ML021490506

Y20020113 - N. Cohen Ltr Re Security Concerns at the Salem Nuclear Generating Station Unit Nos. 1 and 2 - Outsourcing of Employees and Software
ML021490506
Person / Time
Site: Salem, Hope Creek
Issue date: 06/12/2002
From: Robert Fretz
NRC/NRR/DLPM/LPD1
To: Cohen N
UNPLUG Salem Campaign
Fretz, R, NRR/DLPM, 415-1324
Shared Package
ML021490497 List:
References
Y20020113


Text

June 12, 2002

Mr. Norm Cohen, Coordinator
The UNPLUG Salem Campaign
Coalition for Peace and Justice
321 Barr Avenue
Linwood, NJ 08221

Dear Mr. Cohen:

I am responding to your electronic mail (e-mail) sent to me on April 3, 2002. In the e-mail, you forwarded a copy of a letter sent to Mr. Harold W. Keiser, Chief Nuclear Officer & President, PSEG Nuclear LLC (PSEG), concerning security at the Salem Nuclear Generating Station, Unit Nos. 1 and 2 (Salem). In addition, you raised the following issues:

The U.S. Nuclear Regulatory Commission's (NRC) Inspector General (IG) should immediately investigate the entire matter of the nuclear plant plans found in Afghanistan.

The NRC should arrange a public meeting in Salem on security issues concerning Artificial Island.

The NRC should investigate and set rules for the outsourcing of employees and software as is being done by PSEG.

The NRC should arrange to have members of UNPLUG Salem be given the same briefing and tour as were the New Jersey Assembly-persons on April 2, 2002.

In a letter from Roy P. Zimmerman, Director, Office of Nuclear Security and Incident Response, dated May 10, 2002, we addressed your issue concerning the erroneous reports of plans for Salem being found in Afghanistan. In addition, Mr. Zimmerman's letter informed you that we would not be able to support your request for a public meeting near Artificial Island.

Your April 3, 2002, letter stated that the NRC should investigate and set rules for the outsourcing of employees and software. Based on your letter to Mr. Keiser, we understand your concerns to be two-fold: (1) non-U.S. citizen-terrorists may be able to gain access to Salem as contract employees; and (2) computer software developed by non-U.S. citizens or companies may pose a threat to the plant because of the possibility of embedded viruses or other deliberately coded defects being placed in the software code. These two issues are addressed below.

NRC regulations concerning unescorted access at nuclear power plants do not place a distinction between licensee and contract employees. The same requirements for background checks apply to all nuclear power plant workers, regardless of their employer. Furthermore, according to Title 10 of the Code of Federal Regulations (10 CFR) Section 73.56, there is no requirement that NRC licensees deny unescorted access on the basis of an applicant's country of origin.

In the aftermath of the September 11, 2001, terrorist attacks, the NRC took steps to strengthen access authorization requirements for all nuclear power plant workers. Following these events, the NRC issued over 30 threat advisories, some of which addressed unescorted access procedures. Also, the Orders issued on February 25, 2002, to all operating nuclear power plant licensees included requirements to improve unescorted access controls. While these actions are intended to address the current threat environment, the NRC staff is also taking other steps to ensure that all nuclear power plant workers will continue to be trustworthy by including the issue of access authorization in its comprehensive review of security and safeguards programs.

To this end, the NRC is coordinating with the Immigration and Naturalization Service and other government agencies to improve employment eligibility verification practices at all nuclear facilities. The NRC is also working with Congress as it carefully considers the possibility of new legislation designed to further improve background checks while properly balancing national security needs and an individual's rights, for U.S. and non-U.S. citizens alike.

With respect to your concerns about the outsourcing of software at Salem, the NRC considers security to be an important requirement for computer-based instrumentation and control (I&C) systems at nuclear power plants. The NRC has existing regulations and guidance that apply to both the hardware and software found in I&C systems important to safety. All structures, systems, and components, including associated software, are subject to NRC regulations in 10 CFR Part 50. Licensees must comply with the minimum functional and design criteria for I&C systems in 10 CFR 50.55a(h) and Appendix A to 10 CFR Part 50, as well as adhere to quality assurance requirements in Appendix B to 10 CFR Part 50.

Paragraph (h) to 10 CFR 50.55a references Institute of Electrical and Electronics Engineers (IEEE) Standard 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, and IEEE Standard 603-1991, Criteria for Safety Systems for Nuclear Power Generating Stations. These standards outline requirements for controlling access to protection and safety systems at nuclear power plants. With the advent of digital technology and its introduction in nuclear plant I&C applications, the NRC has also updated its guidance to reflect the industry's conversion to digital technology. In June 1997, the NRC issued Standard Review Plan (SRP) Chapter 7, Revision 4, to address digital technology requirements. Therefore, in order to adhere to NRC regulations and guidance, licensees must implement controls for electronic access to safety system software and data. For example, data communications systems (DCS) must be designed so that there are no electronic paths by which unauthorized personnel can change plant software or display erroneous plant status information to plant operators. If computers or equipment outside of the control of the plant staff may be connected to a DCS (e.g., connections to remote data displays off-site), the connections are to be through gateways that prevent unauthorized transactions originating from offsite.

The NRC's requirements for quality assurance are provided in Appendix B to 10 CFR Part 50, and apply to all software that is determined to be important to safety, regardless of where it is developed. Quality assurance comprises all planned and systematic actions necessary to provide adequate confidence that a structure, system, or component will perform satisfactorily in service. The NRC has issued a series of Regulatory Guides (RGs), RGs 1.168 through 1.173, that address quality controls relating to computer software and other digital equipment.

These requirements ensure that all safety-related software developed by any individual or company, whether located within or outside the U.S., is properly tested prior to being placed in service at a nuclear power plant. Additionally, in response to the September 11 terrorist attacks, the NRC has taken further steps to ensure computer systems are protected against cyber terrorism and other similar attacks. The Orders issued on February 25, 2002, to all operating nuclear power plants include measures relating to computer security.

Finally, your April 3, 2002, letter asked that the NRC arrange a briefing and tour at Salem for members of The UNPLUG Salem Campaign. Because the NRC does not arrange for plant tours or briefings for members of the public, the Salem licensee should be contacted for such site visits. I note from your April 3, 2002, e-mail that you have already made this request to PSEG. I trust that this letter adequately addresses your concerns. If you have any questions, I can be reached at (301) 415-1324, or at rxf@nrc.gov.

Sincerely,

/RA/

Robert J. Fretz, Project Manager, Section 2
Project Directorate I
Division of Licensing Project Management
Office of Nuclear Reactor Regulation

DISTRIBUTION:

PUBLIC (w/incoming)

L. Cox A. Madison, NSIR NRR Mail Room (YT20020113)

S. Richards G. Meyer, RI J. Clifford V. Ordaz, NSIR R. Lorson, RI B. Sheron T. Clark K. Johnson R. Fretz PDI-2 R/F (w/incoming)

R. Zimmerman, NSIR ACCESSION NO: ML021490506 INCOMING NO: ML0 PKG. NO. ML021490497 OFFICE PDI-2/PM PDI-2/LA NSIR/SC PDI-2/SC LPDI/D NAME RFretz TClark AMadison JClifford SRichards DATE 6/10/02 6/10/02 6/10/02 6/12/02 OFFICIAL RECORD COPY