WO 11-0017, Response to Request for Additional Information Regarding License Amendment Request for Approval of the Cyber Security Plan

From kanterella
Jump to navigation Jump to search
Response to Request for Additional Information Regarding License Amendment Request for Approval of the Cyber Security Plan
ML110970134
Person / Time
Site: Wolf Creek Wolf Creek Nuclear Operating Corporation icon.png
Issue date: 04/01/2011
From: Hedges S
Wolf Creek
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
WO 11-0017
Download: ML110970134 (13)
v  d  e


Text

W.'LF CREEK NUCLEAR OPERATING CORPORATION Stephen E. Hedges Site Vice President April 1, 2011 WO 11-0017 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555

Reference:

1) Letter WO 10-0048, dated July 19, 2010, from S. E. Hedges WCNOC, to USNRC
2) Letter dated January 10, 2011, from B. K. Singal, USNRC, to M.

W. Sunseri, WCNOC, "Wolf Creek Generating Station -

Request for Additional Information Regarding License Amendment Request for Approval of the Cyber Security Plan (TAC NO. ME4265)"

3) Letter WO 11-0002, dated January 20, 2011, from S. E.

Hedges, WCNOC, to USNRC

4) Letter dated March 2, 2011, from B. K. Singal, USNRC to M. W.

Sunseri, WCNOC, "Wolf Creek Generating Station - Request for Additional Information Regarding Revision to the Renewed Facility Operating License and Request for Review and Approval of the Cyber Security Plan (TAC NO. ME4265)"

Subject:

Docket No. 50-482: Response to Request for Additional Information Regarding License Amendment Request for Approval of the Cyber Security Plan Gentlemen:

Reference 1 provided Wolf Creek Nuclear Operating Corporation's (WCNOC) application requesting Commission review and approval of a Cyber Security Plan in accordance with 10 CFR 73.54. The application included a revision to Section 2.E. of the Renewed Facility Operating License, in accordance with 10 CFR 50.90, to incorporate the provisions for implementing and maintaining in effect the provisions of the approved Cyber Security Plan.

Reference 2 provided a request for additional information related to the application. Reference PO. Box 411 / Burlington, KS 66839 / Phone: (620) 364-8831 ScI )//4 An Equal Opportunity Employer M/F/HC/VET

WO 11-0017 Page 2 of 3 3 provided WCNOC's response to the request for additional information. Reference 4 provided a second request for additional information related to the application. Attachment I provides WCNOC's response to the second request for additional information.

The response to the second request for additional information does not expand the scope of the application and does not impact the conclusions of the no significant hazards consideration determination provided in Reference 1.

In accordance with 10 CFR 50.91, a copy of this submittal is being provided to the designated Kansas State official.

Attachment ii provides a list of regulatory commitments. The commitments in Attachment II supersede the commitments in Attachment IV of Reference 1. If you have any questions concerning this matter, please contact me at (620) 364-4190, or Mr. Gautam Sen at (620) 364-4175.

Sincerely, Ste Se/E.Hedges SEH/rlt

Attachment:

I - Response to Second Request for Additional Information II - List of Regulatory Commitments cc: E. E. Collins (NRC), w/a T. A. Conley (KDHE), w/a J. R. Hall (NRC), w/a G. B. Miller (NRC), w/a Senior Resident Inspector (NRC), w/a

WO 11-0017 Page 3 of 3 STATE OF KANSAS

)S COUNTY OF COFFEY Stephen E. Hedges, of lawful age, being first duly sworn upon oath says that he is Site Vice President of Wolf Creek Nuclear Operating Corporation; that he has read the foregoing document and knows the contents thereof; that he has executed the same for and on behalf of said Corporation with full power and authority to do so; and that the facts therein stated are true and correct to the best of his knowledge, information and belief.

By Stephen Edes Site Vice Pplsident SUBSCRIBED and sworn to before me JULIE A. DALE Notary Public. State of Kansas My Aoint ent Exires Expiration Date ExpirationDate / 4q

Attachment I to WO 11-0017 Page 1 of 9 Response to Second Request for Additional Information Reference 1 provided Wolf Creek Nuclear Operating Corporation's (WCNOC) application requesting Commission review and approval of a Cyber Security Plan (CSP) in accordance with 10 CFR 73.54. The application included a revision to Section 2.E. of the Renewed Facility Operating License, in accordance with 10 CFR 50.50, to incorporate the provisions for implementing and maintaining in effect the provisions of the approved CSP. Reference 2 provided a second request for additional information related to the application. The specific NRC questions are provided in italics.

1. Records Retention The regulations in 10 CFR 73.54(c)(2) requires licensees to design a cyber security program to ensure the capability to detect, respond to, and recover from cyber attacks.

Furthermore, 10 CFR 73.54(e)(2)(i) requires licensees to maintain a CSP plan that describes how the licensee will maintain the capability for timely detection and response to cyber attacks. The ability for a licensee to detect and respond to cyber attacks requires accurate and complete records and is further supported by 10 CFR 73.54(h), which states that the licensee shall retain all records and supporting technical documentation required to satisfy the requirements of 10 CFR Section 73.54 as a record until the Commission terminates the license for which the records were developed, and shall maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission.

The licensee's CSP in Section 4.13 states that CriticalDigitalAsset (CDA) audit recordsand audit data (e.g., operating system logs, network device logs) are retained for a period of time that is less than what is requiredby 10 CFR 73.54(h).

Please explain the deviation from the 10 CFR 73.54(h) requirement to retain records and supporting technical documentation until the Commission terminates the license (or to maintain superseded portions of these records for at least 3 years) and how that meets the requirementsof 10 CFR 73.54.

Response: In response to the above question, WCNOC will revise Section 4.13 of the Cyber Security Plan for Wolf Creek Nuclear Operating Corporation, Wolf Creek Generating Station submitted in Reference 1 (hereafter referred to as the CSP). By revising the CSP to include the information below, WCNOC will be in compliance with 10 CFR 73.54.

4.13 Document Control And Records Retention And Handling WCNOC has established the necessary measures and governing procedures to ensure that sufficient records of items and activities affecting cyber security are developed, reviewed, approved, issued, used, and revised to reflect completed work.

The following are examples of records or supporting technical documentation that are retained as a record until the Commission terminates the license for which the records are developed.

Superseded portions of these records are retained for three years unless otherwise specified by the Commission in accordance with the requirements of 10 CFR 73.54(h):

Attachment I to WO 11-0017 Page 2 of 9

" Modification records for CDAs;

  • Analyses, basis, conclusions, and determinations used to establish a component as a CDA;
  • Written policies and procedures that implement and maintain the Cyber Security Plan, with records of changes;
  • Corrective action records related to cyber security non-conformance or adverse conditions;
  • Documentation of periodic Cyber Security Plan reviews and program audits;

" Vulnerability notifications determined to adversely impact CDAs and the associated analyses, assessments and dispositions;

" Training records to document personnel qualifications and program implementation and maintenance; and

  • Audit records are electronic or manual event records (logs) that facilitate the identification and analysis of cyber security attacks and are developed in accordance with Appendix D, Section 2, Audit and Accountability.

The scope of auditable events is developed in accordance with Appendix D, Section 2.2, Auditable Events. Events identified for auditing are recorded in accordance with Appendix D, Section 2.3, Content of Audible Events and Appendix D, Section 2.4, Audit Storage Capacity (for electronic audit records).

The source of auditable events (electronic and non-electronic) include, but are not limited to:

o Operating system logs o Service and application logs o Network device logs o Access Logs

" Audit records of auditable events are retained to document access history, as well as to discover the source of cyber attacks or other security-related incidents affecting CDAs or SSEP functions, or both. These records are reviewed and analyzed accordance with procedures implementing Appendix D, Section 2.6, Audit Review, Analysis and Reporting. The review and analysis is conducted consistent with maintaining high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 10 CFR 73.1.

Superseded records (or portions thereof) are then retained for three years, after the record has been reviewed and analyzed.

Attachment I to WO 11-0017 Page 3 of 9

2. Implementation Schedule The regulations in 10 CFR 73.54 require licensees to submit a CSP that satisfies the requirements of this section for Commission review and approval. Furthermore, each submittal must include a proposed implementation schedule and the implementation of the licensee's cyber security program must be consistent with the approved schedule.

Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequatelyprotected againstcyber attacks, up to and including the design basis threat.

The completion of several key intermediate milestones (items (a) through (g) below) would demonstrate progress toward meeting the requirements of 10 CFR 73.54. The NRC staff's expectation is that the key intermediate milestones will be completed in a timely manner, but no later than December 31, 2012. The key CSP implementation milestones are as follows:

a) Establish, train and qualify Cyber Security Assessment Team, as described in Section 3.1.2, "CyberSecurity Assessment Team," of the CSP.

b) Identify Critical Systems and CDAs, as described in Section 3.1.3, "Identification of CriticalDigitalAssets," of the CSP.

c) Implement cyber security defense-in-depth architecture by installation of [deterministic one-way] devices, as described in Section 4.3, "Defense-In-Depth Protective Strategies,"

of the CSP.

d) Implement the management, operational and technical cyber security controls that address attacks promulgated by use of portable media, portable devices, and portable equipment as described in Appendix D, Section 1.19, "Access Control for Portable and Mobile Devices," of Nuclear Energy Institute (NEI) 08-09, Revision 6.

e) Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds as, described in Appendix E, Section 4.3, "PersonnelPerforming Maintenance and Testing Activities," and Appendix E, Section 10.3, "Baseline Configuration," of NEI 08-09, Revision 6.

]) Identify, document, and implement cyber security controls to physical security target set CDAs in accordance with Section 3.1.6, "Mitigation of Vulnerabilities and Application of Cyber Security Controls," of the CSP.

g) Ongoing monitoring and assessment activities will commence for those target set CDAs whose security controls have been implemented, as described in Section 4.4, "Ongoing Monitoring and Assessment," of the CSP.

h) Full implementation of the CSP for all safety, security, and emergency preparedness functions.

Attachment I to WO 11-0017 Page 4 of 9 Please provide a revised CSP implementation schedule that identifies the appropriate milestones, completion dates, supporting rationale, and level of detail to allow the NRC to evaluate the licensee's proposed schedule and associatedmilestone dates which include the final completion date. It is the NRC's intention to develop a license condition incorporating your revised CSP implementation schedule containing the key milestone dates.

Response: Provided below is a revised CSP implementation schedule that includes milestones, completion dates, and associated basis. The below information supersedes the information provided in Enclosure II of Reference 1.

Wolf Creek Nuclear Operating Corporation (WCNOC) Cvber Security Plan Implementation Schedule Full implementation of the CSP involves many supporting tasks. Major activities include:

program and procedure development; performing of individual critical digital asset (CDA) assessments; and identification, scheduling, and implementing individual asset security control design remediation actions through the site configuration management program. These design modifications may be performed on-line or could require a refueling outage for installation.

The extensive workload associated with full implementation of the CSP requires prioritization to assure those activities that provide higher degrees of protection against radiological sabotage are performed first. Therefore the CSP implementation schedule will be implemented with two major milestone dates. The first milestone date of no later than December 31, 2012, includes the activities listed in the table below. The second milestone date, December 31, 2014, includes the completion of all remaining actions that result in the full implementation of the cyber security plan for all applicable Safety, Security, and Emergency Preparedness (SSEP) functions. The December 31, 2014 final completion date also includes implementation of cyber security controls for the systems, structures, and components (SSCs) in the Balance of Plant (BOP) that could directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient. This date also bounds the completion of all individual asset security control design remediation actions.

Cyber security controls are not applied if the control adversely impacts safety and important to SSEP functions.

Attachment I to WO 11-0017 Page 5 of 9

  1. Imlmntto Completion Bsis Mietn DateI.

1 Establish Cyber Security No later than The CSAT, collectively, will need to Assessment Team (CSAT) as December 31, have digital plant systems knowledge described in Section 3.1.2 "Cyber 2012 as well as nuclear power plant Security Assessment Team" of the operations, engineering and nuclear Cyber Security Plan (CSP). safety experience and technical expertise. The personnel selected for this team may require additional training to ensure adequate capabilities to perform cyber security assessments as well as other duties.

2 Identify Critical Systems (CSs) and No later than The scope of 10 CFR 73.54 includes Critical Digital Assets (CDAs) as December 31, digital computer and communication described in Section 3.1.3 2012 systems and networks associated with:

"Identification of Critical Digital safety-related and important-to safety Assets" of the CSP. functions; security functions; emergency preparedness functions, including offsite communications; and support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions. The scope of 10 CFR 73.54 includes structures, systems, and components (SSCs) that have a nexus to radiological health and safety and therefore can directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient.

3 Implement Installation of a No later than The implementation of communication deterministic one-way device December 31, barriers protects the most critical between lower level devices (level 2 2012 SSEP functions from remote attacks

& 3) and a firewall between higher on plant systems. Isolating the plant level devices (level 3 & 4) as systems from the internet as well as described in Section 4.3, "Defense- from the corporate business systems In-Depth Protective Strategies" of is an important milestone in defending the CSP. against external threats. While the deployment of the barriers is critical to Lower security level devices (level protection from external cyber threats, 0,1, 2 devices) that bypass the it also prevents remote access to core deterministic devices and connect to monitoring and plant data systems for level 3 or 4 will be modified to reactor engineers, plant operations, prevent the digital connectivity to the and other plant staff. This elimination higher level or will be modified to of remote access to reactor core meet cyber security requirements monitoring systems may require the commensurate with the level [3 or 4] development and execution of a devices to which they connect. detailed change management plan to

Attachment IIto WO 11-0017 Page 6 of 9

  1. Imlmntto Copeto Bas-Mietn Dat ensure continued safe operation of the The design modifications that are plants. Vendors may be required to not finished by the completion date develop software revisions to support will be documented in the site the model. The modification will be configuration management and/or developed, prioritized and scheduled.

change control program to assure completion of the design The WCNOC Cyber Security Plan modification as soon as possible, but does not allow lower level security no later than the final implementation devices to bypass the deterministic date. device.

4 The security control "Access Control No later than Portable media devices are used to For Portable And Mobile Devices" December 31, transfer electronic information (e.g.,

described in Appendix D 1.19 of NEI 2012 data, software, firmware, virus engine 08-09, Revision 6, will be updates and configuration information) implemented. to and from plant process equipment.

Careful use of this class of media is required to minimize the spread of malicious software to plant process equipment. The effective implementation of this control may require the coordinated implementation of other complimentary controls to ensure adequate mitigation.

5 Implement observation and No later than Insider mitigation rounds by trained identification of obvious cyber December 31, staff look for obvious signs of cyber related tampering to existing insider 2012 related tampering and would provide mitigation rounds by incorporating mitigation of observable cyber related the appropriate elements in insider actions. Implementing steps to Appendix E Section 4.3 "Personnel add signs of cyber security-related Performing Maintenance And tampering to insider mitigation rounds Testing Activities." will be performed by the completion date.

6 Identify, document, and implement No later than The site physical protection program cyber security controls in December 31, provides high assurance that these accordance with the Cyber Security 2012 elements are protected from physical Plan Section 3.1.6 "Mitigation of harm by an adversary. The cyber Vulnerabilities and Application of security program will enhance the Cyber Security Controls" for CDAs defense-in-depth nature of the that could adversely impact the protection of CDAs associated with design function of physical security target sets. Implementing Cyber target set equipment. Security Plan security controls to target set CDAs provides a high degree of The implementation of controls that protection against cyber related require a design modification that attacks that could lead to radiological are not finished by the completion sabotage. Security controls will be

Attachment I to WO 11-0017 Page 7 of 9

  1. ~~~~~ Imlmntto Copeioai Mietn Dat date will be documented in the site addressed in accordance with Cyber configuration management and/or Security Plan Section 3.1.6 with the change control program to assure exception of those that require a completion of the design design modification.

modification as soon as possible, but no later than the final implementation Note that the Operational and date. Management controls, as provided in NEI 08-09, Rev 6, Appendix E, will be implemented in conjunction with the full implementation of the Cyber Security Program. These controls are primarily procedure based programs and must be implemented in coordination with the comprehensive Cyber Security Program. However, a high degree of protection against cyber related attacks is maintained as many of these programs (e.g., physical protection, maintenance and work management, configuration management, operational experience, etc) are currently in place and are well established within the nuclear industry.

7 Ongoing monitoring and assessment No later than The ongoing monitoring and activities commence, as described in December 31, assessment activities as described in Section 4.4, "Ongoing Monitoring 2012 Section 4.4, "Ongoing Monitoring and and Assessment" of the CSP, for Assessment" of the Cyber Security those target set CDAs whose Plan will be implemented for the security controls have been controls applied to target set CDAs.

implemented. This action results in the commencement of the cyber security program for target set related CDAs.

8 Full implementation of the WCNOC December 31, By the completion date, the WCNOC Cyber Security Plan for all SSEP 2014 Cyber Security Plan will be fully functions will be achieved. implemented for all SSEP functions in accordance with 10 CFR 73.54. This date also bounds the completion of all individual asset security control design remediation actions including those that require a refuel outage for implementation.

The full implementation date includes the addition into scope of the Balance of Plant (BOP) SSCs that could directly or indirectly affect reactivity.

Attachment I to WO 11-0017 Page 8 of 9

3. Scope of Systems Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 10 CFR 73.1. In addition, 10 CFR 73.54(a)(1) states that The licensee shall protect digital computer and communication systems and networks associatedwith:

(i) Safety-related and important-to-safetyfunctions; (ii) Security functions; (iii) Emergency preparednessfunctions, including offsite communications; and (iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparednessfunctions.

Subsequent to the issuance of the cyber security rule, the NRC stated that 10 CFR 73.54 should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety (ADAMS Accession No. ML103490344, dated November 19, 2010). The SSCs in the BOP are those that could directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient and are, therefore, within the scope of important-to-safety functions described in 10 CFR 73.54(a)(1). Furthermore, the NRC issued a letter to NEI dated January 5, 2011 (ADAMS Accession No. ML103550480) that provided licensees with additional guidance on one acceptable approach to comply with the Commission'spolicy determination.

Please explain how the scoping of systems provided by CSP for Wolf Creek Generating Station meets the requirements of 10 CFR 73.54 and the additionalguidance provided by the NRC.

Response: WCNOC will revise the CSP submitted in Reference 1 by inserting a new paragraph into Section 2.1, "Scope and Purpose." Provided below is the proposed wording that is consistent with the language provided in the letter from the NRC to NEI dated January 5, 2011 (Reference 3).

Within the scope of NRC's cyber security rule at Title 10 of the Code of Federal Regulations (10 CFR) 73.54, systems or equipment that perform important to safety functions include structures, systems, and components (SSCs) in the balance of plant (BOP) that could directly or indirectly affect reactivity at a nuclear power plant and could result in an unplanned reactor shutdown or transient. Additionally, these SSCs are under WCNOC's control and include electrical distribution equipment out to the first inter-tie with the offsite distribution system.

Attachment I to WO 11-0017 Page 9 of 9

References:

1. WCNOC Letter WO 10-0048, "Revision to Renewed Facility Operating License and Request for Approval of the Cyber Security Plan," July 19, 2010.
2. Letter dated March 2, 2011, from B. K. Singal, USNRC to M. W. Sunseri, WCNOC, "Wolf Creek Generating Station - Request for Additional Information Regarding Revision to the Renewed Facility Operating License and Request for Review and Approval of the Cyber Security Plan (TAC NO. ME4265)"
3. Letter dated January 5, 2011, from R. P. Correia, USNRC, to C. Earls, Nuclear Energy Institute.

Attachment II to WO 11-0017 Page 1 of 1 LIST OF REGULATORY COMMITMENTS The following table identifies those actions committed to by WCNOC in this document. Any other statements in this submittal are provided for information purposes and are not considered to be regulatory commitments. Please direct questions regarding these commitments to Mr.

Gautam Sen at (620) 364-4175.

Regulatory Commitments Due Date I Event WCNOC will revise the Cyber Security Plan by inserting a new April 15, 2011 paragraph into Section 2.1.

WCNOC will revise Section 4.13 of the Cyber Security Plan. April 15, 2011 The CSP will be fully implemented for all SSEP functions in December 31, 2014 accordance with 10 CFR 73.54. This date also bounds the completion of all individual asset security control design remediation actions including those that require a refueling outage for implementation.

The full implementation date includes the addition into scope of the Balance of Plant (BOP) SSCs that could directly or indirectly affect reactivity.

Retrieved from "https://kanterella.com/w/index.php?title=WO_11-0017,_Response_to_Request_for_Additional_Information_Regarding_License_Amendment_Request_for_Approval_of_the_Cyber_Security_Plan&oldid=2119327"