LIC-11-0036, (Fcs), Unit No.1, FCS / OPPD Cyber Security Plan, License Amendment Request (Revised)

From kanterella
Jump to navigation Jump to search

(Fcs), Unit No.1, FCS / OPPD Cyber Security Plan, License Amendment Request (Revised)
ML111010107
Person / Time
Site: Fort Calhoun Omaha Public Power District icon.png
Issue date: 04/08/2011
From: Reinhart J
Omaha Public Power District
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
LIC-11-0036, TAC ME4380
Download: ML111010107 (37)
v  d  e


Text

-~

DjjjjD lJmIJttB Public PtJwsr OiBlrlct 444 South 16th Street Mall Omaha, NE 68102-2247 LIC-11-0036 April 8, 2011 U.S. Nuclear Regulatory Commission Attn: Document Control Desk Washington, DC 20555-0001

REFERENCES:

1. Docket No. 50-285
2. Letter from OPPD (J. A Reinhart) to NRC (Document Control Desk), "Fort Calhoun Station, Unit No.1, License Amendment Request (LAR), Request for Approval of the FCS/OPPD Cyber Security Plan," dated July 26,2010 (LlC-10-0055) (ML102080452)

(TAC No. ME4380)

3. Letter from OPPD (J. A Reinhart) to NRC (Document Control Desk), "Fort Calhoun Station (FCS), Unit No.1, "Supplement to FCS I OPPD Cyber Security Plan License Amendment Request (LAR)

Regarding Balance of Plant Systems within the Scope of the Program," dated November 30, 2010 (LlC-10-0101) (ML102080452) (TAC No. ME4380)

4. Letter from OPPD (J. B. Herman) to NRC (Document Control Desk), "Response* to NRC Generic Request for Additional Information (RAI)," dated March 31,2011 (LlC-11-0033)

SUBJECT:

Fort Calhoun Station (FCS), Unit No.1, FCS I OPPD Cyber Security Plan, License Amendment Request (REVISED)

In Reference 4, the Omaha Public Power District (OPPD) committed to revise and resubmit the FCS I OPPD Cyber Security Plan (Le., the Plan) and Implementation Schedule due to generic issues identified by the NRC. Accordingly, the revised Plan and Implementation Schedule are enclosed. The license condition submitted by the supplement (Reference 3) to the initial LAR (Reference 2) has also been revised and is attached. The evaluation of the proposed change submitted with Reference 2 is unaffected by this submittal and remains fully applicable.

Per the commitment of Reference 4, the following changes were made:

Employment with Equal Opportunity

U. S. Nuclear Regulatory Commission LlC-11-0036 Page 2

1. Section 4.13, Document Control And Records Retention And Handling, of the Plan is clarified to elaborate on the 10 CFR 73.54(h) requirement to retain records and supporting technical documentation until the Commission terminates the license (or to maintain superseded portions of these records for at least 3 years).
2. Section 2.1, Purpose and Scope, of the Plan is revised to be consistent with the latest NRC guidance (Adams Accession No. Ml1 03550480) regarding the inclusion of structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety.
3. The Implementation Schedule (IS) has been revised to identify the appropriate milestones and completion dates with supporting rationale. The level of detail is sufficient to allow the NRC to evaluate OPPD's proposed schedule, associated milestone dates, and the final completion date.

Please note that the final date for completing implementation of the Plan has been extended from December 31, 2014, to December 31, 2015, to complete development of the operational and management (O&M) security controls required by NEI-08-09, Revision 6. The additional time is required because of the extensive workload associated with full implementation of the Plan. The interim milestone dates are unchanged, which ensures the protection of critical digital assets during the additional time necessary to complete implementation of the O&M security controls. provides the revised Facility Operating License (FOl) page marked up to show the proposed change. Attachment 2 provides the FOl page in final typed format. provides the revised FCS / OPPD Cyber Security Plan, which is a standalone document that will be incorporated by reference into the FCS / OPPD Security Plan upon approval. For review purposes, a bar in the right margin denotes the location of text revised as described above. Please note that the bar will be removed when the Plan is issued following NRC approval. The Implementation Schedule was revised in its entirety and therefore does not include revision bars. provides the revised FCS / OPPD Cyber Security Plan Implementation Schedule.

The FOl pages, FCS / OPPD Cyber Security Plan, and Implementation Schedule provided with this submittal supersede those provided by References 2 and 3.

In accordance with 10 CFR 50.91, a copy of this application, with attachments, is being provided to the designated State of Nebraska Official.

1\10 commitments to the NRC are made in this submittal.

U. S. Nuclear Regulatory Commission LlC-11-0036 Page 3 Implementation of the approved amendment will be as described in Reference 2.

I declare under penalty of perjury that the foregoing is true and correct. Executed on April 8, 2011.

If you should have any questions regarding this submittal, please contact' Mr. Bill Hansh at 402-533-6894.

ffrey A. Reinhart Site Vice President JAR/CJS/mle - Proposed Renewed Facility Operating License Change (Mark-Up) - Proposed Renewed Facility Operating License Change (Re-Typed) - FCS I OPPD Cyber Security Plan - FCS I OPPD Cyber Security Plan Implementation Schedule cc: E. E. Collins, Jr., NRC Regional Administrator, Region IV L. E. Wilkins, NRC Project Manager J. C. Kirkland, NRC Senior Resident Inspector Manager Radiation Control Program, Nebraska Health & Human Services, R & L Public Health Assurance, State of Nebraska

L1C*11-0036 Proposed Renewed Facility Operating License Change (Mark*Up)1 1 Deleted text shown in strikeeut; added text in underline.

-3 (4) Pursuant to the Act and 10 CFR Parts 30, 40 and 70, to receive, possess, and use in amounts as required any byproduct, source, or special nuclear material without restriction to chemical or physical form for sample analysis or instrument calibration or when associated with radioactive apparatus or components; (5) Pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by operation of the facility.

3. This renewed license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter 1: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Section 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

A. Maximum Power Level Omaha Public Power District is authorized to operate the Fort Calhoun Station, Unit 1, at steady state reactor core power levels not in excess of 1500 megawatts thermal (rate power).

B. Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 29&, are hereby incorporated in the license. Omaha Public Power District shall operate the facility in accordance with the Technical Specifications.

C. Security and Safeguards Contingency Plans ill The Omaha Public Power District shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plans, which contain Safeguards Information protected under 10 CFR 73.21, are entitled: "Fort Calhoun Station Security Plan, Training and Qualification Plan, Safeguards Contingency Plan," submitted by letter dated May 19, 2006.

{gl The Omaha Public Power District shall fully implement and maintain in effect all provisions of the Commission-approved Cyber Security Plan submitted by letter dated July 26,2010. as supplemented by letters dated November 30.2010. and April 8. 2011.

Renewed Operating License No. DPR-40 Amendment No. 29&

LlC-ii-0036 Proposed Renewed Facility Operating License Change (Re-Typed)

-3 (4) Pursuant to the Act and 10 CFR Parts 30, 40 and 70, to receive, possess, and use in amounts as required any byproduct, source, or special nuclear material without restriction to chemical or physical form for sample analysis or instrument calibration or when associated with radioactive apparatus or components; (5) Pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by operation of the facility.

3. This renewed license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter 1: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Section 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

A. Maximum Power Level Omaha Public Power District is authorized to operate the Fort Calhoun Station, Unit 1, at steady state reactor core power levels not in excess of 1500 megawatts thermal (rate power).

B. Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 29&, are hereby incorporated in the license. Omaha Public Power District shall operate the facility in accordance with the Technical Specifications.

C. Security and Safeguards Contingency Plans (1) The Omaha Public Power District shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR SO.54(p). The plans, which contain Safeguards Information protected under 10 CFR 73.21, are entitled: "Fort Calhoun Station Security Plan, Training and Qualification Plan, Safeguards Contingency Plan," submitted by letter dated May 19, 2006.

(2) The Omaha Public Power District shall fully implement and maintain in effect all provisions of the Commission-approved Cyber Security Plan submitted by letter dated July 26, 2010, as supplemented by letters dated November 30, 2010, and April 8, 2011.

Renewed Operating License No. DPR-40 Amendment No. 29&

LlC-11-0036 FCS I OPPD Cyber Security Plan

FORT CALHOUN STATION /

OMAHA PUBLIC POWER DISTRICT CYBER SECURITY PLAN

FORT CALHOUN STATION (FCS) I OMAHA PUBLIC POWER DISTRICT (OPPD)

CYBER SECURITY PLAN 1 INTRODUCTION The purpose of this Cyber Security Plan (Plan) is to provide a description of how the requirements of 10 CFR 73.54, "Protection of digital computer and communication systems and networks" (Rule) are implemented at Fort Calhoun Station (FCS). The intent of this Plan is to protect the health and safety of the public from radiological sabotage as a result of a cyber attack as described in 10 CFR 73.1. 10 CFR 50.34(c),

"Physical Security Plan," requires the inclusion of a physical security plan. Omaha Public Power District (OPPD) acknowledges that the implementation of this plan does not alleviate their responsibility to comply with other NRC regulations.

Further, 10 CFR 50.34(c)(2) states in part that "Each applicant for an operating license for a utilization facility that will be subject to the requirements of 10 CFR 73.55 of this chapter must include a cyber security plan in accordance with the criteria set forth in 10 CFR 73.54 of this chapter." This Cyber Security Plan establishes the licensing basis for the Cyber Security Program (Program) for FCS.

A Glossary of terms 1 used within this Plan and Appendices of NEI 08-09, Revision 6, is contained in Appendix B of t\IEI 08-09, Revision 6.

2 CYBER SECURITY PLAN 2.1 SCOPE AND PURPOSE This Plan establishes a means to achieve high assurance that digital computer and communication systems and networks associated with the following functions (hereafter designated as Critical Digital Assets (CDAs)) are adequately protected against cyber attacks up to and including the Design Basis Threat (DBT) as described in 10 CFR 73.1 :

1. Safety-related and important-to safety functions;
2. Security functions;
3. Emergency preparedness functions including offsite communications; and
4. Support systems and equipment which if compromised, would adversely impact safety, security, or emergency preparedness functions.

The safety-related and important-to safety functions, security functions, and emergency preparedness functions including off site communications are herein referred to as SSEP functions.

1 The definition of cyber attack was subsequently revised in a letter from NEI (C. E. Earls) to the NRC (R.

P. Correia), dated June 2, 2010. (ML101550061)

FCS / OPPD CYBER SECURITY PLAN Within the scope of NRC's cyber security rule at Title 10 of the Code of Federal Regulations (10 CFR) 73.54, systems or equipment that perform important to safety functions include structures, systems, and components (SSCs) in the balance of plant (BOP) that could directly or indirectly affect reactivity at a nuclear power plant and could result in an unplanned reactor shutdown or transient. Additionally, these SSCs are under the licensee's control and include electrical distribution equipment out to the first inter-tie with the offsite distribution system.

High assurance of adequate protection of systems associated with the above functions from cyber attacks is achieved by:

1. Implementing and documenting the "baseline" cyber security controls described in Section 3.1.6 of this Plan; and
2. Implementing and documenting a cyber security program to maintain the established cyber security controls through a comprehensive life cycle approach as described in Section 4 of this Plan.

2.2 PERFORMANCE REQUIREMENTS 10 CFR 73.55(a)(1) requires that licensees implement the requirements of this section through its Commission-approved Physical Security Plan, Training and Qualification Plan, Safeguards Contingency Plans, and Cyber Security Plan, referred to collectively as "security plans."

As required by 10 CFR 73.54(b)(3), cyber security is a component of the physical protection program. As such, this Plan establishes how digital computer and communication systems and networks within the scope of 10 CFR 73.54 are adequately protected from cyber attacks up to and including the DBT characteristics described in RG 5.69, "Guidance for the Application of the Radiological Sabotage Design Basis Threat in the Design, Development and Implementation of a Physical Security Program that Meets 10 CFR 73.55 Requirements." (Safeguards Information (SG/))

Performance based requirements demonstrated in this Plan are designed to:

2.2.1 Evaluate modifications to CDAs prior to implementation to achieve high assurance that digital computer and communications systems and networks are adequately protected against cyber attacks, up to and including the DBT. (10 CFR 73.54(a)(1) and 10 CFR 73.54(d)(3))

2.2.2 Prevent adverse impact to SSEP functions resulting from cyber attacks, that would adversely impact the integrity or confidentiality of data and/or software, deny access to systems, services, and/or data, and adversely impact the operation of systems, networks, and associated equipment to protect against the DBT. (10 CFR 73.54(a)(2) and 10 CFR 73.55(b)(2))

2.2.3 Analyze digital computer and communications systems and networks and identify those assets that must be protected against cyber attack to preserve the intended function of plant systems, structures, and components within the scope of the Rule and account for these 2

FCS / OPPD CYBER SECURITY PLAN conditions in the design of the Program. (10 CFR 73.54(b)(1) and 10 CFR 73.55(b)(4))

2.2.4 Establish, implement and maintain the Program in accordance with 10 CFR 73.54. (10 CFR 73.54(b)(2) and 10 CFR 73.55(b)(8))

2.2.5 Incorporate the cyber security program as a component of the physical protection program. (10 CFR 73.54(b)(3) and 10 CFR 73.55(b)(8))

2.2.6 Implement security controls to protect the identified assets from cyber attacks. (10 CFR 73.54(c)(1 ))

2.2.7 Provide defense-in-depth through the integration of systems, technologies, programs, equipment, supporting processes, and implementing procedures as needed to ensure effectiveness of the Program. (10 CFR 73.54{c)(2) and 10 CFR 73.55(b)(3){ii))

2.2.8 Maintain the capability to mitigate the adverse consequences of cyber attacks. (10 CFR 73.54(c)(3) and 10 CFR 73.54(e)(2)(ii))

2.2.9 Ensure that the functions of identified protected assets are not adversely impacted due to cyber attacks. (10 CFR 73.54(c)(4))

2.2.10 Ensure that appropriate facility personnel, including contractors, are aware of cyber security requirements and receive the training necessary to perform their assigned duties and responsibilities. (10 CFR 73.54(d)(1 ))

2.2.11 Use the site corrective action program to: 1) track, trend, correct, and prevent recurrence of cyber security failures and deficiencies, and 2) evaluate and manage cyber risks. (10 CFR 73.54(d)(2) and 10 CFR 73.55(b)(10))

2.2.12 Describe how the cyber security program requirements will be implemented; accounting for the site-specific conditions that affect implementation. (10 CFR 73.54(e)(1))

2.2.13 Ensure that the Program maintains the capability to detect, respond to, and recover from cyber attacks up to and including the design basis threat of radiological sabotage as stated in 10 CFR 73.1 at all times. (10 CFR 73.54(e)(2)(i), 10 CFR 73.54(e)(2)(iv) and 10 CFR 73.55{b)(2))

2.2.14 Maintain the capability to correct exploited vulnerabilities. (10 CFR73.54( e)(2)(iii))

2.2.15 Demonstrate the ability to meet Commission requirements through implementation of the Program in licensee policies and procedures which are available upon the request of an authorized representative of the Commission. (10 CFR 73.54(f) and 10 CFR 73.55(b)(5))

2.2.16 Review the cyber security program as a component of the physical security program, including the periodicity requirements. (10 CFR 73.54(g) and 10 CFR 73.55(m))

2.2.17 Describe how all records and supporting technical documentation are retained. (10 CFR 73.54(h))

3

FCS / OPPD CYBER SECURITY PLAN 2.2.18 Coordinate implementation of this Plan and associated procedures with other FCS procedures to preclude conflict during both normal and emergency conditions. (10 CFR 73.55(b)(11))

3 ANALYZING DIGITAL COMPUTER SYSTEMS AND NETWORKS The Cyber Security Program is established, implemented and maintained in accordance with 10 CFR 73.54(b)(2) and 10 CFR 73.55(b)(8) to protect those systems required by 10 CFR 73.54(a)(1 )(i-iv) from cyber attacks that would: adversely impact the integrity or confidentiality of data and/or software; deny access to systems, services and/or data; or adversely impact the operation of systems, networks, and associated equipment. This Cyber Security Program complies with 10 CFR 73.54 by implementing cyber security controls, defensive strategies, and attack mitigation methods that meet the Rule.

The cyber security controls described in Appendices D and E of NEI 08-09, Revision 6, are implemented in accordance with Section 3.1.6 of this Plan. Documentation of the cyber security controls in place for CDAs are not submitted with this Plan but are available on site for inspection by the NRC. Cyber security program changes that are determined to decrease the effectiveness of this Plan are submitted to the NRC for approval as required by 10 CFR 50.90. Revisions to this Plan are processed in accordance with procedures that implement the requirements of 10 CFR 50.54(p).

Cyber attacks at FCS are reported to the NRC in accordance with the requirements of 10 CFR 73, Appendix G.

3.1 ANALYZING DIGITAL COMPUTER SYSTEMS AND NETWORKS AND ApPLYING CYBER SECURITY CONTROLS In accordance with 10 CFR 73.54(b)(1), the Cyber Security Program is established, implemented, and is maintained to:

  • Analyze digital computer and communications systems and networks, and

In accordance with 10 CFR 73.54(c)(1), cyber security controls are implemented to protect the assets identified by 10 CFR 73.54(b)(1) from cyber attacks. The cyber security controls provided in Appendices D and E of NEI 08-09, Revision 6 are used as the basis for protecting the identified CDAs.

Cyber security risks are evaluated, managed, and mitigated to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the DBT. The cyber security controls provided in Appendices D and E of NEI 08-09, Revision 6 are the technical, operational, and management countermeasures available to protect the availability, integrity, and confidentiality of CDAs. The cyber security controls in Appendices D and E of NEI 08-09, Revision 6 are implemented using the methodology in Sections 3.1.1 through 3.1.6 below. In so doing, high assurance of adequate protection of CDAs 4

FCS / OPPD CYBER SECURITY PLAN associated with SSEP functions from cyber attacks defined by 10 CFR 73.1 and RG 5.69 is ensured.

3.1.1 Cyber Security Assessment and Authorization OPPD develops, disseminates, periodically reviews in accordance with 10 CFR 73.55(m), and updates:

  • A formal, documented, cyber security assessment and authorization policy and/or procedure that defines and addresses: the purpose, scope, roles, responsibilities, management commitment, and coordination among departments; and the implementation of the cyber security controls in Appendices 0 and E of NEI 08-09, Revision 6.
  • A formal, documented procedure to facilitate the implementation of the cyber security assessment.

3.1.2 Cyber Security Assessment Team A Cyber Security Assessment Team (CSAT) is formed consisting of individuals with broad knowledge in the following areas:

  • Information and digital system technology - This includes cyber security, software development, offsite communications, computer system administration, computer engineering and computer networking. Knowledge of the digital systems involved in plant operations, including digital instrumentation and control systems, and those involved in plant information systems, is included. Plant operational systems include programmable logic controllers, control systems, and distributed control systems. Information systems include computer systems and databases containing information used to design, operate, and maintain CDAs. In the networking arena, knowledge of both plant- and corporate-wide networks is included.
  • Nuclear power plant operations, engineering, and nuclear safety - This includes overall facility operations and plant technical specifications. The staff representing this technical area has the ability to trace the impact of a vulnerability or series of vulnerabilities in a CDA (or connected digital asset) outward through plant systems and subsystems so that the overall impact on SSEP functions of the plant can be evaluated.

The roles and responsibilities of the CSAT include slJch activities as:

  • Performing or overseeing stages of the cyber security assessment process.
  • Documenting key observations, analyses, and findings during the assessment process.

5

FCS I OPPD CYBER SECURITY PLAN

  • Evaluating assumptions and conclusions about cyber security threats; potential vulnerabilities to, and consequences from an attack; the effectiveness of existing cyber security controls, defensive strategies, and attack mitigation methods; cyber security awareness and training of those working with, or responsible for CDAs and cyber security controls throughout their system life cycles; and estimates of cyber security risk levels.
  • Confirming information acquired during tabletop reviews by conducting walk downs or electronic validation of CDAs and connected digital assets, and associated cyber security controls.
  • Documenting the required cyber security control application per Section 3.1.6 of this Plan.
  • Transmitting assessment documentation, including supporting information, to Records Management in accordance with 10 CFR 73.54{h) and the record retention requirements specified in Section 4.13 of this Plan.

The CSAT has the authority to conduct an assessment in accordance with the requirements of Section 3 of this Plan.

3.1.3 Identification of Critical Digital Assets The CSAT:

  • Identifies and documents Critical Systems (CS), which must be protected under the Rule. (Refer to NEI 08-09, Revision 6, Appendix B, Glossary for definition of Critical System)
  • Identifies and documents Critical Digital Assets (CDAs). (Refer to NEI 08-09, Revision 6, Appendix B, Glossary for definition of Critical Digital Asset)

The process by which CDAs are identified has been documented.

For each CS examined, the documentation includes the following:

  • Identification of the Critical System;
  • Identification of the digital devices that provide direct or supporting roles in the function of the CS (e.g., protection, control, monitoring, reporting, or communications);
  • Identification of CDAs within the Critical System;
  • General description of the CDAs;
  • Brief description of overall function of the CDAs;
  • Description of overall consequence to the CS and SSEP functions if a compromise of the CDA occurs; and
  • Security functional requirements or specifications, as available, that include the following:

6

FCS / OPPO CYBER SECURITY PLAN o Information security requirements necessary for vendors and developers to maintain the integrity of acquired systems; o Secure configuration, installation, and operation of the COA; o Effective use and maintenance of security features/functions; o Known vulnerabilities regarding configuration and use of administrative (Le., privileged) functions; o User-accessible security featureslfunctions and how to effectively use those security features/functions; o Methods for user interaction with COAs, which enables individuals to use the system in a more secure manner; and o User responsibilities in maintaining the security of the COA.

3.1.4 Examination of Cyber Security Practices The CSAT collects, examines, and documents the existing cyber security policies, procedures, and practices; existing cyber security controls; detailed descriptions of network and communication architectures (or network/communication architecture drawings); information on security devices; and any other information that may be helpful during the cyber security assessment process. The team collects, documents by reference and evaluates the following as they apply to COAs:

  • Site- and corporate-wide information on defensive strategies including cyber security controls, defensive models, and other defensive strategy measures;
  • The site's physical and operational security program with respect to the protection of COAs;
  • Site and corporate network architectures, and configuration information on security devices;
  • Cyber security requirements for vendors and contractors while on site or used during procurement;
  • Information on computer networks and communication systems and networks that are present within the plant and could be potential pathways for attacks;
  • Cyber security assessments, studies, evaluations or audits to gain insight into areas of potential vulnerabilities; and
  • Infrastructure support systems (e.g., electrical power; heating, ventilation, and air conditioning (HVAC); communications; fire suppression) which, if compromised, could adversely impact the proper functioning of COAs.

The examination includes an analysis of the effectiveness of existing cyber security programs and cyber security controls. The CSAT documents the collected cyber security information and the results of their examination of the collected information.

7

FCS / OPPO CYBER SECURITY PLAN 3.1.5 Tabletop Reviews and Validation Testing The CSAT conducts a tabletop review and validation activities.

Results of table top reviews and va.lidation reviews are documented.

For each COA/COA group, the CSAT:

  • Confirms the location;
  • Confirms direct and indirect connectivity pathwa.ys;
  • Confirms infrastructure interdependencies;
  • Reviews any COA assessment documentation;
  • Reviews the defensive strategies;
  • Reviews the defensive models;
  • Confirms the implementation of plant-wide physical and cyber security policies and procedures that secure the COAs from a cyber attack, including attack mitigation, and incident response and recovery;
  • Confirms that staff members working with the COAs are trained to a level of cyber security knowledge commensurate with their assigned responsibilities; and
  • Identifies and documents the COA cyber security exposures including specific attack/threat vectors to be assessed for mitigation using the method in Section 3.1.6.

The above activities are validated for COAs through walk-downs. These walk downs include:

  • Performing, where practical, a physical inspection of the connections and configuration of COAs, including tracing communication connections into and out of the COA to termination points along communication pathways.
  • Performing electronic validation when physical walk-down inspections are impractical to trace a communication pathway to its conclusion. When there is a risk of operational disruption. electronic validation tests are conducted during periods of scheduled outage. Where used, a justification of the adequacy of the electronic validation technique is documented.
  • Examining the physical security established to protect COAs and the COA's communication pathways.
  • Examining the configuration and assessing the effectiveness of cyber security controls (e.g., firewalls, intrusion detection systems, data diodes) along the communication pathways.
  • Examining interdependencies with other COA(s) and trust relationships between the COA(s).

8

FCS / OPPD CYBER SECURITY PLAN

  • Examining interdependencies with infrastructure support systems including electrical power, environmental controls, and fire suppression equipment which, if compromised, could adversely impact the proper functioning of CDAs.
  • Resolving information and/or configuration discrepancies identified during the tabletop reviews, including the presence of undocumented and/or missing connections, and other cyber security-related irregularities associated with the CDA.

Information and/or configuration discrepancies identified during the tabletop reviews and walk-downs, including the presence of undocumented and/or missing connections, and other cyber security-related irregularities associated with the CDA are documented for remediation in the Corrective Action Program.

3.1.6 Mitigation of Vulnerabilities and Application of Cyber Security Controls Defense-in-depth strategies are established by documenting and implementing the:

  • Defensive strategy described in Section 4.3;
  • Technical cyber security controls in Appendix 0 of NEI 08-09, Revision 6 consistent with the process described below; and
  • Operational and Management cyber security controls in Appendix E of NEI 08-09, Revision 6 consistent with the process described below.

The CSAT utilizes the information gathered in Sections 3.1.3 through 3.1.5 to document how each of the technical cyber security controls were addressed for each CDA using the process described below. Other plant organizations may be used to implement the CSAT recommendations. For example, the Plant/Design Engineering group will perform requisite modifications to CDAs.

Cyber security controls are not applied if the control adversely impacts safety and important to safety, security or emergency preparedness functions. When a cyber security control is determined to have an adverse effect, alternate controls are used to mitigate the lack of the security control for the CDA per the process described in this section.

For CDAs, the information in Sections 3.1.3 - 3.1.5 is utilized to analyze and document one or more of the following:

1. Implementing the cyber security controls in Appendices 0 and E of NEI 08 09, Revision 6.
2. Implementing alternative controls/countermeasures that eliminate or mitigate threat/attack vector(s) associated with one or more of the cyber security controls enumerated in (1) above by:

9

FCS / OPPD CYBER SECURITY PLAN

a. Documenting the basis for employing alternative countermeasures;
b. Performing and documenting the analyses of the CDA and alternative countermeasures to confirm that the countermeasures provide the same or greater cyber security protection as the corresponding cyber security control; and
c. Implementing alternative countermeasures that provide at least the same degree of cyber security protection as the corresponding cyber security control;
d. Implementing an alternative frequency or periodicity for the security control employed by documenting the basis for the alternate frequency or periodicity. The basis incorporates one or more of the following:
i. NRC Regulations, Orders ii. Operating License Requirements (e.g., Technical Specifications) iii. Site operating history iv. Industry operating experience
v. Experience with security control vi. Guidance in generally accepted standards (e.g., NIST, IEEE, ISO) vii. Audits and Assessments viii. Benchmarking ix. Availability of new technologies.
3. Not implementing one or more of the cyber security controls by:
a. Performing an analysis of the specific cyber security controls for the CDA that will not be implemented.
b. Documenting justification demonstrating the attack vector does not exist (Le., not applicable) thereby demonstrating that those specific cyber security controls are not necessary.

3.2 RECORDS Records of the assessment described in Section 3.1 of this Plan are maintained in accordance with approved procedures as described in Section 4.13 of this Plan.

10

FCS / OPPD CYBER SECURITY PLAN 4 ESTABLISHING, IMPLEMENTING, AND MAINTAINING THE CYBER SECURITY PROGRAM This section establishes the programmatic elements necessary to maintain cyber security throughout the life cycle of CDAs. The elements of this section are implemented to maintain high assurance that CDAs associated with the SSEP functions are adequately protected from cyber attacks up to and including the DBT.

A life cycle approach is employed consistent with the controls described in Appendix E of NEI 08-09, Revision 6. This approach ensures that the cyber security controls established and implemented for CDAs are maintained to achieve the site's overall cyber security program objectives. For proposed new digital assets, or existing digital assets that are undergoing modification, the process described in Sections 10 and 11 of the Operational and Management controls of NEI 08-09, Revision 6, Appendix E are implemented.

Records are maintained in accordance with Section 4.13 of this Plan.

4.1 INCORPORATING THE CYBER SECURITY PROGRAM INTO THE PHYSICAL PROTECTION PROGRAM The Cyber Security Program, which is referenced in the Physical Security Plan, implements the Cyber Security Program requirements in accordance with 10 CFR 73.54(b)(3), 10 CFR 73.55(a)(1), and 10 CFR 73.55(c)(6). Cyber attacks are also considered during the development and identification of target sets as required by the Physical Security Program and 10 CFR 73.55(f)(2).

Revisions to this Plan are processed in accordance with procedures that implement the requirements of 10 CFR 50.54(p). Changes that are determined to decrease the effectiveness of this Plan are submitted to the NRC for approval as required by 10 CFR 50.90.

The Cyber Security Program is reviewed as a component of the PhYSical Security Program as required by 10 CFR 73.55(m).

4.2 CYBER SECURITY CONTROLS The Technical, Operational and Management Cyber Security Controls described in Appendices 0 and E of NEI 08-09, Revision 6, are evaluated and dispositioned based on site specific conditions during the establishment of risk baselines, during on-going programs, and during oversight activities.

Cyber security controls are used to protect CDAs within the scope of the Rule. The cyber security controls are implemented utilizing the process described in Section 3.1.6 of this Plan. Management controls, Operational controls, and Technical controls, in conjunction with Physical Security Plans, support the overall safety of nuclear material 11

FCS / OPPD CYBER SECURITY PLAN and reliability of plant operations. The Cyber Security Controls are utilized in site

. Baseline Assessment, Configuration Management, Engineering Design Control, Training, Attack Mitigation and Incident Response, Record Retention and Handling, and Review programs.

If a CDA cannot support the use of automated cyber security control mechanisms, non automated cyber security control mechanisms or procedures are documented and utilized where necessary to maintain the desired level of protection.

Many security controls have actions that are required to be performed on specific frequencies. The frequency of a security control is met if the action is performed within 1.25 times the frequency specified in the control, as applied, and as measured from the previous performance of the action. This extension facilitates scheduling and considers plant operating conditions that may not be suitable for conducting the security control action (e.g., transient conditions, other ongoing surveillance or maintenance activities).

These provisions are not intended to be used repeatedly merely as an operational convenience to extend frequencies beyond those specified.

4.3 DEFENSE-IN-DEPTH PROTECTIVE STRATEGIES Defense-in-depth protective strategies have been implemented, documented, and are maintained to ensure the capability to detect, delay, respond to, and recover from cyber attacks on CDAs. The defensive strategy describes the defensive security architecture, identifies the protective controls associated within each security level, implements cyber security controls in accordance with Section 3.1 of this Plan, employs the Defense-in Depth measures described in NEI 08-09, Appendix E, Section 6, and maintains the cyber security program in accordance with in Section 4 of this Plan.

The defensive architecture has been implemented, documented, and is maintained to protect CDAs that have similar cyber risks from other CDAs, systems or equipment by establishing the logical and physical boundaries to control the data transfer between boundaries.

This defensive architecture provides for cyber security defensive levels separated by security boundaries devices, such as firewalls and diodes, at which digital communications are monitored and restricted. Systems requiring the greatest degree of security are located within the greatest number and strength of boundaries. The criteria below are utilized in the defensive architecture.

The FCS defensive model implements all of the following:

  • The defensive model consists of 4 layers, with layer 4 having the greatest level of protection.
  • Safety CDAs are in Level 4.
  • Security CDAs are in Level 4.
  • CDAs within a particular security level may not share a common network.

12

FCS / OPPD CYBER SECURITY PLAN

  • The boundary between Level 3 and Level 2 is implemented by one or more deterministic devices (i.e., data diodes, air gaps) that isolate CDAs in or above Level 3. Information flows between Level 3 and 4 are restricted through the use of a firewall and monitored by a network-based intrusion detection system. The firewall implements the Information Flow Enforcement cyber security control in I\IEI 08-09, Revision 6, Appendix D, Section 1.4 and the rule set characteristics for non-deterministic information flow enforcement described in the Defense-In Depth cyber security control in NEI 08-09, Revision 6, Appendix E, Section 6.

For this defensive architecture to be effective in protecting CDAs from cyber attacks the above characteristics are consistently applied, along with the technical, management, and operational security controls discussed in Appendices D and E of NEI 08-09, Revision 6.

The cyber security defensive model is enhanced by physical and administrative cyber security controls implemented by the Physical Security Program. Physical barriers such as locked doors, locked cabinets, and/or locating CDAs in the protected area or vital area are also used to mitigate risk."

4.4 ONGOING MONITORING AND ASSESSMENT Ongoing monitoring of cyber security controls used to support CDAs is implemented consistent with Appendix E of NEI 08-09, Revision 6. Automated support tools are also used, where available, to accomplish near real-time risk management for CDAs. The ongoing monitoring program includes:

  • Configuration management of CDAs;
  • Cyber security impact analyses of changes to the CDAs or their environment(s) to ensure that implemented cyber security controls are performing their functions effectively;
  • OngOing assessments to verify that the cyber security controls implemented for CDAs remain in place throughout the life cycle of the CDA;
  • Verification that rogue assets are not connected to the network infrastructure;
  • Ongoing assessments of the need for and effectiveness of the cyber security controls identified in Appendices D and E of NEI 08-09, Revision 6; and
  • Periodic cyber security program review to evaluate and improve the effectiveness of the Program.

This element of the Program is mutually supportive of the activities conducted to monitor configuration changes of CDAs.

4.4.1 Configuration Management and Change Control The configuration management controls described in Appendix E of NEI 08-09, Revision 6, have been implemented as described in Section 3.1 .6, and implementation has been documented. A configuration management approach 13

FCS rOPPD CYBER SECURITY PLAN is implemented to update and maintain cyber security controls for CDAs in order to ensure that the cyber security program objectives remain satisfied.

Modifications to CDAs are evaluated before implementation to ensure that the cyber security performance objectives of 10 CFR 73.54(a)(1) are maintained. A record of changes made to the configuration of CDAs is maintained.

CDA cyber security and configuration management documentation is updated or created using the site configuration management program or other configuration management procedure or process. This documentation includes the bases for not implementing one or more of the technical cyber security controls specified in Appendix D of NEI 08-09, Revision 6.

During the operation and maintenance phases of the CDA life cycle, changes to CDAs are made using Design Control and Configuration Management procedures, so that additional cyber security risk is not introduced into the system. The process ensures that the controls specified in Appendices D and E of NEI 08-09, Revision 6, have been implemented in a manner consistent with this Plan and implementing procedures.

During the retirement phase, the Design Control and Configuration Management procedures address SSEP functions.

4.4.2 Cyber Security Impact Analysis of Changes and Environment A cyber security impact analysis is performed prior to making a design or configuration change to a CDA, or when changes to the environment occur, consistent with the process described in Section 4 of the Operational and Management Controls of Appendix E to NEI 08-09, Revision 6, to manage risks introduced by the changes.

Interdependencies of other CDAs or support systems are evaluated, documented, and incorporated into the cyber security impact analysis. The steps for conducting the tabletop review described in Section 3.1 .5 are performed.

These impact analyses are performed as part of the change approval process to assess the impacts of the changes on the cyber security posture of CDAs and systems that can affect SSEP functions. Cyber security related issues identified during the change management process are addressed within the change management process, and therefore are not handled by the Corrective Action Program. Adverse conditions identified after the modi'fication is implemented are entered into the site Corrective Action Program.

Risks to SSEP functions, CDAs and CSs are managed through ongoing evaluation of threats and vulnerabilities and by addressing threat and attack vectors associated with the cyber security controls provided in Appendices D and E of NEI 08-09, Revision 6, during the various phases of the life cycle.

14

FCS / OPPD CYBER SECURITY PLAN Additionally, procedures are developed for screening, evaluating, mitigating and dispositioning threat and vulnerability notifications received from credible sources. Dispositioning includes implementation, as necessary; of cyber security controls to mitigate newly reported or discovered vulnerabilities and threats.

4.4.3 Ongoing Assessment of Cyber Security Controls Ongoing assessments are performed to verify that the cyber security controls implemented for CDAs remain in place throughout the life cycle. The assessment process verifies the status of these cyber security controls at least every 24 months or in accordance with the specific requirements for utilized cyber security controls as described in Appendices 0 and E of NEI 08-09, Revision 6, whichever is more frequent.

4.4.3.1 Effectiveness Analysis The effectiveness and efficiency of the Cyber Security Program and the cyber security controls in Appendices 0 and E of NEI 08-09, Revision 6, are monitored to confirm that the cyber security controls are implemented correctly, operating as intended, and continuing to provide high assurance that CDAs are protected against cyber attacks up-to and including the DBT. Reviews of the cyber security program and controls include, but are not limited to, periodic audits of the physical security program, security plans, implementing procedures, cyber security programs; safety/security interface activities; the testing, maintenance, and calibration program as it relates to cyber security; and feedback from the NRC and local, state and federal law enforcement authorities.

The effectiveness evaluation provides information for cyber security decision makers about the results of previous policy and acquisition decisions. These measures:

  • Provide insight for improving performance of the Cyber Security Program;
  • Assist in ascertaining whether specific cyber security controls are functioning and are helping facilitate corrective action prioritization; and
  • Require fusing the Cyber Security Program activities data with the data obtained from automated monitoring and evaluation tools in a manner that can be tied to cyber security control implementation.

The effectiveness of these cyber security controls is verified when applied, and at least every 24 months or in accordance with the specific requirements for employed cyber security controls as described in Appendices 0 and E of "lEI 08 09, Revision 6, whichever is more frequent. Documents of maintenance and repairs on CDA components are reviewed to ensure that CDAs which perform cyber security functions are maintained according to recommendations provided 15

FCS / OPPD CYBER SECURITY PLAN by the manufacturer or as determined by site-specific procedures. Adverse conditions identified during effectiveness evaluations are entered in the site Corrective Action Program.

4.4.3.2 Vulnerability Scans Electronic vulnerability scanning of CDAs is performed when security controls are first applied, and as required by specific guidance in the cyber security controls in Appendices D and E of NEI 08-09, Revision 6. When new vulnerabilities that could affect the cyber security posture of CDAs are identified, vulnerability scanning will be performed.

Vulnerability scan reports are analyzed and vulnerabilities that could result in a risk to SSEP functions at the site are remediated. Information obtained 'from the vulnerability scanning process is shared with appropriate personnel to ensure that similar vulnerabilities that may impact interconnected or similar CDA(s) are understood, evaluated and mitigated.

When there is a risk of operational disruption, electronic vulnerability scans are conducted during periods of scheduled outage. Test beds and vendor maintained environments may be used for or in substitution for performing vulnerability scans.

Assessment and scanning process must not adversely impact SSEP functions. If this could occur, CDAs are removed from service or replicated (to the extent feasible) before assessment and scanning is conducted. If vulnerability assessments or scanning cannot be performed on a production CDA because of the potential for an adverse impact on SSEP functions, alternate controls (e.g.,

providing a replicated system or CDA to conduct scanning) are employed.

A vulnerability assessment may be used as a substitute for vulnerability scanning where there is risk of an adverse impact to SSEP functions, and when off-line, replicated, or vendor test beds are not available. When new vulnerabilities are discovered, the vulnerability assessment considers the same threat vectors as the identified vulnerabilities. When vulnerability assessments are used to verify security controls, the assessment targets the threat vectors the security controls address. In both cases, the vulnerability assessment verifies that the vulnerability or threat vector is addressed to provide high assurance of adequate protection that SSEP functions are protected from cyber attacks up-to and including the Design Basis Threat.

4.5 ADDITION AND MODIFICATION OF DIGITAL ASSETS The approach for assessing new/modified CDAs is to use the assessment process described in Section 3.1 of this Plan.

16

FCS / OPPD CYBER SECURITY PLAN Programs, Procedures, and/or Processes have been established, implemented, and maintained to control life cycle phase activity cyber security controls for CDAs. These programs, procedures, and/or processes ensure that modifications to a CDA within the scope of 10 CFR 73.54 are evaluated before implementation to ensure that the cyber security performance objectives of 10 CFR 73.54(a)(1) are maintained and that acquired CDAs have cyber security requirements developed to achieve the site's cyber security program objectives.

Records are maintained in accordance with Section 4.13 of this Plan.

4.6 ATTACK MITIGATION AND INCIDENT RESPONSE The Program ensures that the Safety, Security, and Emergency Preparedness functions of digital assets within the scope of the Rule (CDAs) are not adversely impacted due to cyber attacks. Appendix E of NEI 08-09, Revision 6, includes the following topics pertaining to attack mitigation and incident response:

  • Incident Response Policy and Procedures
  • Incident Response Training
  • Incident Response Testing and Drills
  • Incident Handling
  • Incident Monitoring
  • Incident Response Assistance Policies, and/or Procedures, and/or Programs document cyber security controls to deny, deter, and detect adverse threats and conditions to CDAs that may be susceptible to cyber attacks which exploit system vulnerabilities. Cyber security controls employed counteract threats. Policies, and/or Procedures, and/or Programs document the methods to handle digital-related adverse conditions.

Digital-related adverse conditions are entered into the site Corrective Action Program for resolution. If the condition affects a CDA, the condition is evaluated to determine if there is reason to believe that the condition is the result of a cyber attack. If there is reason to believe the condition is the result of a cyber attack, the event is reported to the NRC in accordance with 10 CFR 73, Appendix G.

Identification, detection, and response to cyber attacks are directed by site procedures for cyber security and other procedures that govern response to plant events. When there is reasonable suspicion of a cyber attack, response instructions direct notification to the activation of Cyber Security Incident Response Team. Response instructions direct other emergency response actions, if warranted.

Cyber security attack containment activities are directed by site procedures. These measures include but are not limited to:

  • Assist in determining the CDA's operability or functionality; 17

FCS / OPPD CYBER SECURITY PLAN

  • Isolate the affected CDA with approval by Shift Manager, if possible; and
  • Verify surrounding networks and support systems are not contaminated.

Eradication activities identify the attack and the compromised pathway, patch or clean the CDA, or replace the CDA using disaster recovery procedures. Measures necessary to mitigate the consequences of cyber attacks are as directed by site governing procedures.

Recovery activities include but are not limited to functional recovery test, cyber security function and requirements tests, restoration to operational state, verification of operability or functionality, and return to service. Systems, networks, and/or equipment affected by cyber attacks are restored and returned to operation as directed by site procedures. Post incident analysis is conducted in accordance with site Corrective Action Program procedures.

4.7 CYBER SECURITY CONTINGENCY PLAN A Cyber Security Contingency Plan protects CDAs from adverse impacts from cyber attack. Refer to Appendix E of NEI 08~09, Revision 6, for additional Cyber Security Contingency Plan cyber security controls. '

The contingency planning policy is developed, disseminated, periodically reviewed and updated. The contingency planning policy provides the following:

a. A formal, documented policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organization entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the policy and associated contingency planning controls.

The Cyber Security Contingency Plan includes:

  • Required response to events or conditions of varying duration and severity that would activate the recovery plan;
  • Procedures for operating the CDAs in manual mode with external electronic communications connections severed until secure conditions can be restored;
  • Roles and responsibilities of responders;
  • Processes and procedures for the backup and secure storage of information;
  • Complete and up-to-date logical diagrams depicting network connectivity;
  • Current configuration information for components;
  • Personnel list (according to title and/or function) for authorized physical and cyber access to the CDA;
  • Communication procedure and list of personnel (according to title and/or function) to contact in the case of an emergency; and
  • Documented requirements for the replacement of components.

18

FCS / OPPD CYBER SECURITY PLAN 4.8 CYBER SECURITY TRAINING AND AWARENESS The Program establishes the training requirements necessary for licensee personnel and contractors to perform their assigned duties and responsibilities in implementing the requirements of the Program.

Individuals are trained to a level of cyber security knowledge commensurate with their assigned responsibilities in order to provide high assurance that individuals are able to perform their job functions. Refer to Appendix E of NEI 08-09, Revision 6, which describes the Cyber Security Controls required for the following levels of training:

  • Awareness Training
  • Technical Training
  • Specialized Cyber Security Training Specific topics included within the Cyber Security Training and Awareness program may be modified, added or deleted (1) in response to feedback from personnel and contractors who have taken the training or (2) as a result of discussions with cyber security groups and associations.

4.9 EVALUATE AND MANAGE CYBER RISK Cyber risk is evaluated and managed utilizing site programs and procedures.

4.9.1 Threat and Vulnerability Management Cyber risks are managed through evaluation of threats and vulnerabilities to computer and control systems during the life cycle phases as documented in the Engineering Design Control, Configuration Management, Software Quality Assurance, Operating Experience (OE) and Corrective Action Program (CAP) processes. The Program establishes in procedures or other plant documents how responses to threat notifications and vulnerabilities against a CDA received from a credible source are screened, evaluated and dispositioned.

4.9.2 Risk Mitigation Protection and mitigation of cyber risk are achieved by applying cyber security controls to the CDAs within the scope of the Rule. Detailed information on how these requirements are implemented to achieve high assurance objectives of cyber security controls specified in this Plan is available on site for the NRC's inspections and audit.

4.9.3 Operational Experience Policies, and/or Procedures, and/or Programs establish how the operational experiences related to cyber security are screened to determine applicability, evaluated to determine significance, and dispositioned in an operational 19

FCS / OPPD CYBER SECURITY PLAN experience program. Any condition determined to be adverse as a result of the evaluation of operational experiences, is dispositioned in the Corrective Action Program.

4.9.4 Corrective Action Program Policies, and/or Procedures, and/or Programs establish the criteria for adverse conditions and the requirements for corrective action. Adverse impact resulting from a cyber security condition is evaluated, tracked and dispositioned in accordance with the site Corrective Action Program.

4.10 POLICIES AND IMPLEMENTING PROCEDURES Policies and implementing procedures are developed to meet the implemented cyber security control's objectives provided in Appendices D and E of NEI 08-09, Revision 6.

The program policies and implementing procedures are documented, developed, reviewed, approved, issued, used, and revised as described in Section 4 of this Plan.

Program policies and implementing procedures establish that personnel responsible for the management and implementation of the program report indirectly to senior nuclear management. Senior nuclear management is the Chief Nuclear Officer who is accountable for nuclear plant(s) operation.

Implementing procedures establish responsibilities for the positions documented in Section 4.11.

4.11 ROLES AND RESPONSIBILITIES Roles and responsibilities are implemented with site procedures to preclude conflict during both normal and emergency conditions. The following Roles are created and staffed with qualified and experienced personnel. Authorized contracted resources possessing the skill set identified below for their designated role may be used.

Implementing procedures establish responsibilities for the following:

Cyber*Security Program Sponsor

  • Member of Senior FCS / OPPD Management;
  • Overall responsibility and accountability for the cyber security program;
  • Provide resources required for the development, implementation and sustenance of the cyber security program;
  • Accountable to meet the needs of the site and receives support and compliance; and
  • Ensure that resources are available to develop and implement the Program.

Cyber Security Program Manager

FCS / OPPD CYBER SECURITY PLAN

  • Responsible for oversight and assuring periodic assessments are performed in accordance with Section 4;
  • Functions as a single point of contact for issues related to cyber security;
  • Provides oversight and direction on issues regarding nuclear plant cyber security;
  • Oversees and approves the development and implementation of a Cyber Security Plan;
  • Ensures and approves the development and operation of the cyber security education, awareness, and training program; and
  • Oversees and approves the development and implementation of cyber security policies and procedures.

Cyber Security Specialists

  • Protect CDAs from cyber threat;
  • Understand the cyber security implications surrounding the overall architecture of plant networks, operating systems, hardware platforms, plant specific applications, and the services and protocols upon which those applications rely;
  • Conduct cyber security audits, network scans, and penetration tests against CDAs as necessary;
  • Preserve evidence collected during cyber security investigations to prevent loss of evidentiary value;
  • Maintain expert skill and knowledge level in the area of cyber security; and

Cyber Security Incident Response Team (CSIRT)

  • Initiates in accordance with the Incident Response Plan;
  • Initiates emergency action when required to safeguard CDAs from cyber security compromise and to assist with the eventual recovery of compromised systems;
  • Contains and mitigates incidents involving critical and other support systems;
  • Restores compromised CDAs; and
  • Responds to a cyber attack and performs the activities described in Section 4.6. Responsibilities are designated in site incident response procedures.

Ancillary CSIRT staff includes organizations and individuals who operate, maintain, or design critical systems. CSIRT support staff is comprised of organizations and individuals as needed for specific specialized knowledge.

21

FCS / OPPD CYBER SECURITY PLAN Others Operators, engineers, technicians, and users perform their assigned duties in accordance with the requirements of the Program.

4.12 CYBER SECURITY PROGRAM REVIEW The Cyber Security Program established the necessary measures and governing procedures to implement reviews of applicable program elements in accordance with the requirements of 10 CFR 73.55{m). Security Controls are elements of the Security Program and are reviewed consistent with the following requirements of 10 CFR 73.55{m).

(1) As a minimum, the licensee shall review each element of the physical protection program at least every 24 months. Reviews shall be conducted:

(i) Within 12 months following initial implementation of the physical protection program or a change to personnel, procedures, equipment, or facilities that potentially could adversely affect security.

(ii) As necessary based upon site-specific analyses, assessments, or other performance indicators.

(iii) By individuals independent of those personnel responsible for program management and any individual who has direct responsibility for implementing the onsite physical protection program.

(2) Reviews of the security program must include, but not be limited to, an audit of the effectiveness of the physical security program, security plans, implementing procedures, cyber security programs, safety/security interface activities, the testing, maintenance, and calibration program, and response commitments by local, State, and Federal law enforcement authorities.

(3) The results and recommendations of the onsite physical protection program reviews, management's findings regarding program effectiveness, and any actions taken as a result of recommendations from prior program reviews, must be documented in a report to the licensee's plant manager and to corporate management at least one level higher than that having responsibility for day-to-day plant operation. These reports must be maintained in an auditable form, available for inspection.

(4) Findings from onsite physical protection program reviews must be entered into the site Corrective Action Program.

4.13 DOCUMENT CONTROL AND RECORDS RETENTION AND HANDI_ING FCS / OPPD has established the necessary measures and governing procedures to ensure that sufficient records of items and activities affecting cyber security are developed, reviewed, approved, issued, used, and revised to reflect completed work.

22

FCS / OPPD CYBER SECURITY PLAN The following are examples of records or supporting technical documentation that are retained as a record until the Commission terminates the license for which the records are developed. Superseded portions of these records are retained for three years unless otherwise specified by the Commission in accordance with the requirements of 10 CFR 73.54(h):

  • Modification records for CDAs;
  • Analyses, basis, conclusions, and determinations used to establish a component as a CDA;
  • Written Policies and Procedures that implement and maintain the Cyber Security program, with records of changes;
  • Corrective Action records related to Cyber Security non-conformance or adverse conditions;
  • Documentation of periodic Cyber Security Program reviews and Program audits;
  • Vulnerability notifications determined to adversely impact CDAs and the associated analyses, assessments and dispositions;
  • Training records to document personnel qualifications and Program implementation and maintenance; and
  • Audit records, which are electronic or manual event records (logs) that facilitate the identification and analysis of cyber security attacks and are developed in accordance with Appendix D, Section 2, Audit and Accountability.

o The scope of auditable events is developed in accordance with Appendix D, Section 2.2, Auditable Events. Events identified for auditing are recorded in accordance with Appendix D, Section 2.3, Content of Auditable Records and Appendix D, Section 2.4, Audit Storage Capacity (for electronic audit records). The source of auditable events (electronic and non-electronic) include, but are not limited to:

  • Operating system logs

'. Service and application logs

  • Network device logs
  • Access Logs o Audit records of auditable events are retained to document access history, as well as to discover the source of cyber attacks or other security-related incidents affecting CDAs or SSEP functions, or both. These records are reviewed and analyzed in accordance with the policies, procedures, and programs implementing Appendix D, Section 2.6, Audit Review, Analysis and Reporting. The review and analysis is conducted consistent with maintaining high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 10 CFR 73.1.

Superseded records (or portions thereof) are then retained for three years, after the record has been reviewed and analyzed.

23

LI C-11-0036 FCS I OPPD Cyber Security Plan Implementation Schedule

FCS I OPPD Cyber Security Plan Implementation Schedule Full implementation of the cyber security program involves many supporting tasks. Major activities include: program and procedure development; performing of individual critical digital asset (CDA) assessments; and identification, scheduling, and implementing individual asset security control design remediation actions through the site configuration management program. These design modifications may be performed on-line or could require a refueling outage for installation.

The extensive workload associated with full implementation of the Cyber Security Plan (CSP) requires prioritization to assure those activities that provide higher degrees of protection against radiological sabotage are performed first. Therefore, the CSP implementation schedule will be implemented with two major milestone dates. The first milestone date of no later than December 31,2012, includes the activities listed in the table below. The second milestone date, December 31,2015, includes the completion of all remaining actions that result in the full implementation of the cyber security plan for all applicable Safety, Security, and Emergency Preparedness (SSEP) functions. This date also bounds the completion of all individual asset security control design remediation actions.

Cyber security controls are not applied if the control adversely impacts safety and important to safety, security or emergency preparedness functions.

1 Establish Cyber Security Assessment Team No later than The CSAT, collectively, will need to have digital plant systems (CSAT) as described in Section 3.1.2 "Cyber December 31, 2012 knowledge as well as nuclear power plant operations, engineering Security Assessment Team" of the Cyber Security and nuclear safety experience and technical expertise. The Plan (CSP). personnel selected for this team may require additional training in these areas to help to ensure adequate capabilities to perform cyber security assessments as well as other duties.

2 Identify Critical Systems (CSs) and Critical Digital No later than The scope of 10 CFR 73.54 includes digital computer and Assets (CDAs) as described in Section 3.1.3 December 31, 2012 communication systems and networks associated with: safety "Identification of Critical Digital Assets" of the CSP. related and important-to-safety functions; security functions; emergency preparedness functions, including offsite communications; and support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions. The scope of 10 CFR 73.54 includes structures, systems, and components (SSCs) that have a nexus to radiological health and safety and therefore can directly or indirectly affect reactivity of a nuclear power plant and could Page 1 of 4

result in an unplanned reactor shutdown or transient.

3 Implement Installation of adeterministic one-way No later than The implementation of communication barriers protects the most device between lower level devices (level 0 1,2) December 31,2012 critical SSEP functions from remote attacks on plant systems.

and the higher level devices (level 3,4) as Isolating the plant systems from the internet as well as from the described in Section 4.3, "Defense-In-Depth corporate business systems is an important milestone in Protective Strategies" of the CSP. defending against external threats. While the deployment of the barriers is critical to protection from external cyber threats, it also Lower security level devices (level 0, 1, 2 devices) prevents remote access to core monitoring and plant data that bypass the deterministic device and connect systems for reactor engineers, plant operations, and other plant to level 3 or 4 will be modified to prevent the digital staff. This elimination of remote access to reactor core monitoring connectivity to the higher level or will be modified systems may require the development and execution of a detailed to meet cyber security requirements change management plan to ensure continued safe operation of commensurate with the level 3 or 4 devices to the plants. Vendors may be required to develop software which they connect. revisions to support the model. The modification will be developed, prioritized and scheduled.

The design modifications that are not finished by the completion date will be documented in the site configuration management and/or change control program to assure completion of the design modification as soon as possible, but no later than the final implementation date.

\----.+---. - - - - - - -

4 The security control "Access Control For Portable No later than Portable media devices are used to transfer electronic information And Mobile Devices" described in Appendix D December 31,2012 (e.g., data, software, firmware, virus engine updates and 1.19 of NEI 08-09, Revision 6, will be configuration information) to and from plant process equipment.

implemented. Careful use of this class of media is required to minimize the spread of malicious software to plant process equipment. The effective implementation of this control may require the coordinated implementation of other complimentary controls to Page 2 of 4

ensure adequate mitigation.

5 Implement obserVation and identification of No later than Insider mitigation rounds by trained staff look for obvious signs of obvious cyber related tampering to existing insider December 31,2012 cyber related tampering and would provide mitigation of mitigation rounds by incorporating the appropriate observable cyber related insider actions. Implementing steps to elements in Appendix E, Section 4.3 "Personnel add signs of cyber security-related tampering to insider mitigation Performing Maintenance And Testing Activities." rounds will be performed by the completion date.

6 Identify, document, and implement NEI 08-09, No later than The site physical protection program provides high assurance that Revision 6, Appendix Dtechnical cyber security December 31, 2012 these elements are protected from physical harm by an controls in accordance with the Cyber Security adversary. The cyber security program will enhance the defense Plan Section 3.1.6 "Mitigation of Vulnerabilities in-depth nature of the protection of CDAs associated with target and Application of Cyber Security Controls" for sets. Implementing Cyber Security Plan technical controls to CDAs that could adversely impact the design target set CDAs provides a high degree of protection against function of physical security target set eqUipment. cyber related attacks that could lead to radiological sabotage.

Security controls will be addressed in accordance with Cyber The implementation of controls that require a Security Plan Section 3.1.6 with the exception of those that design modification that are not finished by the require adesign modification.

completion date will be documented in the site configuration management and/or change control Note that the Operational and Management controls, as provided program to assure completion of the design in NEI 08-09, Revision 6, Appendix E, will be implemented in modification as soon as possible, but no later than conjunction with the full implementation of the Cyber Security the final implementation date. Program. These controls are primarily procedure based programs and must be implemented in coordination with the comprehensive Cyber Security Program. However, ahigh degree of protection against cyber related attacks is maintained as many of these programs (e.g., physical protection, maintenance and work management, configuration management, operational experience.

etc.) are currently in place and are well established within the nuclear industry. For the CDAs in scope, Operational and Page 3 of 4

Management Security Controls will be addressed under an interim auditable process since not all elements of the Operational and Management (O&M) Security Controls Program as required by NEI 08-09, Revision 6 will be fully developed and implemented by 1213112012.

7 Ongoing monitoring and assessment activities No later than The ongoing monitoring and assessment activities as described in commence, as described in Section 4.4, "Ongoing December 31,2012 Section 4.4, "Ongoing Monitoring and Assessment" of the Cyber Monitoring and Assessment" of the CSP, for those Security Plan will be implemented for the controls applied to target target set CDAs whose security controls have set CDAs. This action results in the commencement of the cyber been implemented. security program for target set related CDAs.

8 .Full implementation of FCS I OPPD Cyber December 31,2015 By the completion date, FCS I OPPD Cyber Security Plan will be Security Plan for all SSEP functions will be fully implemented for all SSEP functions in accordance with 10 achieved. CFR 73.54. This date also bounds the completion of all individual asset security control design remediation actions including those that require a refueling outage for implementation.

Page 4 of 4

Retrieved from "https://kanterella.com/w/index.php?title=LIC-11-0036,_(Fcs),_Unit_No.1,_FCS_/_OPPD_Cyber_Security_Plan,_License_Amendment_Request_(Revised)&oldid=2551166"