Correction Letter to the Cyber Security Plan Amendment

ML112620622
Person / Time
Site:	Beaver Valley
Issue date:	09/22/2011
From:	Nadiyah Morgan Plant Licensing Branch 1
To:	Harden P FirstEnergy Nuclear Operating Co
Morgan Nadiyah, NRR/Dorl, 415-1016
References
TAC ME4383, TAC ME4384
Download: ML112620622 (8)
v • d • e

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 September 22, 2011 Mr. Paul A. Harden Site Vice President FirstEnergy Nuclear Operating Company Beaver Valley Power Station Mail Stop A-BV-SEB1 P.O. Box 4, Route 168 Shippingport, PA 15077

SUBJECT:

BEAVER VALLEY POWER STATION, UNIT NOS. 1 AND 2 - CORRECTION LETTER TO THE CYBER SECURITY PLAN AMENDMENT (TAC NOS. ME4383 AND ME4384)

Dear Mr. Harden:

On July 28, 2011, the Nuclear Regulatory Commission (NRC) issued Amendment No. 287 to Renewed Facility Operating License (FOL) No. DPR-66 and Amendment No. 174 to Renewed FOL No. NPF-73 for the Beaver Valley Power Station Unit, Nos. 1 and 2 for approval of the FirstEnergy Nuclear Operating Company Cyber Security Plan and Implementation Schedule, as required by Title 10 of the Code of Federal Regulations 73.54, "Protection of digital computer and communication systems and networks."

For clarification purposes, the NRC staff would like to make some corrections to the amendment. Enclosed are the corrected pages. If you have any questions, please contact me at (301) 415-1016.

Sincerely, adiyah S. Morgan, Project Manager Plant Licensing Branch I-I Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-334 and 50-412

Enclosure:

As stated cc w/encl: Distribution via Listserv

-2

2. Accordingly, the license is amended by changes as indicated in the attachment to this license amendment and paragraph 2.C.(2) of the Renewed Facility Operating License No. NPF-73 is hereby amended to read as follows:

(2) Technical Specifications and Environmental Protection Plan The Technical Specifications contained in Appendix A, as revised through Amendment No. 174, and the Environmental Protection Plan contained in Appendix B, both of which are attached hereto are hereby incorporated in the license. FENOC shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan.

Further, the following paragraph is added to the existing License Condition 2.E:

"FENOC shall fully implement and maintain in effect all provisions of the Commission approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Beaver Valley Power Station CSP was approved by License Amendment No. 174."

3. This license amendment is effective as of the date of its issuance. The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee by letter July 22,2010, as supplemented by letters dated September 28,2010, November 29, 2010, February 3, 2011, and April 6, 2011, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION

~'VP~

~

Nancy l. Salgado, Chief Plant Licensing Branch 1-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the License Date of Issuance: September 22. 2011

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO 287 TO RENEWED FACILITY OPERATING LICENSE NO. DPR-66 AND AMENDMENT NO. 174 TO RENEWED FACILITY OPERATING LICENSE NO. NPF-73 FIRSTENERGY NUCLEAR OPERATING COMPANY FIRSTENERGY NUCLEAR GENERATION CORP.

OHIO EDISON COMPANY THE TOLEDO EDISON COMPANY BEAVER VALLEY POWER STATION. UNIT NOS. 1 AND 2 DOCKET NOS. 50-334 AND 50-412

1.0 INTRODUCTION

By application dated July 22, 2010 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML102080034), as supplemented by letters dated September 28, 2010 (ADAMS Accession No. ML102740128), November 29,2010 (ADAMS Accession No. ML103360031), February 3,2011 (ADAMS Accession No. ML110390066), and April 6, 2011 (ADAMS Accession No. ML110980635), FirstEnergy Nuclear Operating Company (the licensee), requested changes to the Renewed Facility Operating Licenses (FOLs) for Beaver Valley Power Station, Unit Nos. 1 and 2 (BVPS-1 and 2) for approval of the licensee's Cyber Security Plan (CSP) and Implementation Schedule, as required by Title 10 of the Code of Federal Regulations (10 CFR) 73.54, "Protection of digital computer and communication systems and networks," (Reference 1). By letter dated April 6, 2011, the licensee supplemented their CSP to address: 1) scope of systems in response to the October 21, 2010, Commission decision (Reference 5); 2) records retention; and 3) implementation schedule.

The supplements dated September 28, 2010, November 29, 2010, February 3, 2011, and April 6, 2011, provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the Nuclear Regulatory Commission (NRC) staff's original proposed no significant hazards consideration determination as published in the Federal Register on October 12, 2010 (75 FR 62599).

The amendments would approve the CSP and associated implementation schedule, and revise Paragraph 2.0 of FOL No. DPR-66 for BVPS-1 and Paragraph 2.E of FOL No. NPF-73 for BVPS-2 to provide a license condition to require the licensee to fully implement and maintain in

-4 submitted a supplement to their CSP on April 6, 2011, to include information on SSCs in the BOP that, if compromised, could affect NPP reactivity.

RG 5.71 and NEI 08-09, Revision 6 are comparable documents; both are based on essentially the same general approach and same set of technical, operational, and management security controls. The submitted CSP was reviewed against the corresponding sections in RG 5.71.

3.0 TECHNICAL EVALUATION

The NRC staff performed a technical evaluation of the licensee's submittal. The licensee's submittal with the exceptions of deviations described in Section 3.23, generally conformed to the guidance in NEI 08-09, Revision 6, which was found to be acceptable by the NRC staff and comparable to RG 5.71 to satisfy the requirements contained in 10 CFR 73.54. The staff reviewed the licensee's submittal against the requirements of 10 CFR 73.54 following the guidance contained in RG 5.71. The NRC staff's evaluation of each section of their submittal is discussed below.

3.1 Scope and Purpose The licensee's CSP establishes a means to achieve high assurance that digital computer and communication systems and networks associated with the following functions are adequately protected against cyber attacks up to and including the DBT:

1. Safety-related and important-to-safety functions;

2. Security functions;

3. Emergency preparedness functions, including offsite communications; and

4. Support systems and equipment which, if compromised, would adversely impact SSEP functions.

The submitted CSP describes achievement of high assurance of adequate protection of systems associated with the above functions from cyber attacks by:

• Implementing and documenting the "baseline" security controls as described in Section 3.1.6 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.3 described in RG 5.71; and

• Implementing and documenting a Cyber Security Program to maintain the established cyber security controls through a comprehensive life cycle approach as described in Section 4 of NEI 08-09, Revision 6, which is comparable to Appendix A, Section A.2.1 of RG 5.71.

Thus, the licensee's CSP, as originally submitted, is comparable to the CSP in NEI-08-09, Revision 6. However, in its submittal dated April 6, 2011, the licensee clarified its original submission and indicated that the scope of systems includes those BOP SSCs that have an impact on NPP reactivity if compromised. This is in response to and consistent with SRM COMWCO-10-0001, "Regulation of Cyber Security at Nuclear Power Plants," October 21,2010 (ADAMS Accession No. ML102940009), in which the Commission stated that the NRC's cyber security rule at 10 CFR 73.54 should be interpreted to include SSCs in the BOP that have a nexus to radiological health and safety. The NRC staff determined that those systems that have a nexus to radiological health and safety could directly or indirectly affect reactivity of a NPP,

- 12 The submitted CSP contains the incorrect section heading, which is a duplicate of CSP Section 4.9, "Evaluate and Manage Cyber Risk." The section title should be, "Policies and Implementing Procedures." The content of this section does not deviate from Section 4.10 of NEI 08-09, Revision 6. The title should be corrected in a future version of the CSP.

Also, the licensee neglected to specify the title of the senior management official who is responsible for nuclear plant operations. Section 4.10 of NEI 08-09, Revision 6 offers the licensee several optional titles that can be selected, or the licensee can provide a senior management official in keeping with its organizational structure. The licensee does state that, "personnel responsible for the management and implementation of the program report to senior nuclear management." This omission does not impede the licensee's assurance that policies and procedures will be managed in a manner consistent with the requirements specified in Section 4.10 of NEI 08-09, Revision 6.

Based on the licensees' statement in their CSP that the personnel responsible for the management and implementation of the [cyber security] program will report to senior nuclear management, the NRC staff finds that the CSP adequately describes cyber security policies and implementing procedures.

3.19 Roles and Responsibilities The submitted CSP describes the roles and responsibilities for the qualified and experienced personnel, including the Cyber Security Program Sponsor, the Cyber Security Program Manager, Cyber Security Specialists, the Cyber Security Incident Response Team (CSIRT), and other positions as needed. The CSIRT initiates in accordance with the Incident Response Plan and initiates emergency action when required to safeguard CDAs from cyber security compromise and to assist with the eventual recovery of compromised systems. Implementing procedures establish roles and responsibilities for each of the cyber security roles in accordance with Section 4.11 of NEI 08-09, Revision 6, which is comparable to Regulatory Position C.3.1.2, Appendix A, Section A.3.1.2, and Appendix C, Section C.10.10 of RG 5.71.

The submitted CSP contains deviations to the roles and responsibilities defined in the NEI 08-09, Revision 6 for the Cyber Security Program Manager and Cyber Security Specialist and creates a new role, Site Cyber Security Program Administrator. The role and responsibility deviations are as follows:

• The Cyber Security Program Manager is designated as the "corporate" Cyber Security Manager, and is identified with cyber security issues at the corporate or fleet-wide level.

In addition to the responsibilities listed in the NEI 08-09, Revision 6 description, this position also interfaces with the newly created position, Site Cyber Security Program Ad min istrator( s).

The Site Cyber Security Program Administrator has several responsibilities that are associated with the NEI 08-09, Revision 6 description of the Cyber Security Specialist. The licensee CSP states that the position can also be a Cyber Security Specialist, but the assigned duties indicate the person in this position will be a lead Cyber Security Specialist. The responsibilities are:

- 15 to the NRC a template for licensees to use to submit their CSP implementation schedules, to which the NRC had no technical objection (

Reference:

Letter from NRC dated March 1, 2011, ADAMS Accession No. ML110070348). These key milestones include:

• Establish the CSAT;

• Identify CSs and CDAs;

• Install a deterministic one-way device between lower level devices and higher level devices;

• Implement the security control "Access Control For Portable And Mobile Devices,"

• Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds by incorporating the appropriate elements;

• Identify, document, and implement cyber security controls as per "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment; and

• Commence ongOing monitoring and assessment activities for those target set CDAs whose security controls have been implemented.

In a letter dated April 6, 2011 (ADAMS Accession No. ML110980635), the licensee provided a revised implementation schedule using the NEI template, with the exception of Milestone 6.

The licensee deviated from the temple for Milestone 6 to address only the NEI 08-09, Rev. 6, Appendix D technical controls, excluding the operational and management controls, on the basis that implementing the technical controls for target set CDAs provides a high degree of protection against cyber related attacks that could lead to radiological sabotage. Furthermore, the licensee's programs that are currently in place (e.g., physical protection, maintenance and work management, configuration management, operational experience, etc) provide a high degree of protection during the interim period until such time that the full cyber security program is implemented. As per the other implementation milestones included in the schedule, the licensee will be implementing certain operational and management controls, including the bulleted list above.

The NRC staff considers this April 6, 2011, supplement the approved schedule as required by 10 CFR 73.54.

Based on the provided schedule ensuring timely implementation of those protective measures that provide a higher degree of protection against radiological sabotage, the NRC staff finds the Cyber Security Program implementation schedule is satisfactory.

3.23 Differences from NEI 08-09, Revision 6 The NRC staff notes the following additional differences between the licensee's submission and NEI 08-09, Revision 6:

In Section 3.1, "Scope and Purpose," the licensee clarified the definition of important-to-safety functions, consistent with SRM-COMWCO-1 0-0001.

- 16

• In Section 3.4, "Cyber Security Assessment Team (CSAT)," the licensee deviated by stating that cyber security controls will be documented by a Cyber Security Specialist and reviewed and approved by members of the CSAT.

• In Section 3.8, "Mitigation of Vulnerabilities and Application of Cyber Security Controls," the licensee deviated by stating in the case of implementing alternative controlsl countermeasures that eliminate threat/attack vector(s) associated with one or more of the cyber security controls, that either an alternative countermeasure that provides at least the same degree of cyber security protection as the corresponding cyber security control will be implemented or an alternative frequency or periodicity for the security control will be implemented.

• In Section 3.18, "Policies and Implementing Procedures," the licensee did not provide the title of the senior management official who is responsible for nuclear plant operations.

• In Section 3.19, "Roles and Responsibilities," the licensee deviated by assigning some of the specific roles and responsibilities to cyber security personnel in a manner that is different than NEI 08-09, Revision 6; all roles and responsibilities are assig ned.

• In Section 3.21, "Document Control and Records Retention and Handling," the licensee clarified the definition of records and supporting documentation that will be retained to conform to the requirements of 10 CFR 73.54.

• In Section 3.22, "Implementation Schedule," the licensee submitted a revised implementation schedule, specifying the interim milestones and the final implementation date, including supporting rationale. The licensee deviated from the template for Milestone 6 to address only the NEI 08-09, Revision 6, Appendix D technical controls.

In its letter dated July 22, 2010, to the NRC requesting approval of the submitted BVPS-1 and 2 CSP, the licensee referenced the inclusion of Attachment 1 as the Glossary containing the terms used within the Plan. The NRC staff considers that the full evaluation of the CSP must include a review of the submitted Glossary to note deviations taken to those definitions used in Appendix B of NEI 08-09, Revision 6. The following listed deviations were noted:

• NEI 08-09, Revision 6 includes the term "cyber incident." The glossary contained in Attachment 1 of the submitted CSP did not include a definition of "cyber incident." The NRC staff requested clarification and the licensee consequently provided an acceptable definition of "cyber incident" as discussed in Section 2.0.

• NEI 08-09, Revision 6, Appendix B defines "critical digital asset" as the following, "a component of a critical system [This includes assets that perform SSEP functions; provide support to, protect, or provide a pathway to critical systems]; or a support system asset whose failure or compromise as a result of a cyber attack would result in an adverse impact to a SSEP function." The Glossary contained in Attachment 1 of the submitted CSP defines "critical digital asset as the

September 22, 2011 Mr. Paul A. Harden Site Vice President FirstEnergy Nuclear Operating Company Beaver Valley Power Station Mail Stop A-BV-SEB1 P.O. Box 4, Route 168 Shippingport, PA 15077

SUBJECT:

BEAVER VALLEY POWER STATION, UNIT NOS. 1 AND 2 - CORRECTION LETTER TO THE CYBER SECURITY PLAN AMENDMENT (TAC NOS. ME4383 AND ME4384)

Dear Mr. Harden:

On July 28, 2011, the Nuclear Regulatory Commission (NRC) issued Amendment No. 287 to Renewed Facility Operating License (FOL) No. DPR-66 and Amendment No. 174 to Renewed FOL No. NPF-73 for the Beaver Valley Power Station Unit, Nos. 1 and 2 for approval of the FirstEnergy Nuclear Operating Company Cyber Security Plan and Implementation Schedule, as required by Title 10 of the Code of Federal Regulations 73.54, "Protection of digital computer and communication systems and networks."

For clarification purposes, the NRC staff would like to make some corrections to the amendment. Enclosed are the corrected pages. If you have any questions, please contact me at (301) 415-1016.

Sincerely,

/raJ Nadiyah S. Morgan, Project Manager Plant Licensing Branch I-I Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-334 and 50-412

Enclosure:

As stated cc w/encl: Distribution via Listserv DISTRIBUTION:

PUBLIC RidsNRRDorILPI1-1 RidsNRRPMBeaverValley RidsNrrLASUttle RidsOGCMailCenter RidsNsirDsplscpb RidsNrrDorlDpr LPL1-1 R/F RidsAcrsAcnw&mMailCenter RidsRg 1MailCenter J. Green, NSIR P. Pederson, NSIR ADAMS Accession No : ML112620622 *Via email OFFICE LPL 1-1/PM LPL 1-1/LA LPL 1-1/BC NAME NMorgan SUttle NSalgado (DPickett for)

DATE 9/22/2011 9/22/2011* 9/22/2011 OFFICIAL RECORD COpy