Carolina Power & Light Company and Florida Power Corporation'S License Amendment Request - Cyber Security Plan Implementation Schedule Milestones

ML12268A055
Person / Time
Site:	Harris, Brunswick, Crystal River, Robinson
Issue date:	09/12/2012
From:	Pitesa B Duke Energy Corp
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
RA-12-031
Download: ML12268A055 (17)
v • d • e

Text

SOW We PbndMon ECOTW

• 2* SOLEU Cch

• O*Wm NC 2201-1006 O Box 1006 - ECOOTH PQ cuti7m NC 2r2.1oo 10 CFR 50.4M. t .y, 10 CFR 50M9O Seoflt: RA412,031 September 12, 2012 Washingto, DC 2065550001 D a0-N0 / .PR-iO AND DPR.82

~T~ RT Wf PLANT DOCETNO. 040k LICENSEM TNG.NP B.Q*~O STEAMI.ELE.CTIC PAT, UNI;TWN. 2 OOWOAVIW Lt3NSE ,UN S T QI. -EY

1. NRC letMer, &rnsm k Steam, Ecfr Plant, Unis I and Z, H. B. Robinson Stem Etc PIstW, LWR N.2, Shearon Hals Nuclw Power Plft, Unt 1, and Cry"a River Lt 3 NuceAr GewatkgPlant- asuan of License Amendments Regardng Apptw of Cyber $ecwfty Plan (TAC N.. AIE4228, &E4226, ME4227, AE4228, and ME4229), dated July 29,2011 (ADAMS Accession No. ML11193A028)

2. ro EnegwW Wier, Response to ind#*y Geek Request Ibr Addin lnforton on the Cwvkn Power and Light Companyand Fkosl Power CoporsionCybr Secwly Plan, RevIsbn 0, dated April 7, 2011 (ADAMS Accession No. MLIII108AO22)

Ladies and Gentlemen:

In Reference 1, the NRC issued license amendments for the Facility Operating Licenses for the above listed plants that approved the CaroiaPower &Light Company and Flor*ak Power CorporatlonC$ber Secufty Planand associated Implmentation milestone schedule.

The Cyber Ser* Plan Implementation Schedule contained in Reference 2 was utilized as a portion of the basis for the NRC's safety evasution report provided by Reference 1.

Carolina Power &Light Company (CP&L) and Florida Power Corporation (FPC) are planning to impWnent the requWiremet of Implementation Schedule Milestone 6 ina slightly different manner than described in the approved mplemrntatlon Schedule. Although no change to www. duke -energyxcorn S'w r3-_

Wfth States Nuclear Regulatory Commission RA-124031 Page 2 the Implementation Schedule date Is proposed, the change to the description of the milestone activity iS chse0Matlveby considered to be a change to the Implementation Schedule, and in accordance with the provisions of 10 CFR 50.4 and 10 CFR 50.90, CP&L and FPC ire subma g this requestfor an amendment to the Facility Operating Uoenses for the plant* Iistd above. The CaolinaPower &Liht Company end Flodda Power Coqxoratln Cyber Secy Plan, Revision 0 was "rviously provided In Reference 2.

Attachrnmnt I prqvides an evalUation of fte proposed change. Attachment2.,contalns proposed marked-up facility operating license pages for the Physical Protection license condition for #thelOfts listed above to reference the commitment change provided In this submittal. Attachment 3 contuins a d"ange to the scope of Implementation Milestone 6.

The proposed changes have been evaluated inaccordanae with 10 CFR 50.91(aXt) using actera in 10 CFR 60.92(c), and it has been determined that e changes Involve no sianificant hazards consideration. The bases for these determinations are Included In .

CP&L and FPC request these license amendments be effective as of its date of Issuance.

Alhough this request is neither exigent nor emergency, your review and approval is requested prior to Decemnbe 31, 2012.

This Submittal contains a revised regulatory commitment as Identified in Attachment 3.

Should you have any questions concerning this letter, or require additonal information, please contact Donna Alexander at 919-646-5357.

Ideclare under penalty of perjury that the foregoing is true and correct. Executed on Sincerely, aml Pbses Senior Vice Presideint Nuclear Operations Attachments:

1. Analysis of Proposed Facility Operating Ucense Change

2. Proposed Facility Operating License Changes (Mark-up)

3. Revised Cyber Security Plan Implementation Schedule

United States Nuclear Regulatory Commission RA-12-031 Page 3 cc: USNRC Region 11 USNRC Resident Inspector BSEP, Unit Nos. I and 2 USNRC Resident Inspector - CR3 USNRC Resident Inspector - SHNPP, Unit No. I USNRC Resident Inspector - HIBRSEP, Unit No. 2 F. Saba, NRR Project Manager - OSEP, Unit Nos. I and 2; CR3 A. T. Billoch Col6n, NRR Project Manager - SHNPP, Unit No. 1; HBRSEP, Unit No. 2 State of Floridd Contact Chair - North Carolina Utilities Commission W. L.Cox, III, Section Chief N.C. D04SR S. E. Jenkins, Manager, Radioactive and Infectious Waste Managermnt Section (SC)

A. Gantt, Chief, Bureau of Radiological Health (SC)

Attorney General (SC)

.~.

1.!a. ~h z$A .4..- 0' *.. p.~A - -"

.. ,+

• A, -

+- .

.1

, M a.-..l A 'I RA4*43i Aatwis oV0npsS F*ftcf QPWA14Wonfl hapw

..

• A,-  ;

r *.

A-A 1 o 1 A A A A A.

. , .. .A A . . A a...........*...

~. . . A A...

A *AAAA a' I,

Attachment I to RA-12-031 Page 1 of 5 i.0 suUMwik OeUmnl This license amendment request (tAR) includes a proposed change to the scope of a Cyber Security Plan Implementation schedule milestone and a proposed revision to the existing facility op erating license Physical Protection license condition.

2.0 DzMLU O 61CUPIOW in Reference 1, the CarolnaPower &Ug Company and FloridaPower 0,iporadonCyber Seciy Plan arid associated Implementation schedule were approved by the NRC. Because the Cyber Security Pm i Schedule contained InReference 2 was utized as a portion of the basis for the NRC'. safety ev~iuatIon provided by Reference 1,this LAM includes:

a proposed changeto the existing facility operating license for the Physical Protection/Security license condition for Brunswick Steam Electrlc Plant, Unit Nos. I and 2 (BSEP, Unit Nos. I and 2), Crystal River Unit 3 Nuclear Generating Plant (CR-3), Shearon Harris Nuclear Power Plant, Unit No. I (SH1N4PP, Unit No. 1), and H. B. Robinson Steam Electric Plarit, Unit No. 2 (HBRSEP, Unit No. 2)to reference the change to an implemnentation schedule milestone and a proposed Revised Cyber .Security Plan'Implementation Schedule for the scope of Milestone 6.

Milestone 6 requires the'IdentifIcation, documentation, and Implementation of cyber security controls for critical digital assets (CDAs) that could adversely Impact the design function of physical security target set equipment by no later than December 31, 2012. This change revises the sope of Milestone6 to apply to onfyftchnical cyber security controls.

3.o TEHNICMz4. 8VEA"MA ON InRefernoe 3, the Nuclear Energy Institute (NEI) transmitted to the NRC an Implementation schedule template to aid compliance with the NRC's cyber security regulations codified In 10 CFR 73.54 which was acknowledged InReference 4 by the NRC. NEI engaged the Industry In an effo~t to ensure that licensees submit an Implementation schedule consistent with the template provided in Reference 3. Carolina Power &Light Company (CP&L) and Florida Power Corporation (FPC) provided the requested Implementation schedule InReference 2 in accordance with the template, which the NRC approved In Reference 1.

During the industry's efforts to submit Implementation schedules, several other licensees changed, via deviation, the implementation schedule Milestone 6 scope. Milestone 6 of the template regards the Identification, documentation, and Implementation of cyber security controls for target set critical digital assets (COA) by December 31, 2012. The other licensees' Milestone 6 deviation was to change the scope of cyber security controls to be addressed to include only the NEI 08-09, Revision 6, Appendix 0 technical controls, excluding the operational and management controls, on the basis that implementing the technical controls for target set CDAs provides a high degree of protection against cyber-related attacks that could lead to radiological sabotage. Furthermore, these other licensees justified that existing licensee programs that are currently Inplace (e.g., physical protection, maintenance and work management, configuration management, and operational experience, etc.) provide a high degree of operational and management protection during the interim period until such time that the full Cyber Security Program Is Implemented. The NRC found the deviations to Milestone 6 scope for other licensees to be acceptable, and issued Safety Evaluations to plants whose implementation schedule Incorporated the deviation. Precedent is cited in Section 4.2.

In Reference 2, CP&L and FPC previously submitted the Implementation schedule without articulating the deviation to the scope of Milestone 6. Milestone 6 with the deviation focuses the

Attschment I to RA-12-031 Page 2 of 5 efforts on the application of technical cyber security controls to those COAs that are part of a target set or could Impact the proper functioning of target set equipment. Sased on the above justificatio and the fact that this has already been approved for several other licensees, CP&L and FPC are requesting these license amendments Inordeir to specify that the cyber security controls being Identified, documented, and Implemented InMiestone,6 are the technical cyber, security controls and existing plant programs are sufficient to satisfy the Milstone 6 operational and management controls referenced in the CarolinePower &Light Company andFlorida Power CorporationCyb Secry Plan.

in conclusion, existing programs at BSEP, Unit Noe. 1 and 2 CR-3, 6HNPP, Unit No. 1, and HIRSEP, Unit No. 2 currently'In place (e.g., physical protection, Maintenance and work management, and configuration management, operational e-xprence, etc.) provide sufficient operatinal and management protection during the Interim period uhs such time that the full Cyber Security Program is Implemented. The cyber security controls to be Identified, documented, and implemented In Milestone $.of the Revised Cyber Security Plan Implementation Schedule (Attachment 3) are t, technical cyber security controls excluding the operational and management controls refrenhced in the Codins Power&Light Company and FloridaPower Corporation yber S ecufit Planthat will be completed following evaluation of

'theremainin 0DM and WWplemnted wit full Cyber Security Program implementation.

This LAR Includes the proposed ctange to the existing operating license condition for "Physical Protection" (Attkhment 2) for BSEP, Unit Nos. I and 2, CR-3, SHNPP, Unit No. 1, and HBRSEP, Unit No. 2. The LAR contPMns the proposed Revised Cyber Security Plan Implementation Schedule (Attachment 3). The LAR also provides a revised list of regulatory commitments (Attoahmt 3).

. i

Attachment I to RA-12-031 Page 3 of 5 4.0 ftUILAVOUWIVA.UIIOK 4.1 AoiBgt &adto= 8aulrem eGra 10 CFR 73.4 requires lioensees to maintain and Implement a cyber security plan, Brunswick Steam Electric Plant Unit Nos. I and 2 (Renewed Facility Operating License Nos. DPR-71 and DPR-M2),Cryst River Unit 3 Nuclear Generating Pant (Facility Operating Ucense No. DPR-72), Shearon ftf.t Nuclear Power Plant, Unit No. 1, (Renewed Facility Operating License No.

NPF-63), and H. 8. Robinson Steam Electric Plant, Unit No, 2 (Renewed Facility Operating License No. OPR-23) Include a Physical Protection license condition that requires Carolina Power &Ught Company (CP&L) or Florida Power Corporation (FPC)to fully Implement and maintain in effe~t all provisions of the Commlssion-approved cyber security plan, Including changes rmade pursuantto the of 10 CFR 50.90 and V0 CFR 50.64(p).

4.2 Amendment No. 203 for the Callaway Plant (Reference 5)approved an implementation schedule using the Nuclear Energy Institute (NEI) template (Reference 3), with the exception of Milestone 6. The Caltaway Plant deviated from the template for Milestone 6 to address only the NEI 08-09, Revision 6, Appendix D technical controls, excluding the operational and management controls, on the basis that Implementing the technical controls for the target set COAs provides a.high degree of protection -against cyber related attacks that could lead to radiological sabotage .

The changes being proposed by CP&L and FPC In this ame ndment request am similar to those approved,n the Callaway Plant Amendment No. 203.

4.3 Ses nseat CP&L and FPC are requesting an amendment to the Facility Operating Licenses to revise the Physical Protection license conditon as it relates to the cyber secuity plan. This chne Iniludes a propoW deviation to the .scope of a Cyber Securpy Plan Implementation Schedule milestone and a loposed revision to he.PFaqi*ity Operating Lcenses to Include the proposed deviation. Specifically, CP&L and FPC propose a change to the scope of Implementation Milestone a to apply to only technical coer security controls.

CP&L and FPC.has evaluated wheh or not a significant hazards consideratim Is Involved with the proposed amendment by focusing on the three standards set forth In 10 CFR 50.92, Issuance of Amendmet as discussed below:  %

1., oe the propo*~ chang invoe 8sin*icat nes Inthe probabilit or consequences of an accident previously evaluated?

Response: No.

p change t6 *W0yer Sewu Plan Implementation Schedule Is administrative Innature. This change does not alter accident analysis assumptions, add any Initiators, or affect the function of plant systems or the manner Inwhich systems are

.,operated, maintained, modified, tested, or Inspected. The proposed change does not require any plant modifications which affect the performance capability of the structures, systems, and components relied upon to mitigate the consequences of postulated accidents and has no Impact on the probability or consequences of an accident previously evaluated.

Therefore, the proposed change does not Involve a significant increase Inthe probability or consequences of an accident previously evaluated.

Attachment I to RA-12-031 Page 4 of 5 2., Does the d change create the possibility of a new or different kind of accident from any acdent previously evaluated?

Response: No.

The Proposed change to the Cyber Secuity Plan Impnemntaftno Schedule Is administrative Innature. This proposed change does not after accident analysis assumptlns, add any Initiators, or affect the function of plant systems or the manner in Which systems are operated, m.intained, modified, tested, or inspected. The proposed change does not require any plant modifications which affect the performance capability of the structures, systems, and compohents rliled upon to mitigate the consequences of postulMhd accidents and does not create the possibility of a new or different kind of accident from any accident previously evaluated.

Therefore, the proposed change does: not create the possibility of a new or different kind of accident from any accident previously evaluated.

3. Does the proposed change Involve a Significant reduction Ina margin of safety?

Respne No.

Plant safety margins are established through limiting conditions for.operation, limiting safety system asetngs, and *etylimits speifWiedn-the technical spqcfcations. The proposed change to the Cyber Secu~ity Plan Implementation Sch~du( is administrative Innature. Because there is no change to these established safety margins as result of this change, the proposed change does not Involve a significant reduction Ina margin of safety.

Therefore, the proposed change does not Involve a significant reduction Ina margin of safety.

Based on the above, CP&L and FPC conclude that the proposed change presents no significant hazards consideration under the standards set forth In 10 CFR 50.92(c), and accordingly, a finding of 'no significant hazards co*slderatIon Is justified.

4.4 Conclusij1n In conclusion, based on the considerations discussed above: (1) there is reasonable assurance that the health and safety of the public wil not be endangered by operation Inthe proposed manner;, (2) such activities wMl be conducted Incompliance with the Commission's regulations; and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

.0 1MVIALCONSIOERAT1O The proposed amendment provides a change to the Cyber Security Plan Implementation Schedule. The proposed amendment meets the eligibility criterion for a categorical exclusion set forth in 10 CFR 51.22(cX12). Therefore, pursuant to 10 CFR 51.22(b), no environmental Impact statement or environmental assessment need be prepared Inconnection with the issuance of the amendment.

Attachment I to RA-12-031 Page 6 of 6 6.0 REF2NSWCG I. NRC hotwr, Brunswick Steam Electric Plant,Units I and 2, H. B. Robinson Steam Elecic Plant,Unit No.2, Shearon HaWs Nuclear PowerPlant, Unit 1, and CrystalRiver Unit3 Nuclear GeneratingPlant- Issuance of License Amendments RegardingApproval of Cyber Security Plan (TAC Nos. ME4224 ME4224,ME4227, ME4228, and ME4229).

dated July 29,2011 (ADAMS Accession No. MLII 193A028)

2. Progress Energy letter, Response to Industry GenericReques for Additional Inormatkin on the CarolinaPowerand Light Companyand FloridaPower Corporatlon Cyber Security Plan, Revision 0. dated April 7, 2011 (ADAMS Accession No. MLII108A022)

3. Letter from Chris Earls (NEI) to Richard P. Correia (NRC), Template for the Cyber Security Plan ImPaementationSchedule, dated February 28, 2011 (ADAMS Accession No. MLI 10600211 and MLI 10600218)

4. Letter froi Richard P. Correlas (N%.) to C-41s Earls (NEt), Template for the Cyber Security PlanImplementation Schd*6u1, dated March 1.2011 (ADAMS Accession No. MLl110070348) T.

5. NRC letter from M.C. Thedani, USNRC, to A. C. tieftin, Union Electric Company, Callaway Amnt LUnit V- Iss4ance of Amendment Re: Approval of Cyber Security Plan (TAC No. ME4536)," August 17,2011 (ADAMS Accession No. MLI 12140087)

AttachmentS RM*431 Propee PeeUI~r ~~bwj Umw chamgw ~ISm*upI

Attedwment 2to RA-12-031 ft"e I Of 5 Druni~ck Sham Ehmscti Piwit, UMi No. 1, Docket No. 503251/Rnwswd Lcense No. OPR-11 As"I rJ`e-03:231

~~"f 4 ~e~Sw 12m oclwm- I-vn s*, ~ ~~~ n~

f t .I Z it -caf cer n;, e~5es 1,V vt 9tr

-ZI%

Aftachment 2 to RA-12-031 Paoe 2 of 5 SrnxMick Slasm Elecftr Phan, LUit No. 2 Docke No.60-324 / Rw~m Lcenee No. DPR-62

• ,,!it levenzpw to -presst buA-t

!ý pmu# 4ja to awtbtfl ant tonw itn C^oncte mes aronn-5 rvwlfoc) An- l, xar 23it-'tlqý4t 1o ff bet ~9g4Z.,r+t M ý Rs~e~u UcnS No ~42

AtUtaM 2 to RA-12-031 Paoe 3of 5 Cryta Re Unkt 3 Nuc ear Genert*n Plt Docket No. 50-302/ Llcerne No. OPR-72 DO SN ht ko" m gIfu mtr o mwm l praw*& of #0t 0o-~rvp*Xmm pwecm WPWI4y tWMV~ and qw0k. wiw ofguords OvrwUIwIC *K *Av wfin tv~ mf pwouww o p"Wmao"fl Zawl 27* WmrE toand Smtw of 10 CPR 50.30 WE 10 CPR 0Cp.54(

T"peu *w cob't S~atqww hnksmmnc pmeecwe uuidse 10 Ce'R ?.21, vr Revoieao 4" by eWoAedMy IC 2M. end "Gwd ?*u*t ai OUNci Pit RaoVo Voubwto by MW dts Sypsuiflmr 30 200" w iUpOWWOO by Wft~ ddd OOMcW 20 "N0 Wid &ep0~b 29.2M0 I"e N40mH" tho my no~tW~ "E ffor I-~4 d w of lie comftwm4"v*tw so*$" p10m cSP limue~ cdwe~sing pwe~w w to Vw OV*ft Of 10 C .W WEO M 10 CPR 505"p Tt. hcw,,,s CS wa 0mvoad by Lbame Avmw toNd W38.

FVAdY OP"AS bes No. CDPR-72 Aqwnronigtt No, 33W I

Attmchment 2 to RA-12-031 Pop.4 of 5 Shswaon Hmftf Nudw Powe Ptard, Uni No.1I Docket No. 80400/ ftmoftd Licnse No. NPF-63 E.

Th' CPR. 03 !' ImpOM~

I" "'lll rtzf 219" VCtl fo~R~

90y VIA 5MSW sOf ..ano tUCg

• WfA I-Zr -t :FA27!h21 ar WJO VbsO~ .ým ra ;V CPA~~~~~~~~-

1C 0Mp-4S0U. mw ~$~

wcý,st azv9. fr4 cAtoti 6 *nr y wv2 O. Ie"~ C a~mv-0 Irre T~ Vtm C-tw O smy 1046~ ~ ~ ~ ~ CMIAtMýcotm

~~-t o ~ ~m41

~ ~O 2O~~$~uM Ose9 y sr Pixcvl 4e

~o A 2010. Vftit01 ý3 WPO~d~ .m*O4~fleto J~~~~nC2tt ~%,1 "8ý r a"e rRýhopor tfvn req~~~~~~~~4a 10tCP)09" 6NP 95 ~ ~ ~ w~ao uu~c e~c~m ~ tor rq L~i Oeq~tWVC

1. @~~~~~~~eIv~t o3 f oy *tý

-I3om.ry vctg

Altachmentt2 to RA-12-031 pap6 o14 .89.1Robknon $sun Electvtc Plant, Unit No. 2 Docket No. 50281 / Psnfwod LUcene No. DPR-23 CC9 Re~hbo ~ i~pinrnng ~icanat No DP~.2)

Anwnem~t ~ 2~$

ý, A, I ' ,I... ?, . t 1 2 .

• *4,.*~'.

I.

~.t., ~ "9 Af

' F A,

A' I." 4 .~b

~

'V '

VA-A4Jt 7 1~v~ VI,

'"ttg~.sr)u.. &

. I

.1 . I -

AClwchW mS 1 -

NayOjn -nf nn

'I

.. : . A '

a.., ,*~- I.

to RA-12-031 Revio Carb Ptow & WCemp am" AMd Pomwr Cropoallo 6Or1m.. Palsan (f (--rm a Identify, document, and Dec 31, 2012 The sib - - program provides high assurance that these

-~wm are protected from physical harm by an adversary. The cytb controls Inaccordance with the securiy prga wA enhane the Cybe Security %Pla Section proteio of COAs asoiae with 3.11.8 'Mitigation of tegeses lnlotim~wl ~tCyber Vtdnerab~ites and Application of Cyber S*tuuffy Controls' for Secrt Plan secnt controls to target gt critica dgm asset set CDA* prodes a high degree of (COM) that could adverseyt protection Sginst a cyti-rvlaled wImact te design funtion of attacks that could lead to radiological hscal "cur* target sme sabotage. Secutlty controls wigl be equpmnt. addressed Inaccordance with Cyber Security Plan Section 3.1.6 with the The Implementation of controls exception of those that requir a thaW reuire a deeign design modification.

modification that are not flnlsh by the completion date wvill be documen~ Inthe site N~e tt.

t~%t f~ )~sft4 'j conflgwavoon mngmn anchor chang cOntro prra to assure completion of the deepg miodifIcation as soon as possible, Wu no Mute than the fkiina ' TeMMntation dael.

P 0 p#1IKr agii cýs-rjti