ML15267A381

From kanterella
Jump to navigation Jump to search

Issuance of Amendments Approval of Cyber Security Plan Milestone 8
ML15267A381
Person / Time
Site: Susquehanna  Talen Energy icon.png
Issue date: 11/02/2015
From: Jeffrey Whited
Plant Licensing Branch 1
To: Franke J
Susquehanna
Whited J, NRR/DORL/LPLI-2, 415-4090
References
CAC MF5357, CAC MF5358
Download: ML15267A381 (22)


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 November 2, 2015

SUBJECT:

SUSQUEHANNA STEAM ELECTRIC STATION, UNITS 1AND2- ISSUANCE OF AMENDMENTS RE: APPROVAL OF CYBER SECURITY PLAN MILESTONE 8 (CAC NOS. MF5357 AND MF5358)

Dear Mr. Franke:

The U.S. Nuclear Regulatory Commission has issued the enclosed Amendment Nos. 264 and 245 to Renewed Facility Operating License (RFOL) Nos. NPF-14 and NPF-22, for the Susquehanna Steam Electric Station, Units 1 and 2, respectively. These amendments consist of changes to the RFOLs in response to your application dated December 2, 2014, as supplemented by letters dated February 12, 2015; May 4, 2015; and August 28, 2015.

These amendments revise the scheduled completion date for Milestone 8 of the Cyber Security Plan (CSP) implementation schedule, and the existing license conditions in the RFOLs.

Milestone 8 of the CSP implementation schedule concerns the full implementation of the CSP.

A copy of the NRC staff's safety evaluation is also enclosed. Notice of Issuance will be included in the Commission's next regular Biweekly Federal Register Notice.

Sincerely, iJ4 A rJ.:4 Jeffrey A. Whited, Project Manager Plant Licensing Branch 1-2 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-387 and 50-388

Enclosures:

1. Amendment No. 264 to RFOL No. NPF-14
2. Amendment No. 245 to RFOL No. NPF-22
3. Safety Evaluation cc w/enclosures: Distribution via Listserv

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SUSQUEHANNA NUCLEAR. LLC ALLEGHENY ELECTRIC COOPERATIVE, INC.

DOCKET NO. 50-387 SUSQUEHANNA STEAM ELECTRIC STATION. UNIT 1 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 264 Renewed License No. NPF-14

1. The U.S. Nuclear Regulatory Commission (the Commission or the NRC) having found that:

A The application for the amendment filed by Susquehanna Nuclear, LLC, dated December 2, 2014, as supplemented by letters dated February 12, 2015; May 4, 2015; and August 28, 2015, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's regulations set forth in Title 1O of the Code of Federal Regulations ( 10 CFR)

Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the regulations of the Commission; C. There is reasonable assurance: (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 1

2. Accordingly, the license is amended by changes to the Renewed Facility Operating License as indicated in the attachment to this license amendment, and paragraph 2.C.(2) of Renewed Facility Operating License No. NPF-14 is hereby amended to read as follows:

(2) Technical Specifications and Environmental Protection Plan The Technical Specifications contained in Appendix A, as revised through Amendment No. 264, and the Environmental Protection Plan contained in Appendix B are hereby incorporated in the license. Susquehanna Nuclear, LLC shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan.

3. In addition, the second paragraph of 2.D in Renewed Facility Operating License No. NPF-14 is hereby amended to read as follows:

The operating licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP),

including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Susquehanna Nuclear, LLC CSP was approved by License Amendment No. 255 and modified by License Amendment Nos. 258 and 264.

4. The license amendment is effective as of its date of issuance and shall be implemented within 60 days of issuance. The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule, as submitted by the licensee by letter dated July 22, 2010; as revised by letters dated April 4, 2011, April 30, 2012, December 2, 2014, and August 28, 2015; and as approved by the NRC staff with this license amendment. All subsequent changes to the NRG-approved CSP implementation schedule will require prior NRC approval, pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION

~-f)S~

Douglas A. Broaddus, Chief Plant Licensing Branch 1-2 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the Renewed Facility Operating License Date of Issuance: November 2, 201 5

ATTACHMENT TO LICENSE AMENDMENT NO. 264 RENEWED FACILITY OPERATING LICENSE NO. NPF-14 DOCKET NO. 50-387 Replace the following pages of the Renewed Facility Operating License with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

REMOVE INSERT 3 3 19 19

(3) Susquehanna Nuclear, LLC, pursuant to the Act and 10 CFR Parts 30, 40, and 70, to receive, possess, and use at any time any byproduct, source and special nuclear material as sealed neutron sources for reactor startup, sealed neutron sources for reactor instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required; (4) Susquehanna Nuclear, LLC, pursuant to the Act and 10 CFR Parts 30, 40, and 70 to receive, possess, and use in amounts as required any byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components; and (5) Susquehanna Nuclear, LLC, pursuant to the Act and 10 CFR Parts 30, 40, and 70 to possess, but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility.

C. This license shall be deemed to contain and is subject to the conditions specified in the Commission's regulations set forth in 10 CFR Chapter I and is subject to all applicable provisions of the Act and to the rules, regulations and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level Susquehanna Nuclear, LLC is authorized to operate the facility at reactor core power levels not in excess of 3952 megawatts thermal in accordance with the conditions specified herein. The preoperational tests, startup tests and other items identified in License Conditions 2.C.(36), 2.C.(37), 2.C.(38), and 2.C.(39) to this license shall be completed as specified.

(2) Technical Specifications and Environmental Protection Plan The Technical Specifications contained in Appendix A, as revised through Amendment No. 264 and the Environmental Protection Plan contained in Appendix B are hereby incorporated in the license. Susquehanna Nuclear, LLC shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan.

For Surveillance Requirements (SRs) that are new in Amendment 178 to Facility Operating License No. NPF-14, the first performance is due at the end of the first surveillance interval that begins at implementation of Amendment 178. For SRs that existed prior to Amendment 178, including SRs with modified acceptance criteria and SRs whose frequency of performance is being extended, the first performance is due at the end of the first surveillance interval that begins on the date the Surveillance was last performed prior to implementation of Amendment 178.

Renewed Operating License No. NPF-14 Amendment No. 264

(39) Containment Operability for EPU The operating licensee shall ensure that the CPPU containment analysis is consistent with the SSES 1 and 2 operating and emergency procedures.

Prior to operation above CLTP, for each respective unit, the operating licensee shall notify the NRC project manager that all appropriate actions have been completed.

(40) Primary Containment Leakage Rate Testing Program Those primary containment local leak rate program tests (Type B - leakage-boundary and Type C - containment isolation valves) as modified by approved exemptions, required by 10 CFR Part 50, Appendix J, Option B and Technical Specification 5.5.12, are not required to be performed at the CPPU peak calculated containment internal pressure of 48.6 psig (Amendment No. 246 to this Operating License) until their next required performance.

D. The operating licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plan, which contains Safeguards Information protected under 10 CFR 73.21, is entitled:

"Physical Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Security and Contingency Plan for Independent Spent Fuel Storage Facility," and was submitted October 8, 2004.

The operating licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Susquehanna Nuclear, LLC CSP was approved by License Amendment No. 255 and modified by License Amendment Nos. 258 and 264.

E. Exemptions from certain requirements of Appendices G and H to 10 CFR Part 50 are described in the Safety Evaluation Report and Supplements 1 and 2 to the Safety Evaluation Report. In addition, an exemption was requested until receipt of new fuel for first refueling from the requirements for criticality monitors in the spent fuel pool area, 10 CFR Part 70.24. Also, an exemption was requested from the requirements of Appendix J of 10 CFR Part 50 for the first fuel cycle when performing local leak rate testing of Residual Heat Removal (RHR) relief valves in accordance with Technical Specification 4.6.1.2. This latter exemption is described in the safety evaluation of License Amendment No. 13. These exemptions are authorized by law and will not endanger life or property or the common defense and security and are otherwise in the public interest and have been granted pursuant to 10 CFR 50.12. Except as here exempted, the facility will operate, to the extent authorized herein, in conformity with the application, as amended, and the rules and regulations of the Commission and the provisions of the Act.

Renewed Operating License No. NPF-14 Amendment No. 2§6, 258, 202, 264

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SUSQUEHANNA NUCLEAR. LLC ALLEGHENY ELECTRIC COOPERATIVE. INC.

DOCKET NO. 50-388 SUSQUEHANNA STEAM ELECTRIC STATION. UNIT 2 AMENDMENT TO RENEWED FACILITY OPERATING LICENSE Amendment No. 245 Renewed License No. NPF-22

1. The U.S. Nuclear Regulatory Commission (the Commission or the NRC) having found that:

A. The application for the amendment filed by Susquehanna Nuclear, LLC, dated December 2, 2014, as supplemented by letters dated February 12, 2015; May 4, 2015; and August 28, 2015, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's regulations set forth in Title 10 of the Code of Federal Regulations (10 CFR)

Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the regulations of the Commission; C. There is reasonable assurance: (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 2

2. Accordingly, the license is amended by changes to the Renewed Facility Operating License as indicated in the attachment to this license amendment and paragraph 2.C.(2) of the Renewed Facility Operating License No. NPF-22 is hereby amended to read as follows:

(2) Technical Specifications and Environmental Protection Plan The Technical Specifications contained in Appendix A, as revised through Amendment No. 245, and the Environmental Protection Plan contained in Appendix B, are hereby incorporated in the license. PPL Susquehanna, LLC shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan.

3. In addition, the second paragraph of 2.D in Renewed Facility Operating License No. NPF-22 is hereby amended to read as follows:

The operating licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP),

including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Susquehanna Nuclear, LLC CSP was approved by License Amendment No. 235 and modified by License Amendment Nos. 239 and 245.

4. The license amendment is effective as of its date of issuance and shall be implemented within 60 days of issuance. The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule, as submitted by the licensee by letter dated July 22, 201 O; as revised by letters dated April 4, 2011, April 30, 2012, December 2, 2014, and August 28, 2015; and as approved by the NRC staff with this license amendment. All subsequent changes to the NRG-approved CSP implementation schedule will require prior NRC approval, pursuant to 10 CFR 50.90.

FOR THE NUCLEAR REGULATORY COMMISSION

c. fjS~

Douglas A Broaddus, Chief Plant Licensing Branch 1-2 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the Renewed Facility Operating License Date of Issuance: November 2, 2015

ATTACHMENT TO LICENSE AMENDMENT NO. 245 RENEWED FACILITY OPERATING LICENSE NO. NPF-22 DOCKET NO. 50-388 Replace the following pages of the Renewed Facility Operating License with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

REMOVE INSERT 3 3 15 15

(3) Susquehanna Nuclear, LLC, pursuant to the Act and 10 CFR Parts 30, 40, and 70, to receive, possess, and use at any time any byproduct, source and special nuclear material as sealed neutron sources for reactor startup, sealed neutron sources for reactor instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required; (4) Susquehanna Nuclear, LLC, pursuant to the Act and 10 CFR Parts 30, 40, and 70, to receive, possess, and use in amounts as required any byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components; and (5) Susquehanna Nuclear, LLC, pursuant to the Act and 10 CFR Parts 30, 40, and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility.

C. This license shall be deemed to contain and is subject to the conditions specified in the Commission's regulations set forth in 10 CFR Chapter I and is subject to all applicable provisions of the Act and to the rules, regulations and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level Susquehanna Nuclear, LLC is authorized to operate the facility at reactor core power levels not in excess of 3952 megawatts thermal in accordance with the conditions specified herein. The preoperational test, startup tests and other items identified in License Conditions 2.C.(20), 2.C.(21), 2.C.(22), and 2.C.(23) to this license shall be completed as specified.

(2) Technical Specifications and Environmental Protection Plan The Technical Specifications contained in Appendix A, as revised through Amendment No. 245, and the Environmental Protection Plan contained in Appendix B, are hereby incorporated in the license. Susquehanna Nuclear, LLC shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan.

For Surveillance Requirements (SRs) that are new in Amendment 151 to Facility Operating License No. NPF-22, the first performance is due at the end of the first surveillance interval that begins at implementation of Amendment 151. For SRs that existed prior to Amendment 151, including SRs with modified acceptance criteria and SRs whose frequency of performance is being extended, the first performance is due at the end of the first surveillance interval that begins on the date the Surveillance was last performed prior to implementation of Amendment 151.

Renewed Operating License No. NPF-22 Amendment No. 245

EMF-2209(P), Revision 2, Addendum 1 is published and the operating licensee verifies that the additive constants from the approved report have been incorporated in the cycle specific analyses.

D. The operating licensee shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The plan, which contains Safeguards Information protected under 10 CFR 73.21, is entitled: "Physical Security Plan, Training and Qualification Plan, Safeguards Contingency Plan and Security and Contingency Plan for Independent Spent Fuel Storage Facility," and was submitted October 8, 2004.

The operating licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Susquehanna Nuclear, LLC CSP was approved by License Amendment No. 235 and modified by License Amendment Nos. 239 and 245.

E. DELETED F. Susquehanna Nuclear, LLC shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

G. The information in the Updated Final Safety Analysis Report (UFSAR) supplement, as revised, submitted pursuant to 10 CFR 54.21 (d), shall be incorporated into the UFSAR no later than the next scheduled update required by 10 CFR 50.71(e) following the issuance of this renewed operating license. Until this update is complete, the operating licensee may not make changes to the information in the supplement.

Following incorporation into the UFSAR, the need for prior Commission approval of any changes will be governed by 10 CFR 50.59.

H. The UFSAR supplement, as revised, submitted pursuant to 10 CFR 54.21 (d),

describes certain future activities to be completed prior to and/or during the period of extended operation. The licensee shall complete these activities in accordance with Appendix A of NUREG-1931, "Safety Evaluation Report Related to the Susquehanna Steam Electric Station, Units 1 and 2," dated November, 2009. The licensee shall notify the NRC in writing when activities to be completed prior to the period of extended operation are complete and can be verified by NRC inspection.

I. All capsules in the reactor vessel that are removed and tested must meet the requirements of American Society for Testing and Materials (ASTM) E 185-82 to the extent practicable for the configuration of the specimens in the capsule. Any changes to the capsule withdrawal schedule, including spare capsules, must be approved by the staff prior to implementation. All capsules placed in storage must be maintained for future insertion. Any changes to storage requirements must be approved by the staff, as required by 10 CFR Part 50, Appendix H.

Renewed Operating License No. NPF-22 Amendment No. ~. ~. 24J, 245

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NOS. 264 AND 245 TO RENEWED FACILITY OPERATING LICENSE NOS. NPF-14 AND NPF-22 SUSQUEHANNA NUCLEAR. LLC ALLEGHENY ELECTRIC COOPERATIVE. INC.

SUSQUEHANNA STEAM ELECTRIC STATION. UNITS 1 AND 2 DOCKET NOS. 50-387 AND 50-388

1.0 INTRODUCTION

By application dated December 2, 2014 (Reference 1), as supplemented by letters dated February 12, 2015 (Reference 2), May 4, 2015 (Reference 3), and August 28, 2015 (Reference 4) Susquehanna Nuclear, LLC (Susquehanna, the licensee) submitted a license amendment request (LAR), proposing changes to Renewed Facility Operating License (RFOL)

Nos. NPF-14 and NPF-22 for the Susquehanna Steam Electric Station, Units 1 and 2 (SSES),

respectively.

The proposed amendments would revise the Cyber Security Plan (CSP) Milestone 8 completion date. In addition, the amendments would revise the existing license condition in the SSES RFOLs, which requires the licensee to fully implement and maintain in effect all provisions of the U.S. Nuclear Regulatory Commission (NRC or Commission)-approved CSP. Milestone 8 of the CSP implementation schedule concerns the full implementation of the CSP. The CSP and associated implementation schedule for SSES were previously approved by the NRC staff by letters dated July 21, 2011 (Reference 5), and October 17, 2012 (Reference 6). Portions of References 1 and 2 contain sensitive unclassified non-safeguards information, and those portions are withheld from public disclosure in accordance with the provisions of Title 10 of the Code of Federal Regulations (10 CFR) Section 2.390(d)(1).

The supplemental letter dated August 28, 2015, provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the NRC staff's original proposed no significant hazards consideration determination as published in the Federal Register on July 7, 2015 (80 FR 38776).

Enclosure 3

This LAR was submitted by PPL Susquehanna, LLC; however, on June 1, 2015 (Reference 7),

the NRC staff issued an amendment changing the name on the SSES license from PPL Susquehanna, LLC to Susquehanna Nuclear, LLC. This amendment was issued subsequent to an order issued to SSES on April 10, 2015 (Reference 8), approving an indirect license transfer of the SSES license to Talen Energy Corporation.

2.0 REGULATORY EVALUATION

2.1 SSES Units 1 and 2 CSP In Reference 5, the NRC staff issued a license amendment approving the licensee's existing CSP implementation schedule, concurrent with the incorporation of the CSP into the facilities' current licensing bases. The licensee's CSP implementation schedule was based on a template developed by the Nuclear Energy Institute, which the NRC staff found acceptable for licensees to use (Reference 9). The licensee's proposed implementation schedule for the cyber security program identified completion dates and bases for the following eight milestones:

1. Establish the Cyber Security Assessment Team (CSAT);
2. Identify critical systems and critical digital assets (CDAs);
3. Install a deterministic one-way device between lower level devices and higher level devices;
4. Implement the security control, "Access Control for Portable and Mobile Devices";
5. Implement observation and identification of obvious cyber-related tampering to existing insider mitigation rounds by incorporating the appropriate elements;
6. Identify, document, and implement technical cyber security controls in accordance with "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment;
7. Commence ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented; and
8. Fully implement the CSP for all safety, security, and emergency preparedness functions (Milestone 8).

In Reference 6, the NRC staff issued a license amendment approving revisions to CSP Milestones 3 and 6.

2.2 Description of Proposed Changes Currently, Milestone 8 of the SSES CSP requires the licensee to fully implement the CSP by December 1, 2015. In Reference 1, Susquehanna proposed to change the Milestone 8 completion date to July 1, 2018. However, in Reference 4, Susquehanna revised this request

and proposed to change the Milestone 8 completion date to December 31, 2017. The change in the proposed completion date was based on conversations between Susquehanna and the NRC staff.

In Reference 1, the licensee proposed to modify paragraph 2.D of RFOL Nos. NPF-14 and NPF-22 for SSES. License Condition 2.D requires the licensee to fully implement and maintain in effect all provisions of the NRG-approved CSP, including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

Following the approval of this license amendment, the license condition in paragraph 2. D of RFOL No. NPF-14 for SSES, Unit 1, will be revised to state:

The operating licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Susquehanna Nuclear, LLC CSP was approved by License Amendment No. 255 and modified by License Amendment Nos. 258 and 264.

Following the approval of this license amendment, the license condition in paragraph 2.D of RFOL No. NPF-22 for SSES, Unit 2, will be revised to state:

The operating licensee shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Susquehanna Nuclear, LLC CSP was approved by License Amendment No. 235 and modified by License Amendment Nos. 239 and 245.

2.3. Regulatory Review The NRC staff considered the following plant-specific licensing basis information, regulatory requirements and guidance in its review of the current LAR to modify the existing CSP implementation schedule:

  • 10 CFR Section 73.54, "Protection of digital computer and communication systems and networks," states, in part: "Each [CSP] submittal must include a proposed implementation schedule. Implementation of the licensee's cyber security program must be consistent with the approved schedule."
  • The licensee's RFOLs include License Condition 2. D that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP, including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).
  • Reference 5, which approved the licensee's CSP and implementation schedule, included the following statement: "The implementation of the CSP, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee by letter July 22, 2010, as supplemented by letter dated April 4, 2011, and approved by the NRC staff with this license amendment.

All subsequent changes to the NRG-approved CSP implementation schedule will require prior NRG approval pursuant to 10 CFR 50.90."

  • Review criteria provided by the NRC staff in a publically available memorandum dated October 24, 2013 (Reference 10). The NRC staff listed criteria to consider during evaluations of licensees' requests to postpone their CSP implementation date (commonly known as Milestone 8).

The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement of 10 CFR 73.54, which states, "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRG staff explained in its letter to all operating reactor licensees dated May 9, 2011 (Reference 11 ), the implementation of the plan, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. Thus, all subsequent changes to the NRG-approved CSP implementation schedule will require prior NRC approval as required by 10 CFR 50.90.

3.0 TECHNICAL EVALUATION

3.1 Licensee's Proposed Change The NRC staff evaluated the licensee's LAR against the regulatory requirements and the guidance cited in Section 2.0 of this safety evaluation. In its LAR, the licensee provided the following information pertinent to each of the eight criteria identified in the NRC guidance memorandum (Reference 10):

1) Identification of the specific requirement or requirements of the CSP that the licensee needs additional time to implement.

The licensee stated that additional time was needed to implement Section 3, "Analyzing Digital Computer Systems and Networks and Applying Security Controls," of the CSP. The licensee further noted that CDA assessment work is resource intensive; solution development life cycle and implementation is process intensive; remediation activities need to be carefully considered; there are change management challenges; and that training is required on new programs, processes, and procedures.

2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

The licensee stated that despite a project team of 15 full-time-equivalent staff, including qualified information systems security professionals, SSES is experiencing major challenges with full implementation of Milestone 8. The primary contributing factors to these challenges include a large volume of effort associated with documentation of CDA assessment and analysis using the deterministic process in CSP Section 3.1. Despite the project team size, the rate of completion of CDA assessment does not support the Milestone 8 completion within the

current full implementation date. Likely scope changes concerning CDA identification and security controls will require significant rework, such as:

  • changes to newly issued procedures and updated existing procedures;
  • revision of training materials and delivery of training;
  • CDA assessment tool rework, programming, and validation; and
  • rework to adjust completed CDA assessment work.

The licensee also stated that CDA assessment work is resource intensive:

  • SSES underestimated the level of effort necessary to address security controls using the deterministic criteria in CSP Section 3.1.6.
  • CSAT review of table tops, walk downs, and assessment documentation is very resource intensive and time consuming.
  • Rework is a major concern since budgets are approved in advance based on the defined scope that considers a limited amount of rework.
  • SSES will need to increase resources to cope with the magnitude of work involved in each CDA assessment.

The licensee went on to detail further reasons additional time is needed to implement Milestone 8. In summary, the reasons include:

  • challenges in procurement of new cyber equipment;
  • suppliers releasing products that have not been adequately documented and tested, requiring corrective action investigations by Susquehanna;
  • new tasks added to normal maintenance activities;
  • challenges integrating cyber security controls into control process and maintenance activities; and
  • significant challenges regarding the training of personnel to support all facets of CSP implementation.
3) A proposed completion date consistent with the remaining scope of work and the resources available.

The licensee initially proposed a Milestone 8 completion date of July 1, 2018, but revised that date to December 31, 2017. The licensee also provided the following information:

  • SSES has implemented all Milestone 1 through 7 requirements.
  • SSES is on track to design all Milestone 8 cyber security-related modifications in 2016, with the implementation completed by the end of 2017.
  • The two primary factors in SSES's extension request are the ongoing identification of cyber control 'gaps' in CDAs and the need to design and implement modifications (engineering changes) to close any gaps identified in the CDA analysis.
  • SSES is on track to complete the CDA analysis and define methods to close any gaps by the end of February 2016. This work is an input to the design and implementation of plant modifications, which will be completed in stages.
  • Non-outage modifications will be implemented in 2016 and 2017; Unit 2 outage modifications will be implemented in 2017.
  • SSES is on track to complete all non-outage and Unit 2 related work by the end of 2017.

In concert with the work already completed, this will provide SSES with substantial cyber security protections.

4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.

Section 4.4 of Reference 1 states, in part, that:

Based on the cyber security implementation activities already completed, and completion of activities already in progress, SSES is cyber secure and will continue to ensure that digital computer and communication systems and networks are adequately protected against cyber-attacks during implementation of the remainder of the program by the proposed [Milestone] 8 date of

[December31,201n.

SSES has completed the implementation of the Interim Milestones 1 through 7 required by December 31, 2012. []The completed activities provide a high degree of protection against cyber security attacks while SSES implements the full program. [ ]

The additional time requested to complete [Milestone] 8 will not impact the over-all effectiveness of the cyber security program. Considering the cyber security program currently in place, the completed Milestones 1 through 7, [] and prioritizing completion of activities in progress, there is no impact to SSES's safe and reliable power operation. The extended [Milestone] 8 date will allow for completion of the CDA assessments and the resultant remediation. The revised date encompasses [] additional refueling outages for implementation of modifications required as a result of the CDA assessments. The [Milestone] 8 extension will also provide time to fully integrate the cyber security plan into plant programs, processes, procedures and training.

The licensee also provided a detailed discussion about implementation of each milestone.

5) A description of the licensee's methodology for prioritizing completion of work for CDAs associated with significant safety consequences and with reactivity effects in the balance of plant (BOP).

Section 4.5 of Reference 1 states, in part, that:

SSES methodology for prioritizing [Milestone] 8 activities and CDA assessments includes considerations for safety, security, emergency preparedness (EP), and BOP (continuity of power) consequences. The methodology includes consideration of the defense in depth, installed configuration of CDAs and

susceptibility to the five commonly identified threat vectors listed in the NRC Cyber Security SOP (significance determination process). The SSES prioritization for CDA assessments will also address the impact and schedule effect of "Outage based Modifications.

6) A discussion of the licensee's cyber security program performance up to the date of the LAR.

The licensee stated Milestones 1 through 7 activities were completed by December 31, 2012, and provide a high degree of protection against cyber security-related attacks during implementation of the full program. The licensee discussed significant aspects of its program and noted that a Nuclear Oversight audit of all seven interim milestones and ongoing quality assurance surveillances under the physical security surveillance program have concluded that SSES has an effective program. Audit issues were entered into the corrective action program (CAP) database and addressed for program improvement. SSES has performed a comprehensive self-assessment for all seven milestones to ensure completeness and effectiveness of the implemented actions and is implementing ongoing monitoring and time-based periodic actions to provide continuing program performance monitoring.

7) A discussion of cyber security issues pending in the licensee's CAP.

Section 4. 7 of Reference 1 states, in part, that:

SSES uses the site CAP to document all cyber issues in order to trend, correct, and improve the SSES cyber security program. The CAP database documents and tracks from initiation through closure, all cyber security required actions including issues identified during on-going program assessment activities.

Adverse trends are monitored for program improvement and addressed via the CAP process.

The licensee provided examples of cyber issues in its CAP.

8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

The licensee provided a discussion of completed modifications and pending modifications.

3.2 NRC Staff Evaluation The NRC staff has had extensive interaction with the nuclear industry since licensees first developed their CSP implementation schedules. Based on this interaction, the NRC staff recognizes that CDA assessment work to include application of controls is much more complex and resource intensive than originally anticipated, and the licensee has a large number of additional tasks not originally considered when developing its CSP implementation schedule.

The licensee stated that the scope of actions and resources required to fully implement its CSP were not anticipated when the implementation schedule was originally determined. The NRC staff finds that the licensee's request for additional time to implement Milestone 8 is reasonable,

given the unanticipated complexity and scope of the work required to come into full compliance with its CSP.

The licensee has made reasonable progress toward full implementation of the CSP. The licensee indicated that completion of the activities associated with the CSP, as described in Milestones 1 through 7, provides a high degree of protection to ensure that the most significant digital computer and communication systems and networks associated with EP functions are protected against cyber-attacks. The NRC staff finds that the licensee's site is more secure after the implementation of Milestones 1 through 7, because the activities the licensee has completed mitigate the most significant cyber-attack vectors for the most significant CDAs.

The licensee proposed a Milestone 8 completion date of December 31, 2017. The licensee stated that changing the completion date of Milestone 8 allows for the application of changes to CDAs, procedures, and cyber security controls; provides the necessary time to methodically plan, implement, and test the required additions or changes; and allows those additions or changes that require a design change to be performed. The licensee stated its methodology for prioritizing Milestone 8 activities is centered on considerations for EP and BOP consequences.

The methodology is based on defense-in-depth, installed configuration of the CDA and susceptibility to the five commonly identified threat vectors. Prioritization for CDA assessment begins with safety-related CDAs and continues through lower priority non-safety and EP CDAs.

The NRC staff finds that based on the large number of digital assets described above and the limited resources with the appropriate expertise to perform these activities, the licensee's methodology for prioritizing work on CDAs is appropriate. The NRC staff further finds that the licensee's request to delay final implementation of the CSP until December 31, 2017, is reasonable, given the complexity of the remaining unanticipated work.

Based on its review of the licensee's submissions, the NRC staff concludes that the licensee's completed implementation of Milestones 1 through 7 provides significant protection against cyber-attacks; the licensee's explanation of the need for additional time is compelling, and it is acceptable for Susquehanna to complete implementation of Milestone 8, full implementation of the CSP, by December 31, 2017. The NRC staff also concludes that upon full implementation of the licensee's cyber security program, the requirements of the licensee's CSP and 10 CFR 73.54 will be met. Therefore, the NRC staff finds that the proposed changes to the Milestone 8 completion date and License Condition 2.D are acceptable.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the NRC Staff notified the appropriate Pennsylvania State official of the proposed issuance of the amendments. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

These amendments relate solely to safeguards matters and do not involve any significant construction impacts. These amendments to 10 CFR Part 50 licenses are an administrative change to extend the date by which the licensee must have its CSP fully implemented.

Accordingly, the amendments meet the eligibility criteria for categorical exclusion set forth in

10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of these amendments.

6.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

7.0 REFERENCES

1. Susquehanna Steam Electric Station Proposed Amendment No. 317 to License NPF-14 and Proposed Amendment No. 289 to License NPF-22: "Changes to Cyber Security Implementation Schedule," December 2, 2012 (Agencywide Documents Access and Management System (ADAMS) Package Accession No. ML14336A239).
2. Susquehanna Steam Electric Station Proposed Amendment No. 317 to License NPF-14 and Proposed Amendment No. 289 to License NPF-22: "Supplemental Information Associated with Changes to Cyber Security Implementation Schedule," February 12, 2015 (ADAMS Accession No. ML15044A053).
3. Susquehanna Steam Electric Station Proposed Amendment No. 317 to License NPF-14 and Proposed Amendment No. 289 to License NPF-22: "Content of the No Significant Hazard Determination Does not Contain Security-Related Information," May 4, 2015 (ADAMS Accession No. ML15124A668).
4. Susquehanna Steam Electric Station Proposed Amendment No. 317 to License NPF-14 and Proposed Amendment No. 289 to License NPF-22: "Supplement to Change Proposed Milestone 8 Date," August 28, 2015 (ADAMS Accession No. ML15243A008).
5. NRC Letter, "Susquehanna Steam Electric Station, Units 1 and 2 - Issuance of Amendment Re: Approval of the PPL Susquehanna, LLC Cyber Security Plan," July 21, 2011 (ADAMS Accession No. ML11152A009).
6. NRC Letter, "Susquehanna Steam Electric Station, Units 1 and 2 - Issuance of Amendments Re: Approval of Cyber Security Plan Milestones 3 and 6," October 17, 2012 (ADAMS Accession No. ML12265A298).
7. NRC Letter, "Susquehanna Steam Electric Station, Units 1 and 2 - Issuance of Conforming Amendment Re: Indirect Transfer of Renewed Facility Operating Licenses to Susquehanna Nuclear, LLC. June 1, 2015 (ADAMS Accession No. ML15054A066).
8. NRC "Order Approving Transfer of Licenses and Conforming Amendments" related to the Susquehanna Steam Electric Station, Units 1 and 2, April 10, 2015 (ADAMS Accession No. ML15058A073).
9. Nuclear Energy Institute Template for the Cyber Security Plan Implementation Schedule

-Attachment, February 28, 2011 (ADAMS Accession No. ML110600218).

10. NRC Memorandum from R. Felts to B. Westreich, "Review Criteria for Title 10 of the Code of Federal Regulations Part 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests" (ADAMS Accession No. ML13295A467).
11. NRC Letter, "Cyber Security Plan Implementation Schedule," May 9, 2011 (ADAMS Accession No. ML110980538).

Principal Contributor: John Rycyna, NSIR Date: November 2, 2015

ML15267A381 *by e-mail dated 9/23/15 OFFICE DORL/LPLl-2/PM DORL/LPLl-2/LA NSIR/CSD/DD* OGC (NLO) DORL/LPLl-2/BC DORL/LPLl-2/PM DBroaddus NAME JWhited LRonewicz RFelts JMaltese JWhited (REnnis for)

DATE 10/29/2015 10/13/2015 9/23/2015 10/29/2015 11 /02/2015 11 /02/2015