ML25045A168

Tsuruga 2025 Cyber Inspection Plan - Training Use Only
ML25045A168
Person / Time
Issue date: 02/14/2025
From: Michael Brown
NRC/NSIR/DPCP/CSB
To:
References
IR 2025403
Download: ML25045A168 (12)


Text

Tsuruga Cybersecurity Inspection Plan
Inspection Dates: 2025/03/03 - 2025/03/07

REGION I
TSURUGA CYBERSECURITY INSPECTION PLAN

TYPE OF INSPECTION: Cybersecurity Team Inspection
INSPECTION MODULE: IP 71130.10, Cybersecurity, effective 1/1/22
FACILITY: Tsuruga Nuclear Power Station
REPORT NUMBER: 09000231/2025403
INSPECTION DATES: 3 March to 8 March 2025
ENTRANCE MEETING: Date: 3 March; Time: 11:00am; Location: Onsite & Teams
EXIT MEETING: Date: Friday, 7 March 2025; Time: 9:30am; Location: Onsite & Teams
INSPECTION ANNOUNCED: YES
CORNERSTONES: Security

Prepared by: Michael Brown    Date: 2025 January
Michael Brown, Senior Reactor Inspector (Lead)
Engineering Branch 2, DORS

Approved by:    Date:
Barb Akew, Chief Engineering Branch 2, DORS

Concurred by:    Date:
Jane Doe, Chief Reactor Projects Branch 2, DORS

NRC Team

Name | Position | E-mail Address/Phone
Michael Brown | Team Lead | Michael.Brown@nrc.gov; (cell) 302-438-1507
John Doe | Senior Reactor Inspector | John.Doe@nrc.gov
Hazel Nutt | Cybersecurity Contractor | Hazel.Nutt@nrc.gov
Chris P. Bacon | Cybersecurity Contractor | Chris.p.bacon@nrc.gov

Name | Position | E-mail Address
Clark Kent | Senior Resident Inspector | Clark.Kent@nrc.gov
Ann Chovey | Resident Inspector | Ann.Chovey@nrc.gov

LICENSEE TEAM

Name | Position | Phone Number | E-mail Address
Sin Bad | Licensing | 861-555-5718 | Sin.bad@tsuruganuclear.com
Marsha Mellow | Licensing | 861-555-5716 | Marsha.Mellow@tsuruganuclear.com
Bea Mine | Technical lead | 861-555-2076 | Bea.mine@tsuruganuclear.com
Barry Cuda | Technical lead (backup) | 861-555-1791 | Barry.Cuda@tsuruganuclear.com

Plant Address
1 Myojincho, Tsuruga, Fukui 914-0842

For directions in Google/Apple Maps, just search Tsuruga Nuclear Power Station or click this link: https://goo.gl/maps/XaF4o6PdJeFQ67

Plant Area Overview

Access, Badging, and Team Location

If you are not badged at Tsuruga, you will need to stop at the Training Building first. The Training Building is on your right as you are driving down the access road towards the site.

When you arrive, proceed to the second floor of the Training Building to obtain your badge. If you have any questions or run into issues, call/text me or reach out to Sin Bad (contact numbers above).

Parking: There will be parking spaces reserved for the Cybersecurity team for the week. These spots are in the smaller parking lot on your left-hand side once you turn off the access road. See the green highlighted area in the pictures below.

WiFi/Monitors: Wi-Fi access will be provided by the licensee via email. If you don't already have it, download the VIP Access app to set up your one-time password (see NRC intranet for how-to) so you can access the VPN from the Tsuruga network. There will be several external monitors in the team room available for use, with priority given to the inspectors.

Team Room Location: The team will be located on the 3rd floor of the admin building. After you process through the main security access facility, you will proceed down the hall and outside. The admin building will be on your right as you head South (refer to pictures above).

The entrance will be on your right-hand side. When you get off of the elevators, make two lefts and the team conference room will be on your right.

Meetings/Debriefs

During the prep week, we will have a meeting on Monday 2025/02/24 and Wednesday 2025/02/29 to go over the inspection plan and any items that need attention before the onsite week.

The inspection team will meet daily during the inspection week from 12:30pm - ~1:00pm to go over any Findings, Issues of Concern, Observations or Support items of interest. Please try to schedule interviews and walkdowns so that you are available to support this meeting.

I will meet with the licensee each day at 3:00pm to go over inspection status and any issues of concern that develop. If I need technical support from someone for this meeting, I'll let you know. Otherwise, feel free to keep inspecting.

HCM Hours Estimates:

Date | Inspection Week | Where | Est. Hours (per inspector) | HRMS Task Code
17/2 - 21/2 | TL - prep | Remote | 24 | SPD - Security Prep and Doc
24/2 - 28/2 | Team - Prep | Remote | 32 | SPD - Security Prep and Doc
3/3 - 7/3 | Team - Direct Inspection | On-Site | 35 +/- 4 | SG 2201 - Security Direct Inspection
12/16 - 12/20 | Team - Doc | Remote | 24 | SPD - Security Prep and Doc

Estimated Total BI effort per inspector: 35 +/- 4
Estimated Total BI effort: 105 +/- 12

Note: Inspectors in Training, Observers, and NSIR/CSB Point of Contact will not charge time to the direct inspection CACs. Please use ZG0106 (or other non-direct CAC if applicable).

Inspection Report Number: 09000231/2025403
EPID: I-2025-231-0012
Additional Task Codes:
SCM - Security Inspection COM
SGT - Security Inspection Travel

Inspection Requirements

03.01 Review Ongoing Monitoring and Assessment Activities

a. Review the process established by the licensee to conduct ongoing monitoring and assessments. Verify that the licensee conducts assessments required by the CSP.

b. Verify that the licensee conducts an appropriate effectiveness analysis as specified in the CSP. The review requires an evaluation of the cyber security program and the required controls, but at least every 24 months or at the frequency specified in the CSP.

c. Verify that the licensee performs vulnerability assessments or scans as described by the CSP, including the capability to correct exploited weaknesses.

03.02 Verify Defense-in-Depth Protective Strategies

a. Verify that the licensee maintained the defensive architecture, its capability to detect, to respond to, and to recover from cyber-attacks, as described by the CSP.

b. Verify that the licensee maintains controls and elements to ensure boundary protection for the cyber security levels and ensures that integrity of data is maintained. These protections can include host intrusion protection for devices and network intrusion detection/prevention for their network flows.

c. Verify that the licensee maintained the implemented security controls to provide high assurance that the CDAs are continuously protected against cyber-attacks.

d. Verify that the licensee has established access controls, and authentication and user-identification capabilities.

e. Verify that the licensee has continued to control portable media and mobile devices in accordance with the CSP.

03.03 Review of Configuration Management and Change Control

a. Verify that the licensee evaluates modifications to CDAs prior to implementation to assure that digital computer and communications systems and networks are adequately protected against cyber-attacks.

b. Verify that the licensee performs a security impact analysis prior to making changes to CDAs to manage the cyber risk resulting from the changes.

c. Verify that the licensee has implemented appropriate supply chain and service acquisition controls for replacement CDAs.

03.04 Review of Cyber Security Program

a. Verify that any changes to the CSP did not reduce the safeguards effectiveness of the plan. Changes to the CSP can be made according to the requirements of 10 CFR 50.54(p). Verify that the licensee performs activities in accordance with their implementing procedures.

b. Verify that the licensee established an incident response process, including contingency plans, and procedures. Verify that the licensee properly evaluated and responded to cyber security incidents, including effectively implementing their reporting requirements.

c. Verify that the licensee has established training as described in the CSP.

03.05 Evaluation of Corrective Actions

Verify that the licensee is identifying issues related to the cyber security program at an appropriate threshold, entering them in the CAP, and resolving the issues for a selected sample of problems associated with the cyber security program.

SELECTED SYSTEMS

System | Relevant ECs | Inspector
1721 - Security (common) | TSU-15-01053, FDCR 22-023, FDCR 22-025, FDCR 23-001, FDCR 23-002 | Nutt/Bacon
2404 - Process and Area Radiation Monitoring | TSU-20-01078 | Doe
1321A - Digital Feedwater Control | TSU-20-01090 | Doe
2349 - Plant Computer | None | Nutt
3349 - Power Range monitor | None | Bacon
2404 - Electrohydraulic Control system | None | Brown

Information specific to the CDAs below has already been requested/uploaded as part of RFI 2.

For your systems, if you would like information on any additional CDAs, please request it through the licensee.

1721 Security
CDA Number | Description
19278 | Data Diode
19454 | CAS Server Network Switch A-1
21820 | CAS Allegiant Computer
22413 | Security SIEM Firewall
22414 | Security Intrusion Prevention System

2404 Process and Area Radiation Monitoring
CDA Number | Description
19124 | DRMS NTP Time Server
19114 | DRMS WORKSTATION 1 KVM NETWORK USER STATION
19126 | RMS A Terminal Server
19111 | RMS A Data Diode
19112 | Data Diode
22441 | RMS B Data Diode

1321A Digital Feedwater Control
CDA Number | Description
19249 | Auto/Manual Station
22959 | Firewall to Digital Feed
22981 | Digital Feed Ethernet Switch
22983 | Digital Feed Media Converter
23146 | Digital Feedwater computer

2349 Plant Computer
CDA Number | Description
18425 | PPC Server
18426 | PPC Server
22179 | Engineering Workstation

3349 Power Range Monitor
CDA Number | Description
18955 | Train A Power Range High Power Trip
18956 | Train A Power Range Plant Computer System Terminal Server No. 2

2404 Electrohydraulic Control
CDA Number | Description
18604 | Electrohydraulic Control unit
18608 | PID Controller
18613 | Pump controller

INSPECTION DOCUMENTATION

Inspection report input is due by COB on Friday, March 14, 2025.

For any violations identified, please provide as much information as you can to fill in the SIF form (template shown below) and provide to the team leader. I will work with you to complete the forms prior to the scheduled SIF.

Compile a list of your most relevant documents to your inspection samples and provide to the team leader by using the format below:

CRs: Just the CR number
WOs: WO number, date completed
Procedures: Procedure number, Procedure name, revision
Engineering Changes/Mods: modification number, revision/date (dd/mm/yyyy)
Other documents: document number, revision/date (dd/mm/yyyy)

CYBER SIF WORKSHEET

General Information:

Cyber SIF Date: XX.XX.2023
Cyber Inspection Start Date: 03/03/2025
Licensee Type: Operating Reactor
Site: Choose an item.

NEI Controls:

Affected Assets:

Region: I
Lead Inspector: Click here to enter text.

Requirements:

10 CFR 73.54
Security Plan / Procedure: Click here to enter text.

Title:

Click here to enter text.

Performance Deficiency:

Introduction:

The team identified a finding of very low significance (Green) and associated non-cited violation (NCV) of Cornerstone: Security - Cyber Security attribute

Description:

Click here to enter text.

Corrective Actions:

Screening:

Significance:

Crosscutting:

Regional Recommendation:

Color/Severity Level: Green Finding Type: Choose an item.

Enforcement:

Final Disposition / Comments:

Click here to enter text.

Additional Background Information (Optional):

Click here to enter text.
