ML103440571
| ML103440571 | |
| Person / Time | |
|---|---|
| Site: | Palo Verde  |
| Issue date: | 12/16/2010 |
| From: | Hall J Plant Licensing Branch IV |
| To: | Edington R Arizona Public Service Co |
| Gibson, Lauren, NRR/DORL/LPL4, 415-1056 | |
| References | |
| TAC ME4428, TAC ME4429, TAC ME4430 | |
| Download: ML103440571 (4) | |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 December 16, 2010 Mr. Randall K. Edington Executive Vice President Nuclearl Chief Nuclear Officer Mail Station 7602 Arizona Public Service Company P.O. Box 52034 Phoenix, AZ 85072-2034
SUBJECT:
PALO VERDE NUCLEAR GENERATING STATION, UNITS 1, 2, AND 3 REQUEST FOR ADDITIONAL INFORMATION REGARDING REQUEST FOR APPROVAL OF CYBER SECURITY PLAN (TAC NOS. ME4428, ME4429, AND ME4430)
Dear Mr. Edington:
By letter dated July 22,2010, as supplemented by letters dated September 29 and November 30, 2010 (Agencywide Documents Access and Management System (ADAMS)
Accession Nos. ML102150230, ML102810308, and ML103420060, respectively), Arizona Public Service Company (the licensee), submitted a license amendment request for approval of the Palo Verde Nuclear Generating Station (PVNGS) Cyber Security Plan.
The U.S. Nuclear Regulatory Commission (NRC) staff has reviewed the information provided by the licensee and determined that the additional information identified in the enclosure to this letter is needed in order for the NRC staff to complete its review. The draft copy of the request for additional information was provided to Mr. Russell Stroud of your staff via e-mail on Friday, December 3, 2010. A conference call to clarify the requests for additional information was held with Mr. Tom Weber and other members of your staff on December 10,2010. During that call, Mr. Weber agreed to provide a response to the requests for additional information by January 21, 2010.
If you have any questions, please contact me at (301) 415-4032 or via e-mail at randy. hall@nrc.gov.
Sincerely,
~1se:eeCI Manager
~~~i~~~Sing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. STN 50-528, STN 50-529, and STN 50-530
Enclosure:
As stated cc w/encl: Distribution via Listserv
REQUEST FOR ADDITIONAL INFORMATION REQUEST FOR APPROVAL OF THE CYBER SECURITY PLAN PALO VERDE NUCLEAR GENERATING STATION, UNITS 1,2, AND 3 DOCKET NOS. STN-50-528, STN-50-529, AND STN-50-530 ARIZONA PUBLIC SERVICE COMPANY By letter dated July 22, 2010, as supplemented by letters dated September 29 and November 30,2010 (Agencywide Documents Access and Management System (ADAMS)
Accession Nos. ML102150230, ML102810308, and ML103420060, respectively), Arizona Public Service Company (the licensee), submitted a license amendment request for approval of the Palo Verde Nuclear Generating Station (PVNGS) Cyber Security Plan (CSP). The U.S. Nuclear Regulatory Commission (NRC) staff requests that the licensee provide additional information in support of the request for approval, as follows:
- 1.
Cyber Security Threat Evaluation (CSP Section 3.1.2: Cyber Security Assessment Team)
The NRC regulation in Title 10 of the Code of Federal Regulations (10 CFR) 73.54(d)(2) requires the licensee to evaluate and manage cyber risks. The PVNGS CSP Section 3.1.2, "Cyber Security Assessment Team," (CSAT) states, in part, that one of the roles and responsibilities of the CSAT is "Evaluating assumptions and conclusions about known cyber security threats; potential vulnerabilities to, and consequences from an attack; the effectiveness of existing cyber security controls, defensive strategies, and attack mitigation methods; cyber security awareness and training of those working with, or responsible for CDAs [critical digital assets] and cyber security controls throughout their system life cycles;..." The above language deviates from the template by inserting the word "known" which could limit the scope of the CSAT evaluations.
Please explain how PVNGS uses the process described above to stay current on unknown or emerging cyber security threats.
- 2.
Mitigation and Incident Response for Non-Remote Attacks (CSP Section 4.6: Attack Mitigation and Incident Response)
The NRC regulation in 10 CFR 73.54(a) requires the licensee to "provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in §73.1." The regulations in 10 CFR 73.54(e)(2) require the licensee's cyber security program to "include measures for incident response and recovery for cyber attacks."
Section 4.6, "Attack Mitigation and Incident Response," of the PVNGS CSP states "Policies, procedures, and programs (as outlined in the PVNGS Cyber Security Program) document cyber security controls to deny, deter, and detect adverse threats Enclosure
- 2 and conditions to CDAs that may be susceptible to remote cyber attacks which exploit system vulnerabilities." PVNGS deviated from the template in NEI 08-09, Rev. 6, "Cyber Security Plan for Nuclear Reactors," by inserting the word "remote" which could exclude insider attacks from consideration.
Please explain how the PVNGS will deny, deter, and detect threats and conditions to CDAs that may be susceptible to cyber attacks which are not remote (e.g., on-site).
- 3.
Eliminate vs. Mitigate Flaws in CDAs (CSP Appendix E: Operational and Management Cyber Security Controls (Section 3.2 of Appendix E))
The NRC regulation in 10 CFR 73.54(a)(1) requires that "the licensee shall protect digital computer and communication systems and networks associated with: (i) Safety-related and important-to-safety functions; (ii) Security functions; (iii) Emergency preparedness functions, including offsite communications"; and 10 CFR 73.54(c)(1) requires that the cyber security program must be designed to "implement security controls to protect the assets identified by paragraph (b)(1) of this section from cyber attacks." Furthermore, 10 CFR 73.54(d)(3) requires the licensee to "ensure that modifications to assets, identified by paragraph (b)(1) of this section, are evaluated before implementation to ensure that the cyber security performance objectives identified in paragraph (a)(1) of this section are maintained."
The PVNGS CSP, Deviation Table, suggests that Section 3.2 of Appendix E be changed. The current text reads, "Perform vulnerability scans or assessments of the CDA to validate that the flaw has been eliminated before the CDA is put into production."
The deviation suggested is to replace the word 'eliminated' with the word 'mitigated.'
The rationale for this change was that "It is very unlikely that there will be a case where the 'flaws' themselves can be completely 'eliminated.'" The proposed action in the revised PVNGS CSP would be to mitigate any flaws prior to equipment installation.
Please describe the processes, methods, and considerations to mitigate (which means to become less harsh or less severe) rather than eliminate (which means to remove) flaws before a compromised CDA is put back into production. If alternative controls are used, please explain the process and provide the criteria for selecting alternate controls to mitigate rather than eliminate any flaws in a CDA and clarify that the justification process provides equivalent protection in lieu of the security controls from Appendices D and E that cannot be implemented.
-by memo dated OFFICE NRRlLPL4/PM NRRlLPL4/PM NRRlLPL4/LA NSIRlDDRS/ISCPB/BC NRRlLPL4/BC NRRlLPL4/PM NAME LKGibson JRHaJl JBurkhardt CErlanger-MMarkley JRHall DATE 12/14/10 12/15/10 12/14/10 11/30/10 12/16/10 12/16/10