ML16064A215

From kanterella
Jump to navigation Jump to search

Issuance of Amendments Cyber Security Plan Implementation Schedule
ML16064A215
Person / Time
Site: Indian Point  Entergy icon.png
Issue date: 04/12/2016
From: Pickett D
Plant Licensing Branch 1
To:
Entergy Nuclear Operations
Pickett D, NRR-DORL 415-1364
References
TAC MF6368, TAC MF6369, TAC MF6370
Download: ML16064A215 (21)
v  d  e


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 April 12, 2u16 Vice President, Operations Entergy Nuclear Operations, Inc.

Indian Point Energy Center 450 Broadway, GSB P.O. Box 249 Buchanan, NY 10511-0249

SUBJECT:

INDIAN POINT NUCLEAR GENERATING UNIT NOS. 1, 2 AND 3 - ISSUANCE OF AMENDMENTS RE: CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE (TAC NOS. MF6368, MF6369, AND MF6370)

Dear Sir or Madam:

The U.S. Nuclear Regulatory Commission (the Commission) has issued the enclosed Amendment No. 59 to Provisional Operating License No. DPR-5 for Indian Point Nuclear Generating Unit No. 1, Amendment No. 284 to Facility Operating License No. DPR-26 for the Indian Point Nuclear Generating Unit No. 2, and Amendment No. 260 to Facility Operating License No. DPR-64 for the Indian Point Nuclear Generating Unit No. 3. The amendments consist of changes to the Cyber Security Plan Milestone 8 full implementation date in response to your application dated June 16, 2015.

The amendments revise the Cyber Security Plan Milestone 8 full implementation date by extending the full implementation date from June 30, 2016, to December 31, 2017.

A copy of the related Safety Evaluation is enclosed. A Notice of Issuance will be included in the Commission's biweekly Federal Register notice.

Sincerely, Douglas V. Pickett, Senior Project Manager Plant Licensing Branch 1-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos.50-003, 50-247, and 50-286

Enclosures:

1. Amendment No. 59 to DPR-5
2. Amendment No. 284 to DPR-26
3. Amendment No. 260 to DPR-64
4. Safety Evaluation cc w/enclosures: Distribution via Listserv

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ENTERGY NUCLEAR INDIAN POINT 2. LLC ENTERGY NUCLEAR OPERATIONS, INC.

DOCKET NO.50-003 INDIAN POINT NUCLEAR GENERATING UNIT NO. 1 AMENDMENT TO PROVISIONAL OPERATING LICENSE Amendment No. 59 License No. DPR-5

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Entergy Nuclear Operations, Inc. (the licensee) dated June 16, 2015, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 1

2. Accordingly, the license is amended by changes to paragraph 3.b of Facility Operating License No. DPR-5.

Paragraph 3.b) is hereby amended to read as follows:

b) Technical Specifications The Technical Specifications contained in Appendices A and B, as revised through Amendment No. 59, are hereby incorporated in the license. ENO shall maintain the facility in accordance with the Technical Specifications.

3. This license amendment is effective as of the date of its issuance and shall be implemented within 30 days.

FOR THE NUCLEAR REGULATORY COMMISSION Andrea L. Kock, Deputy Director Division of Decommissioning, Uranium Recovery and Waste Programs Office of Nuclear Material Safety and Safeguards

Attachment:

Changes to the Provisional Operating License Date of lssuance:Apr i l 1 2, 2o1 6

ATTACHMENT TO LICENSE AMENDMENT NO. 59 PROVISIONAL OPERATING LICENSE NO. DPR-5 DOCKET NO.50-003 Replace the following page of the Provisional Operating License with the attached revised page.

The revised page is identified by amendment number and contains marginal lines indicating the areas of change.

Remove Page Insert Page 2 2

designated location in Westchester County, New York, in accordance with the procedures and limitations described in the application and this license; b) ENO, pursuant to the Act and 10 CFR Part 70, to receive and possess up to 1918 kilograms of contained uranium-235 previously received for reactor operation; c) Deleted; d) Deleted; e) ENO, pursuant to the Act and 10 CFR Parts 30 and 70, to receive Arndt. 45 and possess, but not to separate, such byproduct and special 1-31-96 materials as were produced by the prior operation of the facility; f) Deleted.

3. This license shall be deemed to contain and is subject to the conditions specified in Sections 50.54 and 50.59 of Part 50, Section 70.32 of Part 70, Section 40.41 of Part 40, and Section 30.32 of Part 30 of the Commission's regulations; is subject to all applicable provisions of the Act and rules, regulations and orders of the Commission now and hereafter in effect; and is subject to the additional conditions specified below:

a) Maximum Power Level ENO is prohibited from taking the reactor to criticality, and the facility shall not be operated at any power level.

b) Technical Specifications The Technical Specifications contained in.Appendices A and B, as revised through Amendment No. 59, are hereby incorporated in the license. ENO shall maintain the facility in accordance with the Technical Specifications.

c) Records In addition to those otherwise required under this license and applicable regulations, ENO shall keep the following records:

1. Reactor operating records, including power levels and period of operation at each power level.
2. Records showing the radioactivity released or discharged into the air or water beyond the effective control of ENO as measured at or prior to the point of such release or discharge.
3. Records of scrams, including reasons therefor.
4. Records of principal maintenance operations involving substitution or replacement of facility equipment or components and the reasons therefor.

Amendment No. 59

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ENTERGY NUCLEAR INDIAN POINT 2. LLC ENTERGY NUCLEAR OPERATIONS. INC.

DOCKET NO. 50-247 INDIAN POINT NUCLEAR GENERATING UNIT NO. 2 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 284 License No. DPR-26

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Entergy Nuclear Operations, Inc. (the licensee) dated June 16, 2015, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 2

2. Accordingly, the license is amended by changes to paragraph 2.C.(2) of Facility Operating License No. DPR-26.

Paragraph 2.C.(2) is hereby amended to read as follows:

(2) Technical Specifications The Technical Specifications contained in Appendices A, B, and C, as revised through Amendment No. 284, are hereby incorporated in the license. ENO shall operate the facility in accordance with the Technical Specifications.

3. This license amendment is effective as of the date of its issuance and shall be implemented within 30 days.

FOR THE NUCLEAR REGULA TORY COMMISSION Travis L. Tate, Chief Plant Licensing Branch 1-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the Facility Operating License Date of lssuance:Apr i l 1 2, 2O1 6

ATTACHMENT TO LICENSE AMENDMENT NO. 284 FACILITY OPERATING LICENSE NO. DPR-26 DOCKET NO. 50-247 Replace the following page of the Facility Operating License with the attached revised page.

The revised page is identified by amendment number and contains marginal lines indicating the areas of change.

Remove Page Insert Page 3 3

instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required; (4) ENO pursuant to the Act and 10 CFR Parts 30, 40 and 70, Arndt. 42 to receive, possess, and use in amounts as required any 10-17-78 byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components; (5) ENO pursuant to the Act and 10 CFR Parts 30 and 70, to Arndt. 220 possess, but not separate, such byproduct and special 09-06-01 nuclear materials as may be produced by the operation of the facility.

C. This amended license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter I: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level ENO is authorized to operate the facility at steady state Arndt. 241 reactor core power levels not in excess of 3216 megawatts 10-27-04 thermal (2) Technical Specifications The Technical Specifications contained in Appendices A, B, and C, as revised through Amendment No. 284, are hereby incorporated in the license.

ENO shall operate the facility in accordance with the Technical Specifications.

(3) The following conditions relate to the amendment approving the conversion to Improved Standard Technical Specifications:

1. This amendment authorizes the relocation of certain Technical Specification requirements and detailed information to licensee controlled documents as described in Table R, "Relocated Technical Specifications from the CTS," and Table LA, "Removed Details and Less Restrictive Administrative Changes to the CTS" attached to the NRC staffs Safety Evaluation enclosed with this amendment. The relocation of requirements and detailed information shall be completed on or before the implementation of this amendment.

Amendment No. 284

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 ENTERGY NUCLEAR INDIAN POINT 3, LLC ENTERGY NUCLEAR OPERATIONS. INC.

DOCKET NO. 50-286 INDIAN POINT NUCLEAR GENERATING UNIT NO. 3 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 260 License No. DPR-64

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Entergy Nuclear Operations, Inc. (the licensee) dated June 16, 2015, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act) and the Commission's rules and regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

Enclosure 3

2. Accordingly, the license is amended by changes to paragraph 2.C.(2) of Facility Operating License No. DPR-64.

Paragraph 2.C.(2) is hereby amended to read as follows:

(2) Technical Specifications The Technical Specifications contained in Appendices A, B, and C, as revised through Amendment No. 260 are hereby incorporated in the License. ENO shall operate the facility in accordance with the Technical Specifications.

3. This license amendment is effective as of the date of its issuance and shall be implemented within 30 days.

FOR THE NUCLEAR REGULA TORY COMMISSION Travis L. Tate, Chief Plant Licensing Branch 1-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Attachment:

Changes to the Facility Operating License Date of Issuance: April 1 2, 2o1 6

ATTACHMENT TO LICENSE AMENDMENT NO. 260 FACILITY OPERATING LICENSE NO. DPR-64 DOCKET NO. 50-286 Replace the following page of the Facility Operating License with the attached revised page.

The revised page is identified by amendment number and contains marginal lines indicating the areas of change.

Remove Page Insert Page 3 3

(4) ENO pursuant to the Act and 10 CFR Parts 30, 40 and 70, Arndt. 203 to receive, possess, and use in amounts as required any 11/27/00 byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components; (5) ENO pursuant to the Act and 10 CFR Parts 30 and 70, to Arndt. 203 possess, but not separate, such byproduct and special 11/27/00 nuclear materials as may be produced by the operation of the facility.

C. This amended license shall be deemed to contain and is subject to the conditions specified in the following Commission regulations in 10 CFR Chapter I: Part 20, Section 30.34 of Part 30, Section 40.41 of Part 40, Sections 50.54 and 50.59 of Part 50, and Section 70.32 of Part 70; and is subject to all applicable provisions of the Act and to the rules, regulations, and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level ENO is authorized to operate the facility at steady state reactor core power levels not in excess of 3216 megawatts thermal (100% of rated power).

(2) Technical Specifications The Technical Specifications contained in Appendices A and B, as revised through Amendment No. 260 are hereby incorporated in the License. ENO shall operate the facility in accordance with the Technical Specifications.

(3) (DELETED) Arndt. 205 2-27-01 (4) (DELETED) Arndt. 205 2-27-01 D. (DELETED) Amdt.46 2-16-83 E. (DELETED) Amdt.37 5-14-81 F. This amended license is also subject to appropriate conditions by the New York State Department of Environmental Conservation in its letter of May 2, 1975, to Consolidated Edison Company of New York, Inc., granting a Section 401 certification under the Federal Water Pollution Control Act Amendments of 1972.

Amendment No. 260

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 59 TO PROVISIONAL OPERATING LICENSE NO. DPR-5 AMENDMENT NO. 284 TO FACILITY OPERATING LICENSE NO. DPR-26 AMENDMENT NO. 260 TO FACILITY OPERATING LICENSE NO. DPR-64 ENTERGY NUCLEAR INDIAN POINT 2. LLC ENTERGY NUCLEAR INDIAN POINT 3. LLC AND ENTERGY NUCLEAR OPERATIONS. INC.

INDIAN POINT NUCLEAR GENERATING UNIT NOS. 1. 2 AND 3 DOCKET NOS.50-003. 50-247, AND 50-286

1.0 INTRODUCTION

By application dated June 16, 2015 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML15173A070), Entergy Nuclear Operations Inc. (Entergy, or the licensee) requested a change to the Provisional Operating License for Indian Point Nuclear Generating Station (Indian Point), Unit No. 1 (IP1) and the Facility Operating Licenses (FOLs) for Indian Point Nuclear Generating Unit Nos. 2 and 3 (IP2 and IP3).

The U.S. Nuclear Regulatory Commission (NRC) staff reviewed and approved the licensee's original Cyber Security Plan (CSP) implementation schedule by License Amendment No. 55 to Provisional Operating License No. DPR-5 for IP1, Amendment No. 266 to Facility Operating License No. DPR-26 for IP2, and Amendment No. 243 to Facility Operating License No. DPR-64 for IP3, dated August 2, 2011 (ADAMS Accession No. ML11152A027), concurrent with the incorporation of the CSP into the facilities' current licensing bases. Subsequently, the staff reviewed and approved License Amendment No. 57 to Provisional Operating License No. DPR-5 for IP1, Amendment No. 279 to Facility Operating License No. DPR-26 for IP2, and Amendment No. 254 to Facility Operating License No. DPR-64 for IP3, dated December 11, 2014, which extended the CSP implementation schedule (ADAMS Accession No. ML14316A526). This schedule required the Indian Point facilities to fully implement and maintain all provisions of the CSP no later than June 30, 2016.

The proposed change would revise the completion date of the Indian Point CSP by extending the date for full implementation from June 30, 2016, to December 31, 2017. The NRC issued a proposed finding that the amendment involves no significant hazards consideration in the Enclosure 4

Federal Register on August 4, 2015 (80 FR 46348). The NRC has not received public comment on this determination.

2.0 REGULATORY EVALUATION

The NRC staff considered the following regulatory requirements and guidance in its review of the current license amendment request to modify the existing CSP implementation schedule:

  • Section 73.54 of 10 CFR, which states, in part, "Each [CSP] submittal must include a proposed implementation schedule. Implementation of the licensee's cyber security program must be consistent with the approved schedule."
  • The licensee's FOL, which includes a license condition that requires the licensee to fully implement and maintain in effect all provisions of the Commission-approved CSP.
  • NRC memorandum dated October 24, 2013 (ADAMS Accession No. ML13295A467), in which the NRC staff lists criteria to consider during evaluations of licensees' requests to postpone their cyber security program implementation date (commonly known as Milestone 8).

The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, which states, "Implementation of the licensee's cyber security program must be consistent with the approved schedule." As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the plan, including the key intermediate milestone dates and the full implementation date, shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. All subsequent changes to the NRG-approved CSP implementation schedule, thus, will require prior NRC approval as required by 10 CFR 50.90, "Application for amendment of license, construction permit, or early site permit."

3.0 TECHNICAL EVALUATION

3.1 Licensee's Requested Change The NRC staff approved the current Indian Point CSP implementation schedule in Amendment Nos. 57, 279, and 254 on December 11, 2014. These amendments approved the licensee's CSP and associated implementation schedule, as discussed in the safety evaluation issued with the amendment. The licensee's implementation schedule was based on a template prepared by the Nuclear Energy Institute (ADAMS Accession No. ML110600218) that the NRC staff found acceptable for licensees to use to develop their CSP implementation schedules. The licensee's proposed implementation schedule for the CSP identified completion dates and bases for the following eight milestones:

1) Establish the Cyber Security Assessment Team (CSAT);
2) Identify Critical Systems (CSs) and Critical Digital Assets (CDAs);
3) Install deterministic one-way devices between lower level devices and higher level devices;
4) Implement the security control "Access Control For Portable And Mobile Devices;
5) Implement observation and identification of obvious cyber-related tampering to existing insider mitigation rounds by incorporating the appropriate elements;
6) Identify, document, and implement technical cyber security controls in accordance with "Mitigation of Vulnerabilities and Application of Cyber Security Controls" for CDAs that could adversely impact the design function of physical security target set equipment;
7) Ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented;
8) Fully implement the CSP.

Currently, Milestone 8 of the Indian Point CSP requires the licensee to fully implement the CSP by June 30, 2016. In its application dated June 16, 2015, Entergy proposed to change the Milestone 8 implementation date to December 31, 2017.

The licensee submitted its application using the NRC staff's guidance to evaluate requests to postpone Milestone 8 implementation dates. The licensee's application addressed all the criteria in the guidance. The intent of the staggered cyber security implementation schedule was for licensees to demonstrate ongoing implementation of their cyber security program prior to full implementation, which was scheduled for the date specified in Milestone 8. The licensee completed seven other milestones (Milestone 1 through Milestone 7) by December 31, 2012.

Activities included establishing a CSAT, identifying CSs and CDAs, installing deterministic one-way devices between defensive levels, implementing access control for portable and mobile devices, implementing methods to observe and identify obvious cyber-related tampering, and conducting ongoing monitoring and assessment activities for target set CDAs. In their aggregate, the interim milestones demonstrate ongoing implementation of the cyber security program.

The licensee provided the following information pertinent to each of the criteria identified in the NRC guidance memorandum dated October 24, 2013.

(1) Identification of the specific requirement or requirements of the CSP that the licensee needs additional time to implement.

The licensee stated that the following requirements of the CSP require additional time for implementation: Section 3, "Analyzing Digital Computer Systems and Networks," and Section 4, "Establishing, Implementing and Maintaining the Cyber Security Program." The licensee further noted that these sections describe the process for application of cyber security controls and the process of addressing security controls.

(2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

The licensee stated it had hosted a "pilot" Milestone 8 inspection at the Indian Point Energy Center in March 2014. During the pilot, insight was gained into NRC perspective on how to apply the cyber security controls listed in NEI 08-09, Cyber Security Plan for Nuclear Power Reactors, Revision 6 (ADAMS Accession No. ML101180437). During the pilot inspection, the NRC team reviewed several examples of CDAs with Entergy and indicated the level of detail and depth expected in the technical analyses for cyber security controls referenced in NEI 08-09. Based on this review, Entergy stated that the detail and depth of the technical analysis exceeds Entergy's prior understanding and necessitates a greater effort to achieve than initially anticipated.

The licensee stated that during 2015, each operating Entergy licensee has an inspection of compliance with interim Milestones 1 through 7. The preparation for and support of these inspections required a significant commitment of time from Entergy's most knowledgeable subject matter experts on nuclear cyber security, exceeding the estimate previously developed and thereby, drawing those resources away from Milestone 8 implementation activities.

(3) A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

The licensee proposed a Milestone 8 completion date of December 31, 2017.

During the pilot inspection, the NRC team reviewed several examples of CDAs with the licensee and indicated the level of detail and depth expected for the technical analyses against cyber security controls referenced in NEI 08-09. The licensee stated that based on this review, the detail and depth of the technical analysis exceeds the licensee's prior understanding and necessitates a considerably greater effort to achieve than initially anticipated (4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensee's overall cyber security program in the context of milestones already completed.

The licensee indicated the impact of the requested additional implementation time on the effectiveness of the overall CSP very low, because the milestones already completed have resulted in a high degree of protection of safety-related, important-to-safety, and security CDAs against common threat vectors.

Additionally, extensive physical and administrative measures are already in place for CDAs because they are plant components, pursuant to the Physical Security Plan and Technical Specification requirements. The licensee then provided details about implementation of Milestones 1 through 8.

(5) A description of the licensee's methodology for prioritizing completion of work for CDAs associated with significant safety, security or emergency preparedness (SSEP) consequences and with reactivity effects in the balance-of-plant (BOP).

The licensee stated that since CDAs are plant components, prioritization follows the normal work management process that places the highest priority on apparent conditions adverse to quality in system, structure, and component design function and related factors such as safety risk and nuclear defense-in-depth as well as threats to continuity of electric power generation in the BOP. High focus continues to be maintained on prompt attention to any emergent issue with the CDAs that would potentially challenge the established cyber protective barriers. Additionally, it should be noted that these CDAs encompass those associated with physical security target sets.

(6) A discussion of the licensee's cyber security program performance up to the date of the license amendment request.

The licensee stated that a compromise of an SSEP function by cyber means has not been identified. It also noted a formal Quality Assurance (QA) audit was conducted in the last quarter of 2014. The QA audit included a review of the cyber security program implementation. There were no significant findings related to cyber security program performance and effectiveness.

(7) A discussion of cyber security issues pending in the licensee's corrective action program (CAP).

The licensee stated there are presently no significant (constituting a threat to a CDA via cyber means or calling into question program effectiveness) nuclear cyber security issues pending in the Indian Point CAP. However, several non-significant issues identified during the QA audit described above and identified during NRC inspections have been entered into the CAP.

(8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

The licensee provided a discussion of completed modifications and pending modifications.

3.2 NRC Staff Evaluation The NRC staff has evaluated the licensee's application using the regulatory requirements and guidance above. The staff finds that the actions the licensee noted as being required to implement from the CSP, Section 3, "Analyzing Digital Computer Systems and Networks," and Section 4, "Establishing, Implementing and Maintaining the Cyber Security Program," are reasonable as discussed below.

The licensee indicated that the activities described in Milestones 1 through 7 were completed prior to December 31, 2012, and provide a high degree of protection of safety-related,

important-to-safety, and security CDAs against common threat vectors. The NRC staff concludes that the licensee's site is more secure after the implementation of Milestones 1 through 7 because the activities the licensee has completed mitigate the most significant cyber attack vectors for the most significant CDAs. Therefore, the staff has reasonable assurance that full implementation of the CSP by December 31, 2017, will provide adequate protection of the public health and safety and the common defense and security.

The licensee stated that the detail and depth of the technical analysis exceeds Entergy's prior understanding and necessitates a greater effort to achieve than Entergy anticipated when the current implementation schedule was developed. The NRC staff recognizes that CDA assessment work, including application of controls is more complex and resource intensive than Entergy anticipated. As a result, the licensee has a large number of additional tasks not considered when developing its current CSP implementation schedule. The staff concludes that the licensee's request for additional time to implement Milestone 8 is reasonable, given the complexity, volume, and scope of the remaining work required to fully implement its CSP.

The licensee proposed a Milestone 8 completion date of December 31, 2017. The licensee's prioritization of completion of work for CDAs follows the normal work management process that places the highest priority on apparent conditions adverse to quality in system, structure, and component design function and relates to factors such as safety risk and nuclear defense-in-depth. High focus continues to be maintained on prompt attention to any emergent issue with safety-related, security, and important to safety (including BOP) CDAs that would potentially challenge the established cyber protective barriers. The NRC staff concludes that the licensee's methodology for prioritizing work on CDAs is appropriate. The staff further concludes that the licensee's request to delay final implementation of the CSP until December 31, 2017, is reasonable, given the complexity of the remaining work and the licensee's resource constraints.

3.3 Technical Evaluation Conclusion Based on its review of the licensee's submittal, the NRC staff concludes that the licensee's request to delay full implementation of its CSP until December 31, 2017, is reasonable for the following reasons: (i) the licensee's implementation of Milestones 1 through 7 provides mitigation for significant cyber-attack vectors for the most significant CDAs; (ii) the scope of the work required to come into full compliance with the CSP implementation schedule was more complicated than the licensee anticipated when the current CSP implementation schedule was developed; and (iii) the licensee has reasonably prioritized and scheduled the work required to come into full compliance with its CSP implementation schedule. Therefore, the staff finds the proposed change acceptable.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the New York State official was notified of the proposed issuance of the amendment. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

This is an amendment of a 10 CFR Part 50 license that relates solely to safeguards matters and does not involve any significant construction impacts. This amendment is an administrative change to extend the date by which the licensee must have its cyber security plan fully implemented. Accordingly, this amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of this amendment.

6.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributor: John Rycyna, NSIR Date: April 12, 2016

April 12, 2016 Vice President, Operations Entergy Nuclear Operations, Inc.

Indian Point Energy Center 450 Broadway, GSB P.O. Box 249 Buchanan, NY 10511-0249

SUBJECT:

INDIAN POINT NUCLEAR GENERATING UNIT NOS. 1, 2 AND 3 - ISSUANCE OF AMENDMENTS RE: CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE (TAC NOS. MF6368, MF6369, AND MF6370)

Dear Sir or Madam:

The U.S. Nuclear Regulatory Commission (the Commission) has issued the enclosed Amendment No. 59 to Provisional Operating License No. DPR-5 for Indian Point Nuclear Generating Unit No. 1, Amendment No. 284 to Facility Operating License No. DPR-26 for the Indian Point Nuclear Generating Unit No. 2, and Amendment No. 260 to Facility Operating License No. DPR-64 for the Indian Point Nuclear Generating Unit No. 3. The amendments consist of changes to the Cyber Security Plan Milestone 8 full implementation date in response to your application dated June 16, 2015.

The amendments revise the Cyber Security Plan Milestone 8 full implementation date by extending the full implementation date from June 30, 2016, to December 31, 2017.

A copy of the related Safety Evaluation is enclosed. A Notice of Issuance will be included in the Commission's biweekly Federal Register notice.

Sincerely, IRA/

Douglas V. Pickett, Senior Project Manager Plant Licensing Branch 1-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos.50-003, 50-247, and 50-286

Enclosures:

1. Amendment No. 59 to DPR-5
2. Amendment No. 284 to DPR-26
3. Amendment No. 260 to DPR-64
4. Safety Evaluation cc w/enclosures: Distribution via Listserv DISTRIBUTION:

PUBLIC LPL 1-1 R/F RidsNrrDorl RidsNrrDorlLpl 1-1 RidsNrrDorlDpr RidsNrrPMlndianPoint RidsNrrLAKGoldstein RFelts, NSIR JRycyna, NSIR GDentel, R-1 RidsRgn1 MailCenter RidsACRS_MailCTR KConway, NMSS RidsNsirOd RidsNmssDuwpRDB RecordsAmend ADAMS A ccess1on No.: ML16064A215 *b>Y e-ma1 OFFICE DORL/LPL 1-1/PM DORL/LPL 1-1/LA NSIR/CSD/DD(A)* OGC-NLO NMSS/DUWP/RDB DORL/LPL 1-1/BC (subject to comments)

NAME DPickett KGoldstein JBeardsley JBielecki BWatson TT ate (LRonewicz for)

DATE 3/1/16 3/10/16 2/25/16 4/4/16 4/6/16 4/12/16 OFFICIAL RECORD COPY

Retrieved from "https://kanterella.com/w/index.php?title=ML16064A215&oldid=2629585"