ML110110508
| ML110110508 | |
| Person / Time | |
|---|---|
| Site: | Monticello, Prairie Island |
| Issue date: | 01/07/2011 |
| From: | Thomas Wengert Plant Licensing Branch III |
| To: | Vincent D Division of Operating Reactor Licensing |
| Wengert, Thomas | |
| References | |
| TAC ME4272, TAC ME4294, TAC ME4295 | |
Text
From: Wengert, Thomas
Sent: Friday, January 07, 2011 1:16 PM
To: Vincent, Dale M.
Cc: Tam, Peter
Subject: XCEL (Monticello and Prairie Island) Cyber Security Plan LAR - Draft RAI #1 (TAC Nos. ME4272, ME4294, and ME4295)
Attachments: XCEL Draft RAI#1 for CSP LAR.pdf
Dale,

See attached Draft RAI #1 for the subject LAR. Please review and let me know if you would like me to arrange a telecon with the NRC staff to clarify the request. Also, let's discuss the response time for these RAIs.

Regards,
Tom Wengert
USNRC Project Manager - Prairie Island
NRR/DORL/LPLIII-1
(301) 415-4037
REQUEST FOR ADDITIONAL INFORMATION (RAI)
REGARDING APPROVAL OF CYBER SECURITY PLAN
NORTHERN STATES POWER COMPANY - MINNESOTA
MONTICELLO NUCLEAR GENERATING PLANT, UNIT 1
PRAIRIE ISLAND NUCLEAR GENERATING PLANT
DOCKET NOS. 50-263 50-282 AN

Cyber Security Plan (CSP) Section 4: Establishing Cyber Security Program

RAI 1: Clarifying the Site Defensive Model
.54 (c)(2) calls for the licensee rn,.
..." and 10 CFR 73.54(d)(2) calls provides two examples of age 12, section 4.3, third paragraph) tween Leve d Level 2 is implemented by one or more CDAs in or above Level 3. Information flows between Levels e of defense-in-depth techniques that utilize technologies trusion detection systems and strategic local area but both relate to the defensive architecture:
1. What are s or methods" (these words are not used in the NEI 08-09 template) re o in the Monticello and Prairie Island CSP? Provide an explanation of how this is equivalent to unidirectional communication devices (e.g., data diodes) or air gaps.
2. The Monticello and Prairie Island CSP uses the term "such as", which means these are just examples and the application of only one approach (e.g., a firewall alone) may suffice. Clarify how this approach is equivalent to an approach that incorporates both a firewall and a network intrusion detection system (i.e., two independent protection methods).
RAI 2: Timeframe for Verifying Security Controls

Section 73.54(g) of 10 CFR states: "The licensee shall review the cyber security program as a component of the physical security program in accordance with the requirements of § 73.55(m), including the periodicity requirements." And, 10 CFR 73.55(m) states that the Security Program be reviewed: "(1) As a minimum the licensee shall review each element of the physical protection program at least every 24 months."
Monticello and Prairie Island CSP states on page 14, section 4.4.
assessments are performed to verify that the cyber security co remain in place throughout the life cycle, The assessment g e
'Il ifles the status of these cyber security controls at least every 36 months or in acc ce requirements for utilized cyber security controls as des d in Appen NEI 08-09. Revision 6, whichever is more frequent.
Clarify how a periodicity of 36 months for the as eets the requirements of 10 CFR 73.55(m) for 24 months.