ML23052A214
| ML23052A214 | |
| Person / Time | |
|---|---|
| Site: | Indian Point  |
| Issue date: | 02/14/2023 |
| From: | Peterson A State of NY, Energy Research & Development Authority |
| To: | Sturzebecher K Office of Nuclear Material Safety and Safeguards |
| References | |
| Download: ML23052A214 (5) | |
Text
February 14, 2023 Karl Sturzebecher Project Manager U.S. Nuclear Regulatory Commission Office of Nuclear Material Safety and Safeguards Reactor Decommissioning Branch Mail Stop: T-5A10 Rockville, MD 20852
Subject:
License Amendment Request to Eliminate Cyber Security Plan Requirements
Dear Mr. Sturzebecher:
New York State opposes Holtec Decommissioning Internationals (Holtec) request to the NRC to amend and remove the Cyber Security Plan requirements for the Indian Point Energy Center (Indian Point) site before all spent fuel at the site has been removed from spent fuel pools and placed into dry cask storage.
Threats to the electricity infrastructure subsector include not only natural disasters but man-made threats and cyber threats as well. Man-made threats include technological, vandalism, theft, and physical attacks. Cyber threats include many of those same factors and may involve hacking, viruses, malware, denial of service attacks, ransomware, or other security breaches, including loss of data. Cyber threats continue to increase in sophistication, magnitude, and frequency.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recommended that all organizationsregardless of sizeadopt and maintain a heightened posture when it comes to cybersecurity and protecting their most critical assets1.
On May 20, 2022, Holtec submitted a License Amendment Request (LAR) to revise license conditions to eliminate the cyber security plan requirements in the Provisional Operating License No. DPR-5 for Indian Point Unit 1, Renewed Facility License No. DPR-26 for Indian Point Unit 2, and Renewed Facility Operating License No. DPR-64 for Indian Point Unit 3.
In assessing Holtecs request, New York State staff have reviewed the following records:
License Amendment Request - to Revise License Condition to Eliminate Cyber Security Plan Requirements dated May 20, 2022 o The
Enclosure:
Evaluation of Proposed Changes o Attachment 1: The Mark-Up Pages of the IP1 Provisional License, IP2 Renewed Facility License, and IP3 Renewed Facility License.
o Attachment 2: The Re-Typed Pages of the IP1 Provisional License, IP2 Renewed Facility License, and IP3 Renewed Facility License.
10 CFR §73.54 Protection of Digital Computer and Communication Systems and Networks.
NRCs Response to NYS Questions Regarding this LAR dated October 07, 2022.
NRC Approved Removal of the Cybersecurity Condition from the Licenses of Duane Arnold, Fort Calhoun, Oyster Creek, Pilgrim, Three Mile Island and San Onofre (TMI Submittal ML19305A889 - TMI Approval ML20297A627; Duane Arnold Submittal ML20136A374 - Duane Arnold Supplement ML21112A178 - Duane Arnold Approval ML21067A642; Fort Calhoun Submittal ML17167A057 - Fort Calhoun Approval ML18047A661; Oyster Creek Submittal ML18317A022 - Oyster Creek Supplement ML19066A317 - Oyster Creek Approval ML20190A161; Pilgrim Submittal ML19115A225 - Pilgrim Approval ML19276C420; San Onofre Submittal ML17142A315 -San Onofre Approval ML17300A042).
Entergy Letter dated November 21, 2019, Application for Order Consenting to Transfers of Control of Licenses and Approving Conforming License Amendments Indian Point Nuclear Generating Units 1, 2 and 3.
1 https://www.cisa.gov/shields-up
As stated above, the State of New York opposes the reduction of cyber security requirements before all spent fuel at the site is removed from the spent fuel pools and placed in dry cask storage. Without the requirements of the Cyber Security Plan, the NRC cannot guarantee that Holtec will assure that digital computer and communication systems and networks are adequately protected against cyber security attacks.
Holtec acknowledges in its Evaluation of Proposed Changes that risk is not eliminated during this decommissioning time period. In Enclosure HDI-IPEC-22-039 (pp. 3), Holtec states that this LAR is based on the significantly reduced risks for a nuclear power facility. Holtec also states (pp. 3):
The spectrum of possible accidents is significantly reduced, and the risk of an offsite radiological release is significantly lower for a decommissioning facility with a permanently defueled reactor than an operating nuclear power reactor. Correspondingly, cyber security risk is reduced due, in part, to the fact that there are significantly fewer critical digital assets (CDAs) needed to protect against and assess radiological events at a decommissioning facility than in comparison to the number at an operating reactor.
However, Holtec does not state that critical digital assets are no longer needed, nor do they state that the risk is zero.
Eliminating cyber security requirements when risk still remains would appear to run counter to the federal governments own cyber security recommendations as issued by CISA.
New York State has previously expressed cybersecurity concerns with regard to decommissioning nuclear facilities. On August 30, 2022, the Attorneys General of New York, Connecticut, Maryland, Michigan, Vermont, and Massachusetts submitted joint comments to the NRC in response to the March 2022 publication of the proposed rule entitled Regulatory Improvements for Production and Utilization Facilities Transitioning to Decommissioning2. On page 74 of that letter, the Attorneys General jointly stated:
The States oppose reducing cyber security requirements in any systems, structures, or components that remain actively in service or potentially useable in response to an emergency or abnormal condition at a decommissioning power reactor site.Properly abandoning digital assets requires the complete and permanent disconnection of all potential power sources to the digital asset, including any potential wireless power source.
2 Joint comments of the Attorneys General of New York, Connecticut, Maryland, Michigan, Massachusetts, and Vermont on August 30, 2022 (ML22257A195).
This includes securely removing all connections between still active and abandoned systems, structures, or components that contain digital assets. 2
We appreciate the continued opportunity to provide input on facility licensing actions and other initiatives through NRCs State Consultation and State Liaison Officer programs. If you have any questions, please contact me.
Sincerely, Alyse Peterson, P.E.
Senior Advisor cc: Doug Tifft, NRC