ML111940123

From kanterella
Jump to navigation Jump to search

License Amendment, Issuance of Amendment Regarding Approval of the First Energy Nuclear Operating Company Cyber Security Plan
ML111940123
Person / Time
Site: Beaver Valley
Issue date: 07/28/2011
From: Nadiyah Morgan
Plant Licensing Branch 1
To: Harden P
First Energy Services
Morgan Nadiyah, NRR/Dorl, 415-1016
References
TAC ME4383, TAC ME4384
Download: ML111940123 (31)
v  d  e


Text

REGV<.q UNITED STATES

"'0 NUCLEAR REGULATORY COMMISSION

' '....oo WASHINGTON, D.C. 20555*0001 3:

~

,;; July 28, 2011 "Y. .f' 1-" ¥>O

        • 1' Mr. Paul A. Harden Site Vice President FirstEnergy Nuclear Operating Company Beaver Valley Power Station Mail Stop A-BV-SEB1 P.O. Box 4, Route 168 Shippingport, PA 15077

SUBJECT:

BEAVER VALLEY POWER STATION, UNIT NOS. 1 AND 2 - ISSUANCE OF AMENDMENT REGARDING APPROVAL OF THE FIRSTENERGY NUCLEAR OPERATING COMPANY CYBER SECURITY PLAN (TAC NOS. ME4383 AND ME4384)

Dear Mr. Harden:

The Commission has issued the enclosed Amendment No. 287 to Renewed Facility Operating License No. DPR-66 and Amendment No. 174 to Renewed Facility Operating License No. NPF 73 for the Beaver Valley Power Station, Unit Nos. 1 and 2 (BVPS-1 and 2). These amendments consist of changes to the Renewed Facility Operating Licenses (FOLs) in response to your application dated July 22,2010, as supplemented by letters dated September 28,2010, November 29,2010. February 3,2011. and April 6, 2011.

The request for the amendments to the Renewed FOLs include: (1) the proposed BVPS-1 and 2 Cyber Security Plan (CSP), (2) an implementation schedule, and (3) a proposed sentence to be added to the existing renewed FOL Physical Protection license condition for BVPS-1 and 2 that requires FirstEnergy Nuclear Operating Company (the licensee) to fully implement and maintain in effect all provisions of the Commission-approved BVPS-1 and 2 CSP as required by Title 10 of the Code of Federal Regulations (10 CFR) 73.54, "Protection of digital computer and communication systems and networks." A Federal Register notice dated March 27, 2009, issued the final rule that amended 10 CFR Part 73. The regulations in 10 CFR 73.54 establish the requirements for a Cyber Security Program. This regulation specifically requires each licensee currently licensed to operate a nuclear power plant under Part 50 of this chapter to submit a CSP that satisfies the requirements of the Rule. Each submittal must include a proposed implementation schedule and implementation of the licensee's Cyber Security Program must be consistent with the approved schedule. The background for this application is addressed by the U.S. Nuclear Regulatory Commission (NRC) Notice of Availability, Federal Register Notice, Final Rule 10 CFR Part 73, Power Reactor Security Requirements, published on March 27, 2009 (74 FR 13926).

These license amendments are effective as of the date of its issuance. The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee on July 22, 2010, as supplemented by letters dated September 28, 2010, November 29, 2010, February 3, 2011, and April 6, 2011, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

P. Harden - 2 A copy of our safety evaluation is also enclosed. Notice of Issuance will be included in the Commission's next regular Biweekly Federal Register Notice.

Nadiyah S. Morgan, Project Manager Plant Licensing Branch 1-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-334 and 50-412

Enclosures:

1. Amendment No. 287 to License No. DPR-66
2. Amendment No. 174 to License No. NPF-73
3. Safety Evaluation cc w/encls: Distribution via Listserv

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 FIRSTENERGY NUCLEAR. OPERATING COMPANY FIRSTENERGY NUCLEAR GENERATION CORP.

DOCKET NO. 50-334 BEAVER VALLEY POWER STATION, UNIT NO.1 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 287 License No. DPR-66

1. The Nuclear Regulatory Commission (the Commission or the NRC) having found that:

A. The application for amendment by FirstEnergy Nuclear Operating Company, et aI., dated July 22,2010, as supplemented by letters dated September 28,2010, November 29, 2010, February 3, 2011, and April 6, 2011, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the regulations of the Commission; C. There is reasonable assurance: (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations set forth in 10 CFR Chapter I; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

-2

2. Accordingly, the license is amended by changes as indicated in the attachment to this license amendment and paragraph 2.C.(2) of the Renewed Facility Operating License No. DPR-66 is hereby amended to read as follows:

(2) Technical Specifications and Environmental Protection Plan The Technical Specifications contained in Appendix A, as revised through Amendment No. 287, are hereby incorporated in the license. The licensee shall operate the facility in accordance with the Technical Specifications.

Further, the following paragraph is added to the existing License Condition 2.0:

"FENOC shall fully implement and maintain in effect all provisions of the Commission approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Beaver Valley Power Station CSP was approved by License Amendment No. 287."

3. This license amendment is effective as of the date of its issuance. The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee by letter July 22, 2010, as supplemented by letters dated September 28, 2010, November 29, 2010, February 3, 2011, and April 6, 2011, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION

/l~t-c-? ~/ ~4~r;;,'

Nancy L. talgado, Chief Plant Licensing Branch 1-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the License Date of Issuance: July 28, 2011

ATTACHMENT TO LICENSE AMENDMENT NO. 287 RENEWED FACILITY OPERATING LICENSE NO. DPR-66 DOCKET NO. 50-334 Replace the following pages of the Renewed Facility Operating License with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

REMOVE INSERT Page 3 Page 3 Page 7 Page 7

-3 (3) FENOC, pursuant to the Act and 10 CFR Parts 30, 40 and 70, to receive, possess and use at any time any byproduct, source and special nuclear material as sealed neutron sources for reactor startup, sealed sources for reactor instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required; (4) FENOC, pursuant to the Act and 10 CFR Parts 30, 40 and 70, to receive, possess and use in amounts as required any byproduct, source, or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components; (5) FENOC, pursuant to the Act and 10 CFR Parts 30, 40, and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility.

C. This renewed operating license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter 1:

Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level FENOC is authorized to operate the facility at a steady state reactor core power level of 2900 megawatts thermal.

(2) Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 287, are hereby incorporated in the license. The licensee shall operate the facility in accordance with the Technical Specifications.

(3) Auxiliary River Water System (Deleted by Amendment No.8)

Amendment No. 287 Beaver Valley Unit 1 Renewed Operating License DPR-66

-7 D. Physical Protection FENOC shall fully implement and maintain in effect all provisions of the Commission approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21 is entitled: "Beaver Valley Power Station (BVPS) Physical Security Plan" submitted by letter September 9, 2004, and supplemented September 30,2004, October 14, 2004, and May 12, 2006.

FENOC shall fully implement and maintain in effect all provisions of the Commission approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Beaver Valley Power Station CSP was approved by License Amendment No. 287.

E. All work and activities in connection with this project shall be performed pursuant to the provisions of the Commonwealth of Pennsylvania Clean Streams Acts of June 24, 1913, as amended and of June 22,1937, as amended, and in accordance with all permits issued by the Department of Environmental Resources of the Commonwealth of Pennsylvania.

F. License Renewal Commitments - The UFSAR supplement, as revised, submitted pursuant to 10 CFR 54.21 (d), describes certain future activities to be completed prior to and/or during the period of extended operation. FENOC shall complete these activities in accordance with Appendix A of NUREG-1929, Safety Evaluation Report Related to the Beaver Valley Power Station, Units 1 and 2, dated October 2009, and Supplement 1 of NUREG-1929, dated October 2009, and shall notify the NRC in writing when activities to be completed prior to the period of extended operation are complete and can be verified by NRC inspection.

G. UFSAR Supplement Changes The information in the UFSAR supplement, as revised, submitted pursuant to 10 CFR54.21 (d), shall be incorporated into the UFSAR as required by 10 CFR 50.71 (e) following the issuance of this renewed operating license.

Until that update is complete, FENOC may not make changes to the information in the supplement. Following incorporation into the UFSAR, the need for prior Commission approval of any changes will be governed by 10 CFR 50.59.

H. Capsule Withdrawal Schedule - For the renewed operating license term, all capsules in the reactor vessel that are removed and tested must meet the test procedures and reporting requirements of American Society for Testing and Materials (ASTM) E 185-82 to the extent practicable for the configuration of the specimens in the capsule. Any changes to the capsule withdrawal schedule, including spare capsules, must be approved by the NRC prior to implementation.

I. Containment Liner Volumetric Inspection a) If degradation (greater than 10 percent of the nominal thickness not attributable to fabrication/erection practices) is identified in the non-random areas examined using ultrasonic testing (UT) as described in Supplement 1 of NUREG-1929, UT examinations shall be performed at additional non-random areas, to be selected based on this operating experience. Should additional degradation be identified, additional non-random areas shall be UT examined until no further degradation (greater than 10 percent of the nominal thickness) is identified. All areas with degradation shall be reexamined over at least the next three successive inspection periods to ensure that progression of the degradation is not occurring.

Amendment No. 287 Beaver Valley Unit 1 Renewed Operating License DPR-66

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 FIRSTENERGY NUCLEAR OPERATING COMPANY FIRSTENERGY NUCLEAR GENERATION CORP.

OHIO EDISON COMPANY THE TOLEDO EDISON COMPANY DOCKET NO. 50-412 BEAVER VALLEY POWER STATION, UNIT NO.2 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 174 License No. NPF-73

1. The Nuclear Regulatory Commission (the Commission or the NRC) having found that:

A. The application for amendment by FirstEnergy Nuclear Operating Company, et al., dated July 22,2010, as supplemented by letters dated September 28,2010, November 29, 2010, February 3, 2011, and April 6, 2011, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the regulations of the Commission; C. There is reasonable assurance: (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and Oi) that such activities will be conducted in compliance with the Commission's regulations set forth in 10 CFR Chapter I; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

- 2

2. Accordingly, the license is amended by changes as indicated in the attachment to this license amendment and paragraph 2.C.(2) of the Renewed Facility Operating License No. NPF-73 is hereby amended to read as follows:

(2) Technical Specifications and Environmental Protection Plan The Technical Specifications contained in Appendix A, as revised through Amendment No. 174, and the Environmental Protection Plan contained in Appendix B, both of which are attached hereto and hereby incorporated in the license. FENOC shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan.

Further, the following paragraph is added to the existing License Condition 2.E:

"FENOC shall fully implement and maintain in effect all provisions of the Commission approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Beaver Valley Power Station CSP was approved by License Amendment No. 174."

3. This license amendment is effective as of the date of its issuance. The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee by letter July 22,2010, as supplemented by letters dated September 28,2010, November 29, 2010, February 3, 2011, and April 6, 2011, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION lZ~L~~ ,~ ~~~-c-~

Nancy L. &lgadO, Chief Plant Licensing Branch 1-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the License Date of Issuance: Ju 1y 28, 2011

ATIACHMENT TO LICENSE AMENDMENT NO. 174 RENEWED FACILITY OPERATING LICENSE NO. NPF-73 DOCKET NO. 50-412 Replace the following pages of the Facility Operating License with the attached revised pages.

The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

REMOVE INSERT Page 4 Page 4 Page 8 Page 8

-4 (b) Further, the licensees are also required to notify the NRC in writing prior to any change in: (i) the term or conditions of any lease agreements executed as part of these transactions; (ii) the BVPS Operating Agreement, (iii) the existing property insurance coverage for BVPS Unit 2, and (iv) any action by a lessor or others that may have adverse effect on the safe operation of the facility.

C. This renewed operating license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations set forth in 10 CFR Chapter 1 and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level FENOC is authorized to operate the facility at a steady state reactor core power level of 2900 megawatts thermal.

(2) Technical Specifications The Technical Specifications contained in Appendix A, as revised through Amendment No. 174, and the Environmental Protection Plan contained in Appendix B, both of which are attached hereto are hereby incorporated in the license. FEI\JOC shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan.

Amendment No. 174 Beaver Valley Unit 2 Renewed Operating License NPF-73

8 (2) The facility requires an exemption from the requirements of 10 CFR 50, Appendix J, Section III.D.2(b)(ii). The justification of this exemption is contained in Section 6.2.6 of Supplement 5 to the Safety Evaluation Report and modified by a letter dated July 26, 1995. The staff's environmental assessment was published on May 12,1987 (52 FR 17651) and on June 9, 1995 (60 FR 30611). Therefore, pursuant to 10 CFR 50.12(a)(1) and 10 CFR 50.12(a)(2)(ii) and (iii), Beaver Valley Power Station, Unit 2 is exempt from the quoted requirements and instead, is required to perform the overall air lock leak test at pressure Pa before establishing containment integrity if air lock maintenance has been performed that could affect the air lock sealing capability. Local leak rate testing at a pressure of not less than Pa may be substituted for an overall air lock test where the design permits.

E. Physical Security FENOC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21 is entitled: "Beaver Valley Power Station (BVPS)

Physical Security Plan" submitted by letter September 9, 2004, and supplemented September 30,2004, October 14,2004, and May 12, 2006.

FENOC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Beaver Valley Power Station CSP was approved by License Amendment No. 174.

F. Fire Protection Program (Section 9.5.1 of SER Supplement 3)

FENOC shall implement and maintain in effect all provisions of the approved fire protection program as described in the Final Safety Analysis Report through Amendment No. 17, and submittals dated May 18, May 20, May 21, June 24 and July 6, 1987, and as described in the Safety Evaluation Report dated October 1985, and Supplements 1 through 6, subject to the following provision:

FENOC may make changes to the approved fire protection program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

Amendment No. 174 Beaver Valley Unit 2 Renewed Operating License NPF-73

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO 287 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-66 AND AMENDMENT NO. 174 TO RENEWED FACILITY OPERATING LICENSE NO. NPF-73 FIRSTENERGY NUCLEAR OPERATING COMPANY FIRSTENERGY NUCLEAR GENERATION CORP.

OHIO EDISON COMPANY THE TOLEDO EDISON COMPANY BEAVER VALLEY POWER STATION, UNIT NOS. 1 AND 2 DOCKET NOS. 50-334 AND 50-412

1.0 INTRODUCTION

By application dated July 22, 2010 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML102080034), as supplemented by letters dated September 28, 2010 (ADAMS Accession No. ML102740128), November 29,2010 (ADAMS Accession No. ML103360031), February 3,2011 (ADAMS Accession No. ML110390066), and April 6, 2011 (ADAMS Accession No. ML110980635), FirstEnergy Nuclear Operating Company (the licensee), requested changes to the Renewed Facility Operating Licenses (FOLs) for Beaver Valley Power Station, Unit Nos. 1 and 2 (BVPS-1 and 2) for approval of the licensee's Cyber Security Plan (CSP) and Implementation Schedule, as required by Title 10 of the Code of Federal Regulations (10 CFR) 73.54, "Protection of digital computer and communication systems and networks," (Reference 1). By letter dated April 4. 2011, the licensee supplemented their CSP to address: 1) scope of systems in response to the October 21, 2010, Commission decision (Reference 5); 2) records retention; and 3) implementation schedule.

The supplements dated September 28, 2010, November 29. 2010, February 3, 2011, and April 6, 2011, provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the Nuclear Regulatory Commission (NRC) staff's original proposed no significant hazards consideration determination as published in the Federal Register on October 12,2010 (75 FR 62599).

The amendments would approve the CSP and associated implementation schedule, and revise Paragraph 7.0 of FOL No. DPR-66 for BVPS-1 and Paragraph 8.E of FOL No. NPF-73 for BVPS-2 to provide a license condition to require the licensee to fully implement and maintain in

- 2 effect all provisions of the NRC-approved CSP. The proposed change is generally consistent with Nuclear Energy Institute (NEI) 08-09, Revision 6, "Cyber Security Plan for Nuclear Power Reactors."

2.0 REGULATORY EVALUATION

2.1 General Requirements Consistent with 10 CFR 73.54(a), the licensee must provide high assurance that digital computer and communication systems, and networks are adequately protected against cyber attacks, up to and including the design basis threat (DBT), as described in 10 CFR 73.1. The licensee shall protect digital computer and communication systems and networks associated with: (i) safety-related and important-to-safety functions; (ii) security functions; (iii) emergency preparedness functions, including offsite communications; and (iv) support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness (SSEP) functions. The rule specifies that digital computer and communication systems and networks associated with these functions must be protected from cyber attacks that would adversely impact the integrity or confidentiality of data and software; deny access to systems, services, or data; or provide an adverse impact to the operations of systems, networks, and associated equipment.

In the October 21,2010, Staff Requirements Memorandum (SRM)-COMWCO-10-0001, the Commission stated that the NRC's cyber security rule at 10 CFR 73.54 should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety. The staff determined that SSCs in the BOP that have a nexus to radiological health and safety are those that could directly or indirectly affect reactivity of a nuclear power plant (NPP), and are, therefore, within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1).

2.2 Elements of a CSP As stated in 10 CFR 73.54(e), the licensee must establish, implement, and maintain a CSP that satisfies the Cyber Security Program requirements of this regulation. In addition, the CSP must describe how the licensee will implement the requirements of the regulation and must account for the site-specific conditions that affect implementation. One method of complying with this regulation is to describe within the CSP how the licensee will achieve high assurance that all SSEP functions are protected from cyber attacks.

2.3 NRC Regulatory Guide (RG) 5.71 and Nuclear Energy Institute (NEI) 08-09, Revision 6 NRC RG 5.71, "Cyber Security Programs for Nuclear Facilities," (Reference 2) describes a regulatory position that promotes a defensive strategy consisting of a defensive architecture and a set of security controls based on standards provided in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, "Recommended Security Controls for Federal Information Systems and Organizations" and NIST SP 800-82, "Guide to Industrial Control Systems Security," dated September 29, 2008. NIST SP 800-53 and NIST SP 800-82 are based on well-understood cyber threats, risks, and vulnerabilities, coupled with equally well-understood countermeasures and protective techniques. RG 5.71 divides the above-noted security controls into three broad categories: technical, operational, and management.

- 3 RG 5.71 provides a framework to aid in the identification of those digital assets that licensees must protect from cyber attacks. These identified digital assets are referred to as "critical digital assets" (CDAs). Licensees should address the potential cyber security risks to CDAs by applying the defensive architecture and addressing the collection of security controls identified in RG 5.71. RG 5.71 includes a CSP template that provides one method for preparing an acceptable CSP.

The organization of RG 5.71 reflects the steps necessary to meet the requirements of 10 CFR 73.54. Section C.3 of RG 5.71 describes an acceptable method for implementing the security controls, as detailed in Appendix B, "Technical Controls," and Appendix C, "Operational and Management Controls." Section C.4 of RG 5.71 discusses the need to maintain the established Cyber Security Program, including comprehensive monitoring of the CDAs and the effectiveness of their security protection measures, ensuring that changes to the CDAs or the environment are controlled, coordinated, and periodically reviewed for continued protection from cyber attacks. Section C.5 of RG 5.71 provides licensees and applicants with guidance for retaining records associated with their Cyber Security Programs. Appendix A to RG 5.71 provides a template for a generic CSP which licensees may use to comply with the licensing requirements of 10 CFR 73.54. Appendices Band C provide an acceptable set of security controls, which are based on well-understood threats, vulnerabilities, and attacks, coupled with equally well-understood and vetted countermeasures and protective techniques.

NEI 08-09, Revision 6 closely maps with RG 5.71; Appendix A of NEI 08-09, Revision 6 contains a CSP template that is comparable to Appendix A of RG 5.71. Appendix D of NEI 08 09, Revision 6 contains technical cyber security controls that are comparable to Appendix B of RG 5.71. Appendix E of NEI 08-09, Revision 6 contains operational and management cyber security controls that are comparable to Appendix C of RG 5.71.

The NRC staff stated in a letter (

Subject:

Nuclear Energy Institute [NEil 08-09, "Cyber Security Plan Template, Revision 6), dated May 5,2010 (ADAMS Accession No. ML101190371), that the licensee may use the template in NEI 08-09, Revision 6 (Reference 3), to prepare an acceptable CSP, with the exception of the definition of "cyber attack." The NRC staff subsequently reviewed and approved by letter dated June 7, 2010 (ADAMS Accession No. ML101550052), a definition for "cyber attack" to be used in submissions based on NEI 08-09, Revision 6 (Reference 4). The licensee submitted a CSP for the BVPS-1 and 2 that was based on the template provided in NEI 08-09, Revision 6 and included a definition of cyber attack acceptable to the NRC staff in the CSP. The definition was provided as Attachment 1 (Glossary) to the CSP. The CSP deviates from NEI 08-09, Revision 6, Appendix B. The NRC staff found the Glossary contained in Attachment 1 was acceptable with the exception of the omission of the definition for "cyber incident." Since "cyber incident" is an important concept and term that is referenced repeatedly in the description of an organization's Cyber Security Program in NEI 08-09, Revision 6, Appendices D and E, the NRC staff raised concerns about the licensee's ability to effectively address the stipulations, actions, and activities required by 10 CFR 73.54. The NRC subsequently requested clarification of the licensee's definition of "cyber incident" to determine if the CSP's stipulated program activities, assessments, and contingency operations met with the requirements of 10 CFR 73.54. The licensee submitted an updated CSP that includes a definition for "cyber incident" similar to that in the NEI 08-09, Revision 6, Appendix B Glossary, and describes the term sufficiently for the NRC to assess key controls, activities, and processes of the Cyber Security Program. Additionally, the licensee

-4 submitted a supplement to their CSP on April 4, 2011, to include information on SSCs in the BOP that, if compromised, could affect NPP reactivity.

RG 5.71 and NEI 08-09, Revision 6 are comparable documents; both are based on essentially the same general approach and same set of technical, operational, and management security controls. The submitted CSP was reviewed against the corresponding sections in RG 5.71.

3.0 TECHNICAL EVALUATION

The NRC staff performed a technical evaluation of the licensee's submittal. The licensee's submittal with the exceptions of deviations described in Section 3.23, generally conformed to the guidance in NEI 08-09, Revision 6, which was found to be acceptable by the NRC staff and comparable to RG 5.71 to satisfy the requirements contained in 10 CFR 73.54. The staff reviewed the licensee's submittal against the requirements of 10 CFR 73.54 following the guidance contained in RG 5.71. The NRC staff's evaluation of each section of their submittal is discussed below.

3.1 Scope and Purpose The licensee's CSP establishes a means to achieve high assurance that digital computer and communication systems and networks associated with the following functions are adequately protected against cyber attacks up to and including the DBT:

1. Safety-related and important-to-safety functions;
2. Security functions;
3. Emergency preparedness functions, including offsite communications; and
4. Support systems and equipment which, if compromised, would adversely impact SSEP functions.

The submitted CSP describes achievement of high assurance of adequate protection of systems associated with the above functions from cyber attacks by:

  • Implementing and documenting the "baseline" security controls as described in Section 3.1.6 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.3 described in RG 5.71; and
  • Implementing and documenting a Cyber Security Program to maintain the established cyber security controls through a comprehensive life cycle approach as described in Section 4 of NEI 08-09, Revision 6, which is comparable to Appendix A, Section A.2.1 of RG 5.71.

Thus, the licensee's CSP, as originally submitted, is comparable to the CSP in NEI-08-09, Revision 6. However, in its submittal dated April 6, 2011, the licensee clarified its original submission and indicated that the scope of systems includes those BOP SSCs that have an impact on NPP reactivity if compromised. This is in response to and consistent with SRM COMWCO-1 0-0001, "Regulation of Cyber Security at Nuclear Power Plants," October 21, 2010 (ADAMS Accession No. ML102940009), in which the Commission stated that the NRC's cyber security rule at 10 CFR 73.54 should be interpreted to include SSCs in the BOP that have a nexus to radiological health and safety. The NRC staff determined that those systems that have a nexus to radiological health and safety could directly or indirectly affect reactivity of a NPP,

-5 and are, therefore, within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1).

The NRC staff reviewed the CSP and the supplemental information submitted by the licensee and found no deviation from Regulatory Position C.3.3 in RG 5.71 and Appendix A, Section A.2.1 of RG 5.71. The NRC staff finds that the licensee established adequate measures to implement and document the Cyber Security Program, including baseline security controls.

Based on the above, the NRC staff finds that the CSP adequately establishes the Cyber Security Program, including baseline security controls.

3.2 Analyzing Digital Computer Systems and Networks and Applying Cyber Security Controls The licensee's CSP describes that the Cyber Security Program is established, implemented, and maintained as described in Section 3.1 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.1 described in RG 5.71 to:

  • Analyze digital computer and communications systems and networks; and

The submitted CSP describes how the cyber security controls in Appendices D and E of NEI 08-09, Revision 6, which are comparable to Appendices Band C in RG 5.71, are addressed to protect CDAs from cyber attacks.

This section of the CSP submitted by the licensee is comparable to Regulatory Position C.3.1 in RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately addresses security controls.

3.3 Cyber Security Assessment and Authorization The licensee provided information addressing the creation of a formal, documented, cyber security assessment and authorization policy. This included a description concerning the creation of a formal, documented procedure comparable to Section 3.1.1 of NEI 08-09, Revision 6.

The NRC staff finds that the licensee established adequate measures to define and address the purpose, scope, roles, responsibilities, management commitment, and coordination, and facilitates the implementation of the cyber security assessment and authorization policy.

The NRC staff reviewed the above information and found no deviation from Section 3.1.1 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.1.1 and Appendix A, Section A.3.1.1 of RG 5.71.

Based on the above, the NRC staff finds that the CSP adequately established controls to develop, disseminate, and periodically update the cyber security assessment and authorization policy and implementing procedure.

- 6 3.4 Cyber Security Assessment Team (CSAT)

The CSAT responsibilities include conducting the cyber security assessment, documenting key findings during the assessment, and evaluating assumptions and conclusions about cyber security threats. The submitted CSP outlines the requirements, roles and responsibilities of the CSAT comparable to Section 3.1.2 of NEI 08-09, Revision 6. It also describes that the CSAT has the authority to conduct an independent assessment.

The submitted CSP describes that the CSAT will consist of individuals with knowledge about information and digital systems technology; NPP operations, engineering, and plant Technical Specifications; and physical security and emergency preparedness systems and programs. The CSAT description in the CSP is comparable to Regulatory Position C.3.1.2 in RG 5.71.

The submitted CSP lists the roles and responsibilities for the CSAT which included performing and overseeing the cyber security assessment process; documenting key observations; evaluating information about cyber security threats and vulnerabilities; confirming information obtained during tabletop reviews, walk-downs, or electronic validation of COAs; and identifying potential new cyber security controls.

The licensee's CSP noted on the ninth bullet in Section 3.1.2 that the CSAT would be involved in "reviewing and approving" cyber security controls. This is a deviation from the NEI 08-09, Revision 6 specification, which states that the CSAT would be responsible for "documenting" cyber security controls. The NRC staff requested clarification on how the controls would be documented. The licensee responded by stating that the documentation of controls would be ensured by a Cyber Security Specialist, but the preparation of the documentation could be accomplished by personnel from Engineering, Emergency Preparedness, Security, or other disciplines, depending on the control and the COA under examination. The licensee submitted an updated CSP, and addressed the concern by inserting language in Section 3.1.6, "Mitigation of Vulnerabilities and Application of Cyber Security Controls," that "other plant organizations may be used to document the assessment. .. " The updated CSP notes in the same section that the CSAT would review and approve the usage of each cyber security control. This language supports the licensee's assertion that the documentation of security controls will occur and that the CSAT will have the ultimate responsibility for ensuring this occurs.

This section of the CSP submitted by the licensee is comparable to Regulatory Position C.3.1.2 in RG 5.71.

Based on the CSP statement that cyber security controls will be documented by a Cyber Security Specialist and reviewed and approved by members of the CSAT, the NRC staff finds that the CSP adequately establishes the requirements, roles and responsibilities of the CSAT.

3.5 Identification of COAs The submitted CSP describes that the licensee will identify and document COAs and critical systems (CSs), including a general description, the overall function, the overall consequences if a compromise were to occur, and the security*functional requirements or specifications as described in Section 3.1.3 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.1.3 of RG 5.71.

-7 Based on the above, the NRC staff finds that the CSP adequately describes the process to identify COAs.

3.6 Examination of Cyber Security Practices The submitted CSP describes how the CSAT will examine and document the existing cyber security policies, procedures, and practices; existing cyber security controls; detailed descriptions of network and communication architectures (or network/communication architecture drawings); information on security devices; and any other information that may be helpful during the cyber security assessment process as described in Section 3.1.4 of NEI 08-09, Revision 6. which is comparable to Regulatory Position C.3.1.2 of RG 5.71. The examinations will include an analysis of the effectiveness of the existing Cyber Security Program and cyber security controls. The CSAT will document the collected cyber security information and the results of their examination of the collected information.

This section of the CSP submitted by the licensee is comparable to Regulatory Position C.3.1.2 in RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately describes the examination of cyber security practices.

3.7 Tabletop Reviews and Validation Testing The submitted CSP describes tabletop reviews and validation testing, which confirm the direct and indirect connectivity of each COA and identify direct and indirect pathways to COAs. The CSP states that validation testing will be performed electronically or by physical walk downs.

The licensee's plan for tabletop reviews and validation testing is comparable to Section 3.1.5 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.1.4 of RG 5.71.

Based on the above, the NRC staff finds that the CSP adequately describes tabletop reviews and validation testing.

3.8 Mitigation of Vulnerabilities and Application of Cyber Security Controls The submitted CSP describes the use of information collected during the cyber security assessment process (e.g., disposition of cyber security controls, defensive models. defensive strategy measures, site and corporate network architectures) to implement security controls in accordance with Section 3.1.6 of NEI 08-09, Revision 6. which is comparable to Regulatory Position C.3.3 and Appendix A.3.1.6 to RG 5.71. The CSP describes the process that will be applied in cases where security controls cannot be implemented.

The submitted CSP notes that before the licensee can implement security controls on a COA, it will assess the potential for adverse impact in accordance with Section 3.1.6 of NEI 08-09.

Revision 6. which is comparable to Regulatory Position C.3.3 of RG 5.71.

In the CSP submitted to the NRC, the licensee proposed to address the implementation of alternate controls/countermeasures by: (a) documenting the basis for employing countermeasures; (b) analyzing the COA and proposed countermeasures to confirm the

- 8 effectiveness of the protections (that they provide the same or greater level of protections as the corresponding security controls); (c) implementing the proposed countermeasures; or (d) implementing an alternative frequency of periodicity for the security control employed by documenting the basis for the alternate frequency or periodicity.

Section 3.1.6 of NEI 08-09, Revision 6 does not include an "or" condition between items c and d above, thereby implying the implementation of alternate controls/countermeasures requires all four procedures to be considered and executed if possible. The insertion of the "or" operator in the submitted CSP signaled the licensee's intention to either implement the alternate control or define an alternate periodicity/frequency for measuring the alternate control's effectiveness, but with no intention of performing both activities, as dictated by the NEI 08-09, Revision 6 guidance. The NRC staff requested clarification from the licensee on its approach for implementing alternate controls/countermeasures.

The licensee responded that "although possible, it is not expected that both an alternative countermeasure and an alternative frequency for the security control would be implemented for the same controL" The NRC staff finds that the licensee's response does not indicate its refusal to implement alternative controls and employ alternative periodicities for assessing controls and would implement alternative control/countermeasure as authorized.

The licensee submitted an updated CSP that introduced language that deviated in Section 3.1.6 from that found in NEI 08-09, Revision 6, regarding the documentation of cyber security controls. This deviation is fully discussed in Section 3.4, "Cyber Security Assessment Team,"

above.

Based on the CSP statement that the licensee will implement cyber security controls, implement alternative controls/countermeasures, or not implement a control as per Section 3.1.6 of the licensee's CSP, the NRC staff finds that the CSP adequately describes mitigation of vulnerabilities and application of security controls.

3.9 Incorporating the Cyber Security Program into the Physical Protection Program The submitted CSP states that the Cyber Security Program will be reviewed as a component of the Physical Security Program in accordance with the requirements of 10 CFR 73.55(m). This is comparable to Section 4.1 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.4 of RG 5.71.

This section of the CSP submitted by the licensee is comparable to Appendix A, Section A.3.2 in RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately describes review of the CSP as a component of the physical security program.

3.10 Cyber Security Controls The submitted CSP describes how the technical, operational and management cyber security controls contained in Appendices D and E of NEI 08-09, Revision 6, that are comparable to Appendices Band C in RG 5.71, are evaluated and dispositioned based on site-specific conditions during all phases of the Cyber Security Program. The CSP describes that many

-9 security controls have actions that are required to be performed on specific frequencies and that the frequency of a security control is satisfied if the action is performed within 1.25 times the frequency specified in the control, as applied, and as measured from the previous performance of the action as described in Section 4.2 of NEI 08-09, Revision 6.

This section of the CSP submitted by the licensee is comparable to Appendix A, Section A,3.1.6 in RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately describes implementation of cyber security controls.

3.11 Defense-in-Depth Protective Strategies The licensee's CSP describes the implementation of defensive strategies that ensure the capability to detect, respond to, and recover from a cyber attack. The CSP specifies that the defensive strategies consist of security controls, defense-in-depth measures, and the defensive architecture. The submitted CSP notes that the defensive architecture establishes the logical and physical boundaries to control the data transfer between these boundaries.

The licensee established defense-in-depth strategies by: implementing and documenting a defensive architecture as described in Section 4.3 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.2 in RG 5.71; a physical security program, including physical barriers; the operational and management controls described in Appendix E of NEI 08-09, Revision 6, which is comparable to Appendix C to RG 5.71; and the technical controls described in Appendix D of NEI 08-09, Revision 6, which is comparable to Appendix B to RG 5.71.

The licensee's CSP indicated that communications inherited from lower levels to CDAs at higher levels would be "(1) eliminated or (2) severely restricted." Since the protection and isolating of CDAs at higher levels of security is vital to those defense-in-depth strategies at power plants, the NRC staff requested clarification from the licensee on how communications inherited from lower defense levels would be "severely restricted." The licensee responded by removing references to communications being "severely restricted" in the updated CSP submitted by letter dated April 6, 2011.

This section of the CSP submitted by the licensee is comparable to Regulatory Position C.3.2 and Appendix A, Section A,3.1.5 in RG 5.71.

Based on the licensees' comprehensive defense-in-depth protective strategies providing the capability to detect, respond to, and recover from a cyber attack, the NRC staff finds that the CSP adequately describes implementation of defense-in-depth protective strategies.

3.12 Ongoing Monitoring and Assessment The submitted CSP describes how ongoing monitoring of cyber security controls to support CDAs is implemented comparable to Appendix E of NEI 08-09, Revision 6, which is comparable to Regulatory Positions CA.1 and CA.2 of RG 5.71. The ongoing monitoring program includes configuration management and change control; cyber security impact analysis of changes and changed environments; ongoing assessments of cyber security controls; effectiveness analysis

- 10 (to monitor and confirm that the cyber security controls are implemented correctly, operating as intended, and achieving the desired outcome) and vulnerability scans to identify new vulnerabilities that could affect the security posture of CDAs.

This section of the CSP submitted by the licensee is comparable to Regulatory Positions C.4.1 and C.4.2 of RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately describes ongoing monitoring and assessment.

3.13 Modification of Digital Assets The submitted CSP describes how cyber security controls are established, implemented, and maintained to protect CDAs. These security controls ensure that modifications to CDAs are evaluated before implementation that the cyber security performance objectives are maintained, and that acquired CDAs have cyber security requirements in place to achieve the site's Cyber Security Program objectives. This is comparable to Section 4.5 of NEI 08-09, Revision 6, which is comparable to Appendices A.4.2.5 and A.4.2.6 of RG 5.71.

Based on the above, the NRC staff finds that the CSP adequately describes modification of digital assets.

3.14 Attack Mitigation and Incident Response The submitted CSP describes the process to ensure that SSEP functions are not adversely impacted due to cyber attacks in accordance with Section 4.6 of NEI 08-09, Revision 6, which is comparable to Appendix C, Section C.8 of RG 5.71. The CSP includes a discussion about creating incident response policy and procedures, and addresses training, testing and drills, incident handling, incident monitoring, and incident response assistance. It also describes identification, detection, response, containment, eradication, and recovery activities comparable to Section 4.6 of NEI 08-09, Revision 6.

This section of the CSP submitted by the licensee is comparable to Appendix C, Section C.8 of RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately describes attack mitigation and incident response.

3.15 Cyber Security Contingency Plan The submitted CSP describes creation of a Cyber Security Contingency Plan and policy that protects CDAs from the adverse impacts of a cyber attack described in Section 4.7 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.3.2.7 and Appendix C.9 of RG 5.71. The licensee describes the Cyber Security Contingency Plan that would include the response to events. The plan includes procedures for (a) operating CDAs in a contingency, (b) roles and responsibilities of responders, (c) processes and procedures for backup and storage of information, (d) logical diagrams of network connectivity, (e) current configuration information, and (f) personnel lists for authorized access to CDAs.

- 11 This section of the CSP submitted by the licensee is comparable to Regulatory Position C.3.3.2.7 of RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately describes the cyber security contingency plan.

3.16 Cyber Security Training and Awareness The submitted CSP describes a program that establishes the training requirements necessary for the licensee's personnel and contractors to perform their assigned duties and responsibilities in implementing the Cyber Security Program in accordance with Section 4.8 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.3.2.8 of RG 5.71.

The CSP states that individuals will be trained with a level of cyber security knowledge commensurate with their assigned responsibilities in order to provide high assurance that individuals are able to perform their job functions in accordance with Appendix E of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.3.2.8 of RG 5.71 and describes three levels of training: awareness training, technical training, and specialized cyber security training.

Based on the above, the NRC staff finds that the CSP adequately describes the cyber security training and awareness.

3.17 Evaluate and Manage Cyber Risk The submitted CSP describes how cyber risk is evaluated and managed utilizing site programs and procedures comparable to Section 4.9 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.4 and Appendix C, Section C.13 of RG 5.71. The CSP describes the Threat and Vulnerability Management Program, Risk Mitigation, Operational Experience Program; and the Corrective Action Program and how each will be used to evaluate and manage risk.

This section of the CSP submitted by the licensee is comparable to Regulatory Position C.4 and Appendix C, Section C.13 of RG 5.71 without deviation.

Based on the above, the NRC staff finds that the CSP adequately describes evaluation and management of cyber risk.

3.18 Policies and Implementing Procedures The CSP describes development and implementation of policies and procedures to meet security control objectives in accordance with Section 4.10 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.5 and Appendix A. Section A.3.3 of RG 5.71. This includes the process to document, review, approve, issue, use, and revise policies and procedures.

The CSP also describes the licensee's procedures to establish specific responsibilities for positions described in Section 4.11 of NEI 08-09, Revision 6, which is comparable to Appendix C, Section C.10.10 of RG 5.71.

- 12 The submitted CSP contains the incorrect section heading, which is a duplicate of CSP Section 4.9, "Evaluate and Manage Cyber Risk." The section title should be, "Policies and Implementing Procedures." The content of this section does not deviate from Section 4.11 of NEI 08-09, Revision 6. The title should be corrected in a future version of the CSP.

Also, the licensee neglected to specify the title of the senior management official who is responsible for nuclear plant operations. Section 4.10 of NEI 08-09, Revision 6 offers the licensee several optional titles that can be selected, or the licensee can provide a senior management official in keeping with its organizational structure. The licensee does state that, "personnel responsible for the management and implementation of the program report to senior nuclear management." This omission does not impede the licensee's assurance that policies and procedures will be managed in a manner consistent with the requirements specified in Section 4.10 of NEI 08-09, Revision 6.

Based on the licensees' statement in their CSP that the personnel responsible for the management and implementation of the [cyber security] program will report to senior nuclear management, the NRC staff finds that the CSP adequately describes cyber security policies and implementing procedures.

3.19 Roles and Responsibilities The submitted CSP describes the roles and responsibilities for the qualified and experienced personnel, including the Cyber Security Program Sponsor, the Cyber Security Program Manager, Cyber Security Specialists, the Cyber Security Incident Response Team (CSIRT), and other positions as needed. The CSIRT initiates in accordance with the Incident Response Plan and initiates emergency action when required to safeguard CDAs from cyber security compromise and to assist with the eventual recovery of compromised systems. Implementing procedures establish roles and responsibilities for each of the cyber security roles in accordance with Section 4.11 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.1.2, Appendix A, Section A.3.1.2, and Appendix C, Section C.1 0.1 0 of RG 5.71.

The submitted CSP contains deviations to the roles and responsibilities defined in the NEI 08-09, Revision 6 for the Cyber Security Program Manager and Cyber Security Specialist and creates a new role, Site Cyber Security Program Administrator. The role and responsibility deviations are as follows:

In addition to the responsibilities listed in the NEI 08-09, Revision 6 description, this position also interfaces with the newly created position, Site Cyber Security Program Administrator(s).

The licensee CSP states that the position can also be a Cyber Security Specialist, but the assigned duties indicate the person in this position will be a lead Cyber Security Specialist. The responsibilities are:

- 13 o "Function as a single point of contact for issues related to cyber security" - This is formerly the responsibility of the Cyber Security Program Manager, but the distinction is made between the site/plant responsibilities of the Site Manager and the corporate focus of the Cyber Security Program Manager.

o "Initiates and coordinates the Cyber Security Incident Response Team (CSIRT) functions as required" - This is formerly the duty of the Cyber Security Program Manager as specified in NEI 08-09, Revision 6.

o "Conduct cyber security audits, network scans, and penetration tests against CDAs as necessary" - This is formerly the duty of the Cyber Security Specialist as specified in NEI 08-09, Revision 6.

o "Participates in the development and operation of the cyber security education, awareness, and training program" - This is a new responsibility not cited in the NEI 08-09, Revision 6 description for any position. The Site Cyber Security Program Administrator will be responsible for developing and operating programs that are approved by the Corporate Cyber Security Program Manager.

o "Participates in the development and implementation of cyber security policies and procedures"- This is a new responsibility not cited in the NEI 08-09, Revision 6 description for any position. The Site Cyber Security Program Administrator will be responsible for developing and implementing cyber security policies and procedures that are approved by the Corporate Cyber Program Manger.

  • In addition to the responsibilities that were transferred to the Site Cyber Security Program Administrator, as specified in NEI 08-09, Revision 6, an additional deviation was noted, whereby the licensee assigned the Cyber Security Specialist role the responsibility to "ensure cyber security assessments of CDAs are performed and documented prior to being presented to CSAT for review and approval. This may include documenting the assessments or reviewing assessments provided by another organization such as Engineering, Emergency Preparedness, or Security, or a combination."
  • The role of "Others" in NEI 08-09, Revision 6 refers to operators, engineers, techniCians, and users who perform their assigned duties in accordance with the non-CSAT staff with the preparation of cyber security controls documentation, deviated from the NEI 08-09, Revision 6 text by inserting the phrase, "including performing and documenting cyber security assessments of the CDAs, as requested by a Cyber Security Specialist." This deviation supports the licensee's approach, discussed in Section 3.4, "Cyber Security Assessment Team," and Section 3.8, "Mitigation of Vulnerabilities and Application of Cyber Security Controls."

While the licensee deviated from NEI 08-09, Rev. 6 in Section 4.11 of their CSP, all of the specific roles and responsibilities have been designated to one of several cyber security personnel. Based on the licensees' cyber security plan adequately addressing all of the roles and responsibilities, the NRC staff finds that the CSP adequately describes cyber security roles and responsibilities.

- 14 3.20 Cyber Security Program Review The submitted CSP describes how the Cyber Security Program establishes the necessary procedures to implement reviews of applicable program elements in accordance with Section 4.12 of NEI 08-09, Revision 6, which is comparable to Regulatory Position CA.3 and Appendix A, Section A.4.3 of RG 5.71.

Based on the above, the NRC staff finds that the CSP adequately describes Cyber Security Program review.

3.21 Document Control and Records Retention and Handling The submitted CSP describes that the licensee has established the necessary measures and governing procedures to ensure that sufficient records of items and activities affecting cyber security are developed, reviewed, approved, issued, used, and revised to reflect completed work. The CSP described that superseded portions of certain records will be retained for at least 3 years after the record is superseded, while audit records will be retained for no less than 12 months in accordance with Section 4.13 of NEI 08-09, Revision 6. However, this guidance provided by industry to licensees did not fully comply with the requirements of 10 CFR 73.54 and a generic RAI was issued.

In a letter dated February 28,2011 (ADAMS Accession No. ML110600204), NEI sent to the NRC proposed language for licensees' use to respond to the generic records retention RAI, to which the NRC had no technical objection (

Reference:

Letter from NRC dated March 1, 2011, ADAMS Accession No. ML110490337). The proposed language clarified the requirement by providing examples (without providing an all-inclusive list) of the records and supporting technical documentation that are needed to satisfy the requirements of 10 CFR 73.54. All records will be retained until the Commission terminates the license, and the licensee shall maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission. By retaining accurate and complete records and technical documentation until the license is terminated, inspectors, auditors, or assessors will have the ability to evaluate incidents, events, and other activities that are related to any of the cyber security elements described, referenced, and contained within the licensee's NRC-approved CSP. It will also allow the licensee to maintain the ability to detect and respond to cyber attacks in a timely manner, in the case of an event. In a letter dated April 6, 2011 (ADAMS Accession No. ML110980635), the licensee responded to the records retention RAI using the language proposed by NEI in its letter dated February 28, 2011.

Based on the above, the NRC staff finds that the language the licensee proposes to adopt provides for adequate records retention and will support the licensee's ability to detect and respond to cyber attacks. The NRC staff further finds that this section is comparable to Regulatory Position C.5 and Appendix A, Section A.5 of RG 5.71 without deviation.

Accordingly, the NRC staff concludes that the licensee's CSP adequately describes cyber security document control and records retention and handling.

3.22 Implementation Schedule The submitted CSP provides a proposed implementation schedule for the Cyber Security Program. In a letter dated February 28, 2011 (ADAMS Accession No. ML110600206), NEI sent

- 15 to the NRC a template for licensees to use to submit their CSP implementation schedules, to which the NRC had no technical objection (

Reference:

Letter from NRC dated March 1, 2011, ADAMS Accession No. ML110070348). These key milestones include:

  • Install a deterministic one-way device between lower level devices and higher level devices;
  • Implement the security control "Access Control For Portable And Mobile Devices,"
  • Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds by incorporating the appropriate elements;
  • Identify, document, and implement cyber security controls as per "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment; and
  • Commence ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented.

In a letter dated April 6, 2011 (ADAMS Accession No. ML110980635), the licensee provided a revised implementation schedule using the NEI template, with the exception of Milestone 6.

The licensee deviated from the temple for Milestone 6 to address only the NEI 08-09, Rev. 6, Appendix D technical controls, excluding the operational and management controls, on the basis that implementing the technical controls for target set CDAs provides a high degree of protection against cyber related attacks that could lead to radiological sabotage. Furthermore, the licensee's programs that are currently in place (e.g., physical protection, maintenance and work management, configuration management, operational experience, etc) provide a high degree of protection during the interim period until such time that the full cyber security program is implemented. As per the other implementation milestones included in the schedule, the licensee will be implementing certain operational and management controls, including the bulleted list above.

The NRC staff considers this April 4, 2011, supplement the approved schedule as required by 10 CFR 73.54.

Based on the provided schedule ensuring timely implementation of those protective measures that provide a higher degree of protection against radiological sabotage, the NRC staff finds the Cyber Security Program implementation schedule is satisfactory.

3.23 Differences from NEI 08-09, Revision 6 The NRC staff notes the following additional differences between the licensee's submission and NEI 08-09, Revision 6:

  • In Section 3.1, "Scope and Purpose," the licensee clarified the definition of important-to-safety functions, consistent with SRM-COMWCO-10-0001.

- 16

  • In Section 3.8, "Mitigation of Vulnerabilities and Application of Cyber Security Controls," the licensee deviated by stating in the case of implementing alternative controls! countermeasures that eliminate threaVattack vector(s) associated with one or more of the cyber security controls, that either an alternative countermeasure that provides at least the same degree of cyber security protection as the corresponding cyber security control will be implemented or an alternative frequency or periodicity for the security control will be implemented.
  • In Section 3.18, "Policies and Implementing Procedures," the licensee did not provide the title of the senior management official who is responsible for nuclear plant operations.
  • In Section 3.19, "Roles and Responsibilities," the licensee deviated by assigning some of the specific roles and responsibilities to cyber security personnel in a manner that is different than NEI 08-09, Revision 6; all roles and responsibilities are assigned.
  • In Section 3.21, "Document Control and Records Retention and Handling," the licensee clarified the definition of records and supporting documentation that will be retained to conform to the requirements of 10 CFR 73.54.
  • In Section 3.22, "Implementation Schedule," the licensee submitted a revised implementation schedule, specifying the interim milestones and the final implementation date, including supporting rationale. The licensee deviated from the template for Milestone 6 to address only the NEI 08-09, Revision 6, Appendix D technical controls.

In its letter dated July 16, 2010, to the NRC requesting approval of the submitted BVPS-1 and 2 CSP, the licensee referenced the inclusion of Attachment 1 as the Glossary containing the terms used within the Plan. The NRC staff considers that the full evaluation of the CSP must include a review of the submitted Glossary to note deviations taken to those definitions used in Appendix B of NEI 08-09, Revision 6. The following listed deviations were noted:

  • NEI 08-09, Revision 6 includes the term "cyber incident." The glossary contained in Attachment 1 of the submitted CSP did not include a definition of "cyber incident." The NRC staff requested clarification and the licensee consequently provided an acceptable definition of "cyber incident" as discussed in Section 2.0.
  • NEI 08-09, Revision 6, Appendix B defines "critical digital asset" as the following, "a component of a critical system [This includes assets that perform SSEP functions; provide support to, protect, or provide a pathway to critical systems]; or a support system asset whose failure or compromise as a result of a cyber attack would result in an adverse impact t) a SSEP function." The Glossary contained in Attachment 1 of the submitted Ci3P defines "critical digital asset as the

- 17 following ,"a sUbcomponent of a CS that consists of or contains a digital device, computer, or communication system or network, whose failure or compromise as the result of a cyber attack would result in an adverse impact to a SSEP function." The NRC staff finds that the CSP synthesizes the NEI 08-09, Revision 6 definition in a way that doesn't compromise the following key aspects of the term, "(a) CDA is a component that is a digital devise, computer, communication system or network; (b) CDA is a sUb-component of a CS; and (c) the failure or compromise of such would result in an adverse impact to SSEP functions."

The NRC staff finds all of these deviations to be acceptable as discussed in the respective sections of this safety evaluation.

3.24 NRC Staff Findings The NRC staff's review and evaluation of the licensee's CSP was conducted using the staff positions established in the relevant sections of RG 5.71. Based on the NRC staff's review, the NRC finds that the licensee addressed the relevant information necessary to satisfy the requirements of 10 CFR 73.54, 10 CFR 73.55{a){1), 10 CFR 73.55(b)(8), and 10 CFR 73.55(m),

as applicable and that the licensee's Cyber Security Program provides high assurance that digital computer and communication systems and networks associated with the following are adequately protected against cyber attacks, up to and including the DBT as described in 10 CFR 73.1. This includes protecting digital computer and communication systems and networks associated with: (i) safety-related and important-to-safety functions; Oi) security functions; (iii) emergency preparedness functions, including offsite communications; and (iv) support systems and equipment which, if compromised, would adversely impact SSEP functions.

Therefore, the NRC staff finds the information contained in this CSP to be acceptable and upon successful implementation of this program, operation of the BVPS-1 and 2 will not be inimical to the common defense and security.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the Pennsylvania State official was notified of the proposed issuance of the amendments. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

The amendments change a requirement with respect to installation or use of a facility component located within the restricted area as defined in 10 CFR Part 20. The NRC staff has determined that the amendments involve no significant increase in the amounts, and no Significant change in the types, of any effluents that may be released offsite, and that there is no significant increase in individual or cumulative occupational radiation exposure. The Commission has previously issued a proposed finding that the amendments involve no significant hazards consideration, and there has been no public comment on such finding published in the Federal Register on October 12, 2010 (75 FR 62599). Also, these amendments relate to safeguards matters and do not involve any significant construction impacts, and relate to changes in recordkeeping, reporting, or administrative procedures or

- 18 requirements. Accordingly, the amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9), (10), and (12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments.

6.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

7.0 REFERENCES

1. Section 73.54 of 10 CFR, "Protection of digital computer and communication systems and networks," U.S. Nuclear Regulatory Commission, Washington, DC, March 27,2009.
2. RG 5.71, "Cyber Security Programs for Nuclear Facilities," U.S. Nuclear Regulatory Commission, Washington, DC, January 2010. (ADAMS Accession No. ML090340159)
3. Letter from Jack Roe, Nuclear Energy Institute, to Scott Morris, U.S. Nuclear Regulatory Commission, "NEI 08-09, Revision 6, 'Cyber Security Plan for Nuclear Power Reactors; April 2010,'" April 28, 2010. (ADAMS Accession No. ML101180434)
4. Letter from Richard Correia, U.S. Nuclear Regulatory Commission, to Jack Roe, Nuclear Energy Institute, "Nuclear Energy Institute 08-09, 'Cyber Security Plan Template, Revision 6,'" May 5,2010. (ADAMS Accession No. ML101190371)
5. SRM-COMWCO-10-0001, "Regulation of Cyber Security at Nuclear Power Plants,"

October 21, 2010. (ADAMS Accession No. ML102940009)

Principal Contributor: J. Green, NSIRIDSP/ISCPB Date: July 28, 2011

P. Harden -2 A copy of our safety evaluation is also enclosed. Notice of Issuance will be included in the Commission's next regular Biweekly Federal Register Notice.

Sincerely,

/ra!

Nadiyah S. Morgan, Project Manager Plant Licensing Branch 1-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-334 and 50-412

Enclosures:

1. Amendment No. 287 to License No. DPR-66
2. Amendment No. 174 to License No. NPF-73
3. Safety Evaluation cc w/encls: Distribution via Listserv DISTRIBUTION:

PUBLIC RidsNRRDorILPI1-1 RidsNRRPMBeaverValley RidsNrrLASLittle (hard copy) RidsOGCMailCenter RidsNsirDsplscpb RidsNrrDorlDpr LPL1-1 R/F RidsAcrsAcnw&mMailCenter RidsRg1 MailCenter J. Green, NSIR P. Pederson, NSIR ADAMS A ccesslon N0.: ML111940123 *1 nput provi.ded ** V'la EI ect romc

'M al'I OFFICE LPL1-1/PM LPL1-1/LA NSIR/DSPIISCPB/BC OGC LPL 1-1/BC NAME NMorgan SUttle CErlanger* LSubin/NLO** NSalgado DATE 7/13/2011 7/13/2011 06/23/11 712512011 7/28/11 OFFICIAL RECORD COpy

Retrieved from "https://kanterella.com/w/index.php?title=ML111940123&oldid=2642541"