ML20137Z874

Expresses Appreciation for Opportunity to Participate in Important Efforts Re Infrastructure Vulnerability. Response to Questionnaire Encl
ML20137Z874
Person / Time
Issue date: 04/10/1997
From: Shirley Ann Jackson, The Chairman
NRC COMMISSION (OCM)
To: Marsh R
AFFILIATION NOT ASSIGNED
Shared Package
ML20137Z880 List:
References
NUDOCS 9704250131


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

April 10, 1997

CHAIRMAN

Mr. Robert T. Marsh, Chairman
President's Commission on Critical Infrastructure Protection
P.O. Box 46258
Washington, D.C. 20050-6258

Dear Chairman Marsh:

Thank you for the opportunity to participate in your important efforts regarding infrastructure vulnerability. The U.S. Nuclear Regulatory Commission is committed to ensuring that the nation's nuclear power reactor operations are conducted in a safe manner, and effective nuclear safeguards are an important component in that effort to protect public health and safety.

Our response to your questionnaire is enclosed, and if you have additional questions, please contact Mr. John J. Davidson of our Safeguards staff at (301) 415-8130.

Sincerely,

Shirley Ann Jackson

Enclosure: As stated


NUCLEAR REGULATORY COMMISSION RESPONSE TO THE PRESIDENT'S COMMISSION ON CRITICAL INFRASTRUCTURE PROTECTION QUESTIONNAIRE FOR UTILITY REGULATORY AGENCIES

MEMBERSHIP

1. Please describe the regulatory jurisdiction of your agency, its annual budget and number of employees, and attach a list of your commissioners and key staff.

Response: The mission of the Nuclear Regulatory Commission is to ensure that civilian uses of nuclear materials in the United States -- in the operation of nuclear power plants and fuel cycle operations, and in medical, industrial, and research applications -- are carried out with adequate protection of public health and safety, and the environment, and include protecting and safeguarding nuclear materials and nuclear power plants in the interest of national security. NRC accomplishes its responsibilities through the licensing and regulatory oversight of nuclear reactor operations and other activities involving the possession and use of nuclear materials and wastes, the safeguarding of nuclear materials and facilities from theft and/or sabotage, the issuance of rules and standards; and by inspection and enforcement actions.

FY97 Budget: $476.8 million.

Staff: 3061 FTE.

Commissioners:
Chairman Shirley Ann Jackson
Commissioner Kenneth C. Rogers
Commissioner Greta J. Dicus
Commissioner Nils J. Diaz
Commissioner Edward McGaffigan, Jr.

Executive Director for Operations: Mr. L. Joseph Callan

THREATS AND VULNERABILITIES

2. What are the physical and cyber threats to, and vulnerabilities of, the critical infrastructures of your regulated utilities? What reports have been prepared by your agency or others regarding these threats and vulnerabilities? What are the critical links in the infrastructure that may underlie a vulnerability?

Response: Although no significant credible threat to NRC-licensed facilities or materials has been identified, prudence dictates that physical security for nuclear material and facilities be required according to the potential risk to public health and safety and common defense and security. Absent a credible or "real" threat to nuclear facilities or materials, staff defined design basis threats (DBTs) based on a comprehensive survey and analysis of threats, acts of terrorism, or other violent criminal acts. The DBTs are enumerated in 10 CFR 73.1. Using these DBTs, NRC-licensed power reactor facilities must design a physical protection system that includes components outlined in 10 CFR 73.55. Studies addressing the development of the DBTs include the "Generic Adversary Characteristics Study," and the "Insider Study."

In addition, through its licensing and regulatory requirements, the NRC requires power reactor facilities to implement and maintain backup power sources to provide essential power for the facility in the event of the loss of offsite power. Although these requirements do not address power grid reliability, they do ensure that the power reactor facilities can cope with, and withstand, challenges to the power grid.

Regarding cyber threats, efforts to more closely examine this issue have been initiated to determine its significance to NRC-licensed facilities. It can be noted for the facilities themselves that nuclear power plant instrumentation and control systems, whether computer-based or analog, are not generally vulnerable to external tampering or sources of degradation.

3. What changes in civil and criminal laws would you recommend to afford greater protection for critical infrastructures?

Response: NRC does not recommend any changes at this time.

STRATEGIES

4. What action could your agency take to assist your regulatory utilities in protecting their critical infrastructures against physical and cyber threats? Would your agency assist in publicizing the urgent need to protect against such threats? Should there be industry-wide infrastructure assurance standards to protect against such threats? If so, would your agency assist in the development of such standards? Does your agency have the authority to mandate compliance with such standards by its regulated utilities?

Response: NRC actions to assist its regulated utilities in protecting their critical infrastructure are limited to the power reactor facilities and do not address potential vulnerabilities in the energy distribution system. NRC currently requires the implementation of measures at power reactors and does not have the authority to initiate any actions regarding perceived vulnerabilities in the electrical distribution grid. Regarding cyber threats, as noted in response to question 2. above, nuclear power plant instrumentation and control systems are not generally vulnerable to external tampering or sources of degradation. If a significant vulnerability to a cyber threat were identified, NRC would take appropriate followup action to ensure adequate protection for public health and safety. Regarding the issue of publicizing the urgent need to protect against such threats, NRC has already publicized the need to protect against such threats and our requirements in this area are published in 10 CFR Part 70. Turning to assurance standards, current physical protection requirements, enumerated in 10 CFR 73.55, establish a standard level of protection for nuclear power reactor facilities nationwide, but as noted in the outset of this response, this level of protection does not extend to the energy distribution system. In addition to physical protection requirements, through routine physical protection inspections and other forms of evaluations, NRC staff ensures that implemented physical protection systems at power reactor licensees are adequate and that compliance with NRC physical protection requirements is maintained. If deficiencies in physical protection systems are noted or violations of NRC physical protection requirements are identified, a range of response or enforcement options is available to NRC.

At this time NRC has no recommendation concerning the need for industry-wide infrastructure assurance standards.

PUBLIC-PRIVATE SECTOR COOPERATION

5. What problems would be created if the public and private sectors were to jointly ensure adequate protection of critical infrastructures (both physical and cyber)?

Response: The public (NRC) and private sector (nuclear utilities) already work together in the area of physical protection, and NRC considers nuclear power reactors to be protected adequately against the DBT for radiological sabotage.

6. How could the public and private sectors share specific threat and vulnerability information, on a non-adversarial and non-attribution basis, and pursue solutions to adequately protect these infrastructures? What role should your agency perform in gathering and sharing information?

Response: NRC periodically has disseminated threat-related information, in the form of an Advisory, to licensees, whenever the need has arisen, usually based on information provided by the Federal Bureau of Investigation (FBI).

In other circumstances, threat-related information has been provided to certain licensees by NRC and the FBI. NRC routinely monitors the threat environment and maintains an active liaison program with Federal agencies concerned with counterterrorism. As noted above, information in unclassified form periodically is provided to licensees.

7. What types of model security guidelines, either physical or cyber, has your agency developed? Are these guidelines mandatory or voluntary, and to what extent have they been implemented? What issues should be considered in order for the public and private sectors to effectively address these threats (e.g., regulatory or antitrust issues, incentives for private sector to better assure critical infrastructures, liability insurance)?

Response: See 10 CFR references in 2. above. Additional guidance also has been prepared by NRC. This guidance includes a Standard Review Plan that provides references to specific guidance on selected topics relating to physical protection systems; generic letters to power reactor licensees; regulatory guides on specific issues; and information notices and bulletins on timely contemporaneous subjects. These various forms of guidance may require mandatory action on the part of the power reactor licensee or may merely provide suggested ways in which compliance may be achieved. The legal mandate for NRC to require physical protection at nuclear power reactors was provided in the Atomic Energy Act of 1954, as amended, and in the Energy Reorganization Act of 1974. Again, it must be emphasized that this array of guidance is directed at physical protection at the power reactor facility and not the energy distribution system.

8. What action could the government take to facilitate protection of our critical infrastructures (e.g., sharing intelligence information, tax incentives for infrastructure protection, crisis assistance)?

Response: No recommendations at this time.

9. What actions would you recommend the government not take?

Response: Infrastructure vulnerability has been addressed by a number of agencies and interagency committees in the past. These efforts should be reviewed and consolidated before substantial new efforts are undertaken.

STUDIES

10. Has your organization published, or does it plan to publish, any studies on the protection of critical infrastructures? If so, please identify. Such studies can be held in confidence by the PCCIP, without disclosure pursuant to Freedom of Information requests, because it is a part of the Office of the President.

Response: No.

11. Are you aware of such studies by other organizations that the PCCIP should examine? If so, please identify.

Response: The U.S. Department of Energy has been active in the area of infrastructure vulnerability and may have completed studies or reports of infrastructure vulnerabilities.

CONCLUSION

12. Do you have any other comments regarding this topic?

Response: NRC has no additional comments at this time.