ML103610351
| ML103610351 | |
| Person / Time | |
|---|---|
| Site: | Pilgrim |
| Issue date: | 01/05/2011 |
| From: | Richard Guzman Plant Licensing Branch 1 |
| To: | Entergy Nuclear Operations |
| Guzman R, NRR/DORL, 415-1030 | |
| References | |
| TAC ME4351 | |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

January 5, 2011

Site Vice President
Entergy Nuclear Operations, Inc.
Pilgrim Nuclear Power Station
600 Rocky Hill Road
Plymouth, MA 02360-5508

SUBJECT: REQUEST FOR ADDITIONAL INFORMATION TO SUPPORT THE REVIEW OF PILGRIM NUCLEAR POWER STATION CYBER SECURITY PLAN (ID: 2.10.034) (TAC NO. ME4351)
Dear Sir or Madam:
By letter dated July 15, 2010 (Agencywide Documents Access and Management System, Accession No. ML101970359), Entergy Nuclear Operations, Inc. (the licensee) resubmitted a request to amend the Facility Operating License (No. DPR-35) for Pilgrim Nuclear Power Station (PNPS). Per the proposed license amendment, the licensee requested approval of the PNPS Cyber Security Plan (CSP), provided a proposed CSP Implementation Schedule, and included a proposed revision to the Facility Operating License to incorporate the provisions for implementing and maintaining in effect the provisions of the approved CSP. The licensee's amendment request was based on a generic template developed by the Nuclear Energy Institute in concert with the industry.
The Nuclear Regulatory Commission (NRC) staff is reviewing the CSP and the proposed CSP Implementation Schedule and has determined that additional information is required to complete its technical review. A supplemental request for additional information is included as an Enclosure and was reviewed in accordance with the guidance provided in Title 10 of the Code of Federal Regulations Section 2.390, and the NRC staff has determined that no security related or proprietary information is contained therein. A response to this RAI is requested to be provided by February 15, 2011.
Sincerely,

Richard V. Guzman, Senior Project Manager
Plant Licensing Branch 1-1
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket No. 50-293

Enclosure: As stated

cc w/encl: Distribution via Listserv
REQUEST FOR ADDITIONAL INFORMATION (RAI) ON THE REQUEST FOR APPROVAL OF THE PILGRIM NUCLEAR POWER STATION (PILGRIM) CYBER SECURITY PLAN

Cyber Security Plan (CSP) Sections 1, 2, 3, and 4: Introduction; CSP; Analyzing Digital Computer Systems and Networks; and Establishing, Implementing, and Maintaining the Cyber Security Program

RAI 1

RAI Title: Appropriate References to CSP Sections and Sub-Sections

Title 10 of the Code of Federal Regulations (10 CFR) Section 73.54(e) requires the licensee to establish, implement, and maintain a CSP that implements the Cyber Security Program requirements of this section. Section 73.54(e)(1) of 10 CFR states; "the cyber security plan must describe how the requirements of this section will be implemented and must account for the site-specific conditions that affect implementation." The Pilgrim CSP provides sufficient detail and scope in its description on how it will meet requirements specified in the 10 CFR Section 73.54(e) rulings cited above. However, the submitted CSP does not contain section or sub-section numbers. Throughout the CSP, references are made to section(s) numbers within the plan that do not exist. Therefore, references in the CSP to various internal sections as evidence of compliance with 10 CFR 73.54(e) are invalid, since the section numbers are missing.
Please provide the necessary page and paragraph references or other indicators to ensure that the proper connection is made between a referenced section or sub-section and its actual location within the CSP.
CSP Section 4: Establishing, Implementing, and Maintaining the Cyber Security Program

RAI 2

RAI Title: Defense-in-Depth Protective Strategies - Critical Digital Asset (CDA) Isolation Strategies

Section 73.54(c)(2) of 10 CFR requires the licensee to apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks. Section 4.3, "Defense-in-Depth Protective Strategies," of the Pilgrim CSP states in several instances when referring to protections which isolate or secure CDAs within various cyber security defensive levels, that boundaries may be secured via "an air gap or deterministic one-way isolation device such as a data diode or hardware VPN [virtual private network]."
Please clarify how hardware VPNs will sufficiently protect CDAs within defensive boundaries, including an explanation of the technical configurations that would enable it to mimic the capabilities of a deterministic one-way isolation device.
RAI 3

RAI Title: Defense-in-Depth Protective Strategies - Protection of CDAs Associated with Emergency Preparedness Functions

Section 73.54(a)(1) of 10 CFR requires that "The licensee shall protect digital computer and communication systems and networks associated with... (iii) Emergency preparedness functions, including offsite communications; and (iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions."
Section 4.3, "Defense-in-Depth Protective Strategies," of the Pilgrim CSP, in describing its site defensive model, states that CDAs that "are not required to be within Level 4 due to their safety or security significance, and that perform security or Emergency Plan functions and security or Emergency Plan data acquisition or that perform safety monitoring, are within Level 3."
Furthermore, the CSP states that "CDAs that are not required to be in at least Level 3 and that perform or support Emergency Plan functions are within Level 2."
The CSP does not indicate which protective strategies will be implemented for CDAs that perform Emergency Preparedness functions. Please clarify: (1) the distinction between CDAs that perform Emergency Planning and Emergency Preparedness functions; and (2) which protective strategies will be implemented for CDAs that perform "emergency preparedness" functions.
DISTRIBUTION:
PUBLIC, RidsNrrDorlLpl1-1 Resource, RidsRgn1MailCenter, RidsNrrLASLittle, RidsNsirDsp Resource, RidsNrrPMPilgrim, RidsAcrsAcnw_MailCenter Resource, PPederson

ADAMS Accession No.: ML103610351

\* RAI provided by memo. No substantial changes made. \*\* Concurrence via e-mail

| OFFICE | LPL1-1/PM | LPL1-1/LA | NSIR/DSP/ISCPB | LPL1-1/BC |
|---|---|---|---|---|
| NAME | RGuzman | SLittle** | CErlanger* | NSalgado |
| DATE | 1/3/11 | 1/3/11 | 12/14/10 | 1/5/11 |

OFFICIAL RECORD COPY