ML15302A075


Issuance of Amendment Revising the Completion Date for Milestone 8 of the Cyber Security Plan
ML15302A075
Person / Time
Site: Davis Besse
Issue date: 03/08/2016
From: Blake Purnell
Plant Licensing Branch III
To: Boles B
FirstEnergy Nuclear Operating Co
Blake Purnell, NRR/DORL
References
CAC MF5892


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

March 8, 2016

Mr. Brian D. Boles
Site Vice President
FirstEnergy Nuclear Operating Company
Mail Stop A-DB-3080
5501 North State, Route 2
Oak Harbor, OH 43449-9760

SUBJECT: DAVIS-BESSE NUCLEAR POWER STATION, UNIT NO. 1 - ISSUANCE OF AMENDMENT REVISING THE COMPLETION DATE FOR MILESTONE 8 OF THE CYBER SECURITY PLAN (CAC NO. MF5892)

Dear Mr. Boles:

The U.S. Nuclear Regulatory Commission (NRC or the Commission) has issued the enclosed Amendment No. 290 to Facility Operating License No. NPF-3 for the Davis-Besse Nuclear Power Station (DBNPS), Unit No. 1. The amendment is in response to your application dated March 12, 2015 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML15072A052), as supplemented by letter dated May 6, 2015 (ADAMS Accession No. ML15127A202).

The amendment approves the revised schedule for full implementation of Milestone 8 of the cyber security plan (CSP) at DBNPS by extending the date from July 1, 2016, to December 31, 2017. The amendment also revises the second paragraph of license condition 2.D of Renewed Facility Operating License No. NPF-3 to incorporate the revised CSP implementation schedule.

A copy of the safety evaluation (SE) is also enclosed. The NRC staff has determined that the SE does not contain security-related information pursuant to Title 10 of the Code of Federal Regulations (10 CFR), Section 2.390, "Public inspections, exemptions, requests for withholding."

The Notice of Issuance will be included in the Commission's next biweekly Federal Register notice.

Docket No. 50-346

Enclosures:

1. Amendment No. 290 to NPF-3
2. Safety Evaluation

cc w/encls: Distribution via Listserv

Sincerely,

Blake Purnell, Project Manager
Plant Licensing Branch III-2
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

FIRSTENERGY NUCLEAR OPERATING COMPANY AND FIRSTENERGY NUCLEAR GENERATION, LLC
DAVIS-BESSE NUCLEAR POWER STATION, UNIT NO. 1
AMENDMENT TO RENEWED FACILITY OPERATING LICENSE
DOCKET NO. 50-346

Amendment No. 290
Renewed License No. NPF-3

1. The U.S. Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment filed by FirstEnergy Nuclear Operating Company (FENOC, the licensee) dated March 12, 2015, as supplemented by letter dated May 6, 2015, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I;

B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission;

C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations;

D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and

E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2. Accordingly, the Renewed Facility Operating License No. NPF-3 is amended by changes as indicated in the attachment to this license amendment. The second paragraph of license condition 2.D of Renewed Facility Operating License No. NPF-3 is amended to read as follows:

FENOC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The FENOC CSP was approved by License Amendment No. 283 and is amended by License Amendment No. 290.

3. This license amendment is effective as of its date of issuance and shall be implemented within 30 days of the date of issuance.

FOR THE NUCLEAR REGULATORY COMMISSION

Justin C. Poole, Acting Chief
Plant Licensing Branch III-2
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Attachment: Changes to the Renewed Facility Operating License

Date of Issuance: March 8, 2016

ATTACHMENT TO LICENSE AMENDMENT NO. 290
RENEWED FACILITY OPERATING LICENSE NO. NPF-3
DOCKET NO. 50-346

Replace the following pages of the Renewed Facility Operating License with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

Remove License NPF-3 Page L-11 License NPF-3 Page L-11

2.D. FENOC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21, is entitled: "Davis-Besse Nuclear Power Station Physical Security Plan, Training and Qualification Plan, and Safeguards Contingency Plan Revision 4," submitted by letter dated May 18, 2006.

FENOC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The FENOC CSP was approved by License Amendment No. 283 and is amended by License Amendment No. 290.

E. This license is subject to the following antitrust conditions:

Definitions

Entity shall mean any electric generation and/or distribution system or municipality or cooperative with a statutory right or privilege to engage in either of these functions.

Wheeling shall mean transportation of electricity by a utility over its lines for another utility, including the receipt from and delivery to another system of like amounts but not necessarily the same energy. Federal Power Commission, The 1970 National Power Survey, Part 1, p. 1-24-8.

License Conditions Approved By the Atomic Safety and Licensing Appeal Board*

(1) Applicants shall not condition the sale or exchange of wholesale power or coordination services upon the condition that any other entity:

(a) enter into any agreement or understanding restricting the use of or alienation of such energy or services to any customers or territories;

* "Applicants" as used by the Appeal Board refers to the Toledo Edison Company, Cleveland Electric Illuminating Company, Duquesne Light Company, Ohio Edison Company and Pennsylvania Power Company although none of these entities are currently Licensees for this facility.

L-11 Renewed License No. NPF-3 Amendment No. 290

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 290 TO RENEWED FACILITY OPERATING LICENSE NO. NPF-3

FIRSTENERGY NUCLEAR OPERATING COMPANY
FIRSTENERGY NUCLEAR GENERATION, LLC
DAVIS-BESSE NUCLEAR POWER STATION, UNIT NO. 1
DOCKET NO. 50-346

1.0 INTRODUCTION

By application dated March 12, 2015 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML15072A052), as supplemented by letter dated May 6, 2015 (ADAMS Accession No. ML15127A202), FirstEnergy Nuclear Operating Company (FENOC or the licensee) submitted a license amendment request (LAR) for Davis-Besse Nuclear Power Station (DBNPS), Unit No. 1.

The supplemental letter dated May 6, 2015, provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the U.S. Nuclear Regulatory Commission (NRC or Commission) staff's proposed no significant hazards consideration determination as published in the Federal Register on May 5, 2015 (80 FR 25720).

The proposed change revises the completion date of the cyber security plan (CSP), by extending the date for full implementation of the CSP Milestone 8 at DBNPS, from July 1, 2016, to December 31, 2017. The second paragraph of license condition 2.D of Renewed Facility Operating License No. NPF-3 is also amended.

2.0 REGULATORY EVALUATION

The NRC staff reviewed and approved the licensee's existing CSP implementation schedule in License Amendment No. 283 to the DBNPS license, by letter dated August 31, 2011 (ADAMS Accession No. ML111890298). Amendment No. 283 revised the existing license and requires DBNPS to fully implement and maintain all provisions of the CSP. The existing schedule requires that Milestone 8 be completed no later than July 1, 2016.

The NRC staff considered the following regulatory requirements and guidance in its review of the license amendment request to modify the existing CSP implementation schedule:

Section 73.54 of 10 CFR states, in part, that:

Each [CSP] submittal must include a proposed implementation schedule. Implementation of the licensee's cyber security program must be consistent with the approved schedule.

The licensee's current license includes a license condition that requires the licensee to fully implement and maintain in effect all provisions of the NRC-approved CSP.

Review criteria provided by the NRC staff's internal memorandum, "Review Criteria for Title 10 of the Code of Federal Regulations Part 73.54, Cyber Security Implementation Schedule Milestone 8 License Amendment Requests," dated October 24, 2013 (ADAMS Accession No. ML13295A467), are considered in evaluating a licensee's request to postpone their cyber security program implementation date (commonly known as Milestone 8).

Both 10 CFR 73.54 and License Amendment No. 283 to the DBNPS license require that changes made to the CSP implementation schedule must have prior NRC approval.

The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that "[i]mplementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRC-approved CSP implementation schedule, thus, will require prior NRC approval as required by 10 CFR 50.90.

3.0 TECHNICAL EVALUATION

3.1 Licensee's Requested Change

Amendment No. 283 to the DBNPS license was issued on August 31, 2011. The NRC staff also approved the licensee's CSP implementation schedule, as discussed in the safety evaluation issued with the amendment. The licensee's NRC-approved implementation schedules for the CSP identified completion dates and bases for the following eight milestones:

1) Establish a cyber security assessment team.
2) Identify critical systems and critical digital assets (CDAs).
3) Install a deterministic one-way device between lower level devices and higher level devices.
4) Implement the security control "Access Control for Portable and Mobile Devices."
5) Implement observation and identification of obvious cyber-related tampering to existing insider mitigation rounds by incorporating the appropriate elements.
6) Identify, document, and implement technical cyber security controls for CDAs that could adversely impact the design function of physical security target set equipment, in accordance with "Mitigation of Vulnerabilities and Application of Cyber Security Controls."
7) Commence ongoing monitoring and assessment activities of implemented security controls for the target set of CDAs.
8) Fully implement the CSP for all safety, security, and emergency preparedness (EP) functions.

Currently, Milestone 8 of the DBNPS CSP requires the licensee to fully implement the CSP by July 1, 2016. The licensee submitted its application on March 12, 2015, after the NRC staff issued the NRC guidance memorandum on October 24, 2013. The application requests to extend the completion date for Milestone 8 to December 31, 2017, for DBNPS. Attachment 1 to the application included the revised CSP implementation schedule. The licensee's application provided information pertinent to each of the criteria identified in the NRC guidance.

1) Identification of the specific requirement or requirements of the CSP that the licensee needs additional time to implement.

The licensee stated that additional time is needed to implement Section 3.1, "Analyzing Digital Computer Systems and Networks and Applying Cyber Security Controls," of its CSP.

2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

DBNPS is experiencing challenges with full implementation of Milestone 8 within the current implementation date. The licensee stated that there is a large volume of effort associated with documentation of CDA assessment and analysis. The licensee also pointed out that uncertainty regarding which method to use in performing cyber-security assessments resulted in delays. Nuclear Energy Institute (NEI) 13-10, "Cyber Security Control Assessments," issued as Revision 0 in December 2013, Revision 1 in September 2014, and Revision 2 in January 2015, describes a method for conducting cyber-security assessments.

The application justified the need for additional time to implement Milestone 8. The licensee explained the resource intensive nature of assessing the approximately 1000 CDAs at DBNPS. The licensee stated that remediation activities need to be carefully considered and that there are change management challenges. In addition, the licensee notes cyber security must be integrated into day-to-day plant operations, maintenance, engineering, and procurement activities.

3) A proposed completion date for Milestone 8 is consistent with the remaining scope of work to be conducted and the resources available.

The licensee requested to extend the completion date for Milestone 8 at DBNPS to December 31, 2017. The licensee stated: "Changing the completion date for milestone 8 will allow more time to methodically plan and schedule the implementation of the required design changes as well as provide more time to prioritize work efforts and schedule resources to help avoid rework and scope change."

4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.

The application stated: "[t]he cyber security implementation activities that have already been completed ensure that DBNPS is, and will continue to be, secure and that digital computer and communication systems and networks are adequately protected against cyber attacks during implementation of the remainder of the program by the proposed milestone 8 date of December 31, 2017."

DBNPS has completed the implementation of milestones 1 through 7 and identified completed activities for each milestone. The licensee stated:

The additional time requested to complete milestone 8 will not impact the overall effectiveness of the cyber security program. With the cyber security program currently in place, the completed milestones 1 through 7, implementation of the "Good Faith Letter" [nonpublic NRC memorandum dated July 1, 2013] actions and the completion of prioritized activities in progress, there is no impact to DBNPS's safe and reliable power operation. The proposed milestone date encompasses additional time for implementation of modifications required as a result of the CDA assessments. The milestone 8 extension will also provide time to fully integrate the cyber security plan into plant programs, processes, procedures, and training.

5) A description of the licensee's methodology for prioritizing completion of work for critical digital assets associated with significant safety consequences and with reactivity effects in the balance of plant.

The licensee stated:

DBNPS's methodology for prioritizing milestone 8 activities is centered on considerations for safety, security, emergency preparedness (EP), and balance of plant (BOP) (continuity of power) consequences. The methodology is also based on defense-in-depth, installed configuration and complexity of the CDA and susceptibility to... commonly identified threat vectors.... Prioritization for CDA assessment begins with safety-related CDAs and continues through the lower priority non-safety and EP CDAs....

6) A discussion of the licensee's cyber security program performance up to the date of the LAR.

The licensee stated that the activities it completed under CSP Milestones 1 through 7 provide a high degree of protection against cyber security-related attacks during implementation of the full program. The licensee discussed its implementation of completed milestones. The licensee also stated that ongoing monitoring and time-based periodic actions provide continuing program performance monitoring.

7) A discussion of cyber security issues pending in the licensee's corrective action program (CAP).

The amendment application stated:

DBNPS uses the CAP to document adverse cyber issues in order to trend, correct, and improve the cyber security program. Conditions adverse to quality are captured in the CAP database and tracked from initiation through closure. Adverse trends are monitored for program improvement and addressed via the CAP process.

The application also provided examples of issues and activities in the CAP.

8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

The application provided a discussion of completed modifications.

3.2 NRC Staff Evaluation

The NRC staff has evaluated the licensee's application using the regulatory requirements and guidance discussed above. The NRC staff's evaluation is below. The NRC staff finds that the actions the licensee noted as being required to implement CSP, Section 3.1, "Analyzing Digital Computer Systems and Networks," are reasonable as discussed below.

The licensee stated that it completed implementation of the CSP activities described in Milestones 1 through 7 prior to December 31, 2012, and it also completed the actions required by the "Good Faith Letter."[1] The licensee indicated that completion of these activities provides "a high degree of protection against cyber security attacks while DBNPS implements the full program." The NRC staff concludes that the licensee's site is more secure after the implementation of Milestones 1 through 7 because these activities provide significant protection against cyberattacks. Therefore, the NRC has reasonable assurance that full implementation of the CSP by December 31, 2017, will provide adequate protection of the public health and safety and the common defense and security.

The scope of actions and resources required to fully implement its CSP were not anticipated when the implementation schedule was originally determined. The NRC staff recognizes that CDA assessment work, including application of controls, is much more complex and resource intensive than originally anticipated, in part due to the NRC expanding the scope of the cyber security requirements to include balance of plant. As a result, the licensee must complete a large number of additional tasks not originally considered when developing its CSP implementation schedule.

The NRC staff has had extensive interaction with the nuclear industry since licensees first developed their CSP implementation schedules. Based on this interaction, the staff recognizes that CDA assessment work is much more complex and resource intensive than originally anticipated and that the licensee has a large number of additional tasks not originally considered when developing its CSP implementation schedule. The NRC staff concludes that the licensee's request for additional time to implement Milestone 8 is reasonable given the unanticipated complexity, volume, and scope of the remaining work required to fully implement its CSP.

The licensee proposed to change DBNPS's original Milestone 8 completion date of July 1, 2016.

The licensee stated that changing the completion date for Milestone 8 allows for the application of changes to CDAs, procedures, and cyber security controls. The delayed completion date provides the necessary time to "methodically plan and schedule the implementation of the required design changes as well as provide more time to prioritize work efforts and schedule resources to help avoid rework and scope change." The licensee stated its methodology for prioritizing Milestone 8 activities is centered on considerations for safety, security, EP functions, equipment important to safety, and BOP consequences. The methodology is based on defense-in-depth, installed configuration of the CDA, and susceptibility to commonly identified threat vectors. Prioritization for CDA assessment begins with safety-related CDAs and continues through lower priority non-safety and EP CDAs. The NRC staff concludes that based on the large number of digital assets described above and the limited resources with the appropriate expertise to perform these activities, the licensee's methodology for prioritizing work on CDAs is appropriate. The staff further concludes that the licensee's request to delay final implementation of the CSP until December 31, 2017, is reasonable given the complexity of the remaining unanticipated work.

[1] NRC Memorandum dated July 1, 2013, "Enhanced Guidance for Licensee Near-Term Corrective Actions to Address Cyber Security Inspection Findings and Licensee Eligibility for 'Good Faith' Attempt Discretion" (Nonpublic ADAMS Accession No. ML13178A203).

3.3 Technical Evaluation Conclusion

Based on the licensee's completion of Milestones 1 through 7 and the licensee's submissions, the NRC staff determined that the licensee's cyber security program provides significant protection against cyberattacks. The staff found the licensee's explanation for the extension of time reasonable. The staff also determined that the licensee's CAP provides assurance that the cyber security program, as currently implemented, will remain effective because issues will be identified and addressed.

The NRC staff concludes that the licensee's request to delay full implementation of its CSP until December 31, 2017, is acceptable for the following reasons: (1) the licensee's implementation of Milestones 1 through 7 provides significant protection against cyberattacks; (2) the scope of the work required to come into full compliance with the CSP implementation schedule was more complicated than anticipated and not reasonably foreseeable; and (3) the licensee has reasonably prioritized and scheduled the work required to come into full compliance with its CSP implementation schedule.

The NRC has reasonable assurance that the full implementation of the CSP by December 31, 2017, will provide adequate protection of the public health and safety and for the common defense and security. The NRC also concludes that upon full implementation of the licensee's cyber security program, the requirements of the licensee's CSP and 10 CFR 73.54 will be met.

Therefore, the NRC staff finds the proposed change acceptable.

3.4 Revision to License Condition 2.D

By letter dated March 12, 2015, the licensee proposed to modify the license condition associated with the CSP. The revised paragraph for license condition 2.D is as follows:

FENOC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The FENOC CSP was approved by License Amendment No. 283 and is amended by License Amendment No. 290.

Based on the information in Section 3.0 of this safety evaluation and the modified license condition described above, the NRC staff concludes this is acceptable.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the Ohio State official was notified of the proposed issuance of the amendment. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

This is an amendment to a 10 CFR Part 50 license that relates solely to safeguards matters and does not involve any significant construction impacts. This amendment is an administrative change to extend the date by which the licensee must have its cyber security plan fully implemented. Accordingly, this amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of this amendment.

6.0 CONCLUSION

The Commission concludes, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributors: John Rycyna, NSIR

Date of issuance: March 8, 2016

DISTRIBUTION:
PUBLIC
LPL3-2 R/F
RidsRgn3MailCenter Resource
RidsNrrDorllpl3-2 Resource
RidsNrrPMDavisBesse
RidsNrrLASRohrer Resource
RidsACRS_MailCTR Resource
RecordsAmend Resource
JRycyna, NSIR
JAnderson, NSIR

Accession Number: ML15302A075

* via e-mail

OFFICE  LPL3-2/PM  LPL3-2/LA  NSIR/CSD/DD*  OGC         LPL3-2/BC(A)  LPL3-2/PM
NAME    BPurnell   SRohrer    JBeardsley    PJehle NLO  JPoole        BPurnell
DATE    3/1/16     2/29/16    2/25/16       2/18/16     3/8/16        3/8/16

OFFICIAL RECORD COPY