Issuance of Amendment Regarding Deviation of Scope of the Cyber Security Plan Implementation and Facility Operating Condition 2.E

ML12292A056
Person / Time
Site:	Summer
Issue date:	12/21/2012
From:	Martin R Plant Licensing Branch II
To:	Gatlin T South Carolina Electric & Gas Co
Martin R
References
TAC ME9515
Download: ML12292A056 (11)
v • d • e

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 December 21,2012 Mr. Thomas D. Gatlin Vice President, Nuclear Operations South Carolina Electric & Gas Company Virgil C. Summer Nuclear Station Post Office Box 88 Jenkinsville, SC 29065

SUBJECT:

VIRGIL C. SUMMER NUCLEAR STATION, UNIT NO.1, ISSUANCE OF AMENDMENT (TAC NO. ME9515)

Dear Mr. Gatlin:

The U.S. Nuclear Regulatory Commission has issued the enclosed Amendment No. 193 to Renewed Facility Operating License No. NPF-12 for the Virgil C. Summer Nuclear Station, Unit No.1, in response to your letter dated August 30,2012Property "Letter" (as page type) with input value "RC-12-0125, (VCSNS) Unit 1 - License Amendment Request - Cyber Security Plan Implementation Schedule Milestones (LAR 11-04076)" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.. The amendment authorizes a deviation to the scope of the Cyber Security Plan Implementation Schedule for Milestone 6 and a revision to the Facility Operating License Condition 2.E to include the deviation.

A copy of the related Safety Evaluation is enclosed. Notice of Issuance will be included in the Commission's Biweekly Federal Register notice.

Sincerely,

/Q~!~

/I Robert E. Martin, Senior Project Manager Plant Licensing Branch 11-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket No. 50-395

Enclosures:

1. Amendment No. 193 to NPF-12

2. Safety Evaluation cc w/encls: Distribution via Listserv

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SOUTH CAROLINA ELECTRIC & GAS COMPANY SOUTH CAROLINA PUBLIC SERVICE AUTHORITY DOCKET NO. 50-395 VIRGIL C. SUMMER NUCLEAR STATION, UNIT NO.1 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 193 Renewed License No. NPF-12

1.

The U.S. Nuclear Regulatory Commission (the Commission) has found that:

A.

The application for amendment by South Carolina Electric & Gas Company (the licensee), dated August 30,2012, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I; B.

The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C.

There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D.

The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E.

The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

- 2

2.

Renewed Facility Operating License No. NPF-12 is hereby amended by adding the following paragraph to existing License Condition 2.E to read as follows:

SCE&G shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Virgil C.

Summer Nuclear Station CSP was approved by License Amendment No. 184 as supplemented by a change approved by License Amendment No. 193.

3.

This license amendment is effective as of its date of issuance. The implementation of the cyber security plan (CSP), including key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee by letters dated March 28, 2011 and August 30, 2012, and approved by the NRC staff with Amendments 184 and 193. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION Robert J. Pascarelli, Chief Plant Licensing Branch 11-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to Renewed Facility Operating License No. NPF-12 Date of Issuance: December 21,2012

ATTACHMENT TO LICENSE AMENDMENT NO. 193 TO RENEWED FACILITY OPERATING LICENSE NO. NPF-12 DOCKET NO. 50-395 Replace the following page of the License with the enclosed page as indicated. The revised page is identified by amendment number and contains a marginal line indicating the areas of change.

Remove Page Insert Page License License License No. NPF-12, page 3 License No. NPF-12, page 3 License No. NPF-12, page 11 a License No. NPF-12, page 11 a

(3)

SCEaG. p~.,.,.Ad and '0 CFR Part TO. 10 naive, poIIUl end fJI. at wryime IPICIII nuclear marerial ** reaccor fuel, t1 eccordlnce wfth !hi Ihiliallonl for lf0fag8.nd emauntl f8qUirld for

,.ctoropel'llllan, U dIIcribId In Ihe F1nII Safety ~ Report..,

amended through AmerIcfment No. 33:

(4).

SCE'&G. pumanr to.... AcI.nd 10 CFR P.nl 30, 40 end 70 CD fVCIJIYI.

poaeq.nd UI8 at..,line arv bppIOciJct.eouroe II'Id apecIaIl'IK:l.t malarial u I6IIId"'IQI'I toUmI8 for raactor 1'IIIItqt,IMIId neutron souroea for reec:tor InIIrul'lllflflllfan and raCllallon IFICIIIIafing equfpn'att callbratton. III'Id as allicin det8CtOnlln lII'I"IOunts.. requhd; (5)

SCE&G, PIRUfII1I1D the Act and to cm Perls 30, ~. and 1'0, to receNe, poNe" and use In II'ftOUnta II reqUfNd any bypn:IdUd. aoun:e or

'pedal nucla 1M1erIaI without realrk:flon 10 chwnicaJ or phJIIcel form,.

for sampre 8I1IIyIis or InItruINtnt ceIbnItlon or e.oc:ilded.

radioactive.ppandUI 01 ~ and (6)

SCE&G, plftuanllo the fr.ct and 10 CFR PaIts 30, ~,...,10, eo PO"' but not sepa1llte. IUctI byproduct.nd ~I nudeBr ntnlS

• my be procU:ed bylhe operation of the fadnty.

C.

lbIe rel"llWGd Ilcenaelhlll bedeemed to contain,.nd IllUbfeet to, Ihe cordtfonI apeclfJed In the Commlssltln'a r**ltonl set tom rn 10 CFA Ctapte11 and 1.1UbfeGl to allIPfIICIbfe proeAliona 011he Act and to Ihe rutes,

,..!fool, end on:larl or 1M COmrnIIeIon now or ha,.....r In.fflOt; and Is

.mjecf 10 the addI1Iol'III condItIonI apaclled or Incorpol1lted below:

(1)

Mulrmlm Pow. lty9l SGe&~ iI,utnocfIeCJ to operate 1M _11Cy at re8Cfor core power Iftel' not In axr:e" of 2100.....u.lhennal.n.coord... wttn 1M ooitdltibria,pac:ifted hltvln end In Atfachment f to 1htI reneWed bInae.

The p~ t... etanup I.-andohlr.... 1dIInIIIac:f In to.. tenaWed ICetIIe ftl bit cornpItItId.. apedfIed.

AttaChment 1.. ~ebV Inc:orporated Ir40 thls re~ 1ceMe.

(2)

I.oleo! SQlClffClt!ml_nd EQ'!!ronmtf1\\ll frptaction PIt!:!

The 'echnlcal SpArltlcdcn. co~ In Appaf1dX A,

• f8V!ted throJ4j1 Amendma11 No*1.93.... the ErMrorINntal ProtectloA Fiin obnIafned in AppendllC B,.. halvby ir'IocJ'porated In the I'II"I8W8d Iicenae. SOUIh Carvlina EIec:Irtc & an ~ shII' op... the facility ~ ac:cordance with th' Technical SpecHlcations and the Erwfrormental ProI8ctIDn Plan.

Renewed FacNIty Operating Lloenle No. NPF*12 Alllendl'llen t No. 193

- 11a D.

An exemption to the requirements of Paragraph III.B.4 of Appendix G to 10 CFR Part 50 is described In Section 5.3.1 of Supplement No. 1to the Office ofNuclear Reactor Regulation's Safety Evaluation Report. A limited exemption to the requirements of Section IV.F.1{b) of Appendix E to 10 CFR Part 50 Is described in a letter from B.J.

Youngblood, NRC to O.W. Dixon, Jr., dated November 2, 1982. These exemptions are authorized by law and will not endanger life or property or the common defense and security and are othe&wlse In the public Interest. The facility Will operate, to the extent authorized herein, In confonnity with the application, as amended. the provisions of the Act, and the rules and regulations of the Commission.

E.

SCE&G shall fully implement and maintain in effect all prOvisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54{p).

The combined set of plans, which contain Safeguards Infonnation protected under 10 CFR 73.21, Is entitled: -Virgil C. Summer Nuclear StatIon Security Plan," as updated through May 15, 2006. This document incrudes the Security Training and Qualification Plan as Appendix Band the Safeguards Contingency Plan as Appendix C.

SCE&G shall fully Implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The SCE&G CSP was approVed by License Amendment No. 193.

Renewed Facility Operating License NPF-12 License Amendment NO.1 93

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 193 TO RENEWED FACILITY OPERATING LICENSE NO. NPF-12 SOUTH CAROLINA ELECTRIC & GAS COMPANY SOUTH CAROLINA PUBLIC SERVICE AUTHORITY VIRGIL C. SUMMER NUCLEAR STATION, UNIT 1 DOCKET NO. 50-395

1.0 INTRODUCTION

By letter dated August 30,2012Property "Letter" (as page type) with input value "RC-12-0125, (VCSNS) Unit 1 - License Amendment Request - Cyber Security Plan Implementation Schedule Milestones (LAR 11-04076)" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process., (Agencywide Documents Access and Management System (ADAMS) Accession Nos. ML12248A270), South Carolina Electric & Gas Company (SCE&G, the licensee), submitted a license amendment request (LAR) for the Virgil C. Summer Nuclear Station (VCSNS), Unit No.1.

The proposed change would revise the scope of Cyber Security Plan (CSP) Implementation Schedule Milestone 6 and the existing license condition in the renewed facility-operating license.

Milestone 6 of the CSP implementation schedule concerns the identification, documentation, and implementation of cyber security controls (technical, operational, and management) for critical digital assets (CDAs) related to target set equipment. SCE&G is requesting to modify the scope of Milestone 6 to apply to the technical cyber security controls only. The operational and management controls, as described in NEI 08-09, Revision 6, would be implemented concurrent with the full implementation of the CSP (Milestone 8). Thus, all CSP activities would be fully implemented by the completion date, identified in Milestone 8 of the licensee's CSP implementation schedule. Portions of the letter dated August 30, 2012Property "Letter" (as page type) with input value "RC-12-0125, (VCSNS) Unit 1 - License Amendment Request - Cyber Security Plan Implementation Schedule Milestones (LAR 11-04076)" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process., contain sensitive unclassified non-safeguards information and, accordingly, those portions are withheld from public disclosure.

2.0 REGULATORY EVALUATION

The Nuclear Regulatory Commission (NRC staff) reviewed and approved the licensee's existing CSP implementation schedule by License Amendment No. 184 dated August 24, 2011 (ADAMS Accession No. ML11201A312), as corrected in NRC letter to SCE&G dated July 12, 2012 (ADAMS Accession No. ML12195A027) concurrent with the incorporation of the CSP into the facility current licensing basis. The NRC staff considered the following regulatory requirements and guidance in its review of the current license amendment request to modify the existing CSP implementation schedule:

- 2

• Title 10 of the Code of Federal Regulations (10 CFR), Section 73.54 states: "Each [CSP]

submittal must include a proposed implementation schedule. Implementation of the licensee's cyber security program must be consistent with the approved schedule."

The licensee's facility operating license(s) includes a license condition that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP.

• Amendment No. 184, dated August 24,2011, which approved the licensee's CSP and implementation schedule, included the following statement: The implementation of the cyber security plan (CSP), including key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee by letter dated March 28, 2011, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90."

• In a letter to the Nuclear Energy Institute (NEI) dated March 1, 2011 (ADAMS Accession No. ML110070348), the NRC staff acknowledged that the cyber security implementation schedule template was "written generically and licensees that use the template to develop their proposed implementation schedules may need to make changes to ensure the submitted schedule accurately accounts for site-specific activities."

3.0 TECHNICAL EVALUATION

Amendment No. 184 to Renewed Facility Operating License No. NPF-12 for VCSNS was issued on August 24, 2011. The NRC staff also approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued with the amendment. The implementation schedule had been submitted by the licensee based on a template prepared by the Nuclear Energy Institute (NEI), which the NRC staff found acceptable for licensees to use to develop their CSP implementation schedules (ADAMS Accession No. ML110600218). The licensee's proposed implementation schedule for the Cyber Security Program identified completion dates and bases for the following eight milestones: 1) Establish the Cyber Security Assessment Team (CSAT); 2)

Identify Critical Systems (CSs) and Critical Digital Assets (CDAs); 3) Install a deterministic one-way device between lower level devices and higher level devices; 4) Implement the security control "Access Control For Portable And Mobile Devices"; 5) Implement observation and identification of obvious cyber-related tampering to existing insider mitigation rounds by incorporating the appropriate elements; 6) Identify, document, and implement cyber security controls as per "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment;

7) Commence ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented; and 8) Fully implement the CSP.

3.1 Licensee's Proposed Change Currently, Milestone 6 of VCSNS's CSP requires SCE&G to identify, document, and implement cyber security controls for CDAs that could adversely impact the design function of physical security target set equipment by December 31, 2012. These cyber security controls consist of technical, operational and management security controls. In its August 30, 2012, application, SCE&G proposed to modify Milestone 6 to change the scope of the cyber security controls due to be implemented on December 31,2012, to include only the NEI 08-09, Revision 6, Appendix D

- 3 technical security controls. SCE&G proposes to amend its CSP to provide that operational and management security controls, identified in Milestone 6, will be fully implemented by a later date, which is the completion date identified in Milestone 8 of the CSP implementation schedule. The licensee stated that implementing the technical cyber security controls for target set CDAs provides a high degree of protection against cyber-related attacks that could lead to radiological sabotage. The licensee further stated that many of its existing programs are primarily procedure-based programs and must be implemented in coordination with the comprehensive CSP. The licensee also stated that the existing programs currently in place at VCSNS (e.g.,

physical protection, maintenance, configuration management, and operating experience) provide sufficient operational and management cyber security protection during the interim period until the CSP is fully implemented.

3.2 NRC Staff's Evaluation The intent of the cyber security implementation schedule was for licensees to demonstrate ongoing implementation of their cyber security program prior to full implementation, which is set for the date specified in Milestone 8. In addition to Milestone 6 and its associated activities, licensees will be completing six other milestones (Milestones 1 through 5 and Milestone 7) by December 31, 2012. Activities include establishing a Cyber Security Assessment Team, identifying critical systems and CDAs, installing deterministic one-way devices between defensive levels, implementing access control for portable and mobile devices, implementing methods to observe and identify obvious cyber-related tampering, and conducting ongoing monitoring and assessment activities for target set CDAs. In their aggregate, the interim milestones demonstrate ongoing implementation of the cyber security program at VCSNS. The NRC staff has reviewed the licensee's evaluation of the proposed change in its submittal dated August 30, 2012, and finds that by completing Milestones 1 through 5, Milestone 6 with implementation of technical controls to target set CDAs, and Milestone 7, VCSNS will have an acceptable level of cyber security protection until full program implementation is achieved. Technical cyber security controls include access controls, audit and accountability, CDA and communications protection, identification and authentication, and system hardening. These controls are executed by computer systems, as opposed to people, and consist of hardware and software controls that provide automated protection to a system or application. Implementation of technical cyber security controls promotes standardization, trust, interoperability, connectivity, automation, and increased efficiency. For these reasons, the NRC staff concludes that the licensee's approach is acceptable.

The NRC staff also recognizes that full implementation of operational and management cyber security controls in accordance with requirements of the VCSNS CSP will be achieved with full implementation of the VCSNS CSP by the date set in Milestone 8. That is, all required elements for the operational and management cyber security controls in accordance with the VCSNS CSP will be implemented in their entirety at the time of full implementation of the CSP.

The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that U[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC, staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the

- 4 licensee and approved by the NRC. All subsequent changes to the NRC-approved CSP implementation schedule, thus, will require prior NRC approval pursuant in 10 CFR 50.90.

3.3 Revision to License Condition By letter dated August 30,2012Property "Letter" (as page type) with input value "RC-12-0125, (VCSNS) Unit 1 - License Amendment Request - Cyber Security Plan Implementation Schedule Milestones (LAR 11-04076)" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process., the licensee proposed to modify Paragraph 2.E of Renewed Facility Operating License No. NPF-12 for VCSNS Unit 1, which provides a license condition to require the licensee to fully implement and maintain in effect all provisions of the NRC-approved CSP. The second paragraph of license condition 2.E is modified to read as follows:

SCE&G shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50. 54(p). The Virgil C. Summer Nuclear Station CSP was approved by License Amendment No. 184 as supplemented by a change approved by License Amendment No. 193.

3.4 Summary Based on its review of the licensee's submissions, the NRC staff concludes that the proposed changes to Milestone 6 of the licensee's CSP implementation schedule are acceptable. The NRC staff also concludes that, upon full implementation of the licensee's cyber security program, the requirements of the licensee's CSP and 10 CFR 73.54 will be met. Therefore, the NRC staff finds the proposed changes acceptable.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the South Carolina State official was notified of the proposed issuance of the amendment. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

This amendment relates solely to safeguards matters and does not involve any significant construction impacts. Accordingly, this amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of this amendment.

6.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributor: M. Corlin Date: December 21, 2012

ML12292A056

. OFFICE NRRlLPL2-1/PM NRRlLPL2-1/LA NSIRlBC' OGC i NAME RMartin SFigueroa C

bin I DATE 12/19/12 10/18/12 10/15/12 12/25/12 NLO

• By memo dated NRRlLPL2-1/BC NRR/LPL2-1/PM RPascarelli RMartin 12/21/12 12121112