ML093480161

From kanterella
Jump to navigation Jump to search

Submittal of License Amendment Request - Cyber Security Plan
ML093480161
Person / Time
Site: River Bend Entergy icon.png
Issue date: 12/09/2009
From: Roberts J
Entergy Operations
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
Download: ML093480161 (13)


Text

_Entergy Operations, Inc.

River Bend Station

, ;E t 5485 U.S. Highway 61N St. Francisville, LA 70775 157 Tel 225-381-4149 Jerry C. Roberts Director, Nuclear Safety Assurance River Bend Station December 9, 2009 U. S. Nuclear Regulatory Commission Document Control Desk Washington, DC 20555 RBG-46983

Subject:

License Amendment Request - Cyber Security Plan River Bend Station - Unit 1 Docket No. 50-458 License No. NPF-47

Reference:

RBG-46969, dated November 19, 2009, River Bend Station License Amendment Request - Cyber Security Plan

Dear Sir or Madam,

This letter updates 10 CFR 2.390 references contained'in RBG-46969 (Reference) and entirely supersedes/replaces the November 19, 2009, River Bend Station License Amendment Request - Cyber Security Plan submittal.

In accordance with the provisions of 10 CFR 50.4 and 10 CFR 50.90, Entergy is submitting a request for an amendment to the Facility Operating License (FOL) for River Bend Station (RBS). This proposed amendment requests NRC approval of the RBS Cyber Security Plan and implementation schedule, and requests approval of an additional sentence to the existing FOL Physical Protection license condition to require Entergy to fully implement with the approved schedule and to maintain in effect all provisions of the Commission approved Cyber Security Plan.

Attachment 1 provides an evaluation of the proposed change. Attachment 2 provides the existing FOL pages marked up to show the proposed change. Attachment 3 provides the proposed FOL changes in final typed format. Attachment 4 provides the River Bend Cyber Security Plan implementation schedule. Attachment 5 provides the guidance deviations taken by Entergy. Attachment 6 provides a copy of the RBS Cyber Security Plan which is a standalone document that will be incorporated by reference into the RBS Physical Security Plan upon approval. Entergy requests that Attachments 4, 5, and 6, which contain security related information, be withheld from public disclosure in accordance with 10 CFR 2.390.

The proposed changes have been evaluated in accordance with 10 CFR 50.91(a)(1) using criteria in 10 CFR 50.92(c), and it has been determined that the changes involve no significant hazards consideration. The bases for these determinations are included in Attachment 1.

This letter contains security-sensitive information - Attachments 4, 5, and 6 are withheld from public disclosure per 10CFR2.390

RBS Cyber Security Plan Submittal RBG-46983 Page 2 of 3 This license amendment is effective as of its date of issuance and shall be implemented in accordance with the approved Implementation Schedule.

The new commitments in this letter are provided in Attachment 4. Should you have any questions regarding this submittal, please contact David Lorfing, at (225) 381-4157.

I declare under penalty of perjury that the foregoing is true and correct. Executed on November 19, 2009.

Sincerely, MP/JCR/DNL/wjf Attachments: 1. Evaluation of the Proposed Operating License Change

2. Proposed Operating License Changes (mark-up)
3. Revised Operating License Pages
4. Implementation Schedule/List of Regulatory Commitments
5. Entergy (RBS) Deviation Table to NEI 08-09, Revision 3
6. RBS Cyber Security Plan This letter contains security-sensitive information - Attachments 4, 5, and 6 are withheld from public disclosure per 10CFR2.390

RBS Cyber Security Plan Submittal RBG-46983 Page 3 of 3 cc: Regional Administrator U.S. Nuclear Regulatory Commission Region IV 612 E. Lamar Blvd., Suite 400 Arlington, TX 76011-4125 NRC Senior Resident Inspector PO Box 1050 St. Francisville, LA, 70775 U.S. Nuclear Regulatory Commission Attn: Mr. Alan Wang, Project Manager MS 0-7-Dl Washington, DC 20555-0001 Mr. Jeffrey P. Meyers Louisiana Department of Environmental Quality Office of Environmental Compliance Attn. OEC - ERSD P. O. Box 4312 Baton Rouge, LA 70821-4312 This letter contains security-sensitive information - Attachments 4, 5, and 6 are withheld from public disclosure per 10CFR2.390

RBS Cyber Security Plan Submittal RBG-46983 Page 1 of 6 Attachment 1 Cyber Security Plan Submittal Evaluation of the Proposed Operating License Change

RBS Cyber Security Plan Submittal RBG-46983 Page 2 of 6 RIVER BEND CYBER SECURITY PLAN SUBMITTAL EVALUATION OF THE PROPOSED OPERATING LICENSE CHANGE 1.0

SUMMARY

DESCRIPTION The proposed license amendment request (LAR) includes the proposed RBS Cyber Security Plan (Plan), an Implementation Schedule, and a proposed sentence to be added to the existing FOL Physical Protection license condition.

2.0 DETAILED DESCRIPTION The proposed LAR includes three parts: the proposed RBS Cyber Security Plan, an implementation schedule, and a proposed sentence to be added to the existing FOL Physical Protection license condition to require Entergy to fully implement and maintain in effect all provisions of the Commission approved Cyber Security Plan as required by 10 CFR 73.54.

FederalRegister notice, dated March 27, 2009, issued the final rule that amended 10 CFR Part 73. The regulations in 10 CFR 73.54, "Protection of Digital Computer and Communication Systems and Networks," establish the requirements for a cyber security program. This regulation specifically requires each licensee currently licensed to operate a nuclear power plant under Part 50 of this chapter to submit a cyber security plan that satisfies the requirements of the Rule. Each submittal must include a proposed implementation schedule and implementation of the licensee's cyber security program must be consistent with the approved schedule. The background for this application is addressed by the NRC Notice of Availability published on March 27, 2009, 74 FR 13926 (Reference 1).

3.0 TECHNICAL EVALUATION

FederalRegister notice 74 FR 13926 issued the final rule that amended 10 CFR Part 73.

Cyber security requirements are codified as new 10 CFR 73.54 and are designed to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the design basis threat established by 10 CFR 73.1 (a)(1)(v). These requirements are substantial improvements upon the requirements imposed by EA-02-026 (Reference 2).

This proposed amendment conforms to the model Cyber Security Plan contained in Appendix A of NEI 08-09, "Cyber Security Plan Template", Revision 3 dated September 2009, for use by licensees in development of their own cyber security plans with deviations as identified and justified in Attachment 5. Deviations to Appendices D and E of NEI 08-09, Revision 3 are detailed in Attachment 1 of the RBS Cyber Security Plan.

This LAR includes the proposed RBS Cyber Security Plan (Attachment 6) that conforms to the template provided in NEI 08-09. In addition, the LAR includes the proposed change to the existing FOL license condition for "Physical Protection" (Attachments 2 and 3). The LAR

RBS Cyber Security Plan Submittal RBG-46983 Page 3 of 6 contains the proposed implementation schedule (Attachment 4) as required by 10 CFR 73.54. Attachment 5 explains deviations from NEI 08-09, Revision 3, Appendix A, to reflect later industry, NRC discussions.

4.0 REGULATORY EVALUATION

4.1 Applicable Regulatory Requirements / Criteria This LAR is submitted pursuant to 10 CFR 73.54 which requires licensees currently licensed to operate a nuclear power plant under 10 CFR Part 50 to submit a Cyber Security Plan as specified in 10 CFR 50.4 and 10 CFR 50.90.

4.2 Significant Hazards Consideration Entergy has evaluated whether or not a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of Amendment," as discussed below:

1: The proposed change does not involve a significant increase in the probabilityor consequences of an accident previously evaluated.

The proposed change is required by 10 CFR 73.54 and includes three parts. The first part is the submittal of the RBS Cyber Security Plan for NRC review and approval. The RBS Cyber Security Plan conforms to the template provided in NEI 08-09 with deviations and provides a description of how the requirements of the Rule will be implemented at RBS. The RBS Cyber Security Plan establishes the licensing basis for the RBS Cyber Security Program.

The RBS Cyber Security Plan establishes how to achieve high assurance that nuclear power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks up to and including the design basis threat:

1. Safety-related and important-to-safety functions,
2. Security functions,
3. Emergency preparedness functions including offsite communications, and
4. Support systems and equipment which, if compromised, would have a significant impact on safety, security, or emergency preparedness functions.

Part one of the proposed change is designed to achieve high assurance that the systems are protected from cyber attacks. The RBS Cyber Security Plan itself does not require any plant modifications. However, the RBS Cyber Security Plan does describe how plant modifications which involve digital computer systems are reviewed to provide high assurance of adequate protection against cyber attacks, up to and including the design basis threat as defined in the Rule. The proposed change does not alter the plant configuration, require new plant equipment to be installed, alter accident analysis assumptions, add any initiators, or effect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected. The first part of the proposed change is designed to achieve

RBS Cyber Security Plan Submittal RBG-46983 Page 4 of 6 high assurance that the systems within the scope of the Rule are protected from cyber attacks and has no impact on the probability or consequences of an accident previously evaluated.

The second part of the proposed change is an implementation schedule. The third part adds a sentence to the existing facility operating license condition for Physical Protection. Both of these changes are administrative and have no impact on the probability or consequences of an accident previously evaluated.

Therefore, it is concluded that this change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2: The proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.

The proposed change is required by 10 CFR 73.54 and includes three parts. The first part is the submittal of the RBS Cyber Security Plan for NRC review and approval. The RBS Cyber Security Plan conforms to the template provided by NEI 08-09 with deviations and provides a description of how the requirements of the Rule will be implemented at RBS. The RBS Cyber Security Plan establishes the licensing basis for the RBS Cyber Security Program.

The RBS Cyber Security Plan establishes how to achieve high assurance that nuclear power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks up to and including the design basis threat:

1. Safety-related and important-to-safety functions,
2. Security functions,
3. Emergency preparedness functions including offsite communications, and
4. Support systems and equipment which, if compromised, would have a significant impact on safety, security, or emergency preparedness functions.

Part one of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks. The RBS Cyber Security Plan itself does not require any plant modifications. However, the RBS Cyber Security Plan does describe how plant modifications involving digital computer systems are reviewed to provide high assurance of adequate protection against cyber attacks, up to and including the design basis threat defined in the Rule. The proposed change does not alter the plant configuration, require new plant equipment to be installed, alter accident analysis assumptions, add any initiators, or effect the function of plant systems or the manner in which systems are operated, maintained, modified, tested, or inspected. The first part of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks and does not create the possibility of a new or different kind of accident from any previously evaluated.

The second part of the proposed change is an Implementation Schedule. The third part adds a sentence to the existing facility operating license condition for Physical Protection. Both of

RBS Cyber Security Plan Submittal RBG-46983 Page 5 of 6 these changes are administrative and do not create the possibility of a new or different kind of accident from any previously evaluated.

Therefore, the proposed change does not create the possibility of a new or different kind of accident from any previously evaluated.

3: The proposedchange does not involve a significant reduction in a margin of safety.

The proposed change is required by 10 CFR 73.54 and includes three parts. The first part is the submittal of the RBS Cyber Security Plan for NRC review and approval. The RBS Cyber Security Plan conforms to the template provided by NEI 08-09 with deviations and provides a description of how the requirements of the Rule will be implemented at RBS. The RBS Cyber Security Plan establishes the licensing basis for the RBS Cyber Security Program.

The RBS Cyber Security Plan establishes how to achieve high assurance that nuclear power plant digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks up to and including the design basis threat:

1. Safety-related and important-to-safety functions,
2. Security functions,
3. Emergency preparedness functions including offsite communications, and
4. Support systems and equipment which, if compromised, would have a significant impact on safety, security, or emergency preparedness functions.

Part one of the proposed change is designed to achieve high assurance that the systems within the scope of the Rule are protected from cyber attacks. Plant safety margins are established through limiting conditions for operation, limiting safety system settings and safety limits specified in the Technical Specifications. Because there is no change to these established safety margins, the proposed change does not involve a significant reduction in a margin of safety.

The second part of the proposed change is an implementation schedule. The third part adds a sentence to the existing facility operating license condition for Physical Protection. Both of these changes are administrative and do not involve a significant reduction in a margin of safety.

Therefore, the proposed change does not involve a significant reduction in a margin of safety.

Based on the above, Entergy concludes that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and accordingly, a finding of no significant hazards consideration is justified.

RBS Cyber Security Plan Submittal RBG-46983 Page 6 of 6 4.3 Conclusion In conclusion, based on the considerations discussed above: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) such activities will be conducted in compliance with the Commission's regulations; and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

5.0 ENVIRONMENTAL CONSIDERATION

The proposed amendment establishes the licensing basis for a Cyber Security Program for RBS and will be a part of the RBS Cyber Security Plan. The proposed amendment meets the eligibility criterion for a categorical exclusion set forth in 10 CFR 51.22(c)(1 2). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.

6.0 REFERENCES

1. Federal Register Notice, Final Rule 10 CFR Part 73, Power Reactor Security Requirements, published on March 27, 2009, 74 FR 13926.
2. EA-02-026, Order Modifying Licenses, Safeguards and Security Plan Requirements, issued February 25, 2002.

RBS Cyber Security Plan Submittal RBG-46983 Page 1 of 2 Attachment 2 Proposed Operating License Changes (Mark-up)

D. The licensee shall fully implement and maintain in effect all provisions of the Commission-approved, physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to the provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Physical Security, Safeguards Contingency and Training & Qualification Plan,"

submitted by letter dated May 16, 2006.

E. The licensee shall fully implement in accordance with an NRC-approved implementation schedule and maintain in effect all provisions of the Commission-approved RBS Cyber Security Plan submitted by letter dated November 19, 2009, and withheld from public disclosure in accordance with 10 CFR 2.390.

E-F. Except as otherwise provided in the Technical Specifications or Environmental Protection Plan, EOI shall report any violations of the requirements contained in Section 2, Items C.(1); C.(3) through (9); and C.(1 1) through (16) of this license in the following manner: initial notification shall be made within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to the NRC Operations Center via the Emergency Notification System with written followup within 60 days in accordance with the procedures described in 10 CFR 50.73(b), (c) and (e).

FG. The licensee shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

GH. This license is effective as of the date of issuance and shall expire at midnight on August 29, 2025.

FOR THE NUCLEAR REGULATORY COMMISSION Harold R. Denton, Director Office of Nuclear Reactor Regulation

Enclosures:

1. Attachments 1-5
2. Appendix A - Technical Specifications (NUREG-1 172)
3. Appendix B - Environmental Protection Plan
4. Appendix C - Antitrust Conditions Date of Issuance: November 20, 1985 Revised: December 16, 1993 Amendment No. 70 795 119 135 R evised by l ett dated e ctober r 28,2 Revised by eottor dated Novombor 19, 2001 Rovisod by lottcr dated Januar,' 21, 200 Revised by letter dated ___

RBS Cyber Security Plan Submittal RBG-46983 Page 1 of 2 Attachment 3 Revised Operating License Pages

D. The licensee shall fully implement and maintain in effect all provisions of the' Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to the provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Physical Security, Safeguards Contingency and Training & Qualification Plan,"

submitted by letter dated May 16, 2006.

E. The licensee shall fully implement in accordance with an NRC-approved implementation schedule and maintain in effect all provisions of the Commission-approved RBS Cyber Security Plan submitted by letter dated November 19, 2009, and withheld from public disclosure in accordance with 10 CFR 2.390.

F. Except as otherwise provided in the Technical Specifications or Environmental Protection Plan, EOI shall report any violations of the requirements contained in Section 2, Items C.(1); C.(3) through (9); and C.(1 1) through (16) of this license in the following manner: initial notification shall be made within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to the NRC Operations Center via the Emergency Notification System with written followup within 60 days in accordance with the procedures described in 10 CFR 50.73(b), (c) and (e).

G. The licensee shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability, claims.

H. This license is effective as of the date of issuance and shall expire at midnight on August 29, 2025.

FOR THE NUCLEAR REGULATORY COMMISSION Harold R. Denton, Director Office of Nuclear Reactor Regulation

Enclosures:

5. Attachments 1-5
6. Appendix A - Technical Specifications (NUREG-1 172)
7. Appendix B - Environmental Protection Plan
8. Appendix C - Antitrust Conditions Date of Issuance: November 20, 1985 Revised: December 16,1993 Amendment No. 70 798*8 14**16 Revised by Iettor dated Oc~tobor 28, 20 Revised by lctter dated- Noevember: 19, 2001 Reviced by Iotter dated January 21, 2007 Revised by letter dated