) contains language regarding performance of Vulnerability Scans and the allowance for the use of vulnerability assessments or scans and the applicability to non-networked CDAs. The revised language provides clarity and certainty regarding these concerns.

10. Section 4.11 was revised to move the responsibility to coordinate with the NRC, DHS, DOE, and FBI from the Corporate Cyber Security Program Manager to the Site Cyber Security Program Administrator.


Note: The changes to the appendices noted below are identified within Addendum 1 to NEI 08-09, Revision 6 and have been incorporated throughout the BVPS CSP Revision 1.

11. Appendix D, Control 1.2, Account Management, has two primary purposes:
    1. Manage accounts on a CDA so that only authorized, necessary or appropriate user accounts or account privileges exist on a CDA so as to reduce the possibility of such accounts being misused for malicious purposes, and
    2. Periodically review accounts on CDAs to ensure that only authorized and necessary accounts exist.

    This control does not distinguish between CDAs that use and do not use Central Account Management capabilities. The revised control requires that where a centralized account management system does not exist, accounts will be reviewed any time the CDA is accessed and a potential exists to modify the configuration of an account. The control for creating and protecting audit records is relocated from D1.2 to D2.2.
12. Appendix D, Control 1.7, Unsuccessful Login Attempts, was silent on an alternative control for CDAs that do not support centralized logging. This revision added that guidance.

13. Appendix D, Control 1.8, System Use Notification, did not provide guidance for cases when the application of the System Use Notification could have an adverse impact on performance, safety, or reliability. Including a specific description of an alternative control provides clarity and certainty regarding assessment of this control.

14. Appendix D, Control 1.9, Previous Logon Notification, did not provide guidance for cases when the application of the Previous Logon Notification could have an adverse impact on performance, safety, or reliability. The control is revised to provide specific description of an alternative control for when Previous Logon Notifications are not possible on the CDA.

15. Appendix D, Control 1.14, Automated Labeling, has been deleted.

16. In Appendix D, Control 2.2, Auditable Events, the control for creating and protecting audit records was relocated from D1.2 to D2.2.


17. Appendix D, Control 2.5, Response to Audit Processing Failures, provided actions regarding auditing failures, including shutting down a CDA. The action to shut down a CDA has been replaced with initiation of the processes to determine the appropriate immediate actions. Changes have also been made to this section to avoid adverse impacts of SSEP functions.

18. Appendix D, Control 2.8, Time Stamps, has been revised to allow the use of a Global Positioning System (GPS)-linked time source that is trusted and secure.

19. Appendix D, Control 3.2, Application Partitioning/Security Function Isolation, corresponds to control SC-3 in NIST 800-53. Bullets three through seven, which have been deleted, are not required by NIST 800-53 for high baseline systems such as used in Nuclear Power Plants (NPPs).

20. Appendix D, Control 3.5, Resource Priority, has been deleted.

21. Appendix D, Control 3.18, Thin Nodes, has been deleted.

22. Appendix D, Control 3.20, Heterogeneity, has been deleted.

23. Appendix D, Control 3.21, Fail in Known (Safe) State, has been deleted.

24. Appendix E, Control 5.1, Physical and Operational Environment Protection Policy and Procedures, and Appendix E, Control 5.3, Physical and Environmental Protection, stated the scope is for CDAs outside the protected area. Per NEI 10-04 and CSP section 3.1.3, such support equipment would be classified as a CDA and then security controls would be determined and applied per CSP Section 3.1.6. Security control 5.1 and 5.3 were revised to remove environmental protection language.

25. Appendix E, Control 6, Defense-In-Depth, could have been interpreted as requiring one-way data flow only from Level 4 to Level 3. This revision removes this contradiction and provides clarity and certainty regarding controls for data transfer between security levels.

26. Appendix E, Control 8.5, CDA Backups, in part requires verifying media reliability and information integrity on a monthly basis which is inappropriate to be generically applied to all types of media. This revision provides the ability to determine an interval that is based on the long-term integrity of the particular storage media. Including a more appropriate control description provides clarity and certainty regarding assessment of this control.


OFFICIAL USE ONLY - SECURITY RELATED INFORMATION WITHHOLD IN ACCORDANCE WITH 10 CFR 2.390 Enclosure Cover Sheet L-18-033 BVPS CSP Revision 1.
