ML14316A526

From kanterella
Jump to navigation Jump to search

Issuance of Amendments Cyber Security Plan Implementation Schedule (Tac Nos. MF3409 and MF3410)
ML14316A526
Person / Time
Site: Indian Point  Entergy icon.png
Issue date: 12/11/2014
From: Pickett D
Plant Licensing Branch 1
To:
Entergy Nuclear Operations
Pickett D
References
TAC MF3409, TAC MF3410, FOIA/PA-2016-0148
Download: ML14316A526 (25)


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 December 11, 2014 Vice President, Operations Entergy Nuclear Operations, Inc.

Indian Point Energy Center 450 Broadway, GSB P.O. Box 249 Buchanan, NY 10511-0249

SUBJECT:

INDIAN POINT NUCLEAR GENERATING UNIT NOS. 1, 2 AND 3 -ISSUANCE OF AMENDMENTS RE: CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE (TAC NOS. MF3409 AND MF3410)

Dear Sir or Madam:

The U.S. Nuclear Regulatory Commission (the Commission) has issued the enclosed Amendment No. 57 to Provisional Operating License No. DPR-5 for Indian Point Nuclear Generating Unit No. 1, Amendment No. 279 to Facility Operating License No. DPR-26 for the Indian Point Nuclear Generating Unit No. 2 and Amendment No. 254 to Facility Operating License No. DPR-64 for the Indian Point Nuclear Generating Unit No. 3. The amendments consist of changes to the Cyber Security Plan Milestone 8 full implementation date in response to your application dated January 30, 2014 and supplemented June 12, 2014.

The amendments revise the Cyber Security Plan Milestone 8 full implementation date and the existing Physical Protection license conditions by extending the full implementation date to June 30, 2016.

A copy of the related Safety Evaluation is enclosed. A Notice of Issuance will be included in the Commission's next regular biweekly Federal Register notice.

Sincerely, Douglas V. Pickett, Senior Project Manager Plant Licensing Branch 1-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos.50-003, 50-247 and 50-286

Enclosures:

1. Amendment No. 57 to DPR-5
2. Amendment No. 279 to DPR-26
3. Amendment No. 254 to DPR-64
4. Safety Evaluation cc w/encls: Distribution via Listserv

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ENTERGY NUCLEAR INDIAN POINT 2. LLC ENTERGY NUCLEAR OPERATIONS, INC.

DOCKET NO.50-003 INDIAN POINT NUCLEAR GENERATING UNIT NO. 1 AMENDMENT TO PROVISIONAL OPERATING LICENSE Amendment No. 57 License No. DPR-5

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Entergy Nuclear Operations, Inc. (the licensee) dated January 30, 2014, as supplemented on June 12, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Co111mission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 1

2. Accordingly, the license is amended by changes to paragraphs 3.b and 3.d of Facility Operating License No. DPR-5.

Paragraph 3.b) is hereby amended to read as follows:

The Technical Specifications contained in Appendices A and 8, as revised through Amendment No. 57, are hereby incorporated in the license. ENO shall maintain the facility in accordance with the Technical Specifications.

Paragraph 3.d) is hereby amended to read as follows:

a) ENO shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and to the authority of 10 CFR 50.90 and 10 CFR 50.54{p). The combined set of plans for the Indian Point Energy Center, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Physical Security, Training and Qualification, and Safeguards Contingency Plan, Revision 0," and was submitted by letter dated October 14, 2004, as supplemented by letter dated May 18, 2006.

ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54{p). The ENO CSP was approved by License Amendment No. 55 and supplemental amendments.

3. This license amendment is effective as of the date of its issuance and shall be implemented within 30 days.

FOR THE NUCLEAR REGULATORY COMMISSION

Attachment:

Changes to the License Date of Issuance: December 11 , 2014

ATTACHMENT TO LICENSE AMENDMENT NO. §7 PROVISIONAL OPERATING LICENSE NO. DPR-5 DQGKt:T NO. 50-Q03 Replace the following pages of the License with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

Remove Page Insert Page 2 2 3 3

designated location in Westchester County, New York, in accordance with the procedures and limitations described in the application and this license:

b) ENO, pursuant to the Act and 10 CFR Part 70, to receive and possess up to 1918 kilograms of contained uranium-235 previously received for reactor operation; c) Deleted; d) Deleted; e) ENO, pursuant to the Act and 10 CFR Parts 30 and 70, to receive Arndt. 45 and possess, but not to separate, such byproduct and special 1-31-96 materials as were produced by the prior operation of the facility; f) Deleted.

3. This license shall be deemed to contain and is subject to the conditions specified in Sections 50.54 and 50.59 of Part 50, Section 70.32 of Part 70, Section 40.41 of Part 40, and Section 30.32 of Part 30 of the Commission's regulations: is subject to all applicable provisions of the Act and rules, regulations and orders of the Commission now and hereafter in effect; and is subject to the additional conditions specified below:

a) M9ximum Power Level ENO is prohibited from taking the reactor to criticality, and the facility shall not be operated at any power level.

b) Technical Specifications The Technical Specifications contained in Appendices A and B, as revised through Amendment No. 57, are hereby incorporated in the license. ENO shall maintain the facility in accordance with the Technical Specifications.

c) Records In addition to those otherwise required under this license and applicable regulations, ENO shall keep the following records:

1. Reactor operating records, including power levels and period of operation at each power level.
2. Records showing the radioactivity released or discharged into the air or water beyond the effective control of ENO as measured at or prior to the point of such release or discharge.
3. Records of scrams, including reasons therefor.
4. Records of principal maintenance operations involving substitution or replacement of facility equipment or components and the reasons therefor.

Amendment No. 57

5. Records of radioactivity measurements at on-site and off-site monitoring stations.
6. Records of facility tests and measurements performed pursuant to the requirements of the Technical Specifications.

d) ENO shall fully implement and maintain in effect all provisions of the Commission~approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). T +he combined set of plans 1 for the Indian Point Energy Center, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Physical Security, Training and Qualification, and Safeguards Contingency Plan, Revision 0," and was submitted by letter dated October 14, 2004, as supplemented by letter dated May 18, 2006.

ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The ENO CSP was approved by License Amendment No. 55 and supplemental amendments.

1 The Training and Qualification Plan and Safeguards Contingency Plan are Appendices to the Security Plan.

Amendment No. 57

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ENTERGY NUCLEAR INDIAN POINT 2. LLC ENTERGY NUCL~AR OPERATIONS. INC.

DOCKET NO. 50-247 INDIAN POINT NUCLEAR GENERATING UNIT NO.2 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 279 License No. DPR-26

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Entergy Nuclear Operations, Inc. (the licensee) dated January 30, 2014, as supplemented on June 12, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 2

2. Accordingly, the license is amended by changes to paragraphs 2.C.(2) and 2.H of Facility Operating License No. DPR-26.

Paragraph 2.C.(2) is hereby amended to read as follows:

The Technical Specifications contained in Appendices A, B, and C, as revised through Amendment No. 279, are hereby incorporated in the license. ENO shall operate the facility in accordance with the Technical Specifications.

Paragraph 2.H is hereby amended to read as follows:

ENO shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans for the Indian Point Energy Center, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Physical Security, Training and Qualification, and Safeguards Contingency Plan, Revision 0," and was submitted by letter dated October 14, 2004, as supplemented by letter dated May 18, 2006. ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). ENO CSP was approved by License Amendment No. 266 and supplemental amendments.

3. This license amendment is effective as of the date of its issuance and shall be implemented within 30 days.

FOR THE NUCLEAR REGULATORY COMMISSION Benjamin G. Beasley, Chief Plant Licensing Branch 1-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the License Date of Issuance: December 11 , 2014

ATTACHMENT TO LIC(EN§E AMENDMENT NO. 279 FACILITY OPERATING LICENSE NO. DPR-26 DOQKET NQ. SQ-247 Replace the following pages of the License with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

Remove Page Insert Page 3 3 5 5

instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required; (4) ENO pursuant to the Act and 10 CFR Parts 30, 40 and 70, to Arndt. 42 receive, possess, and use in amounts as required any 10-17-78 byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components; (5) ENO pursuant to the Act and 10 CFR Parts 30 and 70, to Amdt. 220 possess, but not separate, such byproduct and special 09-06-01 nuclear materials as may be produced by the operation of the facility.

C. This amended license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter 1: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level ENO is authorized to operate the facility at steady state Arndt. 241 reactor core power levels not in excess of 3216 megawatts 10-27-04 thermal.

(2) Technical Specifications The Technical Specifications contained in Appendices A, 8, and C, as revised through Amendment No. 279, are hereby incorporated in the license.

ENO shall operate the facility in accordance with the Technical Specifications.

(3) The following conditions relate to the amendment approving the conversion to Improved Standard Technical Specifications:

1. This amendment authorizes the relocation of certain Technical Specification requirements and detailed information to licensee controlled documents as described in TableR, "Relocated Technical Specifications from the CTS," and Table LA, "Removed Details and Less Restrictive Administrative Changes to the CTS" attached to the NRC staffs Safety Evaluation enclosed with this amendment. The relocation of requirements and detailed information shall be completed on or before the implementation of this amendment.

Amendment No. 279

Indian Point Energy Center, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Physical Security, Training and Qualification, and Safeguards Contingency Plan, Revision 0," and was submitted by letter dated October 14, 2004, as supplemented by letter dated May 18, 2006. ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). ENO CSP was approved by License Amendment No. 266 and supplemental amendments.

I. Deleted per Amdt. 133, 7-6-88.

J. Deleted perAmdt.133, 7-6-88.

K. ENO shall implement and maintain in effect all provisions of the NRC-approved fire protection program as described in the Updated Final Safety Analysis Report for the facility and as approved in Safety Evaluations Reports dated November 30, 1977, February 3, 1978, January 31, 1979, October 31, 1980, August 22, 1983, March 30, 1984, October 16, 1984, September 16, 1985, November 13, 1985, March 4, 1987, January 12, 1989, and March 26, 1996. ENO may make changes to the NRC-approved fire protection program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

L. Deleted per Amendment 238 M. Deleted per Amendment 238 N. Mitigation Strategy License Condition The licensee shall develop and maintain strategies for addressing large fires and explosions and that include the following key areas:

(a) Fire fighting response strategy with the following elements:

1. Pre-defined coordinated fire response strategy and guidance
2. Assessment of mutual aid fire fighting assets
3. Designated staging areas for equipment and materials
4. Command and control
5. Training of response personnel (b) Operations to mitigate fuel damage considering the following:
1. Protection and use of personnel assets
2. Communications
3. Minimizing fire spread
4. Procedures for implementing integrated fire response strategy
5. Identification of readily-available pre-staged equipment
6. Training on integrated fire response strategy (c) Actions to minimize release to include consideration of:
1. Water spray scrubbing
2. Dose to onsite responders Amendment No. 279

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ENTERGY NUCLEAR INDIAN POINT 3. LLC ENTERGY NUCLEAR OPERATIONS. INC.

DOCKET NO. 50-286 INDIAN POINT NUCLEAR GENERATING UNIT NO. 3 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 254 License No. DPR-64

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Entergy Nuclear Operations, Inc. (the licensee) dated January 30, 2014, as supplemented on June 12, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 3

2. Accordingly, the license is amended by changes to paragraphs 2.C.(2) and 2.G of Facility Operating License No. DPR-64.

Paragraph 2.C.(2) is hereby amended to read as follows:

The Technical Specifications contained in Appendices A, B, and C, as revised through Amendment No. 254 are hereby incorporated in the License. ENO shall operate the facility in accordance with the Technical Specifications.

Paragraph 2.G is hereby amended to read as follows:

ENO shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and to the authority of 10 CFR 50.90 and CFR 50.54(p). The combined set of plans for the Indian Point Energy Center, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Physical Security, Training and Qualification, and Safeguards Contingency Plan, Revision 0," and was submitted by letter dated October 14, 2004, as supplemented by letter dated May 18, 2006. ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The ENO CSP was approved by License Amendment No. 243 and supplemental amendments.

3. This license amendment is effective as of the date of its issuance and shall be implemented within 30 days.

FOR THE NUCLEAR REGULATORY COMMISSION Benjamin G. Beasley, Chief Plant Licensing Branch 1-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the License Date of Issuance: December 11 , 2014

ATIACHMENT TO LICENSE AMENDMENT NO. 254 FACILITY OPERATING LICENSE NO. DPR-64 DOCKET NO. 50-286 Replace the following pages of the License with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

Remove Page Insert Page 3 3 4 4

(4) ENO pursuant to the Act and 10 CFR Parts 30, 40 and 70, Arndt. 203 to receive, possess, and use in amounts as required any 11/27/00 byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components; (5) ENO pursuant to the Act and 10 CFR Parts 30 and 70, to Arndt. 203 possess, but not separate, such byproduct and special 11/27/00 nuclear materials as may be produced by the operation of the facility.

C. This amended license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter 1: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level ENO is authorized to operate the facility at steady state reactor core power levels not in excess of 3216 megawatts thermal (100% of rated power).

(2) Technical Specifications The Technical Specifications contained in Appendices A and 8, as revised through Amendment No. 254 are hereby incorporated in the License. ENO shall operate the facility in accordance with the Technical Specifications.

(3) (DELETED) Arndt. 205 2-27-01 (4) (DELETED) Amdt. 205 2-27-01 D. (DELETED) Amdt.46 2-16-83 E. (DELETED) Amdt.37 5-14-81 F. This amended license is also subject to appropriate conditions by the New York State Department of Environmental Conservation in its letter of May 2, 1975, to Consolidated Edison Company of New York, Inc., granting a Section 401 certification under the Federal Water Pollution Control Act Amendments of 1972.

Amendment No. 254

G. ENO shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and to the authority of 10 CFR 50.90 and CFR 50.54(p). The combined set of plans 1 for the Indian Point Energy Center, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Physical Security, Training and Qualification, and Safeguards Contingency Plan, Revision 0," and was submitted by letter dated October 14, 2004, as supplemented by letter dated May 18, 2006. ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The ENO CSP was approved by License Amendment No. 243 and supplemental amendments.

H. ENO shall implement and maintain in effect all provisions of the approved Fire Protection Program as described in the Final Safety Analysis Report for Indian Point Nuclear Generating Unit No. 3 and as approved in NRC fire protection safety evaluations (SEs) dated September 21, 1973, March 6, 1979, May 2, 1980, November 18, 1982, December 30, 1982, February 2, 1984, April 16, 1984, January 7, 1987, September 9, 1988, October 21, 1991, April20, 1994, January 5, 1995, and supplements thereto, subject to the following provision:

ENO may make changes to the approved Fire Protection Program without prior approval of the Commission only if those changes would not adversely affect the ability to achieve and maintain safe shutdown in the event of a fire.

I. (DELETED) Arndt. 205 2/27/01 J. (DELETED) Arndt. 205 2/27/01 K. (DELETED) Amdt. 49 5-25-84 L. (DELETED) Arndt. 205 2/27/01 M. (DELETED) Arndt 205 2/27/01 N. (DELETED) Arndt. 49 5-25-84 1

The Training and Qualification Plan and Safeguards Contingency Plan are Appendices to the Security Plan.

Amendment No. 254

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 57 TO FACILITY OPERATING LICENSE NO. DPR-5.

AMENDMENT NO. 279 TO FAC!LITY OPERATING LICENSE NO. DPR-26.

AND AMENDMENT NO. 254 TO FACILITY OPERATING LICENSE NO. DPR-64 ENTERGY NUCLEAR INDIAN POINT 2. LLC ENTERGY NUCLEAR INDIAN POINT 3. LLC AND ENTERGY NUCLEAR OPERATIONS. INC.

INDIAN POINT NUCLEAR GENERATING UNIT NOS. 1. 2 AND 3 DOCKET NOS.50-003. 50-247 AND 50-286

1.0 INTRODUCTION

By application dated January 30, 2014, (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14043A092) as supplemented by letter dated June 12, 2014 (ADAMS Accession No. ML14176A089), Entergy Nuclear Operations Inc., (Entergy, the licensee) requested a change to the Provisional Operating License for Indian Point Nuclear Generating Station, Unit No. 1 (IP1) and the Facility Operating Licenses (FOLs for Indian Point Generating Unit Nos. 2 and 3 (IP2 and IP3). The proposed changes would revise the date of Cyber Security Plan (CSP) Implementation Schedule Milestone 8 and the existing license conditions in the licenses. Milestone 8 of the CSP implementation schedule concerns the full implementation of the CSP.

The supplemental letter dated June 12, 2014, provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the Nuclear Regulatory Commission (NRC or the Commissions) staff's original proposed no significant hazards consideration determination as published in the Federal Register on May 6, 2014 (79 FR 25899).

Portions of the letter dated January 30, 2014, contain sensitive, unclassified, non-safeguards information and those portions are withheld from public disclosure in accordance with the provisions of paragraph 2.390(d)(1) of Title 10 of the Code of Federal Regulations (1 0 CFR) .

Enclosure 4

2.0 REGULATORY EVALUATION

The NRC staff reviewed and approved the licensee's existing CSP implementation schedule for IP1, IP2 and IP3 via License Amendment Nos. 55, 266 and 243 dated August 2, 2011 (ADAMS Accession No. ML11152A027), concurrent with the incorporation of the CSP into the facilities' licensing bases. The NRC staff considered the following regulatory requirements and guidance in its review of the current license amendment request to modify the existing CSP implementation schedule:

  • 10 CFR section 73.54 states:

Each [CSP] submittal must include a proposed implementation schedule.

Implementation of the licensee's cyber security program must be consistent with the approved schedule.

  • The licensee's operating licenses include a license condition that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP. The license condition states that:

ENO shall fully implement and maintain in effect all provisions of the Commission approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

  • In a publically available NRC memorandum dated October 24, 2013 (ADAMS Accession No. ML13295A467), the NRC staff listed criteria that it would consider during its evaluations of the licensees' requests to postpone their cyber security program implementation date (commonly known as Milestone 8).

The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. Any subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval as required by 10 CFR 50.90.

3.0 TECHNICAL EVALUATION

3.1 Licensee's Requested Change Amendment Nos. 55, 266 and 243 to DPR-5 for IP1, DPR-26 for IP2, and DPR-64 for IP3 were issued on August 2, 2011. The NRC staff also approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued with the amendments. The implementation schedule had been submitted by the licensee based on a template prepared by the Nuclear Energy Institute (NEI), which the NRC staff found acceptable for licensees to use to

develop their CSP implementation schedules (ADAMS Accession Nos. ML110070348 and ML110600218). The licensee's proposed implementation schedule for the Cyber Security Program identified completion dates and bases for the following eight milestones:

1) Establish the Cyber Security Assessment Team (CSAT);
2) Identify Critical Systems (CSs) and Critical Digital Assets (CDAs);
3) Implement Installation of a deterministic one-way device between lower level devices and higher level devices;
4) Implement the security control "Access Control For Portable And Mobile Devices";
5) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds by incorporating the appropriate elements;
6) Identify, document, and implement technical cyber security controls in accordance with Mitigation of Vulnerabilities and Application of Cyber Security Controls for CDAs that could adversely impact the design function of physical security target set equipment;
7) Commence ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented;
8) Full implementation of the CSP for all safety, security and emergency preparedness functions.

Currently, Milestone 8 of the Entergy CSP requires the licensee to fully implement the CSP by December 15, 2014. In its January 30, 2014, application, Entergy proposed to change the Milestone 8 completion date to June 30, 2016.

The licensee provided the following information pertinent to each of the criteria identified in the NRC guidance memorandum:

1. Identification of the specific requirement or requirements of the CSP that the licensee needs additional time to implement.

The licensee stated that it needs additional time to implement CSP Section 3, Analyzing Digital Computer Systems and Networks, and Section 4, Establishing, Implementing and Maintaining the Cyber Security Program. It further noted that these sections describe requirements for application and maintenance of cyber security controls and described the process of addressing security controls. The licensee described specific activities needing additional time including determining the need for automated security information and event management (SIEM) systems to provide for: audit and accountability; monitoring tools and techniques; analyzing security alerts and advisories; and to assist personnel performing maintenance and

testing activities. It also described time needed for additional physical controls for CDAs outside the security protected area.

2. Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

The licensee's application stated that the cyber security assessment process was scheduled to be completed by the second quarter of 2014. Considering that the number of CDAs and existing procedures is in the hundreds and the number of individual cyber security control attributes is also in the hundreds, the total of physical, logical and programmatic changes needed constitutes a significant project involving plant components and systems and substantial planning and resources. As a result, insufficient time will remain in 2014 to conduct modification and change management planning activities and execution. The licensee intends to complete planning for the specific security feature mentioned in ( 1) above in 2014 and implement it in the following 18 months. The complexity of producing the CDA assessment, and the amount of time and resources it would take to complete, are discussed in the NRC Staff Evaluation below.

3) A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

The licensee proposed a Milestone 8 completion date of June 30, 2016. The revised completion date will prevent costly rework and by extending the Milestone 8 date allows the necessary time to fully integrate cyber controls into the plant processes, provide all the necessary training and change management, and reinforce behavior changes of the entire organization around nuclear cyber security.

4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall CSP in the context of milestones already completed.

The licensee indicated that there is no significant impact of the requested additional implementation time on the effectiveness of the overall CSP. Milestones 1 through 7 have already been completed and have resulted in a high degree of protection of safety-related, important-to-safety, and security CDAs against common threat vectors. Additionally, extensive physical and administrative measures are already in place for CDAs because they are plant components, pursuant to the Physical Security Plan and Technical Specification Requirements. The licensee then briefly described how it had implemented Milestones 1 through 7. The NRC staff's evaluation of the effectiveness of the licensee's overall CSP is provided in the NRC Staff Evaluation below.

5) A description of the licensee's methodology for prioritizing completion of work for CDAs associated with significant safety consequences and with reactivity effects in the balance of plant.

The licensee stated, because CDAs are plant components, prioritization follows an established work management process that places the highest priority on apparent conditions adverse to quality in system, structure, and component design function and related to factors such as safety risk and nuclear defense-in-depth, as well as threats to continuity of electric power generation.

6) A discussion of the licensee's CSP performance up to the date of the license amendment request.

The licensee stated there has been no identified compromise of safety, security, and emergency preparedness (SSEP) functions by cyber means at any Entergy plant. It also noted that it performed a formal Quality Assurance (QA) audit in the last quarter of 2013 that included review of the CSP implementation. There were no significant findings related to overall CSP performance and effectiveness.

7) A discussion of cyber security issues pending in the licensee's corrective action program (CAP).

The licensee stated there are presently no significant (constituting a threat to a CDA via cyber means or calling into question program effectiveness) nuclear cyber security issues pending in the CAP. Several non-significant issues identified during the QA audit described above have been entered into CAP. Additionally, NRC concerns regarding cyber security Interim Milestone 4 were entered into the CAP for evaluation by the CSAT. Final actions regarding some program activities are pending.

8) A discussion of modifications completed to support the CSP and a discussion of pending cyber security modifications.

The licensee provided a discussion of completed modifications and pending modifications.

3.2 NRC Staff Evaluation The NRC staff has evaluated the licensee's application using the regulatory requirements and the guidance identified above. The NRC staff's evaluation is below:

The NRC staff finds that the actions the licensee noted as being required to implement CSP Section 3, Analyzing Digital Computer Systems and Networks, and Section 4, Establishing, Implementing and Maintaining the Cyber Security Program, are reasonable as discussed below.

The licensee indicated that completion of the activities associated with the CSP, as described in Milestones 1 through 7 and completed prior to December 31, 2012, provide a high degree of protection to ensure that the most significant digital computer and communication systems and networks associated with SSEP systems are already protected against cyber attacks. It detailed activities completed for each milestone and noted that several elements of Milestone 8 have already been implemented or will be implemented by the original Milestone 8 date of December 15, 2014. It provided details about the completed milestones and elements. The

NRC staff finds that the licensee's site is much more secure after implementation of Milestones 1 through 7 because the activities the licensee completed mitigate the most significant cyber attack vectors for the most significant CDAs. Therefore, the NRC has reasonable assurance that full implementation of the CSP by June 30, 2016, will provide adequate protection of the public health and safety and the common defense and security.

The licensee stated that additional time is needed to conduct modifications and change management planning activities and execution. The staff recognizes that CDA assessment work is much more complex and resource intensive than originally anticipated, in part, due to the NRC expanding the scope of the cyber security requirements to include balance of plant.

As a result, the licensee has a large number of additional tasks not originally considered when developing its CSP implementation schedule. The staff finds that the licensee's request to delay final implementation of the CSP until June 30, 2016, is reasonable given the complexity and volume of the remaining unanticipated work.

The licensee proposed a Milestone 8 completion date of June 30, 2016. The licensee stated that changing the completion date of Milestone 8 will provide sufficient time to conduct modifications and change management planning activities and execution particularly with regards to the specific security feature system. The licensee stated its methodology for prioritizing completion of cyber security activities associated with SSEP consequences and reactivity effects in the balance of plant follows an established work management process.

This process places the highest priority on apparent conditions adverse to quality in system, structure, and component design function as well as factors such as safety, risk, defense-in-depth, and threats to the continuity of electric power generation. The licensee stated the remaining Milestone 8 actions will be completed within 18 months from the end of 2014. The NRC staff finds that, based on the large number of digital assets described above and the limited resources with the appropriate expertise to perform these activities, the licensee's methodology for prioritizing work on CDAs is appropriate. The staff further finds that the licensees request to delay final implementation of the CSP until June 30, 2016, is reasonable given the complexity and volume of the remaining unanticipated work.

3.3 Technical Evaluation Conclusion The NRC staff concludes that the licensee's request to delay full implementation of its CSP until June 30, 2016 is reasonable for the following reasons: (i) the licensee's implementation of Milestones 1 through 7 provides mitigation for significant cyber attack vectors for the most significant CDAs as discussed in the staff evaluation above; (ii) the scope of the work required to come into full compliance with the CSP implementation schedule was much more complicated than anticipated and not reasonably foreseeable when the CSP implementation schedule was originally developed; and (iii) the licensee has reasonably prioritized and scheduled the work required to come into full compliance with its CSP implementation schedule.

3.4 Revision to License Conditions By application dated January 30, 2014, the licensee proposed to modify Paragraph 3.d of Provisional Operating License No. DPR-5 for IP1, which provides a license condition to require the licensee to fully implement and maintain in effect all provisions of the NRC-approved CSP.

The license condition in Paragraph 3.d of Provisional Operating License No. DPR-5 for IP1 is modified as follows:

ENO shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans' for the Indian Point Energy Center, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Physical Security, Training and Qualification, and Safeguards Contingency Plan, Revision 0," and was submitted by letter dated October 14, 2004, as supplemented by letter dated May 18, 2006. ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The ENO CSP was approved by License Amendment No. 55 and supplemental amendments.

By application dated January 30, 2014, the licensee proposed to modify Paragraph 2.H of Facility Operating License No. DPR-26 for IP2, which provides a license condition to require the licensee to fully implement and maintain in effect all provisions of the NRC-approved CSP.

The license condition in Paragraph 2.H of Facility Operating License No. DPR-26 for IP2 is modified as follows:

ENO shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans for the Indian Point Energy Center, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Physical Security, Training and Qualification, and Safeguards Contingency Plan, Revision 0," and was submitted by letter dated October 14, 2004, as supplemented by letter dated May 18, 2006. ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). ENO CSP was approved by License Amendment No. 266 and supplemental amendments.

By application January 30, 2014, the licensee proposed to modify Paragraph 2.G of Facility Operating License No. DPR-64 for IP3, which provides a license condition to require the licensee to fully implement and maintain in effect all provisions of the NRC-approved CSP.

The license condition in Paragraph 2.G of Facility Operating License No. DPR-64 for IP3 is modified as follows:

ENO shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments

The license condition in Paragraph 2.G of Facility Operating License No. DPR-64 for IP3 is modified as follows:

ENO shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822), and to the authority of 10 CFR 50.90 and CFR 50.54(p). The combined set of plans for the Indian Point Energy Center, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Physical Security, Training and Qualification, and Safeguards Contingency Plan, Revision 0," and was submitted by letter dated October 14, 2004, as supplemented by letter dated May 18, 2006. ENO shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The ENO CSP was approved by License Amendment No.

243 and supplemental amendments.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, New York State official was notified of the proposed issuance of the amendments. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

These are amendments to 10 CFR Part 50 licenses that relate solely to safeguards matters and do not involve any significant construction impacts. These amendments are administrative changes to extend the date by which the licensee must have its cyber security plan fully implemented. Accordingly, these amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments.

6.0 CONCLUSION

The NRC staff has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributor: John Rycyna Date: December 11 , 2014

December 11, 2014 Vice President, Operations Entergy Nuclear Operations, Inc.

Indian Point Energy Center 450 Broadway, GSB P.O. Box 249 Buchanan, NY 10511-0249

SUBJECT:

INDIAN POINT NUCLEAR GENERATING UNIT NOS. 1, 2 AND 3 -ISSUANCE OF AMENDMENTS RE: CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE (TAC NOS. MF3409 AND MF3410)

Dear Sir or Madam:

The U.S. Nuclear Regulatory Commission (the Commission) has issued the enclosed Amendment No. 57 to Provisional Operating License No. DPR-5 for Indian Point Nuclear Generating Unit No. 1, Amendment No. 279 to Facility Operating License No. DPR-26 for the Indian Point Nuclear Generating Unit No. 2 and Amendment No. 254 to Facility Operating License No. DPR-64 for the Indian Point Nuclear Generating Unit No. 3. The amendments consist of changes to the Cyber Security Plan Milestone 8 full implementation date in response to your application dated January 30, 2014 and supplemented June 12, 2014.

The amendments revise the Cyber Security Plan Milestone 8 full implementation date and the existing Physical Protection license conditions by extending the full implementation date to June 30, 2016.

A copy of the related Safety Evaluation is enclosed. A Notice of Issuance will be included in the Commission's next regular biweekly Federal Register notice.

Sincerely, IRA/

Douglas V. Pickett, Senior Project Manager Plant Licensing Branch 1-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos.50-003, 50-247 and 50-286

Enclosures:

1. Amendment No. 57 to DPR-5
2. Amendment No. 279 to DPR-26
3. Amendment No. 254 to DPR-64
4. Safety Evaluation cc w/encls: Distribution via Listserv DISTRIBUTION:

PUBLIC LPL 1-1 R/F RidsNrrDorl RidsNrrDorllp11-1 RidsNrrDoriDpr RidsNrrPMindianPoint RidsNrrLAKGoldstein RFelts, NSIR JRycyna, NSIR RidsNrrDssStsb RidsRgn1 MaiiCenter RidsAcrsAcnw_MaiiCTR SGiebel, NMSS BWatson, NMSS ADAMS ACCESSION NO ..* ML14316A526 OFFICE LPL 1-1/PM LPL 1-1/PM LPL 1-1/LA NSIR/CSD/DD OGC NMSS/DUWP LPL 1-1/BC NAME AChereskin DPickett KGoldstein RFelts by JBielecki LCamper BBeasley email dated DATE 11/12/2014 11/21/2014 11/20/2014 11/05/2014 12/09/2014 12/11/2014 12/11/2014 OFFICIAL RECORD COPY