SBK-L-11059, Response to Request for Information Regarding Approval of Cyber Security Plan


Response to Request for Information Regarding Approval of Cyber Security Plan
ML110950648
Person / Time
Site: Seabrook
Issue date: 03/31/2011
From: Freeman P
NextEra Energy Seabrook
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
SBK-L-11059, TAC ME4453


Text

Security Related Information
Withhold From Public Disclosure Under 10 CFR 2.390

NextEra Energy Seabrook

March 31, 2011

10 CFR 50.4
10 CFR 50.90
SBK-L-11059
Docket No. 50-443

U. S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555-0001

Seabrook Station
Response to Request for Information Regarding Approval of Seabrook Station Cyber Security Plan

References:

1. NextEra Energy Seabrook letter SBK-L-10119, "License Amendment Request 10-04, Amendment to the Facility Operating License and Submittal of the Seabrook Station Cyber Security Plan," July 26, 2010
2. NextEra Energy Seabrook letter SBK-L-10160, "Notification Letter Designating Seabrook Station Balance of Plant Systems within the Cyber Security Rule Scope," September 28, 2010
3. NextEra Energy Seabrook letter SBK-L-10186, "Supplement to License Amendment Request 10-04, Amendment to the Facility Operating License and Submittal of the Seabrook Station Cyber Security Plan," November 16, 2010
4. NRC letter "Seabrook Station Unit No. 1 - Request for Additional Information Regarding Approval of Cyber Security Plan (TAC No. ME4453)," March 4, 2011

In accordance with the provisions of 10 CFR §50.4 and §50.90, NextEra Energy Seabrook, LLC (NextEra) submitted Reference 1 requesting an amendment to the Facility Operating License (FOL) for Seabrook Station, Unit No. 1. The proposed amendment requested NRC approval of the Seabrook Station Cyber Security Plan, provided an implementation schedule, and added a sentence to the existing Physical Security license condition to require NextEra to fully implement and maintain in effect all provisions of the Commission approved cyber security plan.

Enclosure 3 to this letter contains Security-Related Information. Upon separation, this page is uncontrolled.

NextEra Energy Seabrook, LLC, P.O. Box 300, Lafayette Road, Seabrook, NH 03874

In Reference 2, NextEra provided notification designating the Seabrook Station balance of plant systems within the scope of the cyber security rule and committed to supplement its Cyber Security Plan. Reference 3 supplemented Reference 1 with a change to Section 2.1, "Scope and Purpose," that clarified the balance of plant structures, systems, and components that will be included in the scope of the cyber security program.

In Reference 4, the NRC staff determined that additional information is required to complete its review of the submittal. This letter provides NextEra's response to the request for additional information.

Enclosure 1 contains NextEra's response to the request for additional information.

Enclosure 2 provides an evaluation of the proposed change and includes the following attachments:

  • Attachment 1 provides the existing FOL page marked up to show the proposed change.
  • Attachment 2 provides the proposed FOL change in final typed format.

Enclosure 3 provides the Seabrook Station Cyber Security Plan with sections 2.1 and 4.13 revised. NextEra requests that Enclosure 3, which contains security-related information, be withheld from public disclosure in accordance with 10 CFR 2.390.

Enclosure 4 provides a revised cyber security plan implementation schedule.

The changes to the proposed amendment do not alter the conclusion in Reference 1 that the proposed change does not involve a significant hazard consideration pursuant to 10 CFR 50.92. The Seabrook Station Operation Review Committee has reviewed this change, and a copy of this letter has been forwarded to the New Hampshire State Liaison Officer pursuant to 10 CFR 50.91.

Should you have any questions regarding this letter, please contact Mr. Michael O'Keefe, Licensing Manager, at (603) 773-7745.

Sincerely,

NextEra Energy Seabrook, LLC

Paul Freeman
Site Vice President

Enclosure 1 - Response to the Request for Additional Information
Enclosure 2 - Evaluation of Proposed Change
Enclosure 3 - Seabrook Station Cyber Security Plan
Enclosure 4 - Cyber Security Plan Implementation Schedule

cc:
NRC Region I Administrator
G. E. Miller, NRC Project Manager
W. J. Raymond, NRC Resident Inspector

Mr. Christopher M. Pope, Director Homeland Security and Emergency Management
New Hampshire Department of Safety
Division of Homeland Security and Emergency Management
Bureau of Emergency Management
33 Hazen Drive
Concord, NH 03305

John Giarrusso, Jr., Nuclear Preparedness Manager
The Commonwealth of Massachusetts
Emergency Management Agency
400 Worcester Road
Framingham, MA 01702-5399

The following information is enclosed in support of this License Amendment Request:

  • Enclosure 1 - Response to the Request for Additional Information
  • Enclosure 2 - Evaluation of Proposed Change
  • Enclosure 3 - Seabrook Station Cyber Security Plan
  • Enclosure 4 - Cyber Security Plan Implementation Schedule

I, Paul Freeman, Site Vice President of NextEra Energy Seabrook, LLC hereby affirm that the information and statements contained within this response to the request for additional information are based on facts and circumstances which are true and accurate to the best of my knowledge and belief.

Sworn and Subscribed before me this [illegible] day of [illegible], 2011

Notary Public

Paul Freeman
Site Vice President

ENCLOSURE 1

Response to the Request for Additional Information

RAI 01: Records Retention

Title 10 of the Code of Federal Regulations (10 CFR) Section 73.54(c)(2) requires licensees to design a cyber security program to ensure the capability to detect, respond to, and recover from cyber attacks. Furthermore, 10 CFR 73.54(e)(2)(i) requires licensees to maintain a Cyber Security Plan (CSP) that describes how the licensee will maintain the capability for timely detection and response to cyber attacks. The ability for a licensee to detect and respond to cyber attacks requires accurate and complete records and is further supported by 10 CFR 73.54(h), which states that the licensee shall retain all records and supporting technical documentation required to satisfy the requirements of 10 CFR 73.54 as a record until the Commission terminates the license for which the records were developed, and shall maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission.

The licensee's CSP in Section 4.13 states that Critical Digital Asset (CDA) audit records and audit data (e.g., operating system logs, network device logs) are retained for a period of time that is less than what is required by 10 CFR 73.54(h).

RAI-01: Explain the deviation from the 10 CFR 73.54(h) requirement to retain records and supporting technical documentation until the Commission terminates the license (or to maintain superseded portions of these records for at least 3 years) and how that meets the requirements of 10 CFR 73.54.

NextEra's Response to RAI 01

As described in this submittal, NextEra is submitting a revised cyber security plan that incorporates language changes into section 4.13 consistent with the language that NEI sent to the NRC on February 28, 2011 (ML110600204). In a letter dated March 1, 2011, from NRC to C. Earls, NEI (ML110490337), the NRC staff indicated they had no issues with the language proposed in response to the generic records retention RAI.

RAI 02: Implementation Schedule

The regulation at 10 CFR 73.54, "Protection of digital computer and communication systems and networks," requires licensees to submit a CSP that satisfies the requirements of this section for Commission review and approval. Furthermore, each submittal must include a proposed implementation schedule and the implementation of the licensee's cyber security program must be consistent with the approved schedule. 10 CFR 73.54(a) requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design-basis threat (DBT).

The completion of several key intermediate milestones, listed below, would demonstrate progress toward meeting the requirements of 10 CFR 73.54. The Nuclear Regulatory Commission (NRC) staff's expectation is that the key intermediate milestones will be completed in a timely manner, but no later than December 31, 2012. The key CSP implementation milestones are as follows:

- Establish, train and qualify Cyber Security Assessment Team, as described in Section 3.1.2, "Cyber Security Assessment Team," of the CSP.

- Identify Critical Systems and CDAs, as described in Section 3.1.3, "Identification of Critical Digital Assets," of the CSP.

- Implement cyber security defense-in-depth architecture by installation of [deterministic one-way] devices, as described in Section 4.3, "Defense-In-Depth Protective Strategies," of the CSP.

- Implement the management, operational and technical cyber security controls that address attacks promulgated by use of portable media, portable devices, and portable equipment as described in Appendix D Section 1.19 "Access Control for Portable and Mobile Devices," of Nuclear Energy Institute (NEI) 08-09, Revision 6.

- Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds as described in Appendix E Section 4.3, "Personnel Performing Maintenance and Testing Activities," and Appendix E Section 10.3, "Baseline Configuration," of NEI 08-09, Revision 6.

- Identify, document, and implement cyber security controls to physical security target set CDAs in accordance with Section 3.1.6, "Mitigation of Vulnerabilities and Application of Cyber Security Controls," of the CSP.


- Ongoing monitoring and assessment activities will commence for those target set CDAs whose security controls have been implemented, as described in Section 4.4, "Ongoing Monitoring and Assessment," of the CSP.

- Full implementation of the CSP for all safety, security, and emergency preparedness functions.

It is the NRC's intention to develop a license condition incorporating the revised CSP implementation schedule containing the key milestone dates.

RAI-02: Provide a revised CSP implementation schedule that identifies the appropriate milestones, completion dates, supporting rationale, and level of detail to allow the NRC to evaluate the licensee's proposed schedule and associated milestone dates, which include the final completion date.

NextEra's Response to RAI 02

As described in this submittal, NextEra is submitting a revised CSP schedule that identifies the appropriate milestones, completion dates, supporting rationale, and level of detail to allow the NRC to evaluate the proposed schedule and associated milestone dates, which include the final completion date. This revised schedule is consistent with the template NEI provided to the NRC in letter dated February 28, 2011 (ML110600211). As stated in the March 1, 2011 letter, "Template for the Cyber Security Plan Implementation Schedule," from NRC to C. Earls, NEI (ML110070348), based upon a technical review, the NRC staff did not identify any issues with the cyber security plan implementation schedule template.

RAI 03: Scope of Systems

Section 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the DBT as described in 10 CFR 73.1. In addition, 10 CFR 73.54(a)(1) states that the licensee shall protect digital computer and communication systems and networks associated with:

- Safety-related and important-to-safety functions;

- Security functions;

- Emergency preparedness functions, including offsite communications; and

- Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.


Subsequent to the issuance of the Cyber Security Rule, the NRC stated that 10 CFR 73.54 should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety (Agencywide Documents Access and Management System (ADAMS) Accession No. ML103490344, dated November 19, 2010). The SSCs in the BOP are those that could directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient and are, therefore, within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1). Furthermore, the NRC issued a letter to NEI dated January 5, 2011 (ADAMS Accession No. ML103550480), that provided licensees with additional guidance on one acceptable approach to comply with the Commission's policy determination.

RAI-03: Explain how the scoping of systems provided by the CSP meets the requirements of 10 CFR 73.54 and the additional guidance provided by the NRC, as referenced above.

NextEra's Response to RAI 03

As described in this submittal, NextEra is submitting a revised cyber security plan that incorporates the language changes into section 2.1 consistent with the approach provided by the letter from NRC to NEI dated January 5, 2011 (ML103550480).

ENCLOSURE 2

Evaluation of Proposed Change

1.0 Summary Description
2.0 Detailed Description
3.0 Technical Evaluation
4.0 Regulatory Evaluation
4.1 Applicable Regulatory Requirements Criteria
4.2 Significant Hazards Consideration
4.3 Conclusion
5.0 Environmental Consideration
6.0 References

ATTACHMENTS

Attachment 1 - Proposed Facility Operating License Change (Mark-Up)
Attachment 2 - Proposed Facility Operating License Change (Re-type)

1.0 SUMMARY DESCRIPTION

NextEra Energy Seabrook, LLC (NextEra) submitted Reference 1 requesting an amendment to the Facility Operating License (FOL) for Seabrook Station, Unit No. 1. The proposed amendment requested NRC approval of the Seabrook Station Cyber Security Plan, provided an implementation schedule, and added a sentence to the existing Physical Security license condition to require NextEra to fully implement and maintain in effect all provisions of the Commission approved cyber security plan.

Reference 2 provided notification designating the Seabrook Station balance of plant systems within the scope of the cyber security rule.

Reference 3 provided a change to Section 2.1, "Scope and Purpose," of the Seabrook Station Cyber Security Plan to clarify the balance of plant structures, systems, and components that are included in the scope of the cyber security program. This change also required a revision to the "Evaluation of Proposed Change," including the mark-up and re-typed pages of the proposed change to the FOL, submitted in Reference 1.

In Reference 4, the NRC staff determined that additional information is required to complete its review of the submittal, and this submittal provides NextEra's response to the request for additional information. This supplement revises the "Evaluation of Proposed Change," the FOL mark-up and re-typed pages, as well as the implementation schedule submitted in Reference 1.

2.0 DETAILED DESCRIPTION

This supplement revises the proposed LAR [Reference 1] that included three parts: the proposed Plan, an Implementation Schedule, and a proposed sentence to be added to the existing FOL Physical Security license condition to require NextEra to fully implement and maintain in effect all provisions of the Commission approved Cyber Security Plan as required by 10 CFR 73.54.

Federal Register notice 74 FR 13926 issued the final rule that amended 10 CFR Part 73. The regulations in 10 CFR 73.54, "Protection of digital computer and communication systems and networks," establish the requirements for a cyber security program. This regulation specifically requires each licensee currently licensed to operate a nuclear power plant under Part 50 of this chapter to submit a cyber security plan that satisfies the requirements of the Rule. Each submittal must include a proposed implementation schedule, and implementation of the licensee's cyber security program must be consistent with the approved schedule. The background for this application is addressed by the NRC Notice of Availability published on March 27, 2009, 74 FR 13926 [Reference 5].

3.0 TECHNICAL EVALUATION

Federal Register notice 74 FR 13926 issued the final rule that amended 10 CFR Part 73. Cyber security requirements are codified as new 10 CFR 73.54 and are designed to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the design basis threat established by § 73.1(a)(1)(v). These requirements enhance upon the requirements imposed by EA-02-026 [Reference 6].

This supplement includes the proposed change to the existing FOL condition for Physical Security (Attachments 1 and 2), as well as the revised proposed cyber security plan (Enclosure 3), which conforms to the template provided in NEI 08-09, revision 6 [Reference 7] with the following exceptions:

Emergency Preparedness

10 CFR 73.54 requires protecting digital computer and communication systems and networks associated with emergency preparedness (EP) functions, including offsite communications. The EP functions within the scope of the Plan are those functions which support implementation of the Risk Significant Planning Standards¹ (RSPSs) as defined in NRC Inspection Manual Chapter 0609, Appendix B. The RSPSs are the subset of EP Planning Standards, defined in 10 CFR 50.47(b), which play the greatest role in protecting public health and safety. In terms of importance, this approach aligns the selected EP functions with other system functions which are "Safety-Related" or "Important-to-Safety."

10 CFR 73.56 (b)(ii) requires that any individual whose duties and responsibilities permit the individual to take actions by electronic means, either on site or remotely, that could adversely impact the licensee's emergency preparedness be subject to an access authorization program.

However, some systems or portions of systems, which perform a RSPS-related EP function, may be located in offsite locations not under the control of the licensee and/or not staffed by licensee personnel. Similarly, there may be system components that are normally installed, modified, or maintained by non-licensee personnel (e.g., a telecommunications company technician, an employee of a State agency, etc.).

Therefore, the systems and portions of systems to be protected from cyber attack in accordance with 10 CFR 73.54(a)(1)(iii), must:

1) Perform a RSPS-related EP function, and
2) Be within the licensee's complete custody and control.

¹ The RSPSs are 10 CFR 50.47(b)(4), (5), (9), or (10), including the related sections of Appendix E to 10 CFR Part 50. 10 CFR 50.47(b)(10) has two aspects that are of differing risk-significance. Only the portion dealing with the development of protective action recommendations (PARs) is integral to protection of public health and safety and is considered to be an RSPS.

Senior Nuclear Management

Senior nuclear management is defined as the Vice President accountable for nuclear plant security. Although NEI 08-09 defines this position as accountable for nuclear plant operation, the position of Vice President accountable for nuclear plant security better reflects the duties and responsibilities of the Seabrook Station Cyber Security Plan.

In Reference 1, the proposed cyber security plan designated senior nuclear management as Vice President Fleet Support, who is accountable for nuclear plant security. However, following organizational changes, this position is no longer responsible for nuclear plant security.

Therefore, the plan now refers to the Vice President accountable for nuclear plant security.

Definition of Cyber Attack

In lieu of the use of the definition of "cyber attack" in NEI 08-09, the definition of "cyber attack" accepted by the NRC in a letter dated June 7, 2010 [Reference 8] and presented below will be used.

"Any event in which there is reason to believe that an adversary has committed or caused, or attempted to commit or cause, or has made a credible threat to commit or cause malicious exploitation of a CDA."

Balance of Plant Systems within Scope

The following paragraph is added to Section 2.1 "Scope and Purpose," to clarify the balance of plant structures, systems and components that are included in the scope of the cyber security program:

"Within the scope of NRC's cyber security rule at Title 10 of the Code of Federal Regulations (10 CFR) 73.54, systems or equipment that perform important to safety functions include structures, systems, and components (SSCs) in the balance of plant (BOP) that could directly or indirectly affect reactivity at a nuclear power plant and could result in an unplanned reactor shutdown or transient. Additionally, these SSCs are under the licensee's control and include electrical distribution equipment out to the first inter-tie with the offsite distribution system."

Document Control and Records Retention and Handling

Section 4.13, "Document Control And Records Retention And Handling," is revised to provide examples of records or supporting technical documentation that are retained as a record until the Commission terminates the license for which the records are developed and to specify that superseded portions of these records are retained for three years unless otherwise specified by the Commission in accordance with the requirements of 10 CFR 73.54(h).

4.0 REGULATORY EVALUATION

4.1 Applicable Regulatory Criteria / Requirements

This LAR is submitted pursuant to 10 CFR §73.54, which requires licensees currently licensed to operate a nuclear power plant under 10 CFR Part 50 to submit a cyber security plan as specified in §50.4 and §50.90.

4.2 Significant Hazards Consideration

NextEra has evaluated whether or not a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of amendment," as discussed below:

1. Does the proposed amendment involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed amendment incorporates a new requirement in the Facility Operating License (FOL) to implement and maintain a Cyber Security Plan as part of the facility's overall program for physical protection. Inclusion of the Cyber Security Plan in the FOL itself does not involve any modifications to the safety-related structures, systems, or components (SSCs). Rather, the Cyber Security Plan describes how the requirements of 10 CFR 73.54 are to be implemented to identify, evaluate, and mitigate cyber attacks up to and including the design basis cyber attack threat, thereby achieving high assurance that the facility's digital computer and communications systems and networks are protected from cyber attacks. The Cyber Security Plan will not alter previously evaluated Final Safety Analysis Report (FSAR) design basis accident analysis assumptions, add any accident initiators, or affect the function of the plant safety-related SSCs as to how they are operated, maintained, modified, tested, or inspected. Therefore, the proposed amendment does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed amendment create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

This proposed amendment provides assurance that safety-related SSCs are protected from cyber attacks. Implementation of 10 CFR 73.54 and the inclusion of a plan in the FOL do not result in the need of any new or different FSAR design basis accident analysis. It does not introduce new equipment that could create a new or different kind of accident, and no new equipment failure modes are created. As a result, no new accident scenarios, failure mechanisms, or limiting single failures are introduced as a result of this proposed amendment.

Therefore, the proposed amendment does not create a possibility for an accident of a new or different type than those previously evaluated.

3. Does the proposed amendment involve a significant reduction in a margin of safety?

Response: No.

The margin of safety is associated with the confidence in the ability of the fission product barriers (i.e., fuel cladding, reactor coolant pressure boundary, and containment structure) to limit the level of radiation to the public. The proposed amendment would not alter the way any safety-related SSC functions and would not alter the way the plant is operated. The amendment provides assurance that safety-related SSCs are protected from cyber attacks. The proposed amendment would not introduce any new uncertainties or change any existing uncertainties associated with any safety limit. The proposed amendment would have no impact on the structural integrity of the fuel cladding, reactor coolant pressure boundary, or containment structure. Based on the above considerations, the proposed amendment would not degrade the confidence in the ability of the fission product barriers to limit the level of radiation to the public. Therefore, the proposed change does not involve a significant reduction in a margin of safety.

4.3 Conclusion

Based on the considerations discussed above: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) such activities will be conducted in compliance with the Commission's regulations; and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

5.0 ENVIRONMENTAL CONSIDERATION

The proposed amendment establishes the licensing basis for a cyber security program for Seabrook Station and will be a part of the physical security plan. This proposed amendment will not involve any significant construction impacts. Pursuant to 10 CFR 51.22(b) and 51.22 (c)(12), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.


6.0 REFERENCES

1. NextEra Energy Seabrook letter SBK-L-10119, "License Amendment Request 10-04, Amendment to the Facility Operating License and Submittal of the Seabrook Station Cyber Security Plan," July 26, 2010
2. NextEra Energy Seabrook letter SBK-L-10160, "Notification Letter Designating Seabrook Station Balance of Plant Systems within the Cyber Security Rule Scope," September 28, 2010

3. NextEra Energy Seabrook letter SBK-L-10186, "Supplement to License Amendment Request 10-04, Amendment to the Facility Operating License and Submittal of the Seabrook Station Cyber Security Plan," November 16, 2010
4. NRC letter "Seabrook Station Unit No. 1 - Request for Additional Information Regarding Approval of Cyber Security Plan (TAC No. ME4453)," March 4, 2011
5. Federal Register Notice, Final Rule 10 CFR Part 73, Power Reactor Security Requirements, published on March 27, 2009, 74 FR 13926
6. EA-02-026, Order Modifying Licenses, Safeguards and Security Plan Requirements, issued February 25, 2002
7. NEI 08-09, Cyber Security Plan for Nuclear Power Reactors, Revision 6, April, 2010
8. NRC letter "Nuclear Energy Institute 08-09, 'Cyber Security Plan Template, Rev 6,'" June 7, 2010

Attachment 1 Proposed Facility Operating License Change (Mark-Up)

INSERT

NextEra Energy Seabrook shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan submitted by letter dated July 26, 2010, supplemented by letters dated November 16, 2010 and March 31, 2011, and withheld from public disclosure in accordance with 10 CFR 2.390.

E. Physical Security

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provision of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans¹, submitted by letter dated September 23, 2004, and supplemented by letters dated October 15, October 22, and October 29, 2004, and May 18, 2006, is entitled: "Florida Power and Light & FPL Energy Seabrook Physical Security Plan, Training and Qualification Plan and Safeguards Contingency Plan." The set contains Safeguards Information protected under 10 CFR 73.21.

F. Fire Protection

NextEra Energy Seabrook, LLC, shall implement and maintain in effect all provisions of the approved fire protection program as described in the Final Safety Analysis Report, the Fire Protection Program Report, and the Fire Protection of Safe Shutdown Capability report for the facility, as supplemented and amended, and as approved in the Safety Evaluation Report, dated March 1983; Supplement 4, dated May 1986; Supplement 5, dated July 1986; Supplement 6, dated October 1986; Supplement 7, dated October 1987; and Supplement 8, dated May 1989 subject to the following provisions:

NextEra Energy Seabrook, LLC, may make changes to the approved fire protection program without prior approval of the Commission, only if those changes would not adversely affect the ability to achieve and maintain shutdown in the event of a fire.

G. DELETED

H. Financial Protection

The licensees shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

DELETED

¹ The Training and Qualification Plan and Safeguards Contingency Plan are Appendices to the Security Plan.

Amendment No. 86, 44,3 122

Attachment 2 Proposed Facility Operating License Change (Re-type)

E. Physical Security The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provision of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans 1 , submitted by letter dated September 23, 2004, and supplemented by letters dated October 15, October 22, and October 29, 2004, and May 18, 2006, is entitled: "Florida Power and Light & FPL Energy Seabrook Physical Security Plan, Training and Qualification Plan and Safeguards Contingency Plan." The set contains Safeguards Information protected under 10 CFR 73.21. NextEra Energy Seabrook shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan submitted by letter dated July 26, 2010, supplemented by letters dated November 16, 2010 and March 31, 2011, and withheld from public disclosure in accordance with 10 CFR 2.390.

F. :Fire Protection NextEra Energy Seabrook, LLC, shall implement and maintain in effect all provisions of the approved fire protection program as described in the Final Safety Analysis Report, the Fire Protection Program Report, and the Fire Protection of Safe Shutdown Capability report for the facility, as supplemented and amended, and as approved in the Safety Evaluation Report, dated March 1983; Supplement 4, dated May 1986; Supplement 5, dated July 1986; Supplement 6, dated October 1986; Supplement 7, dated October 1987; and Supplement 8, dated May 1989 subject to the following provisions: NextEra Energy Seabrook, LLC, may make changes to the approved fire protection program without prior approval of the Commission, only if those changes would not adversely affect the ability to achieve and maintain shutdown in the event of a fire.

G. DELETED

H. Financial Protection

The licensees shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

DELETED

¹ The Training and Qualification Plan and Safeguards Contingency Plan are Appendices to the Security Plan.

Amendment No. 86, 443 4-22

ENCLOSURE 4 Cyber Security Plan Implementation Schedule

Full implementation of the cyber security program involves many supporting tasks. Major activities include: program and procedure development; performing of individual critical digital asset (CDA) assessments; and identification, scheduling, and implementing individual asset security control design remediation actions through the site configuration management program. These design modifications may be performed on-line or could require a refueling outage for installation.

The extensive workload associated with full implementation of the Cyber Security Plan (CSP) requires prioritization to assure those activities that provide higher degrees of protection against radiological sabotage are performed first. Therefore, the CSP implementation schedule will be implemented with two major milestone dates. The first milestone date of no later than December 31, 2012, includes the activities listed in the table below. The second milestone date, December 31, 2015, includes the completion of all remaining actions that result in the full implementation of the cyber security plan for all applicable Safety, Security, and Emergency Preparedness (SSEP) functions. This date also bounds the completion of all individual asset security control design remediation actions.

Cyber security controls are not applied if the control adversely impacts safety and important to safety, security or emergency preparedness functions.

1. Implementation Milestone: Establish Cyber Security Assessment Team (CSAT) as described in Section 3.1.2 "Cyber Security Assessment Team" of the Cyber Security Plan (CSP).
   Completion Date: No later than December 31, 2012
   Basis: The CSAT, collectively, will need to have digital plant systems knowledge as well as nuclear power plant operations, engineering and nuclear safety experience and technical expertise. The personnel selected for this team may require additional training in these areas to ensure adequate capabilities to perform cyber security assessments as well as other duties.


2. Implementation Milestone: Identify Critical Systems (CSs) and Critical Digital Assets (CDAs) as described in Section 3.13 "Identification of Critical Digital Assets" of the CSP.
   Completion Date: No later than December 31, 2012
   Basis: The scope of 10 CFR 73.54 includes digital computer and communication systems and networks associated with: safety-related and important-to-safety functions; security functions; emergency preparedness functions, including offsite communications; and support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions. The scope of 10 CFR 73.54 includes structures, systems, and components (SSCs) that have a nexus to radiological health and safety and therefore can directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient.


3. Implementation Milestone: Implement installation of a deterministic one-way device between lower level devices (level 1, 2, and 3) and the higher level devices (level 4) as described in Section 4.3, "Defense-In-Depth Protective Strategies" of the CSP. Lower security level devices (level 1, 2, and 3 devices) that bypass the deterministic device and connect to level 4 will be modified to prevent the digital connectivity to the higher level or will be modified to meet cyber security requirements commensurate with the level 4 devices to which they connect. The design modifications that are not finished by the completion date will be documented in the site configuration management and/or change control program to assure completion of the design modification as soon as possible, but no later than the final implementation date.
   Completion Date: No later than December 31, 2012
   Basis: The implementation of communication barriers protects the most critical SSEP functions from remote attacks on plant systems. Isolating the plant systems from the internet as well as from the corporate business systems is an important milestone in defending against external threats. While the deployment of the barriers is critical to protection from external cyber threats, it also prevents remote access to core monitoring and plant data systems for reactor engineers, plant operations, and other plant staff. This elimination of remote access to reactor core monitoring systems may require the development and execution of a detailed change management plan to ensure continued safe operation of the plants. Vendors may be required to develop software revisions to support the model. The modification will be developed, prioritized and scheduled.

4. Implementation Milestone: The security control "Access Control For Portable And Mobile Devices" described in Appendix D 1.19 of NEI 08-09, Revision 6, will be implemented.
   Completion Date: No later than December 31, 2012
   Basis: Portable media devices are used to transfer electronic information (e.g., data, software, firmware, virus engine updates and configuration information) to and from plant process equipment. Careful use of this class of media is required to minimize the spread of malicious software to plant process equipment. The effective implementation of this control may require the coordinated implementation of other complementary controls to ensure adequate mitigation.


5. Implementation Milestone: Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds by incorporating the appropriate elements in Appendix E Section 4.3 "Personnel Performing Maintenance And Testing Activities."
   Completion Date: No later than December 31, 2012
   Basis: Insider mitigation rounds by trained staff look for obvious signs of cyber related tampering and would provide mitigation of observable cyber related insider actions. Implementing steps to add signs of cyber security-related tampering to insider mitigation rounds will be performed by the completion date.

6. Implementation Milestone: Identify, document, and implement cyber security controls in accordance with the Cyber Security Plan Section 3.1.6 "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment. The implementation of controls that require a design modification that are not finished by the completion date will be documented in the site configuration management and/or change control program to assure completion of the design modification as soon as possible, but no later than the final implementation date.
   Completion Date: No later than December 31, 2012
   Basis: The site physical protection program provides high assurance that these elements are protected from physical harm by an adversary. The cyber security program will enhance the defense-in-depth nature of the protection of CDAs associated with target sets. Implementing Cyber Security Plan security controls for target set CDAs provides a high degree of protection against a cyber related attack that could lead to radiological sabotage. Security controls will be addressed in accordance with Cyber Security Plan Section 3.1.6, with the exception of those that require a design modification.

7. Implementation Milestone: Ongoing monitoring and assessment activities commence, as described in Section 4.4, "Ongoing Monitoring and Assessment" of the CSP, for those target set CDAs whose security controls have been implemented.
   Completion Date: No later than December 31, 2012
   Basis: The ongoing monitoring and assessment activities as described in Section 4.4, "Ongoing Monitoring and Assessment" of the Cyber Security Plan will be implemented for the controls applied to target set CDAs. This action results in the commencement of the cyber security program for target set related CDAs.


8. Implementation Milestone: Full implementation of the Seabrook Station Cyber Security Plan for all SSEP functions will be achieved.
   Completion Date: No later than December 31, 2015
   Basis: By the completion date, the Cyber Security Plan will be fully implemented for all SSEP functions in accordance with 10 CFR 73.54. This date also bounds the completion of all individual asset security control design remediation actions including those that require a refuel outage for implementation.
