NRC-2022-000178 - Resp 1 - Final, the NRC Has Made Some, or All, of the Requested Records Publicly Available

ML22174A033
Person / Time
Site:	FitzPatrick
Issue date:	06/16/2022
From:	NRC/OCIO
To:
Shared Package
ML22174A031	List: ML22174A032 ML22174A033
References
FOIA, NRC-2022-000178
Download: ML22174A033 (55)
v • d • e

Text

U.S. NUCLEAR REGULATORY COMMISSION REGULATORY GUIDE 5.81, REVISION 1 Issue Date: December 2019 Technical Lead: Wesley Held and Stacy Prasad TARGET SET IDENTIFICATION AND DEVELOPMENT FOR NUCLEAR POWER REACTORS (U)

A. INTRODUCTION (U)

Purpose (U)

(U) This regulatory guide (RG) describes approaches a nd methodologies that the U.S. Nuclear Regulatory Commission (NRC) considers acceptable for meeting the requirements of Title 10 of the Code of Federal Regulations ( 10 CFR) Part 73, "Physical Protection of Plants and Materials" (Ref. 1),

Section 73.55, " Requirements for Physical Protection of Licensed Activities in Nuclear Power Reactors Against Radiological Sabotage." The guidance in this RG identifies what the NRC staff considers acceptable for applicant or licensee analysis, development, documentation, and evaluation of target set elements and target sets, inc lud!ing operator actions that may be credited to prevent significant core damage (e.g., non-localized fuel melting and/or core destruction) or loss of spent fuel coolant and exposure of spent fuel.

Applicability (U)

(U) This RG provides guidance for power reactor applicants and licensees under 10 CFR Part 50, "Domestic Licensing of Production and Uti lization Facilities" (Ref. 2), and under IO CFR Part 52, "Licenses, Certifications, and Approvals for Nuclear Power Pla nts" (Ref. 3). New reactor applicants should consider this guidance in preparing an application for a combined license under 10 CFR Part 52.

Applicable Rules and Regulations (U)

• (U) 10 CFR 73.55 provides the performance basis and criteria for physical protection programs at NRC-licensed nuclear power reactor facil ities.

o (U) 10 CFR 73.55(a)(3): "The licensee is responsible for maintaining the onsitephysical protection program in accordance with Commission regulations through the implementation of security plans and written security implementing procedures."

o 10 CFR 73.55(b)(2): "To satisfy the general performance objective of paragraph (b)( l) of this section, the physical protection program must protect against the design basis threat of radiological sabotage as stated in § 73. l ."

NOTICE: The Staff Regulatory Guidance section (Section C of this regulato1y guide) and the appendices contain sensitive unclassified information identified as Official Use Only- Security-Related Information. When Section C and the appendices arc

• emoved from this regulatory guide, the remainder of this document is DECONTROLLED. This RG is also available through the NRC's Agencywidc Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-r111/ada111s.html, under ADAMS Accession Number (No.) MLI 9253C754. The regulatory analysis may be found in ADAMS under Accession No. MLl5352A2 I5. The associated draft guide DG-5047 may be found in ADAMS under Accession No.MLl3 168A036, and he staff responses to the public comments on DG-5047 may be found under ADAMS Accession No. ML19253C788.

6FFICML t,;91) m,LY SEetHttT¥*fttlLA:TEB IN'16ltf'flA:Tl6N

o (U) IO CFR 73.55(b)(4): "The licensee shall analyze and identify site-specific conditions, including target sets, that may affect the specific measures needed to implement the requ irements of this section and sha ll account for these conditions in the design of the physical protection program."

o (U) IO CFR 73.55(t)(J ): "The licensee shall document and maintain the process used to develop and identify target sets, to include the site-specific analyses and methodologies used to determine and group the target set equipment or elements."

o (U) 10 CFR 73.55(f)(2): "The licensee shall consider cyber attacks in the development and identification of target sets."

o (U) 10 CFR 73.55(f)(3): "Target set equipment or elements that are not contained within a protected or vital area must be identified and documented consistent with the requirements in§ 73.55(f)(l) and be accounted for in the licensee' s protective strategy."

o (U) 10 CFR 73.55(t)(4): "The licensee shall implement a process for the oversightof target set equipment and systems to ensure that changes to the configuration of the identified equipment and systems are considered in the licensee's protective strategy.

Where appropriate, changes must be made to documented target sets."

o (U) 10 CFR 73.55(111): "As a minimum the licensee sha ll review each clement of the physical protection program at least every 24 months."

Related Guidance (U)

• (U) NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants (LWR Edition)" (Ref. 4), Section 13.6, "Physical Security," establishes criteria that the NRC staff intends to use in evaluating whether an applicant or licensee meets NRC regulations to construct and operate nuclear power plants.

• (U) RG 5.69, "Guidance for the Application of the Radiological Sabotage Design-Basis Threat in the Design, Development, and Implementation of a Physical Security Protection Program that Meets 10 CFR 73.55 Requirements" (SG l) (Ref. 5), provides an approach that the NRC considers acceptable for applying the radiological sabotage design-basis threat (DBT) in the design, development, and implementation of a physical security system and associated programs to satisfy the general performance objectives and requirements in 10 CFR 73.55.

• (U) RG 5.7 1, "Cyber Security Programs for N uclear Facil ities," issued January 2010 (Ref. 6),

provides an approach that the NRC staff considers acceptable for complying with the Commission's regulations for the protection of digital computers, communications systems, and networks from a cyber attack.

• (U) RG 5.74, " Managing the Safety/Security Interface" (Ref. 7), provides a method of compliance for managi ng the interface between safety and security, as required by 10 CFR 73.58, "Safety/Security Interface Requirements for Nuclear Power Reactors."

RG 5.81 , Rev.I , Page 2 6FFltAi:: 09£ 6NLY 9E!tJRl'f\1 ltE!Ln-'fE!B INF'6~M'ft6N

Purpose of Regulatory Guides (U)

(U) The NRC issues RGs to describe to the pub! ic methods that the staff considers acceptable for use in implementing specific parts of the agency's regulations, to explain techniq ues that the staff uses in evaluating specific problems or postulated events, and to provide guidance to applicants. RGs are not substitutes for regu lations and compliance with them is not required. Methods and solutions that differ from those set forth in RGs will be deemed acceptable if they provide a basis for the findings required for the issuance or continuance of a permit or license by the Commission.

Paperwork Reduction Act (U)

(U) This RG provides voluntary guidance for implementing the mandatory information collections covered by IO CFR Part 73 that are subj ect to the Paperwork Reduction Act of I 995 (44 U.S.C. 3501 et seq.). These information collections were approved by the Office of Management and Budget (0MB), approval number 3150-0002. Send comments regarding this infonnation collection to the Information Services Branch (T6-A I OM), U.S. Nuclear Regulatory Commission, Washingto n, DC 20555-0001 , or by e-mai l to lnfocollccts.Rcsourcc@nrc.gov, and to the 0MB reviewer at: 0MB Office of Information and Regulatory Affairs (3150-0011 , 3150-0151 , and 3 150-0002), Attn: Desk Officer for the Nuclear Regulatory Commission, 725 17th Street, NW, Washington, DC 20503; e-mail:

oira submission@omb.eop.gov.

Public Protection Notification (U)

(U) The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the document requesting or requiring the collection displays a currently valid 0MB control number.

RG 5.81 , Rev. I , Page 3 6FFltAi:: 09£ 6NLY 9E!tJRl'f\1 ltE!Ln-'fE!B INF'6~M'fl6N

Table of Contents (U)

A. INTRODUCTION (U)--------------------------------------------1 B. DISCUSSION (0)--------------------------------------------------------------------------------------s C. STAFF REGULATORY GUIDANCE (U) ------------------------------------------------------7

1. Target Set Development Process Overview (U) ---------------------------------7

2. Establish the Target Set Analysis Team (Step 1) (U)----------------------9

3. Determine Target Objectives (Step 2) (U)------------------------ ------------------------- 10

4. Identify Target Set Elements (Step 3) (U) ---------- ----*--------------10

5. Generate Target Sets (Step 4) (U)----------------------------------------------------------15

6. Screen for Achievable Target Set Elements (Step 5) (U)--------*---------25

7. Target Set Characterization (U) ------------------------------------*----------- 26 D. IMPLEMENTATION (U) --------------------------------------------------------------------------------29 GLOSSARY (U)------------------------------------------------------------------------------------------------------- 31 REFERENCES (0)-------------------------------------------------------------------------------------------------- 33 Appendix A: Target Set In formation Worksheet (U) ------------------------------------------------------------------A-1 Appendix B: Site/Unit Target Set List (U) ----------------------------------------------------------------------------------8-1 Appendix C: Target Set Information- Example 1 (U) ----------------------------------------------------------------C-1 Appendix D: Target Set Information- Example 2 (U) ---------------------------------------------------------------0-1 Appendix E: Target Set l nformation- Example 3 (U) ----------------------------------------------------------------E-1 Appendix F: Offsite Equipment Locations (U) ----------------------------------------------------------------------------F-1 Appendix G: Target Set Time Justifications (U) ------------------------------------------------------------------------G-1 Appendix H: Target Set Time Piping, Wall Specifications, and Fuel Pool Target Additional Data Spee ifications (U) --------------------------------------------------------------------------------------------------------------------H-1 Appendix I: Target Set Ana lysis Team Makeup (U) -------------------------------------------------------------------1-1 Appendix J: Target Set Worksheet Acronym Page (U) ---------------------------------------------------------------J-1 RG 5.81 , Rev. I , Page 4 6FFltAi:: 09£ 6NLY 9E!tJRl'f\1 ltE!Ln-'fE!B INF'6~M'ft6N

B. DISCUSSION (U)

Reason for Revision (U)

(U) Revision I ofRG 5.81 incorporates lessons learned from operating experience since the original publication of the guide. Specifically, this revision clarifies issues that have been identified through interactions with stakeholders and inspection activities. This revision also endorses, in part, Nuclear Energy Institute (NEI) 13-05, "Target Set Template [Site] Security Target Sets," Revision 0, dated March 27, 2014, which was previously deemed acceptable for use in a memo dated May 6, 20 I4 (ADAMS Accession No. ML14085A064) (Ref. 8), with the exception noted in Section C, Staff Regulatory Guidance.

Background (U)

(U) The staff issued Revision 0 of this RG in 20 IO to provide initial guidance for the identification and development of target sets at operating nuclear power facilit ies.

(U) The regulatory requirements in 10 CFR 73.55 provide the performance basis and criteria for physical protection programs at NRC-licensed nuclear power reactor faci lities. These requirements are intended to outl ine the development, implementation, and maintenance of an effective physical protection program through performance-based criteria that the licensee must achieve to provide high assurance that activities involving special nuclear material are not inimica l to the common defense and security and do not constitute and unreasonable risk to the public health and safety. To provide high assurance, the physical protection program must protect against the DBT of radiological sabotage. The concept of high assurance of adequate protection found in security regulations is equivalent to reasonable assurance, as discussed in "StaffRequirements- SECY-16-0073- Options and Recommendations for the Force on Force inspection Program in Response to SRM-SECY-14-0088" (Ref. 9)

(U) To satisfy the design requirements and maintain consistency with IO CFR 73.55(b), each licensee shall design its physical protection program in a manner that accounts for site-specific conditions and applies defense in depth to ensure that the physical protection program maintains at all times the capabilities to detect, assess, interdict, and neutralize threats up to an including the DBT of radiological sabotage. To accomplish this, each licensee should apply and integrate site-specific physical security systems, components, and activities (i.e., engineered systems, procedures, and people) to serve specific functions within the physical protection program. Consistent with 10 CFR 73.55(b)(4), the licensee shall analyze and identify site-specific conditions, including target sets, that may affect the specific measures needed to implement the requirements of IO CFR 73.55 and shall account for these conditions in the design of the physical protection program. The identification of plant equipment, including nonvital or nonsafcty-related equipment, required to maintain reactor core and spent fuel pool integrity is essential in protecting equipment to prevent significant core damage and spent fuel sabotage. The further grouping and categorization of equipment into target sets is an integral component in the development of a physical protection program and protective strategy.

(U) Consistent with 10 CFR 73.55(f)(l), the licensee shall document and maintain the process used to develop and identify target sets, to include the site-specific analyses and methodologies used to determine and group the target set equipment or elements.

(U) A target set is the minimum combination of equipment or operator actions (i.e., target set elements) that, if all are preven ted from performing their intended safety function or prevented from being accomplished, would likely result in significant core damage (e.g., non-incipient, non-localized fue l RG 5.81, Rev.I, Page 5 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

melting and/or core destruction) or a loss of spent fuel pool coolant inventory and exposure of spent fuel, barring extraordinary actions by plant operations. Radiological sabotage with respect to spent fuel can be caused by a loss of spent fuel pool water inventory and subsequent exposure of spent fuel, thereby creating the potential for the release of fission products. During the development of target sets, applicants or licensees should ensure that only the minimum number of target set elements are included in a target set.

(U) The identification of complete and accurate target sets is the primary basis for the development of the site's protective strategy. The identification of target sets should consider, among other factors, every possible location to disable a target set element (i.e., all accessible locations of a piping or cable run), the target set element's accessibility, and the adversary's ability to identify the target set element. Then applicants and licensees should use the screening process described below to identify those target set elements that are with in the capabilities of the DBT adversary to compromise, destroy, or render non-functional. Each target set element, including nonvital or nonsafcty-rclatcd equipment, must be protected.

Harmonization with International Standards (U)

(U) The International Atomic Energy Agency (IAEA) has established a series of safety guides and standards constituting a high level of safety for protecting people and the environment. lAEA safety guides present international good practices that, while not required, increasingly reflect best practices to help users striving to achieve hjgh levels of safety. Pertinent to this RG, lAEA Nuclear Security Series No. 13, "Nuclear Security Recommendations on Physica l Protection of Nuclear Materia and Nuclear Facilities (INFCIRC/225/Revision 5)" (Ref. 10), contains guidance on target set identification and protentional radiological consequence. This RG, while designed to provide guidance on NRC rules and regulations, incorporates simi lar guidel ines and is consistent with the basic target set identification principles in IAEA Nuclear Security Series No. 13.

Documents Discussed in Staff Regulatory Guidance (U)

(U) This RG endorses, in part, the use of a process described in NEI 13-05, which may contain references to other codes, standards, or third-party guidance documents ("secondary references"). If a secondary reference has itself been incorporated by reference into NRC regulations as a requirement, then licensees and applicants must comply with that standard as set forth in the regulation. If the secondary reference has been endorsed in an RG as an acceptable approach for meeting an NRC requirement, then the standard constitutes a method acceptable to the NRC staff for meeting that regulatory requirement as described in the specific RG. Tf the secondary reference has neither been incorporated by reference into NRC regulations nor endorsed in a RG, then the secondary reference is neither a legally binding requirement nor a "generic" NRC-approved acceptable approach for meeting an NRC requirement.

However, licensees and applicants may consider and use the information in the secondary reference, if appropriately justified, consistent with current regulatory practice, and consistent with applicable NRC requirements.

RG 5.81, Rev.I, Page 6 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

C. STAFF REGULATORY GUIDANCE (U)

(U) The licensee is responsible for complying with all applicable NRC requirements and, in accordance with 10 CFR 73.55(b)(2), must implement a physical protection program that adequately protects against the DBT of radiological sabotage described in l O CFR 73. l , "Purpose and Scope," with consideration given to those adversary characteristics determined applicable by the Commission.

Licensees should direct questions about regulatory requirements for physical and cyber protection to the appropriate NRC Headquarters or regional staff.

(U) Each applicant o r I icensee is responsible for analyzing and identify ing site-specific conditions that affect how NRC requirements are implemented and accoun ting for these site-specific conditions in the design and implementation of the onsite physical protection program. Although determined to be acceptable to the NRC, the approaches and examples given in this RG are not intended to be all-inclusive.

1. Target Set Developme nt Process Overview (U)

(U) The target set development and oversight process accounts for all plant modes of operation and accounts for all plant configuration changes made to target set elements. Site-specific processes and procedures should be established to assess and manage the safety/security interface interactions (e.g., maintenance oftarget set element equipment, mode changes) so that neither safety nor security is compromised. Each target set element should be sufficient to prevent core damage or spent fuel sabotage if all other target set elements in that specific target set were lost with or without the disruption of offsite power. During the process of identifying and developing the target sets, fire and fire protection systems and features should be considered.

(U) When identifying and developing target sets, the licensee should include those critical systems and critical digital assets (CDAs) that if compromised could have an adverse impact on one or more target set elements. The inclusion of CDAs as pa11 of target set development should be considered as these C DAs are identified.

(U) In accordance with 10 CFR 73.55(f)(4), the licensee shall implement a process for the oversight of the target set equipment and systems to ensure that changes to the configuration of the identified equipment and systems are considered in the protective strategy. Where appropriate, changes must be made to documented target sets.

(U) ln accordance with IO CFR 73.55(m), "Security Program Reviews," as a minimum the licensee shall review each element of the physical protection program at least every 24 months. Reviews shall be conducted-(!) (U) within 12 months following initial implementation of the physical protection program or a change to personnel, procedures, equipment, or facilities that could adversely affect security; (2) (U) as necessary based on site-specific analyses, assessments, or other performance indicators; and (3) (U) by individuals independent of those personnel responsible for program management and any individual who has direct responsibility for implementing the onsitc physical protection program.

RG 5.81 , Rev.I , Page 7 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

1.1 (U) This review ensures that any program, procedure, o r equipment changes are evaluated to determine their potential impact on the target sets.

(U) The regulation in 10 CFR 73.55(b)(4) states that "[t]he licensee shall analyze and identify site-specific conditions, including target sets, that may affect the specific measures needed to implement the requirements of this section and shall account for these conditions in the design of the phys ica l protection program."

1.2 (U) This site-specific a nalysis is necessary to ensure that the design of the physical protection program accounts for correct and accurate target sets. Both the analysis and the outcome of the analysis should be documented.

(U) The regulation in IO CFR 73.55(b)(10) states that " [t]he licensee shall use the site corrective action program to track, trend, correct and prevent recurrence of failures and deficiencies in the p hysical protection program."

1.3 (U) Target sets are part of the physical protection program; therefore, fai lures or deficiencies associated with the target sets o r the target set process are subject to the requirements in 10 CFR 73.55(6)(10).

(U) The regulation in 10 CFR 73.55(f)( I) states that "[t]he licensee shall document and maintain the process used to develop and identify target sets, to include the site-specific analyses and methodologies used to determine and group the target set equipment or elements."

1.4 (U) This documentation shou ld include, but is not limited to, the follow ing:

• (U) the process of target set element identification, including the relationship of vital equipment to target set elements, the consideration ofCDAs, how nonvital equipment and operator actions are identified, and the application ofrisk-informed insights;

• (U) the process for considering the effects of cyber attacks on each target set and each element of the target set;

• (U) target set analysis (TSA) team composition (i.e., team members, their appl icable qualifications, and their roles);

• (U) a list ofTSA input documents, such as site layout drawings and probabilistic risk assessment (PRA) analyses;

• (U) methodologies and processes used to determine and group the target set equipment, including the basis for the equipment combinations used in tbeTSA;

• (U) the malevo lent act that initiates the event for each target set; and

• (U) the methodology and process for target set generation.

1.5 (U) The follow ing steps provide an acceptable methodology for the identification and documentation of target sets.

• (U) Step I: Establ ish a qualified Target Set Analysis Team.

RG 5.81, Rev.I , Page 8 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

6FFtCtiltL USE m,L'f 91£Ct11UT I -ftl9tnTl£B tP,F6ftr.MTl6N

• (U) Step 2: Determine the high-level target obj ectives.

• (U) Step 3: Identify the target set elements that need to be dismpted, damaged, or otherwise made nonfunctional by an adversary force to achieve its objectives.

• (U) Step 4: Generate target sets that identify those combinations of equipment, areas, or operator actions that if disrupted, damaged, or otherwise made nonfunctional would result in the adversary achieving its objectives.

• (U) Step 5: Identify and provide justification for the removal of target set elements from further consideration if they are beyond the adversary's capability to neutralize.

1.6 (U) The staff endorses NEI 13-05, in part, for use by nuclear power reactor licensees and applicants in developing target sets. Specifically, the NRC find s that N El 13-05 defines a process and standard template for documenting target sets that addresses each of the four elements in 10 CFR 73.55(f) and is aligned with the five-step process for target set identification described in the TSA process shown in the figure below:

(U) The content of the figure is u nclassified STEP I STEP 2 STEP3 STEP4 STEP 5 Screen for Establish Identify Generate Achie\'able Target Set Determine Target Target Target Target Analysis Elements Sets Objectives Elements Team (U) NEI 13-05 uses the concept of " adversary in terference precluded time," which refl ects the anticipated time that a " credited operator action" can be completed because of offsite law enforcement response. This concept is contingent on the effective integration of offsite law enforcement tactical response capabil ities. The NR C has not accepted a method for determining or implementing adversary interference precluded time. The staff is not endorsing the use of adversary interference p recluded time, as described in NEI 13-05, for target set identification.

2. Establishing the Target Set Analysis Team (Step 1) (U) 2.1 (U) Each team member should have technical expertise in the area(s) he or she will ana lyze. The TSA documentation should describe the team members, their applicable q ualifications, and their roles (See Appendix I, "Target Set Analysis Team Makeup" ). The TSA team should include subject matter experts in a variety of areas, which may include, but are not limited to, the fo llow ing:

• (U) reactor eng ineering (e.g., core and spent fuel pool reactivity characteristics),

• (U) plant syste ms and design (e.g., electrical, mechanical, and fire protection),

• (U) operations (e.g., senior reactor operator or equivalently qualified individuals),

• (U) PRA,

• (U) security operations (e.g., knowledge of adversary characteristics, tactics, systems, and procedures),

RG 5.81, Rev.I , Page 9 8FFtCtAi:: tf9E 8NLY 9ECtJRt'f\1 ltEL?r:'fE8 INF8~1Aft8N

• (U) training (e.g., operations and security trainings), and

• (U) cybersecurity.

2.2 (U) The information provided above on the composition of the TSA team identifies subject matter experts in multiple disciplines and is not intended to restrict or prescribe the specific composition of the TSA team to those experts identified; however, it may be beneficial to retain target set members fami liar with the identified target sets and target set process ratherthan create a team of new members each time changes are evaluated. The subject matter expertise listed is provided for consideration only; the licensee should determine the specific composition of its TSA team.

3. Determining Target Objectives (Step 2) (U) 3.1 (U) Step 2 determines the high-level target objectives. Target sets should address high-level adversary target objectives associated with radiologica I releases: significant core damage and spent fuel sabotage. While the goal of the adversary is to achieve these objectives, the goal ofa physical protection system, at a minimum, is to ensure that at least one target set element of each target set remains opera tional to prevent the adversary from achieving its objectives.

3.2 (U) Target sets should address two high-level adversary target objectives associated with radiological releases: significant core damage and spent fuel sabotage. Each is described below.

o (U) Significant core damage target sets include those with a minimum combination of equipment or operator actions which, if all are prevented from performing their intended function or prevented from being accomplished, wou ld likely result in significant core damage (e.g., non- inc ipient, non-localized fuel melting and/or core destruction), barring extraordinary actions by plant operations. Extraordinary actions are those that exceed the credible operator actions described in Section 5.5.

3.3 (U) Spent fue l sabotage target sets include those with a combination of equipment or operator actions which, if prevented from perfonning their intended function or prevented from being accomplished, would likely result in a loss of spent fuel pool water inventory and subsequent exposure of spent fue l, thereby creating the potential for the release of fission products..

3.4

4. Target Set Elements (Step 3) (U) 4.1 Identifying Target Set Elements (U)

(U) Target set element identification should be based on site-specific analysis of potential accident progression scenarios, major and support system alignment and configuration, procedures, and passive support systems such as fire and flood protection.

(U) Site-specific PRA provides a starting point for the identification of target set elements and combinations. PRA models various plant responses to events that challenge plant operation and may result in core damage.

RG 5.81 , Rev.I, Page 10 8FFtCtAi:: 09£ 8NLY 9E!CtJRl'f\1 ltE!Ln-'fE!B INF8~M'ft8N

(U) In addition to safety-related and vital equipment typically identified in PRA modeEs, target sets may contain nonvital equipment and operator actions. Operator actions should be incorporated as part of the assumptions for these e lements to be included as target set e lements.

Operator actions are those that must be performed in response to an adversary attack to prevent significant core damage. These actions should meet the acceptance criteria for credible operator actions described in Section 5.5.

4.2 Target Sets External to the Protected Area (U)

(bX7)(F) 4.3 Applicable Plant Modes (U)

(U) As stated in 10 CFR 73 .5 5(t)(4), the licensee shall ensure that changes to the configuration of the identified equipment and systems are considered in the licensee's protective strategy.

Licensees should evaluate the impact that the un ique aspects of each applicable reactor mode of operation and configuration have on target sets so that the protective strategy can account for any differences. The target set list should include the applicable site-specific plant operating mode or operating condition.

(U) The fol lowing are typical reactor modes or operating conditions:

(U) For a Boiling-Water Reactor: (U) For a Pressurized-Water Reactor:

(U) Mode I- Power Operation (U) Mode I- Power Operation (U) Mode 2- Startup (U) Mode 2- Startup (U) Mode 3-Hot Shutdown (U) Mode 3-Hot Standby (U) Mode 4- Cold Shutdown (U) Mode 4-Hot Shutdown (U) Mode 5- Refueling (U) Mode 5-Cold Shutdown (U) Mode 6-Refueling 4.4 Additional Target Set Element Information (U)

(U) Target set element identification should consider the types of equipment described in the following sections. Single-element target sets are target sets where all of the adversary actions can be completed in one location.

• Offsite Consequences (U)

(U) Equipment that functions to prevent offsite release ( e.g., containment isolation failure, bypass, or overpressurization failure), but has no role in the prevention of core damage, should not be included as target set elements within a given target set.

• Critical Digital Assets-Cybersecurity (U)

(U) Consistent with the requirements of IO CFR 73.55(t)(2), cyber attacks shall be considered in the development and identification of target sets. The licensee's RG 5.81, Rev.I , Page 11 8FFtCtAi:: 09£ 8NLY 9E!CtJRl'f\1 ltE!Ln-'fE!B IPifF8~M'ft8N

cybersecurity program should identify CDAs whose compromise could prevent the function of one or more target set elements, including CDAs that support a target set element or multiple target set elements. The inclusion ofCDAs in target set development should be considered as these CDAs are identified. This may include CDAs that are not part of an existing target set and target sets that could be completely composed of CDAs.

[DJOJ (U) RG 5.71 and NEI-08-09, Revision 6, "Cyber Security Plan for Nuclear Power Reactors," issued April 2010 (ADAMS Accession No. MLI0 l 180437), further discuss the identification of a CDA.

• Location-Based Target Set Elements (U)

• Equipment and Operator Actions-Risk-Info rmed Insights (U)

(U) PRA can provide risk insights to be considered during the development of the list of target set elements. Licensees may consider us ing existing PRA elements identi fied below.

(bX7)(F)

(U) Risk-informing target sets does not refer to the use of dominant PRA cut-sets or PRA importance rankings that can be derived from the PRA results. Dominant cut-sets and importance rankings are based on the underlying equipment reliability and availability, which represent the expected performance of the equipment for nonsecurity-related events to prevent core damage. The basic relialbility and availability of equipment are not related to the vulnerabi lity of the equipment to adversary action.

RG 5.81 , Rev.I , Page 12 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

• Probabilistic Risk Assessment Elements (U) r 0

(bX7)(F) 0 0

0 0

0 RG 5.8 1, Rev. I, Page 13 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

(bX7XF) 4.5 Determining the Functions That Prevent Significant Core Damage (U)

(U) To identify the potential target set elements, the licensee shou ld identify the initiating event that starts the sequence of events that potentially leads to the adversary achieving its objective of significant core damage or spent fu el sabotage. The licensee should also identify the equipment and operator actions that cou ld be used to prevent achievement of the objective.

4.6 Initiating Events (U)

(bX7XF)

(U) Each initiating event includes equipment-induced or human-induced events that have similar requirements to prevent core damage. Therefore, initiating events may be directly related to lost or degraded equipment, operator actions, or both. For example, regardless of whether a loss of main feedwater occurs because of a mechanical flow control problem or because of an operator error, each event results in a similar plant response and therefore could be grouped into a single initiating event. Both systemic and spatial initiating events should be considered. Once the applicable initiating events are identified, the appropriate equipment and operator actions that will prevent significant core damage can be determined.

RG 5.81 , Rev.I , Page 14 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

4.7 Functions to Prevent Significant Core Damage (U)

(bX7)(F)

(bX7)(F)

(U) For each identified target set e lement, the associated equipment and its locations should be identified. This inc ludes the primary functions, such as those identified above, and support system functions (e.g., electrical buses, emergency diesel generators) that are necessary for the primary systems to perform. The Level I PRA typically identifies these intersystem dependencies.

Insights gained from the success criteria analysis developed for the PRA can be used in the determination of the minimum set of equipment required for the success of each safety function.

When identifying targe t set elements and associated equipment, the location(s) of the target set elements and associated equipment should be included in the process. The identification of the equipment location should include the building, elevation, and room, along with other detailed information pertaining to the equipment, such as coordinates that identify the location within an area or markings or descriptions detailed enough for a responder with very limited site knowledge to find the equipment, assess its condition, and provide it protection. Diagrams can help make this task less b urdensome.

5. Generate Target Sets (Step 4) (U)

(U) To obtain the target sets, the target set elements ide ntified in Step 3 are evaluated to identify combinations that, if disrupted, damaged, o r otherwise made nonfunctioning by an adversary force, would result in the adversary achieving the identified objectives (i.e., significant core damage or spent fuel sabotage).

(U) Risk-informed insights from the PRA may be used to develop combinations of target set elements that, when ne utralized, lead to significant core damage. PRA can be used to identify the minimum number of combinations of equipment required to operate. PRA can also be used to identify the minimum levels of performance per component during a specific period of time, or conditions under which an operator action is necessary, to ensure that the intended functions are satisfied.

RG 5.81 , Rev. I, Page 15 8FFtCtAi:: 09£ 8NLY 9E!CtJRl'f\1 ltE!Ln-'fE!B INF8~M'ft8N

(U) Target sets may be generated by combining target set elements through the use of fault trees, event tree analysis, and/or combining them manually. A key element of the TSA is identification of the plant areas associated with target set equipment o r required operator actions. Consistent with 10 CFR 73 .55(t)(3), target set elements or target sets that are not contained within a protected or vital area must be identified and documented, consistent with the requirements of 10 CFR 73.55(t)(l), and must be accounted for in the licensee's protectivestrategy.

5.1 Target Set Development Assumptions (U)

(U) Target sets should be developed using the following assumptions:

• (U) Actions would be implemented in accordance with existing licensee procedural direction;

• r XIXFJ r X7XF) 1*X1XFJ CbX7XF)

RG 5.81, Rev.I , Page 16 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

5.2.1 (bX7XF) 5.2.2 (bX7XF) 5.3 Consideration of Flooding Impacts (U) 5.3.1 (U) Adversary action can result in the breach of pipes and tanks that have a direct impact on the associated system's function or other target set elements and secondary impacts as a result of internal flooding. The impact of flooding should be considered based on existing site analyses and information. The flooding concern is not only for the equipment at the location of the attack but also for the impact of flooding on equipment in adjacent and lower levels, considering the potential fo r the flood to spread beyond the location of the pipe or tank breach. The areas for consideration include the following:

RG 5.81, Rev.I , Page 17 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

• (U) flood sources in the immediate vicinity of target set elements,

• (U) flood sources outside the vicinity of target set elements with the potential for unrestricted flow to the vici nity of the target set elements ( e.g., breaching ofwatertight barriers), and

• (U) target set e lements within the flood source compartment.

5.3.2 (U) Where existing analysis indicates that the breaching of watertight barriers could impact target set elements, those barriers should be considered as alternative or additional target set elements or as a location(s) to make an element(s) nonfunctional.

5.3.3 (U) If operator actions from the control room meet the credible operator action criteria as described in Section 5.5 of th is RG and would prevent the flooding, then floodi ng from pumped sources (such as from a lake) could be screened out of further consideration for inclusion as a target set element. The licensee shall document and maintain the process used to make this determination as described in IO CFR 73.55(f).

5.4 Plant Configuration Changes due to Maintenance and Mode Changes (U) 5.4.1 (U) Consistent with IO CFR 73.55(t)(4), licensees shall consider changes in plant configuration in their protective strategy. These configuration changes may be pennanent (which may require changes to documented target sets) or temporary (wh ich may require notification to the security organization). Temporary configuration changes typically would not be required in the following examples:

• (U) quickly transiting through modes,

• (U) rapid ly changing plant conditions,and

• (U) present conditions not expected to change a s the assessment is being made.

5.4.2 (U) Licensees should monitor temporary changes and amend the status when they expect that these changes will no longer be temporary. In either case, licensees should consider the impact of configuration changes on their target sets and/or protective strategy as adjustments may be necessary. Licensees should also consider the effects of mode changes. Consistent with IO CFR 73.58, the NRC requires that licensees assess a nd manage potential confl icts between security activities and other plant activities that could adversely affectplant security or plant safety, before implementing changes to plant configurations fac ility conditions or security.

Licensees must assess and manage these interactions (e.g., maintenance of target set element equipment, mode changes) so that neither safety nor security is compromised. RG 5.74 contains information on managing safety and security interactions.

5.5 Consideration of Credible Operator Actions (U)

(U) For target set development, operator actions are categorized as preventive, since they are credited target set actions performed in response to an adversary attack to prevent significant core damage or spent fuel sabotage. These types of actions are described below. The criteria for crediting operator actions for IO CFR 73.55(t), "Target Sets," can be found in the statement of considerations of the "Power Reactor Security Requirements" Final Rule (74 FR 13926, 13960; March 27, 2009) (Ref. 11). The fo llowing six criteria should be satisfied to credit operator actions:

RG 5.81 , Rev.I , Page 18 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

• (U) Sufficient time is available to implement actions (Time),

• (U) Environmental conditions allow access (Environment),

• (U) Adversary interference is precluded (Adversary Interference),

• (U) Equipment is available and ready for use (Equipment),

• (U) Approved procedures exist (Procedures), and

• (U) Training is conducted on the existing procedures under conditions similar to the scenarios assumed (Tra ining).

(U) The intent is not to preclude operator actions outside the control room, but to give reasonable assurance that the operator is available at the appropriate location and capable of performing the necessary action without the possibility of neutral ization during travel.

5.5.1 Time (U)

(U) Operators should have sufficient time to implement required actions in time to prevent core damage or spent fuel sabotage. In addition, operator actions should account for system recovery time and should be completed prior to onset of core damage or spent fuel sabotage.

(U) The following examples show acceptable achievements of this criterion, but are not an exhaustive list:

• f(bX7)(F)

(U) The follow ing examples show unacceptable applications of this criterion, but are not an exhaustive list:

• CbX7)(F) 5.5.2 Environment (U)

(U) The environmental conditions expected during the event should allow personnel access, as RG 5.81, Rev.I , Page 19 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

necessary, to allow operator actions to be completed successfully. A licensee may credit only those operator actions that do not require operators to enter areas that would subject them to extreme environmental conditions. Such conditions include extreme environments (e.g., high radiation, high heat, breathing hazard) or conditions created by the adversaries ( e.g., steam leaks, flooding, fire, electrical hazards).

(U) The follow ing example shows acceptable achievement of this criterion, but is not an exhaustive list:

(U) The following examples show unacceptable applications of this criterion, but are not an exhaustive list:

(bX7)(F) 5.5.3 Adversary lnterference (CJ)

(bX7XF)

RG 5.81 , Rev.I, Page 20 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

(bX7)(F)

(U) The follow ing examples show acceptable applications of the adversary interference criterion, but are not an exhaustive list:

• '.l>X7)(F)

(U) The following examples show unacceptable applications of this criterion, but are not an exhaustive list:

• (bX7)(F) 5.5.4 Equipment (U)

(U) All equipment required for operator actions should be available, ded icated, staged, maintained in accordance with standard practices and/or vendor requirements, and should be continuously ready for use with periodic verification that the equipment remains in a ready state.

Equipment should also be located in the vicinity of the operator action or on the operator's route and accounted for in the determination of the operator timeline. Credit should not be given for equipment outside of the protected area. ln addition, equipment to overcome darkness should be considered.

(U) The following examples show acceptable achievement of this criterion, but are not an exhaustive list:

• 1>X7)(F)

RG 5.81, Rev.I, Page 21 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

(U) The following examples show unacceptable applications of this criterion but are not an exhaustive list:

• Kt,X7)(F) 5.5.5 Procedures (U)

(U) Approved procedures should exist, and operators should use approved procedures that are specific to the task being performed. Credit should not be given for hypothesizing that the operations staff can adequately diagnose the precise equipment disabled and/or locations of the adversary inside the facility. Procedures should be developed for the specific task with clear, step-by-step instructions in the detail necessary for a trained person to perform the function or task in the context of an adversary attack. The operator should possess the capability to communicate with the control room or have some ability to understand when to take required actions .

Instructions should include specific entry conditions or equivalent guidance (e.g., normal operating, alarm response, abnormal or off-normal, emergency operating, or possibly referenced surveillance procedures). Severe accident management guidelines (SAMGs), extensive damage mitigating guidelines (EDMGs), and Diverse and Flexible Mitigation Capability (FLEX) support guidelines (FSGs) are not considered actions to prevent significant core damage and, therefore, should not be credited. SAMGs, EDMGs, and FSGs provide guidance for possible actions that may help the site mitigate significant events with core damage. The eng ineering supporting SAMGs, EDMGs, and FSGs that prevent core damage may not be available (i.e., do not meet one or more of the criteria for credible operator actions). Nonetheless, SAMGs, EDMGs, and FSGs can be included in Section 11 , "Additional Considerations," of the Target Set Information Worksheet (see Appendix A). The standalone individual procedures with entering conditions outside of SAMGs, EDMGs, or FSGs may be credited as the approved procedures criterion for credible operator action.

(U) The follow ing examples show acceptable achievements of this criterion, but are not an exhaustive list:

• CbX7)(F)

RG 5.81 , Rev.I, Page 22 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

• r...._

x_1XF

_ ) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ___,

(U) The following ex.amples show unacceptable applications of this criterion, but are not an exhaustive list:

• CbX7)(F) 5.5.6 Training (U)

(U) Through training, o perators should become practiced and able to complete required actions.

This training should provide the operators the ability to complete required actions during an adversary attack. The training should include preplanned routes of travel, security/operations interface, communication, and methods to determine that the operator action is warranted. All operators expected to perform this function should be trained and receive refresher traLning as appropriate. Operator refresher training for target sets should be frequent enough to maintain proficiency in the operator actions for the approved procedures consistent with the licensee's operator training programs. Basing the refresher training on the systematic approach to tra ining process would not necessarily be excluded under these conditions.

(U) The fo llowing examples show acceptable achievements of thiscritcrion, but are not an exhaustive list:

• CbX7)(F)

(U) The following examples show unacceptable applications of this criterion, but are not an exhaustive list:

-0)(7)(F)

RG 5.81 , Rev.I , Page 23 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

5.6 Credit for Fire Protection Features (U)

CbX7)(F)

CbX7)(F) 5.7 Targets Not Contained within a Protected or Vital Area (U)

(U) Consistent with 10 CFR 73.55(t)(3), target set equipment or elements that are not contained within a protected or vital area must be identified and documented consistent with the requirements in 10 C FR 73.55(t)(l) and accounted for in the licensee's protective strategy. Those target set elements that cannot be protected, such as electrical transmission lines that support offsite power, should be considered to be disabled, lost, or made nonfunctioning at any time.

However, unprotected equipment may be assumed to operate w hen this would intensify the effects of an attack. For example, if the loss of offsite power is timed to occur after direct current systems are destroyed, field flash and control of emergency diesel generators may not function.

(U) To take credit for operator actions for targets that are not within a protected or vital area, the six criteria listed in Section 5.5 of this RG, independent of their location, should be satisfied.

5.8 Random Failures of Equipment (U)

(U) Random failures should not be assumed to occur simultaneously with an act of radiological sabotage because random failures typically occur at such a low frequency that their simultaneous occurrence with a sabotage event is unlikely.

RG 5.81 , Rev. I, Page 24 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

5.9 Alternative Approaches (U)

(U) A primary objective of the physical protection program and protective strategy is to demonstrate the ability to protect target sets. Whi le the assumed goal of the adversaiy is to disable a complete target set, the goal of the physical protection program and protective strategy is to ensure that at least one element of each target set remains in order to prevent the adversary from achieving its objective. This goal can be achieved by protecting each target set or by protecting a set of equipment derived from the target sets that includes one e lement from each target set.

5.10 Safe-Shutdown Equipment (U)

(U) The approach of identifying a path to safe shutdown and the associated location of all supporting equipment or operator actions may not result in a comprehensive list of target set elements. These paths may not represent the minimum set of locations that require protection due to variables such as redundant safety features and the varying locations from which these safety featu res can be controlled (e.g., differing capabi lities of control room panels and auxiliary shutdown panels). Licensees should consider these variables in the identification of target set elements.

6. Screen for Achievable Target Set Elements (Step 5) (U)

(U) Achievable target set elements are those that are within the capabilities of a DBT adversary to compromise, destroy, o r render nonfunctional, independent of response strategy. Achievable target set elements are determined by the capabi lities of the DBT adversary. The definition and development of target sets do not consider the success of the security organization.

(U) The abi lity to neutralize target set elements can be eva luated during the identification of initiating events. The advantage of performing an evaluation at each stage of the process is that such evaluations may help el iminate functions (and therefore equipment) from the list of target set elements and reduce the level of effort needed to identify equipment and cable locations.

CbX7XF)

(bX7XF)

RG 5.81 , Rev.I, Page 25 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

7. Target Set Characterization (U)

(U) Understanding the adversary perspective regarding target sets can be beneficial to the effective implementation of the site protective strategy and the prevention of significant core damage and spent fuel sabo tage. After the development of target sets, licensees should consider eva luating their target sets using the information in this section to better understand how an adversary may view and select a target set as the objective of an attack.

(b)(7)(F)

(U) Characterizing target sets requires the consideration and evaluation of a w ide variety of information, much of w hich is site specific.

(U) The list provided below is not exhaustive but provides examples of information that should be considered when characterizing target sets for desirability:

• (U) consideration of the malevolent act that initiates the event(s) (e.g., adversary resources, task time to neutralize target set elements);

• (U) the anticipated outcome and the basis for that outcome in terms of why significant core damage or spent fuel sabotage w ill occur resulting from compromise of the target set;

• (U) the estimated time to significant core damage or spent fuel sabotage for the target set, assuming that all elements of the target set have been made nonfunctional (a key input in determining desirability); and

• (U) a determination of predicted radiological release and whether it will exceed the limits of IO CFR Part I 00, " Reactor S ite Criteria" (Ref. 12), for each target set (including offsite consequences).

RG 5.81 , Rev. I, Page 26 OFFtCtAi:: 09£ ONLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNFO~M'ftON

(bX7)(F)

(U) If the licensee wants to include the characterization of desirable target sets in the Target Set Information Worksheet (see Appendix A), this information can be captured in Sections 8, 11, or

14. The licensee should not exclude a location based on its being less desirable. Instead, the information on desirability should be used to inform the physical protection strategy.

(U) In determining the desirability of target sets to adversaries, licensees must consider the susceptibi lity of target set equipment containing CDAs to cyber attack. RG 5.7 1, "Cyber Security Programs for Nuclear Facilities," contains information on CDAs.

(bX7XF)

(bX7XF)

(bX7XF)

(bX7XF)

RG 5.81, Rev.I , Page 27 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

Of'f't t!l iltt UStl ONLY StWUftt'f 15-fttltilt'ftlB INfilORMiltFflOPii CbX7)(F)

RG 5.81, Rev.l, Page 28 Ofilf.1Mi:: USE ONLY SEUftt'f¥ RELA'fl38 INfilOR'l'ttJlr'flOPt

Ofilfiltet)LlcL UStl OUL f st:eUIUf 15-ftl!'.LNt'tlB tNfilOftf'tl)LlcEffOP, D. IMPLEMENTATION (U)

(U) The RC staff may use this regulatory guide as a reference in its regulatory processes, such as licensing, inspection, or enforcement. However, the RC staff does not intend to use the guidance in this regulatory guide to support NRC staff actions in a manner that would constitute backfitting as that term is defined in 10 CFR 50.109, "Backfitting," and as described in NRC Management Directive 8.4, "Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests" (Rev. 13), nor does the NRC staff intend to use the guidance to affect the issue finality of an approval under l 0 CFR Part 52, "Licenses, Certifications, and Approvals for uclear Power Plants." The staff also does not intend to use the guidance to support NRC staff actions in a manner that constitutes fo1ward fitting as that term is defined and described in Management Directive 8.4. If a licensee believes that the RC is using this regulatory guide in a manner inconsistent with the discussion in this Implementation section, then the licensee may file a backfitting or forward fitting appeal with the NRC in accordance with the process in Management Directive 8.4.

RG 5.81 , Rev.I , Page 29 Ofilf.1Mi:: USE ONLY SEUftt'f¥ RELA'fl38 INfilOR'l'ttJlr'flOPt

GLOSSARY (U) achievable target Target set element that is within the capabilities included in the design-basis threat set element (DBT).

(U) critical digital asset A subcomponent of a critical system that consists of or contains a digital device, (CDA) computer, or communication system or network.

(U) critical system (CS) An analog or digital technology-based system inside or outside of the plant that performs or is associated with a safety-related, important to safety, security, or emergency preparedness fu nction. These CSs include, but are not limited to, plant systems, equipment, communication systems, networks, offsite communications, or suppo1t systems or equipment, that perform or are associated with a safety related, important to safety, security, or emergency preparedness functio n.

(U) cyber attack The manifestation of either physical or logical (i.e., electronic or digital) threats against computers, communication systems, or networks that may (I) originate from either inside or outside the licensee's faci lity, (2) have internal and external components, (3) involve physical or logical threats, (4) be directed or non-directed in nature, (5) be conducted by threat agents having either malicious or non-malicious intent, and (6) have the potential to result in direct or indirect adverse effects or consequences to critical digital assets or critical systems. This includes attempts to gain unauthorized access to a critical digital asset's and/or critical system's services, resources, or information and attempts to cause an adverse impact to a safety, important-to-safety, security, or emergency-preparedness function. Further background on cyber attacks which are up and including the SBT, can be found in Sections l.l(c), 1.2, and 1.5 of RG 5.69, "Guidance for the Application of Radiological Sabotage Design-Basis Threat in the Design, Development and Implementation of a Physical Security Program that Meets 10 CFR 73.55 Requirements." Cyber attacks may occur individually or in any combination.

(U) desirable target sets Target sets that would be identified by an adversary as requiring the least resources to neutralize.

(U) identifiable There is adequate information or a means to provide this in formation on the (pertaining to cables) location and function of the cable target set element (e.g., labels, observation tlu*ough walkdown, existing analysis, site documentation), and an adversary can visually recognize the cable target set.

(U) Levell An analysis that estimates the frequency of accidents that cause damage to the probabilistic risk nuclear reactor core. This is commonly called "core damage frequency."

assessment (U) operator action An action taken in response to an adversary attack to prevent significant core damage. Operator actions should meet the credible operator actions acceptance criteria to be considered target set elements.

(U) radiological Any deliberate act directed against a p lant or transport in which an sabotage activity licensed pursuant to IO CFR Part 73 of NRC's regulations is conducted, or RG 5.81 , Rev. I Page 33 8FFtCtAi:: 09£ 8NLY 9E!CtJRl'f\1 ltE!Ln-'fE!B INF8~M'ft8N

against a component of such a plant o r transport which could d irectly or indirectly endanger the public health and safety by exposure to radiation. (10 CFR 73.2 and http://www.nrc.gov/reading-rm/basic-ref/glossary/radiological-sabotage.html)

(U) safety-related Those structures, systems, and components that are relied on to remain functional structu res, systems, during and follow ing design-basis events to assure:

and components (U) the integrity of the reactor coolant pressure boundary; or (U) the capability to shut down the reactor and maintain it in a safe shutdown condition; or (U) the capability to prevent or mitigate the consequences of accidents, which could result in potential offsite exposures comparable to the applicable guidel ine exposures given in 10 CFR 50.34(a)(l) or 10 CFR 100.1 1, as applicable.

(U) spent fuel sabotage A loss of spent fuel pool water inventory and exposure of spent fuel, barring extraordinary actions by plant operations.

(U) target set The minimum combination of equipment or operator actions, which, if all are prevented from performing their intended safety function or prevented from being accomplished, would likely result in significant core damage (e.g., non-incipient, non-localized fuel melting and/or core destruction) or a loss of spent fuel pool coolant inventory and exposure of spent fuel , barring extraordinary actions by plant operations.

(U) target set element Equipment or operator actions that perform a function, as pat1 of a target set, to prevent significant core damage or spent fuel damage and arc included in the licensee's protective strategy.

(U) vital equipment Any equipment, system, device, or material, the fai lure, destruction, or release of which could directly or indirectly endanger the public health and safety by exposur to radiation . Equipment or systems required to function to protect publ ic health and safety fo llowing such fai lure, destruction, or release are also considered to be vital.

RG 5.81 , Rev. l Page 34 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln-'fE!B tNF8~M'ft8N

REFERENCES 1 I. (U) U.S. Code of Federal Regulations (CFR), " Physical Protection of Plants and Materials,"

Part 73, Chapter l, Title 10, "Energy."

2. (U) CFR, " Domestic Licensing of Production and Util ization Facilities," Part 50, Chapter I, Title I 0, "Energy."

3. (U) CFR, "Licenses, Certifications, and Approvals for Nuclear Power Plants," Part 52, Chapter 1, Title 10, "Energy."

4. (U) U.S. Nuclear Regulatory Commission (NRC), NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants (LWR Edition)," Section 13.6, "Physical Security," Washington, DC.

5. (U) NRC, Regulatory G uide (RG) 5.69, "Guidance for the Application of the Radiological Sabotage Design Basis Threat in the Design, Development, and Implementation ofa Physical Security Program That Meets 10 CFR 73.55 Requirements (SGI)," Washington, DC. (Not publicly available)

6. (U) NRC, RG 5.7 1, "Cyber Security Programs for Nuclear Facilities," Washington,DC.

7. (U) NRC, RG 5.74, "Managing the Safety/Security Interface," Washington, DC.

8. Nuclear Energy Institute (NE!) 13-05, "Target Set Template [Site] Security Target Sets,"

Revision 0, Washington, DC, March 27, 2014. (Notpubliclyavailable)

9. (U) NRC, SECY-16-0073, "StaffRequirements- SECY-16-0073- Options and Recommendations for the Force on Force Inspection Program in Response to SRM-SECY-14-0088," Washington, DC, October 5, 2016 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML16279A345)

10. (U) IAEA Nuclear Security Series No. 13, "Nuclear Security Recommendations on Physical Protection of Nuclear Materia and Nuclear Facilities (INFCIRC/225/Revision 5)," Vienna, Austria.2 PL1blicly available NRC published documents are available electronically through the NRC Library on the NRC's public Web site at http://www.nrc.gov/reading-rm/doc-collections/ and through the NRC's Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html The documents can also be viewed online or printed for a fee in the NRC's Public Document Room (PDR) at 11555 Rockville Pike, Rockville, MD. For problems with ADAMS, contact the PDR staff at 301-415-4737 or (800) 397-4209; fax (301) 415-3548; ore-mail pdr.resource@nrc.gov. Documents that are withheld from the public can be requested by those individuals who have established a "need-to-know" and possess access permission to ofticial use only- security-related information (OUO-SRI) or safeguards information (SGI) (or security clearance for classificddocuments).

Copies of International Atomic Energy Agency (IAEA) documents may be obtained through their Web site:

WWW.IAEA.Org/ or by writing the International Atomic Energy Agency, P.O. Box I00 Wagramer Strasse 5, A-1400 Vienna, Austria.

RG 5.8 1, Rev. 1 Page 35 8FFtCtAi:: 09£ 8NLY 9E!CtJRt'f\1 ltE!Ln'fE!B tNF8~M'ft8N

Ofilfilte t)LlcL UStl ONL f st:eUftl'f 15-ft l!:L)Llc'ft)ft INfilOftf'tl)LlcEffOP,

11. (U) RC, "Power Reactor Security Requirements," Federal Register, o. 58: p. 13960, Washington, DC, March 27, 2009.

12. (U) CFR, "Reactor Site Criteria," Part 100, Chapter I, Title 10, "Energy."

13. (U) NRC, Management Directive 8.4, "Management of Facility-Specific Backfitting and Infonnation Collection," Washington, DC.

RG 5.81 , Rev. 1 Page 2 Ofilf.1Mi:: USE ONLY SEUftt'f¥ RELA'fl38 INfilOR'l'ttJlr'flOPt

APPENDIX A TARGET SET INFORMATION WORKSHEET (U)

(U) This appendix provides a worksheet that may be used to document identified target sets.

When completed, this worksheet is an acceptable method to submit target sets for inspection with any needed supplemental background information. The information in this worksheet, when completed, is considered safeguards information and should be protected as such.

E0 1IQ S8 9 The content of this worksheet, when not completed, is official use only-security-related informatio n. When site-specific information is applied, this document becomes safeguards information.

TARGET SET INFORMATION WORKSHEET Attribute I Description (bX7)(F)

RG 5.8 1, Rev. I Appendix A, Page A- 1 6flflte twL (;919 6 PU ;Y 9EetHttT¥*ft'EL'11:TEB INfl6ltf'fUTl6N

TARGET SET INFORMATION WORKSHEE T Attribute I Description (bX7)(F)

RG 5.8 1, Rev. I Appendix A, Page A-2 6flflte twL (;919 6 PU;Y 9EetHttT¥*ft'EL'11:TEB 1Nfl6ltf'f1'11:Tl6N

TARGET SET INFORMATION WORKSHEE T Attribute I Description (bX7XF)

RG 5.8 1, Rev. I Appendix A, Page A-3 6flflte twL (;919 6 PU;Y 9EetHttT¥*ft'EL'11:TEB 1Nfl6ltf'f1'11:Tl6N

APPENDIXB SITE/UNIT TARGET SET LIST(U)

(U) This appendix is a template providing an overview of identified target sets and associated information. The information in this template, when completed, is considered safeguards information and should be protected as such.

Target Set# I Target Set Objective I Reactor Modes of Revision, E ffective Applicability I Date (b)(7)(F)

RG 5.8 I, Rev.I Appendix B, Page B-1 6FFlb\1:: f:f9E 6NLY 9EtHU'f¥*HLn'fE8 INF6m.U'fl6N

APPENDIXC TARGET SET INfORftlA't'IOP, EXA1'1:PLE 1 (U)

(U) This appendix is a template that can be used to document identified target sets (TSs). The information in this template, when completed, is considered safeguards information and should be protected as such.

(Ot!~-t! tU' The information in th is appendix is officia l use only-security-related informatio n

~QUQ S~ ~- Since the appendix is an example, each line will not be portion marked OUO-SRI. When site-specific information is supplied, this document becomes safeguards information.

(bX7)(F)

RG 5.8 1, Rev. I, Appendix C, Page C-2 6FFlt:b\1:: t;9E 6NLY 9Et:t;lltT\'*ft'EL,:Jc:TEB INF6R1,IJ.lrTl6P~

(bX7)(F)

RG 5.8 1, Rev. I, Appendix C, Page C-3 6FFlt:b\1:: t;9E 6NLY 9Et:t;lllT\'*ft'EL,:Jc:TEB INF6R\,UTl6P~

(b)(7)(F)

RG 5.8 1, Rev. I , Appendix C, Page C-4

(bX7)(F)

RG 5.8 1, Rev. I, Appendix C, Page C-5 6FFlt:b\1:: t;9E 6NLY 9Et:t;lllT\'*ft'EL,:Jc:TEB INF6R1,IJ.lrTl6P~

CbX7XF)

RG 5.8 1, Rev. I , Appendix C, Page C-6

APPENDIXD TARGET SET INFORMATION-EXAMPLE 2 (U)

(U) This appendix is an alternative template that can be used to document identified target sets (TSs). The information in this template, when completed, is considered safeguards information and should be protected as such.

(6t::l6 SIU~ The information in this appendix is official use only- security-related information (Oh'O 9'R:,1). Since it is an example, each line will not be portion marked OUO-SRI. When site-specific information is supplied, this document becomes safeguards information.

(bX7)(F)

RG 5.81, Rev. 1, Appendix D, Page-I 8Fli11Ch4tb l,OE 8NL"t 01£el,ft:I T"i'*ft:1£b;l(fl£6 m ..8 ft:!'fl A'.Tl 6P~

(bX7)(F)

RG 5.81, Rev. 1, Appendix D, Page-2 8FFICh4tb l,OE 8NL"t 01£el,ft:I T"i'*ft:1£b;l(fl£6 m~6ft:!'fl }l(Tl 6P~

(b)(7)(F)

RG 5.81, Rev. 1, Appendix D, Page-3 8Fli11Ch4tb l,OE 8NL"t 01£etlft:I T"i'*ft:1£b;l(fl£6 m ..8 ft:!'fl}l(Tl6P~

APPENDIXE TARGET SET INFORMATION-EXAMPLE 3 (U)

(U) This appendix is a template that can be used to document identified target sets (TSs). The information in this template, when completed, is considered safeguards information and should be protected as such.

(Q~Q ~RI~ The information in this appendix is official use only- safety-related information (t9Ut9-9~I). Since this appendix is an example, each line w ill not be portion marked OUO-SRI. When site-specific information is supplied, this document becomes safeguards information.

(bX7)(F)

RG 5.81, Rev. I, Appendix E, Page E-1 6fftetA1J U9E 6ULY 9EetJIU'f\'*~L1lc'fEB 1Uf6Ml/l'fl6f,

(bX7XF)

RG 5.81, Rev. I, Appendix E, Page E-2 6fftetA1J U9E 6ULY 9EetJIU'f\'*~L1lc'fEB lriif6MU'fl6f,

(b)(7)(F)

RG 5.81, Rev. I, Appendix E, Page E-3 6fftetA1J U9E 6ULY 9EetJIU'f\'*~L1lc'fEB lriif6MU'fl6f,

APPENDIXF OFFSITE EQUIPMENT LOCATIONS (U)

(With Example/Sample Data) (U)

(U) This appendix is a template that can be used to document offsite equipment locations.

(("J'tteJ--'lU) The information in this appendix is official use only- security-related information (OtJQ i>JU1. Since the appendix is an example, each line will not be portion marked OUO-SRI.

(bX7)(F)

RG 5.81, Rev. 1, Appendix F, Page F-1 61'11'1te t1\1:J U9E 6NLY SlsWRITY llELATlsB ml'16Mftn1'16,,

APPENDIXG TARGET SET TIME JUSTIFICATIONS (U)

(With Example/Sample Data) (U)

(U) This appendix is a template that can be used to document target set time justifications.

(OUO BfM, The infonnation in this appendix is official use only-security-related information EOUO Bfil). Since the appendix is an example, each line will not be portion marked OUO-SRJ. The timing analysis of these events was perfonn ed using the Modular Accident Analysis Program (MAAP) developed by the Electric Power Research Institute for use in probabilistic risk assessment (PRA). This program is used as the basis for the [Site] PRA.

(b 7)(1')

RG 5.81, Rev. 1, Appendix G, Page G-1 6flfiilt:l,:!d, tJ91i3 6NLY 91i3t:UMEfT juft-EL,l(f'li3D fNfii61tftf5lr"fl6N

8PPIChlrL USE 8NLY 9ECU:lll'fY R-E!LJ!c'fEB mP8RflllJ!c'fl8P~

APPENDIXH TARGET SET TIME PIPING, WALL SPECIFICATIONS, AND FUEL POOL TARGET SET ADDITIONAL DATA (U)

(With Example/Sample Data) (U)

Inside Diameter 19 in.

Material ASTM B&PV Section I ASA B3 l.l Stainless Steel Pipe Wall Thickness ~2 in.

Pipe Insulation Fiberglass and lagging - 5 in.

Inside Diameter 16.47 in.

Material Seamless stainless steel SA 376 TP 316 (NG) outside Drywell Pipe Wall Thickness 1. 753 in.

Pipe Insulation Thermal and lagging - 5 in.

Piping on 345 ft elevation I0 in. NPS Inside Diameter 5.625 in.

Material Seamless stainless steel ASTM A3 12 or A376 TP 316 Pipe Wall Thickness 1.5 in.

Pipe Insulation None All Pump Discharges 16 in. NPS Inside Diameter 10.02 in.

Material Seamless A- I 06 Carbon Steel.

Pipe Wall Thickness 0.965 in.

Pipe Insulation None All Pump Suctions 12 in. NPS Inside Diameter 9.00 in.

Material Seamless A-106 Carbon Steel Pipe Wall Thickness 1.625 in.

Pipe Insulation None RG 5.81, Rev. 1, Appendix H, Page H-2 8Fli11Ch4tb l,OE 8NL"t 91£Cl,ft:IT"i'*ft:1£bJl(fl£8 IN"8ft:!'flA'.Tl8N

6fJfilleh!tL USE 6NL't5 SEeUttt'fY MLJlr'fEO INfl6ftMJlr'fl6Pif Applicable Target Sets: 1 F ueIP00IW aIIS,peeifi1ca ti ons LINER Thickness/Material: 1/8 in./stainless steel SIDE Wall Concrete Thickness Reinforcing Ratio/Scheme North 52 in. 0.075 South 92 in. 0.075 East 92 in. 0.0748 West (>95 ft elevation) 84 in. 0.080 West (<95 ft elevation) 52 in. 0.0375 RG 5.81 , Rev. 1, Appendix H, Page H-3 Qf;lf;ll CtMJ USE ONLY SEeU M FfY lttlt::A'fEO 1Nfil61Mtb-'l:Ff l6P*

APPENDIX I TARGET SET ANALYSIS TEAM MAKEUP (U)

(QPQ SR9 The information in this appendix is official use only- security-related information

~OUO SR-I}. Since the appendix is an example, each line will not be portion marked OUO-SRI.

The team established for the development of the [Site] target sets consisted of dedicated personnel with expertise in the following disciplines:

CbX7XF)

RG 5.81 , Rev. 1, Appendix I, Page 1-1 6flfltetwL l'.'.1315 6f*LY 3Eel'.'JlltT\'*fttlLWTEt, mfl6ft:f'fl)!lrT16N

APPENDIXJ TARGET SET WORKSHEET ACRONYM PAGE (U)

(U) The information in this appendix provides an example of a target set worksheet acronym page. It is unclassified and will not be p01tion marked.

ABN abnormal AC alternating current ATWS anticipated transient without scram CDA critical d ig ital asset CRD control rod drive DC direct current EAL emergency action level ECCS emergency core cooling system EOG emergency diesel generator EMRY electrometric relief valve EOP emergency operating procedure EPRl Electric Power Research Institute gpm gallons per minute HELB high-energy line break HPCI high-pressure coolant injection hr hour ill. inch kV kilovolt LLOCA large loss-of-coolant accident LOCA loss-of-coolant accident LOOP loss of offsite power LSP local shutdown panel MAAP Modular Accident Analysis Program MCC motor control center MCR main control room NEJ Nuclear Energy Institute OPCON operating condition PRA probabilistic risk assessment psig pounds per square inch gauge RCIC reactor core isolation cool ing RHRSW residual heat removal service water RPV reactor pressure vessel RSDP remote shutdown panel RSP remote shutdown panel RG 5.81, Rev. l, Appendix J, Page J-2 8FFICl7-\:L t;9E 8NL'i 9ECl'.HltT\'*fttlL7-\:TEt, mF6ft:f'flJ!lrT16N

Ofilfiltt!liltt UStl ONLY StWUftt'f 15-fttltilt'ftlB INfilORMiltFflOPii SAMG Severe Accident Management Guidelines SBO station blackout SCBA self-contained breathing apparatus SRV safety-relief valve SSPP site security program plan TAF top of active fu l TSA target set analysis VDC voltage direct current RG 5.81, Rev. 1, Appendix J, Page J-3 8FFICblm U913 8NLY SIWURt'fY MLA'ftlB INfilOMt;Jr'flOH