ML12348A232
| ML12348A232 | |
| Person / Time | |
|---|---|
| Site: | Braidwood  |
| Issue date: | 12/13/2012 |
| From: | Robert Daley Engineering Branch 3 |
| To: | Pacilio M Exelon Generation Co, Exelon Nuclear |
| Stuart Sheldon | |
| References | |
| IR-13-406 | |
| Download: ML12348A232 (10) | |
See also: IR 05000456/2013406
Text
UNITED STATES
NUCLEAR REGULATORY COMMISSION
REGION III
2443 WARRENVILLE ROAD, SUITE 210
LISLE, IL 60532-4352
December 13, 2012
Mr. Michael J. Pacilio
Senior Vice President, Exelon Generation Company, LLC
President and Chief Nuclear Officer, Exelon Nuclear
4300 Winfield Road
Warrenville, IL 60555
SUBJECT:
BRAIDWOOD STATION, UNITS 1 AND 2 NOTIFICATION TO PERFORM A
TEMPORARY INSTRUCTION 2201/004 INSPECTION AND REQUEST FOR
INFORMATION FOR INSPECTION REPORT NUMBER 05000456/2013406;
Dear Mr. Pacilio:
On April 8, 2013, the U.S. Nuclear Regulatory Commission (NRC) will begin an inspection of
Temporary Instruction (TI) 2201/004 at your Braidwood Station, Units 1 and 2. The TI
inspection will be performed to evaluate and verify your ability to meet the interim milestone
requirements of the NRCs Cyber Security Rule, Title 10, Code of Federal Regulations (CFR),
Part 73, Section 54, Protection of Digital Computer and Communication Systems and
Networks.
In accordance with 10 CFR 73.54, each nuclear power plant licensee was required to submit a
proposed cyber security plan (CSP) and implementation schedule for NRC approval. On
December 14, 2009, by letter (ML093080517) to the Nuclear Energy Institute (NEI), the NRC
provided their expectations for the proposed implementation schedule. On January 5, 2011, by
letter, (ML110060093) to the NRC, NEI issued an initial Template for the Cyber Security Plan
Implementation Schedule, (ML110060097). On February 28, 2011, by letter (ML110600206) to
the NRC, NEI provided a revised, Template for the Cyber Security Plan Implementation
Schedule. The purpose of the letters attachment was to provide the licensee with a generically
written template to develop their proposed CSP implementation schedule. Utilization of the
generic template required the licensee to make conforming changes to ensure the submitted
schedule accurately accounted for site-specific activities. Based on an NRC technical review,
(ML110070348) the template was found acceptable to develop the licensees CSP
implementation schedule (i.e., Milestones 1 through 8). On March 31, 2011, by letter
(ML110940225) to the NRC, Exelon provided a revised CSP and implementation schedule that
accounted for the site-specific activities. On August 10, 2011, by letter (ML111861341), the
NRC issued an amendment that approved the Braidwood Station CSP and associated
implementation schedule. In addition, the amendment revised the existing facility operating
license condition regarding physical protection to require the station to fully implement and
maintain in effect all provisions of the NRC-approved CSP.
M. Pacilio
-2-
The subject TI inspection provides a programmatic level review and verification of the licensees
site-specific implementation of Interim Milestones 1 through 7. The schedule for the onsite TI
Inspection for the Interim Milestones 1 through 7 is as follows:
Information Gathering Visit: March 25 - 29, 2013; and
Cyber Security TI Inspection: April 8 - 12, 2013.
The purpose of the information gathering visit is to: (1) obtain information and documentation
needed to support the TI inspection; (2) become familiar with your cyber security program and
plant layout; and (3) arrange administrative details, such as office space, availability of
knowledgeable office personnel and to ensure unescorted site access privileges.
In order to assure a productive TI inspection, we have enclosed a request for documents
needed to ensure that the inspectors are adequately prepared. These documents have been
divided into four groups. The first group lists information necessary to aid the inspectors in
planning for the TI inspection. It is requested that this information be provided to the lead
inspector via mail or electronically no later than March 8, 2013. The second group also lists
information and possible areas for discussion necessary to assist the inspectors during the TI
inspection. It is requested this information be available during the information gathering visit,
(March 25, 2013). The third group of requested documents consists of those items that the
inspectors will review, or need access to, during the TI inspection. Please have this information
available by the first day of the onsite inspection week, (April 8, 2013). The fourth group lists
the information necessary to aid the inspectors in tracking questions and answers identified as a
result of the TI inspection. It is requested that this information be provided to the lead inspector
as the information is generated during the TI inspection. It is important that all of these
documents are up to date and complete in order to minimize the number of additional
documents requested during the preparation and/or the onsite portions of the TI inspection.
The lead inspector for this inspection is Dr. Stuart Sheldon. We understand that our regulatory
contact for this inspection is Mr. Murtaza Abbas of your organization. If there are any questions
about the TI inspection or the material requested, please contact the lead inspector at (630) 829
9727 or via e-mail at stuart.sheldon@nrc.gov.
This letter does not contain new or amended information collection requirements subject to the
Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). Existing information collection
requirements were approved by the Office of Management and Budget, control number 3150-
0011. The NRC may not conduct or sponsor, and a person is not required to respond to, a
request for information or an information collection requirement unless the requesting document
displays a currently valid Office of Management and Budget control number.
M. Pacilio
-3-
In accordance with 10 CFR 2.390 of the NRC's "Rules of Practice," a copy of this letter, its
enclosure, and your response (if any) will be available electronically for public inspection in the
NRC Public Document Room or from the Publicly Available Records System (PARS)
component of NRC's Agencywide Document Access and Management System (ADAMS).
ADAMS is accessible from the NRC Web site at http://www.nrc.gov/reading rm/adams.htm
(the Public Electronic Reading Room).
Sincerely,
/RA/
Robert Daley, Chief
Engineering Branch 3
Division of Reactor Safety
Docket Nos. 50-456; 50-457
Enclosure:
Document Request for Cyber Security Temporary Instruction 2201/004 Interim
Milestones 1 - 7 Inspection
cc w/encl:
Distribution via ListServ'
DOCUMENT REQUEST FOR CYBER SECURITY TEMPORARY INSTRUCTION 2201/004
1
Enclosure
Inspection Report: 05000456/2013406; 05000457/2013406
Onsite Dates:
March 25 - 29, 2013 (Information Gathering Visit)
April 8 - 12, 2013 (Cyber Security TI Inspection)
Procedure:
Temporary Instruction 2201/004, Inspection of Implementation of Interim
Cyber Security Milestones 1 - 7
Lead Inspector:
Dr. Stuart Sheldon
(630) 829-9727
stuart.sheldon@nrc.gov
I.
Information Requested Prior to the Information Gathering Visit
The following information is requested by March 8, 2013. If you have any questions
regarding this request, please call the lead inspector as soon as possible. All information
should be sent to Dr. Stuart Sheldon (e-mail address stuart.sheldon@nrc.gov). Electronic
media is preferred. Where information is provided that includes tables and/or lists of data
or other such information, please do not scan such tables and/or lists as images. The
preferred file format is a searchable pdf file on a compact disk (CD). The CD should be
indexed and hyper-linked to facilitate ease of use. Please provide three copies of each
CD submitted (one for each inspector and for a cyber security contractor).
A.
Cyber Security TI Documentation
1.
Provide a list of all documents required to complete each of the Cyber Security
Milestones 1 through 7 identified by letter (ML110940225) dated March 31,
2011, Enclosure 3 - Exelon Cyber Security Plan Revised Implementation
Schedule. Provide each milestone in a separate folder on the CD (e.g.,
Milestone 1, Milestone 2, etc.). Each milestone document shall be listed in a
table as follows:
MILESTONE X, where X equals 1 through 7
Document
Number
Title
Description
Rev Status
No. 1
No. 2
No. 3
No. 4
etc.
Based on the list of documents identified in I.A.1 above, for each milestone
document where the Status is identified as completed, place the completed
document in its associated folder and hyperlink the associated document
number to the completed document. For each document, the Status should
be identified as not started, in-progress or completed.
DOCUMENT REQUEST FOR CYBER SECURITY TEMPORARY INSTRUCTION 2201/004
2
Enclosure
In addition to the documents identified in I.A.1 above, ensure the documents
identified below (I.A.2 - I.A.8) for MILESTONE 1 - 7 are included in the I.A.1 table
above.
2.
MILESTONE 1 - Provide the following documentation for the Cyber Security
Assessment Team (CSAT):
a.
Procedures establishing the CSAT team;
b.
List of CSAT members noting primary areas of responsibility;
c.
Procedures detailing qualification requirements for CSAT members; and
d.
Supporting documentation that demonstrates each CSAT member meets
the requirements to fulfill their respective position on the team. For
example, member resumes; evaluation of previous education and
experience; training required by your implementing procedures and
supporting documentation which shows training was completed; or
industry certifications).
3.
MILESTONE 2 - Provide the following documentation:
a.
List of plant systems noting which system have been identified as critical
systems (CSs); and
b.
Procedure documenting the process by which CSs and Critical Digital
Assets (CDAs) are identified in accordance with (IAW) your CSP,
Section 3.1.3.
4.
MILESTONE 3 - Provide the following documentation:
a.
Procedures establishing your cyber defensive architecture. Explain any
variances from your CSP, Section 4.3, and tracking documents for their
correction;
b.
Provide an overview of your cyber defensive architecture, preferably with
overview level diagrams showing the various levels and location of the
subject deterministic one-way device; and
c.
Provide details of the implementation of the subject deterministic one-way
device.
5.
MILESTONE 4 - Provide the following documentation:
a.
Procedures implementing the security control Access Control for
Portable and Mobile Devices. Include any training material or
promotional literature distributed to staff associated with the control.
6.
MILESTONE 5 - Provide the following documentation:
DOCUMENT REQUEST FOR CYBER SECURITY TEMPORARY INSTRUCTION 2201/004
3
Enclosure
a.
Procedures implementing the requirements described in Milestone 5; and
b.
Training materials associated with the changes to plant programs
associated with Milestone 5.
7.
MILESTONE 6 - Provide the following documentation:
Procedures documenting the process by which technical cyber security
controls have been identified for those CDAs which require the implementation
of technical security controls for Milestone 6.
8.
MILESTONE 7 - Provide the following documentation:
Procedures implementing the ongoing monitoring and assessment activities as
described in your CSP, Section 4.4.
B.
Cyber Security Supporting Documentation
1.
Provide a copy of the current version of the updated safety analysis
report (USAR), Technical Specifications (TS), and technical requirements
manual (TRM) or equivalent.
2.
Provide a copy of the current cyber security Health Report, if available.
3.
Provide a copy of the current plant drawings use for operator training that
provide additional information on system operation, system operating
parameters, setpoints, etc. (e.g., some licensees refer to these drawings as
Horse Notes) for identified cyber security CSs, if available.
4.
Provide operator training lesson plans and/or operator training aids for
identified cyber security CSs, if available.
II.
Information Requested During the Information Gathering Visit (March 25 - 29, 2013)
The following information is requested to be provided to the inspectors during the onsite
information gathering visit. It is requested that the following information be provided on
three sets of CDs (searchable, if possible).
A.
General Information:
1.
A listing of abbreviations and/or designators for plant systems;
2.
Organizational chart for corporate and site personnel involved in establishing,
overseeing, and maintaining the Cyber Security Program and;
3.
A phone list for licensee personnel.
B.
Facility Information:
1.
Provide a presentation/discussion of your CSP, existing cyber security CSs,
and associated CDAs.
DOCUMENT REQUEST FOR CYBER SECURITY TEMPORARY INSTRUCTION 2201/004
4
Enclosure
2.
Provide a list and discussion of currently scheduled or planned cyber security
related modifications to be installed in the plant.
C.
Specific Information Associated with the Milestones:
1.
MILESTONE 3- Be prepared to provide an overview walkdown of the cyber
architecture within the plant including safety, security and emergency
preparedness related CDAs.
2.
MILESTONE 6- Be prepared to present information for target set CDAs
including a list of target set CDAs, and documentation of the process for
identifying them.
3.
MILESTONE 6- For selected CDAs, be prepared to produce documentation for
each of the technical controls in Appendix D of NEI 08-09, Revision 6, the
results of reviews required under your CSP, Section 3.1.6.
(a)
For controls that are implemented, provide the procedures implementing
the control. Common controls for all CDAs may be provided in a separate
list with the procedures implementing each of them;
(b)
For alternate controls that have been implemented, provide the
documented basis for employing alternative countermeasures, and the
procedures implementing the alternative measures; and
(c)
Where controls have been deemed unnecessary, provide the threat
vector analysis supporting the conclusion that the threat vector does not
exist.
4.
MILESTONE 7 - For the CDAs selected above, be prepared to produce
documentation for each of the technical controls in Appendix D of NEI 08-09,
Revision 6, and the results of immediate activities required under your CSP,
Section 4.4.
(a)
For all controls that are implemented, provide the objective evidence that
the control is effective IAW your CSP, Section 4.4.3.1. This may be
combined with the documentation provided for Milestone 6;
(b)
Documentation for common controls for all CDAs may be provided in a
separate list with the procedures implementing each of them; and
(c)
Provide governing procedures and results of vulnerability scans
performed to comply with your CSP, Section 4.4.3.2.
DOCUMENT REQUEST FOR CYBER SECURITY TEMPORARY INSTRUCTION 2201/004
5
Enclosure
III.
Information Requested to be Available on First Day of the Onsite Inspection Week
(April 8, 2013)
The following information is requested to be provided on the first day of the TI inspection.
It is requested that this information be provided on three sets of CDs (searchable, if
possible).
Any updates to information previously provided.
IV.
Information Requested to be Provided Throughout the Temporary Instruction
Inspection Assessment
Copies of the list of questions/documents requested identified by the inspector
and the status/resolution of the information requested (provided daily during the
TI inspection to each inspector).
If you have questions regarding the information requested, please contact the lead inspector.
M. Pacilio
-3-
In accordance with 10 CFR 2.390 of the NRC's "Rules of Practice," a copy of this letter, its
enclosure, and your response (if any) will be available electronically for public inspection in the
NRC Public Document Room or from the Publicly Available Records System (PARS)
component of NRC's Agencywide Document Access and Management System (ADAMS).
ADAMS is accessible from the NRC Web site at http://www.nrc.gov/reading rm/adams.htm
(the Public Electronic Reading Room).
Sincerely,
/RA/
Robert Daley, Chief
Engineering Branch 3
Division of Reactor Safety
Docket Nos. 50-456; 50-457
Enclosure:
Document Request for Cyber Security Temporary Instruction 2201/004 Interim
Milestones 1 - 7 Inspection
cc w/encl:
Distribution via ListServ'
DOCUMENT NAME: G:\\DRSIII\\DRS\\Work in Progress\\Ltr 121312 Braidwood Cyber RFI.docx
Publicly Available
Non-Publicly Available
Sensitive
Non-Sensitive
To receive a copy of this document, indicate in the concurrence box "C" = Copy without attach/encl "E" = Copy with attach/encl "N" = No copy
OFFICE
RIII
RIII
RIII
RIII
NAME
SSheldon:ls
RCDaley
DATE
12/11/12
12/13/12
OFFICIAL RECORD COPY
Letter to Mr. Michael Pacilio from Mr. Robert C. Daley dated December 13, 2012.
SUBJECT:
BRAIDWOOD STATION, UNITS 1 AND 2 NOTIFICATION TO PERFORM A
TEMPORARY INSTRUCTION 2201/004 INSPECTION AND REQUEST FOR
INFORMATION FOR INSPECTION REPORT NUMBER 05000456/2013406;
DISTRIBUTION
RidsNrrDorlLpl3-2 Resource
RidsNrrPMBraidwood Resource
RidsNrrDirsIrib Resource
Chuck Casto
Cynthia Pederson
DRPIII
DRSIII