RA-14-0023, Duke Energy - License Amendment Request - Cyber Security Plan Implementation Schedule Milestone 8

From kanterella
Jump to navigation Jump to search

Duke Energy - License Amendment Request - Cyber Security Plan Implementation Schedule Milestone 8
ML14314A041
Person / Time
Site: Oconee, Mcguire, Catawba, McGuire  Duke Energy icon.png
Issue date: 11/06/2014
From: Kapopoulos E
Duke Energy Carolinas
To:
Document Control Desk, Office of Nuclear Reactor Regulation
Shared Package
ML14314A039 List:
References
RA-14-0023
Download: ML14314A041 (22)
v  d  e


Text

DUKEY ENERGYe EmestJ Kapopouos, Jr.

526 South Church Street Charotte, NC 28202 Mailing Address:

Mail Code ECO7H/P.O.Box 1006 Chadotte, NC 28201-1006 704-382-8162 704-382-6056 fax SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 UPON REMOVAL OF ENCLOSURE 1 LETTER IS UNCONTROLLED Serial: RA-14-0023 10 CFR 50.90 November 6, 2014 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001 CATAWBA NUCLEAR STATION, UNIT NOS. 1 AND 2 DOCKET NOS. 50-413 AND 50-414 / RENEWED LICENSE NOS. NPF-35 AND NPF-52 MCGUIRE NUCLEAR STATION, UNIT NOS. 1 AND 2 DOCKET NOS. 50-369 AND 50-370 / RENEWED LICENSE NOS. NPF-9 AND NPF-17 OCONEE NUCLEAR STATION, UNIT NOS. 1, 2 AND 3 DOCKET NO. 50-269, 50-270 AND 50-287 / RENEWED LICENSE NOS. DPR-38, DPR-47 AND DPR-55

SUBJECT:

LICENSE AMENDMENT REQUEST - CYBER SECURITY PLAN IMPLEMENTATION SCHEDULE MILESTONE 8

REFERENCES:

1. Duke Energy letter, Oconee Nuclear Station, Units 1, 2 & 3, McGuire, Units 1 and 2, and Catawba, Units 1 and 2, Response to Request for Additional Information Regarding License Amendment Request for Cyber Security Plan, dated April 15, 2011 (ADAMS Accession No. ML11109A074)
2. NRC letter, Catawba Nuclear Station, Units 1 and 2, McGuire Nuclear Station, Units 1 and 2, and Oconee Nuclear Station Units 1, 2, and 3 - Issuance of Amendments Regarding Cyber Security Plans Based on Nuclear Energy Institute 08-09, Revision 6 (TAC Nos. ME4529, 4530, 4531, 4532, 4533, 4534, 4435), dated August 31, 2011 (ADAMS Accession No. ML11216A064)

Pursuant to 10 CFR 50.90, Duke Energy Carolinas, LLC, referred to henceforth as "Duke Energy", hereby requests a license amendment pertaining to the Cyber Security Plan (CSP) implementation schedule, including a proposed revision to the existing Physical Protection license condition for the associated facility operating licenses.

Reference 1 provided, in part, the Revised Duke Energy Cyber Security Plan (Enclosure 4 of Reference 1) and the associated revised CSP. implementation schedule (Enclosure 3 of SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 UPON REMOVAL OF ENCLOSURE 1 LETTER IS UNCONTROLLED

SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 UPON REMOVAL OF ENCLOSURE 1 LETTER IS UNCONTROLLED U.S. Nuclear Regulatory Commission RA-14-0023 Page 2 Reference 1). In Reference 2, the NRC approved the CSP and associated implementation schedule and added a license condition to each of the facility operating licenses to require the licensees to fully implement and maintain in effect all provisions of the NRC-approved CSP.

The CSP implementation schedule provided in Reference 1 listed completion dates for Milestones 8 and 9. Milestone 8 pertains to the date that complete operational and management controls, as provided in NEI 08-09, Revision 6, Appendix E, will be achieved. Milestone 9 pertains to the date that full implementation of the CSP for all Safety, Security, and Emergency Preparedness (SSEP) functions will be achieved. As stated in Reference 2, subsequent changes to the NRC-approved CSP implementation schedule require prior NRC approval pursuant to 10 CFR 50.90. Accordingly, pursuant to the provisions of 10 CFR 50.4 and 10 CFR 50.90, Duke Energy is submitting this request for an amendment to the facility operating licenses for the stations listed in this letter to propose a change in the completion date for Milestone 8. provides an evaluation of the proposed change. Marked-up facility operating license pages for the Physical Protection license condition for the affected plants, reflecting the commitment change proposed in this submittal, are included as Enclosure 2. Enclosure 3 provides a complete, redacted version of Enclosure 1. This submittal also contains a revised regulatory commitment as identified in Enclosure 4.

The proposed changes have been evaluated in accordance with 10 CFR 50.91 (a)(1) using criteria in 10 CFR 50.92(c), and it has been determined that the proposed changes involve no significant hazards consideration. The bases for these determinations are included in .

NRC approval of this license amendment application is requested prior to June 30, 2015. Once approved, the license amendments will be implemented within 30 days. contains security-related information (SRI) to be withheld from public disclosure in accordance with 10 CFR 2.390. Enclosures 2, 3, and 4 are not SRI documents and are not marked as such in this submittal.

In accordance with 10 CFR 50.91, Duke Energy is notifying the States of North Carolina and South Carolina of this license amendment request by transmitting a copy of this letter and enclosures to the designated State Officials. Should you have any questions concerning this letter, or require additional information, please contact Julie Olivier, Manager - Nuclear Fleet Licensing, at 980-373-4045.

SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 UPON REMOVAL OF ENCLOSURE 1 LETTER IS UNCONTROLLED

SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 UPON REMOVAL OF ENCLOSURE 1 LETTER IS UNCONTROLLED U.S. Nuclear Regulatory Commission RA- 14-0023 Page 3 I declare under penalty of perjury that the foregoing is true and correct. Executed on November 6, 2014.

Sincerely, Ernest J. Kapopoulos, Jr.

Vice President - Corporate Governance and Operations Support MKL/NDE

Enclosures:

1. Evaluation of the Proposed Change
2. Proposed Facility Operating License Changes (Mark-up)
3. Evaluation of the Proposed Change (Redacted)
4. Revised Cyber Security Plan Implementation Schedule (Milestone 8)

SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 UPON REMOVAL OF ENCLOSURE 1 LETTER IS UNCONTROLLED

SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 UPON REMOVAL OF ENCLOSURE 1 LETTER IS UNCONTROLLED U.S. Nuclear Regulatory Commission RA-14-0023 Page 4 cc: USNRC Region II USNRC Resident Inspector - CNS USNRC Resident Inspector - MNS USNRC Resident Inspector - ONS G. E. Miller, NRR Project Manager - CNS & MNS J. R. Hall, NRR Project Manager - ONS W. L. Cox, Ill, Chief, North Carolina Department of Health and Human Services, RP Section (NC)

S. E. Jenkins, Manager, Radioactive and Infectious Waste Management (SC)

SECURITY-RELATED INFORMATION -WITHHOLD UNDER 10 CFR 2.390 UPON REMOVAL OF ENCLOSURE 1 LETTER IS UNCONTROLLED

SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 UPON REMOVAL OF ENCLOSURE 1 LETTER IS UNCONTROLLED U.S. Nuclear Regulatory Commission RA- 14-0023 Page 5 bcc: Chris Nolan Julie Olivier Matt Coulter Joe Frisco Lara Nichols David Cummings File: (Corporate)

Electronic Licensing Library (ELL)

Kelvin Henderson Randy Hart Tolani Owusu Andy Gullion North Carolina Municipal Power Agency No. 1 (NCMPA)

Piedmont Municipal Power Agency (PMPA)

North Carolina Electric Membership Corporation (NCEMC)

CNS Master File 801.01 - CN04DM T. K. Pasour (For CNS Licensing/Nuclear Records)

Steven Capps Jeff Robertson Julius Bryant Mike Vanhoy MNS Master File 801.01 - MG01 DM K. L. Crane (For MNS Licensing/Nuclear Records)

Scott Batson Chris Wasik Sandy Severance Steve Newman Eddie Cleveland ONS Master File 801.01 - ON03DM J. E. Smith (For ONS Licensing/Nuclear Records)

SECURITY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390 UPON REMOVAL OF ENCLOSURE 1 LETTER IS UNCONTROLLED to RA-14-0023 Enclosure 2 RA-14-0023 Proposed Facility Operating License Changes (Mark-up) to RA-14-0023 Page 1 of 7 Catawba Nuclear Station, Unit No. 1, Docket No. 50-413 / Renewed License No. NPF-35 E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made as supplemented pursuant to provisions of the Miscellaneous Amendments and Search by a change Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the approved by Uthorty of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, License *ch contains safeguards information protected under 10 CFR 73.21, is Amendment No. entid: "Duke Energy Physical Security Plan," Revision 8 submitted by letter dated y 17, 2007.

lzzz Duke Ene Carolinas, LLC shall fully Implement and maintain in effect all provisions of t Commission-approved cyber security plan (CSP), including changes made p suant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duk nergy Carolinas, LLC CSP was approved by License Amendment No. 2 -

F. Reporting to the Commission Deleted by Amendment No. 230 G. The licensees shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

3. This renewed license is effective as of the date of issuance and shall expire at midnight on December 5, 2043.

FOR THE NUCLEAR REGULATORY COMMISSION Original Signed By: J. E. Dyer J. E. Dyer, Director Office of Nuclear Reactor Regulation Attachments:

1. Appendix A - Technical Specifications
2. Appendix B - Additional Conditions
3. Appendix C - Antitrust Conditions Date of Issuance: December 5, 2003 Renewed License No. NPF-35 Amendment No. -6f-to RA-14-0023 Page 2 of 7 Catawba Nuclear Station, Unit No. 2, Docket No. 50-414 / Renewed License No. NPF-52 E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and

, as supplemented Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and by a change 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The approved by combined set of plans, which contains safeguards information protected License under 10 CFR 73.21, is entitled: "Duke Energy Physical Security Plan,"

Revision 8 submitted by letter dated May 17, 2007.

Amendment No.

zzz Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved cyber security plan (CSP), including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The Duke Energy Carolinas, LLC CSP was approved by License Amendment No. 262.

F. Reporting to the Commission Deleted by Amendment No. 226 G. The licensees shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

3. This renewed license is effective as of the date of issuance and shall expire at midnight on December 5, 2043.

FOR THE NUCLEAR REGULATORY COMMISSION Original Signed By: J. E. Dyer J. E. Dyer, Director Office of Nuclear Reactor Regulation Attachments:

1. Appendix A - Technical Specifications
2. Appendix B -Additional Conditions
3. Appendix C - Antitrust Conditions Date of Issuance: December 5, 2003 Renewed License No. NPF-52 Amendment No. 262

,4 69FFOGteGliayieffeFuateraaept9F:RuBF 28 Aldii to RA-1 4-0023 Page 3 of 7 McGuire Nuclear Station, Unit No. 1, Docket No. 50-369 / Renewed License No. NPF-9

-4A-D. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the as supplemented authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, bya change byaehchItled:ontains "Duke safeguards information Energy Physical Securityprotected under 10 CFR 73.21, is Plan' submitted by letter dated approved by Selmber 8. 2004. and supplemented on September 30, 2004, October 15, License 2004A.ctober 21, 2004, and October 27, 2004.

Amendment No.

Duke Enerof Carolinas, provisions LLC shall fully implement and maintain in effect all Commission-approved cyber security plan (CSP), including changes made p uant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).The Duke ergy Carolinas, LLC CSP was approved by License Amendment No. 2 E. Deleted by Amendment No. 233.

Renewed License No. NPF-9 Amendment No. -'

to RA-1 4-0023 Page 4 of 7 McGuire Nuclear Station, Unit No. 2, Docket No. 50-370 / Renewed License No. NPF-17

4. Procedures for implementing integrated fire response strategy
5. Identification of readily-available pre-staged equipment
6. Training on integrated fire response strategy
7. Spent fuel pool mitigation measures C) Actions to minimize release to include consideration of:
1. Water spray scrubbing
2. Dose to onsite responders D. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of plans, which contains safeguards information protected under 10 CFR 73.21, is as supplemented entitled: -Duke Energy Physical Security Plan" submitted by letter dated by a change September 8. 2004, and supplemented on September 30, 2004, October 15, approved by T004. October 21, 2004, and October 27, 2004.

License Amendment No. D ke Energy Carolinas, LLC shall fully implement and maintain in effect all pr visions of the Commission-approved cyber security plan (CSP), including ZZZ ch ges made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The uke Energy Carolinas, LLC CSP was approved by License Amendment No.

244" E. Deleted by Amendment No. 215.

F. The licensee shall have and maintain financial protection of such type and in such amounts as the Commission shall require in accordance with Section 170 of the Atomic Energy Act of 1954, as amended, to cover public liability claims.

G. In accordance with the Commission's direction in its Statement of Policy, Ucensina and Reaulatorv Policy and Procedures for Environmental Protection:

Uranium Fuel Cycle Imoacts. October 29, 1982, this renewed operating license is subject to the final resolution of the pending litigation involving Table S-3.

See, Natural Resources Defense Council v. NRC. No. 74-1586 (D.C. cir. April 27, 1982).

H. The licensee is authorized to receive from the Oconee Nuclear Station, Units 1, 2, and 3, possess, and store irradiated Oconee fuel assemblies containing special nuclear material, enriched to not more than 3.24% by weight U-235 subject to the following conditions:

a. Oconee fuel assemblies may not be placed in the McGuire Nuclear Station, Unit 1 and 2, reactors.
b. Irradiated fuel shipped to McGuire Nuclear Station, Units 1 and 2, from Oconee shall have been removed from the Oconee reactor no less than 270 days prior to shipment.

Renewed License No. NPF-1 7 Amendment No. 2*

to RA-1 4-0023 Page 5 of 7 Oconee Nuclear Station, Unit No. 1, Docket No. 50-269 / Renewed License No. DPR-38

3) The licensee shall maintain appropriate compensatory measures In place until completion of all modifications and implementation items delineated above.

E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain ineffect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to as supplemented the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of by a change plans, which contains safeguards information protected under 10 CFR 73.21, approved by is entitled: "Duke Energy Physical Security Plan' submitted by letter dated September 8, 2004, and supplemented on September 30, 2004, October 15, License 004, October 21, 2004, and October 27, 2004.

Amendment No.

zzz Du e Energy Carolinas, LLC shall fully implement and maintain in effect all prov Ions of the Commission-approved cyber security plan (CSP), including chang s made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The Du Energy Carolinas, LLC CSP was approved by License Amendment No. 37 F. In the update to the UFSAR required pursuant to 10 CFR 50.71(e)(4) scheduled for July. 2001. the licensee shall update the UFSAR to Include the UFSAR supplement submitted pursuant to 10 CFR 54.21(d) as revised on March 27. 2000. Until the UFSAR update is complete, the licensee may make changes to the programs described in its UFSAR supplement without prior Commission approval, provided that the licensee evaluates each such change pursuant to the criteria set forth in 10 CFR 50.59 and otherwise complies with the requirements in that section.

G. The licensee's UFSAR supplement submitted pursuant to 10 CFR 54.21(d), as revised on March 27, 2000, describes certain future inspection activities to be completed before the period of extended operation. The licensee shall complete these activities no later than February 6, 2013.

H. Mitloation Strateev License Condition Develop and maintain strategies for addressing large fires and explosions and that include the following key areas:

(a) Fire fighting response strategy with the following elements:

1. Pre-defined coordinated fire response strategy and guidance
2. Assessment of mutual aid fire fighting assets
3. Designated staging areas for equipment and materials
4. Command and control
5. Training of response personnel Renewed License No. DPR-38 Amendment No. -3%-

to RA-14-0023 Page 6 of 7 Oconee Nuclear Station, Unit No. 2 Docket No. 50-270 / Renewed License No. DPR-47

3) The licensee shall maintain appropriate compensatory measures in place until completion of all modifications and implementation items delineated above.

E. Physical Protection Duke Energy Carolinas, LLC shall fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made as supplemented pursuant to provisions of the Miscellaneous Amendments and Search Requirements by a change uthority of 10 revisions CFR 50.90 to and 10 CFR 73.55 10 CFR (51 FR 27817 50.54(p). and 27822)

The combined and to the set of plans, approved by ich contains safeguards information protected under 10 CFR 73.21, is License en ed: Duke Energy Physical Security Plan" submitted by letter dated Amendment No. Sept ber 8,2004. and supplemented on September 30.2004, October 15, 2004, ober 21, 2004. and October 27, 2004.

Duke Energ arolinas, LLC shall fully implement and maintain In effect all provisions of Commission-approved cyber security plan (CSP). including changes made p uant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The Duk nergy Carolinas, LLC CSP was approved by License Amendment No.0.

F. In the update to the UFSAR required pursuant to 10 CFR 50.71(e)(4) scheduled for July, 2001, the licensee shall update the UFSAR to include the UFSAR supplement submitted pursuant to 10 CFR 54.21(d) as revised on March 27, 2000. Until the UFSAR update is complete, the licensee may make changes to the programs described in its UFSAR supplement without prior Commission approval, provided that the licensee evaluates each such change pursuant to the criteria set forth in 10 CFR 50.59 and otherwise complies with the requirements in that section.

G. The licensee's UFSAR supplement submitted pursuant to 10 CFR 54.21(d), as revised on March 27, 2000, describes certain future inspection activities to be completed before the period of extended operation. The licensee shall complete these activities no later than February 6, 2013.

H. Mitigation Strategv License Condition Develop and maintain strategies for addressing large fires and explosions and that include the following key areas:

(a) Fire fighting response strategy with the following elements:

1. Pre-defined coordinated fire response strategy and guidance
2. Assessment of mutual aid fire fighting assets
3. Designated staging areas for equipment and materials
4. Command and control
5. Training of response personnel Renewed License No. DPR-47 Amendment No. 38&

to RA-14-0023 Page 7 of 7 Oconee Nuclear Station, Unit No. 3 Docket No. 50-287 / Renewed License No. DPR-55

3) The licensee shall maintain appropriate compensatory measures in place until completion of all modifications and implementation items delineated above.

E. Physical Protection Duke Energy Carolinas. LLC shalR fully implement and maintain in effect all provisions of the Commission-approved physical security, training and qualification and safeguards contingency plans including amendments made pursuant to provisions of the Miscellaneous Amendments and Search as supplemented Requirements revisions to 10 CFR 73.55 (51 FR 27817 and 27822) and to by a change the authority of 10 CFR 50.90 and 10 CFR 50.54(p). The combined set of by v plans, which contains safeguards information protected under 10 CFR approved by 73.21, is entitled: 'Duke Energy Physical Security Plan submitted by letter License ated September 8, 2004, and supplemented on September 30, 2004, Amendment No. ober 15, 2004, October 21. 2004, and October 27, 2004.

lZZZ I Du Energy Carolinas, LLC shall fully implement and maintain in effect all provi ns of the Commission-approved cyber security plan (CSP), including chang made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

The Ou Energy Carolinas, LLC CSP was approved by License Amendment No. 37 F. In the update to the UFSAR required pursuant to 10 CFR 50.71(e)(4) scheduled for July, 2001. the licensee shall update the UFSAR to include the UFSAR supplement submitted pursuant to 10 CFR 54.21(d) as revised on March 27, 2000. Until the UFSAR update Is complete, the licensee may make changes to the programs described in its UFSAR supplement without prior Commission approval, provided that the licensee evaluates each such change pursuant to the criteria set forth in 10 CFR 50.59 and otherwise complies with the requirements in that section.

G. The licensee's UFSAR supplement submitted pursuant to 10 CFR 54.21(d),

as revised on March 27, 2000, describes certain future inspection activities to be completed before the period of extended operation. The licensee shall complete these activities no later than February 6. 2013.

H. Mitiaation Strateav Ucense Condition Develop and maintain strategies for addressing large fires and explosions and that include the following key areas:

(a) Fire fighting response strategy with the following elements:

1. Pre-defined coordinated fire response strategy and guidance
2. Assessment of mutual aid fire fighting assets
3. Designated staging areas for equipment and materials
4. Command and control
5. Training of response personnel Renewed License No. DPR-55 Amendment No. -379-to RA- 14-0023 REDACTED Enclosure 3 RA-1 4-0023 Evaluation of the Proposed Change (Redacted)

Attached is the Redacted Version of Enclosure 1 to RA- 14-0023.

to RA-14-0023 Page 1 of 7 SREDACTEDl Enclosure 1 Evaluation of the Proposed Change

Subject:

This license amendment request (LAR) includes a proposed change to Milestone 8 of the Cyber Security Plan implementation schedule and a proposed revision to the existing Physical Protection license condition for the facility operating licenses

1.

SUMMARY

DESCRIPTION

2. DETAILED DESCRIPTION
3. TECHNICAL EVALUATION
4. REGULATORY EVALUATION 4.1 Applicable Regulatory Requirements/Criteria 4.2 Precedent 4.3 No Significant Hazards Consideration Determination 4.4 Conclusions
5. ENVIRONMENTAL CONSIDERATION
6. REFERENCES to RA-1 4-0023 Page 2 of 7 REDACTED
1.

SUMMARY

DESCRIPTION This license amendment request (LAR) includes a proposed change to Milestone 8 of the Cyber Security Plan (CSP) implementation schedule and a proposed revision to the existing Physical Protection license condition for the facility operating licenses for Catawba Nuclear Station, Unit Nos. 1 and 2 (CNS), McGuire Nuclear Station, Unit Nos. 1 and 2 (MNS) and Oconee Nuclear Station, Unit Nos. 1, 2 and 3 (ONS). The completion date for Milestone 8 is proposed to be changed from June 30, 2015, to December 31, 2017.

2. DETAILED DESCRIPTION Reference 1 provided, in part, the Revised Duke Energy Cyber Security Plan (Enclosure 4 of Reference 1) and the associated revised CSP implementation schedule (Enclosure 3 of Reference 1). In Reference 2, the NRC approved the CSP and associated implementation schedule and added a license condition to each of the facility operating licenses to require the licensees to fully implement and maintain in effect all provisions of the NRC-approved CSP.

Nuclear Energy Institute (NEI) 08-09 (Reference 3) was developed by the industry to assist licensees in constructing and implementing their CSP. The CSP implementation schedule provided in Reference 1 listed a completion date of June 30, 2015 for Milestone 8. Milestone 8 pertains to the date that complete operational and management controls, as provided in NEI 08-09, Revision 6, Appendix E, will be achieved. Appendix E of NEI 08-09 pertains to operational and management cyber security controls.

As stated in Reference 2, subsequent changes to the NRC-approved CSP implementation schedule require prior NRC approval pursuant to 10 CFR 50.90. Accordingly, pursuant to the provisions of 10 CFR 50.4 and 10 CFR 50.90, Duke Energy is submitting this request for an amendment to the aforementioned facility operating licenses to propose a change in the completion date for Milestone 8 from June 30, 2015, to December 31, 2017.

This license amendment application includes the proposed change to the existing operating license condition for "Physical Protection" (Enclosure 2 to the cover letter) for CNS, Unit Nos. 1 and 2, MNS, Unit Nos. 1 and 2, and ONS, Unit Nos. 1, 2 and 3. Enclosure 4 to the cover letter contains the proposed Revised Cyber Security Plan Implementation Schedule (Milestone 8).

3. TECHNICAL EVALUATION to RA- 14-0023 Page 3 of77REDACTE]

to RA-1 4-0023 Page 4 of 7 FI iTEDAýD

4. REGULATORY EVALUATION 4.1 Applicable Regulatory Requirements/Criteria 10 CFR 73.54 requires licensees to maintain and implement a Cyber Security Plan. Catawba Nuclear Station, Unit Nos. 1 and 2 (Renewed Facility Operating License Nos. NPF-35 and NPF-52), McGuire Nuclear Station, Unit Nos. 1 and 2 (Renewed Facility Operating License Nos.

NPF-9 and NPF-17) and Oconee Nuclear Station, Unit Nos. 1, 2 and 3 (Renewed Facility Operating License Nos. DPR-38, DPR-47, and DPR-55) include a Physical Protection license condition that requires the respective licensees to fully implement and maintain in effect all provisions of the Commission-approved Cyber Security Plan, including changes made pursuant to the authority of 10 CFR 50.90 and 10 CFR 50.54(p).

4.2 Precedent In Reference 5, NEI transmitted to the NRC an implementation schedule template to aid compliance with the NRC's cyber security regulations codified in 10 CFR 73.54. In Reference 6, the NRC indicated that they had identified no issues with the template. The NEI template included eight milestones, with Milestone 8 relating to the date of full implementation of the Cyber Security Plan. In contrast, the implementation schedule proposed for CNS, MNS, and ONS (Reference 1) included nine milestones, with Milestone 9 being equivalent to Milestone 8 of the NEI template, and Milestone 8 being an intermediate milestone not included in the NEI template. This LAR does not propose a change to the scheduled date of full implementation of the Cyber Security Plan (i.e., December 31, 2017 for Milestone 9); it does align the date Milestone 8 with Milestone 9. Therefore, the effect of the LAR is to eliminate the intermediate milestone and bring the structure of the milestones in closer alignment with the NEI template and the rest of the industry.

to RA-14-0023 REDACTED Page 5 of 7 While the subject of this LAR is believed to be unique, there are several precedents in the industry of license amendments involving changes to cyber security milestone schedules. See References 7 and 8 for recent examples.

4.3 No Significant Hazards Consideration Determination Duke Energy is requesting an amendment to the Catawba Nuclear Station, Unit Nos. 1 and 2 (Renewed Facility Operating License Nos. NPF-35 and NPF-52), McGuire Nuclear Station, Unit Nos. 1 and 2 (Renewed Facility Operating License Nos. NPF-9 and NPF-1 7) and Oconee Nuclear Station, Unit Nos. 1, 2 and 3 (Renewed Facility Operating License Nos. DPR-38, DPR-47, and DPR-55) Facility Operating Licenses to revise the Physical Protection license condition as it relates to the Cyber Security Plan. The current license condition reflects the Cyber Security Plan implementation schedule previously approved by the NRC, which listed a completion date of June 30, 2015, for Milestone 8. Milestone 8 pertains to the date that complete operational and management controls, as provided in Nuclear Energy Institute 08-09, Revision 6, Appendix E, will be achieved. A revised Milestone 8 completion date of December 31, 2017, is requested.

Duke Energy has evaluated whether or not a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of Amendment," as discussed below:

1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The amendment proposes a change to the Milestone 8 schedule date, as set forth in the Cyber Security Plan (CSP) implementation schedule. The revision of the schedule date for the CSP does not involve modifications to any safety related structures, systems or components (SSCs). Rather, the implementation schedule provides a timetable for fully implementing the CSP. The CSP describes how the requirements of 10 CFR 73.54 are to be implemented to identify, evaluate, and mitigate cyber-attacks up to and including the design basis cyber-attack threat, thereby achieving high assurance that the facility digital computer and communications systems and networks are protected from cyber-attacks. The revision of the CSP implementation schedule will not alter previously evaluated design basis accident analysis assumptions, add any accident initiators, modify the function of the plant safety related SSCs, or affect how any plant safety-related SSCs are operated, maintained, modified, tested, or inspected. Further, based on the efforts accomplished to date in implementing CSP Milestones 1 through 7, Duke Energy believes that the proposed schedule change will have no adverse effect on safety.

Therefore, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The amendment proposes a change to the Milestone 8 schedule date, as set forth in the Cyber Security Plan (CSP) implementation schedule. The implementation of the Cyber to RA-14-0023 REDACTED Page 6 of 7 Security Plan does not introduce new equipment that could create a new or different kind of accident, and no new equipment failure modes are created. No new accident scenarios, failure mechanisms, or limiting single failures are introduced as a result of this proposed amendment. Further based on the efforts accomplished to date in implementing CSP Milestones 1 through 7, Duke Energy believes that the proposed schedule change will have no adverse effect on safety.

Therefore, the proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.

3. Does the proposed change involve a significant reduction in a margin of safety?

Response: No.

Plant safety margins are established through limiting conditions for operation, limiting safety system settings, and safety limits specified in the technical specifications. The proposed change revises the Cyber Security Plan implementation schedule. Because there is no change to these established safety margins as result of this change, the proposed change does not involve a significant reduction in a margin of safety.

Therefore, the proposed change does not involve a significant reduction in a margin of safety.

Based on the above, Duke Energy concludes that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and accordingly, a finding of "no significant hazards consideration" is justified.

4.4 Conclusions In conclusion, based on the considerations discussed above: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) such activities will be conducted in compliance with the Commission's regulations; and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

5. ENVIRONMENTAL CONSIDERATION The proposed amendment provides a change to the Cyber Security Plan implementation schedule for Milestone 8. The proposed amendment meets the eligibility criterion for a categorical exclusion set forth in 10 CFR 51.22(c)(12). Therefore, pursuant to 10 CFR 51.22(b),

no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.

6. REFERENCES
1. Duke Energy letter, Oconee Nuclear Station, Units 1, 2, and 3, Docket Nos. 50-269, 50-270, and 50-287, McGuire Nuclear Station, Units 1 and 2, Docket Nos. 50-369 and 50-370, and Catawba NuclearStation, Units 1 and 2, Docket Nos. 50-413 and 50-414, Response to Request for Additional Information Regarding License Amendment Request for Cyber Security Plan, dated April 15, 2011 (ADAMS Accession No. ML11109A074)
2. NRC letter, CatawbaNuclear Station, Units 1 and 2 (Catawba 1 and 2), McGuire Nuclear Station, Units 1 and 2 (McGuire 1 and 2), and Oconee Nuclear Station, Units 1, 2, and 3 to RA-1 4-0023 Page 7 of77REDACTED (Oconee 1, 2, and 3) - Issuance of Amendments Regarding Cyber Security Plans Based on Nuclear Energy Institute 08-09, Revision 6 (TAC Nos. ME4529, ME4530, Catawba; ME4531, ME4532, McGuire; ME4533, ME4534, ME4535, Oconee), dated August 31, 2011 (ADAMS Accession No. ML11216A064)
3. Nuclear Energy Institute, NEI 08-09, Revision 6, Cyber Security Plan for Nuclear Power Reactors, April 2010
4. Nuclear Energy Institute, NEI 13-10, Revision 0, Cyber Security ControlAssessments, January 2014
5. Letter from Christopher E. Earls (NEI) to Richard P. Correia (NRC), Template for the Cyber Security Plan Implementation Schedule, dated February 28, 2011 (ADAMS Accession No. ML110600211 and ML110600218)
6. Letter from Richard P. Correia (NRC) to Christopher E. Earls (NEI), Template for the Cyber Security Plan Implementation Schedule, dated March 1, 2011 (ADAMS Accession No. ML110070348)
7. NRC letter, Virgil C. Summer Nuclear Station, Unit 1 - Issuance of Amendment 198 Regarding the Cyber Security Plan Implementation Schedule Milestone 8 (TAC No. MF2899), dated May 29, 2014 (ADAMS Accession No. ML14122A309)
8. NRC letter, Comanche Peak Nuclear Power Plant, Unit Nos. 1 and2 - Issuance of Amendments re: Approval of the Revised Cyber Security Plan Implementation Schedule (TAC Nos. MF3216 and MF3217), dated September 8, 2014 (ADAMS Accession No. ML14183A342) to RA-14-0023 Page 1 of 1 Revised Cyber Security Plan Implementation Schedule (Milestone 8)

The following table identifies the regulatory commitments in this document. Any other statements in this submittal represent intended or planned actions. They are provided for information purposes and are not considered to be regulatory commitments.

  1. I M Co-pletionDate Basi 8 Complete Operational and December 31, 2017 The implementation of the cyber Management controls, as security program is expected to require provided in NEI 08-09, Rev 6, policy/procedure development and/or Appendix E. upgrades for nearly every plant department. Many of the security The implementation of controls controls will require development of the that require a design technical processes for implementing modification that are not the control in a nuclear plant finished by the completion date environment including development of will be documented in the site new procedures for surveillances, configuration management periodic monitoring and reviews.

and/or change control program to assure completion of the Some controls from Appendix E could design modification as soon as require a design modification.

possible, but no later than the final implementation date.

Retrieved from "https://kanterella.com/w/index.php?title=RA-14-0023,_Duke_Energy_-_License_Amendment_Request_-_Cyber_Security_Plan_Implementation_Schedule_Milestone_8&oldid=2450864"