Issuance of Amendments 234 and 227 to Revise the Cyber Security Plan Milestone 8 Completion Date in the Facility Operating Licenses (CAC Nos. L53132 and L53133)

ML16252A207
Person / Time
Site:	San Onofre
Issue date:	01/23/2017
From:	Vaaler M Reactor Decommissioning Branch
To:	Thomas J. Palmisano SOUTHERN CALIFORNIA EDISON CO.
VAALER M, 415-3178, T-8F05
References
CAC L53132, CAC L53133
Download: ML16252A207 (32)
v • d • e

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 January 23, 2017 Mr. Thomas J. Palmisano Vice President and Chief Nuclear Officer Southern California Edison Company San Onofre Nuclear Generating Station P.O. Box 128 San Clemente, CA 92674-0128

SUBJECT:

SAN ONOFRE NUCLEAR GENERATING STATION, UNITS 2 AND 3 -

ISSUANCE OF AMENDMENTS TO REVISE THE CYBER SECURITY PLAN MILESTONE 8 COMPLETION DATE IN THE FACILITY OPERATING LICENSES (CAC NOS. L53132 AND L53133)

Dear Mr. Palmisano:

The U.S. Nuclear Regulatory Commission (NRC) has issued the enclosed Amendment No. 234 to Facility Operating License No. NPF-10 and Amendment No. 227 to Facility Operating License No. NPF-15 for the San Onofre Nuclear Generating Station (SONGS), Units 2 and 3, respectively. The amendments consist of changes to the Facility Operating Licenses in response to your application dated June 16, 2016 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML16172A075), as supplemented by letter dated September 6, 2016 (ADAMS Accession No. ML16252A288).

The amendments approve a revised schedule for implementation of the SONGS Cyber Security Plan (CSP) Milestone 8 and revise Paragraph 2.E in each of the Facility Operating Licenses to reflect this amended schedule. The SONGS CSP and associated implementation schedule for SONGS, Units 2 and 3, were previously approved by the NRC staff by letter dated July 28, 2011 (ADAMS Accession No. ML111960323), and further modified by letter dated October 1, 2015 (ADAMS Accession No. ML15209A935).

The NRC staff has determined that its documented safety evaluation does not contain Sensitive Security-Related Information (SUNSI) pursuant to Title 10 of the Code of Federal Regulations (10 CFR) Section 2.390, Public inspections, exemptions, requests for withholding.

T. Palmisano A copy of the related Safety Evaluation is provided in Enclosure 3. The Notice of Issuance will be included in the Commission's next biweekly Federal Register notice.

Sincerely,

/RA/

Marlayna G. Vaaler, Project Manager Reactor Decommissioning Branch Division of Decommissioning, Uranium Recovery and Waste Programs Office of Nuclear Material Safety and Safeguards Docket Nos. 50-361 and 50-362

Enclosures:

1. Amendment No. 234 to NPF-10

2. Amendment No. 227 to NPF-15

3. Safety Evaluation cc w/encls: Distribution via Listserv

ML16252A207 *by memo **by e-mail OFFICE NMSS/RDB/PM NMSS/DUWP/LA NSIR/CSD/DD OGC/NLO NMSS/RDB/BC NAME MVaaler CHolston JBeardsley* PJehle** BWatson DATE 9/1/2016 9/8/2016 12/19/2016 1/13/2017 1/23/2017 UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SOUTHERN CALIFORNIA EDISON COMPANY SAN DIEGO GAS AND ELECTRIC COMPANY THE CITY OF RIVERSIDE, CALIFORNIA DOCKET NO. 50-361 SAN ONOFRE NUCLEAR GENERATING STATION, UNIT 2 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 234 License No. NPF-10

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Southern California Edison Company, et al.

(SCE or the licensee), dated June 16, 2016, as supplemented by letter dated September 6, 2016, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commissions regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, as supplemented, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commissions regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51, Environmental Protection Regulations for Domestic Licensing and Related Regulatory Functions, of the Commissions regulations and all applicable requirements have been satisfied.

Enclosure 1

2. Accordingly, Facility Operating License No. NPF-10 is amended by changing the last sentence of paragraph 2.E to read as follows:

The SONGS CSP was approved by License Amendment No. 225, as supplemented by changes approved by License Amendments 231 and 234.

3. This license amendment is effective as of the date of its issuance and shall be implemented within 60 days of issuance, but no later than December 31, 2017.

FOR THE NUCLEAR REGULATORY COMMISSION

/RA/

Bruce A. Watson, CHP, Chief Reactor Decommissioning Branch Division of Decommissioning, Uranium Recovery and Waste Programs Office of Nuclear Material Safety and Safeguards

Attachment:

Change to Facility Operating License No. NPF-10 Date of Issuance: January 23, 2017

ATTACHMENT TO LICENSE AMENDMENT NO. 234 TO FACILITY OPERATING LICENSE NO. NPF-10 DOCKET NO. 50-361 Replace the following page of the Facility Operating License No. NPF-10 with the attached revised page. The revised page is identified by amendment number and contains marginal lines indicating the area of change.

Facility Operating License No NPF-10 REMOVE INSERT 9 9

E. SCE shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21 is entitled: "San Onofre Nuclear Generating Station Security, Training and Qualification, and Safeguards Contingency Plan, Revision 2, submitted by letter dated May 15, 2006. SCE shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The SONGS CSP was approved by License Amendment No. 225, as supplemented by changes approved by License Amendments 231 and 234.

Pursuant to NRC's Order EA-13-092, dated June 5, 2013, NRC reviewed and approved the license amendment 232 that permitted the security personnel of the licensee to possess and use certain specific firearms, ammunition, and other devices, such as large-capacity ammunition feeding devices, notwithstanding local, State, and certain Federal firearms laws that may prohibit such possession and use.

F. This license is subject to the following additional condition for the protection of the environment:

Before engaging in activities that may result in a significant adverse environmental impact that was not evaluated or that is significantly greater than that evaluated in the Final Environmental Statement, SCE shall provide a written notification of such activities to the NRC Office of Nuclear Reactor Regulation and receive written approval from that office before proceeding with such activities.

G. DELETED H. SCE shall notify the Commission, as soon as possible but not later than one hour, of any accident at this facility which could result in an unplanned release of quantities of fission products in excess of allowable limits for normal operation established by the Commission.

I. SCE shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

J. Deleted 1

• On September 29, 1983, the Safeguards Contingency Plan was made a separate, companion document to the Physical Security Plan pursuant to the authority of 10 CFR 50.54.

Amendment No. 234

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SOUTHERN CALIFORNIA EDISON COMPANY SAN DIEGO GAS AND ELECTRIC COMPANY THE CITY OF RIVERSIDE, CALIFORNIA DOCKET NO. 50-362 SAN ONOFRE NUCLEAR GENERATING STATION, UNIT 3 AMENDMENT TO FACILITY OPERATING LICENSE Amendment No. 227 License No. NPF-15

1. The Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment by Southern California Edison Company, et al.

(SCE or the licensee), dated June 16, 2016, as supplemented by letter dated September 6, 2016, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commissions regulations set forth in 10 CFR Chapter I; B. The facility will operate in conformity with the application, as supplemented, the provisions of the Act, and the rules and regulations of the Commission; C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commissions regulations; D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and E. The issuance of this amendment is in accordance with 10 CFR Part 51, Environmental Protection Regulations for Domestic Licensing and Related Regulatory Functions, of the Commissions regulations and all applicable requirements have been satisfied.

Enclosure 2

2. Accordingly, Facility Operating License No. NPF-15 is amended by changing the last sentence of paragraph 2.E to read as follows:

The SONGS CSP was approved by License Amendment No. 218, as supplemented by changes approved by License Amendments 224 and 227.

3. This license amendment is effective as of the date of its issuance and shall be implemented within 60 days of issuance, but no later than December 31, 2017.

FOR THE NUCLEAR REGULATORY COMMISSION

/RA/

Bruce A. Watson, CHP, Chief Reactor Decommissioning Branch Division of Decommissioning, Uranium Recovery and Waste Programs Office of Nuclear Material Safety and Safeguards

Attachment:

Change to Facility Operating License No. NPF-15 Date of Issuance: January 23, 2017

ATTACHMENT TO LICENSE AMENDMENT NO. 227 TO FACILITY OPERATING LICENSE NO. NPF-15 DOCKET NO. 50-362 Replace the following page of the Facility Operating License No. NPF-15 with the attached revised page. The revised page is identified by amendment number and contains marginal lines indicating the area of change.

Facility Operating License No. NPF-15 REMOVE INSERT 8 8

Report. These exemptions are authorized by law and will not endanger life or property or the common defense and security and are otherwise in the public interest.

Therefore, these exemptions are hereby granted. The facility will operate, to the extent authorized herein, in conformity with the application, as amended, the provisions of the Act, and the regulations of the Commission.

E. SCE shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification, and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p ). The combined set of plans, which contain Safeguards Information protected under 10 CFR 73.21 is entitled: "San Onofre Nuclear Generating Station Security, Training and Qualification, and Safeguards Contingency Plan, Revision 2," submitted by letter dated May 15, 2006. SCE shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The SONGS CSP was approved by License Amendment No. 218, as supplemented by changes approved by License Amendments 224 and 227.

Pursuant to NRC's Order EA-13-092, dated June 5, 2013, NRC reviewed and approved the license amendment 225 that permitted the security personnel of the licensee to possess and use certain specific firearms, ammunition, and other devices, such as large-capacity ammunition feeding devices, notwithstanding local, State, and certain Federal firearms laws that may prohibit such possession and use.

F. This license is subject to the following additional condition for the protection of the environment:

Before engaging in activities that may result in a significant adverse environmental impact that was not evaluated or that is significantly greater than that evaluated in the Final Environmental Statement, SCE shall provide a written notification of such activities to the NRC Office of Nuclear Reactor Regulation and receive written approval from that office before proceeding with such activities.

G. DELETED H. SCE shall notify the Commission, as soon as possible but not later than one hour, of any accident at this facility which could result in an unplanned release of quantities of fission products in excess of allowable limits for normal operation established by the Commission.

I. SCE shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

2

• On September 29, 1983, the Safeguards Contingency Plan was made a separate, companion document to the Physical Security Plan pursuant to the authority of 10 CFR 50.54.

Amendment No. 227

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 234 TO FACILITY OPERATING LICENSE NO. NPF-10 AND AMENDMENT NO. 227 TO FACILITY OPERATING LICENSE NO. NPF-15 SOUTHERN CALIFORNIA EDISON COMPANY SAN DIEGO GAS AND ELECTRIC COMPANY THE CITY OF RIVERSIDE, CALIFORNIA SAN ONOFRE NUCLEAR GENERATING STATION, UNITS 2 AND 3 DOCKET NOS. 50-361 AND 50-362

1.0 INTRODUCTION

By letter dated June 12, 2013 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML131640201), Southern California Edison (SCE, the licensee) submitted a certification to the U.S. Nuclear Regulatory Commission (NRC) indicating its intention to permanently cease power operations at the San Onofre Nuclear Generating Station, Units 2 and 3 (SONGS), as of June 7, 2013, pursuant to Title 10 of the Code of Federal Regulations (10 CFR) paragraph 50.82(a)(1)(i). By letters dated June 28, 2013 (ADAMS Accession No. ML13183A391), and July 22, 2013 (ADAMS Accession No. ML13204A304), SCE submitted certifications of permanent removal of fuel from the Unit 3 and Unit 2 reactor vessels as of October 5, 2012, and July 18, 2013, respectively, pursuant to 10 CFR 50.82(a)(1)(ii).

Upon docketing of these certifications, and pursuant to 10 CFR 50.82(a)(2), the SONGS Units 2 and 3 facility operating licenses no longer authorize operation of the reactors or emplacement or retention of fuel into the reactor vessels. Spent fuel is currently stored onsite in the spent fuel pools (SFPs) and in the onsite independent spent fuel storage installation (ISFSI).

By application dated June 16, 2016 (ADAMS Accession No. ML16172A075), as supplemented by letter dated September 6, 2016 (ADAMS Accession No. ML16252A288), the licensee requested a change to the facility operating licenses for SONGS, Units 2 and 3. The proposed change would revise the date of Cyber Security Plan (CSP) Implementation Schedule Milestone 8 to December 31, 2019, and update the associated license condition in the facility operating licenses. Milestone 8 of the CSP implementation schedule concerns the full implementation of the CSP.

Enclosure 3

The NRC staff previously reviewed and approved the licensees CSP implementation schedule for SONGS, Units 2 and 3, in License Amendment Nos. 225 and 218, which were approved by letter dated July 28, 2011 (ADAMS Accession No. ML111960323), concurrently with the incorporation of the CSP into the facilities current licensing bases. The SONGS CSP implementation schedule was further modified by License Amendment Nos. 231 and 224, which were approved by letter dated October 1, 2015 (ADAMS Accession No. ML15209A935).

The supplement to the current application, dated September 6, 2016, provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the staff's original proposed no significant hazards consideration determination as published in the Federal Register on August 2, 2016 (81 FR 50735).

2.0 REGULATORY EVALUATION

The NRC staff considered the following regulatory requirements and guidance during its review of the June 16, 2016, application to modify the existing SONGS CSP implementation schedule:

1) The regulations in 10 CFR 73.54, Protection of digital computer and communication systems and networks, state, in part, that: Each [CSP] submittal must include a proposed implementation schedule. Implementation of the licensees cyber security program must be consistent with the approved schedule.

2) License Amendment Nos. 225 and 218 for SONGS, Units 2 and 3, respectively, dated July 28, 2011, which approved the licensees CSP and implementation schedule, added the following text to the facility operating licenses for SONGS, Units 2 and 3:

SCE shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

3) In a publicly-available NRC memorandum from R. Felts to B. Westreich, dated October 24, 2013 (ADAMS Accession No. ML13295A467), the NRC staff listed the criteria to consider during evaluations of licensees requests to postpone their cyber security program implementation date (commonly known as Milestone 8). See Section 3.1 of this Safety Evaluation for details of these criteria.

4) The NRC staff does not regard the CSP milestone implementation dates as regulatory commitments that can be changed unilaterally by the licensee, particularly in light of the regulatory requirement at 10 CFR 73.54, that states, in part, [i]mplementation of the licensees cyber security program must be consistent with the approved schedule.

As the NRC staff explained in its letter to all operating reactor licensees dated May 9, 2011 (ADAMS Accession No. ML110980538), the implementation of the CSP, including the key intermediate milestone dates and the full implementation date shall be in accordance with the implementation schedule submitted by the licensee and approved by the NRC. Accordingly, all subsequent changes to the NRC-approved CSP implementation schedule will require prior NRC approval as required by 10 CFR 50.90, Application for amendment of license, construction permit, or early site permit.

3.0 TECHNICAL EVALUATION

3.1 Licensees Requested Change By License Amendment Nos. 225 (for Unit 2) and 218 (for Unit 3), the NRC staff approved the licensees CSP implementation schedule, as discussed in the safety evaluation issued concurrently with the amendment. The SONGS CSP implementation schedule was further modified by License Amendment Nos. 231 (for Unit 2) and 224 (for Unit 3), as discussed in the safety evaluation issued concurrently with the amendment, to extend the Implementation Schedule Milestone 8 date to December 31, 2017.

The initial SONGS CSP implementation schedule was submitted by SCE on July 22, 2010, as supplemented by letters dated September 29 and November 30, 2010, and March 31 and June 16, 2011 (ADAMS Accession Nos. ML102080039, ML102730183, ML103350155, ML11112A028, and ML11171A191, respectively). The SONGS CSP implementation schedule was based on a template prepared by the Nuclear Energy Institute (NEI) (ADAMS Accession No. ML110600218). The NRC staff found it acceptable for licensees to use the template to develop their CSP implementation schedules (see letter, R. P. Correia to C. E. Earls, dated March 1, 2011 (ADAMS Accession No. ML110070348)). The licensees initial implementation schedule from the July 22, 2010, submittal, as supplemented, for the SONGS CSP identified completion dates and bases for the following eight milestones:

1) Establish the Cyber Security Assessment Team (CSAT);

2) Identify Critical Systems (CSs) and Critical Digital Assets (CDAs);

3) Install a deterministic one-way device between lower level devices and higher level devices;

4) Implement the security control Access Control For Portable And Mobile Devices;

5) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds;

6) Identify, document, and implement cyber security controls in accordance with Mitigation of Vulnerabilities and Application of Cyber Security Controls for CDAs that could adversely impact the design function of physical security target set equipment;

7) Ongoing monitoring and assessment activities for those target set CDAs whose security controls have been implemented; and

8) Fully implement the CSP.

Currently, Milestone 8 of the licensees CSP requires SCE to fully implement the CSP by December 31, 2017. In its June 16, 2016, application, as supplemented, SCE requested to change the Milestone 8 completion date to December 31, 2019.

The licensees application, as supplemented, addressed each of the criteria identified in the NRCs October 24, 2013, guidance memorandum cited in Section 2.0, above, as follows:

1) Identification of the specific requirement or requirements of the cyber security plan that the licensee needs additional time to implement.

The licensee stated that the specific CSP requirements requiring additional time to implement are related to CSP, Section 3.1, Analyzing Digital Computer Systems and Networks and Applying Cyber Security Controls. There are currently approximately 2000 CDAs left at SONGS (reduced from approximately 3350 CDAs as described in SCE's previous extension request). SONGS is actively working to further reduce the number of CDAs to approximately 850 by the first quarter of 2017 as a result of the ongoing decommissioning activities at *the plant. An effort associated with the documentation of CDA assessment and analysis using the deterministic process in CSP, Section 3.1, is underway for each of the SONGS remaining CDAs.

However, the SONGS decommissioning plan supports moving the remaining spent fuel from the spent fuel pool to the newly constructed independent spent fuel storage installation (ISFSI) expansion by the end of 2019, with a potential early finish date of mid-2018. Once the transition to an ISFSl-only configuration is complete, a majority of the remaining CDAs will no longer be necessary and may be removed from service. The licensee stated that implementing mitigation activities for the current CDAs solely to meet the current Milestone 8 date only to remove the associated CDAs from service shortly thereafter in the ISFSl-only configuration is not an effective use of resources.

2) Detailed justification that describes the reason the licensee requires additional time to implement the specific requirement or requirements identified.

The licensee stated that the purpose of the SONGS CSP is to provide protection against cyber-attacks for CDAs in Structures, Systems, and Components (SSCs) that provide a significant Safety, Security, or Emergency Preparedness (SSEP) function at SONGS, Units 2 and 3, and the ISFSI. Following transition to an ISFSl-only configuration, Critical Systems (CS) that performed SSEP functions at SONGS, Units 2 and 3, will no longer be required and, consequently, the current CDAs associated with those functions will no longer need to be protected subject to 10 CFR 73.54.

The SONGS decommissioning plan supports moving the spent fuel from the spent fuel pool to the ISFSI by the end of 2019 (with a potential early finish date of mid-2018) at which time implemented system mitigations associated with SSEP functions at SONGS, Units 2 and 3, (i.e., a majority of mitigations) will be removed from service. As the decommissioning agent, SONGS believes that allocating resources to mitigation of CDAs that will shortly be removed from service is not a prudent use of resources. The proposed extension would allow SCE to forego mitigation of those CDAs that would no longer be required in an ISFSl-only configuration, as the associated SSEP functions would be eliminated by transition to an ISFSl-only configuration prior to the time that the mitigations are required to be completed. SCE further notes the significantly reduced risk profile presented by SONGS in the permanently shutdown configuration.

3) A proposed completion date for Milestone 8 consistent with the remaining scope of work to be conducted and the resources available.

The licensee proposed a Milestone 8 completion date of December 31, 2019, in order to help to avoid the diversion of resources needed to assess and mitigate those CDAs slated for retirement in the ISFSI-only configuration that will not be fully retired by the current Milestone 8 completion date of December 31, 2017.

4) An evaluation of the impact that the additional time to implement the requirements will have on the effectiveness of the licensees overall cyber security program in the context of milestones already completed.

The licensee stated that, based on the cyber security implementation activities already completed, and completion of activities already in progress, SONGS is cyber secure and SCE will continue to ensure that digital computer and communication systems and networks are adequately protected against cyber attacks during implementation of the remainder of the program by the proposed Milestone 8 date of December 31, 2019. The licensee stated that the implementation of the completed milestones provides a high degree of protection against cyber attacks.

SONGS successfully completed the implementation of Interim Milestones 1 through 7 by December 31, 2012, as approved by the NRC and described in License Condition 2.E.

The implementation of these milestones provides a high degree of protection against cyber attacks. Implementation of Milestone 8 (Full Program Implementation) is in progress. Assessments for all remaining CDAs are underway and will be completed by the currently required implementation date of December 31, 2017. The CSP infrastructure integrating the cyber security procedures and training into the plant processes is underway and will be completed by the current Milestone 8 completion date of December 31, 2017 (ready for implementation, if needed]). The new spent fuel pool island cooling system CDAs have been assessed and mitigated.

Additionally, SONGS has fully implemented the 10 CFR 73.77 Cyber Security Event Notification rule, which provides the NRC with notification of cyber attacks in order to inform the U.S. Department of Homeland Security (DHS), federal intelligence and law enforcement agencies of cyber security-related events that could (1) endanger public health and safety or the common defense and security, (2) provide information for threat assessment processes, or (3) generate public or media inquiries. Based on the above measures to implement the CSP milestones, the NRC staff has determined that the impact of the proposed extension to the implementation of Milestone 8 on the effectiveness of the overall cyber security program at SONGS will be minimal.

5) A description of the licensees methodology for prioritizing completion of work for critical digital assets associated with significant safety security, or emergency preparedness consequences and with reactivity effects in the balance of plant.

The licensee stated that all Safety Related CDAs have been removed from service in the portions of the facility that are already undergoing decommissioning activities since

SONGS is in a permanently shutdown and defueled condition. All spent fuel is expected to be in dry storage by the end of 2019 (with a potential early finish date of mid-2018).

Since permanent cessation of operations, several major changes have taken place at SONGS. Safety-related structures, systems, and components have largely been re-classified as non-safety-related and removed from service. Due to the more than four years of decay time since the last operation of the reactors the decay heat load has significantly decreased in the spent fuel pools. The time-to-boil in the spent fuel pool has consequently increased from a matter of a few hours to several days.

All remaining CDAs related to the maintenance and security of the spent fuel pool are being assessed and mitigated commensurate with their importance to safety. These assessments are currently scheduled to be complete by the existing Milestone 8 completion date of December 31, 2017. The NRC staff finds that based on the large number of digital assets already assessed, and the fact that a smaller number of CDAs will remain when the facility is in the ISFSI-only configuration, the licensees methodology for scheduling the remaining work on CDAs is appropriate.

6) A discussion of the licensees cyber security program performance up to the date of the license amendment request.

The licensee stated that the Interim Milestones 1 through 7 activities completed by December 31, 2012, provide a high degree of protection against cyber security related attacks during implementation of the remaining program. The licensee provided discussions concerning the implementation of completed milestones and discussed the April 15, 2013 (ADAMS Accession No. ML13105A433), inspection report prepared by the NRC concerning the SONGS implementation of Milestones 1 through 7, and no NRC-identified or self-revealing findings were identified during the inspection.

While a single licensee-identified violation was listed in the inspection report, the NRC determined the violation to be of very low security significance (i.e., Green as determined by the Physical Protection Significance Determination Process) and was treated as a non-cited violation. Inspection observations were entered into the SONGS corrective action program (CAP). An independent self-assessment of the program for Implementation Milestones 1 through 7 has been performed by SCE, and all identified findings and recommendations are either complete or being tracked to completion in the SONGS CAP.

7) A discussion of cyber security issues pending in the licensees CAP.

The licensee stated that the SONGS CAP is used to document cyber issues to trend, correct, and improve the SONGS cyber security program. Ongoing monitoring and time based periodic actions provide continuing program performance monitoring, and the CAP database documents and tracks, from initiation through closure, all cyber security required actions, including issues identified during ongoing program assessment activities. Adverse trends are monitored for program improvement and addressed via the CAP process. The licensee also provided examples of issues and activities pending and resolved in the SONGS CAP.

8) A discussion of modifications completed to support the cyber security program and a discussion of pending cyber security modifications.

The licensee provided a brief discussion of completed modifications and pending modifications, including those related to ISFSI security in support of the CSP, which will be based on completion of the CDA assessments currently in progress.

3.2 NRC Staff Evaluation of Requested Change The NRC staff evaluated the licensees application, as supplemented, using the regulatory requirements and guidance cited in Section 2.0 of this Safety Evaluation. The licensee stated that the CSP requirement regarding additional time to implement is found in CSP, Section 3.1, Analyzing Digital Computer Systems and Networks Applying Cyber Security Controls. The licensee provided a list of additional activities required to implement the CSP requirement.

The licensee indicated in its application that completed activities associated with the CSP, as described in Milestones 1 through 7, and completed prior to December 31, 2012, provide a high degree of protection and that the most significant digital computer and communication systems and networks associated with SSEP systems are already protected against cyber attacks while SONGS implements the full program. The licensee also detailed activities completed for each milestone and provided details about the completed milestones and elements. On this basis, the NRC staff finds that the licensees site is more secure after implementation of Milestones 1 through 7 at SONGS because the activities that the licensee completed will mitigate the most significant cyber attack vectors for the most significant CDAs. In addition, the site is more secure because of the significantly reduced risk profile presented by SONGS in the permanently shutdown and defueled configuration.

The licensee proposed a Milestone 8 completion date of December 31, 2019. The NRC staff has had extensive interaction with the nuclear industry since licensees first developed their CSP implementation schedules. Based on this interaction, the NRC staff recognizes that CDA assessment work is much more complex and resource-intensive than originally anticipated. In addition, due to the unplanned permanent shutdown of SONGS, Units 2 and 3, the licensee has a large number of additional tasks that it did not consider when it originally developed its CSP implementation schedule. The NRC staff concludes that the licensees request for additional time to implement Milestone 8 is reasonable, given the effectiveness of the SONGS CSP with Milestones 1 through 7 already in place, the reduced risk profile in the permanently shutdown configuration, and the unanticipated complexity and scope of work required to come into full compliance with the current CSP.

The NRC staff further finds that the licensees request to delay final implementation of the CSP until December 31, 2019, is reasonable. In reaching this finding, the staff considered: (1) the need to perform design changes during decommissioning activities; (2) the status of the plant and the cyber security program; (3) the completion of the cyber security remediation of the Plant Security System; (4) the reduced fire risk; (5) the time since last reactor operation; and (6) the significantly reduced risk profile presented by SONGS in the permanently shutdown and defueled configuration. Therefore, the NRC has reasonable assurance that full implementation of the CSP by December 31, 2019, will provide adequate protection of the public health and safety and the common defense and security.

3.3 Revision to License Conditions By letter dated June 16, 2016, the licensee proposed to modify Paragraph 2.E of Facility Operating License Nos. NPF-10 and NPF-15 with a license condition requiring the licensee to fully implement and maintain in effect all provisions of the NRC-approved CSP.

The licensee proposed to modify part of License Condition 2.E of Facility Operating License No. NPF-10, as follows:

SCE shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The SONGS CSP was approved by License Amendment No. 225, as supplemented by changes approved by License Amendments 231 and 234.

The licensee proposed to modify part of License Condition 2.E of Facility Operating License No. NPF-15, as follows:

SCE shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The SONGS CSP was approved by License Amendment No. 218, as supplemented by changes approved by License Amendments 224 and 227.

3.4 Summary of Technical Evaluation The NRC staff has determined that the licensees request to delay full implementation of its CSP until December 31, 2019, is reasonable for the following reasons: (i) the licensees implementation of Milestones 1 through 7 already provides mitigation for significant cyber attack vectors for the most significant CDAs, as discussed above; (ii) the status of the cyber security program, the completion of the cyber security remediation of the Plant Security System, the significantly reduced risk profile presented by SONGS in the permanently shutdown configuration, and the time since last reactor operation ensures that SONGS is cyber secure; (iii) the licensee has reasonably prioritized and scheduled the work required to come into full compliance with its CSP implementation schedule; (iv) the scope of the work required to come into full compliance with the CSP implementation schedule was much more complicated than anticipated and not reasonably foreseeable when the CSP implementation schedule was originally developed; and (v) the licensee is utilizing tools to sufficiently manage the impact of the requested additional implementation time on the overall CSP.

Based on its review of the application, as supplemented, the NRC staff concludes that the licensees implementation of Milestones 1 through 7 has added additional protection that provides mitigation for significant cyber attack vectors for the most significant CDAs, that the licensees explanation of the need for additional time to complete Milestone 8 given the transfer to an ISFSI-only configuration by the end of 2019, is compelling, and that it is acceptable for the licensee to complete implementation of Milestone 8, full implementation of the CSP, by December 31, 2019. The NRC staff also concludes that, upon full implementation of the licensees cyber security program, the requirements of the licensees CSP and 10 CFR 73.54

will be met. Therefore, the NRC staff finds the proposed change to the completion date for full implementation of the SONGS CSP acceptable.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the California State official was notified by email on December 16, 2016, of the proposed issuance of the amendments. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

The amendments to the SONGS 10 CFR Part 50 facility operating licenses relate solely to safeguards matters and do not involve any significant construction impacts. The amendments are administrative changes to extend the date by which the licensee must have its Cyber Security Program fully implemented. The Commission has previously issued a proposed finding that the amendments involve no significant hazards consideration, and there have been no public comments on such finding, which was published in the Federal Register on August 2, 2016 (81 FR 50735). Accordingly, the amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(12). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments.

6.0 CONCLUSION

The NRC staff has concluded, based on the considerations discussed above, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributor: John Rycyna, NSIR Date: January 23, 2017