ML102090028

Third Supplement to Request for Approval of Cyber Security Plan
ML102090028
Person / Time
Site: Sequoyah
Issue date: 07/23/2010
From: Krich R
Tennessee Valley Authority
To:
Document Control Desk, Office of Nuclear Reactor Regulation, Office of Nuclear Security and Incident Response
References
TS-09-06


Text

SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390

Tennessee Valley Authority
1101 Market Street, LP 3R
Chattanooga, Tennessee 37402-2801

R. M. Krich
Vice President
Nuclear Licensing

July 23, 2010

10 CFR 50.4
10 CFR 50.90
TS-09-06

ATTN: Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555-0001

Sequoyah Nuclear Plant, Units 1 and 2
Facility Operating License Nos. DPR-44 and DPR-79
NRC Docket Nos. 50-327 and 50-328

Subject:

Third Supplement to Request for Approval of the Sequoyah Nuclear Plant Cyber Security Plan

References:

1. Letter from TVA to NRC, "Request for Approval of the Sequoyah Nuclear Plant Cyber Security Plan," dated November 23, 2009
2. Letter from TVA to NRC, "Request for Approval of the Sequoyah Nuclear Plant Cyber Security Plan - Supplement," dated December 11, 2009
3. Letter from TVA to NRC, "Supplement to Request for Approval of the Sequoyah Nuclear Plant Cyber Security Plan," dated December 18, 2009
4. Letter from NRC to TVA, "Sequoyah Nuclear Plant, Units 1 and 2 - License Amendment Request for Approval of the Cyber Security Plan (TAC Nos. ME2680 and ME2681)," dated May 21, 2010
5. Letter from NRC to NEI, "Nuclear Energy Institute 08-09, 'Cyber Security Plan Template, Rev. 6,'" dated June 7, 2010

ENCLOSURES 2 AND 3 TO THIS LETTER CONTAIN SECURITY-RELATED INFORMATION. SECURITY-RELATED INFORMATION CLASSIFICATIONS DOES NOT APPLY TO THIS PAGE WHEN SEPARATED FROM ENCLOSURES 2 AND 3.


By letter dated November 23, 2009 (Reference 1) as supplemented December 11, 2009 (Reference 2), and December 18, 2009 (Reference 3), the Tennessee Valley Authority (TVA) submitted a license amendment request (LAR) for Sequoyah Nuclear Plant, Units 1 and 2. The proposed LAR included proposed changes to the existing Sequoyah Nuclear Plant, Units 1 and 2 operating licenses' Physical Protection license condition, a proposed Cyber Security Plan Implementation Schedule, and the Cyber Security Plan. This information was provided in the following Enclosures of the November 23, 2009 letter:

- Evaluation of Proposed Change
- Sequoyah Nuclear Plant Cyber Security Plan Implementation Schedule
- Sequoyah Nuclear Plant Cyber Security Plan

Because of concerns with the Nuclear Energy Institute (NEI) guidance used to prepare the Cyber Security Plan, the Nuclear Regulatory Commission (NRC) by letter dated May 21, 2010 (Reference 4) requested TVA to provide a revised submittal to comply with the requirements of 10 CFR 73.54. The NRC further stated in the May 21, 2010 letter that submission of a cyber security plan using the template provided in NEI 08-09, "Cyber Security Plan Template, Revision 6," dated April 2010 would be acceptable to comply with the requirements of 10 CFR 73.54, with the exception of the definition of "cyber attack." The NRC requested a response within 60 days of the May 21, 2010 letter, which would be July 20, 2010. TVA requested and was granted an extension of this due date in a phone call between Siva Lingam (NRC) and Kevin Casey (TVA) on July 15, 2010. Therefore, this response is due on July 23, 2010.

TVA understands that NEI 08-09, Revision 6 addresses all the generic issues, with exception to the "cyber attack" definition, provided in the March 9, 2010 e-mail referenced in the May 21, 2010 letter. TVA is therefore providing a revised cyber security plan as provided in Enclosure 3 of this letter. This cyber security plan was prepared using the NEI 08-09, Revision 6 template. The only exception taken to NEI 08-09, Revision 6, is the definition of "cyber attack." As noted in the Deviation Table attached to Enclosure 3, the definition used in TVA's Cyber Security Plan is: "any event in which there is reason to believe that an adversary has committed or caused, or attempted to commit or cause, or has made a credible threat to commit or cause malicious exploitation of a CDA (critical digital asset)." This definition was determined acceptable in NRC's June 7, 2010 letter (Reference 5). Enclosure 3 of this letter supersedes, in its entirety, the Enclosure 3 submitted in the November 23, 2009 letter.


In addition, TVA is providing revised Sequoyah Nuclear Plant Cyber Security Plan Implementation Schedules for Unit 1 and Unit 2 as provided in Enclosure 2 of this letter. The implementation schedules have been revised to include additional milestones and to provide a basis for the proposed completion dates. The implementation date follows the site's last scheduled refueling outage needed to implement the potential system modifications. Enclosure 2 of this letter supersedes, in its entirety, the Enclosure 2 submitted in the November 23, 2009 letter.

provides revisions to the proposed change to the license previously provided in Enclosure 1 of the November 23, 2009 letter. These revisions are a result of updating the Cyber Security Plan from Revision 3 to Revision 6 of NEI 08-09 and changing the date the Plan was submitted. In Section 3.0, "Technical Evaluation," reference to "Appendix A, Table 1" was deleted and is indicated by the strikethrough text and revision bar. This Table was removed in NEI 08-09, Revision 6. In Section 6.0, "References," Reference 3 was revised and is indicated by the bold text and revision bar. Attachments 1 and 2 were revised to change the date the Cyber Security Plan was submitted from "November 23, 2009" to "July 23, 2010." These revisions supersede Section 3.0, Section 6.0, and Attachments 1 and 2 provided in Enclosure 1 of the November 23, 2009 letter.

TVA has determined that the additional information provided by this letter does not affect the no significant hazards considerations associated with the proposed license amendment submitted by Reference 3.

TVA requests that Enclosures 2 and 3, which contain sensitive information, be withheld from public disclosure in accordance with 10 CFR 2.390, "Public inspections, exemptions, requests for withholding." Additionally, in accordance with 10 CFR 50.91(b)(1), TVA is sending a copy of this letter and attachments to the Tennessee State Department of Environment and Conservation.

There are no commitments associated with this submittal. If you have any questions about this change, please contact Kevin Casey at (423) 751-8523.


I declare under penalty of perjury that the foregoing is true and correct. Executed on this 23rd day of July, 2010.

Respectfully, R. M. Krich

Enclosures:

1. Evaluation of Proposed Change
2. Sequoyah Nuclear Plant Cyber Security Plan Implementation Schedules
3. Sequoyah Nuclear Plant Cyber Security Plan

cc (Enclosures):

NRC Regional Administrator - Region II
NRC Senior Resident Inspector - Sequoyah Nuclear Plant
Director, Division of Radiological Health - Tennessee State Department of Environment and Conservation (w/o Enclosures 2 & 3)


Evaluation of Proposed Change

Request for Approval of the Sequoyah Nuclear Plant Cyber Security Plan

3.0 TECHNICAL EVALUATION

Federal Register Notice 74 FR 13926 issued the final rule that amended 10 CFR Part 73. Cyber security requirements are codified as new 10 CFR 73.54 and are designed to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the design basis threat established by 10 CFR 73.1(a)(1)(v). These requirements are substantial improvements upon the requirements imposed by EA-02-026 (Reference 6.2).

NEI 08-09, "Cyber Security Plan Template," provides an approach for complying with the Commission's regulations for protecting digital computers, communications systems, and networks. NEI 08-09 has been submitted to the NRC (Reference 6.3) for use by licensees in development of their own cyber security plans. The Sequoyah Nuclear Plant Cyber Security Plan is in accordance with NEI 08-09 (Reference 6.3).

[Struck-through text:] with the exception that Appendix A, Table 1, "Systems Within the Scope of 10 CFR 73.54," and the associated references to Table 1 have not been included in the Cyber Security Plan. The removal of Table 1 was based on NRC feedback and [illegible] acceptable since the Table 1 listing of systems within the scope of 10 CFR 73.54 will be available for inspection on site.

This LAR includes the proposed Plan (Enclosure 3) that conforms to the template provided in NEI 08-09. In addition the LAR includes the proposed change to the existing FOLs license conditions for "Physical Protection" (Attachments 1 and 2) for SQN Units 1 and 2.

Finally, the LAR contains the proposed Implementation Schedule (Enclosure 2) as required by 10 CFR 73.54.


6.0 REFERENCES

1. Federal Register notice, Final Rule 10 CFR 73, Power Reactor Security Requirements, published on March 27, 2009, 74 FR 13926.
2. EA-02-026, Order modifying License, Safeguards and Security Plan Requirements, issued February 25, 2002.
3. Letter from NRC to Nuclear Energy Institute, "Nuclear Energy Institute 08-09, 'Cyber Security Plan Template, Rev 6,'" dated May 5, 2010.

Attachment 1 Proposed Facility Operating License Change (Marked-up)

Sequoyah Nuclear Plant, Unit 1 Proposed Facility Operating License Change (Marked-up)

E.

Physical Protection (1)

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Sequoyah Nuclear Plant Security Plan, Training And Qualification Plan, And Safeguards Contingency Plan" submitted by letter dated May 8, 2006.

(2)

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved Sequoyah Nuclear Plant Cyber Security Plan submitted by letter dated July 23, 2010, and withheld from public disclosure in accordance with 10 CFR 2.390.

October 28, 2008
Amendment No. 10, 53, 73, 193, 200, 213, 223, 292

Sequoyah Nuclear Plant, Unit 2 Proposed Facility Operating License Change (Marked-up)

A temporary exemption from General Design Criterion 57 found in Appendix A to 10 CFR part 50 is described in the Office of Nuclear Reactor Regulation's Safety Evaluation Report, Supplement No. 5, Section 6.2.4. This exemption is authorized by law and will not endanger life or property or the common defense and security and is otherwise in the public interest. The exemption, therefore, is hereby granted and shall remain in effect through the first refueling outage as discussed in Section 6.2.4 of Supplement 5 to the Safety Evaluation Report. The granting of the exemption is authorized with the issuance of the Facility Operating License. The facility will operate, to the extent authorized herein, in conformity with the application as amended, the provisions of the Act, and the regulations of the Commission. Additional Exemptions are listed in.

E.

Physical Protection INSERT

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Sequoyah Nuclear Plant Security Plan, Training And Qualification Plan, And Safeguards Contingency Plan" submitted by letter dated May 8, 2006.

F.

Reactor Safety Methodology Applications Programs (Section 24.0)

TVA will provide a report prepared by the Kaman Sciences Corporation (KSC) on a full scale nuclear safety and availability analysis within six months from the date of the KSC report.

G.

This amended license is subject to the following additional condition for the protection of the environment:

Before engaging in additional construction or operational activities which may result in an environmental impact that was not evaluated by the Commission, Tennessee Valley Authority will prepare and record an environmental evaluation of such activity. When the evaluation indicates that such activity may result in a significant adverse environmental impact that was not evaluated, or that is significantly greater than that evaluated in the Final Environmental Statement prepared by the Tennessee Valley Authority and the Environmental Impact Appraisal prepared by the Commission in May 1979, the Tennessee Valley Authority shall provide a written evaluation of such activities and obtain prior approval from the Director, Office of Nuclear Reactor Regulation.

H.

Deleted

I.

TVA shall immediately notify the Commission of any accident at this facility which could result in an unplanned release of quantities of fission products in excess of allowable limits for normal operation established by the Commission.

J.

TVA shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

INSERT (2)

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved Sequoyah Nuclear Plant Cyber Security Plan submitted by letter dated July 23, 2010, and withheld from public disclosure in accordance with 10 CFR 2.390.

October 28, 2008
Amendment 2, 65, 162, 170, 204, 214, 267, 273, 282

K.

This amended license is effective as of the date of issuance and shall expire September 15, 2021.

FOR THE NUCLEAR REGULATORY COMMISSION

Harold R. Denton, Director
Office of Nuclear Reactor Regulation

Attachments:

1. Attachment 1
2. Appendices A and B Technical Specifications

Date of Issuance: September 15, 1981

December 29, 1988
Amendment No. 2, 83

Proposed Facility Operating License Change (Re-typed)

Sequoyah Nuclear Plant, Unit 1 Proposed Facility Operating License Change (Re-typed)

E.

Physical Protection (1)

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Sequoyah Nuclear Plant Security Plan, Training And Qualification Plan, And Safeguards Contingency Plan" submitted by letter dated May 8, 2006.

(2)

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved Sequoyah Nuclear Plant Cyber Security Plan submitted by letter dated July 23, 2010, and withheld from public disclosure in accordance with 10 CFR 2.390.

Amendment No. 10, 53, 73, 193, 200, 213, 223, 292,

Sequoyah Nuclear Plant, Unit 2 Proposed Facility Operating License Change (Re-typed)

A temporary exemption from General Design Criterion 57 found in Appendix A to 10 CFR part 50 is described in the Office of Nuclear Reactor Regulation's Safety Evaluation Report, Supplement No. 5, Section 6.2.4. This exemption is authorized by law and will not endanger life or property or the common defense and security and is otherwise in the public interest. The exemption, therefore, is hereby granted and shall remain in effect through the first refueling outage as discussed in Section 6.2.4 of Supplement 5 to the Safety Evaluation Report. The granting of the exemption is authorized with the issuance of the Facility Operating License. The facility will operate, to the extent authorized herein, in conformity with the application as amended, the provisions of the Act, and the regulations of the Commission. Additional Exemptions are listed in.

E.

Physical Protection (1)

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Sequoyah Nuclear Plant Security Plan, Training And Qualification Plan, And Safeguards Contingency Plan" submitted by letter dated May 8, 2006.

(2)

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved Sequoyah Nuclear Plant Cyber Security Plan submitted by letter dated July 23, 2010, and withheld from public disclosure in accordance with 10 CFR 2.390.

F.

Reactor Safety Methodology Applications Programs (Section 24.0)

TVA will provide a report prepared by the Kaman Sciences Corporation (KSC) on a full scale nuclear safety and availability analysis within six months from the date of the KSC report.

G.

This amended license is subject to the following additional condition for the protection of the environment:

Before engaging in additional construction or operational activities which may result in an environmental impact that was not evaluated by the Commission, Tennessee Valley Authority will prepare and record an environmental evaluation of such activity. When the evaluation indicates that such activity may result in a significant adverse environmental impact that was not evaluated, or that is significantly greater than that evaluated in the Final Environmental Statement prepared by the Tennessee Valley Authority and the Environmental Impact Appraisal prepared by the Commission in May 1979, the Tennessee Valley Authority shall provide a written evaluation of such activities and obtain prior approval from the Director, Office of Nuclear Reactor Regulation.

H.

Deleted

I.

TVA shall immediately notify the Commission of any accident at this facility which could result in an unplanned release of quantities of fission products in excess of allowable limits for normal operation established by the Commission.

Amendment 2, 65, 162, 170, 204, 214, 267, 273, 282,

J.

TVA shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

K.

This amended license is effective as of the date of issuance and shall expire September 15, 2021.

FOR THE NUCLEAR REGULATORY COMMISSION

Harold R. Denton, Director
Office of Nuclear Reactor Regulation

Attachments:

1. Attachment 1
2. Appendices A and B Technical Specifications

Date of Issuance: September 15, 1981

Amendment No. 2, 83,