License Amendment Request, Request for Approval of the Fcs/Oppd Cyber Security Plan

ML102080452
Person / Time
Site:	Fort Calhoun
Issue date:	07/26/2010
From:	Reinhart J Omaha Public Power District
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
LIC-10-0055
Download: ML102080452 (42)
v • d • e

Text

444 South 16th Street Mall Omaha, NE 68102-2247 LIC-10-0055 July 26, 2010 U.S. Nuclear Regulatory Commission Attn: Document Control Desk Washington, DC 20555-0001

REFERENCES:

1. Docket No. 50-285

2. Nuclear Energy Institute 08-09 [Rev. 6], Cyber Security Plan for Nuclear Power Reactors, dated April 2010

3. Letter from OPPD (J. A. Reinhart) to NRC (Document Control Desk), Fort Calhoun Station, Unit No. 1, License Amendment Request (LAR), Request for Approval of the FCS/OPPD Cyber Security Plan, dated November 16, 2009 (LIC-09-0092)

(ML093210542)

4. Letter from NRC (L. E. Wilkins) to OPPD (D. J. Bannister) Fort Calhoun Station, Unit No.1 - License Amendment Request for Approval of the Cyber Security Plan (TAC No. ME2699), dated May 28, 2010 (NRC-10-0039) (ML101410007)

SUBJECT:

Fort Calhoun Station, Unit No. 1, License Amendment Request (LAR),

Request for Approval of the FCS / OPPD Cyber Security Plan In accordance with the provisions of 10 CFR 50.4 and 50.90, the Omaha Public Power District (OPPD) requests an amendment to the Renewed Facility Operating License (FOL) for Fort Calhoun Station (FCS), Unit No. 1. NRC approval is requested for the FCS / OPPD Cyber Security Plan, the proposed implementation schedule, and a sentence to be added to the existing FOL physical protection license condition requiring FCS / OPPD to fully implement and maintain in effect all provisions of the Commission approved Cyber Security Plan.

The proposed Cyber Security Plan conforms to the model application contained in Reference 2 with minor deviations as discussed in the enclosed evaluation.

In accordance with Reference 4, OPPD hereby withdraws the license amendment request of Reference 3 and supersedes it in its entirety with this submittal.

Employment with Equal Opportunity

U. S. Nuclear Regulatory Commission LIC-1 0-0055 Page 2 provides an evaluation of the proposed amendment and contains the following attachments:

• Attachment 1 provides the existing FOL page marked up to show the proposed change.

• Attachment 2 provides the proposed FOL page in final typed format. provides a copy of the FCS I OPPD Cyber Security Plan, which is a standalone document that will be incorporated by reference into the FCS I OPPD Security Plan upon approval. Enclosure 3 provides a proposed Cyber Security Plan implementation schedule. In accordance with 10 CFR 50.91, a copy of this application, with attachments, is being provided to the designated State of Nebraska Official.

OPPD requests a period of 30 days following NRC approval to issue the revised FOL page. Commitments contained within the Cyber Security Plan implementation schedule will be tracked by the FCS Commitment Tracking Program.

I declare under penalty of perjury that the foregoing is true and correct. Executed on July 26,2010.

If you should have any questions regarding this submittal, please contact Mr. Bill Hansher at 402-533-6894. - Evaluation of Proposed Amendment - FCS I OPPD Cyber Security Plan - Cyber Security Plan Implementation Schedule cc: E. E. Collins, NRC Regional Administrator, Region IV L. E. Wilkins, NRC Project Manager J. C. Kirkland, NRC Senior Resident Inspector Manager Radiation Control Program. Nebraska Health & Human Services, R & L Public Health Assurance, State of Nebraska

LIC-10-0055 Page 1 Evaluation of Proposed Amendment Request for Approval of the FCS / OPPD Cyber Security Plan 1.0 Summary Description 2.0 Detailed Description 3.0 Technical Evaluation 4.0 Regulatory Evaluation 4.1 Applicable Regulatory Requirements / Criteria 4.2 Significant Hazards Consideration 4.3 Conclusion 5.0 Environmental Consideration 6.0 References ATTACHMENTS - Proposed Renewed Facility Operating License Change (Mark-Up) - Proposed Renewed Facility Operating License Change (Re-Typed)

LIC-10-0055 Page 2 1.0

SUMMARY

DESCRIPTION This license amendment request (LAR) includes the proposed Fort Calhoun Station (FCS) Unit No. 1 / Omaha Public Power District (OPPD) Cyber Security Plan (Plan), an implementation schedule, and a proposed sentence to be added to the existing Renewed Facility Operating License (FOL) physical protection license condition. This LAR supersedes Reference 6.1 in its entirety.

2.0 DETAILED DESCRIPTION The proposed LAR includes three parts: the proposed Plan, an implementation schedule, and a proposed sentence to be added to the existing FOL physical protection license condition to require FCS / OPPD to fully implement and maintain in effect all provisions of the Commission-approved Cyber Security Plan as required by 10 CFR 73.54. Federal Register notice 74 FR 13926 issued the final rule that amended 10 CFR Part 73. The regulations in 10 CFR 73.54, "Protection of digital computer and communication systems and networks," establish the requirements for a cyber security program. This regulation specifically requires each licensee currently licensed to operate a nuclear power plant under Part 50 of this chapter to submit a cyber security plan that satisfies the requirements of the Rule. Each submittal must include a proposed implementation schedule and implementation of the licensee's cyber security program must be consistent with the approved schedule. The background for this application is addressed by the NRC Notice of Availability published on March 27, 2009, 74 FR 13926 (Reference 6.2).

3.0 TECHNICAL EVALUATION

Federal Register notice 74 FR 13926 issued the final rule that amended 10 CFR Part

73. Cyber security requirements are codified in 10 CFR 73.54 and are designed to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the design basis threat established by 10 CFR 73.1(a)(1)(v). These requirements are substantial improvements upon the requirements imposed by EA-02-026 (Reference 6.3).

By letter dated April 28, 2010 (Reference 6.4), the Nuclear Energy Institute (NEI) submitted Revision 6 to NEI 08-09, "Cyber Security Plan for Nuclear Power Reactors" (Reference 6.5), which contains changes that address the NRC staff concerns associated with previous revisions. Based on a technical review of the document (Reference 6.6), the NRC concluded that submission of a cyber security plan using the template provided in NEI 08-09, Revision 6, would be acceptable for use by licensees to comply with the requirements of 10 CFR 73.54, with the exception of the definition of "cyber attack".

In response, NEI submitted (Reference 6.7) the following definition of cyber attack to maintain alignment with agreements reached with the NRC staff during development of

LIC-10-0055 Page 3 NEI 08-09, Revision 6:

Any event in which there is reason to believe that an adversary has committed or caused, or attempted to cause, or has made a credible threat to commit or cause malicious exploitation of a CDA.

NEI has stated (Reference 6.7), that this definition will be included in a future revision of NEI 08-09. The enclosed FCS / OPPD Cyber Security Plan utilizes the revised definition as accepted by the NRC in Reference 6.8.

This LAR includes the proposed Plan (Enclosure 2), which conforms to the template provided in NEI 08-09, Revision 6, with minor deviations as noted below. In addition, the LAR includes the proposed change to the existing license condition for physical protection (Attachments 1 and 2) and contains the proposed implementation schedule (Enclosure 3) as required by 10 CFR 73.54.

FCS / OPPD Cyber Security Plan NEI 08-09, Revision 6 Deviation Table NEI 08-09 FCS / OPPD Cyber Justification Security Plan Deviation Appendix A, NEI 08-09, Revision 6, It is not always possible to eliminate Section 3.1.6, Item Appendix A, Section 3.1.6, every threat/attack vector without 2 Item 2 currently states that adversely impacting the ability of a threat/attack vectors must critical digital asset or system to be eliminated. The FCS / function safely. Although it may be OPPD Cyber Security possible to eliminate external Plan has revised its threat/attack vectors, if a system is implementation of this powered on, it is unlikely that the item to state that insider threat/attack vector can threat/attack vectors must always be eliminated. Therefore, be eliminated or mitigated. robust mitigation measures will also serve to protect critical digital assets/systems where elimination of the threat/attack vectors is very difficult to achieve.

Appendix B, Section 1 of the FCS / The definition of cyber attack Definition of Cyber OPPD Cyber Security proposed by NEI in Reference 6.7, Attack Plan notes that the maintains alignment with agreements definition of cyber attack reached with the NRC staff during was revised by Reference development of NEI 08-09, Revision 6.7. 6.

LIC-10-0055 Page 4 NEI 08-09 FCS / OPPD Cyber Justification Security Plan Deviation Appendix E, The FCS / OPPD Cyber Bullet No. 4 conflicts with Bullet No. 5 Section 6, Bullet Security Plan will not be and Section 4.3 Defense in Depth No. 4 implemented in Strategy. Bullet No. 4 also conflicts accordance with Bullet No. with Regulatory Guide 5.71, Section 4, which allows only one- 3.2.1, Bullet No. 2. Eliminating the way direct data flow from requirements of Bullet No. 4 removes higher security levels to this contradiction and does not lower security levels. adversely affect the ability of the FCS

/ OPPD Cyber Security Plan to meet regulatory requirements.

4.0 REGULATORY EVALUATION

4.1 APPLICABLE REGULATORY REQUIREMENTS / CRITERIA This LAR is submitted pursuant to 10 CFR 73.54 which requires licensees currently licensed to operate a nuclear power plant under 10 CFR Part 50 to submit a Cyber Security Plan as specified in 10 CFR 50.4 and 50.90.

4.2 SIGNIFICANT HAZARDS CONSIDERATION The Omaha Public Power District (OPPD) has evaluated the proposed change using the criteria in 10 CFR 50.92 and has determined that the proposed change does not involve a significant hazards consideration. An analysis of the issue of no significant hazards consideration is presented below:

1. Do the proposed changes involve a significant increase in the probability or consequences of an accident previously evaluated.

No.

The proposed amendment incorporates a new requirement in the Facility Operating License to implement and maintain a Cyber Security Plan as part of the facility's overall program for physical protection. Inclusion of the Cyber Security Plan in the Facility Operating License (FOL) itself does not involve any modifications to the safety-related structures, systems or components (SSCs). Rather, the Cyber Security Plan describes how the requirements of 10 CFR 73.54 are to be implemented to identify, evaluate, and mitigate cyber attacks up to and including the design basis cyber attack threat, thereby achieving high assurance that the facility's digital computer and communications systems and networks are protected from cyber attacks. The implementation and incorporation of the Cyber Security Plan into the FOL will not alter previously evaluated Updated Safety Analysis Report (USAR) design basis accident analysis assumptions, add any accident initiators, or affect the

LIC-10-0055 Page 5 function of the plant safety-related SSCs as to how they are operated, maintained, modified, tested, or inspected.

Therefore, the proposed amendment does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Do the proposed changes create the possibility of a new or different kind of accident from any accident previously evaluated.

No.

The proposed amendment provides assurance that safety-related SSCs are protected from cyber attacks. Implementation of 10 CFR 73.54 and inclusion of the Cyber Security Plan in the FOL do not result in the need for any new or different USAR design basis accident analysis. It does not introduce new equipment that could create a new or different kind of accident, and no new equipment failure modes are created. As a result, no new accident scenarios, failure mechanisms, or limiting single failures are introduced as a result of the proposed amendment.

Therefore, the proposed amendment does not create the possibility of a new or different kind of accident than those previously evaluated.

3. Do the proposed changes involve a significant reduction in a margin of safety.

No.

The margin of safety is associated with the confidence in the ability of the fission product barriers (i.e., fuel cladding, reactor coolant pressure boundary, and containment structure) to limit the level of radiation to the public. The proposed amendment would not alter the way any safety-related SSC functions and would not alter the way the plant is operated. The amendment provides assurance that safety-related SSCs are protected from cyber attacks. The proposed amendment would not introduce any new uncertainties or change any existing uncertainties associated with any safety limit. The proposed amendment would have no impact on the structural integrity of the fuel cladding, reactor coolant pressure boundary, or containment structure. Based on the above considerations, the proposed amendment would not degrade confidence in the ability of the fission product barriers to limit the level of radiation to the public.

Therefore, the proposed amendment does not involve a significant reduction in a margin of safety.

Based on the above, OPPD concludes that the proposed amendment presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c),

and accordingly, a finding of no significant hazards consideration is justified.

LIC-10-0055 Page 6

4.3 CONCLUSION

In conclusion, based on the considerations discussed above: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) such activities will be conducted in compliance with the Commission's regulations; and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

5.0 ENVIRONMENTAL CONSIDERATION

The proposed amendment establishes the licensing basis for a Cyber Security Program for FCS and will be a part of the Physical Security Plan. This proposed amendment will not involve any significant construction impacts. Pursuant to 10 CFR 51.22(b)(12), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.

6.0 REFERENCES

6.1 Letter from OPPD (J. A. Reinhart) to NRC (Document Control Desk), Fort Calhoun Station, Unit No. 1, License Amendment Request (LAR), Request for Approval of the FCS/OPPD Cyber Security Plan, dated November 16, 2009 (LIC-09-0092) (ML093210542) 6.2 Federal Register Notice, Final Rule 10 CFR Part 73, Power Reactor Security Requirements, published on March 27, 2009, 74 FR 13926 6.3 EA-02-026, Order Modifying Licenses, Safeguards and Security Plan Requirements, issued February 25, 2002 6.4 Letter from NEI (J. W. Roe) to NRC (S. A. Morris), NEI 08-09, Revision 6, Cyber Security Plan for Nuclear Power Reactors, April 2010, dated April 28, 2010 (ML101180434) 6.5 Nuclear Energy Institute 08-09 [Rev. 6], Cyber Security Plan for Nuclear Power Reactors, dated April 2010 (ML101180437) 6.6 Letter from NRC (R. P. Correia) to NEI (J. Roe), Nuclear Energy Institute 08-09, Cyber Security Plan Template, Rev 6, dated May 5, 2010 (ML101190371) 6.7 Letter from NEI (C. E. Earls) to NRC (R. P. Correia), NEI 08-09, Revision 6, Cyber Security Plan for Nuclear Power Reactors, April 2010 (ML101550061) 6.8 Letter from NRC (R. P. Correia) to NEI (C. E. Earls), Nuclear Energy Institute 08-09, Cyber Security Plan Template, Rev. 6, dated June 7, 2010 (ML101550052)

LIC-10-0055 , Attachment 1 Page 1 Proposed Renewed Facility Operating License Change (Mark-Up)1 1

Deleted text shown in strikeout; added text in underline.

(4) Pursuant to the Act and 10 CFR Parts 30, 40 and 70, to receive, possess, and use in amounts as required any byproduct, source, or special nuclear material without restriction to chemical or physical form for sample analysis or instrument calibration or when associated with radioactive apparatus or components; (5) Pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by operation of the facility.

3. This renewed license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter 1: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Section 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

A. Maximum Power Level Omaha Public Power District is authorized to operate the Fort Calhoun Station, Unit 1, at steady state reactor core power levels not in excess of 1500 megawatts thermal (rate power).

B. Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 265, are hereby incorporated in the license. Omaha Public Power District shall operate the facility in accordance with the Technical Specifications.

C. Security and Safeguards Contingency Plans (1) The Omaha Public Power District shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plans, which contain Safeguards Information protected under 10 CFR 73.21, are entitled: "Fort Calhoun Station Security Plan, Training and Qualification Plan, Safeguards Contingency Plan," submitted by letter dated May 19, 2006.

(2) The Omaha Public Power District shall fully implement and maintain in effect all provisions of the Commission-approved Cyber Security Plan submitted by letter dated July 26, 2010.

Renewed Operating License No. DPR-40 Amendment No. 265

LIC-10-0055 , Attachment 2 Page 1 Proposed Renewed Facility Operating License Change (Re-Typed)

(4) Pursuant to the Act and 10 CFR Parts 30, 40 and 70, to receive, possess, and use in amounts as required any byproduct, source, or special nuclear material without restriction to chemical or physical form for sample analysis or instrument calibration or when associated with radioactive apparatus or components; (5) Pursuant to the Act and 10 CFR Parts 30 and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by operation of the facility.

3. This renewed license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter 1: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Section 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

A. Maximum Power Level Omaha Public Power District is authorized to operate the Fort Calhoun Station, Unit 1, at steady state reactor core power levels not in excess of 1500 megawatts thermal (rate power).

B. Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 265, are hereby incorporated in the license. Omaha Public Power District shall operate the facility in accordance with the Technical Specifications.

C. Security and Safeguards Contingency Plans (1) The Omaha Public Power District shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plans, which contain Safeguards Information protected under 10 CFR 73.21, are entitled: "Fort Calhoun Station Security Plan, Training and Qualification Plan, Safeguards Contingency Plan," submitted by letter dated May 19, 2006.

(2) The Omaha Public Power District shall fully implement and maintain in effect all provisions of the Commission-approved Cyber Security Plan submitted by letter dated July 26, 2010.

Renewed Operating License No. DPR-40 Amendment No. 265

LIC-10-0055 FCS / OPPD Cyber Security Plan

FORT CALHOUN STATION /

OMAHA PUBLIC POWER DISTRICT CYBER SECURITY PLAN

FORT CALHOUN STATION /

OMAHA PUBLIC POWER DISTRICT CYBER SECURITY PLAN 1 INTRODUCTION The purpose of this Cyber Security Plan (Plan) is to provide a description of how the requirements of 10 CFR 73.54, Protection of digital computer and communication systems and networks (Rule) are implemented at Fort Calhoun Station (FCS). The intent of this Plan is to protect the health and safety of the public from radiological sabotage as a result of a cyber attack as described in 10 CFR 73.1. 10 CFR 50.34(c),

Physical Security Plan, requires the inclusion of a physical security plan. Omaha Public Power District (OPPD) acknowledges that the implementation of this plan does not alleviate their responsibility to comply with other NRC regulations.

Further, 10 CFR 50.34(c)(2) states in part that Each applicant for an operating license for a utilization facility that will be subject to the requirements of 10 CFR 73.55 of this chapter must include a cyber security plan in accordance with the criteria set forth in 10 CFR 73.54 of this chapter. This Cyber Security Plan establishes the licensing basis for the Cyber Security Program (Program) for FCS.

A Glossary of terms1 used within this Plan and Appendices of NEI 08-09, Revision 6, is contained in Appendix B of NEI 08-09, Revision 6.

2 CYBER SECURITY PLAN 2.1 SCOPE AND PURPOSE This Plan establishes a means to achieve high assurance that digital computer and communication systems and networks associated with the following functions (hereafter designated as Critical Digital Assets (CDAs)) are adequately protected against cyber attacks up to and including the Design Basis Threat (DBT) as described in 10 CFR 73.1:

1. Safety-related and important-to safety functions;

2. Security functions;

3. Emergency preparedness functions including offsite communications; and

4. Support systems and equipment which if compromised, would adversely impact safety, security, or emergency preparedness functions.

The safety-related and important-to safety functions, security functions, and emergency preparedness functions including offsite communications are herein referred to as SSEP functions.

1 The definition of cyber attack was subsequently revised in a letter from NEI (C. E. Earls), to the NRC (R.

P. Correia) dated June 2, 2010. (ML101550061) 1

High assurance of adequate protection of systems associated with the above functions from cyber attacks is achieved by:

1. Implementing and documenting the baseline cyber security controls described in Section 3.1.6 of this Plan; and

2. Implementing and documenting a cyber security program to maintain the established cyber security controls through a comprehensive life cycle approach as described in Section 4 of this Plan.

2.2 PERFORMANCE REQUIREMENTS 10 CFR 73.55(a)(1) requires that licensees implement the requirements of this section through its Commission-approved Physical Security Plan, Training and Qualification Plan, Safeguards Contingency Plans, and Cyber Security Plan, referred to collectively as security plans.

As required by 10 CFR 73.54(b)(3), cyber security is a component of the physical protection program. As such, this Plan establishes how digital computer and communication systems and networks within the scope of 10 CFR 73.54 are adequately protected from cyber attacks up to and including the DBT characteristics described in RG 5.69, Guidance for the Application of the Radiological Sabotage Design Basis Threat in the Design, Development and Implementation of a Physical Security Program that Meets 10 CFR 73.55 Requirements. (Safeguards Information (SGI))

Performance based requirements demonstrated in this Plan are designed to:

2.2.1 Evaluate modifications to CDAs prior to implementation to achieve high assurance that digital computer and communications systems and networks are adequately protected against cyber attacks, up to and including the DBT. (10 CFR 73.54(a)(1) and 10 CFR 73.54(d)(3))

2.2.2 Prevent adverse impact to SSEP functions resulting from cyber attacks, that would adversely impact the integrity or confidentiality of data and/or software, deny access to systems, services, and/or data, and adversely impact the operation of systems, networks, and associated equipment to protect against the DBT. (10 CFR 73.54(a)(2) and 10 CFR 73.55(b)(2))

2.2.3 Analyze digital computer and communications systems and networks and identify those assets that must be protected against cyber attack to preserve the intended function of plant systems, structures, and components within the scope of the Rule and account for these conditions in the design of the Program. (10 CFR 73.54(b)(1) and 10 CFR 73.55(b)(4))

2.2.4 Establish, implement and maintain the Program in accordance with 10 CFR73.54. (10 CFR 73.54(b)(2) and 10 CFR 73.55(b)(8))

2.2.5 Incorporate the cyber security program as a component of the physical protection program. (10 CFR 73.54(b)(3) and 10 CFR 73.55(b)(8))

2

2.2.6 Implement security controls to protect the identified assets from cyber attacks. (10 CFR 73.54(c)(1))

2.2.7 Provide defense-in-depth through the integration of systems, technologies, programs, equipment, supporting processes, and implementing procedures as needed to ensure effectiveness of the Program. (10 CFR 73.54(c)(2) and 10 CFR 73.55(b)(3)(ii))

2.2.8 Maintain the capability to mitigate the adverse consequences of cyber attacks. (10 CFR 73.54(c)(3) and 10 CFR 73.54(e)(2)(ii))

2.2.9 Ensure that the functions of identified protected assets are not adversely impacted due to cyber attacks. (10 CFR 73.54(c)(4))

2.2.10 Ensure that appropriate facility personnel, including contractors, are aware of cyber security requirements and receive the training necessary to perform their assigned duties and responsibilities. (10 CFR 73.54(d)(1))

2.2.11 Use the site corrective action program to: 1) track, trend, correct, and prevent recurrence of cyber security failures and deficiencies, and 2) evaluate and manage cyber risks. (10 CFR 73.54(d)(2) and 10 CFR 73.55(b)(10))

2.2.12 Describe how the cyber security program requirements will be implemented; accounting for the site-specific conditions that affect implementation. (10 CFR 73.54(e)(1))

2.2.13 Ensure that the Program maintains the capability to detect, respond to, and recover from cyber attacks up to and including the design basis threat of radiological sabotage as stated in 10 CFR73.1 at all times. (10 CFR 73.54(e)(2)(i), 10 CFR 73.54(e)(2)(iv) and 10 CFR73.55(b)(2))

2.2.14 Maintain the capability to correct exploited vulnerabilities. (10 CFR73.54(e)(2)(iii))

2.2.15 Demonstrate the ability to meet Commission requirements through implementation of the Program in licensee policies and procedures which are available upon the request of an authorized representative of the Commission. (10 CFR 73.54(f) and 10 CFR 73.55(b)(5))

2.2.16 Review the cyber security program as a component of the physical security program, including the periodicity requirements. (10 CFR 73.54(g) and 10 CFR 73.55(m))

2.2.17 Describe how all records and supporting technical documentation are retained. (10 CFR 73.54(h))

2.2.18 Coordinate implementation of this Plan and associated procedures with other FCS procedures to preclude conflict during both normal and emergency conditions. (10 CFR 73.55(b)(11))

3

3 ANALYZING DIGITAL COMPUTER SYSTEMS AND NETWORKS The Cyber Security Program is established, implemented and maintained in accordance with 10 CFR 73.54(b)(2) and 10 CFR 73.55(b)(8) to protect those systems required by 10 CFR 73.54(a)(1)(i-iv) from cyber attacks that would: adversely impact the integrity or confidentiality of data and/or software; deny access to systems, services and/or data; or adversely impact the operation of systems, networks, and associated equipment. This Cyber Security Program complies with 10 CFR 73.54 by implementing cyber security controls, defensive strategies, and attack mitigation methods that meet the Rule.

The cyber security controls described in Appendices D and E of NEI 08-09, Revision 6, are implemented in accordance with Section 3.1.6 of this Plan. Documentation of the cyber security controls in place for CDAs are not submitted with this Plan but are available on site for inspection by the NRC. Cyber security program changes that are determined to decrease the effectiveness of this Plan are submitted to the NRC for approval as required by 10 CFR 50.90. Revisions to this Plan are processed in accordance with procedures that implement the requirements of 10 CFR 50.54(p).

Cyber attacks at FCS are reported to the NRC in accordance with the requirements of 10 CFR 73, Appendix G.

3.1 ANALYZING DIGITAL COMPUTER SYSTEMS AND NETWORKS AND APPLYING CYBER SECURITY CONTROLS In accordance with 10 CFR 73.54(b)(1), the Cyber Security Program is established, implemented, and is maintained to:

• Analyze digital computer and communications systems and networks, and

• Identify those assets that must be protected against cyber attacks to satisfy 10 CFR 73.54(a).

In accordance with 10 CFR 73.54(c)(1), cyber security controls are implemented to protect the assets identified by 10 CFR 73.54(b)(1) from cyber attacks. The cyber security controls provided in Appendices D and E of NEI 08-09, Revision 6 are used as the basis for protecting the identified CDAs.

Cyber security risks are evaluated, managed, and mitigated to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the DBT. The cyber security controls provided in Appendices D and E of NEI 08-09, Revision 6 are the technical, operational, and management countermeasures available to protect the availability, integrity, and confidentiality of CDAs. The cyber security controls in Appendices D and E of NEI 08-09, Revision 6 are implemented using the methodology in Sections 3.1.1 through 3.1.6 below. In so doing, high assurance of adequate protection of CDAs associated with SSEP functions from cyber attacks defined by 10 CFR 73.1 and RG 5.69 is ensured.

4

3.1.1 Cyber Security Assessment and Authorization OPPD develops, disseminates, periodically reviews in accordance with 10 CFR 73.55(m), and updates:

• A formal, documented, cyber security assessment and authorization policy and/or procedure that defines and addresses: the purpose, scope, roles, responsibilities, management commitment, and coordination among departments; and the implementation of the cyber security controls in Appendices D and E of NEI 08-09, Revision 6.

• A formal, documented procedure to facilitate the implementation of the cyber security assessment.

3.1.2 Cyber Security Assessment Team A Cyber Security Assessment Team (CSAT) is formed consisting of individuals with broad knowledge in the following areas:

• Information and digital system technology - This includes cyber security, software development, offsite communications, computer system administration, computer engineering and computer networking. Knowledge of the digital systems involved in plant operations, including digital instrumentation and control systems, and those involved in plant information systems, is included. Plant operational systems include programmable logic controllers, control systems, and distributed control systems. Information systems include computer systems and databases containing information used to design, operate, and maintain CDAs. In the networking arena, knowledge of both plant- and corporate-wide networks is included.

• Nuclear power plant operations, engineering, and nuclear safety - This includes overall facility operations and plant technical specifications. The staff representing this technical area has the ability to trace the impact of a vulnerability or series of vulnerabilities in a CDA (or connected digital asset) outward through plant systems and subsystems so that the overall impact on SSEP functions of the plant can be evaluated.

• Physical security and emergency preparedness - This includes the sites physical security and emergency preparedness systems and programs.

The roles and responsibilities of the CSAT include such activities as:

• Performing or overseeing stages of the cyber security assessment process.

• Documenting key observations, analyses, and findings during the assessment process.

• Evaluating assumptions and conclusions about cyber security threats; potential vulnerabilities to, and consequences from an attack; the effectiveness of existing cyber security controls, defensive strategies, and attack mitigation methods; cyber security awareness and training of those 5

working with, or responsible for CDAs and cyber security controls throughout their system life cycles; and estimates of cyber security risk levels.

• Confirming information acquired during tabletop reviews by conducting walk-downs or electronic validation of CDAs and connected digital assets, and associated cyber security controls.

• Identifying potential new cyber security controls.

• Documenting the required cyber security control application per Section 3.1.6 of this Plan.

• Transmitting assessment documentation, including supporting information, to Records Management in accordance with 10 CFR 73.54(h) and the record retention requirements specified in Section 4.13 of this Plan.

The CSAT has the authority to conduct an assessment in accordance with the requirements of Section 3 of this Plan.

3.1.3 Identification of Critical Digital Assets The CSAT:

• Identifies and documents Critical Systems (CS), which must be protected under the Rule. (Refer to NEI 08-09, Revision 6, Appendix B, Glossary for definition of Critical System)

• Identifies and documents Critical Digital Assets (CDAs). (Refer to NEI 08-09, Revision 6, Appendix B, Glossary for definition of Critical Digital Asset)

The process by which CDAs are identified has been documented.

For each CS examined, the documentation includes the following:

• Identification of the Critical System;

• Identification of the digital devices that provide direct or supporting roles in the function of the CS (e.g., protection, control, monitoring, reporting, or communications);

• Identification of CDAs within the Critical System;

• General description of the CDAs;

• Brief description of overall function of the CDAs;

• Description of overall consequence to the CS and SSEP functions if a compromise of the CDA occurs; and

• Security functional requirements or specifications, as available, that include the following:

o Information security requirements necessary for vendors and developers to maintain the integrity of acquired systems; o Secure configuration, installation, and operation of the CDA; o Effective use and maintenance of security features/functions; o Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; 6

o User-accessible security features/functions and how to effectively use those security features/functions; o Methods for user interaction with CDAs, which enables individuals to use the system in a more secure manner; and o User responsibilities in maintaining the security of the CDA.

3.1.4 Examination of Cyber Security Practices The CSAT collects, examines, and documents the existing cyber security policies, procedures, and practices; existing cyber security controls; detailed descriptions of network and communication architectures (or network/communication architecture drawings); information on security devices; and any other information that may be helpful during the cyber security assessment process. The team collects, documents by reference and evaluates the following as they apply to CDAs:

• Site- and corporate-wide information on defensive strategies including cyber security controls, defensive models, and other defensive strategy measures;

• The sites physical and operational security program with respect to the protection of CDAs;

• Site and corporate network architectures, and configuration information on security devices;

• Cyber security requirements for vendors and contractors while on site or used during procurement;

• Information on computer networks and communication systems and networks that are present within the plant and could be potential pathways for attacks;

• Cyber security assessments, studies, evaluations or audits to gain insight into areas of potential vulnerabilities; and

• Infrastructure support systems (e.g., electrical power; heating, ventilation, and air conditioning (HVAC); communications; fire suppression) which, if compromised, could adversely impact the proper functioning of CDAs.

The examination includes an analysis of the effectiveness of existing cyber security programs and cyber security controls. The CSAT documents the collected cyber security information and the results of their examination of the collected information.

3.1.5 Tabletop Reviews and Validation Testing The CSAT conducts a tabletop review and validation activities.

Results of table top reviews and validation reviews are documented.

For each CDA/CDA group, the CSAT:

• Confirms the location;

• Confirms direct and indirect connectivity pathways; 7

• Confirms infrastructure interdependencies;

• Reviews any CDA assessment documentation;

• Reviews the defensive strategies;

• Reviews the defensive models;

• Confirms the implementation of plant-wide physical and cyber security policies and procedures that secure the CDAs from a cyber attack, including attack mitigation, and incident response and recovery;

• Confirms that staff members working with the CDAs are trained to a level of cyber security knowledge commensurate with their assigned responsibilities; and

• Identifies and documents the CDA cyber security exposures including specific attack/threat vectors to be assessed for mitigation using the method in Section 3.1.6.

The above activities are validated for CDAs through walk-downs. These walk-downs include:

• Performing, where practical, a physical inspection of the connections and configuration of CDAs, including tracing communication connections into and out of the CDA to termination points along communication pathways.

• Performing electronic validation when physical walk-down inspections are impractical to trace a communication pathway to its conclusion. When there is a risk of operational disruption, electronic validation tests are conducted during periods of scheduled outage. Where used, a justification of the adequacy of the electronic validation technique is documented.

• Examining the physical security established to protect CDAs and the CDAs communication pathways.

• Examining the configuration and assessing the effectiveness of cyber security controls (e.g., firewalls, intrusion detection systems, data diodes) along the communication pathways.

• Examining interdependencies with other CDA(s) and trust relationships between the CDA(s).

• Examining interdependencies with infrastructure support systems including electrical power, environmental controls, and fire suppression equipment which, if compromised, could adversely impact the proper functioning of CDAs.

• Resolving information and/or configuration discrepancies identified during the tabletop reviews, including the presence of undocumented and/or missing connections, and other cyber security-related irregularities associated with the CDA.

Information and/or configuration discrepancies identified during the tabletop reviews and walk-downs, including the presence of undocumented and/or missing connections, and other cyber security-related irregularities associated with the CDA are documented for remediation in the Corrective Action Program.

8

3.1.6 Mitigation of Vulnerabilities and Application of Cyber Security Controls Defense-in-depth strategies are established by documenting and implementing the:

• Defensive strategy described in Section 4.3;

• Technical cyber security controls in Appendix D of NEI 08-09, Revision 6 consistent with the process described below; and

• Operational and Management cyber security controls in Appendix E of NEI 08-09, Revision 6 consistent with the process described below.

The CSAT utilizes the information gathered in Sections 3.1.3 through 3.1.5 to document how each of the technical cyber security controls were addressed for each CDA using the process described below. Other plant organizations may be used to implement the CSAT recommendations. For example, the Plant/Design Engineering group will perform requisite modifications to CDAs.

Cyber security controls are not applied if the control adversely impacts safety and important to safety, security or emergency preparedness functions. When a cyber security control is determined to have an adverse effect, alternate controls are used to mitigate the lack of the security control for the CDA per the process described in this section.

For CDAs, the information in Sections 3.1.3 - 3.1.5 is utilized to analyze and document one or more of the following:

1. Implementing the cyber security controls in Appendices D and E of NEI 08-09, Revision 6.

2. Implementing alternative controls/countermeasures that eliminate or mitigate threat/attack vector(s) associated with one or more of the cyber security controls enumerated in (1) above by:

a. Documenting the basis for employing alternative countermeasures;

b. Performing and documenting the analyses of the CDA and alternative countermeasures to confirm that the countermeasures provide the same or greater cyber security protection as the corresponding cyber security control; and

c. Implementing alternative countermeasures that provide at least the same degree of cyber security protection as the corresponding cyber security control;

d. Implementing an alternative frequency or periodicity for the security control employed by documenting the basis for the alternate frequency or periodicity. The basis incorporates one or more of the following:

i. NRC Regulations, Orders 9

ii. Operating License Requirements (e.g., Technical Specifications) iii. Site operating history iv. Industry operating experience

v. Experience with security control vi. Guidance in generally accepted standards (e.g., NIST, IEEE, ISO) vii. Audits and Assessments viii. Benchmarking ix. Availability of new technologies.

3. Not implementing one or more of the cyber security controls by:

a. Performing an analysis of the specific cyber security controls for the CDA that will not be implemented.

b. Documenting justification demonstrating the attack vector does not exist (i.e., not applicable) thereby demonstrating that those specific cyber security controls are not necessary.

3.2 RECORDS Records of the assessment described in Section 3.1 of this Plan are maintained in accordance with approved procedures as described in Section 4.13 of this Plan.

10

4 ESTABLISHING, IMPLEMENTING, AND MAINTAINING THE CYBER SECURITY PROGRAM This section establishes the programmatic elements necessary to maintain cyber security throughout the life cycle of CDAs. The elements of this section are implemented to maintain high assurance that CDAs associated with the SSEP functions are adequately protected from cyber attacks up to and including the DBT.

A life cycle approach is employed consistent with the controls described in Appendix E of NEI 08-09, Revision 6. This approach ensures that the cyber security controls established and implemented for CDAs are maintained to achieve the sites overall cyber security program objectives. For proposed new digital assets, or existing digital assets that are undergoing modification, the process described in Sections 10 and 11 of the Operational and Management controls of NEI 08-09, Revision 6, Appendix E are implemented.

Records are maintained in accordance with Section 4.13 of this Plan.

4.1 INCORPORATING THE CYBER SECURITY PROGRAM INTO THE PHYSICAL PROTECTION PROGRAM The Cyber Security Program, which is referenced in the Physical Security Plan, implements the Cyber Security Program requirements in accordance with 10 CFR 73.54(b)(3), 10 CFR 73.55(a)(1), and 10 CFR 73.55(c)(6). Cyber attacks are also considered during the development and identification of target sets as required by the Physical Security Program and 10 CFR 73.55(f)(2).

Revisions to this Plan are processed in accordance with procedures that implement the requirements of 10 CFR 50.54(p). Changes that are determined to decrease the effectiveness of this Plan are submitted to the NRC for approval as required by 10 CFR 50.90.

The Cyber Security Program is reviewed as a component of the Physical Security Program as required by 10 CFR 73.55(m).

4.2 CYBER SECURITY CONTROLS The Technical, Operational and Management Cyber Security Controls described in Appendices D and E of NEI 08-09 Revision 6, are evaluated and dispositioned based on site specific conditions during the establishment of risk baselines, during on-going programs, and during oversight activities.

Cyber security controls are used to protect CDAs within the scope of the Rule. The cyber security controls are implemented utilizing the process described in Section 3.1.6 of this Plan. Management controls, Operational controls, and Technical controls, in conjunction with Physical Security Plans, support the overall safety of nuclear material 11

and reliability of plant operations. The Cyber Security Controls are utilized in site Baseline Assessment, Configuration Management, Engineering Design Control, Training, Attack Mitigation and Incident Response, Record Retention and Handling, and Review programs.

If a CDA cannot support the use of automated cyber security control mechanisms, non-automated cyber security control mechanisms or procedures are documented and utilized where necessary to maintain the desired level of protection.

Many security controls have actions that are required to be performed on specific frequencies. The frequency of a security control is met if the action is performed within 1.25 times the frequency specified in the control, as applied, and as measured from the previous performance of the action. This extension facilitates scheduling and considers plant operating conditions that may not be suitable for conducting the security control action (e.g., transient conditions, other ongoing surveillance or maintenance activities).

These provisions are not intended to be used repeatedly merely as an operational convenience to extend frequencies beyond those specified.

4.3 DEFENSE-IN-DEPTH PROTECTIVE STRATEGIES Defense-in-depth protective strategies have been implemented, documented, and are maintained to ensure the capability to detect, delay, respond to, and recover from cyber attacks on CDAs. The defensive strategy describes the defensive security architecture, identifies the protective controls associated within each security level, implements cyber security controls in accordance with Section 3.1 of this Plan, employs the Defense-in-Depth measures described in NEI 08-09, Appendix E, Section 6, and maintains the cyber security program in accordance with in Section 4 of this Plan.

The defensive architecture has been implemented, documented, and is maintained to protect CDAs that have similar cyber risks from other CDAs, systems or equipment by establishing the logical and physical boundaries to control the data transfer between boundaries.

This defensive architecture provides for cyber security defensive levels separated by security boundaries devices, such as firewalls and diodes, at which digital communications are monitored and restricted. Systems requiring the greatest degree of security are located within the greatest number and strength of boundaries. The criteria below are utilized in the defensive architecture.

The FCS defensive model implements all of the following:

• The defensive model consists of 4 layers, with layer 4 having the greatest level of protection.

• Safety CDAs are in Level 4.

• Security CDAs are in Level 4.

• CDAs within a particular security level may not share a common network.

12

• The boundary between Level 3 and Level 2 is implemented by one or more deterministic devices (i.e., data diodes, air gaps) that isolate CDAs in or above Level 3. Information flows between Level 3 and 4 are restricted through the use of a firewall and monitored by a network-based intrusion detection system. The firewall implements the Information Flow Enforcement cyber security control in NEI 08-09, Revision 6, Appendix D, Section 1.4 and the rule set characteristics for non-deterministic information flow enforcement described in the Defense-In-Depth cyber security control in NEI 08-09, Revision 6, Appendix E, Section 6.

For this defensive architecture to be effective in protecting CDAs from cyber attacks the above characteristics are consistently applied, along with the technical, management, and operational security controls discussed in Appendices D and E of NEI 08-09, Revision 6.

The cyber security defensive model is enhanced by physical and administrative cyber security controls implemented by the Physical Security Program. Physical barriers such as locked doors, locked cabinets, and/or locating CDAs in the protected area or vital area are also used to mitigate risk.

4.4 ONGOING MONITORING AND ASSESSMENT Ongoing monitoring of cyber security controls used to support CDAs is implemented consistent with Appendix E of NEI 08-09, Revision 6. Automated support tools are also used, where available, to accomplish near real-time risk management for CDAs. The ongoing monitoring program includes:

• Configuration management of CDAs;

• Cyber security impact analyses of changes to the CDAs or their environment(s) to ensure that implemented cyber security controls are performing their functions effectively;

• Ongoing assessments to verify that the cyber security controls implemented for CDAs remain in place throughout the life cycle of the CDA;

• Verification that rogue assets are not connected to the network infrastructure;

• Ongoing assessments of the need for and effectiveness of the cyber security controls identified in Appendices D and E of NEI 08-09, Revision 6; and

• Periodic cyber security program review to evaluate and improve the effectiveness of the Program.

This element of the Program is mutually supportive of the activities conducted to monitor configuration changes of CDAs.

4.4.1 Configuration Management and Change Control The configuration management controls described in Appendix E of NEI 08-09, Revision 6, have been implemented as described in Section 3.1.6, and implementation has been documented. A configuration management approach 13

is implemented to update and maintain cyber security controls for CDAs in order to ensure that the cyber security program objectives remain satisfied.

Modifications to CDAs are evaluated before implementation to ensure that the cyber security performance objectives of 10 CFR 73.54(a)(1) are maintained. A record of changes made to the configuration of CDAs is maintained.

CDA cyber security and configuration management documentation is updated or created using the site configuration management program or other configuration management procedure or process. This documentation includes the bases for not implementing one or more of the technical cyber security controls specified in Appendix D of NEI 08-09, Revision 6.

During the operation and maintenance phases of the CDA life cycle, changes to CDAs are made using Design Control and Configuration Management procedures, so that additional cyber security risk is not introduced into the system. The process ensures that the controls specified in Appendices D and E of NEI 08-09, Revision 6, have been implemented in a manner consistent with this Plan and implementing procedures.

During the retirement phase, the Design Control and Configuration Management procedures address SSEP functions.

4.4.2 Cyber Security Impact Analysis of Changes and Environment A cyber security impact analysis is performed prior to making a design or configuration change to a CDA, or when changes to the environment occur, consistent with the process described in Section 4 of the Operational and Management Controls of Appendix E to NEI 08-09, Revision 6, to manage risks introduced by the changes.

Interdependencies of other CDAs or support systems are evaluated, documented, and incorporated into the cyber security impact analysis. The steps for conducting the tabletop review described in Section 3.1.5 are performed.

These impact analyses are performed as part of the change approval process to assess the impacts of the changes on the cyber security posture of CDAs and systems that can affect SSEP functions. Cyber security related issues identified during the change management process are addressed within the change management process, and therefore are not handled by the Corrective Action Program. Adverse conditions identified after the modification is implemented are entered into the site Corrective Action Program.

Risks to SSEP functions, CDAs and CSs are managed through ongoing evaluation of threats and vulnerabilities and by addressing threat and attack vectors associated with the cyber security controls provided in Appendices D and E of NEI 08-09, Revision 6, during the various phases of the life cycle.

14

Additionally, procedures are developed for screening, evaluating, mitigating and dispositioning threat and vulnerability notifications received from credible sources. Dispositioning includes implementation, as necessary; of cyber security controls to mitigate newly reported or discovered vulnerabilities and threats.

4.4.3 Ongoing Assessment of Cyber Security Controls Ongoing assessments are performed to verify that the cyber security controls implemented for CDAs remain in place throughout the life cycle. The assessment process verifies the status of these cyber security controls at least every 24 months or in accordance with the specific requirements for utilized cyber security controls as described in Appendices D and E of NEI 08-09, Revision 6, whichever is more frequent.

4.4.3.1 Effectiveness Analysis The effectiveness and efficiency of the Cyber Security Program and the cyber security controls in Appendices D and E of NEI 08-09, Revision 6, are monitored to confirm that the cyber security controls are implemented correctly, operating as intended, and continuing to provide high assurance that CDAs are protected against cyber attacks up-to and including the DBT. Reviews of the cyber security program and controls include, but are not limited to, periodic audits of the physical security program, security plans, implementing procedures, cyber security programs; safety/security interface activities; the testing, maintenance, and calibration program as it relates to cyber security; and feedback from the NRC and local, state and federal law enforcement authorities.

The effectiveness evaluation provides information for cyber security decision makers about the results of previous policy and acquisition decisions. These measures:

• Provide insight for improving performance of the Cyber Security Program;

• Assist in determining the effectiveness of cyber security controls in Appendices D and E of NEI 08-09, Revision 6;

• Assist in ascertaining whether specific cyber security controls are functioning and are helping facilitate corrective action prioritization; and

• Require fusing the Cyber Security Program activities data with the data obtained from automated monitoring and evaluation tools in a manner that can be tied to cyber security control implementation.

The effectiveness of these cyber security controls is verified when applied, and at least every 24 months or in accordance with the specific requirements for employed cyber security controls as described in Appendices D and E of NEI 08-09, Revision 6, whichever is more frequent. Documents of maintenance and repairs on CDA components are reviewed to ensure that CDAs which perform cyber security functions are maintained according to recommendations provided 15

by the manufacturer or as determined by site-specific procedures. Adverse conditions identified during effectiveness evaluations are entered in the site Corrective Action Program.

4.4.3.2 Vulnerability Scans Electronic vulnerability scanning of CDAs is performed when security controls are first applied, and as required by specific guidance in the cyber security controls in Appendices D and E of NEI 08-09, Revision 6. When new vulnerabilities that could affect the cyber security posture of CDAs are identified, vulnerability scanning will be performed.

Vulnerability scan reports are analyzed and vulnerabilities that could result in a risk to SSEP functions at the site are remediated. Information obtained from the vulnerability scanning process is shared with appropriate personnel to ensure that similar vulnerabilities that may impact interconnected or similar CDA(s) are understood, evaluated and mitigated.

When there is a risk of operational disruption, electronic vulnerability scans are conducted during periods of scheduled outage. Test beds and vendor maintained environments may be used for or in substitution for performing vulnerability scans.

Assessment and scanning process must not adversely impact SSEP functions. If this could occur, CDAs are removed from service or replicated (to the extent feasible) before assessment and scanning is conducted. If vulnerability assessments or scanning cannot be performed on a production CDA because of the potential for an adverse impact on SSEP functions, alternate controls (e.g.,

providing a replicated system or CDA to conduct scanning) are employed.

A vulnerability assessment may be used as a substitute for vulnerability scanning where there is risk of an adverse impact to SSEP functions, and when off-line, replicated, or vendor test beds are not available. When new vulnerabilities are discovered, the vulnerability assessment considers the same threat vectors as the identified vulnerabilities. When vulnerability assessments are used to verify security controls, the assessment targets the threat vectors the security controls address. In both cases, the vulnerability assessment verifies that the vulnerability or threat vector is addressed to provide high assurance of adequate protection that SSEP functions are protected from cyber attacks up-to and including the Design Basis Threat.

4.5 ADDITION AND MODIFICATION OF DIGITAL ASSETS The approach for assessing new/modified CDAs is to use the assessment process described in Section 3.1 of this Plan.

16

Programs, Procedures, and/or Processes have been established, implemented, and maintained to control life cycle phase activity cyber security controls for CDAs. These programs, procedures, and/or processes ensure that modifications to a CDA within the scope of 10 CFR 73.54 are evaluated before implementation to ensure that the cyber security performance objectives of 10 CFR 73.54(a)(1) are maintained and that acquired CDAs have cyber security requirements developed to achieve the sites cyber security program objectives.

Records are maintained in accordance with Section 4.13 of this Plan.

4.6 ATTACK MITIGATION AND INCIDENT RESPONSE The Program ensures that the Safety, Security, and Emergency Preparedness functions of digital assets within the scope of the Rule (CDAs) are not adversely impacted due to cyber attacks. Appendix E of NEI 08-09, Revision 6, includes the following topics pertaining to attack mitigation and incident response:

• Incident Response Policy and Procedures

• Incident Response Training

• Incident Response Testing and Drills

• Incident Handling

• Incident Monitoring

• Incident Response Assistance Policies, and/or Procedures, and/or Programs document cyber security controls to deny, deter, and detect adverse threats and conditions to CDAs that may be susceptible to cyber attacks which exploit system vulnerabilities. Cyber security controls employed counteract threats. Policies, and/or Procedures, and/or Programs document the methods to handle digital-related adverse conditions.

Digital-related adverse conditions are entered into the site Corrective Action Program for resolution. If the condition affects a CDA, the condition is evaluated to determine if there is reason to believe that the condition is the result of a cyber attack. If there is reason to believe the condition is the result of a cyber attack, the event is reported to the NRC in accordance with 10 CFR 73, Appendix G.

Identification, detection, and response to cyber attacks are directed by site procedures for cyber security and other procedures that govern response to plant events. When there is reasonable suspicion of a cyber attack, response instructions direct notification to the activation of Cyber Security Incident Response Team. Response instructions direct other emergency response actions, if warranted.

Cyber security attack containment activities are directed by site procedures. These measures include but are not limited to:

• Assist in determining the CDAs operability or functionality; 17

• Isolate the affected CDA with approval by Shift Manager, if possible; and

• Verify surrounding networks and support systems are not contaminated.

Eradication activities identify the attack and the compromised pathway, patch or clean the CDA, or replace the CDA using disaster recovery procedures. Measures necessary to mitigate the consequences of cyber attacks are as directed by site governing procedures.

Recovery activities include but are not limited to functional recovery test, cyber security function and requirements tests, restoration to operational state, verification of operability or functionality, and return to service. Systems, networks, and/or equipment affected by cyber attacks are restored and returned to operation as directed by site procedures. Post incident analysis is conducted in accordance with site Corrective Action Program procedures.

4.7 CYBER SECURITY CONTINGENCY PLAN A Cyber Security Contingency Plan protects CDAs from adverse impacts from cyber attack. Refer to Appendix E of NEI 08-09, Revision 6, for additional Cyber Security Contingency Plan cyber security controls.

The contingency planning policy is developed, disseminated, periodically reviewed and updated. The contingency planning policy provides the following:

a. A formal, documented policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organization entities, and compliance; and

b. Formal, documented procedures to facilitate the implementation of the policy and associated contingency planning controls.

The Cyber Security Contingency Plan includes:

• Required response to events or conditions of varying duration and severity that would activate the recovery plan;

• Procedures for operating the CDAs in manual mode with external electronic communications connections severed until secure conditions can be restored;

• Roles and responsibilities of responders;

• Processes and procedures for the backup and secure storage of information;

• Complete and up-to-date logical diagrams depicting network connectivity;

• Current configuration information for components;

• Personnel list (according to title and/or function) for authorized physical and cyber access to the CDA;

• Communication procedure and list of personnel (according to title and/or function) to contact in the case of an emergency; and

• Documented requirements for the replacement of components.

18

4.8 CYBER SECURITY TRAINING AND AWARENESS The Program establishes the training requirements necessary for licensee personnel and contractors to perform their assigned duties and responsibilities in implementing the requirements of the Program.

Individuals are trained to a level of cyber security knowledge commensurate with their assigned responsibilities in order to provide high assurance that individuals are able to perform their job functions. Refer to Appendix E of NEI 08-09, Revision 6, which describes the Cyber Security Controls required for the following levels of training:

• Awareness Training

• Technical Training

• Specialized Cyber Security Training Specific topics included within the Cyber Security Training and Awareness program may be modified, added or deleted (1) in response to feedback from personnel and contractors who have taken the training or (2) as a result of discussions with cyber security groups and associations.

4.9 EVALUATE AND MANAGE CYBER RISK Cyber risk is evaluated and managed utilizing site programs and procedures.

4.9.1 Threat and Vulnerability Management Cyber risks are managed through evaluation of threats and vulnerabilities to computer and control systems during the life cycle phases as documented in the Engineering Design Control, Configuration Management, Software Quality Assurance, Operating Experience (OE) and Corrective Action Program (CAP) processes. The Program establishes in procedures or other plant documents how responses to threat notifications and vulnerabilities against a CDA received from a credible source are screened, evaluated and dispositioned.

4.9.2 Risk Mitigation Protection and mitigation of cyber risk are achieved by applying cyber security controls to the CDAs within the scope of the Rule. Detailed information on how these requirements are implemented to achieve high assurance objectives of cyber security controls specified in this Plan is available on site for the NRCs inspections and audit.

4.9.3 Operational Experience Policies, and/or Procedures, and/or Programs establish how the operational experiences related to cyber security are screened to determine applicability, evaluated to determine significance, and dispositioned in an operational 19

experience program. Any condition determined to be adverse as a result of the evaluation of operational experiences, is dispositioned in the Corrective Action Program.

4.9.4 Corrective Action Program Policies, and/or Procedures, and/or Programs establish the criteria for adverse conditions and the requirements for corrective action. Adverse impact resulting from a cyber security condition is evaluated, tracked and dispositioned in accordance with the site Corrective Action Program.

4.10 POLICIES AND IMPLEMENTING PROCEDURES Policies and implementing procedures are developed to meet the implemented cyber security controls objectives provided in Appendices D and E of NEI 08-09, Revision 6.

The program policies and implementing procedures are documented, developed, reviewed, approved, issued, used, and revised as described in Section 4 of this Plan.

Program policies and implementing procedures establish that personnel responsible for the management and implementation of the program report indirectly to senior nuclear management. Senior nuclear management is the Chief Nuclear Officer who is accountable for nuclear plant(s) operation.

Implementing procedures establish responsibilities for the positions documented in Section 4.11.

4.11 ROLES AND RESPONSIBILITIES Roles and responsibilities are implemented with site procedures to preclude conflict during both normal and emergency conditions. The following Roles are created and staffed with qualified and experienced personnel. Authorized contracted resources possessing the skill set identified below for their designated role may be used.

Implementing procedures establish responsibilities for the following:

Cyber Security Program Sponsor

• Member of Senior FCS / OPPD Management;

• Overall responsibility and accountability for the cyber security program;

• Provide resources required for the development, implementation and sustenance of the cyber security program;

• Accountable to meet the needs of the site and receives support and compliance; and

• Ensure that resources are available to develop and implement the Program.

Cyber Security Program Manager

• The single point of contact accountable for any issues related to FCS / OPPD cyber security; 20

• Responsible for oversight and assuring periodic assessments are performed in accordance with Section 4;

• Provides oversight of the plant cyber security operations;

• Functions as a single point of contact for issues related to cyber security;

• Provides oversight and direction on issues regarding nuclear plant cyber security;

• Initiates and coordinates Cyber Security Incident Response Team (CSIRT) functions as required;

• Coordinates with NRC, DHS, DOE, and FBI as required during cyber security events;

• Oversees and approves the development and implementation of a Cyber Security Plan;

• Ensures and approves the development and operation of the cyber security education, awareness, and training program; and

• Oversees and approves the development and implementation of cyber security policies and procedures.

Cyber Security Specialists

• Protect CDAs from cyber threat;

• Understand the cyber security implications surrounding the overall architecture of plant networks, operating systems, hardware platforms, plant-specific applications, and the services and protocols upon which those applications rely;

• Perform cyber security assessments of CDAs;

• Conduct cyber security audits, network scans, and penetration tests against CDAs as necessary;

• Conduct cyber security investigations involving compromise of CDAs;

• Preserve evidence collected during cyber security investigations to prevent loss of evidentiary value;

• Maintain expert skill and knowledge level in the area of cyber security; and

• Receive specialized cyber security training described in Section 4.8.

Cyber Security Incident Response Team (CSIRT)

• Initiates in accordance with the Incident Response Plan;

• Initiates emergency action when required to safeguard CDAs from cyber security compromise and to assist with the eventual recovery of compromised systems;

• Contains and mitigates incidents involving critical and other support systems;

• Restores compromised CDAs; and

• Responds to a cyber attack and performs the activities described in Section 4.6. Responsibilities are designated in site incident response procedures.

Ancillary CSIRT staff includes organizations and individuals who operate, maintain, or design critical systems. CSIRT support staff is comprised of organizations and individuals as needed for specific specialized knowledge.

21

Others Operators, engineers, technicians, and users perform their assigned duties in accordance with the requirements of the Program.

4.12 CYBER SECURITY PROGRAM REVIEW The Cyber Security Program established the necessary measures and governing procedures to implement reviews of applicable program elements in accordance with the requirements of 10 CFR 73.55(m). Security Controls are elements of the Security Program and are reviewed consistent with the following requirements of 10 CFR 73.55(m).

(1) As a minimum the licensee shall review each element of the physical protection program at least every 24 months. Reviews shall be conducted:

(i) Within 12 months following initial implementation of the physical protection program or a change to personnel, procedures, equipment, or facilities that potentially could adversely affect security.

(ii) As necessary based upon site-specific analyses, assessments, or other performance indicators.

(iii) By individuals independent of those personnel responsible for program management and any individual who has direct responsibility for implementing the onsite physical protection program.

(2) Reviews of the security program must include, but not be limited to, an audit of the effectiveness of the physical security program, security plans, implementing procedures, cyber security programs, safety/security interface activities, the testing, maintenance, and calibration program, and response commitments by local, State, and Federal law enforcement authorities.

(3) The results and recommendations of the onsite physical protection program reviews, management's findings regarding program effectiveness, and any actions taken as a result of recommendations from prior program reviews, must be documented in a report to the licensee's plant manager and to corporate management at least one level higher than that having responsibility for day-to-day plant operation. These reports must be maintained in an auditable form, available for inspection.

(4) Findings from onsite physical protection program reviews must be entered into the site corrective action program.

4.13 DOCUMENT CONTROL AND RECORDS RETENTION AND HANDLING FCS / OPPD has established the necessary measures and governing procedures to ensure that sufficient records of items and activities affecting cyber security are developed, reviewed, approved, issued, used, and revised to reflect completed work.

22

The following will be retained as a record until the Commission terminates the license for which the records were developed, and shall maintain superseded portions of these records for at least three (3) years after the record is superseded, unless otherwise specified by the Commission:

• Records of the assessment described in Section 3.1 of this Plan;

• Records that are generated in the Establishment, Implementation, and Maintenance of the Cyber Security Program;

• Records of Addition and Modification of Digital Assets; and

• Records and supporting technical documentation required to satisfy the requirements of the Rule CDA audit records will be retained for no less than 12 months. CDA auditing capabilities are configured in accordance with section 3.1.6 of this plan.

Where a central logging server is employed, the audit records received will be retained for no less than 12 months.

The following audit data will be retained:

• Audit data described in Appendix D, 2.3, Content of audit records

• Audit data that support Appendix E, Defense-in-Depth security control will be retained to provide support for after-the-fact investigations of security attacks and satisfy the requirements of 10 CFR 73.54 and 10 CFR 73.55.

Audit (digital and non-digital) data include:

• Operating system logs

• Service and application logs

• Network device logs For the purposes of this Plan, audit data is not required to be maintained under the QA Records Program.

Individual Cyber Security Training Records will be documented and maintained for 3 years.

23

LIC-10-0055 Page 1 Cyber Security Plan Implementation Schedule Generic RAI Question # 29 includes reference to previous regulatory guidance and industry initiatives related to cyber security. As referenced, current industry guidance for cyber security is described in NEI 04-04, Cyber Security Program for Power Reactors. However, the scope of requirements in the NRC accepted implementation guidance contained in NEI 08-09 revision 6 are significantly greater than the previously implemented cyber security program. The defensive model design requirements, the new digital asset assessment methodology and the resultant digital asset remediation actions will require a significant expenditure of labor resources. As referenced in the Generic RAI Question # 29, Fort Calhoun Station (FCS), Unit No. 1/Omaha Public Power District (OPPD) is also required to implement a separate Cyber Security Program in accordance with the NERC Critical Infrastructure Protection Standards.

While the timeframe for implementation is shorter for the NERC regulation as described in the RAI question, the NERC cyber security methodology is different from the NRC Rule requirements. The NERC requirements are based on a logical risk based assessment process while the NRC Rule 73.54 requires a deterministic cyber security assessment methodology.

In light of the extensive work associated with implementation of these two new regulations, FCS

/ OPPD has developed a prioritized approach to establish the NRC Rule 73.54 implementation schedule. FCS / OPPD realizes the importance of deploying a uni-directional communication barrier to protect the most critical SSEP functions. One major activity is the deployment of uni-directional communication barrier to ensure protection from remote attacks on plant systems.

While the deployment of the uni-directional barrier is critical to protection from external cyber threats, it also impacts remote access to plant data systems by authorized personnel. This elimination of remote access will require Licensees to develop and implement a detailed change management plan.

Another major activity is the performance of individual critical digital asset (CDA) assessments to identify individual asset security control remediation actions. Programs and procedures are being developed to implement the programmatic requirements of the regulation. The cyber security assessment teams are also being established for execution of program requirements.

These teams are required to have extensive knowledge of plant systems and cyber security control technology. A comprehensive training program will be required to ensure competent personnel for program execution.

Following are the Cyber Security implementation milestones that have been developed based on the sample listing of milestones provided with your December 2009 implementation schedule guidance:

LIC-10-0055 Page 2 Implementation Completion Date Basis Milestone Train and Qualify Cyber 12/2011 The CSAT will require a broad and very specialized knowledge of information and Security Assessment digital systems technology. The CSAT will need to have digital plant systems Team (CSAT) knowledge as well as nuclear power plant operations, engineering and nuclear safety experience and technical expertise. The personnel selected for this team will require additional training in these areas to ensure adequate capabilities to meet the regulation requirements.

By the completion date, the following will be performed:

• Cyber security assessment procedures/tools will be developed and available;

• Qualifications for CSAT will be developed; and

• Training of the CSAT will be completed.

Identify Critical Systems CS - 6//2011 By the completion date, the following will be performed:

(CSs) and Critical Digital CDA - 8/2011

• Critical Systems will be identified; and Assets (CDAs)

• Critical Digital Assets will be identified.

Develop Cyber Security 7/2011 The Defensive Strategy expands upon the high level model in the Cyber Security Defensive Strategy (i.e., Plan and requires assessment of existing site and corporate policies, comparison to defensive model) new requirements, revisions as required, and communication to plant personnel.

By the completion date, the following will be performed:

• Documenting the defense-in-depth architecture and defensive strategy;

• Revisions to existing defensive strategy policies will be implemented and communicated; and

• Planning the implementation of the defense-in-depth architecture.

LIC-10-0055 Page 3 Implementation Completion Date Basis Milestone Implement cyber security 9/2012 - for The implementation of communication barriers protects the most critical SSEP defense-in-depth isolation functions from remote attacks on our plant systems. While the deployment of the architecture boundaries barriers is critical to protection from external cyber threats, it also prevents remote 6/2013 - for other access to core monitoring and plant data systems for reactor engineers and other boundaries plant staff. This elimination of remote access to core monitoring systems requires the development and execution of a detailed change management plan to ensure continued safe operation of the plants.

Vendors may be required to develop software revisions to support the model. The modification will be developed, prioritized and scheduled. Since software must be updated on and data retrieved from isolated systems, a method of patching, updating and scanning isolated devices will be developed.

By the completion date, the following will be performed:

• Installation of deterministic one-way devices to implement defensive layer boundaries.

Establish Cyber Security 12/2013 The implementation of the cyber security program is expected to require Program policy/procedure development and/or upgrades for nearly every plant department.

policies/procedures The procedural development for the cyber security program requirements and all of the individual security controls will be far-reaching. Many of the security controls will require development of the technical processes for implementing the control in a nuclear plan environment including development of new procedures for surveillances, periodic monitoring and reviews. Procedure development will begin early in the implementation of the program and continue until the specified completion date.

By the completion date, the following will be performed:

• Policies/procedures will be updated to establish Cyber Security Program ;

• The Cyber Security Assessment Procedure will be issued; and

LIC-10-0055 Page 4 Implementation Completion Date Basis Milestone

• New policies/procedures or revision of existing policies/procedures in areas impacted by cyber security requirements will be develop and implemented.

Perform and document 12/2013 Based on the existing cyber security program, it is known that the number of digital the cyber security assets requiring assessment is extensive. As previously discussed, the CDA assessment described in assessment methodology required for this regulation is extremely rigorous and the Cyber Security Plan deterministic. The completion of these assessments will require a significant commitment of resources.

Performing the assessments will require participation of multiple disciplines and involve document reviews, system configuration evaluation, physical walk downs or electronic verification of every communication pathway for each CDA, and documentation of results. These tasks will need to be coordinated and scheduled to align with department resource availability and system access requirements.

By the completion date, the following will be performed:

• Cyber security assessments will be performed and documented.

Implement Security 12/2014 Although the scope of individual CDA assessment remediation actions is unknown, Controls not requiring a based on the number and complexity of the required security controls, it is expected plant modification. The to be a significant effort. Each of the individual CDA remediation actions will need to Cyber Security Program be planned, resourced, and executed. This date is only a commitment for the is implemented and the remediation actions not requiring a plant modification.

Program has entered maintenance phase. Changes requiring a plant modification may be implemented during the ongoing maintenance of the cyber security program. A rigorous planning process is used to ensure safe execution of refueling outage work. The potential system modifications required by this regulation need to be carefully planned and executed to ensure no detrimental effect to safe plant operations.

LIC-10-0055 Page 5 Implementation Completion Date Basis Milestone The Program will be considered implemented and transitioned to the maintenance phase if modifications have either been implemented, or are budgeted and scheduled for implementation.

By the completion date, the following will be performed:

• Security controls (that do not require plant modification) will be implemented in accordance with Section 3.1.6 of the Plan. The application of security controls requiring plant modifications will be planned, budgeted, and scheduled.

Beginning on this date, during the ongoing maintenance of the Program, the following will be included:

• The requirements of Section 4 of the Plan will be effective; and

• Implementing plant modifications, per the schedule developed above, that have not been completed.