Text

Notification of Inspection of Temporary Instruction 2201/004, Inspection of Implementation of Interim Cyber Security Milestones 1-7, (NRC Inspection Report 05000416/2015405) and Request for Information (Letter)
	ML15068A295
Person / Time
Site:	Grand Gulf
Issue date:	03/06/2015
From:	Greg Werner; NRC/RGN-IV/DRS/EB-2
To:	Kevin Mulligan; Entergy Operations
	Werner G
References
	IR 2015405
	Download: ML15068A295 (5)
	v • d • e

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

UNITED STATES

NUCLEAR REGULATORY COMMISSION

REGION IV

1600 E LAMAR BLVD

ARLINGTON, TX 76011-4511

March 6, 2015

Mr. Kevin Mulligan

Site Vice President Operations

Entergy Operations, Inc.

Grand Gulf Nuclear Station

P.O. Box 756

Port Gibson, MS 39150

SUBJECT: GRAND GULF NUCLEAR STATION - NOTIFICATION OF INSPECTION OF

TEMPORARY INSTRUCTION 2201/004, INSPECTION OF IMPLEMENTATION

OF INTERIM CYBER SECURITY MILESTONES 1-7, (NRC INSPECTION

REPORT 05000416/2015405) AND REQUEST FOR INFORMATION

Dear Mr. Mulligan:

On June 1, 2015, the U.S. Nuclear Regulatory Commission (NRC) will begin an inspection of

Entergy Operations, Inc. cyber security program implementation for Grand Gulf Nuclear Station,

using the guidance in Temporary Instruction 2201/004, Inspection of Implementation of Interim

Cyber Security Milestones 1-7. As previously discussed with members of your staff, the

inspection will be performed to assess and verify that the cyber security program interim

implementation milestones have been implemented in accordance with the Regulatory

Requirements of 10 CFR 73.54 and NRC-approved cyber security plans and implementation

schedules.

In accordance with 10 CFR 73.54, each nuclear power plant licensee was required to submit a

proposed cyber security plan and implementation schedule for NRC approval. On

February 28, 2011, NEI provided a revised Template for the Cyber Security Plan

Implementation Schedule, for the purpose of providing licensee's with a generic template to aid

in the development of their cyber security plan and implementation schedule. Based on the

NRC review (Agencywide Documents Access and Management System (ADAMS)

ML110070348), the template was found acceptable to develop cyber security plans and

implementation schedules.

With a variety of valid operational and technical issues, full implementation dates varied among

the operating fleet of nuclear power reactors. The NRC staff worked with the nuclear industry to

devise seven interim implementation milestones to ensure a level of protection against cyber

Enclosure transmitted herewith contains SUNSI. When separated from enclosure, this

transmittal document is decontrolled.

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

-2-

security threats at each power reactor until full implementation of 10 CFR 73.54 is achieved. In

its NRC-approved implementation schedule, each licensee committed to meet these seven

interim milestones by December 31, 2012. These seven milestones are: (1) establishment of a

Cyber Security Assessment Team (CSAT); (2) identification and documentation of critical

systems and critical digital assets; (3) installation of protective devices between lower and

higher security levels as described in the Cyber Security Plan; (4) implementation of access

control for portable mobile devices; (5) observation for and identification of obvious cyber

related tampering; (6) implementation of cyber security controls for critical digital assets that

could adversely impact the design function of target set equipment; and (7) implementing and

commencing on-going monitoring and assessment activities.

By letter, dated July 22, 2010 (ML102070563) and supplemented by letter, dated April 4, 2011

(ML110950647), Entergy Operations, Inc. submitted a license amendment request which

included a request for approval of the Grand Gulf Nuclear Station Cyber Security Plan (CSP)

and implementation schedule.

The inspection of the interim cyber security program at the Grand Gulf Nuclear Station will be

limited to the verification of implementation of Milestones 1-7. Milestone 8 will be inspected on

a future date.

The schedule for the onsite inspection for Milestones 1-7 is as follows:

Information Gathering Visit: May 19-21, 2015

Milestone Inspection: June 1-5, 2015

The purpose of the information gathering visit is to: (1) obtain information and documentation

needed to support the TI inspection; (2) become familiar with the Grand Gulf Nuclear Station

cyber security program, personnel, and plant layout; and (3) arrange logistical details, such as

office space, availability of knowledgeable staff, and to ensure unescorted site access

privileges.

In order to assure an efficient inspection, we have enclosed a request for information describing

documents needed to aid the inspectors in preparing for and conducting the temporary

instruction inspection. These documents have been divided into four groups. The first group

lists information necessary to aid the inspectors in planning for the inspection. It is requested

that this information be provided to the lead inspector via mail or electronically by May 4, 2015,

if possible. The second group also lists information and possible areas for discussion

necessary to assist the inspectors during the inspection. It is requested this information be

available during the information gathering visit (May 19 - 21, 2015). The third group of

requested documents consists of those items that the inspectors will review, or need access to,

during the inspection. Please have this information available by the first day of the onsite

inspection week (June 1, 2015). The fourth group lists the information necessary to aid the

inspectors in tracking questions and answers identified as a result of the inspection. It is

requested that this information be provided to the lead inspector as the information is generated

during the inspection. It is important that all of these documents are up to date and complete in

order to minimize the number of additional documents requested during the preparation and/or

the onsite portions of the inspection.

OFFICIAL USE ONLY - SECURITY-RELATED INFORMATION

-3-

The team leader for this inspection is Greg Pick. We understand that our contact for this

inspection is Sherri Sweet. If there are any questions about the inspection or the material

requested, please contact Greg at (817) 200-1270 or via e-mail at greg.pick@nrc.gov.

This letter does not contain new or amended information collection requirements subject to the

Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). Existing information collection

requirements were approved by the Office of Management and Budget, control

number 3150-0011. The NRC may not conduct or sponsor, and a person is not required to

respond to, a request for information or an information collection requirement unless the

requesting document displays a currently valid Office of Management and Budget control

number.

This letter and the material enclosed herewith contains Security-Related Information in

accordance with 10 CFR 2.390(d)(1) and its disclosure to unauthorized individuals could

present a security vulnerability. Therefore, this letter and the material in the enclosure will not

be made available electronically for public inspection in the NRC Public Document Room or

from the Publicly Available Records (PARS) component of the NRC's Agencywide Documents

Access and Management System (ADAMS).

Sincerely,

/RA/ John Mateychick for

Gregory E. Werner, Branch Chief

Engineering Branch 2

Division of Reactor Safety

Docket: 50-416

License: NPF-29

Nonpublic Enclosure:

Cyber Security Temporary Instruction

(TI) 2201/004 (Milestones 1-7)

Request for Information