ML21118A966

Meeting Summary on NRC Draft Inspection Procedure 71130.10, Cyber Security
ML21118A966
Person / Time
Issue date: 05/05/2021
From: Mark Lintz
NRC/NRR/DRO/IOEB
To: Jim Beardsley
NRC/NSIR/DPCP/CSB
Lintz M
Shared Package
ML21118A139 List:


Text

U.S. Nuclear Regulatory Commission Public Meeting Summary

Title: Notice of Virtual Meeting to Discuss Meeting on NRC Draft Inspection Procedure 71130.10, Cyber Security

Meeting Identifier: 759363953

Date of Meeting: April 01, 2021, 1:00 PM to 2:00 PM

Location: Virtual Meeting via Teams

Type of Meeting: Observation

Purpose of the Meeting:

The purpose of this meeting is to discuss with the Nuclear Energy Institute (NEI), the industry, and the public the implementation of the U.S. Nuclear Regulatory Commission (NRC) Draft Inspection Procedure (IP) 71130.10, Cyber Security.

General Details:

The NRC staff conducted a virtual public meeting with the NEI, industry and public stakeholders to discuss the implementation of the NRC Draft IP 71130.10, Cyber Security. Mark Lintz from the Cyber Security Branch, Office of Nuclear Security and Incident Response (NSIR), began the meeting by thanking all the participants and attendees. Due to the complexity of the online format, participant introductions were not conducted. Instructions for the format and procedures for participating in the meeting were provided.

Shana Helton, Director, Division of Physical and Cyber Security Policy, provided opening remarks. She thanked the attendees for participating in the efforts to improve the draft IP. She provided a brief summary of the power reactor cyber security program implementation since 2013. Ms. Helton noted that the draft IP introduced performance metrics and performance testing, which are intended to provide the staff with additional insight into the effective implementation of power reactor cyber security programs. She concluded by saying that the NRC is open to future interactions with the stakeholders to ensure that there is a good shared understanding of the new IP.

James Beardsley, Chief, Cyber Security Branch, NSIR, provided more detail on the history of the NRC cyber security oversight program. He mentioned that the NRC is trying to incorporate performance information into the cyber security inspection program that, to date, has been more compliance-based. Mr. Beardsley noted that the new procedure reduced the inspections from two weeks to one and shifted inspections from triennial to biennial. He stated that the staff goal is to get the draft IP through the internal review and concurrence process by early July, then to work with industry to schedule table-top meetings and to discuss implementation of the IP. Mr. Beardsley added that the staff wanted to complete the table-top exercises in fall 2021, providing time to evaluate lessons learned for potential IP updates to support new inspections beginning in January 2022.


Ralph Costello, Cyber Security Branch, explained that a working group, composed of subject matter experts from NRC headquarters and the regions, developed this draft IP. He also discussed the shift to performance-based oversight and performance metrics.

Mr. Beardsley discussed performance-informed initiatives in the draft IP. The goal was to focus on the on-going operation of the cyber security program. The previous inspection program looked at both on-going operation and the development and implementation of the cyber security programs. To address performance, the staff developed two areas that are expected to provide valuable input on program implementation. First, the staff will evaluate licensee performance based on the metrics that they use to manage cyber security program implementation. The staff looked at the inspection program, the elements in the IP, and the licensee cyber security plans, which are in their license commitment, and drafted metrics that will demonstrate effective licensee conduct of their cyber security program. The base inspection team consists of two inspectors and two contractors. If the licensee provides metrics that meet the intent of the IP, then the staff will reduce the inspection team by one contractor. Second, the staff would evaluate licensee performance testing to demonstrate effective program implementation. If the licensee sets up a test bed to conduct testing and provides a report on testing results to the inspection team, the staff expects that this will enable several IP requirements to be met. Use of performance testing information would reduce the inspection team by one inspector. He stressed that staff wants industry feedback on how the staff has structured this approach and how clear the requirements are in the IP.

The meeting was opened to the industry and other stakeholders for their feedback on the draft IP. Rick Mogavero, NEI, noted that, in the current cyber security program, most nuclear power plants have now been inspected twice, and that these inspections have resulted in findings that are both low in number and in significance. The results have led to a more informed effort in developing the draft IP. The draft IP appears to capture the essence of what was proposed in the NEI Cyber Security Program Performance Review Document. He then stated that inspection efficiency could be improved by eliminating overlapping inspection areas. He added that the industry has concerns about resource allocation and scope in the IP and wants the staff to verify that the IP resource estimate accurately reflects the actual inspection complement and hours on site. Mr. Mogavero acknowledged the performance metrics and performance testing portions of the IP and stated that the industry is clear as to the intended purpose of these two new areas. Regarding testing, he added that more specifics would help both industry and inspectors. Mr. Mogavero noted that industry practices focus on program efficiency and may not match the IP metrics as currently written. The industry could face a major burden to rewrite their programs to match the IP. He closed by adding that the NEI will submit a letter to the staff with industry comments on inspection clarity.

Alexandria Corl, Exelon, asked about the environment of performance-based testing, and whether the test bed need be plant-specific. Jim Beardsley responded that his expectation is that each licensee would conduct testing to demonstrate that the installed technology is effectively performing the tasks that it is designed to perform. That testing could use a generic test environment and apply to multiple sites.

Steve Flickinger, Exelon, noted the potential operational risk of the metrics. In the case of a CDA that is in-service on an operating system, the industry would not want to elevate the chance of a human performance error that would compromise reactor safety.

Jason Castro noted that some sections in the IP do not specify inspection areas, leaving it open to interpretation, though a request for information could clarify this. He then noted that Section 3.6 a/b implies the exclusion of some tested areas, while allowing the inspectors to include those same areas in the on-site inspection, and asked the staff to review that section. He added that 3.6 b contains a provision for a reduction in the inspection team, while 3.6 a does not; he suggested that both sections should have the same provision for reduction.

Jim Beardsley provided closing remarks. He stated that he appreciated all the comments that had been received, and that all would be evaluated for incorporation into the IP. The staff desires clarity in the IP. Although the IP is used primarily by the staff, if the industry does not understand the requirements, then it is difficult for a licensee to prepare for inspection. Mr. Beardsley reviewed the comments received during the meeting, for clarity. He said that he looked forward to getting the NEI feedback and any other feedback stakeholders were interested in providing.

List of Participants

April 1, 2021

Industry and Public Stakeholders:

Jim Andersen, Harry Balian, Jana Bergman, Teressa Calligan, Evan Cann, Evan Cann, Jason Castro, Alyson Coates, Alexandria Corl, Dave Costley, Joseph Cristiano, Brian Derrico, Jason DeVore, Shannon Eggers, Nathan Faith, Dave Feitl, Steve Flickinger, Pamela Frey, Allen Fulmer, Jan Geib, Scott Greenslit, T. Gregory, Bill Gross, Amy Hardin, James Keele, Jack Kostreba, Yubo Lei, Roy Linthicum, Wes Lottes, Fred Madden, Kim March, Rich Mogavero, Chris Niffenegger, Stella Opara, Heather Pickard, P. Robinson, Manu Sharma, Dedrick Shelmire, Jack Southers, Christopher Stonecipher, Joseph Sykes, Russell Thompson, Barry Westreich, David Wroblewski

NRC Staff:

Jim Beardsley, Phil Braaten, Ralph Costello, Glenn Dentel, James Drake, Sam Graves, Shana Helton, Kim Lawson-Jenkins, Eric Lee, Mark Lintz, Shiattin Makor, Tony Nakanishi, Amar Patel, Brandon Pinson, Jeff Rady, Michele Sampson, Melana Singletary, Dariusz Szwarc, Nick Taylor, Shakur Walker, Dan Warner