ML22321A191
| Person / Time | |
|---|---|
| Issue date: | 11/17/2022 |
| From: | Jose March-Leuba Advisory Committee on Reactor Safeguards |
| To: | Ballinger R Advisory Committee on Reactor Safeguards |
UNITED STATES NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, DC 20555 - 0001

November 17, 2022

MEMORANDUM TO: Ronald Ballinger, Lead
SHINE License Application Review Subcommittee
Advisory Committee on Reactor Safeguards

FROM: Jose March-Leuba, Member
Advisory Committee on Reactor Safeguards

SUBJECT: INPUT FOR ACRS REVIEW OF SHINE OPERATING LICENSE APPLICATION - SAFETY EVALUATION REPORT FOR CHAPTER 12, CONDUCT OF OPERATIONS, SECTION 12.4.14, CYBERSECURITY

In response to the subcommittee's request, I have reviewed the Nuclear Regulatory Commission (NRC) staff's safety evaluation report (SER) with no open items, the associated responses to staff requests for additional information (RAIs) and the applicant's final safety analysis report (FSAR), Chapter 12, Section 12.4.14, Cybersecurity. In addition, representatives from SHINE Medical Technologies, LLC (SHINE), met with the Advisory Committee on Reactor Safeguards on September 9, 2022, to discuss Cybersecurity. The following is my recommended course of action concerning further review of this chapter and the staff's associated safety evaluation.
== Background ==
The SHINE facility has provided a summary of the design, administrative, and programmatic controls in their proposed Cybersecurity Plan (CP). The CP identifies latent and active consequences of concern from the point of view of both Safety and Safeguards, and it provides the basis for identifying and protecting critical digital assets.
The CP takes advantage of a favorable instrumentation and controls architecture that segregates the critical digital assets from the world-at-large. SHINE has provided documentation of the controls that have been incorporated to prevent/limit unauthorized physical and electronic access, including physical access, wired communication access, wireless communication access, portable media, and mobile devices.
== SER Summary ==
The staff SE and associated responses to staff RAIs document a detailed review covering the most important aspects of Cybersecurity. Based on the above determinations, the NRC staff found that the descriptions and discussions in Section 12.4.14, Cybersecurity, of the SHINE FSAR supplemented by the RAI responses are sufficient and meet the applicable regulatory requirements, guidance, and acceptance criteria, for the issuance of an operating license.
The staff SER imposes a licensing condition that requires SHINE to develop and maintain an effective CP. The CP must include the nine elements specified in the SER, including:
establishing a cyber team; identifying critical digital assets and controls that define defense in depth and temporary compensatory measures, if necessary; and implementing configuration management, periodic reviews, and incident reporting procedures.
== Concerns ==
I did not identify any specific deficiencies not meeting requirements of the review criteria although my review has identified the following topic.
Following existing regulations, SHINE may limit the definition of critical digital assets to only those components that affect safety or security. However, the SHINE facility serves an important and difficult-to-replace service to society [molybdenum-99 (Mo99) for medical treatment]. An argument can be made that the impact to society, including potential deaths in the public at large, is likely several orders of magnitude larger if the facility shuts down than if it suffers a conventional accident. Thus, even though existing regulations don't require it, and it may not even be within the staff purview, the CP should be extended to not just conventional critical digital assets, but to those assets that ensure the facility remains operational.
This topic was presented to the ACRS Full Committee during our October 2022 Meeting Planning and Procedures discussion. The ACRS agreed that this topic will be further explored and to extend it not just to isotope production but to power generation in other plants.
== Recommendation ==
As lead reviewer for SHINE Chapter 12, Section 12.4.14, Cybersecurity, I recommend no further action.
== References ==
1. U.S. Nuclear Regulatory Commission, Cybersecurity, Chapter 12, Section 12.4.14, Staff Safety Evaluation Report, September 6, 2022 (ML2249A324).
2. SHINE Medical Technologies, LLC, Application for an Operating License Supplement 14, Revision to Final Safety Analysis Report, Chapter 12, Conduct of Operations, January 26, 2022 (ML22034A626).
3. SHINE Technologies, LLC, Application for Operating License Supplement 14, Revision to Final Safety Analysis Report, Chapter 7, Instrumentation and Control Systems, January 26, 2022 (ML22034A642).
4. SHINE Technologies, LLC, Final Safety Analysis Report, Chapter 7, Instrumentation and Control Systems, August 31, 2022 (ML22249A136).
5. SHINE Medical Technologies, LLC, Application for an Operating License, Revision 1 of the Response to Request for Additional Information Related to Cybersecurity, July 6, 2022 (ML22223A066).
6. SHINE Medical Technologies, LLC, Enclosure 1, Application for an Operating License, Revision 1 of the Response to Request for Additional Information Related to Cybersecurity, July 6, 2022 (ML22223A067 Non-Publicly Available).
Package No: ML22319A197
Accession No: ML22321A191
Publicly Available: Y
Sensitive: N
Viewing Rights: NRC Users or ACRS Only or See Restricted distribution

| OFFICE | ACRS/TSB | SUNSI Review | ACRS/TSB | ACRS |
|---|---|---|---|---|
| NAME | CBrown | CBrown | LBurkhart | JMarch-Leuba |
| DATE | 11/17/2022 | 11/17/2022 | 11/17/2022 | 11/17/2022 |

OFFICIAL RECORD COPY