ML12198A192

NRC Staff Comments on NEI 10-04 Revision 2, Identifying Systems and Assets Subject to the Cyber Security Rule.
Person / Time
Issue date: 07/27/2012
From: Division of Security Policy
To: Nuclear Energy Institute; Simonds G
Shared Package: ML12198A198
References: NEI 10-04, Rev 2


Text

NRC Staff Comments on NEI 10-04 Revision 2 dated April 2012

Columns of the comment table: #, Section, Page, NEI 10-04 Text, Proposed Change(s), Comment(s). Each numbered comment below is one row of that table.

Comment 1 (Section 1.2, page 2)

NEI 10-04 Text: Licensees must conduct a site-specific analysis of digital computer and communication systems and networks to identify CDAs that must be protected.

Proposed Change(s): Change text to read as follows: "Licensees must conduct a site-specific analysis of digital computer and communication systems and networks to identify CDAs that must be protected in accordance with the requirements set forth in 10 CFR 73.54."

Comment 2 (Section 2.1, page 3)

NEI 10-04 Text: In the context of 10 CFR 73.54, identifying Assets associated with safety-related and important-to-safety functions requires a consideration of not just safety and important-to-safety systems, but those non-safety related systems that can affect safety functions, including those systems that can impact reactivity.

Proposed Change(s): Correct text as follows: "In the context of 10 CFR 73.54, identifying assets associated with safety-related and important-to-safety functions requires a consideration of not just safety and important-to-safety systems, but those non-safety related systems that can affect safety functions, including those systems that can impact reactivity."

Comment 3 (Section 2.1.1, page 4)

NEI 10-04 Text: (1) Safety-related systems, structures, and components which are those relied upon to remain functional during and following design-basis events (as defined in 10 CFR 50.49(b)(1)) to ensure the following functions: (i) The integrity of the reactor coolant pressure boundary; (ii) The capability to shut down the reactor and maintain it in a safe shutdown condition; or (iii) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures comparable to those referred to in 10 CFR 50.34(a)(1), 10 CFR 50.67(b)(2), or 10 CFR 100.11 of this chapter, as applicable.

Proposed Change(s): General comment: Include references to 10 CFR 54.4(a)(2) and (a)(3).

Comment 4 (Section 2.1.2, page 4)

NEI 10-04 Text: Each licensee has, over time, developed a working application of the term important-to-safety in their licensing basis. Licensees should rely on their site-specific application in the identification of important-to-safety systems.

Proposed Change(s): Include the following sentence in this paragraph: "Systems that perform important-to-safety functions should include those that are required to maintain diversity and defense-in-depth for safety functions (e.g., the diverse actuation system and credited diverse display systems)."

Comment(s): In addition to the clarification provided in Staff Requirements Memorandum (SRM) COMWCO-10-0001 and SECY 10-0153 concerning important-to-safety systems, Chapter 7 of NUREG 0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition," provides criteria for determining non-safety systems that qualify as important to safety. Examples include systems that are necessary to maintain diversity and defense-in-depth for performing safety functions, such as the diverse actuation system and non-safety displays.

Comment 5 (Section 2.1.2, page 4)

NEI 10-04 Text: First paragraph of the section.

Proposed Change(s): Add as the last sentence of the first paragraph: "At a minimum, licensees should identify any systems that are credited in their facility licensing basis for the purpose of complying with NRC regulations and/or General Design Criteria."

Comment(s): In addition to the clarification provided in Staff Requirements Memorandum (SRM) COMWCO-10-0001 and SECY 10-0153 concerning important-to-safety systems, Chapter 7 of NUREG 0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition," provides criteria for determining non-safety systems that qualify as important to safety. Examples include systems that are necessary to maintain diversity and defense-in-depth for performing safety functions, such as the diverse actuation system and non-safety displays.

Comment 6 (Section 2.1.2, page 4)

NEI 10-04 Text: Additionally, on October 21, 2010, the NRC issued Staff Requirements Memorandum (SRM) COMWCO-10-0001, "Regulations of Cyber Security at Nuclear Power Plants," to clarify NRC positions on structures, systems, and components in the balance of plant with respect to NRC's Cyber Security Rule. The SRM states: "The Commission has determined as a matter of policy that the NRC's cyber security rule at 10 CFR 73.54 should be interpreted to include structures, systems, and components in the Balance of Plant that have a nexus to radiological health and safety at NRC-licensed nuclear power plants."

Proposed Change(s): Add the following statement to the end of this paragraph: "SECY 10-0153 contains the NRC staff response to the SRM. The SECY identifies the staff interpretation of the SRM as 'SSCs in the BOP that have a nexus to radiological health and safety are those that could directly or indirectly affect reactivity of an NPP, and are therefore within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1).'"

Comment 7 (Section 2.1.2, page 5)

NEI 10-04 Text: Last paragraph / listing of section 2.1.2.

Proposed Change(s): Add to the list: "Licensee formal communications to the NRC (e.g., responses to Generic Communications or NRC Orders)."

Comment(s): Another source for identification of potential systems to protect may be found in generic communications (including responses) and/or NRC Orders. These systems would likely be identified in other documentation, but it may not hurt to list those sources here.

Enclosure 2


Comment 8 (Section 2.2, page 5)

NEI 10-04 Text: These computer systems are not a part of the physical protection system, and may not satisfy the requirements of 10 CFR 73.54(b)(1).

Proposed Change(s): Change text to read as follows: "These computer systems are not a part of the physical protection system, and may not satisfy the requirements of 10 CFR 73.54(b)(1)."

Comment(s): The staff does not agree with the wording used in this case, and notes that it could be misleading in cases where such systems may be within the scope of 10 CFR 73.54.

Comment 9 (Section 2.2, page 5)

NEI 10-04 Text: These systems may, however, be important for the protection of the public health and safety under certain conditions, and licensees should consider the extent to which information stored in these computers is used in the decision making process for reinstating UAA/UA.

Proposed Change(s): Change text to read as follows: "These systems may, however, be important for the protection of the public health and safety under certain conditions, and licensees should consider the extent to which information stored in these computers is used in the decision making process for reinstating UAA/UA consistent with 10 CFR 73.56. Under such conditions, these systems may be within the scope of 10 CFR 73.54."

Comment(s): Under certain circumstances the compromise of these computer systems can adversely impact the UA/UAA re-instatement determination of an individual. Therefore these systems may be within the scope of 10 CFR 73.54. However, if licensees implement measures that eliminate the use of these computer systems as a sole source of data verification for making UA/UAA determinations for these certain circumstances, these computer systems may be out of the scope of 10 CFR 73.54.

Comment 10 (Section 2.2, page 6)

Proposed Change(s): Include the following within the list of Security Systems:

Access Authorization

1. Access Authorization Computer Systems [10 CFR 73.56]

If licensees implement measures that eliminate the use of these computer systems as a sole source of data verification for making UA/UAA determinations for these certain circumstances, these computer systems may be out of the scope of 10 CFR 73.54.

Comment(s): The compromise of computer systems used to implement portions of the Access Authorization Program for managing data used for making UA/UAA determinations could have an adverse impact on a licensee's ability to comply with 10 CFR 73.56 and the Insider Mitigation Program.

Comment 11 (Section 2.3, pages 6-7)

NEI 10-04 Text: The emergency preparedness systems within the scope of the cyber-security rule are those which, if compromised by a cyber attack, would prevent a licensee from implementing measures needed for the protection of the public in the event of a radiological emergency. Such systems and equipment include digital computer, and communication systems and networks associated with these measures.

Proposed Change(s): Change text to read as follows: "The emergency preparedness systems within the scope of the cyber-security rule are those which, if compromised by a cyber attack, would prevent a licensee from implementing measures needed for the protection of the public in the event of a radiological emergency. Such systems and equipment include digital computer, and communication systems and networks associated with these measures needed for the protection of the public in the event of a radiological emergency."

Comment 12 (Section 2.3, page 7)

NEI 10-04 Text: Licensees must be able to demonstrate the capability to perform emergency response functions even in cases where they may use equipment they for which they do not have full custody and control and cannot reasonably implement cyber security protective measures.

Proposed Change(s): Correct text as follows: "Licensees must be able to demonstrate the capability to perform emergency response functions even in cases where they may use equipment they for which they do not have full custody and control and cannot reasonably implement cyber security protective measures."

Comment 13 (Section 2.3, pages 7-8)

NEI 10-04 Text: Backup capabilities should be considered. 10 CFR 50, Appendix E requirements call for reliable primary and backup communications capabilities for certain emergency response functions. In general, licensees have also established backup capabilities for other functions as a matter of prudency (e.g., accident assessment). Such systems should not be vulnerable to a particular cyber attack that would render more than one means inoperable or unreliable.

Unless both the primary and the backup EP systems are vulnerable to the same mode of cyber-attack, only one of these EP systems need be considered under 10 CFR 73.54(b)(1). For example, a licensee's Emergency Plan may require the use of an Internet-based program for tracking, trending, and communicating emergency response data with a backup capability that uses analog public telephone lines. In the absence of a common mode cyber-attack that would simultaneously render both communications methods inoperable, only one of these systems would need to be protected as provided in 10 CFR 73.54. It is important to recognize that the Commission's regulations place emphasis on prudent risk reduction measures, but does not require dedication of resources to handle every possible accident

Proposed Change(s): Change text to read as follows: "Backup capabilities should be considered. 10 CFR 50, Appendix E requirements call for reliable primary and backup communications capabilities for certain emergency response functions. In general, licensees have also established backup capabilities for other functions as a matter of prudency (e.g., accident assessment). Digital means of implementing primary and backup communications, to include communication systems and networks, are to be protected from cyber attacks in accordance with 10 CFR 73.54 and the licensees' and applicants' NRC-approved cyber security plans."

Comment(s): 10 CFR 73.54 does not distinguish between primary and backup systems. In addition, the cyber security rule specifies the protection of digital assets, making the comparison to analog systems unclear.


Comment 14 (Table 2.3.1, page 9)

NEI 10-04 Text: 10 CFR 50.47(b)(2), Additional Information column.

Proposed Change(s): Add IV.A.9 to the listing.

Comment 15 (Table 2.3.2, page 12)

NEI 10-04 Text: 10 CFR 50.47(b)(11), Additional Information column.

Proposed Change(s): Change "IV.E.1" to read "IV.E".

Comment 16 (Table 2.3.3, page 12)

NEI 10-04 Text: 10 CFR 50.47(b)(12), Additional Information column.

Proposed Change(s): Change "IV.E.5-7" to read "IV.E".

Comment 17 (Section 2.4, page 14)

NEI 10-04 Text: Support systems as equipment to be protected include those required to provide a stable environment conducive to the operational requirements of systems associated with SSEP functions.

Proposed Change(s): Change text to read as follows: "Support systems as equipment to be protected include those required to provide a stable environment conducive to the operational requirements of systems associated with SSEP functions and those systems that, if compromised, may adversely impact systems performing SSEP functions. This includes any systems that are either directly or indirectly connected to systems that perform SSEP functions."

Comment(s): The original text leaves out systems that perform maintenance and tests. These systems are very vulnerable to compromise as they are not typically physically bound to specific locations and thus are not afforded some of the physical security protective measures that other systems receive. This guidance also leaves out systems that are either directly or indirectly connected to systems that perform SSEP functions, as stated in RG 5.71.

Comment 18 (Section 2.4, page 14)

NEI 10-04 Text: For example, support systems and equipment may include, but not be limited to, the following:

a) Electrical Power systems whether primary or backup
b) HVAC systems
c) Fire protection systems
d) Secondary Power for Detection and Assessment Equipment

Proposed Change(s): Change text to read as follows:

"For example, support systems and equipment may include, but not be limited to, the following:

a) Electrical Power systems whether primary or backup
b) HVAC systems
c) Fire protection systems
d) Secondary Power for Detection and Assessment Equipment
e) Maintenance and test digital equipment that are used to service, monitor, troubleshoot and/or install software on systems that perform a SSEP function
f) Systems credited in the facility licensing basis for the purpose of complying with NRC regulations and/or General Design Criteria"

Comment(s): NRC staff have seen systems, including safety systems, that have dedicated digital "maintenance" terminals and/or laptops. These devices are used for tasks like updating setpoints, troubleshooting the digital system and installing software patches. Although often not permanently connected to the plant system(s), these "maintenance" systems should be protected from cyber threats at a level commensurate with the systems that they service.

Comment 19 (Section 4, page 17)

NEI 10-04 Text: 1. Is this a non-safety related system whose failure could prevent satisfactory accomplishment of any of the functions identified in the previous three Safety Systems questions?

Proposed Change(s): Change text to read as follows: "Is this a non-safety related system whose failure could adversely impact any of the functions identified in the previous three Safety Systems questions?"

Comment(s): We should not limit this to preventing satisfactory accomplishment, but expand it to include any adverse impact, including delaying or degrading the performance of safety functions.

Comment 20 (Section 4, page 17)

Proposed Change(s): Under important-to-safety, add the following: "6. Is this a non-safety system required to maintain defense-in-depth and diversity requirements?"

Comment(s): This is to ensure that systems such as the diverse actuation system are also protected from cyber attacks.
