NRR E-mail Capture - Concurrence on the SE for St. Lucie Cyber Security Plan Milestone 8 Amendment

ML15126A002
Person / Time
Site:	Saint Lucie
Issue date:	05/04/2015
From:	Russell Felts Office of Nuclear Security and Incident Response
To:	Shana Helton Plant Licensing Branch II
References
TAC MF4334, TAC MF4335
Download: ML15126A002 (22)
v • d • e

Text

NRR-PMDAPEm Resource From: Felts, Russell Sent: Monday, May 04, 2015 6:33 AM To: Helton, Shana Cc: Saba, Farideh; Tam, Peter; Rycyna, John

Subject:

RE: Concurrence on the SE for St. Lucie cyber security plan Milestone 8 amendment (TAC MF4334 and MF4335)

Attachments: Saint Lucie cyber security amendment TAC MF4334.docx

Shana, I concur on the attached draft amendment package for St Lucie.

Warm regards, Russ Russell Felts Deputy Director Cyber Security Directorate Office of Nuclear Security and Incident Response (301) 287-3734 (301) 287-3607 (direct)

(301) 512-3156 (cell)

From: Tam, Peter Sent: Friday, May 01, 2015 11:12 AM To: Felts, Russell; Rycyna, John Cc: Saba, Farideh; Helton, Shana

Subject:

Concurrence on the SE for St. Lucie cyber security plan Milestone 8 amendment (TAC MF4334 and MF4335)

Russell:

Using a draft SE provided by John Rycyna, I have prepared a draft amendment package (ADAMS Accession No. ML15121A182). Since the draft SE was not formally transmitted to us, I am now seeking your concurrence on the draft amendment package. A single-sentence email from you to my supervisor Shana Helton will satisfy this need. Thanks.

cxxÜ fA gtÅ Senior Project Manager - Rehired Annuitant Plant Licensing Branch 2-2 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation 1

Hearing Identifier: NRR_PMDA Email Number: 2041 Mail Envelope Properties (7B2090EE1041E5408EC15DF2B2ED88DD0A997A33E2)

Subject:

RE: Concurrence on the SE for St. Lucie cyber security plan Milestone 8 amendment (TAC MF4334 and MF4335)

Sent Date: 5/4/2015 6:32:41 AM Received Date: 5/4/2015 6:32:43 AM From: Felts, Russell Created By: Russell.Felts@nrc.gov Recipients:

"Saba, Farideh" <Farideh.Saba@nrc.gov>

Tracking Status: None "Tam, Peter" <Peter.Tam@nrc.gov>

Tracking Status: None "Rycyna, John" <John.Rycyna@nrc.gov>

Tracking Status: None "Helton, Shana" <Shana.Helton@nrc.gov>

Tracking Status: None Post Office: HQCLSTR01.nrc.gov Files Size Date & Time MESSAGE 1104 5/4/2015 6:32:43 AM Saint Lucie cyber security amendment TAC MF4334.docx 118127 Options Priority: Standard Return Notification: No Reply Requested: No Sensitivity: Normal Expiration Date:

Recipients Received:

Mr. Mano Nazar President and Chief Nuclear Officer Nuclear Division NextEra Energy P.O. Box 14000 700 Universe Boulevard Juno Beach, Florida 33408-0420

SUBJECT:

ST. LUCIE PLANT, UNIT NOS. 1 AND 2 - ISSUANCE OF AMENDMENTS TO REVISETHE CYBER SECURITY MILESTONE 8 COMPLETION DATE IN THE RENEWED FACILITY OPERATING LICENSES (TAC NOS. MF4334 AND MF4335)

Dear Mr. Nazar:

The U.S. Nuclear Regulatory Commission (NRC) has issued the enclosed Amendment Nos.

andto Renewed Facility Operating License Nos. DPR-67 and NPF-16 for the St. Lucie Plant, Unit Nos. 1 and 2, respectively. These amendments consistof changes to the Renewed Operating Licensesin response to your application dated June 30, 2014, as supplemented by letter dated August 19, 2014.

The amendments revise the completion date for Milestone 8, full implementation, of the Cyber Security Plan from December 31, 2015, to December 17, 2017.

The NRC staffsrelated safety evaluation of the amendmentsis enclosed. The Notice of Issuancewill be included in the Commissions biweekly Federal Register notice.

, as Sincerely, Farideh E. Saba, Senior Project Manager Plant Licensing Branch II-2 Division of Operator Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-335 and 50-389

Enclosures:

1. Amendment Nos. and

2. Safety Evaluation cc w/encls: Distribution via Listserv c

ML15121A182 OFFICE LPLII-2/PM LPLII-2/LA LPLII-2/LA NSIR/CSD/DD DSS/STSB NAME PTam LRonewicz BClayton RFelts RElliott DATE 5/1/15 5//15 5//15 / /15 / /15 OFFICE OGC LPLII-2/BC LPLII-2/PM NAME SHelton PTam DATE / /15 / /15 / /15 FLORIDA POWER & LIGHT COMPANY DOCKET NO. 50-335 ST. LUCIE PLANT, UNIT NO. 1 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No.

Renewed License No. DPR-67

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Florida Power & Light Company (FPL, the licensee), dated June 30, 2014,as supplemented on August 19, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

c

2. Accordingly, Renewed Facility Operating License No. DPR-67 is amended by changing paragraph 3.B to read as follows:

B. Technical Specifications The Technical Specifications contained in Appendices A and B, as revised through Amendment No., are hereby incorporated in the renewed license.

FPL shall operate the facility in accordance with the Technical Specifications.

3. Accordingly, Renewed Facility Operating License No. DPR-67 is also amended by changing the last sentence of paragraph 3.F, Physical Protection, to read as follows:

The St. Lucie CSP was approved by License Amendment No. 211 as supplemented by clarifications approved by License Amendment Nos. 214 and

4. This license amendment is effective as of its date of issuance and shall be implemented within 60 days.

FOR THE NUCLEAR REGULATORY COMMISSION Shana R. Helton, Chief Plant Licensing Branch II-2 Division of Operator Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the Renewed Facility Operating License Date of Issuance:

ATTACHMENT TO LICENSE AMENDMENT NO.

TO RENEWED FACILITY OPERATING LICENSE NO. DPR-67 DOCKET NO. 50-335 Replace the following pages of Renewed Facility Operating LicenseDPR-67 with the attached pages. The revised pagesare identified by amendment number and contain vertical lines indicating the areas of change.

Remove Page Insert Page 3 3 4 4 c

applicableprovisionsoftheActandtotherules,regulations,andordersofthe Commissionnoworhereafterineffect;andissubjecttotheadditionalconditions specifiedorincorporatedbelow:

A. MaximumPowerLevel FPLisauthorizedtooperatethefacilityatsteadystatereactorcorepowerlevels notinexcessof3020megawatts{thermal).

B. TechnicalSpecifications TheTechnicalSpecificationscontainedinAppendicesAandB,asrevised throughAmendmentNo.___areherebyincorporatedintherenewedlicense.

FPLshalloperatethefacilityinaccordancewiththeTechnicalSpecifications.

AppendixB, theEnvironmentalProtectionPlan(Non-Radiological),contains environmentalconditionsoftherenewedlicense. Ifsignificantdetrimentaleffects orevidenceofirreversibledamagearedetectedbythemonitoringprograms requiredbyAppendixBofthislicense,FPLwillprovidetheCommissionwithan analysisoftheproblemandplanofactiontobetakensubjecttoCommission approvaltoeliminateorsignificantlyreducethedetrimentaleffectsordamage.

C. UpdatedFinalSafetyAnalysisReport TheUpdatedFinalSafetyAnalysisReportsupplement submittedpursuantto 10CFR54.21(d),asrevisedonMarch28,2003,describescertainfuture activitiestobecompletedbeforetheperiodofextendedoperation. FPLshall completetheseactivitiesnolaterthanMarch1,2016,andshallnotifytheNRCin writingwhenimplementationoftheseactivitiesiscompleteandcanbeverifiedby NRCinspection.

TheUpdatedFinalSafetyAnalysisReportsupplementasrevisedonMarch28, 2003,describedabove,shallbeincludedinthenextscheduledupdatetothe UpdatedFinalSafetyAnalysisReportrequiredby10CFR50.71(e)(4),following issuanceofthisrenewedlicense. Untilthatupdateiscomplete,FPLmaymake changestotheprogramsdescribedinsuchsupplement withoutpriorCommission approval,providedthatFPLevaluateseachsuchchangepursuanttothecriteria setforthin10CFR50.59andotherwisecomplieswiththerequirementsinthat section.

D. SustainedCoreUncoveryActions Proceduralguidanceshallbeinplacetoinstructoperatorstoimplementactions thataredesignedtomitigateasmall-breakloss-of-coolant accidentpriortoa calculatedtimeofsustainedcoreuncovery.

RenewedLicenseNo.DPR-67 Amendment No._____

c

E. Fire Protection FPL shall implement and maintain in effect all provisions of the approved fireprotection program as described in the Updated Final Safety Analysis Report forthe facility (The fire protection program and features were originally described inFPL submittals L-83-514 dated October 7, 1983, L-83-227 dated April 12, 1983,L-83-261 dated April 25, 1983, L-83-453 dated August 24, 1983, L-83-488 datedSeptember 16,1983, L-83-588 dated December 14,1983, L-84-346 datedNovember 28, 1984, L-84-390 dated December 31, 1984, and L-85-71 datedFebruary 21, 1985) and as approved by NRC letter dated July. 17, 1984, andsupplemented by NRC letters dated February 21,1985, March 5,1987, andOctober 4, 1988, subject to the following provision:

FPL may make changes to the approved fire protection programwithout prior approval of the Commission only if those changeswouldnot adversely affect the ability to achieve and maintain safe shutdownin the event of a fire.

F. Physical Protection The licensee shall fully Implement and maintain in effect all provisions of theCommission-approved physical security. training and qualification, and safeguardscontingency plans including amendments made pursuant to provision of theMiscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55(51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and10 CFR 50.54(p). The combined set of plans, which contains SafeguardsInformation protected under 10 CFR 73.21, is entitled: "Florida Power and Light &FPL Energy Seabrook Physical Security Plan, Training and Qualification Plan andSafeguards Contingency Plan - Revision 3," submitted by letter datedMay 18. 2006. St. Lucie shall fully implement and maintain in effect all provisionsof the Commission-approved cyber security plan (CSP). including changes madepursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The St. LucieCSP was approved by License Amendment No. 211 as supplemented by clarifications approved by License Amendment Nos. 214 and _____.

G. Mitigation Strategy License Condition Develop and maintain strategies for addressing large fires and explosions andthat include the following key areas:

(a) Fire fighting response strategy with the following elements:

1. Pre-defined coordinated fire response strategy and guidance

2. Assessment of mutual aid fire fighting assets

3. Designated staging areas for equipment and materials

4. Command and control

5. Training of response personnel (b) Operations to mitigate fuel damage considering the following:

1. Protection and use of personnel assets

2. Communications

3. Minimizing fire spread

4. Procedures for implementing integrated fire response strategy

5. Identification of readily-available pre-staged equipment Renewed License No. DPR-67 Amendment No. 202, 211, 214, ___

c

FLORIDA POWER & LIGHT COMPANY DOCKET NO. 50-389 ST. LUCIE PLANT UNIT NO. 2 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No.

Renewed License No. NPF-16

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Florida Power & Light Company (FPL, the licensee), dated June 30, 2014,as supplemented on August 19, 2014, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2. Accordingly, Renewed Facility Operating License No. NPF-16 is amended by changing paragraph 3.B to read as follows:

B. Technical Specifications The Technical Specifications contained in Appendices A and B, as revised through Amendment No. ___, are hereby incorporated in the renewed license.

FPL shall operate the facility in accordance with the Technical Specifications.

3. Accordingly, Renewed Facility Operating License No. NPF-16 is also amended by changing the last sentence of paragraph 3.F, Physical Protection, to read as follows:

St. Lucie CSPwas approved by License Amendment No. 160 as supplemented by clarifications approved by License Amendment Nos. 164 and ____.

4. This license amendment is effective as of its date of issuance and shall be implemented within 60 days.

FOR THE NUCLEAR REGULATORY COMMISSION Shana R. Helton,Chief Plant Licensing Branch II-2 Division of Operator Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the Renewed Facility Operating License Date of Issuance:

ATTACHMENT TO LICENSE AMENDMENT NO.

TO RENEWED FACILITY OPERATING LICENSE NO. NPF-16 DOCKET NO. 50-389 Replace pages of Renewed Operating License NPF-16 as follows. The revised pages are identified by amendment number and contain vertical lines indicating the areas of change.

Remove Page Insert Page 3 3 5 5 c

neutronsourcesforreactorstartup,sealedsourcesforreactorinstrumentation andradiationmonitoringequipmentcalibration,andasfissiondetectorsin amountsasrequired.

D. PursuanttotheActand10CFRParts30,40,and70,FPLtoreceive,possess, anduseinamountsasrequiredanybyproduct,source,orspecialnuclear materialwithoutrestrictiontochemicalorphysicalform,forsampleanalysisor instrumentcalibrationorassociatedwithradioactiveapparatusorcomponents; and E. PursuanttotheActand10CFRParts30,40,and70,FPLtopossess,butnot separate,suchbyproductandspecialnuclearmaterialsasmaybeproducedby theoperationofthefacility.

3. Thisrenewedlicenseshallbedeemedtocontainandissubjecttotheconditions specifiedinthefollowingCommission'sregulations:10CFRPart20,Section30.34of 10CFRPart30,Section40.41of10CFRPart40,Section50.54and50.59of 10CFRPart50,andSection70.32of10CFRPart70;andissubjecttoallapplicable provisionsoftheActandtotherules,regulations,andordersoftheCommissionnowor hereafterineffect;andissubjecttotheadditionalconditionsspecifiedbelow:

A. MaximumPowerLevel FPLisauthorizedtooperatethefacilityatsteadystatereactorcorepowerlevels notinexcessof3020megawatts(thermal).

B. TechnicalSpecifications TheTechnicalSpecificationscontainedinAppendicesA and8,asrevised throughAmendmentNo.___areherebyincorporatedintherenewedlicense.

FPLshalloperatethefacilityinaccordance withtheTechnicalSpecifications.

RenewedLicenseNo.NPF-16 AmendmentNo.___

c

F. Physical Protection The licensee shall fully implement and maintain in effect all provisions of theCommission-approved physical security, training and qualification, andsafeguards contingency plans including amendments made pursuant toprovision of the Miscellaneous Amendments and Search Requirements revisionsto 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90and 10 CFR 50.54(p). The combined set of plans, which contains SafeguardsInformation protected under 10 CFR 73.21, is entitled: "Florida Power and Light &FPL Energy Seabrook Physical Security Plan, Training and Qualification Planand Safeguards Contingency Plan - Revision 3," submitted by letter datedMay 18, 2006. St. Lucie shall fully implement and maintain in effect all provisionsof the Commission-approved cyber security plan (CSP), including changes madepursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

St. Lucie CSP was approved by License Amendment No. 160 as supplemented by clarifications approved by License Amendment Nos. 164 and ____.

G. Before engaging in additional construction or operational activities which mayresult in a significant adverse environmental impact that was not evaluated orthat is significantly greater than that evaluated in the Final EnvironmentalStatement dated April 1982, FPL shall provide written notification to the Office ofNuclear Reactor Regulation.

H. DELETED I. FPL shall notify the Commission, as soon as possible but not later than onehour, of any accident at this facility which could result in an unplanned release ofquantities of fission products in excess of allowable limits for normal operationestablished by the Commission.

J. FPL shall have and maintain financial protection of such type and in suchamounts as the Commission shall require in accordance with Section 170 of theAtomic Energy Act of 1954, as amended, to cover public liability claims.

K. The use of ZIRLOTM clad fuel at St. Lucie Unit 2 will be subject to the followingrestrictions:

FPL will limit the fuel duty for St. Lucie Unit 2 to a baseline modified Fuel DutyIndex (mFDI) of 600 with a provision for adequate margin to account forvariations in core design (e.g., cycle length, plant operating conditions, etc).This limit will be applicable until data is available demonstrating the performanceof ZIRLOTM cladding at Combustion Engineering 16x16 plants.

FPL will restrict the mFDI of each ZIRLOTM clad fuel pin to 110 percent of thebaseline mFDI of 600.

For a fraction of the fuel pins in a limited number of assemblies (8), FPL willrestrict the fuel duty of ZIRLOTM clad fuel pins to 120 percent of the baselinemFDlof600.

Renewed License No. NPF-16

Amendment No. 150, 160, 164, ___

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR SECURITY AND INCIDENT RESPONSE RELATED TO AMENDMENT NOS.AND TO RENEWED FACILITY OPERATING LICENSE NOS. DPR-67 AND NPF-16 FLORIDA POWER & LIGHT COMPANY, ET AL.

ST. LUCIE PLANT, UNIT NOS. 1 AND 2 DOCKET NOS. 50-335 AND 50-389

1.0 INTRODUCTION

By letter dated June 30, 2014 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14192A022), as supplemented by letter dated August 19, 2014 (ADAMS Accession No. ML14241A422), Florida Power & Light Company (FPL, the licensee) submitted an application for amendment to revise the implementation date of Cyber Security Plan (CSP) Milestone 8. Milestone 8 of the CSP is concerned with the full implementation of the CSP.

Portions of the licenseesJune 30 and August 19, 2014, letterscontain sensitive unclassified non-safeguards information and, accordingly, those portions are withheld from public disclosure in accordance with the provisions of 10CFR2.390(d)(1). The accession numbers cited in the above paragraph refer to the publicly available redacted version.

For the subject application, as supplemented, the Nuclear Regulatory Commission (NRC) published its proposed no significant hazards consideration in the Federal Registeron November 4, 2014 (79 FR 65431).

2.0 REGULATORY EVALUATION

The NRC staff had previously reviewed and approved the licensees CSP implementation schedule by Amendment No. 211 and 160 for Saint Lucie Plant, Unit Nos. 1 and 2, respectively, and concurrently with the incorporation of the CSP into the current licensing bases. Subsequently, the NRC staff issued Amendment Nos. 214 and 164 to revise Milestone 6 for each unit, respectively.

The NRC staff considered the following regulatory requirements and guidance in its review of the current application for amendment to modify the existing CSP implementation schedule:

(1) Titlte 10 of the Code of Federal Regulations,Sectin 73.54 (10CFR73.54) states:

..Each [CSP] submittal must include a proposed implementation schedule. Implementation of the licensees cyber security program must be consistent with the approved schedule.

Enclosure

(2) Amendment No. 211 and Amendment No. 160, dated August 31, 2011, which approved the licensees CSP and implementation schedule, include the following statement: St.

Lucie shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

(3) In a publically available NRC memorandum, R. Feltsto B. Westreich,dated October 24, 2013 (ADAMS Accession No. ML13295A467), the NRC staff listed criteria that it would consider during its evaluations of licensees requests to postpone their cyber security program implementation date (commonly known as Milestone 8).

3.0 TECHNICAL EVALUATION

3.1 Licensees Requested Change By Amendment Nos. 211 (for Unit 1) and 160 (for Unit 2)the NRC staff approved the licensees CSP implementation schedule, as discussed in the safety evaluation issued concurrently with those amendments. The implementation schedule had been submitted by the licensee based on a template (ADAMS Accession No. ML110600218)prepared by the Nuclear Energy Institute (NEI), which the NRC staff found acceptable for licensees to use to develop their CSP implementation schedules. The licensees proposed implementation schedule for the St. Lucie Plant CSP identified completion dates and bases for the following eight milestones:

1) Establish the Cyber Security Assessment Team (CSAT);

2) Identify Critical Systems (CSs) and Critical Digital Assets (CDAs);

3) Install a data diode device between lower level devices and higher level devices;

4) Implement the security control Access Control For Portable And Mobile Devices;

5) Implement observation and identification of obvious cyber-related tampering to existing insider mitigation rounds;

6) Identify, document, and implement cyber security controls in accordance with Mitigation of Vulnerabilities and Application of Cyber Security Controls for CDAs that could adversely impact the design function of physical security target set equipment;

7) Ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented;

8) Fully implement the CSP.

Currently, Milestone 8 of the licensees CSP requires the licensee to fully implement the CSP by December 31, 2015. In its June 30, 2014, application, the licenseeproposed to change the Milestone 8 completion date to December 31, 2017. The licensees application addressed the 8 criteria in the NRCs October 24, 2014 guidance memorandum.

The licensee provided the following information pertinent to each of the criteria identified in the NRC guidance memorandum cited in Section 2.0 above.

(1) Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement.

The licensee stated that the specific CSP requirement requiring additional time to implement is CSP Section 3.1, Analyzing Digital Computer Systems and Networks

Applying CyberSecurity Controls. The licensee provided a list of activities required to implement the CSP requirements.

(2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

The licensee stated that CDA assessment work is resource-intensive.St. Lucie has approximately 2250 CDAs.

• Assessment is challenging due to uncertainty surrounding security controls interpretation.

• The licensee underestimated the level of effort necessary to address security controls.

• Rework is a major concern - budgets are approved in advance on a definedscope of work.

• The licensee will have to increase resources to cope with magnitude of the work identified.

The licensee stated that remediation activities need to be carefully considered:

• Security controls modifications are unique and new to the plant and suppliers.

• Plant modifications cannot affect plant safety and operation.

The licensee stated that there are change management challenges:

• Cyber security integrates into day-to-day plant operations, maintenance, engineering and procurement activities.

• Integration of controls takes longer than anticipated due to work control process and maintenance activities.

• Additional burden on maintenance to address security controls integrity during work on CDAs.

• Cyber security and controls being implemented on CDAs are new to maintenance, engineering and operations.

• Work control planners are challenged by the nuances associated with cyber security controls.

• Training and qualifications of maintenance personnel is a challenge.

• Modifications that added security controls have added new change management issues.

The licensee stated that site training needs and schedules need to be revised and training resources need to be addressed.

(3) A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

The licensee proposed a Milestone 8 completion date of December 31, 2017. The licensee also stated that changing the completion date of Milestone 8 will encompass two additional refueling outages per unit and provides adequate time to complete CDA

assessment, implement design modifications based on assessment results, update existing procedures and develop new procedures to complete full implementation of the CSP.

(4) An evaluation of the impact that theadditional timetoimplement therequirementswill haveon theeffectivenessofthelicensees overallcyber security program in the context of milestones already completed.

The licensee stated that, based on the CSP program implementation activities already completed and activities currently in progress, St. Lucie is secure and FPL will continue to ensure that digital computer and communications systems and networks are adequately protected against cyber attacks during implementation of the remainder of the program by the proposedMilestone 8 date of December 31, 2017. The completed activities provide a high degree of protection against cyber-attacks while St. Lucie implements the full CSP. The licensee provided details about implementation of each of the milestones.

(5) A description of the licensees methodology for prioritizing completion of work for critical digital assets associated with significant safety consequences and with reactivity effects in the balance of plant.

The licensee stated that its methodology for prioritizing the St. Lucie CSP Milestone 8 activities is centered on considerations for safety, security, emergency preparedness (EP), and balance-of-plant (continuity of power) consequences. The methodology is based on defense-in-depth, installed configuration of the CDA, and susceptibility to commonly identified threat vectors. Prioritization of CDA assessments begins with safety-related CDAs and continues through the lower priority non-safety-related and EP CDAs as follows:

• Safety-related CDAs

• Physical security CDAs

• Important-to-safety CDAs (including balance-of-plant CDAs that directly impact continuity of power and control system CDAs)

• Non-safety-related and EP CDAs (6) A discussion of the licensees cyber security program performance up to the date of the license amendment request.

The licensee stated that implementation of the requirements of Milestones 1 through 7 has been completed and these improvements are proviging a high degree of protection against cyber attacks, until full program implementation. Further, the licensee stated it has completed a comprehensive self-assessment for all 7 milestones to ensure completeness and effectiveness. Self-assessment issues were entered into the Corrective Action Program (CAP)and addressed for program improvement. Ongoing monitoring and periodic actions provide continuing program performance monitoring.

(7) A discussion of cyber security issues pending in the licensees corrective action program (CAP).

The licensee stated that the St. Lucie CAP is used to document all cyber issues in order to trend, correct, and improve the St. Lucie CSP. The CAP database documents and tracks, from initiation to closure, all cyber security required actions, including issues identified during ongoing program assessment activities. Adverse trends are monitored for program improvement and addressed via the CAP process. Examples of issues and activities pending in the CAP were provided.

(8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

The licensee provided a discussion of a completed modification.

3.2 NRC Staff Evaluation The NRC staff evaluated the licensees application using the regulatory requirements and the guidance cited in Section 2.0 above.

The licensee stated that the CSP requirement regarding additional time to implement is found in CSP Section 3.1,Analyzing Digital Computer Systems and Networks Applying Cyber Security Controls. The licensee provided a list of additional activities required to implement the CSP requirement.

The licensee indicated that completion of the activities associated with the CSP, as described in Milestones 1 through 7 and completed prior to December 31, 2012, provides a high degree of protection to ensure that the most significant digital computer and communication systems and networks associated with safety, security, and emergency preparedness systems are already protected against cyber attacks. It detailed activities completed for each milestone and noted that several elements of Milestone 8 have already been implemented or will be implemented by the original Milestone 8 date of September 30, 2014. It provided details about the completed milestones and elements. On such bases, the NRC staff finds that the licensees site is much more secure after implementation of Milestones 1 through 7 because the activities the licensee completed will mitigate the most significant cyber attack vectors for the most significant CDAs.

The licensee proposed a Milestone 8 completion date of December 31, 2017. The licensee stated that changing the completion date of Milestone 8 allows for two additional refueling outages per unit and provides adequate time to complete CDA assessment, implement design modifications based on assessment results, update existing procedures and develop new procedures to complete full implementation of the CSP. The NRC staff has had extensive interaction with the nuclear industry since licensees first developed their CSP implementation schedules. Based on this interaction, the NRC staff recognizes that CDA assessment work is much more complex and resource-intensive than originally anticipated. The licensee has a large number of CDAs and underestimated the level of effort to address security controls for each of the CDAs when developing its CSP implementation schedule. The NRC staff finds that the licensees request for additional time to implement Milestone 8 is reasonable given the unanticipated complexity and scope of the work required to come into full compliance with its CSP.

The licensee stated that its methodology for prioritizing the St. Lucie CSP Milestone 8 activities is centered on considerations for safety, security, emergency preparedness, and balance-of-plant (continuityof power) consequences. The methodology is based on defense-in-depth, installed configuration of the CDA, and susceptibility to five commonly identified threat vectors.

Prioritization of CDA assessments begins with safety-related CDAs and continues through the lower priority non-safety-related CDAs. The NRC staff finds that based on the large number of digital assets described above and the limited resources with the appropriate expertise to perform these activities, the licensees methodology for prioritizing work on CDAs is appropriate.

The NRC staff further finds that the licensees request to delay final implementation of the CSP until December 31, 2017, is reasonable given the complexity of the remaining unanticipated work and the need to perform certain work, including design changes, during scheduled fuel outages.

3.3 Revision to License Condition The licensee proposed to modify the part of License Condition 3.F of Renewed Facility Operating License No. DPR-67 as follows:

St. Lucie shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP). including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The St. Lucie CSP was approved by License Amendment No. 211 as supplemented by aClarifications approved by License Amendment No. 214 and No. _____.

The licensee proposed to modify the part of License Condition 3.F of Renewed Facility Operating License NPF-16 as follows:

St. Lucie shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP). including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). St. Lucie CSP was approved by License Amendment No. 160 as supplemented by aClarifications approved by License Amendment No. 164 and No. _____.

3.4 Summary of Technical Evaluation The NRC staff determines that the licensees request to delay full implementation of its CSP until December 31, 2017, is reasonable for the following reasons: (i) the licensees implementation of Milestones 1 through 7 already provides mitigation for significant cyber attack vectors for the most significant CDAs, as discussed above; (ii) the scope of the work required to come into full compliance with the CSP implementation schedule was much more complicated than anticipated and not reasonably foreseeable; and (iii) the licensee has reasonably prioritized and scheduled the work required to come into full compliance with its CSP implementation schedule.

Based on its review of the application, as supplemented, the NRC staff concludes that the licensees implementation of Milestones 1 through 7 has added additional protection which provides mitigation for significant cyber attack vectors forc the most significant CDAs, that the licensees explanation of the need for additional time is compelling, and that it is acceptable for the licensee to complete implementation of Milestone 8, full implementation of the CSP by

December 31, 2017. The NRC staff also concludes that, upon full implementation of the licensees cyber security program, the requirements of the licensees CSP and 10 CFR 73.54 will be met. Therefore, the NRC staff finds the proposed change acceptable.

The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC-approved CSP implementation schedule, thus, will require prior NRC approval as required by 10 CFR 50.90.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, Florida State official was notified of the proposed issuance of the amendment. The State official had no comment.

5.0 ENVIRONMENTAL CONSIDERATION

These amendments relate solely to safeguards matters and do not involve any significant construction impacts. Accordingly, these amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of these amendments.

6.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributor: John Rycyna ccDate: c