ML15245A542
| ML15245A542 | |
| Person / Time | |
|---|---|
| Site: | Diablo Canyon  |
| Issue date: | 09/30/2015 |
| From: | Lingham S Plant Licensing Branch IV |
| To: | Halpin E Pacific Gas & Electric Co |
| Lingam S | |
| References | |
| TAC MF5078, TAC MF5079 | |
| Download: ML15245A542 (20) | |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 Mr. Edward D. Halpin Senior Vice President and Chief Nuclear Officer Pacific Gas and Electric Company Diablo Canyon Power Plant P.O. Box 56, Mail Code 104/6 Avila Beach, CA 93424 September 30, 2015
SUBJECT:
DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2 - ISSUANCE OF AMENDMENTS REGARDING REVISION TO THE CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE COMPLETION DATE (TAC NOS. MF5078 AND MF5079)
Dear Mr. Halpin:
The U.S. Nuclear Regulatory Commission (the Commission) has issued the enclosed Amendment No. 220 to Facility Operating License No. DPR-80 and Amendment No. 222 to Facility Operating License No. DPR-82 for the Diablo Canyon Power Plant, Unit Nos. 1 and 2, respectively. The amendments consist of changes to the Cyber Security Plan (CSP) implementation schedule completion date in response to your application dated October 17, 2014, as supplemented by letter dated February 19, 2015.
The amendments revise the CSP Milestone h (commonly known as Milestone 8) full implementation schedule completion date from December 31, 2015, to December 31, 2017, and revise existing license conditions in the facility operating licenses to incorporate the revised CSP implementation schedule. Milestone h of the CSP implementation schedule concerns the full implementation of the CSP.
A copy of the related Safety Evaluation is enclosed. The Notice of Issuance will be included in the Commission's next regular biweekly Federal Register notice.
Docket Nos. 50-275 and 50-323
Enclosures:
- 1. Amendment No. 220 to DPR-80
- 2. Amendment No. 222 to DPR-82
- 3. Safety Evaluation cc w/encls: Distribution via Listserv Sincerely, Siva P. Lingam, Project Manager Plant Licensing Branch IV-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 PACIFIC GAS AND ELECTRIC COMPANY DOCKET NO. 50-275 DIABLO CANYON NUCLEAR POWER PLANT, UNIT NO. 1 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 220 License No. DPR-80
- 1.
The Nuclear Regulatory Commission (the Commission) has found that:
A.
The application for amendment by Pacific Gas and Electric Company (the licensee), dated October 17, 2014, as supplemented by letter dated February 19, 2015, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's regulations set forth in Title 10 of the Code of Federal Regulations ( 10 CFR) Chapter I; B.
The facility will operate in conformity with the application, the provisions of the*
Act, and the rules and regulations of the Commission; C.
There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D.
The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E.
The issuance of this amendment is in accordance with 1 O CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.
- 2.
Accordingly, the license is amended by changes to the Technical Specifications as indicated in the attachment to this license amendment, and Paragraph 2.C.(2) of Facility Operating License No. DPR-80 is hereby amended to read as follows:
(2)
Technical Specifications The Technical Specifications contained in Appendix A and the Environmental Protection Plan contained in Appendix B, as revised through Amendment No. 220, are hereby incorporated in the license. Pacific Gas & Electric Company shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan, except where otherwise stated in specific license conditions.
- 3.
In addition, Paragraph 2.E of Facility Operating License No. DPR-80 is hereby amended with additional text to read as follows:
PG&E shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).
The PG&E CSP was approved by License Amendment No. 210, as supplemented by a change approved by License Amendment No. 220.
- 4.
This license amendment is effective as of its date of issuance and shall be implemented within 60 days from the date of issuance. All subsequent changes to the NRG-approved CSP implementation schedule as approved by the NRC staff with this license amendment will require prior NRC approval pursuant to 10 CFR 50.90.
Attachment:
Changes to the Facility Operating License No. DPR-80 and Technical Specifications FOR THE NUCLEAR REGULATORY COMMISSION
~z~
Michael T. Markley, Chief Plant Licensing Branch IV-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Date of Issuance: September 3 o, 2O1 5
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 PACIFIC GAS AND ELECTRIC COMPANY DOCKET NO. 50-323 DIABLO CANYON NUCLEAR POWER PLANT, UNIT NO. 2 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 222 License No. DPR-82
- 1.
The Nuclear Regulatory Commission (the Commission) has found that:
A.
The application for amendment by Pacific Gas and Electric Company (the licensee), dated October 17, 2014, as supplemented by letter dated February 19, 2015, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's regulations set forth in Title 10 of the Code of Federal Regulations ( 10 CFR) Chapter I; B.
The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C.
There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D.
The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E.
The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.
- 2.
Accordingly, the license is amended by changes to the Technical Specifications as indicated in the attachment to this license amendment, and Paragraph 2.C.(2) of Facility Operating License No. DPR-82 is hereby amended to read as follows:
(2)
Technical Specifications (SSER 32. Section 8)* and Environmental Protection Plan The Technical Specifications contained in Appendix A and the Environmental Protection Plan contained in Appendix B, as revised through Amendment No. 222, are hereby incorporated in the license. Pacific* Gas & Electric Company shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan, except where otherwise stated in specific license conditions.
- 3.
In addition, Paragraph 2.E of Facility Operating License No. DPR-82 is hereby amended with additional text to read as follows:
PG&E shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).
The PG&E CSP was approved by License Amendment No. 212, as supplemented by a change approved by License Amendment No. 222.
- 4.
This license amendment is effective as of its date of issuance and shall be implemented within 60 days from the date of issuance. All subsequent changes to the NRC-approved CSP implementation schedule as approved by the NRC staff with this license amendment will require prior NRC approval pursuant to 10 CFR 50.90.
Attachment:
Changes to the Facility Operating License No. DPR-82 and Technical Specifications FOR THE NUCLEAR REGULA TORY COMMISSION Michael T. Markley, Chief Plant Licensing Branch IV-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Date of Issuance: September 30, 201 5
ATTACHMENT TO LICENSE AMENDMENT NO. 220 TO FACILITY OPERATING LICENSE NO. DPR-80 AND AMENDMENT NO. 222 TO FACILITY OPERATING LICENSE NO. DPR-82 DOCKET NOS. 50-275 AND 50-323 Replace the following pages of the Facility Operating License Nos. DPR-80 and DPR-82, and Appendix A Technical Specifications with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.
Facility Operating License No. DPR-80 REMOVE INSERT Facility Operating License No. DPR-82 REMOVE INSERT (4)
Pursuant to the Act and 10 CFR Parts 30, 40, and 70, to receive, possess, and use in amounts as required any byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components; and (5)
Pursuant to the Act and 10 CFR Parts 30, 40, and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility.
C.
This License shall be deemed to contain and is subject to the conditions specified in the Commission's regulations set forth in 10 CFR Chapter I and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:
(1)
Maximum Power Level The Pacific Gas and Electric Company is authorized to operate the facility at reactor core power levels not in excess of 3411 megawatts thermal (100% rated power) in accordance with the conditions specified herein.
(2)
Technical Specifications The Technical Specifications contained in Appendix A and the Environmental Protection Plan contained in Appendix B, as revised through Amendment No. 220 are _hereby incorporated in the license.
Pacific Gas & Electric Company shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan, except where otherwise stated in specific license conditions.
(3)
Initial Test Program The Pacific Gas and Electric Company shall conduct the post-fuel-loading initial test program (set forth in Section 14 of Pacific Gas and Electric Company's Final Safety Analysis Report, as amended), without making any major modifications of this program unless modifications have been identified and have received prior NRC approval. Major modifications are defined as:
- a.
Elimination of any test identified in Section 14 of PG&E's Final Safety Analysis Report as amended as being essential; Amendment No. 220 E.
Physical Protection The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54 (p). The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "Diablo Canyon Power Plant, Units 1 and 2 Physical Security Plan, by Training and Qualification Plan, and Safeguards Contingency Plan," submitted by letter dated May 16, 2006.
PG&E shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The PG&E CSP was approved by License Amendment No. 210, as supplemented by a change approved by License Amendment No. 220.
F.
Deleted.
G.
Deleted.
H.
Financial Protection.
PG&E shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.
I.
Mitigation Strategy License Condition Develop and maintain strategies for addressing large fires and explosions and that include the following key areas:
(a)
Fire fighting response strategy with the following elements:
- 1.
Pre-defined coordinated fire response strategy and guidance
- 2.
Assessment of mutual aid fire fighting assets
- 3.
Designated staging areas for equipment and materials
- 4.
Command and control
- 5.
Training of response personnel (b)
Operations to mitigate fuel damage considering the following:
- 1.
Protection and use of personnel assets
- 2.
Communications
- 3.
Minimizing fire spread
- 4.
Procedures for implementing integrated fire response strategy
- 5.
Identification of readily-available pre-staged equipment
- 6.
Training on integrated fire response strategy
- 7.
Spent fuel pool mitigation measures (c)
Actions to minimize release to include consideration of:
- 1.
Water spray scrubbing
- 2.
Dose to onsite responders Amendment No. 220 (4)
Pursuant to the Act and 1 O CFR Parts 30, 40, and 70, to receive, possess, and use in amounts as required any byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components; and (5)
Pursuant to the Act and 10 CFR Parts 30, 40, and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility.
C.
This License shall be deemed to contain and is subject to the conditions specified in the Commission's regulations set forth in 10 CFR Chapter I and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:
(1)
Maximum Power Level The Pacific Gas and Electric Company is authorized to operate the facility at reactor core power levels not in excess of 3411 megawatts thermal (100% rated power) in accordance with the conditions specified herein.
(2)
Technical Specifications (SSER 32. Section 8)* and Environmental Protection Plan The Technical Specifications contained in Appendix A and the Environmental Protection Plan contained in Appendix B, as revised through Amendment No. 222, are hereby incorporated in the license.
Pacific Gas & Electric Company shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan, except where otherwise stated in specific license conditions.
(3)
Initial Test Program (SSER 31. Section 4.4.1)
Any changes to the Initial Test Program described in Section 14 of the FSAR made in accordance with the provisions of 10 CFR 50.59 shall be reported in accordance with 50.59(b) within one month of such change.
- The parenthetical notation following the title of many license conditions denotes the section of the Safety Evaluation Report and/or its supplements wherein the license condition is discussed.
Amendment No. 222 (10)
Pipeway Structure DE and ODE Analysis (SSER 32, Section 4)
Prior to start-up following the first refueling outage PG&E shall complete a confirmatory analysis for the pipeway structure to further demonstrate the adequacy of the pipeway structure for load combinations that include the design earthquake (DE) and double design earthquake (DOE).
(11)
Spent Fuel Pool Modification The licensee is authorized to modify the spent fuel pool as described in the application dated October 30, 1985 (LAR 85-13) as supplemented.
Amendment No. 6 issued on May 30, 1986 and stayed by the U.S. Court of Appeals for the Ninth Circuit pending completion of NRC hearings is reinstated.
Prior to final conversion to the modified rack design, fuel may be stored, as needed, in either the modified storage racks described in Technical Specification 5.6.1.1 or in the unmodified storage racks (or both) which are designed and shall be maintained with a nominal 21-inch center-to-center distance between fuel assemblies placed in the storage racks.
(12)
Additional Conditions The Additional Conditions contained in Appendix D, as revised through Amendment No. 202, are hereby incorporated into this license. Pacific Gas and Electric Company shall operate the facility in accordance with the Additional Conditions.
D.
Exemption (SSER 31, Section 6.2.6)
An exemption from certain requirements of Appendix J to 10 CFR Part 50 is described in the Office of Nuclear Reactor Regulation's Safety Evaluation Report, Supplement No. 9. This exemption is authorized by law and will not endanger life or property or the common defense and security and is otherwise in the public interest. Therefore, this exemption previously granted in Facility Operating License No. DPR-81 pursuant to 10 CFR 50.12 is hereby reaffirmed. The facility will operate, with the exemption authorized, in conformity with the application, as amended, the provisions of the Act, and the regulations of the Commission.
E.
Physical Protection The licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provision of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "Diablo Canyon Power Plant, Units 1 and 2 Physical Security Plan, Training and Qualification Plan and Safeguards Contingency Plan," submitted by letter dated May 16, 2006.
PG&E shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The PG&E CSP was approved by License Amendment No. 212, as supplemented by a change approved by License Amendment No. 222.
Amendment No. 222
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 220 TO FACILITY OPERATING LICENSE NO. DPR-80 AND AMENDMENT NO. 222 TO FACILITY OPERATING LICENSE NO. DPR-82 PACIFIC GAS AND ELECTRIC COMPANY DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2 DOCKET NOS. 50-275 AND 50-323
1.0 INTRODUCTION
By letter dated October 17, 2014 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14290A603), as supplemented by letter dated February 19, 2015 (ADAMS Accession No. ML15050A437), Pacific Gas and Electric Company (PG&E, the licensee) submitted a license amendment request (LAA) to revise the Cyber Security Plan (CSP) Milestone h (commonly known as Milestone 8) full implementation schedule completion date from December 31, 2015, to December 31, 2017, for Diablo Canyon Power Plant (DCPP),
Unit Nos. 1 and 2. The supplemental letter dated February 19, 2015, provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the U.S. Nuclear Regulatory Commission (NRC) staff's original proposed no significant hazards consideration determination as published in the Federal Registeron April 7, 2015 (80 FR 18659).
2.0 REGULATORY EVALUATION
The NRC staff reviewed and approved the licensee's existing CSP implementation schedule for DCPP Unit Nos. 1 and 2 by License Amendment Nos. 210 and 212, respectively, dated July 15, 2011 (ADAMS Accession No. ML111640274). The NRC staff considered the following regulatory requirements and guidance in its review of the current license amendment request to modify the existing CSP implementation schedule:
Title 1 O of the Code of Federal Regulations (10 CFR), Section 73.54 states, in part: "Each [CSP] submittal must include a proposed implementation schedule.
Implementation of the licensee's CSP must be consistent with the approved schedule."
The licensee's facility operating licenses include license conditions that require the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP.
In a publicly-available NRC memorandum dated October 24, 2013 (ADAMS Accession No. ML13295A467), the NRC staff listed criteria to consider during evaluations of licensees' requests to postpone their CSP implementation date.
The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[l]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. MU 10980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRG-approved CSP implementation schedule, thus, will require prior NRC approval as required by 10 CFR 50.90.
3.0 TECHNICAL EVALUATION
3.1 Background
Amendment No. 210 to Facility Operating License (FOL) DPR-80 and Amendment No. 212 to FOL DPR-82 for DCPP Units 1 and 2, respectively, were issued on July 15, 2011 (ADAMS Accession No. ML111640274). The NRC staff approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued with the amendments. The implementation schedule had been submitted by the licensee based on a template prepared by the Nuclear Energy Institute (ADAMS Accession No. ML110600218), which the NRC staff found acceptable for licensees to use to develop their CSP implementation schedules (ADAMS Accession No. ML110070348). The licensee's proposed implementation schedule for the CSP identified completion dates and bases for the following eight milestones:
a)
Establish the Cyber Security Assessment Team (CSAT};
b)
Identify Critical Systems (CSs) and Critical Digital Assets (CDAs);
c)
Install a deterministic one-way device between lower level devices and higher level devices; d)
Implement the security control "Access Control For Portable And Mobile Devices;"
e)
Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds by incorporating the appropriate elements; f)
Identify, document, and implement technical cyber security controls in accordance with "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment; g)
Commence ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented; h)
Full implementation of the CSP for all safety, security and emergency preparedness functions.
3.2 Proposed Operating License Changes In the LAA dated October 17, 2014, the licensee proposed the following change to license conditions:
Current Paragraph 2.E of FOL No. DPR-80 for DCPP, Unit No. 1 states:
PG&E shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The PG&E CSP was approved by License Amendment No. 210.
Revised Paragraph 2.E of FOL No. DPR-80 for DCPP, Unit No. 1 would state:
PG&E shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 1 O CFR 50.90 and 10 CFR 50.54(p). The PG&E CSP was approved by License Amendment No. 210, as supplemented by a change approved by License Amendment No. 220.
Current Paragraph 2.E of FOL No. DPR-82 for DCPP, Unit No. 2 states:
PG&E shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 1 O CFR 50.90 and 10 CFR 50.54(p). The PG&E CSP was approved by License Amendment No. 212.
Revised Paragraph 2.E of FOL No. DPR-82 for DCPP, Unit No. 2 would state:
PG&E shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 1 O CFR 50.90 and 1 O CFR 50.54(p). The PG&E CSP was approved by License Amendment No. 212, as supplemented by a change approved by License Amendment No. 222.
3.3 Proposed Milestone h Change Currently, Milestone h of the DCPP CSP requires the licensee to fully implement the CSP by December 31, 2015. In its October 17, 2014, application, and February 19, 2015, supplement, PG&E proposed to change the Milestone h completion date to December 31, 2017.
3.4
NRC Staff Evaluation
The cyber security implementation schedule demonstrates the licensee's ongoing implementation of its CSP prior to full implementation. For DCPP, the date for full implementation is specified by Milestone h. CSP implementation activities include establishing a CSAT, identifying CSs and CDAs, installing deterministic one-way devices between defensive levels, implementing access control for portable and mobile devices, implementing methods to observe and identify obvious cyber-related tampering, and conducting ongoing monitoring and assessment activities for target set CDAs. In their aggregate, the interim milestones demonstrate ongoing implementation of the CSP.
The importance of ongoing implementation is reflected in the NRC staff's October 24, 2013, guidance for considering request~ to postpone the CSP full implementation date. The criteria in the guidance are:
- 1)
Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement.
- 2)
Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.
- 3)
A proposed completion date for Milestone 8 [Milestone h for DCPP] consistent with the remaining scope of work to be conducted and the resources available.
- 4)
An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall CSP in the context of milestones already completed.
- 5)
A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety consequences and with reactivity effects in the balance of plant.
- 6)
A discussion of the licensee's CSP performance up to the date of the license amendment request.
- 7)
A discussion of cyber security issues pending in the licensee's corrective action program.
- 8)
A discussion of modifications completed to support the CSP and a discussion of
. pending cyber security modifications.
The licensee submitted its application on October 17, 2014, after the NRC staff issued the guidance. The licensee's application addressed each of the criteria in the guidance. The NRC staff has evaluated the licensee's application addressing the above criteria in its submittal dated October 17, 2014, and its February 19, 2015, supplement. The NRC staff's evaluation is below, numbered as the criteria are above.
- 1) Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement.
The licensee stated that the requirement of the CSP that it needs additional time to implement is CSP Section 3.1, Analyzing Digital Computer Systems and Networks and Applying Cyber Security Controls. The licensee identified the challenges to completing implementation of the CSP requirement.
- 2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.
The licensee noted that there are ongoing issues that need resolution prior to completing implementation of CSP Section 3.1. These include CDA assessment; remediation activities; change management; and training on new processes, procedures and programs. The licensee stated it is experiencing major challenges with full implementation of Milestone h. It noted a significant effort associated with documentation of CDA assessment and analysis. More than 600 security controls must be addressed for each of approximately 2,300 CDAs. The rate of completion of CDA assessment does not support Milestone h completion within the current full implementation date. The licensee then stated DCPP underestimated the level of effort necessary to address security controls using the deterministic criteria in Section 3.1.6 of CSP.
The NRC staff acknowledges implementation issues with large numbers of CDAs and the need to address many controls for each. Based on the information provided by the license.e in its application, the NRC staff concludes that DCPP would not be able to fully implement its CSP by December 31, 2015. The staff recognizes that CDA assessment work is resource intensive and that the licensee has a large number of CDAs. The staff agrees remediation activities must be carefully considered. The staff understands that CSP implementation has created change management challenges as it has impacted many aspects of the licensee's plant processes including maintenance, engineering, and procurement. The staff understands that CSP implementation has affected longstanding training schedules. Based on the above, the NRC staff concludes that the licensee's explanation of the need for additional time is justified, given the unanticipated complexity and scope of the work required to come into full compliance with its CSP.
- 3) A proposed completion date for Milestone 8 [Milestone h for DCPP] consistent with the remaining scope of work to be conducted and the resources available.
The licensee proposed a Milestone h completion date of December 31, 2017, and stated the revised Milestone h date is necessary to perform CDA assessments, initiate design modifications based on assessment results, update existing procedures, and develop new program procedures to complete full implementation of the CSP. Additionally, it noted the revised completion date will provide adequate time to plan and schedule the implementation of design changes identified as a result of the CDA assessments.
Based on the license's application, the NRC staff concludes that delaying final implementation of the CSP will provide an opportunity for the licensee to complete the large volume of work in an orderly manner and avoid rework.
- 4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall CSP in the context of milestones already completed.
The licensee indicated it was secure based on the CSP activities already completed, and that PG&E will continue to ensure, that digital computer and communication systems and networks are protected adequately against cyber-attacks during implementation of the remainder of the program by the proposed Milestone h date. It then detailed the activities completed in each of the milestones a through g. The activities address significant cyber-attack vectors and applied controls to the most significant CDAs.
The NRC staff concludes the licensee provided sufficient justification that the additional time requested will not adversely impact the overall effectiveness of the CSP and is, therefore, acceptable.
- 5) A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety consequences and with reactivity effects in the balance of plant.
The licensee stated that its methodology for prioritizing Milestone h activities is centered on considerations for safety, security, emergency preparedness (EP), and balance of plant (BOP) consequences. The methodology is based on defense-in-depth, installed configuration of the CDA and susceptibility to commonly identified threat vectors. Prioritization for CDA assessment begins with safety-related CDAs and continues through lower priority non-safety and EP CDAs.
The NRC staff concludes that the licensee's methodology for prioritizing work on CDAs is sufficiently justified and is, therefore, acceptable.
- 6) A discussion of the licensee's CSP performance up to the date of the license amendment request.
The licensee stated that Milestone a through g activities and other actions implemented by December 31, 2012, provide a high degree of protection against cyber security related attacks.
The licensee discussed its implementation of various milestones that provide program controls and modifications for protection to significant CDAs from common attack vectors. Ongoing licensee Quality Assurance surveillances have concluded that the licensee has an effective program. The NRC staff's inspection issues were entered into the corrective action program (CAP) and are being addressed for program improvement. Ongoing monitoring and time-based periodic actions provide continuous program performance monitoring.
The NRC staff concludes that the licensee's completion of Milestones a through g provides assurance of protection against cyber-attacks. The NRC staff concludes that the licensee has sufficient quality tools at its disposal to verify the effectiveness of the CSP and to address program issues in its CAP and is, therefore, acceptable.
- 7) A discussion of cyber security issues pending in the licensee's corrective action program.
The licensee stated that the DCPP CAP is used to document all cyber security issues in order to trend, correct, and improve DCPP's CSP. The CAP database documents and tracks, from initiation through closure, cyber security required actions, including issues identified during ongoing program assessment activities. Adverse trends are monitored for program improvement and addressed via the CAP process. The licensee listed cyber security program issues and activities pending in the CAP.
The NRC staff concludes that the examples provided evidence of sufficient program development for implementation of an effective CAP for the CSP and is, therefore, acceptable.
- 8) A discussion of modifications completed to support the CSP and a discussion of pending cyber security modifications.
The licensee provided a discussion of completed modifications and pending modifications.
These are consistent with the discussions provided above. The licensee's completed and planned implementation actions provide assurance that digital computer and communication systems and networks are adequately protected against cyber-attacks, up to and including the design basis threat established by 10 CFR 73.1 (a)(1 )(v), until the full program is implemented by the proposed date. Therefore, the NRC staff concludes that the lipensee's request to delay final implementation of the CSP until December 31, 2017, is acceptable.
3.5 NRC Staff Conclusion
Based on its review of the licensee's submissions, the NRC staff concludes that implementation of Milestones a through g provides significant protection against cyber-attacks; that the licensee's explanation of the need for additional time is compelling, and that it is acceptable for DC~P to complete Milestone h (full implementation of the CSP) by December 31, 2017. The NRC staff has reasonable assurance that full implementation of the CSP by December 31, 2017, will provide adequate protection of the public health and safety and the common defense and security. The NRC staff also concludes that, upon full implementation of the licensee's CSP, the requirements of the licensee's CSP and 10 CFR 73.54 will be met.
Therefore, the NRC staff concludes that the proposed change is acceptable.
4.0 STATE CONSULTATION
In accordance with the Commission's regulations, the appropriate California State official was notified of the proposed issuance of the amendments. The State official had no comments.
5.0
- ENVIRONMENTAL CONSIDERATION The amendments relate solely to safeguards matters and do not involve any significant construction impacts. The amendments are an administrative change to extend the date by which the licensee must have its CSP fully implemented. Accordingly, the amendments meet the eligibility criteria for categorical exclusion set forth in 1 O CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments.
6.0 CONCLUSION
The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.
Principal Contributor:
J. Rycyna, NSIR/CSD Date: ;September 3 0, 201 5
ML15245A542 OFFICE NRR/DORL/LPL4-1/PM NAME Slingam DATE 09/02/2015 OFFICE OGC NAME JMaltese DATE 09/24/2015 Sincerely, IRA/
Siva P. Lingam, Project Manager Plant Licensing Branch IV-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation RidsNrrDorlDpr Resource RidsNrrLAJBurkhardt Resource RidsNrrPMDiabloCanyon Resource RidsRgn4MailCenter Resource J. Rycyna, NSIR/CSD
- via memo NRR/DORL/LPL4-1/LA NSIR/CSD/DD JBurkhardt (MHenderson for)
RFelts*
09/04/2015 8/28/15 NRR/DORL/LPL4-1 /BC NRR/DORL/LPL4-1 /PM MMarkley Sling am 09/30/2015 09/30/2015