ML14281A065


Issuance of Amendment Nos. 202 and 190, Revise Operating License Conditions Related to Cyber Security Plan Milestone 8 Full Implementation Date
ML14281A065
Person / Time
Site: South Texas
Issue date: 01/29/2015
From: Lisa Regner
Plant Licensing Branch IV
To: Koehl D
South Texas
Singal B
References
TAC MF4121, TAC MF4122
Download: ML14281A065 (20)


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

January 29, 2015

Mr. Dennis L. Koehl
President and CEO/CNO
STP Nuclear Operating Company
South Texas Project
P.O. Box 289
Wadsworth, TX 77483

SUBJECT: SOUTH TEXAS PROJECT, UNITS 1 AND 2 - ISSUANCE OF AMENDMENTS RE: APPROVAL OF THE REVISED CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE (TAC NOS. MF4121 AND MF4122)

Dear Mr. Koehl:

The U.S. Nuclear Regulatory Commission (NRC) has issued the enclosed Amendment No. 202 to Facility Operating License No. NPF-76 and Amendment No. 190 to Facility Operating License No. NPF-80 for the South Texas Project (STP), Units 1 and 2, respectively. The amendments consist of changes to the Technical Specifications (TSs) in response to your application dated May 8, 2014.

The amendments approve the revised schedule for implementation of the cyber security plan (CSP) and revise paragraph 2.F of Facility Operating License Nos. NPF-76 and NPF-80 for STP, Units 1 and 2, respectively, to incorporate the revised CSP implementation schedule. The CSP and associated implementation schedule for STP, Units 1 and 2, were previously approved by the NRC staff by letter dated July 26, 2011.

A copy of our related Safety Evaluation is also enclosed. The Notice of Issuance will be included in the Commission's next biweekly Federal Register notice.

Lisa M. Regner, Senior Project Manager
Plant Licensing Branch IV-1
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-498 and 50-499

Enclosures:

1. Amendment No. 202 to NPF-76
2. Amendment No. 190 to NPF-80
3. Safety Evaluation

cc w/encls: Distribution via Listserv

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

STP NUCLEAR OPERATING COMPANY
DOCKET NO. 50-498
SOUTH TEXAS PROJECT, UNIT 1
AMENDMENT TO FACILITY OPERATING LICENSE

Amendment No. 202
License No. NPF-76

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by STP Nuclear Operating Company (STPNOC)* acting on behalf of itself and for NRG South Texas LP, the City Public Service Board of San Antonio (CPS), and the City of Austin, Texas (COA) (the licensees), dated May 8, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I;

B. The facility will operate in conformity with the application, as amended, the provisions of the Act, and the rules and regulations of the Commission;

C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations;

D. The issuance of this license amendment will not be inimical to the common defense and security or to the health and safety of the public; and

E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

* STPNOC is authorized to act for NRG South Texas LP, the City Public Service Board of San Antonio, and the City of Austin, Texas, and has exclusive responsibility and control over the physical construction, operation, and maintenance of the facility.

Enclosure 1

2. Accordingly, the license is amended by changes as indicated in the attachment to this license amendment, and Paragraph 2.F of Facility Operating License No. NPF-76 is hereby amended to read, in part, as follows:

STPNOC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

STPNOC CSP was approved by License Amendment No. 197 and supplemented by License Amendment No. 202.

3. The license amendment is effective as of its date of issuance and shall be implemented within 90 days from the date of issuance. The full implementation of the CSP will be in accordance with the implementation schedule submitted by the licensee on May 8, 2014, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION

Eric R. Oesterle, Acting Chief
Plant Licensing Branch IV-1
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Attachment:

Changes to the Facility Operating License No. NPF-76

Date of Issuance: January 29, 2015

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

STP NUCLEAR OPERATING COMPANY
DOCKET NO. 50-499
SOUTH TEXAS PROJECT, UNIT 2
AMENDMENT TO FACILITY OPERATING LICENSE

Amendment No. 190
License No. NPF-80

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by STP Nuclear Operating Company (STPNOC)* acting on behalf of itself and for NRG South Texas LP, the City Public Service Board of San Antonio (CPS), and the City of Austin, Texas (COA) (the licensees), dated May 8, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I;

B. The facility will operate in conformity with the application, as amended, the provisions of the Act, and the rules and regulations of the Commission;

C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations;

D. The issuance of this license amendment will not be inimical to the common defense and security or to the health and safety of the public; and

E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

* STPNOC is authorized to act for NRG South Texas LP, the City Public Service Board of San Antonio, and the City of Austin, Texas, and has exclusive responsibility and control over the physical construction, operation, and maintenance of the facility.

Enclosure 2

2. Accordingly, the license is amended by changes as indicated in the attachment to this license amendment, and Paragraph 2.F of Facility Operating License No. NPF-80 is hereby amended to read, in part, as follows:

STPNOC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

STPNOC CSP was approved by License Amendment No. 185 and supplemented by License Amendment No. 190.

3. The license amendment is effective as of its date of issuance and shall be implemented within 90 days from the date of issuance. The full implementation of the CSP will be in accordance with the implementation schedule submitted by the licensee on May 8, 2014, and approved by the NRC staff with this license amendment. All subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION

Eric R. Oesterle, Acting Chief
Plant Licensing Branch IV-1
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Attachment:

Changes to the Facility Operating License No. NPF-80

Date of Issuance: January 29, 2015

ATTACHMENT TO LICENSE AMENDMENT NOS. 202 AND 190
FACILITY OPERATING LICENSE NOS. NPF-76 AND NPF-80
DOCKET NOS. 50-498 AND 50-499

Replace the following pages of the Facility Operating License Nos. NPF-76 and NPF-80 with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

Facility Operating License No. NPF-76
REMOVE INSERT

Facility Operating License No. NPF-80
REMOVE INSERT

SOUTH TEXAS LICENSE - 9 -

(4) The facility has been granted a schedular exemption from Section 50.71(e)(3)(i) of 10 CFR 50 to extend the date for submittal of the updated Final Safety Analysis Report to no later than one year after the date of issuance of a low power license for the South Texas Project, Unit 2. This exemption is effective until August 1990. The staff's environmental assessment was published on December 16, 1987 (52 FR 47805).

E. Fire Protection

STPNOC shall implement and maintain in effect all provisions of the approved fire protection program as described in the Final Safety Analysis Report through Amendment No. 55 and the Fire Hazards Analysis Report through Amendment No. 19, and submittals dated April 29, May 7, 8 and 29, June 11, 25 and 26, 1987; February 3, March 3, and November 20, 2009; January 20, 2010; and as approved in the SER (NUREG-0781) dated April 1986 and its Supplements, subject to the following provision:

STPNOC may make changes to the approved fire protection program without prior approval of the Commission, only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

F. Physical Security

STPNOC shall fully implement and maintain in effect all provisions of the physical security, training and qualification, and safeguards contingency plans previously approved by the Commission and all amendments and revisions to such plans made pursuant to the authority under 10 CFR 50.90 and 10 CFR 50.54(p).

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "South Texas Project Electric Generating Station Security, Training and Qualification, and Safeguards Contingency Plan, Revision 2" submitted by letters dated May 17 and 18, 2006.

STPNOC shall fully implement and maintain in effect all provisions of the Commission-approved cybersecurity plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). STPNOC CSP was approved by License Amendment No. 197 and supplemented by License Amendment No. 202.

G. Not used

H. Financial Protection

The Owners shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

Amendment No. 202


(2) The facility was previously granted exemption from the criticality monitoring requirements of 10 CFR 70.24 (See Materials License No. SNM-1983 dated August 30, 1988 and Section III.E. of the SER dated August 30, 1988). The South Texas Project Unit 2 is hereby exempted from the criticality monitoring provisions of 10 CFR 70.24 as applied to fuel assemblies held under this license.

(3) The facility requires a temporary exemption from the schedular requirements of the decommissioning planning rule, 10 CFR 50.33(k) and 10 CFR 50.75. The justification for this exemption is contained in Section 22.2 of Supplement 6 to the Safety Evaluation Report. The staff's environmental assessment was published on December 16, 1988 (53 FR 50604). Therefore, pursuant to 10 CFR 50.12(a)(1), 50.12(a)(2)(ii) and 50.12(a)(2)(v), the South Texas Project, Unit 2 is hereby granted a temporary exemption from the schedular requirements of 10 CFR 50.33(k) and 10 CFR 50.75 and is required to submit the decommissioning plan for both South Texas Project, Units 1 and 2 on or before July 26, 1990.

E. Fire Protection

STPNOC shall implement and maintain in effect all provisions of the approved fire protection program as described in the Final Safety Analysis Report through Amendment No. 62 and the Fire Hazards Analysis Report through Amendment No. 19, and submittals dated April 29, May 7, 8 and 29, June 11, 25, and 26, 1987; February 3, March 3, and November 20, 2009; January 20, 2010; and as approved in the SER (NUREG-0781) dated April 1986 and its Supplements, subject to the following provisions:

STPNOC may make changes to the approved fire protection program without prior approval of the Commission, only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

F. Physical Security

The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and

STPNOC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). STPNOC CSP was approved by License Amendment No. 185 and supplemented by License Amendment No. 190.

Amendment No. 190

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION
RELATED TO AMENDMENT NOS. 202 AND 190 TO FACILITY OPERATING LICENSE NOS. NPF-76 AND NPF-80
STP NUCLEAR OPERATING COMPANY, ET AL.
SOUTH TEXAS PROJECT, UNITS 1 AND 2
DOCKET NOS. 50-498 AND 50-499

1.0 INTRODUCTION

By application dated May 8, 2014 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14142A013), STP Nuclear Operating Company (STPNOC, the licensee) submitted a license amendment request (LAR) regarding the facility operating licenses (FOLs) of South Texas Project (STP), Units 1 and 2. Portions of the letter dated May 8, 2014, contain sensitive unclassified non-safeguards (security-related) information and, accordingly, those portions are withheld from public disclosure in accordance with Title 10 of the Code of Federal Regulations (10 CFR), paragraph 2.390(d)(1).

The proposed amendment would revise the date of Cyber Security Plan (CSP) implementation schedule Milestone 8 and the existing license condition 2.F in the FOLs. Milestone 8 for the CSP implementation schedule is associated with the full implementation of the CSP. The CSP and associated implementation schedule for STP, Units 1 and 2, was previously approved by the U.S. Nuclear Regulatory Commission (NRC) staff by letter dated July 26, 2011 (ADAMS Accession No. ML111920082).

2.0 REGULATORY EVALUATION

The NRC staff reviewed and approved the licensee's existing CSP implementation schedule for STP, Units 1 and 2, by License Amendment No. 197 to FOL No. NPF-76 for STP Unit 1 and by License Amendment 185 to FOL No. NPF-80 for STP Unit 2, by letter dated July 26, 2011 (ADAMS Accession No. ML111920082), concurrent with the incorporation of the CSP into the facilities' current licensing bases. In the May 8, 2014, letter, the licensee requested a change to the implementation date for Milestone 8 of the CSP. The NRC staff considered the following regulatory requirements and guidance in its review of current license amendment to modify the existing CSP implementation schedule:

  • Title 10 of the Code of Federal Regulations (CFR), section 73.54, "Protection of digital computer and communication systems and networks," which states, in part, that: "Each [CSP] submittal must include a proposed implementation schedule. Implementation of the licensee's cyber security program must be consistent with the approved schedule."

Enclosure 3

  • The licensee's FOLs include a license condition that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP (License Condition 2.F for STP, Units 1 and 2 FOLs).
  • In a publicly available NRC memorandum, "Review Criteria for Title 10 of the Code of Federal Regulations Part 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests," dated October 24, 2013 (ADAMS Accession No. ML 13295A46), the NRC staff listed criteria that it would consider during its evaluations of licensees' requests to postpone their cyber security programs implementation dates (commonly known as Milestone 8).

The NRC staff does not regard the STP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC-approved CSP implementation schedule, thus, will require prior NRC approval as required by 10 CFR 50.90.

3.0 TECHNICAL EVALUATION

3.1 Background

The NRC staff issued Amendment No. 197 to FOL NPF-76 for STP, Unit 1 and Amendment No. 185 to FOL NPF-80 for STP, Unit 2 on July 26, 2011, approving the licensee's CSP (ADAMS Accession No. ML111920082). The NRC staff also approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued with the amendment.

The implementation schedule was based on a template prepared by the Nuclear Energy Institute (NEI) (letter dated February 28, 2011; ADAMS Accession No. ML110600206), which the NRC staff found acceptable for licensees to use to develop their CSP implementation schedules by letter dated March 1, 2011 (ADAMS Accession No. ML110070348). The licensee's proposed implementation schedule for CSP identified completion dates and bases for the following eight milestones:

  • Identify Critical Systems (CSs) and Critical Digital Assets (CDAs);
  • Install a deterministic one-way device between lower level devices and a firewall between higher level devices;
  • Implement the security control "Access Control For Portable And Mobile Devices";
  • Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds;
  • Identify, document, and implement cyber security controls in accordance with "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment;
  • Commence ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented;

3.2 Licensee's Requested Change

Currently, Milestone 8 of the STP CSP requires the licensee to fully implement the CSP by February 28, 2015. In the May 8, 2014, letter, the licensee requested to change the Milestone 8 completion date to June 30, 2017. The licensee has also proposed to modify Paragraph 2.F of FOLs NPF-76 and NPF-80 for STP, Units 1 and 2, respectively, to reflect the revised full implementation schedule for the CSP.

The licensee's current amendment is consistent with the review criteria set forth in the NRC staff's October 24, 2013, memorandum developed to evaluate requests to postpone Milestone 8 implementation dates. The following criteria are stated in the memorandum:

1. Identification of the specific requirement or requirements of the CSP that the licensee needs additional time to implement.
2. Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.
3. A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

4. An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.
5. A description of the licensee's methodology for prioritizing completion of work for CDAs associated with significant safety, security, or emergency preparedness consequences and with reactivity effects in the balance of plant.
6. A discussion of the licensee's cyber security program performance up to the date of the license amendment request.
7. A discussion of cyber security issues pending in the licensee's corrective action program.
8. A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

The licensee provided the following information pertinent to each of the eight evaluation criteria identified in the NRC staff memorandum.

1. Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement.

The licensee stated that it needed additional time to implement CSP Section 3.1, "Analyzing Digital Computer Systems and Networks and Applying Cyber Security Controls." The licensee further noted that there are ongoing issues that need resolution prior to completing implementation of CSP Section 3.1. These issues include NRC and industry discussions about CDAs and security controls; definition of security controls; resource intensive CDA assessment work; the need for careful consideration of remediation activities; change management challenges must be addressed; and training is required on new processes, procedures and programs.

2. Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

In its May 8, 2014, LAR, the licensee stated, in part, that:

Despite a cyber security project team of 10 full time staff, STPNOC is experiencing major challenges with full implementation of Milestone 8. The project team includes 5 Certified Information Systems Security Professionals (CISSPs) and four degreed Electrical/Computer Engineers.

The licensee also noted there is a large volume of effort associated with documentation of CDA assessment and analysis. The licensee provided a detailed justification for the additional time to fully implement the CSP, as follows:

a) CDA assessment work is resource intensive.

  • STPNOC has approximately 1450 CDAs for Units 1 & 2.
  • Assessment tool set-up is challenging due to uncertainty surrounding security controls interpretation.
  • STPNOC underestimated the level of effort necessary to address security controls using the deterministic criteria in CSP 3.1.6.
  • Rework is a major concern since resources are allocated in advance based on the defined scope that considers a limited amount of rework.

b) Remediation activities need to be carefully considered.

  • Security controls modifications are unique and new to the plant and suppliers.
  • Plant modifications must be carefully implemented to ensure they do not impact plant safety and operation. STPNOC has experienced several challenges associated with cyber security equipment suppliers' understanding of their own products and its limitations; resulting in implementation delays and unrecognized resource commitments for both the vendor and STPNOC.
  • Suppliers are releasing products that have not been adequately documented and tested which results in corrective action investigations and resource drain.
  • Plant equipment vendors have taken exception to the cyber security controls in specifications, placing the entirety of implementation and integration of cyber controls on STPNOC personnel.
  • Integrating existing systems with newer security products has impacts on existing system resources and is complicating the implementation of technical cyber security controls.
  • Plant modifications require additional coordination when considering whether they can be implemented during power operations or require a unit outage to perform. This is further limited by the planned outage windows, which are typically 30 days in duration and only occur every 18 months in each unit.

c) Change management challenges.

  • Cyber security is challenging because it integrates into day to day plant operations, maintenance, engineering, and procurement activities.
  • Integration of cyber security controls is taking longer than expected due to impacts on the work control process and maintenance activities.
  • Added burden on maintenance to address security control integrity during maintenance work on CDAs.
  • Cyber security for plant CDAs is new, and the security controls being implemented on the plant CDAs are new to Maintenance, System Engineering, and Operations. When plant CDA modifications include new products, and installation requires operating system parameter changes, the modifications must be implemented cautiously to ensure safe reliable operation of plant equipment. Before modifications are implemented, significant verification analysis and testing must be performed to minimize or eliminate impacts to plant equipment.
  • The Work Control Center (WCC) Planners are challenged by the nuances associated with cyber security controls. STPNOC will be spending additional resources to train the Planners to better understand cyber security and how it impacts work planning.
  • Maintenance on CDAs is required to be performed by trained and qualified technicians. Training the technicians is a challenge. Maintenance Department training schedules are normally established at least a year in advance. Cyber security training requirements are adding emergent training scope to the schedule.
  • Plant modifications that added cyber security controls have created new change management challenges. As cyber security controls are implemented, new tasks are added to normal maintenance activities. The full impact of cyber security controls on maintenance processes are difficult to predict when plant modifications to add cyber controls are initially scoped and developed.

d) Training on new programs, processes and procedures

  • The site training needs and schedules are normally established up to a year in advance and have to be presented to, and approved by, the STPNOC Training Review Boards. Cyber security training adds a new burden on training resources that was not fully understood when the new cyber-related processes and procedures were first being developed. STPNOC initially underestimated the level of effort and coordination needed to meet the requirements of STPNOC's systematic approach to training process. Cyber security training needs can be accommodated outside of normal training cycles, but this adds an unanticipated burden on training resources.

3. A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

The licensee proposed a Milestone 8 completion date of June 30, 2017, to complete CDA assessments, implement design modifications based on assessment results, update existing procedures, and develop new program procedures to complete full implementation of the cyber security program. The licensee also stated that changing the completion date of Milestone 8 will encompass two additional refueling outages per unit and provide adequate time to plan and schedule the implementation of the modifications identified as the result of CDA assessments.

4. An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.

In its May 8, 2014, LAR, the licensee stated, in part, that:

Based on the cyber security implementation activities already completed, and completion of activities already in progress, STPNOC is secure and will continue to ensure that digital computer and communication systems and networks are adequately protected against cyber attacks during implementation of the remainder of the program by the proposed Milestone 8 date of June 30, 2017.

The licensee provided details about the implementation of each milestone in its May 8, 2014, LAR. The licensee completed the implementation of interim Milestones 1 thru 7, and these activities provide a high degree of protection against cyber security attacks during the time in which STPNOC is implementing their full program.

5. A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety, security, or emergency preparedness consequences and with reactivity effects in the balance of plant.

In its May 8, 2014, LAR, the licensee stated, in part, that STPNOC methodology for prioritizing Milestone 8 activities is centered on considerations for safety, security, emergency preparedness (EP), and balance of plant (BOP) (continuity of power) consequences. The methodology is based on defense in depth, installed configuration of the CDA and susceptibility to the five commonly identified threat vectors listed in the NRC Cyber Security SDP (significance determination process). Prioritization for CDA assessment begins with safety related CDAs and continues through the lower priority non-safety and EP CDAs:

  • Physical Security CDAs
  • Important to Safety CDAs (including BOP CDAs that directly impact continuity of power) and control system CDAs
6. A discussion of the licensee's cyber security program performance up to the date of the license amendment request.

In its May 8, 2014, LAR, the licensee stated that Interim Milestones 1 thru 7 activities and other actions, completed by December 31, 2012, provide a high degree of protection against cyber security-related attacks. In its May 8, 2014, LAR, the licensee provided discussions about implementing various milestones and stated that a Quality Audit of the seven interim milestones under the Physical Security Program concluded that STPNOC has an effective CSP. The issues identified during the audit were entered into the corrective action program (CAP) for program improvement. The Utilities Service Alliance self-assessment scheduled for the second quarter of 2014, included the cyber security action items implementation to ensure completeness and effectiveness of the implemented actions. On-going monitoring and time-based periodic actions provide continuing program performance monitoring.

7. A discussion of cyber security issues pending in the licensee's corrective action program (CAP).

The licensee stated that STPNOC uses the site CAP to document cyber issues in order to trend, correct, and improve the STP cyber security program. The CAP database documents track all cyber security required actions, including issues identified during on-going program assessment activities, from initiation through closure. Adverse trends are monitored for program improvement and addressed via the CAP process. In its May 8, 2014, LAR, STPNOC provided the examples of issues and activities included in the CAP.

8. A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

In its May 8, 2014, LAR, the licensee provided a discussion of the completed and pending modifications.

3.3 NRC Staff Evaluation

The NRC staff has evaluated the licensee's application using the regulatory requirements and the guidance identified above in Section 2 of this SER. Based upon this evaluation, and for the reasons discussed below, the staff has concluded that the additional time requested by the licensee to implement Milestone 8 is reasonable.

The licensee indicated that the milestones already completed have resulted in a high degree of protection of safety-related, important-to-safety, and security CDAs against threat vectors. The NRC staff finds these actions provide a high degree of protection to ensure that the most significant digital computer and communication systems and networks associated with SSEP systems are already protected against cyber attacks. The licensee detailed activities completed for each milestone. The NRC staff finds that the licensee's site is much more secure after implementation of Milestones 1 through 7 because the activities the licensee completed mitigate the most significant cyber attack vectors for the most significant CDAs. Therefore, the NRC has reasonable assurance that full implementation of the CSP by June 30, 2017, will provide adequate protection of the public health and safety and the common defense and security.

The licensee stated that there is insufficient time remaining to complete the scope of actions required to fully implement its CSP (the cyber security assessment process) prior to its current Milestone 8 implementation date. The NRC staff recognizes that cyber security assessment work is much more complex and resource-intensive than originally anticipated, in part due to the NRC expanding the scope of the cyber security requirements to include BOP CDAs. As a result, the licensee has a large number of additional tasks not originally considered when developing its CSP implementation schedule. The NRC staff concludes that the licensee's request for additional time to implement Milestone 8 is reasonable given the unanticipated complexity, volume, and scope of the remaining work required to fully implement its CSP.

The licensee originally proposed a Milestone 8 completion date of February 28, 2015. The licensee stated that changing the completion date of Milestone 8 allows for designing and planning for security features to fully implement the security controls required by the CSP. It also allows for activities that require a refueling outage for implementation. The licensee stated its methodology for prioritization of work for CDAs follows the normal work management process that places the highest priority on apparent conditions adverse to quality in system, structure, and component design function and related factors such as safety risk and nuclear defense-in-depth, as well as threats to continuity of electric power generation in the BOP. The NRC staff concludes that based on the large number of digital assets described above and the limited personnel with the appropriate expertise to perform these activities, the licensee's methodology for prioritizing work on CDAs is appropriate. The NRC staff further concludes that the licensee's request to delay final implementation of the CSP until June 30, 2017, is reasonable given the complexity of the remaining unanticipated work and the need to perform certain work during the scheduled refueling outage.

The intent of the CSP implementation schedule was for licensees to demonstrate ongoing implementation of their cyber security program prior to full implementation, which is set for the date specified in Milestone 8. Activities include establishing a CSAT, identifying CSs and CDAs, installing deterministic one-way devices between defensive levels, implementing access control for portable and mobile devices, implementing methods to observe and identify obvious cyber related tampering, and conducting ongoing monitoring and assessment activities for target set CDAs. In their aggregate, the interim milestones demonstrate ongoing implementation of the

3.4 Revision to License Condition 2.F

In the LAR dated May 8, 2014, the licensee proposed to modify Paragraph 2.F of FOL Nos. NPF-76 and NPF-80 for STP, Units 1 and 2, respectively, which provide license conditions to require the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP.

Current Licensing Condition

The current license condition in Paragraph 2.F of FOL No. NPF-76 for STP, Unit 1, states, in part, that STPNOC shall fully implement and maintain in effect all provisions of the Commission-approved Cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). STPNOC CSP was approved by License Amendment No. 197.

The current license condition in Paragraph 2.F of FOL No. NPF-80 for STP, Unit 2, states, in part, that STPNOC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). STPNOC CSP was approved by License Amendment No. 185.

Revised Licensing Condition

The revised license condition in Paragraph 2.F of FOL No. NPF-76 for STP, Unit 1, would state:

STPNOC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). STPNOC CSP was approved by License Amendment No. 197 and supplemented by License Amendment No. 202.

The revised license condition in Paragraph 2.F of FOL No. NPF-80 for STP, Unit 2, would state:

STPNOC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). STPNOC CSP was approved by License Amendment No. 185 and supplemented by License Amendment No. 190.

Based on the information in Section 3.0 of this safety evaluation and the modified license condition described above, the NRC staff concludes that the proposed Milestone 8 date is acceptable.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the Texas State official was notified of the proposed issuance of the amendment. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

These amendments to Part 50 licenses relate solely to safeguards matters and do not involve any significant construction impacts and are confined to modifications to systems used for security. This amendment is an administrative change to extend the date by which the licensee must have its cyber security plan fully implemented. The NRC staff has determined that the amendments involve no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and that there is no significant increase in individual or cumulative occupational radiation exposure. Accordingly, the amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12)(ii). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments.

6.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributor: John Rycyna, NSIR/CSD

Date: January 29, 2015

ML14281A065 *SE memo dated

OFFICE: NRR/DORL/LPL4-1/PM | NRR/DORL/LPL4-1/PM | NRR/DORL/LPL4-1/LA | NSIR/CSD/DD
NAME: SGoetz | BSingal | JBurkhardt | RFelts
DATE: 10/16/14 | 10/16/14 | 10/14/14 | 12/17/14

OFFICE: OGC | NRR/DORL/LPL4-1/BC(A) | NRR/DORL/LPL4-1/PM
NAME: NStAmour NLO | EOesterle | LRegner
DATE: 1/28/15 | 1/29/15 | 1/29/15