ML110600759: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
||
(5 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
| number = ML110600759 | | number = ML110600759 | ||
| issue date = 03/02/2011 | | issue date = 03/02/2011 | ||
| title = | | title = Generic Request for Additional Information, License Amendment Request to Revise License Condition and Approve Cyber Security Plan | ||
| author name = Wilkins L | | author name = Wilkins L | ||
| author affiliation = NRC/NRR/DORL/LPLIV | | author affiliation = NRC/NRR/DORL/LPLIV | ||
| addressee name = Bannister D | | addressee name = Bannister D | ||
| addressee affiliation = Omaha Public Power District | | addressee affiliation = Omaha Public Power District | ||
| docket = 05000285 | | docket = 05000285 | ||
Line 13: | Line 13: | ||
| document type = Request for Additional Information (RAI), Letter | | document type = Request for Additional Information (RAI), Letter | ||
| page count = 5 | | page count = 5 | ||
| project = TAC:ME4380 | |||
| stage = RAI | |||
}} | }} | ||
=Text= | |||
{{#Wiki_filter:UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 March 2, 2011 Mr. David J. Bannister Vice President and CNO Omaha Public Power District Fort Calhoun Station 444 South 16th St. Mall Omaha, NE 68102-2247 | |||
==SUBJECT:== | |||
FORT CALHOUN STATION, UNIT NO.1 - REQUEST FOR ADDITIONAL INFORMATION REGARDING REVISION TO THE RENEWED FACILITY OPERATING LICENSE AND REQUEST FOR REVIEW AND APPROVAL OF THE CYBER SECURITY PLAN (TAC NO. ME4380) | |||
==Dear Mr. Bannister:== | |||
By letter dated July 26, 2010 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML102080452), Omaha Public Power District (OPPD, the licensee) submitted a request for revision to the Renewed Facility Operating License No. DPR-40 and review and approval of the Cyber Security Plan (CSP) for Fort Calhoun Station, Unit No.1, in accordance with Title 10 of the Code of Federal Regulations (10 CFR), Section 73.54. | |||
The U.S. Nuclear Regulatory Commission (NRC) staff has reviewed the information provided in your application and determined that additional information is required in order to complete its review. A draft copy of the enclosed request for additional information was provided to Mr. Bill Hansher of your staff via e-mail on February 24, 2011. Mr. Hansher informed the NRC staff on February 28, 2011, that a conference call to discuss the request for additional information is not needed and agreed to provide the response to the request for additional information within 30 days from the date of this letter. | |||
If you have any questions, please contact me at 301-415-1377 or via e-mail at Iynnea.wilkins@nrc.gov. | |||
S.inc:o/lY, | |||
// | |||
fit}?; | |||
;L' V ; | |||
ynnea E. Wilkins, Project Manager Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket No, 50-285 | |||
==Enclosure:== | |||
As stated cc w/encl: Distribution via Listserv | |||
REQUEST FOR ADDITIONAL INFORMATION REVISION TO THE RENEWED FACILITY OPERATING LICENSE AND REQUEST FOR REVIEW AND APPROVAL OF THE CYBER SECURITY PLAN OMAHA PUBLIC POWER DISTRICT FORT CALHOUN STATION, UNIT 1 DOCKET NO. 50-285 By letter dated July 26, 2010 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML102080452), Omaha Public Power District (OPPD, the licensee) submitted a request for revision to the Renewed Facility Operating License No. DPR-40 and review and approval of the Cyber Security Plan (CSP) for Fort Calhoun Station, Unit No.1, in accordance with Title 10 of the Code of Federal Regulations (10 CFR), Section 73.54, "Protection of digital computer and communication systems and networks." | |||
The U.S. Nuclear Regulatory Commission (NRC) staff has reviewed the information provided in your application and determined that the following additional information is required in order to complete its review. | |||
: 1. Records Retention The regulations in 10 CFR 73.54(c)(2} requires licensees to design a cyber security program to ensure the capability to detect, respond to, and recover from cyber attacks. | |||
Furthermore, 10 CFR 73.54(e}(2)(i} requires licensees to maintain a CSP plan that describes how the licensee will maintain the capability for timely detection and response to cyber attacks. The ability for a licensee to detect and respond to cyber attacks requires accurate and complete records and is further supported by 10 CFR 73.54(h), | |||
which states that the licensee shall retain all records and supporting technical documentation required to satisfy the requirements of 10 CFR Section 73.54 as a record until the Commission terminates the license for which the records were developed, and shall maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission. | |||
The licensee's CSP in Section 4.13 states that Critical Digital Asset (CDA) audit records and audit data (e.g., operating system logs, network device logs) are retained for a period of time that is less than what is required by 10 CFR 73.54(h}. | |||
Please explain the deviation from the 10 CFR 73.54(h) requirement to retain records and supporting technical documentation until the Commission terminates the license (or to maintain superseded portions of these records for at least 3 years) and how that meets the requirements of 10 CFR 73,54. | |||
Enclosure | |||
- 2 | |||
: 2. Implementation Schedule The regulations in 10 CFR 73.54 require licensees to submit a CSP that satisfies the requirements of this section for Commission review and approval. Furthermore, each submittal must include a proposed implementation schedule and the implementation of the licensee's cyber security program must be consistent with the approved schedule. | |||
Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat. | |||
The completion of several key intermediate milestones (items (a) through (g) below) would demonstrate progress toward meeting the requirements of 10 CFR 73.54. The NRC staff's expectation is that the key intermediate milestones will be completed in a timely manner, but no later than December 31, 2012. The key CSP implementation milestones are as follows: | |||
a} Establish, train and qualify Cyber Security Assessment Team, as described in Section 3.1.2, "Cyber Security Assessment Team," of the CSP. | |||
b} Identify Critical Systems and CDAs, as described in Section 3.1.3, "Identification of Critical Digital Assets," of the CSP. | |||
c} Implement cyber security defense-in-depth architecture by installation of | |||
[deterministic one-way] devices, as described in Section 4.3, "Defense-In-Depth Protective Strategies," of the CSP. | |||
d) Implement the management, operational and technical cyber security controls that address attacks promulgated by use of portable media, portable devices, and portable equipment as described in Appendix D, Section 1.19, "Access Control for Portable and Mobile Devices," of Nuclear Energy Institute (NEI) 08-09, Revision 6. | |||
e} Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds as described in Appendix E, Section 4.3, "Personnel Performing Maintenance and Testing Activities," and Appendix E, Section 10.3, "Baseline Configuration," of NEI 08-09, Revision 6. | |||
f} Identify, document, and implement cyber security controls to physical security target set CDAs in accordance with Section 3.1.6, "Mitigation of Vulnerabilities and Application of Cyber Security Controls," of the CSP. | |||
g) Ongoing monitoring and assessment activities will commence for those target set CDAs whose security controls have been implemented, as described in Section 4.4, "Ongoing Monitoring and Assessment," of the CSP. | |||
h} Full implementation of the CSP for all safety, security, and emergency preparedness functions. | |||
-3 Please provide a revised CSP implementation schedule that identifies the appropriate milestones, completion dates, supporting rationale, and level of detail to allow the NRC to evaluate the licensee's proposed schedule and associated milestone dates which include the final completion date. It is the NRC's intention to develop a license condition incorporating your revised CSP implementation schedule containing the key milestone dates. | |||
: 3. Scope of Systems Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 10 CFR 73.1. | |||
In addition, 10 CFR 73.54(a)(1) states that The licensee shall protect digital computer and communication systems and networks associated with: | |||
(i) Safety-related and important-to-safety functions; (ii) Security functions; (iii) Emergency preparedness functions, including offsite communications; and (iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions. | |||
Subsequent to the issuance of the cyber security rule, the NRC stated that 10 CFR 73.54 should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety (ADAMS Accession No. ML103490344, dated November 19, 2010). The SSCs in the BOP are those that could directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient and are, therefore, within the scope of important-to-safety functions described in 10 CFR 73.54{a){1). | |||
Furthermore, the NRC issued a letter to NEI dated January 5, 2011 (ADAMS Accession No. ML103550480) that provided licensees with additional guidance on one acceptable approach to comply with the Commission's policy determination. | |||
Please explain how the scoping of systems provided by CSP for Fort Calhoun Station, Unit No.1, meets the requirements of 10 CFR 73.54 and the additional guidance provided by the NRC. | |||
March 2, 2011 Mr. David J. Bannister Vice President and CNO Omaha Public Power District Fort Calhoun Station 444 South 16th S1. Mall Omaha, NE 68102-2247 | |||
==SUBJECT:== | |||
FORT CALHOUN STATION, UNIT NO.1 - REQUEST FOR ADDITIONAL INFORMATION REGARDING REVISION TO THE RENEWED FACILITY OPERATING LICENSE AND REQUEST FOR REVIEW AND APPROVAL OF THE CYBER SECURITY PLAN (TAC NO. ME4380) | |||
==Dear Mr. Bannister:== | |||
By letter dated July 26, 2010 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML102080452), Omaha Public Power District (OPPD, the licensee) submitted a request for revision to the Renewed Facility Operating License No. DPR-40 and review and approval of the Cyber Security Plan (CSP) for Fort Calhoun Station, Unit No.1, in accordance with Title 10 of the Code of Federal Regulations (10 CFR), Section 73.54. | |||
The U.S. Nuclear Regulatory Commission (NRC) staff has reviewed the information provided in your application and determined that additional information is required in order to complete its review. A draft copy of the enclosed request for additional information was provided to Mr. Bill Hansher of your staff via e-mail onFebruary24.2011.Mr. Hansher informed the NRC staff on February 28, 2011, that a conference call to discuss the request for additional information is not needed and agreed to provide the response to the request for additional information within 30 days from the date of this letter. | |||
If you have any questions, please contact me at 301-415-1377 or via e-mail at Iynnea. wi Iki ns@nrc.gov. | |||
Sincerely, IRAJ Lynnea E. Wilkins, Project Manager Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket No. 50-285 | |||
==Enclosure:== | |||
As stated cc w/encl: Distribution via Listserv DISTRIBUTION: | |||
PUBLIC RidsNrrPMFortCalhoun Resource RidsRgn4MailCenter Resource LPLIV Reading RidsNrrLAJBurkhardt Resource PPederson, NSIR/DSPIISCPB RidsAcrsAcnw_MailCTR Resource RidsNsirDsp Resource RidsNrrDorlLpl4 Resource RidsOgcRp Resource ADAMS Accession No ML110600759 *memo dated OFFICE NRR/LPL4/PM NRR/LPL4/LA NSIR/DSPIISCPB/BC NRR/LPL4/BC NRR/LPL4/PM NAME LWilkins JBurkhardt CErlanger* MMarkley LWilkins DATE 3/2/11 3/2/11 2/18/11 3/2111 3/2/11 OFFICIAL RECORD COpy}} |
Latest revision as of 02:42, 13 November 2019
ML110600759 | |
Person / Time | |
---|---|
Site: | Fort Calhoun |
Issue date: | 03/02/2011 |
From: | Lynnea Wilkins Plant Licensing Branch IV |
To: | Bannister D Omaha Public Power District |
Wilkins, L E, NRR/DORL/LPL4, 415-1377 | |
References | |
TAC ME4380 | |
Download: ML110600759 (5) | |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 March 2, 2011 Mr. David J. Bannister Vice President and CNO Omaha Public Power District Fort Calhoun Station 444 South 16th St. Mall Omaha, NE 68102-2247
SUBJECT:
FORT CALHOUN STATION, UNIT NO.1 - REQUEST FOR ADDITIONAL INFORMATION REGARDING REVISION TO THE RENEWED FACILITY OPERATING LICENSE AND REQUEST FOR REVIEW AND APPROVAL OF THE CYBER SECURITY PLAN (TAC NO. ME4380)
Dear Mr. Bannister:
By letter dated July 26, 2010 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML102080452), Omaha Public Power District (OPPD, the licensee) submitted a request for revision to the Renewed Facility Operating License No. DPR-40 and review and approval of the Cyber Security Plan (CSP) for Fort Calhoun Station, Unit No.1, in accordance with Title 10 of the Code of Federal Regulations (10 CFR), Section 73.54.
The U.S. Nuclear Regulatory Commission (NRC) staff has reviewed the information provided in your application and determined that additional information is required in order to complete its review. A draft copy of the enclosed request for additional information was provided to Mr. Bill Hansher of your staff via e-mail on February 24, 2011. Mr. Hansher informed the NRC staff on February 28, 2011, that a conference call to discuss the request for additional information is not needed and agreed to provide the response to the request for additional information within 30 days from the date of this letter.
If you have any questions, please contact me at 301-415-1377 or via e-mail at Iynnea.wilkins@nrc.gov.
S.inc:o/lY,
//
fit}?;
- L' V ;
ynnea E. Wilkins, Project Manager Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket No, 50-285
Enclosure:
As stated cc w/encl: Distribution via Listserv
REQUEST FOR ADDITIONAL INFORMATION REVISION TO THE RENEWED FACILITY OPERATING LICENSE AND REQUEST FOR REVIEW AND APPROVAL OF THE CYBER SECURITY PLAN OMAHA PUBLIC POWER DISTRICT FORT CALHOUN STATION, UNIT 1 DOCKET NO. 50-285 By letter dated July 26, 2010 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML102080452), Omaha Public Power District (OPPD, the licensee) submitted a request for revision to the Renewed Facility Operating License No. DPR-40 and review and approval of the Cyber Security Plan (CSP) for Fort Calhoun Station, Unit No.1, in accordance with Title 10 of the Code of Federal Regulations (10 CFR), Section 73.54, "Protection of digital computer and communication systems and networks."
The U.S. Nuclear Regulatory Commission (NRC) staff has reviewed the information provided in your application and determined that the following additional information is required in order to complete its review.
- 1. Records Retention The regulations in 10 CFR 73.54(c)(2} requires licensees to design a cyber security program to ensure the capability to detect, respond to, and recover from cyber attacks.
Furthermore, 10 CFR 73.54(e}(2)(i} requires licensees to maintain a CSP plan that describes how the licensee will maintain the capability for timely detection and response to cyber attacks. The ability for a licensee to detect and respond to cyber attacks requires accurate and complete records and is further supported by 10 CFR 73.54(h),
which states that the licensee shall retain all records and supporting technical documentation required to satisfy the requirements of 10 CFR Section 73.54 as a record until the Commission terminates the license for which the records were developed, and shall maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission.
The licensee's CSP in Section 4.13 states that Critical Digital Asset (CDA) audit records and audit data (e.g., operating system logs, network device logs) are retained for a period of time that is less than what is required by 10 CFR 73.54(h}.
Please explain the deviation from the 10 CFR 73.54(h) requirement to retain records and supporting technical documentation until the Commission terminates the license (or to maintain superseded portions of these records for at least 3 years) and how that meets the requirements of 10 CFR 73,54.
Enclosure
- 2
- 2. Implementation Schedule The regulations in 10 CFR 73.54 require licensees to submit a CSP that satisfies the requirements of this section for Commission review and approval. Furthermore, each submittal must include a proposed implementation schedule and the implementation of the licensee's cyber security program must be consistent with the approved schedule.
Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat.
The completion of several key intermediate milestones (items (a) through (g) below) would demonstrate progress toward meeting the requirements of 10 CFR 73.54. The NRC staff's expectation is that the key intermediate milestones will be completed in a timely manner, but no later than December 31, 2012. The key CSP implementation milestones are as follows:
a} Establish, train and qualify Cyber Security Assessment Team, as described in Section 3.1.2, "Cyber Security Assessment Team," of the CSP.
b} Identify Critical Systems and CDAs, as described in Section 3.1.3, "Identification of Critical Digital Assets," of the CSP.
c} Implement cyber security defense-in-depth architecture by installation of
[deterministic one-way] devices, as described in Section 4.3, "Defense-In-Depth Protective Strategies," of the CSP.
d) Implement the management, operational and technical cyber security controls that address attacks promulgated by use of portable media, portable devices, and portable equipment as described in Appendix D, Section 1.19, "Access Control for Portable and Mobile Devices," of Nuclear Energy Institute (NEI) 08-09, Revision 6.
e} Implement observation and identification of obvious cyber related tampering to existing insider mitigation rounds as described in Appendix E, Section 4.3, "Personnel Performing Maintenance and Testing Activities," and Appendix E, Section 10.3, "Baseline Configuration," of NEI 08-09, Revision 6.
f} Identify, document, and implement cyber security controls to physical security target set CDAs in accordance with Section 3.1.6, "Mitigation of Vulnerabilities and Application of Cyber Security Controls," of the CSP.
g) Ongoing monitoring and assessment activities will commence for those target set CDAs whose security controls have been implemented, as described in Section 4.4, "Ongoing Monitoring and Assessment," of the CSP.
h} Full implementation of the CSP for all safety, security, and emergency preparedness functions.
-3 Please provide a revised CSP implementation schedule that identifies the appropriate milestones, completion dates, supporting rationale, and level of detail to allow the NRC to evaluate the licensee's proposed schedule and associated milestone dates which include the final completion date. It is the NRC's intention to develop a license condition incorporating your revised CSP implementation schedule containing the key milestone dates.
- 3. Scope of Systems Paragraph 73.54(a) of 10 CFR requires licensees to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks, up to and including the design basis threat as described in 10 CFR 73.1.
In addition, 10 CFR 73.54(a)(1) states that The licensee shall protect digital computer and communication systems and networks associated with:
(i) Safety-related and important-to-safety functions; (ii) Security functions; (iii) Emergency preparedness functions, including offsite communications; and (iv) Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions.
Subsequent to the issuance of the cyber security rule, the NRC stated that 10 CFR 73.54 should be interpreted to include structures, systems, and components (SSCs) in the balance of plant (BOP) that have a nexus to radiological health and safety (ADAMS Accession No. ML103490344, dated November 19, 2010). The SSCs in the BOP are those that could directly or indirectly affect reactivity of a nuclear power plant and could result in an unplanned reactor shutdown or transient and are, therefore, within the scope of important-to-safety functions described in 10 CFR 73.54{a){1).
Furthermore, the NRC issued a letter to NEI dated January 5, 2011 (ADAMS Accession No. ML103550480) that provided licensees with additional guidance on one acceptable approach to comply with the Commission's policy determination.
Please explain how the scoping of systems provided by CSP for Fort Calhoun Station, Unit No.1, meets the requirements of 10 CFR 73.54 and the additional guidance provided by the NRC.
March 2, 2011 Mr. David J. Bannister Vice President and CNO Omaha Public Power District Fort Calhoun Station 444 South 16th S1. Mall Omaha, NE 68102-2247
SUBJECT:
FORT CALHOUN STATION, UNIT NO.1 - REQUEST FOR ADDITIONAL INFORMATION REGARDING REVISION TO THE RENEWED FACILITY OPERATING LICENSE AND REQUEST FOR REVIEW AND APPROVAL OF THE CYBER SECURITY PLAN (TAC NO. ME4380)
Dear Mr. Bannister:
By letter dated July 26, 2010 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML102080452), Omaha Public Power District (OPPD, the licensee) submitted a request for revision to the Renewed Facility Operating License No. DPR-40 and review and approval of the Cyber Security Plan (CSP) for Fort Calhoun Station, Unit No.1, in accordance with Title 10 of the Code of Federal Regulations (10 CFR), Section 73.54.
The U.S. Nuclear Regulatory Commission (NRC) staff has reviewed the information provided in your application and determined that additional information is required in order to complete its review. A draft copy of the enclosed request for additional information was provided to Mr. Bill Hansher of your staff via e-mail onFebruary24.2011.Mr. Hansher informed the NRC staff on February 28, 2011, that a conference call to discuss the request for additional information is not needed and agreed to provide the response to the request for additional information within 30 days from the date of this letter.
If you have any questions, please contact me at 301-415-1377 or via e-mail at Iynnea. wi Iki ns@nrc.gov.
Sincerely, IRAJ Lynnea E. Wilkins, Project Manager Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket No. 50-285
Enclosure:
As stated cc w/encl: Distribution via Listserv DISTRIBUTION:
PUBLIC RidsNrrPMFortCalhoun Resource RidsRgn4MailCenter Resource LPLIV Reading RidsNrrLAJBurkhardt Resource PPederson, NSIR/DSPIISCPB RidsAcrsAcnw_MailCTR Resource RidsNsirDsp Resource RidsNrrDorlLpl4 Resource RidsOgcRp Resource ADAMS Accession No ML110600759 *memo dated OFFICE NRR/LPL4/PM NRR/LPL4/LA NSIR/DSPIISCPB/BC NRR/LPL4/BC NRR/LPL4/PM NAME LWilkins JBurkhardt CErlanger* MMarkley LWilkins DATE 3/2/11 3/2/11 2/18/11 3/2111 3/2/11 OFFICIAL RECORD COpy