ML18058A642

From kanterella

Enclosure 2: Palo Verde Nuclear Generating Station, Units 1, 2 & 3 - Cyber Security Plan, Rev. 3, Summary of Changes Report

Person / Time
Site: Palo Verde (Arizona Public Service)
Issue date: 02/16/2018
From: Arizona Public Service Co
To: Office of Nuclear Material Safety and Safeguards, Office of Nuclear Reactor Regulation
Shared Package: ML18054A146
References: 102-07651-MDD/MSC
Download: ML18058A642 (12)


Text

PVNGS Cyber Security Plan, Revision 3 Summary of Changes Report

1. Description of Changes made in Revision 3:

Each entry below gives the Page # & Location (Old / New), the Old Language, the Revised Language, and the Basis for Change(s).

Page 1

Old Language:
(NRC approval via License Amendment No. 185, as supplemented by change approved by License Amendment No. 190 [Ref. #20])

Revised Language:
(NRC approval via License Amendment No. 185, as supplemented by changes approved by License Amendment No. 190 [Ref. #20] and License Amendment No. 204 [Ref. #23])

Basis for Change(s):
ML# 17254A499, Palo Verde Nuclear Generating Station, Units 1, 2, and 3 - Issuance of Amendments to Modify the Completion Date for Implementation of Milestone 8 of the Cyber Security Plan (CAC Nos. MF9833, MF9834, and MF9835), dated September 27, 2017.

Page 15

Old Language:
For CDAs, the information in Sections 3.1.3 - 3.1.5 is utilized to analyze and document one or more of the following:
1. Implementing the cyber security controls in Appendices D and E of this Plan.
2. Implementing alternative controls/countermeasures that eliminate threat / attack vector(s) associated with one or more of the cyber security controls enumerated in (1) above by:
  a. Documenting the basis for employing alternative countermeasures;
  b. Performing and documenting the analyses of the CDA and alternative countermeasures to confirm that the countermeasures provide the same or greater cyber security protection as the corresponding cyber security control; and
  c. Implementing alternative countermeasures that provide at least the same degree of cyber security protection as the corresponding cyber security control;

Revised Language:
For CDAs, the information in Sections 3.1.3 - 3.1.5 is utilized to analyze and document one or more of the following actions. NEI 13-10 may be used to satisfy the actions in 3.1.6.
1. Implementing the cyber security controls in Appendices D and E of this Plan.
2. Implementing alternative controls/countermeasures that mitigate the consequences of the threat / attack vector(s) associated with one or more of the cyber security controls enumerated in (1) above by:
  a. Documenting the basis for employing alternative countermeasures;
  b. Performing and documenting the analyses of the CDA and alternative countermeasures to confirm that the countermeasures mitigate the threat/attack vector the control is intended to protect; and
  c. Implementing alternative countermeasures determined in Section 3.1.6.2.b;

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

Page 17

Old Language:
• CDAs providing safety and security functions are allocated to the highest defensive level, and are defended from lower defensive levels.

Revised Language:
• CDAs providing safety functions are allocated to the highest defensive level, and are defended from lower defensive levels.

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

Page 18

Old Language:
• Security architecture design incorporates unidirectional fail secure data flow devices/mechanisms.

Revised Language:
• Security architecture design incorporates unidirectional fail secure data flow devices/mechanisms with the exception of communication voice and data networks (systems) used by the Security organization to meet 10CFR73.55(j) (Communication requirements) and Security Plan requirements for onsite and offsite communications that require bi-directional communication to meet regulatory and plan requirements.

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.


Page 20/21

Old Language:
4.4.3.2 Vulnerability Scans

Electronic vulnerability scanning of CDAs is performed when security controls are first applied, and as required by specific guidance in the cyber security controls in Appendices D and E. When new vulnerabilities that could affect the cyber security posture of CDAs are identified, vulnerability scanning will be performed.

Vulnerability scan reports are analyzed and vulnerabilities that could result in a risk to SSEP functions at the site are remediated. Information obtained from the vulnerability scanning process is shared with appropriate personnel to ensure that similar vulnerabilities that may impact interconnected or similar CDA(s) are understood, evaluated and mitigated.

When there is a risk of operational disruption, electronic vulnerability scans are conducted during periods of scheduled outage. Test beds and vendor maintained environments may be used for or in substitution for performing vulnerability scans.

Assessment and scanning processes must not adversely impact SSEP functions. If this could occur, CDAs are removed from service or replicated (to the extent feasible) before assessment and scanning is conducted. If vulnerability assessments or scanning cannot be performed on a production CDA because of the potential for an adverse impact on SSEP functions, alternate controls (e.g., providing a replicated system or CDA to conduct scanning) are employed.

Revised Language:
4.4.3.2 Vulnerability Assessments and Scans

Vulnerability assessments or electronic vulnerability scanning of CDAs are performed as described in Appendix E, 12, "Evaluate and Manage Cyber Risk," when new vulnerabilities that could affect the cyber security posture of CDAs are identified.

When new vulnerabilities are discovered, the issue is documented in the Corrective Action Program (CAP). CAP evaluations should consider the threat vectors associated with the vulnerability. Vulnerabilities that pose a risk to SSEP functions are mitigated when the CAP evaluation concludes remediation is required to maintain adequate defense-in-depth. Information obtained from the vulnerability assessment or scanning process is shared with appropriate personnel to ensure that similar vulnerabilities that may impact interconnected or similar CDA(s) are understood, evaluated and mitigated.

Prior to performing vulnerability scans, risk of operational disruption must be considered. The assessment and scanning process must not adversely impact SSEP functions. If this could occur, CDAs are removed from service or replicated (to the extent feasible) before assessment and scanning is conducted. Scans should be conducted during scheduled outage periods. Development or test beds or vendor maintained environments may be used to perform vulnerability scans.

A vulnerability assessment may be used as a substitute for vulnerability scanning where there is risk of an adverse impact to SSEP functions, and when off-line, replicated or vendor test beds are not available. When new vulnerabilities are discovered, the vulnerability assessment considers the same threat vectors as the identified vulnerabilities. When vulnerability assessments are used to verify security controls, the assessment targets the threat vectors the security controls address. In both cases, the vulnerability assessment verifies that the vulnerability or threat vector is addressed to provide high assurance of adequate protection that SSEP functions are protected from cyber attacks up-to and including the Design Basis Threat.

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.


Page 33

Old Language:
1.2 ACCOUNT MANAGEMENT

This Technical cyber security control:
• Manages and documents CDA accounts, including authorizing, establishing, activating, modifying, reviewing, disabling, and removing accounts.
• Reviews CDA accounts consistent with the access control list provided in the design control package, access control program, cyber security procedures and initiates required actions on CDA accounts at least every 31 days.
• Requiring access rights to be job function based.
• Conducting reviews when an individual's job function changes to ensure that rights remain limited to the individual's job function.
• Employs computerized mechanisms that support CDA account management functions. The CDA will automatically:
  o Terminate emergency accounts within a maximum time period of inactivity at least every 31 days or at the point they are no longer required to support 1) a CDA disaster/attack recovery effort and/or 2) actions in response to a nuclear / natural (e.g. earthquake, flood, etc.) event, whichever is greatest. Emergency accounts may remain active for the life-cycle of 1) CDA disaster recovery activities and/or 2) activities required to recover from a nuclear / natural event. [PVNGS Addition]
  o Temporary / guest accounts are not allowed on CDAs
  o Disable inactive accounts within 31 days.
  o Create and protect audit records for account creation, deletion and modification,
  o Document and notify system administrators of account creation, deletion and modification activities. This is to make system administrators aware of any account modifications and can investigate potential cyber attacks.

Revised Language:
1.2 ACCOUNT MANAGEMENT

This Technical cyber security control:
• Manages and documents CDA accounts, including authorizing, establishing, activating, modifying, reviewing, disabling, and removing accounts.
• Reviews CDA accounts consistent with the access control list provided in the design control package, access control program, cyber security procedures and initiates required actions on temporary granted CDA accounts at least every 31 days.
• Licensee policies/procedures shall not allow temporary, guest, and emergency accounts unless their use is documented.
• Accounts on CDAs (Group or individual) shall only be authorized/terminated through station policies/procedures.
• Requiring access rights to be job function based.
• Any unauthorized accounts identified through an audit on a CDA will be documented in CAP for resolution.

For CDAs that do not utilize Centralized Account Management
• CDAs will use common role based group accounts to the extent possible. (Admin, User, Maintenance)
• Accounts will be used to enforce least privilege
• As a minimum, Accounts will be reviewed during maintenance/design activities where root/privileged level access is required.
• If individuals are granted unique access rights, then conduct reviews as individual's job function changes to ensure that rights remain limited to the individual's job function.

For CDAs that utilize Centralized Account Management
• Accounts will be reviewed every 31 days.
• Conduct reviews when an individual's job function changes to ensure that rights remain limited to the individual's job function.

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.
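The review terms of the 1.2 ACCOUNT MANAGEMENT control above (accounts checked against the design-package access control list, unauthorized accounts sent to CAP, documented use required for temporary/guest/emergency accounts, inactive accounts disabled within 31 days, and a 31-day review where accounts are centrally managed) turned into a runnable check over a constructed account inventory. This is example code written for this page, not PVNGS or NEI code; the inventory, ACL, account kinds and review date are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Thresholds stated in the 1.2 ACCOUNT MANAGEMENT control text.
REVIEW_INTERVAL_DAYS = 31      # "initiates required actions ... at least every 31 days"
INACTIVITY_LIMIT_DAYS = 31     # "Disable inactive accounts within 31 days"
SPECIAL_KINDS = ("temporary", "guest", "emergency")


@dataclass
class Account:
    name: str
    kind: str                    # "individual", "group", or one of SPECIAL_KINDS
    created: date
    last_logon: Optional[date]   # None: never logged on since creation
    last_review: Optional[date]  # None: never reviewed
    use_documented: bool = True  # only meaningful for SPECIAL_KINDS


@dataclass
class Finding:
    account: str
    issue: str
    action: str


def review_accounts(accounts: List[Account], acl: Set[str], today: date,
                    centralized: bool) -> List[Finding]:
    """Compare a CDA's account inventory with the authorized ACL and the
    31-day review/inactivity terms; return the findings a reviewer acts on."""
    findings: List[Finding] = []
    for acct in accounts:
        # Accounts not on the design-package ACL are unauthorized: CAP entry, no further checks.
        if acct.name not in acl:
            findings.append(Finding(acct.name, "not on access control list",
                                    "document in CAP for resolution"))
            continue
        # Temporary/guest/emergency accounts are allowed only with documented use.
        if acct.kind in SPECIAL_KINDS and not acct.use_documented:
            findings.append(Finding(acct.name, f"{acct.kind} account without documented use",
                                    "disable account; not permitted without documented use"))
        # Inactivity is measured from the last logon, or from creation if never used.
        idle_days = (today - (acct.last_logon or acct.created)).days
        if idle_days > INACTIVITY_LIMIT_DAYS:
            findings.append(Finding(acct.name, f"inactive for {idle_days} days",
                                    "disable account"))
        # Centrally managed CDAs review every account every 31 days; temporary
        # accounts get the 31-day review on every CDA (assumed reading of the text).
        if centralized or acct.kind == "temporary":
            review_age = (today - acct.last_review).days if acct.last_review else None
            if review_age is None or review_age > REVIEW_INTERVAL_DAYS:
                age_txt = ("never reviewed" if review_age is None
                           else f"last review {review_age} days ago")
                findings.append(Finding(acct.name, f"review overdue ({age_txt})",
                                        "review against ACL and job function"))
    return findings


# Constructed sample inventory (not real PVNGS data). The review date is the
# document's issue date, chosen only so the day arithmetic is easy to check.
TODAY = date(2018, 2, 16)
ACL = {"admin", "operator", "maint", "vendor_tmp"}
SAMPLE_ACCOUNTS = [
    Account("admin", "group", date(2017, 1, 1), date(2018, 2, 10), date(2018, 1, 20)),
    Account("operator", "individual", date(2017, 1, 1), date(2017, 12, 1), date(2018, 2, 1)),
    Account("maint", "group", date(2017, 1, 1), date(2018, 2, 15), date(2017, 12, 15)),
    Account("vendor_tmp", "temporary", date(2018, 2, 12), date(2018, 2, 14), None,
            use_documented=False),
    Account("legacy_svc", "individual", date(2016, 6, 1), date(2018, 2, 1), date(2018, 2, 1)),
]


def run_review(centralized: bool = True) -> List[Finding]:
    """Run the check over the constructed inventory for one CDA type."""
    return review_accounts(SAMPLE_ACCOUNTS, ACL, TODAY, centralized)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.account:12} {f.issue:45} -> {f.action}")
```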


Page 35

Old Language:
• Documents the justification and details for alternative controls/countermeasures where a CDA cannot support account/node locking or delayed login attempts. Where a CDA cannot perform account/node locking or delayed logins due to significant adverse impact on performance, safety, or reliability, alternative controls/countermeasures are employed to include:
  o Real time logging and recording of unsuccessful login attempts.
  o Real time alerting of designated personnel with the security expertise for the CDA through alarms when the number of defined consecutive invalid access attempts is exceeded.

Revised Language:
• Documents the justification and details for alternative controls/countermeasures where a CDA cannot support account/node locking or delayed login attempts where CDAs do not support centralized logging:
  o Alternative controls/countermeasures are employed including: 24x7 monitoring, located in a Vital Area, located within a locked cabinet, or other physical control.
• Where a CDA cannot perform account/node locking or delayed logins due to significant adverse impact on performance, safety, or reliability, alternative controls/countermeasures are employed to include:
  o Real time logging and recording of unsuccessful login attempts.
  o Real time alerting of designated personnel with the security expertise for the CDA through alarms when the number of defined consecutive invalid access attempts is exceeded.

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.


Page 35/36

Old Language:
1.8 SYSTEM USE NOTIFICATION

This Technical cyber security control:
• Displays a "System Use Notification" message before granting system access informing potential users:
  o That the user is accessing a restricted system.
  o That system usage may be monitored, recorded, and subject to audit.
  o That unauthorized use of CDAs is prohibited and subject to criminal and civil penalties, and
  o That the use of CDAs indicates consent to monitoring and recording.
• Ensures that CDA "System Use Notification" message provides privacy and security notices.
• Approves CDA "System Use Notification" message before its use.
• Ensures that CDA "System Use Notification" message remains on the screen until the user takes explicit actions to log on to the CDA.
• Installs physical notices where a CDA cannot support System Use Notifications.

1.9 PREVIOUS LOGON NOTIFICATION

This Technical cyber security control:
• Configures CDAs, upon successful logon, to display the date and time of the last log on and the number of unsuccessful logon attempts since the last successful logon.
• Administratively requires end users to report any suspicious activity to the Cyber Security Program Manager.

Revised Language:
1.8 SYSTEM USE NOTIFICATION

This Technical cyber security control:
• Where the design of the CDA supports the use of System Use Notification message and implementation does not have an adverse impact on the SSEP function:
  o Displays a "System Use Notification" message before granting system access informing potential users:
      o That the user is accessing a restricted system.
      o That system usage may be monitored, recorded, and subject to audit.
      o That unauthorized use of CDAs is prohibited and subject to criminal and civil penalties, and
      o That the use of CDAs indicates consent to monitoring and recording.
  o Ensures that CDA "System Use Notification" message provides privacy and security notices.
  o Approves CDA "System Use Notification" message before its use.
  o Ensures that CDA "System Use Notification" message remains on the screen until the user takes explicit actions to log on to the CDA.
• Installs physical notices at a central location to inform plant personnel of the potential consequences of unauthorized access to CDAs where System Use Notification are not provided on the CDA.

1.9 PREVIOUS LOGON NOTIFICATION

This Technical cyber security control:
• If the current design configuration of the CDA's operating system supports previous logon notification, then configures CDAs, upon successful logon, to display the date and time of the last logon and the number of unsuccessful logon attempts since the last successful logon.
• Administratively requires end users to report any suspicious activity to the Cyber Security Program Manager.

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

Page 37

Old Language:
1.14 AUTOMATED LABELING

This Technical cyber security control ensures hard and soft copy information in storage, in process, and in transmission is labeled.

Revised Language:
1.14 AUTOMATED LABELING

DELETED

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.


Page 41

Old Language:
• Configures CDAs so that auditable events are adequate to support after-the-fact investigations of security incidents, and
• Adjusts the events to be audited within the CDAs based on current threat information and ongoing assessments of risk.

Revised Language:
• Configures CDAs so that auditable events are adequate to support after-the-fact investigations of security incidents,
• Create and protect audit records for account creation, deletion and modification, and
• Adjusts the events to be audited within the CDAs based on current threat information and ongoing assessments of risk.

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

Page 42

Old Language:
2.5 RESPONSE TO AUDIT PROCESSING FAILURES

This Technical cyber security control:
• Ensures CDAs provide a warning when allocated audit record storage volume reaches a defined percentage of maximum audit record storage capacity, which is based on the function of how quickly storage capacity is consumed, and documents the organization's resources and response times.
• Ensures justification and details of alternate compensating security controls are documented where a CDA cannot respond to audit processing failures.
• Responses to audit failures include the use of an external system to provide these capabilities.
• Actions are taken to preserve the audit logs for record retention requirements and after-the-fact investigations.
• Ensures CDAs with auditing failures take the following additional actions:
  1. Shut down the CDA,
  2. Failover to a redundant CDA, where necessary to prevent adverse impact to safety, security or emergency preparedness functions,
  3. Overwrite, when necessary, the oldest audit record(s), and
  4. Stop generating audit records.

Revised Language:
2.5 RESPONSE TO AUDIT PROCESSING FAILURES

This Technical cyber security control manages responses to audit processing failures by performing the following:

For CDAs that are part of centralized logging, if audit processing capabilities fail for a CDA or security boundary device, alerts are sent to designated officials.
• If the design configuration of the CDA's supports, provide a warning when allocated audit record storage volume reaches a defined percentage of maximum audit record storage capacity. The storage volume limit is based on the function of how quickly storage capacity is consumed and the organization's resources and response times.
• If audit processing capabilities fail for a CDA or security boundary device, the following occurs:
  o Alerts are sent to designated officials in the event of an audit processing failure.
  o Auditing failures will be assessed and determination of the device functionality should follow the CAP process.
  o Auditing failures are treated as a failure of the CDA or security boundary device.
• Justification and details for alternate compensating security controls are documented for those instances in which a CDA cannot respond to audit processing failures.

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

Page 44

Old Language:
The time of CDAs are synchronized from a dedicated source protected at an equal or greater level than the CDA existing on the security network, attached directly to the CDA, or via SNTP and a trusted key management process.

Revised Language:
The time of CDAs are synchronized from a dedicated source protected at an equal or greater level than the CDA existing on the security network, attached directly to the CDA, via a GPS-based time server or via SNTP and a trusted key management process.

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

Page 45

Old Language:
3.2 APPLICATION PARTITIONING/SECURITY FUNCTION ISOLATION

This Technical cyber security control:
• Configures CDAs to separate applications into user functionality (including user interface services) and CDAs management functionality.
• Configures CDAs to isolate security functions from non-security functions. This is accomplished through partitions, domains, etc., including control of access to and integrity of the hardware, software, and firmware that perform these security functions.
• Configures CDAs to employ underlying hardware separation mechanisms to facilitate security function isolation.
• Configures CDAs to isolate critical security functions (i.e., functions enforcing access and information flow control) from both non-security functions and other security functions.
• Configures CDAs to minimize the number of non-security functions included within the isolation boundary containing security functions.
• Configures CDAs security functions as independent modules that avoid unnecessary interactions between modules.
• Configures CDAs security functions as a layered structure minimizing interactions between levels of the design and avoid any dependence by lower levels on the functionality or correctness of higher levels, or
• Implements alternative controls and documents the justification for alternative controls/countermeasures where a CDA cannot support security function isolation and implements the following:
  o Physically restricts access to the CDA,
  o Monitors and records physical access to the CDA to timely detect and respond to intrusions,
  o Uses auditing/validation measures (e.g., security guard rounds, periodic monitoring of tamper seals) to detect unauthorized access and modifications to the CDAs,
  o Ensures that individuals who have access to the CDA are qualified, and
  o Ensures that those individuals are trustworthy and reliable per 10 CFR 73.56.

Revised Language:
3.2 APPLICATION PARTITIONING/SECURITY FUNCTION ISOLATION

This Technical cyber security control:
• Configures CDAs to separate applications into user functionality (including user interface services) and CDAs management functionality.
• Configures CDAs to isolate security functions from non-security functions. This is accomplished through partitions, domains, etc., including control of access to and integrity of the hardware, software, and firmware that perform these security functions.
• Where a CDA cannot support security function isolation implements alternative physical controls, such as:
  o Physically restricts access to the CDA,
  o Monitors and records physical access to the CDA to timely detect and respond to intrusions,
  o Uses auditing/validation measures (e.g., security guard rounds, periodic monitoring of tamper seals) to detect unauthorized access and modifications to the CDAs,
  o Ensures that individuals who have access to the CDA are qualified, and
  o Ensures that those individuals are trustworthy and reliable per 10 CFR 73.56.

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

Page 46

Old Language:
3.5 RESOURCE PRIORITY

This Technical cyber security control configures CDAs to limit the use of resources by priority thus preventing lower-priority processes from delaying or interfering with the CDAs servicing of any higher-priority process.

Revised Language:
3.5 RESOURCE PRIORITY

DELETED

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

Page 48

Old Language:
3.5 THIN NODES

This Technical cyber security control configures CDAs and consoles to employ processing components that have minimal functionality and data storage.

Revised Language:
3.18 THIN NODES

DELETED

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

Page 48

Old Language:
3.20 HETEROGENEITY

This Technical cyber security control employs diverse information technologies in the implementation of CDAs.

Revised Language:
3.20 HETEROGENEITY

DELETED

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

3.21 FAIL IN KNOWN (SAFE) STATE

Old Language:
3.21 FAIL IN KNOWN (SAFE) STATE

This cyber security control ensures the following:
  • CDAs fail in a state that ensures that SSEP functions are not adversely impacted by the CDA's failure, and
  • A loss of availability, integrity, or confidentiality, in the event of a failure of the CDA or a component of the CDA is prevented.

Revised Language:
3.21 FAIL IN KNOWN (SAFE) STATE

DELETED

Page 65/66

Old Language:
5 PHYSICAL AND OPERATIONAL ENVIRONMENT PROTECTION

5.1 PHYSICAL AND OPERATIONAL ENVIRONMENT PROTECTION POLICIES AND PROCEDURES

For those CDAs located outside of the protected area, develop, implement, and review in accordance with 10 CFR 73.55(m), and updates:
  • A formal, documented physical and operational environment protection policy that addresses:
    o The purpose of the physical security program as it relates to protecting the CDAs;
    o The scope of the physical security program as it applies to the organization's staff and third-party contractors;
    o The roles, responsibilities and management accountability structure of the physical security program to ensure compliance with security policies and other regulatory commitments.
  • Formal, documented procedures to facilitate the implementation of the physical and operational environment protection policy and associated physical and operational environment protection security controls.

Revised Language:
5 PHYSICAL PROTECTION

This family of security controls implements and documents physical protections for CDAs located outside the protected area. Physical protections for CDAs located inside the protected area are provided by the Physical Security Plan to comply with 10CFR73.55.

5.1 PHYSICAL PROTECTION POLICIES AND PROCEDURES

This security control develops, implements, and reviews in accordance with 10 CFR 73.55(m), and updates:
  • A formal, documented physical protection policy that addresses:
    o The purpose of the physical security program as it relates to protecting the CDAs;
    o The scope of the physical security program as it applies to the organization's staff and third-party contractors;
    o The roles, responsibilities and management accountability structure of the physical security program to ensure compliance with security policies and other regulatory commitments.
  • Formal, documented procedures to facilitate the implementation of the physical protection policy and associated physical protection security controls.

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

Page 66

Old Language:
5.3 PHYSICAL & ENVIRONMENTAL PROTECTION

This security control consists of securing and documenting physical access to CDAs. Physical security controls (e.g., physically isolate environment, locked doors, etc.) are employed to limit access to CDAs and to prevent degradation of the operational environment which could impact the correct performance of CDAs (e.g., by temperature, humidity, dust, vibration, and electromagnetic interference or radio frequency interference).

Revised Language:
5.3 PHYSICAL PROTECTION

This security control consists of securing and documenting physical access to CDAs. Physical security controls (e.g., physically isolate environment, locked doors, etc.) are employed to limit access to CDAs.

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

Page 67

Old Language:
6 DEFENSE-IN-DEPTH

This security control implements and documents a defensive strategy that:
• Allocates the appropriate degree (i.e., level 4, 3, etc.) of cyber security protection to CDAs that carry out safety, important-to-safety, security, and emergency preparedness functions, and protect those CDAs from lower defensive levels.
• Controls/restricts remote access to CDAs located in the highest defensive level.
• Allocates at least the second highest degree of cyber security protection (i.e., level 3) to CDAs providing data acquisition functions and protect those CDAs from lower defensive levels.
• Allows only one-way direct data flow from higher security levels to lower security levels.
• Ensures that data flow from one level to other levels occurs through a device that enforces the security policy between levels and detect, prevent, delay, mitigate, and recover from a cyber attack coming from the lower security level.

Revised Language:
6 DEFENSE-IN-DEPTH

This security control implements and documents a defensive strategy that:
• Allocates the appropriate degree (i.e., level 4, 3, etc.) of cyber security protection to CDAs that carry out safety, important-to-safety, security, and emergency preparedness functions, and protect those CDAs from lower defensive levels.
• Controls/restricts remote access to CDAs located in the highest defensive level.
• Allocates at least the second highest degree of cyber security protection (i.e., level 3) to CDAs providing data acquisition functions and protect those CDAs from lower defensive levels.
• Allows only one-way direct data flow from the more secure to less secure security levels in accordance with Section 4.3 of the licensee's CSP.
• Ensures that data flow from one level to other levels occurs through a device that enforces the security policy between levels and detect, prevent, delay, mitigate, and recover from a cyber attack coming from the lower security level.

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

Page 69

Old Language:
  o Allows no information of any kind, including handshaking protocols, to be transferred directly from networks or systems existing at the lower security level to networks or systems existing at the higher security level;

Revised Language:
  o Allows no information of any kind, including handshaking protocols, to be transferred directly (i.e., without traversing the boundary control device) from networks or systems existing at the less secure level to networks or systems existing at the more secure level;

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

Page 74/75

Old Language:
8.5 CDA BACKUPS

This security control consists of:
• Conducting backups of user-level and system-level information.
• Backing up CDAs at an interval identified for the CDA or based on trigger events.
• Protecting backup information at the storage location.
• Testing and documenting backup information at an interval identified by no less than every 31 days to verify media reliability and information integrity.

Revised Language:
8.5 CDA BACKUPS

This security control consists of:
• Conducting backups of user-level and system-level information.
• Backing up CDAs at an interval identified for the CDA or based on trigger events.
• Protecting backup information at the storage location.
• Testing and documenting backup information at an interval identified in the licensee's procedures and justification is provided for the interval according to the licensee's assessments to verify media reliability and information integrity.

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

Page 84/85

Old Language:
This security control consists of establishing, implementing and documenting requirements to evaluate and address the following:
• Scan for access vulnerabilities in the CDAs no less frequently than every 92 days, and at random intervals, and as necessary when new vulnerabilities affecting the CDAs are identified and reported;
• Employ vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:

Revised Language:
This security control consists of establishing, implementing and documenting requirements to evaluate and address the following:
• Screen for applicable CDA vulnerability notices no less frequently than every 92 days, and at random intervals, and as necessary when new vulnerabilities affecting the CDAs are identified and reported;

For CDA Vulnerability Assessments:
• Ensure configuration information used to identify applicable cyber threats and vulnerabilities is accurate and updated when new CDAs are installed and placed into production.
• Ensure applicable threat and vulnerability information for CDAs is entered into the licensee Corrective Action Program (CAP) and evaluated in accordance with the fleet/site process.
• Ensure identified corrective actions required to mitigate threat vectors associated with applicable threat and vulnerability notifications and maintain adequate defense-in-depth are documented and tracked in CAP.

For CDA Vulnerability Scans, licensees should perform the following activities to the extent possible:
• Employ vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:

Basis for Change(s):
ADDENDUM 1 TO NEI 08-09, CYBER SECURITY PLAN FOR NUCLEAR POWER REACTORS, REVISION 6, DATED APRIL 2010.

Page 89
Old Language:
The extensive workload associated with full implementation of the Cyber Security Plan (CSP) requires prioritization to assure those activities that provide higher degrees of protection against radiological sabotage are performed first. Therefore the CSP implementation schedule will be implemented with two major milestone dates. The first milestone date of no later than December 31, 2012, includes the activities listed in the table below. The second milestone date, September 30, 2017, includes the completion of all remaining actions that result in the full implementation of the cyber security plan for all applicable Safety, Security, and Emergency Preparedness (SSEP) functions. This date also bounds the completion of all individual asset security control design remediation actions.

Revised Language:
The extensive workload associated with full implementation of the Cyber Security Plan (CSP) requires prioritization to assure those activities that provide higher degrees of protection against radiological sabotage are performed first. Therefore the CSP implementation schedule will be implemented with two major milestone dates. The first milestone date of no later than December 31, 2012, includes the activities listed in the table below. The second milestone date, December 31, 2017, includes the completion of all remaining actions that result in the full implementation of the cyber security plan for all applicable Safety, Security, and Emergency Preparedness (SSEP) functions. This date also bounds the completion of all individual asset security control design remediation actions. [Ref. #23]

Basis for Change(s):
ML# 17254A499, Palo Verde Nuclear Generating Station, Units 1, 2, and 3 - Issuance of Amendments to Modify the Completion Date for Implementation of Milestone 8 of the Cyber Security Plan (CAC Nos. MF9833, MF9834, and MF9835), dated September 27, 2017.

Page 92
Old Language:
September 30, 2017

Revised Language:
December 31, 2017

Basis for Change(s):
ML# 17254A499, Palo Verde Nuclear Generating Station, Units 1, 2, and 3 - Issuance of Amendments to Modify the Completion Date for Implementation of Milestone 8 of the Cyber Security Plan (CAC Nos. MF9833, MF9834, and MF9835), dated September 27, 2017.

Page 92
Old Language:
2) the approved and budgeted modification then enters the T+24 scheduled Outage Modification process which ensures that the cyber security modifications will be implemented over the next two years. (September 30, 2014 plus 1 year design/budget/schedule + 2 year scheduled outage modification process = September 30, 2017.

Revised Language:
2) the approved and budgeted modification then enters the T+24 scheduled Outage Modification process which ensures that the cyber security modifications will be implemented over the next two years. (September 30, 2014 plus 1 year design/budget/schedule + 2 year scheduled outage modification process = September 30, 2017. Subsequent LAR extended this date to December 31, 2017. [Ref. #23].

Basis for Change(s):
ML# 17254A499, Palo Verde Nuclear Generating Station, Units 1, 2, and 3 - Issuance of Amendments to Modify the Completion Date for Implementation of Milestone 8 of the Cyber Security Plan (CAC Nos. MF9833, MF9834, and MF9835), dated September 27, 2017.

2. Conclusion:

As can be seen from the List of Changes above, the changes made in Revision 3 of the PVNGS CSP did not result in a reduction in the level of effectiveness of the requirements in the CSP. This revision was made to incorporate Addendum 1 to NEI 08-09, Cyber Security Plan for Nuclear Power Reactors, Revision 6, dated April 2010. Addendum 1 to NEI 08-09 Revision 6 was endorsed by the NRC on April 25, 2017. It also incorporated ML# 17254A499, Palo Verde Nuclear Generating Station, Units 1, 2, and 3 - Issuance of Amendments to Modify the Completion Date for Implementation of Milestone 8 of the Cyber Security Plan (CAC Nos. MF9833, MF9834, and MF9835), dated September 27, 2017.