Second Supplement to Request for Approval of Cyber Security Plan

ML102090054
Person / Time
Site:	Watts Bar
Issue date:	07/23/2010
From:	Krich R Tennessee Valley Authority
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
TAC ME2677, TAC ME2679, WBN-TS-09-23
Download: ML102090054 (13)
v • d • e

Text

SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR 2.390 Tennessee Valley Authority 1101 Market Street, LP 3R Chattanooga, Tennessee 37402-2801 R. M. Krich Vice President Nuclear Licensing July 23, 2010 10 CFR 50.4 10 CFR 50.90 WBN-TS-09-23 ATTN: Document Control Desk U.S. Nuclear Regulatory Commission Washington, D.C. 20555-0001 Watts Bar Nuclear Plant, Units 1 and 2 Facility Operating License No. NPF-90 NRC Docket Nos. 50-390 and 50-391

Subject:

Second Supplement to Request for Approval of the Watts Bar Nuclear Plant Cyber Security Plan

References:

1. Letter from TVA to NRC, "Request for Approval of the Watts Bar Nuclear Plant Cyber Security Plan," dated November 23, 2009

2. Letter from TVA to NRC, "Supplement to Request for Approval of the Watts Bar Nuclear Plant Cyber Security Plan," dated December 18, 2009

3. Letter from NRC to TVA, "Watts Bar Nuclear Plant, Units 1 and 2 -

License Amendment Request for Approval of the Cyber Security Plan (TAC Nos. ME2677 and ME2679)," dated May 24, 2010

4. Letter from NRC to NEI, "Nuclear Energy Institute 08-09, 'Cyber Security Plan Template, Rev. 6,"' dated June 7, 2010 By letter dated November 23, 2009 (Reference 1) as supplemented December 18, 2009 (Reference 2), the Tennessee Valley Authority (TVA) submitted a license amendment request (LAR) for Watts Bar Nuclear Plant, Unit 1. The proposed LAR included proposed changes to the existing Watts Bar Nuclear Plant, Unit 1 operating license's Physical Protection license condition, a proposed Cyber Security SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 ENCLOSURES 2 AND 3 TO THIS LETTER CONTAIN SECURITY-RELATED INFORMATION. SECURITY-RELATED INFORMATION CLASSIFICATIONS DOES NOT APPLY TO THIS PAGE WHEN SEPARATED FROM ENCLOSURES 2 AND 3.

printed on recycled paper 5W,4

SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR 2.390 U.S. Nuclear Regulatory Commission Page 2 July 23, 2010 Plan Implementation Schedule, and the Cyber Security Plan. This information was provided in the following Enclosures of the November 23, 2009 letter: - Evaluation of Proposed Change - Watts Bar Nuclear Plant Cyber Security Plan Implementation Schedule - Watts Bar Nuclear Plant Cyber Security Plan Because of concerns with the Nuclear Energy Institute (NEI) guidance used to prepare the Cyber Security Plan, the Nuclear Regulatory Commission (NRC) by letter dated May 24, 2010 (Reference 3) requested TVA to provide a revised submittal to comply with the requirements of 10 CFR 73.54. The NRC further stated in the May 24, 2010 letter that submission of a cyber security plan using the template provided in NEI 08-09, "Cyber Security Plan Template," Revision 6, dated April 2010 would be acceptable to comply with the requirements of 10 CFR 73.54, with the exception of the definition of "cyber attack." The NRC requested a response within 60 days of the May 24, 2010 letter. This response is due by July 23, 2010.

TVA understands that NEI 08-09, Revision 6 addresses all the generic issues, with the exception to the "cyber attack" definition, provided in the March 9, 2010 e-mail referenced in the May 24, 2010 letter. TVA is therefore providing a revised cyber security plan as provided in Enclosure 3 of this letter. This cyber security plan was prepared using the NEI 08-09, Revision 6 template. The only exception taken to NEI 08-09, Revision 6, is the definition of "cyber attack." As noted in the cyber security plan and the Deviation Table attached to Enclosure 3, the definition used in TVA's submitted plan is: "any event in which there is reason to believe that an adversary has committed or caused, or attempted to commit or cause, or has made a credible threat to commit or cause malicious exploitation of a CDA (critical digital asset)." This definition was determined acceptable in NRC's June 7, 2010 letter (Reference 4). Enclosure 3 of this letter supersedes, in its entirety, the Enclosure 3 submitted in the November 23, 2009 letter.

In addition, TVA is providing revised Watts Bar Nuclear Plant Cyber Security Plan Implementation Schedules for Unit 1 and Unit 2 as provided in Enclosure 2 of this letter. The implementation schedules have been revised to include additional milestones and to provide a basis for the proposed completion dates. The Unit 1 implementation date follows the last scheduled refueling outage needed to implement the potential system modifications. Enclosure 2 of this letter supersedes, in its entirety, the Enclosure 2 submitted in the November 23, 2009 letter.

Based on discussions with the NRC, the Watts Bar, Unit 2 construction completion project expects to complete the implementation of the Cyber Security Program prior to licensing. As a result, Watts Bar, Unit 2 will have sufficient design and implementation activities completed to support an audit/inspection in April 2011.

SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 ENCLOSURES 2 AND 3 TO THIS LETTER CONTAIN SECURITY-RELATED INFORMATION. SECURITY-RELATED INFORMATION CLASSIFICATIONS DOES NOT APPLY TO THIS PAGE WHEN SEPARATED FROM ENCLOSURES 2 AND 3.

SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 U.S. Nuclear Regulatory Commission Page 3 July 23, 2010 provides revisions to the proposed change to the license previously provided in Enclosure 1 of the November 23, 2009 letter. These revisions are a result of updating the Cyber Security Plan from Revision 3 to Revision 6 of NEI 08-09 and changing the date the Plan was submitted. In Section 3.0, "Technical Evaluation,"

reference to "Appendix A, Table 1" was deleted and is indicated by the strikethrough text and revision bar. This Table was removed in NEI 08-09, Revision 6. In Section 6.0, "References," Reference 3 was revised and is indicated by the bold text and revision bar. Attachments 1 and 2 were revised to change the date the Cyber Security Plan was submitted from "November 23, 2009" to "July 23, 2010." These revisions supersede Section 3.0, Section 6.0, and Attachments 1 and 2 provided in Enclosure 1 of the November 23, 2009 letter.

TVA has determined that the additional information provided by this letter does not affect the no significant hazards considerations associated with the proposed license amendment submitted by Reference 2. The determination of "no significant hazards consideration," provided in Reference 2 is only applicable to the Watts Bar, Unit 1 portion of the submittals as Unit 2 is in construction status.

TVA requests that Enclosures 2 and 3, which contain sensitive information, be withheld from public disclosure in accordance with 10 CFR 2.390, "Public inspections, exemptions, requests for withholding." Additionally, in accordance with 10 CFR 50.91 (b)(1), TVA is sending a copy of this letter and attachments to the Tennessee State Department of Environment and Conservation.

There are no commitments associated with this submittal. If you have any questions about this change, please contact Kevin Casey at (423) 751-8523.

I declare under penalty of perjury that the foregoing is true and correct. Executed on this 23rd day of July, 2010.

Respectfully, J

Enclosures

1. Evaluation of Proposed Change

2. Watts Bar Nuclear Plant Cyber Security Plan Implementation Schedule

3. Watts Bar Nuclear Plant Cyber Security Plan cc: See Page 4 SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR 2.390 ENCLOSURES 2 AND 3 TO THIS LETTER CONTAIN SECURITY-RELATED INFORMATION. SECURITY-RELATED INFORMATION CLASSIFICATIONS DOES NOT APPLY TO THIS PAGE WHEN SEPARATED FROM ENCLOSURES 2 AND 3.

SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR 2.390 U.S. Nuclear Regulatory Commission Page 4 July 23, 2010 cc (Enclosures):

NRC Regional Administrator - Region II NRC Senior Resident Inspector - Watts Bar Nuclear Plant Director, Division of Radiological Health - Tennessee State Department of Environment and Conservation (w/o Enclosures 2 & 3)

SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR 2.390 ENCLOSURES 2 AND 3 TO THIS LETTER CONTAIN SECURITY-RELATED INFORMATION. SECURITY-RELATED INFORMATION CLASSIFICATIONS DOES NOT APPLY TO THIS PAGE WHEN SEPARATED FROM ENCLOSURES 2 AND 3.

Enclosure I Evaluation of Proposed Change Request for Approval of the Watts Bar Nuclear Plant Cyber Security Plan

SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR 2.390

3.0 TECHNICAL EVALUATION

Federal Register Notice 74 FR 13926 issued the final rule that amended 10 CFR Part 73.

Cyber security requirements are codified as new 10 CFR 73.54 and are designed to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the design basis threat established by 10 CFR 73.1 (a)(1 (v). These requirements are substantial improvements upon the requirements imposed by EA-02-026 (Reference 6.2).

NEI 08-09, "Cyber Security Plan Template," provides an approach for complying with the Commission's regulations for protecting digital computers, communications systems, and networks. NEI Q8109 has been submitted to the NR, (Reference 6.3) fr. use by l..icensees

,n develo*p.ent of their own ybe. se*ur.ity plans. The Watts Bar Nuclear Plant Cyber Security Plan is in accordance with NEI 08-09 (Reference 6.3). with the exception that Appendix A, Table 1, 'Systems Within the Scopo of 10- CE-FR 73.54," and the- ;asociated referern;ces to Table 1 haVe not been irnclud ed-iR the Cyber Secu,,rity Plan. The r*r*e*oal o Tab;-lo-1 was-ba-sed on NIRC foeQdb~ack ;and is cnesidered acceptable si~nce the-Table 1-lI.istiRg of syste_÷ms Within the soGpe of 10 CFR 73.51 wi

-b aVailAbl.e for inspection-t on9 site This LAR includes the proposed Plan (Enclosure 3) that conforms to the template provided in NEI 08-09. In addition the LAR includes the proposed change to the existing FOL license condition for "Physical Protection" (Attachments 1 and 2) for WBN Unit 1. Finally, the LAR contains the proposed Implementation Schedule (Enclosure 2) as required by 10 CFR 73.54.

E1-1 SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 ENCLOSURES 2 AND 3 TO THIS LETTER CONTAIN SECURITY-RELATED INFORMATION. SECURITY-RELATED INFORMATION CLASSIFICATIONS DOES NOT APPLY TO THIS PAGE WHEN SEPARATED FROM ENCLOSURES 2 AND 3.

SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390

6.0 REFERENCES

1. Federal Register Notice, Final Rule 10 CFR Part 73, Power Reactor Security Requirements, published on March 27, 2009, 74 FR 13926.

2. EA-02-026, Order Modifying Licenses, Safeguards and Security Plan Requirements, issued February 25, 2002.

3. Letter from NRC to Nuclear Energy Institute, "Nuclear Energy Institute 08-09,

'Cyber Security Plan Template, Rev 6,"' dated May 5, 2010.

E1-2 SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR 2.390 ENCLOSURES 2 AND 3 TO THIS LETTER CONTAIN SECURITY-RELATED INFORMATION. SECURITY-RELATED INFORMATION CLASSIFICATIONS DOES NOT APPLY TO THIS PAGE WHEN SEPARATED FROM ENCLOSURES 2 AND 3.

SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR 2.390 Proposed Facility Operating License Change (Marked-up)

E1-3 SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR 2.390 ENCLOSURES 2 AND 3 TO THIS LETTER CONTAIN SECURITY-RELATED INFORMATION. SECURITY-RELATED INFORMATION CLASSIFICATIONS DOES NOT APPLY TO THIS PAGE WHEN SEPARATED FROM ENCLOSURES 2 AND 3.

5 (2)

The facility was previously granted an exemption from the criticality monitoring requirements of 10 CFR 70.24 (see Special Nuclear Material License No. SNM-1861 dated September 5, 1979). The technical justification is contained in Section 9.1 of Supplement 5 to the Safety Evaluation Report, and the staffs environmental assessment was published on April 18, 1985 (50 FR 15516). The facility is hereby exempted from the criticality alarm system provisions of 10 CFR 70.24 so far as this section applies to the storage of fuel assemblies held under this license.

(3)

The facility requires an exemption from 10 CFR 73.55(c)(1 0). The justification for this exemption is contained in Section 13.6.9 of Supplement 15 and 20 to the Safety Evaluation Report. The staffs environmental assessment was published on April 25, 1995 (60 FR 20291). Pursuant to 10 CFR 73.5, the facility is exempted from the stated implementation schedule of the surface vehicle bomb rule, and may implement the same as late as February 17, 1996.

(4)

The facility was previously granted an exemption from certain requirements of 10 CFR 73.55(d)(5) relating to the returning of picture badges upon exit from the protected areas, such that individuals not employed by TVA who are authorized unescorted access into protected areas can take their badges offsite (see 59 FR 66061, December 22, 1994). The granting of this exemption is hereby affirmed.

(5)

The facility was previously granted an exemption from certain requirements of 10 CFR 50, Appendix E, such that the State of Tennessee, which is within the ingestion exposure pathway emergency planning zone, need not participate in the November 1995 full-participation exercise (see 60 FR 54526, October 24, 1995). The granting of this exemption is hereby affirmed.

E.

TVA shall fully implement and maintain in effect all provisions of the Commission approved physical security, training and qualification, and INSERT safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "Watts Bar Nuclear Plant Security Plan, Training and Qualification Plan, and Safeguards Contingency Plan, Revision 3," submitted by letter dated May 16, 2006.

INSERT F.

TVA shall implement and maintain in effect all provisions of the approved fire protection program as described in the Fire Protection Report for the facility, as approved in Supplements 18 and 19 of the SER (NUREG-0847) subject to the following provision:

TVA may make changes to the approved fire protection program without prior approval of the Commission, only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

(2)

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved Watts Bar Nuclear Plant Cyber Security Plan submitted by letter dated July 23, 2010, and withheld from public disclosure in accordance with 10 CFR 2.390.

Revised by letter dated A, 'gp ist 9, 0NN7 and Correction letter dated September 18, 2007 E 1-4

5a G.

Except as otherwise provided in the Technical Specifications (Appendix A to this license) or Environmental Protection Plan (Appendix B to this license), TVA shall report any violations of the requirements contained in Section 2.C of this license in the following manner: initial notification shall be made within twenty-four (24) hours to the NRC Operations Center via the Emergency Notification System with written follow-up within 30 days in accordance with the procedures described in 10 CFR 50.73 (b), (c), and (e).

H.

The licensee shall have and maintain financial protection of such types and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

Revised by letter dated August 9, 2007 E 1-5

SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR 2.390 Proposed Facility Operating License Change (Re-Typed)

E1-6 SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR 2.390 ENCLOSURES 2 AND 3 TO THIS LETTER CONTAIN SECURITY-RELATED INFORMATION. SECURITY-RELATED INFORMATION CLASSIFICATIONS DOES NOT APPLY TO THIS PAGE WHEN SEPARATED FROM ENCLOSURES 2 AND 3.

5 (2)

The facility was previously granted an exemption from the criticality monitoring requirements of 10 CFR 70.24 (see Special Nuclear Material License No. SNM-1 861 dated September 5, 1979). The technical justification is contained in Section 9.1 of Supplement 5 to the Safety Evaluation Report, and the staffs environmental assessment was published on April 18, 1985 (50 FR 15516). The facility is hereby exempted from the criticality alarm system provisions of 10 CFR 70.24 so far as this section applies to the storage of fuel assemblies held under this license.

(3)

The facility requires an exemption from 10 CFR 73.55(c)(10). The justification for this exemption is contained in Section 13.6.9 of Supplement 15 and 20 to the Safety Evaluation Report. The staffs environmental assessment was published on April 25, 1995 (60 FR 20291). Pursuant to 10 CFR 73.5, the facility is exempted from the stated implementation schedule of the surface vehicle bomb rule, and may implement the same as late as February 17, 1996.

(4)

The facility was previously granted an exemption from certain requirements of 10 CFR 73.55(d)(5) relating to the returning of picture badges upon exit from the protected areas, such that individuals not employed by TVA who are authorized unescorted access into protected areas can take their badges offsite (see 59 FR 66061, December 22, 1994). The granting of this exemption is hereby affirmed.

(5)

The facility was previously granted an exemption from certain requirements of 10 CFR 50, Appendix E, such that the State of Tennessee, which is within the ingestion exposure pathway emergency planning zone, need not participate in the November 1995 full-participation exercise (see 60 FR 54526, October 24, 1995). The granting of this exemption is hereby affirmed.

E.

(1)

TVA shall fully implement and maintain in effect all provisions of the Commission approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "Watts Bar Nuclear Plant Security Plan, Training and Qualification Plan, and Safeguards Contingency Plan, Revision 3," submitted by letter dated May 16, 2006.

(2)

The licensee shall fully implement and maintain in effect all provisions of the commission-approved Watts Bar Nuclear Plant Cyber Security Plan submitted by letter dated July 23, 2010, and withheld from public disclosure in accordance with 10 CFR 2.390.

Revised by letter dated August 9, 2007 and Correction letter dated September 18, 2007 Amendment No. [#]

E 1-7

SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR 2.390 5a F.

TVA shall implement and maintain in effect all provisions of the approved fire protection program as described in the Fire Protection Report for the facility, as approved in Supplements 18 and 19 of the SER (NUREG-0847) subject to the following provision:

TVA may make changes to the approved fire protection program without prior approval of the Commission, only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

G.

Except as otherwise provided in the Technical Specifications (Appendix A to this license) or Environmental Protection Plan (Appendix B to this license), TVA shall report any violations of the requirements contained in Section 2.C of this license in the following manner: initial notification shall be made within twenty-four (24) hours to the NRC Operations Center via the Emergency Notification System with written follow-up within 30 days in accordance with the procedures described in 10 CFR 50.73 (b), (c), and (e).

H.

The licensee shall have and maintain financial protection of such types and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

Revised by letter dated August 9, 2007 Amendment No. [#]

E 1-8