ML110120041


E-mail - RAIs Cyber Security Amendments (TACs ME4225, ME4226, ME4228, ME4229, and ME4227)
Person / Time
Site: Harris, Brunswick, Crystal River, Robinson
Issue date: 12/20/2010
From: Farideh Saba
Plant Licensing Branch II
To: Castell C, Miller D, Murray W, Stacy K, Westcott D
Progress Energy Carolinas
Saba F, NRR/DORL/LPL2-2, 301-415-1447
References
TAC ME4225, TAC ME4226, TAC ME4227, TAC ME4228, TAC ME4229


Text

From: Saba, Farideh
Sent: Mon 12/20/2010 11:19AM
To: Miller, David (Bryan); Westcott, Daniel; Castell, Curt; Murray, William R. (Bill); Stacy, Kara
Cc: Mozafari, Brenda; Lingam, Siva
Subject: RAIs Cyber security amendments (ME4225, ME4226, ME4228, ME4229, and ME4227)

Importance: High

By letter dated July 8, 2010 (Agencywide Documents Access and Management System, Accession No. ML101950043), Carolina Power and Light Company and Florida Power Corporation (the licensee) resubmitted a request to amend the Facility Operating License (Nos. DPR-71, DPR-62, NPF-63, DPR-23 and DPR-72) for Brunswick Steam Electric Plant Unit Nos. 1 and 2; Shearon Harris Nuclear Power Plant Unit No. 1; H.B. Robinson Steam Electric Plant, Unit No. 2; and Crystal River Unit 3 Nuclear Generating Plant. Per the proposed license amendment, the licensee requested approval of the listed plants' Cyber Security Plan (CSP) (ML101950044), provided a proposed CSP Implementation Schedule, and included a proposed revision to the Facility Operating License to incorporate the provisions for implementing and maintaining in effect the provisions of the approved CSP. The licensee's amendment request was based on a generic template developed by the Nuclear Energy Institute in concert with the industry.

The Nuclear Regulatory Commission (NRC) staff reviewed the licensee's CSP and the proposed CSP Implementation Schedule and determined that additional information is required to complete its technical review. Please see the following requests for additional information (RAIs). These RAIs are reviewed in accordance with the guidance provided in Title 10 of the Code of Federal Regulations Section 2.390, and the NRC staff has determined that no security-related or proprietary information is contained therein.

If you have further questions or concerns, please contact me at (301) 415-1447 or by e-mail at farideh.saba@nrc.gov.

Farideh E. Saba, P.E.

Senior Project Manager
NRC/ADRO/NRR/DORL
301-415-1447
Mail Stop O-8G9A
Farideh.Saba@NRC.GOV

Cyber Security Plan (CSP) Section 4: Establishing, Implementing, and Maintaining the Cyber Security Program

RAI 1

RAI Title: Defense-in-Depth Protective Strategies - Restriction of one-way communications between levels

Title 10 of the Code of Federal Regulations (10 CFR) Section 73.54(c)(2) requires the licensee to apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks. Section 4.3, "Defense-in-Depth Protective Strategies," of the licensee's fleet CSP states in bullet nine, "Communications initiated from CDAs [critical digital assets] within the lower-level plant computing network (Level 3) to CDAs within the higher-level plant computing network (Level 4) is restricted as described in engineering design documentation."

Explain how one-way communications will be restricted between two different security levels/zones that will prevent any data transmission from the low security level to the higher security level.

RAI 2

RAI Title: Defense-in-Depth Protective Strategies - Restriction of bi-directional communications between levels

Section 73.54(c)(2) of 10 CFR requires the licensee to apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks. Section 4.3, "Defense-in-Depth Protective Strategies," of the licensee's fleet CSP states in bullet twelve, "The communications voice and data networks (Level 3 type network) provide service for emergency preparedness and security functions required to meet NUREG-0654 and Section 73.55(j) of 10 CFR requirements. Bi-directional communication with less secure domains is required. Boundary security controls are applied as determined by evaluation performed in accordance with Section 3.1.6 of the Cyber Security Plan."

Explain how the bi-directional communications will be secured between communications voice and data networks that will prevent any data transmission to level 3.