Text

10 CFR 50.90 TMI-10-128 RA-10-103 RS-10-214 December 21, 2010 U.S. Nuclear Regulatory Commission Attn: Document Control Desk Washington, D.C. 20555-0001 Braidwood Station, Units 1 and 2 Facility Operating License Nos. NPF-72 and NPF-77 NRC Docket Nos. STN 50-456 and STN 50-457 Byron Station, Units 1 and 2 Facility Operating License Nos. NPF-37 and NPF-66 NRC Docket Nos. STN 50-454 and STN 50-455 Clinton Power Station, Unit 1 Facility Operating License No. NPF-62 NRC Docket No. 50-461 Dresden Nuclear Power Station, Units 2 and 3 Renewed Facility Operating License Nos. DPR-19 and DPR-25 NRC Docket Nos. 50-237 and 50-249 LaSalle County Station, Units 1 and 2 Facility Operating License Nos. NPF-11 and NPF-18 NRC Docket Nos. 50-373 and 50-374 Limerick Generating Station, Units 1 and 2 Facility Operating License Nos. NPF-39 and NPF-85 NRC Docket Nos. 50-352 and 50-353 Oyster Creek Nuclear Generating Station Renewed Facility Operating License No. DPR-16 NRC Docket No. 50-219 Peach Bottom Atomic Power Station, Units 2 and 3 Renewed Facility Operating License Nos. DPR-44 and DPR-56 NRC Docket Nos. 50-277 and 50-278

U.S. Nuclear Regulatory Commission Exelon Cyber Security Plan RAI Response December 21,2010 Page 2 Quad Cities Nuclear Power Station, Units 1 and 2 Renewed Facility Operating License Nos. DPR-29 and DPR-30 NRC Docket Nos. 50-254 and 50-265 Three Mile Island Nuclear Station, Unit 1 Renewed Facility Operating License No. DPR-50 NRC Docket No. 50-289

Subject:

Exelon Cyber Security Plan RAI Response

Reference:

(1)

Letter from Pamela B. Cowan to the USNRC Document Control Desk, Exelon Cyber Security Plan, dated November 23, 2009 (2)

Letter from Pamela B. Cowan to the USNRC Document Control Desk, Re-submittal of the Exelon Cyber Security Plan, dated July 23, 2010 (3)

Letter from Eva A. Brown (U.S. Nuclear Regulatory Commission) to Michael J. Padlio (Exelon Generation Company, LLC), Braidwood Station, Units 1 and 2; Byron Station, Unit Nos. 1 and 2; Clinton Power Station, Unit No.1; Dresden Nuclear Power Station, Units 2 and 3; LaSalle County Station, Units 1 and 2; Limerick Generating Station, Units 1 and 2; Oyster Creek Nuclear Generating Station; Peach Bottom Atomic Power Station, Units 2, and 3; Quad Cities Nuclear Power Station, Units 1 and 2; and Three Mile Island Nuclear Station, Unit 1 Request For Additional Information Regarding Approval of Cyber Security Plan, dated December 7, 2010 On November 23, 2009, in accordance with the provisions of 10 CFR 50.4 and 10 CFR 50.90, Exelon Generation Company, LLC (Exelon) submitted a request for an amendment to the Facility Operating Licenses (FOL) for the above listed facilities (Reference 1). This proposed amendment requested U.S. Nuclear Regulatory Commission (NRC) approval of the Exelon Cyber Security Plan, provided an Implementation Schedule, and added to the existing FOL Physical Protection license condition to require Exelon to fully implement and maintain in effect all provisions of the Commission-approved Cyber Security Plan. By letter dated July 23, 2010, Exelon supplemented the Cyber Security Plan License Amendment Request with a revised Cyber Security Plan based on the template contained in NEI 08-09, Revision 6 (Reference 2).

By letter to Exelon dated December 7, 2010 the NRC provided a Request for Additional Information regarding the submitted Exelon Cyber Security Plan (Reference 3). The NRC staff requested that Exelon provide a response to the Request for Additional Information within 30 days of the letter date. to this letter provides the information requested by the NRC.

There is no adverse impact to the previously submitted No Significant Hazards Consideration.

There are no additional commitments contained within this letter.

U.S. Nuclear Regulatory Commission Exelon Cyber Security Plan RAI Response December 21, 2010 Page 3 In accordance with 10 CFR 50.91, a copy of this letter is being provided to the designated State Officials.

If you have any questions or require additional information, please contact Mr. Doug Walker at (610) 765-5952.

I declare under penalty of perjury that the foregoing is true and correct. Executed on the 21 st day of December 2010.

RespectfulIy, David P. Helker Manager - Licensing and Regulatory Affairs Exelon Generation Company, LLC :

Response to NRC Request for Additional Information cc:

USNRC Region I, Regional Administrator USNRC Region III, Regional Administrator NRC Project Manager, NRR - Braidwood Station NRC Project Manager, NRR - Byron Station NRC Project Manager, NRR - Clinton Power Station NRC Project Manager, NRR - Dresden Nuclear Power Station NRC Project Manager, NRR - LaSalle County Station NRC Project Manager, NRR - Limerick Generating Station NRC Project Manager, NRR - Oyster Creek Nuclear Generating Station NRC Project Manager, NRR - Peach Bottom Atomic Power Station NRC Project Manager, NRR - Quad Cities Nuclear Power Station NRC Project Manager, NRR -Three Mile Island Nuclear Station USNRC Senior Resident Inspector - Braidwood Station USNRC Senior Resident Inspector - Byron Station USNRC Senior Resident Inspector - Clinton Power Station USNRC Senior Resident Inspector - Dresden Nuclear Power Station USNRC Senior Resident Inspector - LaSalle County Station USNRC Senior Resident Inspector - Limerick Generating Station USNRC Senior Resident Inspector - Oyster Creek Nuclear Generating Station USNRC Senior Resident Inspector - Peach Bottom Atomic Power Station USNRC Senior Resident Inspector - Quad Cities Nuclear Power Station USNRC Senior Resident Inspector -Three Mile Island Nuclear Station S. T. Gray, State of Maryland Illinois Emergency Management Agency - Division of Nuclear Safety R. R. Janati - Bureau of Radiation Protection, Commonwealth of Pennsylvania Exelon Cyber Security Plan Response to NRC Request for Additional Information

Exelon Cyber Security Plan Response to NRC Request for Additional Information Page 1 In reviewing the Exelon Generation Company's (Exelon's) submittal dated July 23, 2010, for the subject plants, the Nuclear Regulatory Commission staff has determined that the following information is needed in order to complete its review:

Cyber Security Plan Section 4: Establishing, Implementing, and Maintaining the Cyber Security Program

Title:

Defense-in-Depth Protective Strategies -Critical Digital Asset (CDA)

Isolation Strategies.

Section 73.54(c)(2) to Title 10 to the Code of Federal Regulations requires the licensee to apply and maintain defense-in-depth protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks. Section 4.3, "Defense-in-Depth Protective Strategies," of the Exelon Generation Company, LLC (Braidwood, Byron, Clinton, Dresden, LaSalle, Limerick, Oyster Creek, Peach Bottom, Quad Cities, and Three Mile Island) Cyber Security Plan states (1) when referring to protections which isolate or secure safety-related CDAs within Level 4 and security CDAs within cyber security defensive levels 4 and 3, that these devices may be secured via "one or more deterministic devices (Le., data diodes, air gaps) that isolate CDAs in level 4, or one or more non-deterministic network isolation devices."

Clarify if any of the non-deterministic devices for the safety-related CDAs and security CDAs are in parallel (Le., connecting the same network segments) with the deterministic devices.

Clarify if any of the non-deterministic devices for the safety-related CDAs and security CDAs are in parallel (Le., connecting the same network segments) with the deterministic devices. If any safety-related and security devices are in parallel address why this configuration would not negate the protection afforded by the deterministic devices.

Response

Once the Exelon Cyber Security program is implemented, there will be no non-deterministic devices for the safety-related CDAs and security CDAs that are in parallel (Le., connecting the same network segments) with the deterministic devices.